Monday 18 March 2013

What is SAP Security?

Providing business users with access appropriate to their responsibilities, or, put differently, granting permissions by means of roles.

  • Roles are a combination of transactions, reports, menus and so on.
  • Profiles are associated with roles.
  • Profiles are a combination of authorization objects.

Authorization:
  An authorization enables you to perform a particular activity in the SAP system, based on a set of authorization object field values.

Authorization Object:
  An authorization object groups up to ten authorization fields.

Authorization field:
  Contains the value that you defined. It is connected to the data elements stored in the ABAP Dictionary.

Object Class:
  A group of related authorization objects.

Example hierarchy:

  BC-A, BC-B, BC-C                  => Object classes
  S_TCODE, S_PROGRAM, S_USER_AUTH   => Authorization objects
  Authorization object              => collection of authorization fields (at most 10)

  • Field values are maintained in authorizations.
  • Organizational values are used to segregate users by company code, plant or purchasing authorization.
  • Up to 150 profiles can be included in one role.
  • All standard authorization objects are stored in USOBT and USOBX (Text, Data).
  • After installation you need to fill the customer tables USOBT_C and USOBX_C.

Transactions:

  SU22/SU24  -> Maintain authorization objects for transaction codes
  SU21       -> Maintain object classes
  SU20       -> Maintain authorization fields
  SU02       -> Manually create profiles
  SU03       -> Manually create authorizations


How to Create and Use the Authorization Objects in ABAP
Authorization objects are used to control the current user's privileges for specific data selections and activities from within a program.

Steps to create an authorization field

1. Go to transaction code SU20.
2. Click the Create button on the application toolbar.
3. Enter "ZTCODE" in the Field Name and "TCODE" in the Data Element, then press Enter.
4. Click the Save button on the system toolbar.

The next step is to create the authorization class (see #1 in figure 1) and the authorization object (see #2 in figure 1).

Steps to create an authorization class

1. Go to transaction code SU21.
2. Click on the Create button's drop-down icon and select "Object Class".
3. Enter "ZTRN" in the Object Class field.
4. Give it a description and save it.


Steps to create an authorization object

1. Again in SU21, in the list of authorization classes (folder icon), click the one that we created (ZTRN).
2. Click on the Create button's drop-down, this time selecting "Authorization Object".
3. Enter "Z_TCODE" in the Object field and give it a description.
4. In the authorization fields section, enter ACTVT and ZTCODE. ACTVT is used to set and limit the activity of the user, while ZTCODE is the authorization field that we created earlier, which is responsible for holding a list of transaction codes.
5. Under Further Authorization Object Settings, click the "Permitted activities" button. Here we select the specific activities that we want to be available for our authorization object.
6. As an example, we will select 01 (Create), 02 (Change) and 03 (Display).
7. Save and exit.

Now that we are done creating our own authorization object, let us use it and assign it to a user.

Steps to create a role (see figure 2)

1. Go to transaction code PFCG.
2. Enter "ZAUTHTEST" in the Role field and click the "Single Role" button.
3. Give it a description, click the Save button and then click the Authorizations tab.
4. Click the "Change Authorization Data" button inside the Authorizations tab.
5. Click the "Manually" button on the application toolbar, type in the name of the authorization object that we created earlier ("Z_TCODE") and press Enter.
6. Expand all the nodes, double-click the input field of the Activity and select activities 01 and 02.
7. Enter the transaction code of our own ABAP program in the ZTCODE field; in our example I used "ZCOMM".
8. Also, do not forget to add the S_TCODE authorization object and enter ZCOMM in its field.
9. Click the Generate button in the application toolbar and press Enter on the pop-up screen.
10. Press the Back button, assign a specific user on the User tab and click the User Comparison button.
11. Now create another role by repeating steps 1 to 9, but this time select activity 03 in step 6.
12. Then assign this second role to another user.
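To show how a program actually enforces the object built above, here is an added example (not code from the original post) of what the report behind transaction ZCOMM could look like. It assumes the authorization object Z_TCODE with fields ACTVT and ZTCODE exists as created in the steps, that transaction ZCOMM starts this report, and that the two roles from the steps are assigned: the first (activities 01, 02) passes the change check, the second (03) only the display check.

```abap
*&---------------------------------------------------------------------*
*& Report ZCOMM (added example; assumes object Z_TCODE from the steps
*& above and a transaction ZCOMM that starts this report)
*&---------------------------------------------------------------------*
REPORT zcomm.

" Unticked = display only, ticked = the user wants to change data
PARAMETERS p_change AS CHECKBOX.

DATA lv_actvt TYPE c LENGTH 2.

START-OF-SELECTION.

* Starting the transaction is already protected by the kernel's S_TCODE
* check (that is why S_TCODE was added to the role). The finer-grained
* decision, display versus change, is the program's responsibility.
  IF p_change = 'X'.
    lv_actvt = '02'.   " Change
  ELSE.
    lv_actvt = '03'.   " Display
  ENDIF.

* The fields of one authorization object are combined with AND: the user
* needs an authorization whose ACTVT contains lv_actvt AND whose ZTCODE
* contains 'ZCOMM'. Role 1 (01,02) therefore passes only the change
* check, role 2 (03) only the display check.
  AUTHORITY-CHECK OBJECT 'Z_TCODE'
    ID 'ACTVT'  FIELD lv_actvt
    ID 'ZTCODE' FIELD 'ZCOMM'.

  CASE sy-subrc.
    WHEN 0.
      WRITE: / 'Authorized for activity', lv_actvt, 'in ZCOMM'.
    WHEN 4.
      " No matching authorization in the user master: refuse and name the
      " object and activity so the role can be corrected in PFCG.
      MESSAGE 'No authorization for object Z_TCODE with this activity'
        TYPE 'E'.
    WHEN OTHERS.
      " 12 = object unknown, 24 = field names do not match the object, ...
      " Any other return code is also treated as a denial, never as success.
      MESSAGE 'Authorization check for Z_TCODE failed' TYPE 'E'.
  ENDCASE.
```

The check runs inside the program, so a user who can start ZCOMM via S_TCODE but lacks the matching Z_TCODE authorization gets the error message instead of the data.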

SAP Authorization Concept

The basic terms of the SAP authorization concept are explained below, before you specify the authorization field values. The colors named for each module are the standard colors used in the hierarchy display.

Explanation of terms:

Object class
  1. Object classes have an orange background in the hierarchy display.
  2. Authorization objects are divided into classes for comprehensibility. An object class corresponds, for example, to an application (Financial Accounting, etc.).
  3. The object classes of the SAP authorization concept are found under Tools --> Administration --> User maintenance --> Authorizations.

Authorization objects
  1. Authorization objects have a green background in the hierarchy display.
  2. You may need several authorizations to perform an operation in the SAP System, and the resulting contexts can be complex. The SAP authorization concept, based on authorization objects, was designed to provide an understandable and simple procedure: several system elements that are to be protected together form an authorization object.
  3. An authorization object allows complex tests of an authorization against multiple conditions. Authorizations allow users to execute actions within the system. An authorization object groups up to ten fields that are related by AND.
  4. For an authorization check to be successful, all field values of the authorization object must be maintained in the user master.
  5. You get the authorization object documentation by double-clicking an authorization object. The documentation describes how to maintain the authorization values.
Authorizations
  Authorizations have a yellow background in the hierarchy display. Authorization fields are light blue and their values are white.

  An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

  The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user is authorized to perform an activity by comparing the authorization object field values specified in the program with the authorization values in the user master record.

  Example: T_9092029701 is an authorization for the authorization object F_KNA1_BUK with the following values:
    *       for company code
    01, 02  for activity

  Use: Specifies permissible authorization object field values.

  Contents: One or more values for each field. Authorizations allow you to specify any number of values or value ranges for a field. You can also allow all values, or allow an empty field as a permissible value.

  Changes: All users with this authorization in their authorization profile are affected. You can maintain authorizations manually with reference to the authorization object documentation, or by double-clicking a value field. You can select individual field values or choose Full Authorization.

Profile
  User authorizations are not usually assigned directly to user master records, but grouped together in authorization profiles.

  Authorizations can be collected in authorization profiles to reduce the maintenance effort that would be required to enter individual authorizations in the user master record. Access authorization changes affect all users with the profile in their master record.

  You can create profiles manually, but you should use the Profile Generator.

  Use: Specifies authorizations in user master records.

  Contents: Specific access rights, identified by an object name and a corresponding authorization name.

  Changes: Only take effect when the user next logs on. Users who are logged on when the change takes place are not affected in their current session.

  In the example, T_58000097 is an authorization profile containing company code authorizations.

User master record
  User master records enable the user to log on to the SAP System and allow access to the functions and objects in it, within the limits of the specified authorization profiles.

  Changes: Only take effect when the user next logs on. Users who are logged on when the change takes place are not affected in their current session.

  In the example, a user whose user master record contains the profile T_58000097 can perform the activities in the profile's authorizations.