Saturday, February 25, 2012

What are the Users, Roles, and Authorizations in SAP


SAP security is based on authorization objects and authorizations. An authorization object is used to indicate that a user can perform a certain activity. An authorization is used to limit the scope of that activity.
For example, a profile contains the S_DEVELOP authorization object. This authorization object allows a user to perform ABAP workbench activities. Some users will need to do all ABAP activities while others will only need to perform a few. So S_DEVELOP has a selection of authorizations you can use: ACTVT, DEVCLASS, OBJNAME, OBJTYPE, and P_GROUP. The authorizations are set to the appropriate values as needed. A tree view of the S_DEVELOP authorization object can be seen below:
S_DEVELOP
    ACTVT
        Create or generate
        Change
        Display
        Delete
        Activate, generate
        Execute
        Create in DB
        Delete in DB
        Convert to DB
        Administer
        Copy
        All Functions
        Deactivate Mod. Assistant
    DEVCLASS
        Single Value or Value Range
    OBJNAME
        Single Value or Value Range
    OBJTYPE
        Single Value or Value Range
    P_GROUP
        Single Value or Value Range
The S_DEVELOP authorization object in a profile lets a user perform ABAP workbench activities. But an S_DEVELOP authorization object with the ACTVT authorization value set to Display (03) limits the user to display only in the ABAP workbench transactions. Thus we see that authorization objects grant while authorizations limit. It is important to remember, however, that a user whose profile has an S_DEVELOP with full authorizations still cannot access an ABAP workbench transaction until a matching S_TCODE (start up transaction code) has been added as well. In other words, a user may have the rights to add, modify and delete ABAP programs, but until an entry for SE38 has been added to the S_TCODE authorization object, he cannot access transaction SE38, which is the ABAP Editor.
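The two gates described above, as a simplified Python model added here for illustration (it is not SAP code and not from the original post). Assumptions: TCD is the field of S_TCODE, activity 02 is Change, and the sample profiles, the PROG/Z*/ZREPORT values and all function names are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample profiles: each authorization is (object, {field: values}).
# A value is "*" (full authorization), a single value, a pattern such as "Z*",
# or a (low, high) tuple for a value range.
DISPLAY_ONLY = [
    ("S_TCODE", {"TCD": ["SE38"]}),
    ("S_DEVELOP", {"ACTVT": ["03"], "DEVCLASS": ["*"], "OBJTYPE": ["PROG"],
                   "OBJNAME": ["Z*"], "P_GROUP": ["*"]}),
]
FULL_BUT_NO_TCODE = [
    ("S_DEVELOP", {"ACTVT": ["*"], "DEVCLASS": ["*"], "OBJTYPE": ["*"],
                   "OBJNAME": ["*"], "P_GROUP": ["*"]}),
]


def value_allowed(allowed, wanted):
    """True if `wanted` is covered by any single value, pattern or range."""
    for entry in allowed:
        if isinstance(entry, tuple):
            low, high = entry
            if low <= wanted <= high:
                return True
        elif fnmatchcase(wanted, entry):
            return True
    return False


def authority_check(authorizations, obj, **fields):
    """Pass if ONE authorization for `obj` covers EVERY requested field."""
    for name, granted in authorizations:
        if name != obj:
            continue
        if all(value_allowed(granted.get(f, []), v) for f, v in fields.items()):
            return True
    return False


def se38_allowed(authorizations, actvt, objname):
    """Gate 1: S_TCODE to start SE38. Gate 2: S_DEVELOP for the activity."""
    if not authority_check(authorizations, "S_TCODE", TCD="SE38"):
        return False  # full S_DEVELOP does not help without the S_TCODE entry
    return authority_check(authorizations, "S_DEVELOP", ACTVT=actvt,
                           OBJTYPE="PROG", OBJNAME=objname)
```

When reviewing roles, the same logic explains why a broad S_DEVELOP in a profile is only reachable through the transactions its S_TCODE values list, so both objects have to be read together.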
All authorization objects and authorizations are grouped into profiles before being attached to users. Profiles use a combination of authorization objects and their respective authorizations, and their creation can be complex as well as tedious. In order to simplify the creation of profiles, the Profile Generator (transaction PFCG) was created. Roles are created via a more user-friendly interface which generates profiles based on the information added via this interface.
Manually creating profiles is the “old” way of doing things. There are times, such as the start of a new SAP landscape where no roles exist, when the use of profiles is handy. But once the landscape has been completed, all users, with the exception of the Basis team, should be attached to roles. There should never be a need to manually create a new SAP profile. To add a new role, the easiest method is to copy an existing role that matches your needs as closely as possible and make the changes you need for the new role.
