Requirements to an authorization concept
A good authorization concept should have the following characteristics:
- Reliability
- Security
- Testability
- Flexibility
- Comprehensibility
Functional structure
The authorization concept of SAP represents the fundamental security function of the system. All relevant security functions are controlled via the authorization concept, as for example the adjustments of system modifications or the segregation of duties within the modules. The main principle, on which the authorization concept is set up, is the protection of individual fields. Every user works with screens that again consist of several fields.
It should not be possible for every user to have unrestricted access to all fields including all potential values. The users should only get access to the individual fields in a way that this complies with a work related need. This way, the fields are protected from unauthorized accesses.
With regard to this, authorization objects were created in the SAP system that again were laid over the individual fields the same as a mask. This mask can exist of up to ten fields. In this mask, the options that will be assigned to the user are maintained. In Release ECC 6 2.580, 4.7 there are about 1033, in 4.6C 947, in 4.6B 891 and in 4.0B 711 predefined authorization objects.
Analysis of an authorization object:
| Authorization object | Authorization field | Authorization value | Description |
| F_KNA1_BUK | ACTVT
BUKRS |
03
$BUKRS |
Determination Activity
Determination in which company code dependent part of the master data, the activity defined ahead, may be executed. |
As they are named values assigned to the authorization object, then the field company code can be brought to display for the company code 0001.
With the assignment of values to the participating fields in this authorization object, an authorization to this object is created.
SAP works transaction controlled. That means that basically every application within SAP is represented by a transaction.
To every authorization object an unlimited number of authorizations can be created, resulting from the diverse combination possibilities of the field values with one another.
An authorization cannot be assigned directly to a user instead authorizations are collected in a profile. The profiles, in which authorizations are collected, are also called single profiles. Starting with the profile level, an assignment to users can succeed. SAP allows furthermore that profiles may be combined in composite profiles. In composite profiles, no authorizations are combined, only other profiles.
The most popular composite profile is the SAP_ALL profile, which contains (just about) all authorizations of the SAP-System. The profile SAP_ALL contains no authorizations, but other profiles. In a profile, either authorizations or profiles can be entered, but a combination of both is not possible.
These composite profiles can also be nested in other composite profiles. Concerning the nesting depth on the composite profile level there are no limitations other than related to the database structure [300 profile entries per composite profile]. Composite profiles are assigned to users just like single profiles. The user then receives all authorizations that are contained in the profiles of the composite profiles.
With the integration of the profile generator into SAP, profiles are created with the help of this tool. The profile generator creates roles. A role is similar to a container for one or more profiles that are generated and contain the defined authorizations. Roles may be combined as composite roles. The nesting depth is limited to one level only.
Roles as well as composite roles may be assigned to users.
