
UNIT ONE

SAP AUTHORIZATION CONCEPT


The authorization concept helps to establish maximum security, gives end users
sufficient privileges (accesses) to fulfill their job duties, and keeps user maintenance easy.
Authorizations are used to control access at the application level. Authentication
controls who has access to the system; to log on, a user must possess a
valid user master record and a valid password.
When developing a security concept, we seek to answer: what is to be protected
(ASSETS), against what (THREATS), and how do we achieve maximum
protection (MEASURES).
FACTORS TO CONSIDER WHEN PROTECTING AN SAP SYSTEM
Security must be implemented at all levels, because an attack will most often
come through the weakest point in the system.
A complex authorization setup is just one aspect of a security concept.
SYSTEM ACCESS CONTROL AND ROLE BASED ACCESS CONTROL
System access control deals with users identifying themselves to the system
using a valid user ID and a password; access control deals with authority
checks for programs and transactions.

Access control is a security technique that regulates who or what can
view or use resources in a computing environment. In order to work in an SAP
system, users require a valid USER ID, and a user master record must be created
for each system user. Authorizations are assigned to a user through profiles in the
form of roles, which are entered into the user master record.
DEFINITION OF TERMS
i. Roles:- A role is a group of activities performed within a business scenario.
ii. Profile:- A profile is a container for authorizations.
iii. Business Scenario:- A business scenario is a group of activities performed by employees in
their various roles, e.g.

BUSINESS SCENARIO: PROCUREMENT
ACTIVITIES (each requires certain authorizations): ORDER PURCHASE REQUISITION,
CREATE PURCHASE REQUISITION, RELEASE PURCHASE REQUISITION

When creating roles, we use the transaction code PFCG; the four core elements of
a role are:

TRANSACTION
MENU
AUTHORIZATION
USER ASSIGNMENT

CREATING AND IMPLEMENTING AN AUTHORIZATION CONCEPT


When setting up an authorization concept, it must be planned step by step using a
project plan that follows the ASAP methodology:
a) Project Preparation
b) Business Blueprint
c) Realization (implementation)
d) Final Preparation
e) Go-Live and Support

DETERMINE USER AND ADMINISTRATION STRATEGY


SAP offers different possibilities for managing users: administration can be centralized or
decentralized. According to the principle of dual control, it is not good practice for
one administrator to do everything. It is important that we divide the
administrators into:
a. User Administrator: whose function is to carry out user maintenance and
assign roles.
b. Profile Administrator: whose function is to activate the profile.
c. Authorization Data Administrator: whose function is to create and maintain
roles.
UNIT TWO
BASIC TERMINOLOGY OF AUTHORIZATIONS

ELEMENTS AND TERMINOLOGY OF THE SAP R/3 AUTHORIZATION CONCEPT
Overview of the terms and Elements in the Authorization Concept
Authorization Object Class:- This contains one or more authorization objects; it is
the logical grouping of authorization objects, i.e. all authorization objects
are assigned to a class.
Authorization Object:- A group of authorization fields that together control a
particular activity; a template for security that contains fields with blank values.
Authorization Field:- The smallest unit on which an authorization check is run.
Authorization:- A combination of allowed values for each authorization field of
an authorization object; in other words, an authorization object with
completed fields, or an instance of an authorization object.
Authorization Profile:- The grouping of the different authorizations for the
authorization objects.
User Master Record:- This is used for logging on to the SAP system (authentication);
after successful verification of the user, the system grants the user the
access needed to perform their operations (authorizations).
All possible activities are stored in table TACT.

The valid activities for each authorization object are found in table TACTZ.
AUTHORIZATION CHECKS IN THE SAP SYSTEM
There are two authorization checks carried out in the system:
a. The check by the kernel: the system first checks whether the user is authorized to start
the transaction, then whether an authorization object is assigned to the
transaction code, and finally whether the user has an authorization
for that authorization object.
b. The individual check in a program: the system checks whether an
authorization object has been assigned to the transaction code; if this is the
case, it checks whether the user has an authorization for the
authorization object.
After an authorization check the system returns a return code:
0:- the user has an authorization for the authorization object with the correct
field values.
4:- the user has an authorization for the object, but the values checked are
not assigned to the user.
12:- the user does not have any authorization for the authorization object.
16:- no profile is entered in the user master record.
The values returned by the program check depend on the user buffer.

BUFFER: Each user has his/her own user buffer, in which all authorizations that
are assigned to the user are listed.
WHY WOULD A USER FAIL AN AUTHORIZATION CHECK?
A user might fail an authorization check if:
The authorization object does not exist in the buffer.
The values checked by the application are not assigned to the authorization
object in the user buffer.
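The return codes and the user buffer described above, modelled as an added example that is not from these training notes. The user names, authorizations and field values are constructed; S_TCODE and M_BANF_BSA are standard object names used only for illustration, and only the '*' and trailing-'*' value patterns are modelled.

```python
# Added example: a small model of the SAP authorization check against a
# user buffer, returning the return codes 0, 4, 12 and 16 described above.

# Constructed user buffers: object name -> list of authorizations, each an
# allowed-value list per field. A single '*' means everything; a trailing
# '*' (e.g. 'ME2*') is a prefix pattern. Both forms are modelled here.
USER_BUFFERS = {
    # constructed user with two authorizations from a generated profile
    "JDOE": {
        "S_TCODE": [{"TCD": ["ME51N", "ME52N", "ME2*"]}],
        "M_BANF_BSA": [{"ACTVT": ["01", "02"], "BSART": ["NB"]}],
    },
    # constructed user with no profile entered in the user master record
    "NOPROF": {},
}


def value_allowed(pattern, value):
    """True if one authorization field value covers the checked value."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(user, obj, **fields):
    """Return the SAP-style return code for a check on one authorization object.

    0  the user has the object with matching field values
    4  the user has the object, but the checked values are not assigned
    12 the user has no authorization for the object at all
    16 no profile is entered in the user master record (empty buffer)
    """
    buffer = USER_BUFFERS.get(user, {})
    if not buffer:
        return 16
    authorizations = buffer.get(obj)
    if not authorizations:
        return 12
    for auth in authorizations:
        # every checked field must be covered by the same single authorization
        if all(
            any(value_allowed(p, val) for p in auth.get(fld, []))
            for fld, val in fields.items()
        ):
            return 0
    return 4


def explain(user, obj, **fields):
    """Map a return code to the two failure reasons given in the notes."""
    rc = authority_check(user, obj, **fields)
    reasons = {
        0: "authorized",
        4: "values checked are not assigned to the object in the user buffer",
        12: "authorization object does not exist in the user buffer",
        16: "no profile in the user master record",
    }
    return rc, reasons[rc]


if __name__ == "__main__":
    print(explain("JDOE", "S_TCODE", TCD="SU01"))
```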

UNIT 3
USER SETTING
A user can only log on to an SAP system if a user master record with a
corresponding password exists. User master records are client specific. The table
below lists the authorization objects which are required to create and maintain a
user master record (ADMINISTRATOR).

S/N | AUTHORIZATION OBJECT | FUNCTION
1 | S_USER_GRP | Authorization to create and maintain user master records and to assign them to a user group
2 | S_USER_PRO | Authorization for the authorization profiles that you assign to users
3 | S_USER_AUTH | Authorization to create and maintain authorizations
4 | S_USER_AGR | Authorization to protect roles; with this object you specify which roles can be edited and which activities are intended for the roles
5 | S_USER_TCD | Authorization for the transactions which you may assign to a role and for which you can assign authorization to start the transaction in PFCG
6 | S_USER_VAL | Authorization to restrict the values that the system administrator can include in a role or change in PFCG

Apart from authorizations, which are a means of protecting sensitive data, it is also
necessary to protect your data with additional measures such as:
a) Secure communication in the network (Secure Network Communication,
SNC): SNC protects the data communication paths between the various
client and server components of the SAP system that use the SAP
protocols RFC or dialog.

b) Secure data formats (Secure Store and Forward, SSF):- this mechanism
provides you with the means to secure data and documents in SAP NetWeaver
Application Server (SAP NetWeaver AS) as independent data units.
c) Security in the internet
d) System passwords
e) Database access
f) Transport system

Address Tab Page


This is the first tab page you see when creating a new user master record. On
the address tab page you must maintain the Last name field. The address tab
page contains the personal information of the user, mode of communication, etc.
Logon Data
Alias: This is an alternative ID for the SAP user. When an alias has
been assigned, the user can be identified by either the user
name or the alias. It is primarily used when users are created in a self-service
scenario from internet transactions.

User group for authority check: To assign a user to a user group, use the
User group field on the Logon Data tab. This is done when
you want to split user maintenance among several administrators.
User Type:
Dialog user: regular SAP user
System user: user type for background processing and communication
within a system
Communication: dialog-free communication between systems
Service: dialog user for a larger, anonymous user range (should
only have minimum access authorization)
Reference: user type for general, non-person-related users that allows
the assignment of additional, identical authorizations, e.g. internet
users
Default Tab Page
Here the standard output device, its spool control and the personal settings for
the display of numbers and dates are shown. This tab contains:
Start Menu: In this field you can specify an area menu, which you can choose
using the possible entries help.
Logon Language: the system language when the user logs on. On the logon screen the
user can choose another language if required.

Output Device: the name of a printer in the SAP system, as specified in the device
definition.
Time Zone: this describes the location of an object in relation to its local
time.
Decimal Notation and Date Format: different countries use different formats
for numbers and dates. Enter the format of your country.
Parameters
The personal user parameters are explained here.
Roles
This displays the roles assigned to a user. A role is a set of functions describing a
specific work area. The relationship between a role and a user is many to many.
Profile Tab
In this area you assign manually created authorization profiles and authorizations
to a user. The generated profiles of the roles assigned to the user are also displayed
here, together with all profiles assigned to the user. The maximum number of
profiles that can be assigned to a user is 312.
Note: Never manually assign profiles generated using PFCG in the profile tab,
since the transaction code PFUD deletes this assignment if there is no entry for
them on the role tab page. When you assign a role to a user on the role tab, the
generated profile is automatically entered on the profile tab.
Groups
This displays the groups in which the user is listed as a member. A user can only be
a member of one authorization user group, but of several general user groups. General
user groups are not relevant for the object S_USER_GRP.
Logon Data: used for authorization purposes
Groups: not used for authorization purposes
Personalization Tab
In this tab you can make person-related settings using personalization objects.
License Data Tab
SAP software contains a measurement program with which every system produces
the information used to determine the license payment applicable to the installation.

UNIT 4
WORKING WITH THE PROFILE GENERATOR
Role maintenance in an SAP system is the central place in which authorizations
are set for users and combined into reusable blocks.
There are two processing views in the profile generator:
1. The basic maintenance view: this gives you access to all functions for role
maintenance and lets you assign roles only to SAP users.
2. The complete view: this displays all assignments and data for a role.

In PFCG you select the transactions, reports and web links of which the user
menu consists. An authorization profile is generated, and the profile is then assigned
to a user.
PROFILE GENERATOR
This is the central tool for generating authorizations and authorization profiles and
assigning them to users.
Roles
A role consists of one or more profiles. A role is used to implement the menu that
users can work with after they have logged on to the SAP system.
Procedure:
PFCG is the transaction code which we use to automatically generate profiles and
assign them to users. PFCG consists of the following tabs: Description, Menu,
Authorization, User, MiniApp and Personalization.
STEPS:
1. Define a role and maintain a short description of its content
2. Define the activities for the user role
3. Define what the menu tree should look like for the new user role
4. Maintain the authorizations for the selected activities and generate a profile
5. Assign users to the role under the menu tab
6. Perform a user comparison; this updates the profile in the user master record
SPECIAL PFCG ROLES


Customizing roles: If you want to allow the project team members to work on
the project only for a limited time, you can implement this with a time restriction for this
role.
Composite role: This role is a combination of multiple single roles, which can be
single or derived roles. Composite roles cannot be included in composite roles;
make sure you develop a naming convention which differentiates single roles from
composite roles.
Advantages
It reduces the effort for user maintenance
Menus can be mixed as required
Transactions can be deleted from the menu and the authorizations
retained
Disadvantages
Changes to authorizations can only be made using the included roles
A composite role has no authorizations itself
Changes to the included roles are not immediately visible in the menu
of the composite role; a renewed import is required
You can build the menu tree of the composite role by clicking on Read menu.

You can remove transactions from the composite role menu. There are two possible
ways of building the menu tree:
i. If the menu tree has not yet been built, you can use Read menu.
ii. Refresh: this brings up an additional query, under which you have the option to
merge or re-import.

REFERENCED ROLES AND DERIVED ROLES


Derived roles inherit everything from the parent role except the user assignment.
Subtleties of authorization maintenance
Traffic lights refer to the authorization fields in the lower branches:
Green: authorization field contents maintained
Yellow: some authorization field contents not maintained
Red: organizational levels not maintained
Status texts for authorizations:

Standard: field values have not been changed
Maintained: values were entered in fields delivered empty
Changed: a field delivered with content was changed
Manually: the authorization object was inserted manually

UNIT 5
BASIC SETTING
Before the profile generator can be used, you must activate it in the system and
link it with the default tables for the delivered SAP transaction codes. Activating
the profile generator after a new installation requires that:
The SAP system profile parameter auth/no_check_in_some_cases has the
value Y
The default tables which control the behavior of the profile generator when a
transaction is selected in a role are filled
There are two such tables:
a) USOBT: this defines, for each transaction and each authorization object,
which default values an authorization created from that authorization object
should have in PFCG
b) USOBX: this defines which authorization checks are to be performed within
a transaction and which are not (despite a programmed authority-check
command)

These tables are delivered by SAP; they are filled with default values and
are used for the initial fill of the customer tables USOBT_C and USOBX_C.
If an administrator selects a transaction while creating a role, PFCG selects the
authorization objects that are checked in this transaction and maintained in
PFCG. Four cases can occur:
a) For an authorization object for which a check is performed, PFCG has
default values for the authorization content, so that full authorization can be
provided. The traffic light beside the authorization object is green.
b) For an authorization object for which a check is to be performed in the
selected transaction, PFCG does not have default values for the
authorization content; for security reasons no specification was made as to
which activities can be performed. The traffic light is yellow.
c) For an authorization object for which a check is to be performed in the
selected transaction, PFCG does not have default values for the
authorization content and the field is an organizational level field. The traffic
light beside it is red.
d) It may be the case that some authorization checks performed during transaction
processing were not maintained in PFCG. The corresponding
authorization objects do not appear in the profile overview.
UPGRADING THE PROFILE GENERATOR

What you need to do when you perform an upgrade:
1. Migration of the report tree
2. Check of PFCG activation
3. Upgrade and roles of default tables
4. Conversion of manually created profiles to roles

ACCESS CONTROL AND USER ADMINISTRATION


In order to restrict access there is a need to define password rules. There are
two ways you can control the choice of user passwords:
Using the system to assign a minimum length for passwords and define how
often passwords have to be changed
Entering a list of invalid passwords into table USR40
There are general rules for passwords that cannot be deactivated:
Must be at least six characters long
Must not begin with ? or !
PROFILE PARAMETERS
The following is a list of profile parameters:
1. login/min_password_lng:- minimum password length
2. login/password_expiration_time:- validity period for passwords

3. login/password_max_idle_productive:- validity period for unused productive passwords
4. login/password_max_idle_initial:- validity period for unused initial passwords
5. login/min_password_diff:- minimum difference in password characters
6. login/fails_to_session_end:- number of failed logon attempts that end the logon procedure
7. login/fails_to_user_lock:- maximum number of failed logon attempts before the user is locked
8. login/failed_user_auto_unlock:- deactivation of automatic unlocking
9. login/disable_multi_gui_login:- deactivation of multiple dialog logons
10. login/multi_login_users:- special users (multiple logon)
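The password rules and the login/* profile parameters listed above, modelled as an added example that is not from these training notes. The parameter values, the USR40 entries, the wildcard handling ('*' any string, '?' one character) and the positional character-difference count are all assumptions, not SAP's own implementation.

```python
# Added example: a password-policy check modelled on the rules and profile
# parameters in the notes. Values below are constructed for illustration.
import re

# Assumed values for the profile parameters named in the notes.
PROFILE_PARAMS = {
    "login/min_password_lng": 8,
    "login/min_password_diff": 3,
    "login/password_expiration_time": 90,   # days
    "login/fails_to_user_lock": 5,
}

# Constructed USR40 entries (invalid password patterns).
# Assumption: '*' matches any string and '?' exactly one character.
USR40 = ["PASSWORD", "SAP*", "?1234*"]


def usr40_match(pattern, password):
    """Case-insensitive match of a USR40 wildcard pattern against a password."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, password, re.IGNORECASE) is not None


def password_violations(new_pw, old_pw="", params=PROFILE_PARAMS, usr40=USR40):
    """Return the list of rules a candidate password breaks (empty = accepted)."""
    problems = []
    # general rules that cannot be deactivated
    if len(new_pw) < 6:
        problems.append("shorter than six characters")
    if new_pw[:1] in ("?", "!"):
        problems.append("begins with ? or !")
    # rules controlled by profile parameters
    if len(new_pw) < params["login/min_password_lng"]:
        problems.append("shorter than login/min_password_lng")
    # simplified difference measure: positions that differ plus length delta
    diff = sum(1 for a, b in zip(new_pw, old_pw) if a != b) + abs(len(new_pw) - len(old_pw))
    if old_pw and diff < params["login/min_password_diff"]:
        problems.append("too similar to the previous password")
    # table USR40: list of invalid passwords
    if any(usr40_match(p, new_pw) for p in usr40):
        problems.append("listed in USR40")
    return problems


def password_expired(days_since_change, params=PROFILE_PARAMS):
    """True once the validity period (login/password_expiration_time) has passed."""
    return days_since_change > params["login/password_expiration_time"]


def lock_after_failures(failed_attempts, params=PROFILE_PARAMS):
    """True once the failed-attempt count reaches login/fails_to_user_lock."""
    return failed_attempts >= params["login/fails_to_user_lock"]


if __name__ == "__main__":
    print(password_violations("?abc"))
    print(password_violations("sapadmin1"))
```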
SPECIAL USERS
There are two types of special users:
I. Those created by installing the SAP system
II. Those created when you copy a client

During the installation of the SAP system, clients 000 and 066 are created.
SAP*: this is the only user in the system for which no user master record is required; the
password is PASS and the initial password is 06071992.

DDIC: this user is responsible for maintaining the ABAP Dictionary and the software
logistics. When you install the SAP system, a user master record is created in client
000 (001) with the default password 19920706. It is the only user that can log on to
the SAP system during the installation of a new release.
EARLYWATCH: this user is delivered in client 066 and is protected with the
password SUPPORT. The EarlyWatch experts at SAP work with this user. This user
should not be deleted.
In order to restrict SAP* access it is necessary to deactivate the special properties
of SAP*; to do this you must set the system profile parameter
login/no_automatic_user_sapstar to a value greater than zero.


SPECIAL AUTHORIZATION OBJECT
S_TABU_DIS: This defines which table contents may be maintained by
which employees. This object controls only complete accesses which are
made using standard table maintenance, extended table maintenance and
the Data Browser.
S_TABU_CLI: This grants the authorization to maintain cross-client tables
with standard table maintenance, extended table maintenance and the
Data Browser. It contains the following field
S_TABU_LIN: To display and change contents for only a certain work
area, such as a country or a plant.

S_PROGRAM: It is possible to check programs using this authorization
object. Programs are combined into program authorization groups and
can be protected from unauthorized access using the group.
USER AND AUTHORIZATION ADMINISTRATION
The following authorization objects are used to manage the principle of dual and
treble control.
FOR USERS
i. S_USER_GRP: this object is used to grant administrative rights for only a
certain user group in a decentralized administration.
ii. S_USER_SYSTEM: defines the systems a user administrator can access from
the central user administration and the activities allowed.
iii. S_USER_SAS: used to check the system-specific role and profile
assignments for users in the central user administration.
iv. S_USER_ADMIN: checks access to general administrative functions for
user and authorization administrators; this authorization object has one
authorization field.
v. S_USER_OBJ: used to protect access to the global deactivation of authorization
objects.

AUTHORIZATION OBJECTS FOR ROLES

i. S_USER_AGR: defines the role names for which an administrator is
authorized and the activities that are allowed; it can be used in a
decentralized administration to grant an administrator the authorization to
access certain roles.
ii. S_USER_TCD: defines the transactions an administrator may include in a
role.
iii. S_USER_VAL: defines which field values an administrator may enter in
roles, for which authorization object and which field.

AUTHORIZATION OBJECTS FOR PROFILES AND AUTHORIZATIONS

i. S_USER_PRO: defines the profile names for which an administrator has
authorization and the activities that are allowed.
ii. S_USER_AUT: used to grant an administrator the authorization to create
only certain authorizations in roles and thus prevent critical authorizations
from being created in roles.
iii. S_OC_ROLE: defines whether the user is an SAPoffice administrator or not.

ADMINISTRATORS
AUTHORIZATION DATA ADMINISTRATOR: creates the role, selects the
transactions and maintains the authorization data.
AUTHORIZATION PROFILE ADMINISTRATOR: starts transaction SUPC and
chooses all roles.

USER ADMINISTRATOR: assigns the role to users from user
maintenance. The profile is entered for the user. The user administrator may not
change the data of roles or generate or change profiles.
In a decentralized user administration, the administrative tasks are shared according
to certain criteria:
1. Application area/module
2. Location
3. Department
TROUBLESHOOTING AND ADMINISTRATION AIDS
You use SU53 to find the last failed authorization check for a user; if the
authorization check shows "authorization successful", it is not an
authorization problem. In that case we run an authorization trace.
The Audit Information System is used for:
a) System checks
b) Audits (business audit)
c) Tax audits
d) Internal auditing
e) External auditing

The AIS role improves the flow and quality of the check. AIS is used by auditors; the
AIS role is divided into two categories:
a) Business audit
b) System audit
These roles can be split into two groups:
I. Authorization roles
II. Transaction roles

UNIT 6
TRANSPORTING AUTHORIZATION
The authorization components that can be transported include:

User master records
Roles
Authorization profiles
Check indicators (USOBT_C, USOBX_C)

It is only possible to transport all user master records when performing a client copy.
Schedule the transport as a background job during the night; this helps avoid data
inconsistency.

The ways in which one can do a client copy are:

a. Local client copy: a copy carried out when a new client is filled with
data from another client of the same SAP system
b. Client transport: this transport exchanges its data via a data export at
operating system level
c. Remote client copy: the data is copied over the network and not as a file

ROLES WITHOUT CENTRAL USER ADMINISTRATION


If your developed roles are to be transported between clients or SAP systems, you
must differentiate between situations where CUA is implemented and those in
which it is not. If you are not using CUA, roles can be transported with their user
assignments.
The transport request is imported either into another SAP system with the Transport
Management System or into another client of the same SAP system using SCC1.
The user master records of the target client must be compared after the import.
By default, authorization profiles are transported with roles; if this is not desired,
you must prevent the profile export in the source system with the entry PROFILE_TRANSPORT =
NO in table PRGN_CUST.
TRANSPORTING ROLES WITH USER ASSIGNMENT

If you do not want the user assignments of roles to be transported, you can protect the
target system with an import lock.
ROLES WITH CENTRAL USER ADMINISTRATION
Roles must exist in the system in which they are assigned to users within the
central user administration. If systems are attached to a central user
administration, roles must be transported without user assignments, since these
assignments are made in and distributed from the central system. If user
assignments were transported, there would be a temporary inconsistency between
the actual state of the central system and its child systems.
UPLOADING AND DOWNLOADING ROLES
It is only possible to exchange data with transport requests between SAP systems
with the same release status. When you download a role, all its data is stored in a local
file, with the exception of generated authorization profiles and user assignments.
After an upload the role has to be edited and generated.
TRANSPORTING CUSTOMER CHECK INDICATORS
The customer tables USOBT_C and USOBX_C, which control the behavior of the
profile generator, must be filled in each system in which PFCG is used. They can
only be transported once they have been adjusted to the customer's needs.

UNIT 7
INTEGRATION INTO THE COMPANY LANDSCAPE
Using central user administration simplifies user administration. Central user
administration transfers only the assignment of users to roles and profiles, not
the authorization values that are contained in the authorization profiles. In the
central system, all the child systems and the central system are specified, while in each
child system, only the child system itself and the central system are defined.

Diagram: one CENTRAL SYSTEM connected to several CHILD SYSTEMs.

This must be performed using communication users with certain RFC
authorizations for central user administration in the relevant system.
Roles of the communication user in the central system:
SAP_BC_USR_CUA_CENTRAL, SAP_BC_USR_CUA_CENTRAL_BDIST,
SAP_BC_USR_CUA_SETUP_CENTRAL. These roles must be assigned as
copies in the customer namespace.
Roles of the communication user in the child system:
SAP_BC_USR_CUA_CLIENT, SAP_BC_USR_CUA_SETUP_CLIENT
The data sent (from where to where) is defined in the ALE DISTRIBUTION
MODEL. The distribution model is created, generated and distributed from transaction
BD64 in the central system. It only needs to be generated in each of the child systems.
Central User Administration is then activated centrally in transaction code SCUA.
Note the various possible distribution attributes of a user master record field:

1. Global: data can only be maintained in the central system and is distributed to the
child systems when saved.
2. Default: the default value is automatically distributed from the central system to the
child systems when saved. After distribution the data is only maintained locally.
3. Redistribution: data can be maintained in both the central and the child systems.
4. Local: data can only be administered locally.
5. Everywhere: data can be changed locally and globally. It is commonly used
when carrying out user locks.
COPYING USER MASTER RECORD
When copying user master records for use in the central system, the copy can be performed
once for each child system.
User identification: first and last name
Identical user: if the user identification is already in the central user
administration, the user is entered as an identical user.
Different user: if the user identification is in the central user administration
with a different first and last name.
New user: if the user is not yet contained in the central user administration.
INTEGRATION IN ORGANIZATIONAL MANAGEMENT
I. Define the root organization
II. Create additional organizational units
III. Edit the organizational structure
IV. Create jobs
V. Create positions
VI. Assign tasks

Indirect role assignment using the human resources organizational model: this is an
assignment whereby, when an employee changes position, only the organizational
unit has to be changed, since the authorizations do not move with the
individual.
STRUCTURE OF SAP ORGANIZATIONAL MANAGEMENT
An organizational plan is a set of information that dynamically describes the
structural and personnel environment of your company. Organizational plans are
created by linking objects of the following types with each other:
1. Organizational unit
2. Position
3. Job
4. Task
