6-Tiered Approach to SAP Security and Authorizations & the SAP Authorization Concept
SAP has a wide range of built-in functionality to meet various security requirements, including network protection, data protection, and SAP authorizations. By applying SAP authorization concepts, user access can be limited by transaction codes, organizational levels, field values, etc. SAP Security and Authorizations is designed so that the system must explicitly indicate what each user can do. This is done by assigning authorization roles, which are groupings of profiles comprised of authorizations.
The basic architecture of SAP Security and Authorizations is a 6-tiered approach:
1. User Master Record: Accounts for users to enable access to the SAP system; primarily used for user administration purposes.
2. Role: Compilation of transactions and permissions that are assigned to one or more user master records; usually includes commonality amongst a job role or job task.
3. Profile: Assigned when a role is generated and added to its corresponding user master record.
4. Authorization Object Class: Logical grouping of authorization objects by business area.
5. Authorization Object: Groupings of 1-10 authorization fields; configuration is performed against authority check statements written in the SAP code.
6. Authorization Field: Least-granular element in which values can be maintained to secure data and information.
Authorizations can be useful in limiting access to items such as billing and vendor information, personnel and payroll information, key financial data, and critical system areas such as Basis, configuration, development, and security. Users obtain their authorizations by being assigned to roles; without the proper role assignment a user can neither start nor complete a transaction. In order to perform an action, a user may need several authorizations. For example, in order to create a sales order, the user will need access to the transaction, the “create” authorization, general authorization for the sales organization, and the authorization for the specific sales document type. Therefore, the relationships required in order to meet user access requirements can become very complex.
The *SAP authorization concept* was created on the basis of authorization objects. Each authorization object is comprised of multiple authorization fields. A user’s permissions always refer to authorization objects, which can contain a single value or a range of values for each field. Both report and dialog transactions in SAP have predefined “authorization checks” embedded in the program logic which protect the functions and information within them.
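The sales order example above and the evaluation rule for authority checks, as an added illustration that is not from the page or from SAP itself: a small model of the user master record → role → profile → authorization → object → field chain, in which a check succeeds only if a single authorization for the object covers every field it tests (values from separate authorizations are never combined). S_TCODE, V_VBAK_VKO, V_VBAK_AAT and their fields are real SAP objects; the roles, users and values are constructed sample data.

```python
# Added example, not from the page or from SAP: a model of how an
# AUTHORITY-CHECK is decided against a user's roles -> profiles -> authorizations.
# S_TCODE, V_VBAK_VKO, V_VBAK_AAT are real SAP objects; roles/users/values are constructed.
from dataclasses import dataclass

@dataclass
class Authorization:
    obj: str                      # authorization object, e.g. 'V_VBAK_VKO'
    fields: dict[str, list[str]]  # field -> maintained values ('*' = all, 'A-B' = range)

# A role's generated profile is its list of authorizations; a user is its assigned roles.
Role = list[Authorization]
User = list[Role]

def value_allowed(maintained: list[str], actual: str) -> bool:
    """A field passes if any maintained single value, range or '*' covers it."""
    for v in maintained:
        if v == "*" or v == actual:
            return True
        lo, _, hi = v.partition("-")
        if hi and lo <= actual <= hi:
            return True
    return False

def authority_check(user: User, obj: str, **required: str) -> bool:
    """Succeeds if ONE authorization for obj satisfies EVERY required field (no merging)."""
    return any(
        auth.obj == obj
        and all(value_allowed(auth.fields.get(f, []), v) for f, v in required.items())
        for role in user for auth in role
    )

def can_create_sales_order(user: User, vkorg: str, auart: str) -> bool:
    """The chain of checks the text describes for creating a sales order (VA01)."""
    return (authority_check(user, "S_TCODE", TCD="VA01")
            and authority_check(user, "V_VBAK_VKO", VKORG=vkorg, VTWEG="10", SPART="00", ACTVT="01")
            and authority_check(user, "V_VBAK_AAT", AUART=auart, ACTVT="01"))

# Constructed roles: create/change/display in sales org 1000 for type OR; display-only in 2000.
SD_CLERK_1000: Role = [
    Authorization("S_TCODE", {"TCD": ["VA01", "VA02", "VA03"]}),
    Authorization("V_VBAK_VKO", {"VKORG": ["1000"], "VTWEG": ["*"], "SPART": ["*"], "ACTVT": ["01-03"]}),
    Authorization("V_VBAK_AAT", {"AUART": ["OR"], "ACTVT": ["01-03"]}),
]
SD_VIEWER_2000: Role = [
    Authorization("S_TCODE", {"TCD": ["VA03"]}),
    Authorization("V_VBAK_VKO", {"VKORG": ["2000"], "VTWEG": ["*"], "SPART": ["*"], "ACTVT": ["03"]}),
    Authorization("V_VBAK_AAT", {"AUART": ["*"], "ACTVT": ["03"]}),
]
ALICE: User = [SD_CLERK_1000, SD_VIEWER_2000]
```

Holding both roles lets ALICE create orders in sales org 1000 but not in 2000: the display authorization for 2000 and the create authorization for 1000 are evaluated separately, which is also why shared roles, rather than the check itself, are where access creep tends to enter.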
The basis of an organization’s role design should always be the rule of least privilege, which is the SAP Security best practice of giving users exactly what they need to perform their job responsibilities, not much more, and not much less. Access creep is the adversary of this principle: users may retain unnecessary access after a job function change, or may receive unnecessary access when permissions or transactions are added to roles shared between users who have similar, but not identical, responsibilities. Ultimately, security is the gateway to the SAP system, but it can often be difficult to manage and understand. Information stored in SAP is a valued business asset, and SAP Security can aid an organization by increasing flexibility and customization at the user level and protecting critical information from unauthorized use.
For more information on SAP Security and Authorizations, continue reading in Beginner's Guide to SAP Security and Authorizations by Tracy Juran. This book includes SAP best practices for user and role maintenance and how to create an SAP Security design that is both low maintenance and scalable. You will learn how to use and interpret SAP authorizations and troubleshoot security and authorization issues. Lastly, you will discover some advanced topics surrounding SAP authorizations, including an overview on upgrading your SAP Security environment and reducing avoidable segregation of duties conflicts.
Access Beginner's Guide to SAP Security and Authorizations and Espresso Tutorials' entire library of SAP books for FREE by starting a free 14-day trial to the SAP eBook Library.