
Thursday, July 4, 2013

CA GovernanceMinder - Import from SAP

SAP Authorization Concept Modules

The SAP authorization concept modules are color-coded in the hierarchy display. The basic terms of the concept are explained below, each with the standard color it has in that display; you should be familiar with them before you specify authorization field values.

Explanation of terms:

Object class

Object classes have an orange background in the hierarchy display.

Authorization objects are divided into classes for comprehensibility. An object class typically corresponds to an application area (for example Financial Accounting).

The SAP authorization concept object classes are under Tools → Administration → User maintenance → Authorizations.

Authorization objects

Authorization objects have a green background in the hierarchy display.

You may need several authorizations to perform an operation in the SAP System, and the resulting contexts can be complex. The SAP authorization concept, based on authorization objects, was designed to provide an understandable and simple procedure. Several system elements that are to be protected together form an authorization object.

An authorization object allows complex tests of an authorization against multiple conditions. Authorizations allow users to execute actions within the system. An authorization object groups up to ten fields that are combined by AND.

For an authorization check to be successful, all field values of the authorization object must be maintained in the user master.

You get the authorization object documentation by double-clicking an authorization object. The documentation describes how to maintain the authorization values.

Authorizations

Authorizations have a yellow background in the hierarchy display.
Authorization fields are light blue and their values are white.

An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user is authorized to perform an activity by comparing the specified authorization object field values in the program with the authorization values in the user master record.


T_9092029701 is an authorization for the authorization object F_KNA1_BUK with the following values:

  • * (all values) for company code, and

  • 01, 02 for activity

Use of an authorization: Specifies permissible authorization object field values.

Contents: One or more values for each field.

Authorizations allow you to specify any number of values or value ranges for a field. You can also allow all values, or allow an empty field as a permissible value.

Changes: All users with this authorization in their authorization profile are affected.

You can maintain authorizations manually with reference to the authorization object documentation, or by double-clicking a value field in the maintenance dialog box of the authorization:

You can select individual field values or choose Full Authorization.

Profile

User authorizations are not usually assigned directly to user master records, but grouped together in authorization profiles.

Authorizations can be collected in authorization profiles to reduce the maintenance effort which would be required to enter individual authorizations in the user master record. Access authorization changes affect all users with the profile in their master record.

You can create profiles manually, but you should use the Profile generator.

Use: Specifies authorizations in user master records

Contents: Specific access rights, identified by an object name and a corresponding authorization name.

Changes only take effect when the user next logs on. Users who are logged on when the change takes place are not affected in their current session.

In the example, T_58000097 is an authorization profile containing company code authorizations.

User Master Record

User master records enable the user to log onto the SAP System and allow access to the functions and objects in it, within the limits of the authorization profiles assigned to the user.

Changes only take effect when the user next logs on. Users who are logged on when the change takes place are not affected in their current session.

In the example a user whose user master record contains the profile T_58000097 can perform the activities in the profile authorizations.

When a transaction is called, a system program makes the following checks to ensure that the user has the appropriate authorization:

  • Is the transaction code valid? (table TSTC check)

  • Is the transaction locked by the system administrator? (table TSTC check)

  • Is the user authorized to call the transaction? The authorization object S_TCODE (call transaction) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.

  • Does the transaction code have an authorization object? If so, a check is made that the user has authorization for this authorization object.

If one of these checks fails, the transaction is not called and the system sends a message.

If the transaction is called, it calls an ABAP program which makes further authorization checks with the AUTHORITY-CHECK command. The programmer specifies an authorization object and the required values for each authorization field.

AUTHORITY-CHECK checks whether the user has the appropriate authorization. To do this, it searches the authorization profiles in the user master record for an authorization for the authorization object specified in the command.

If the authorization is found and it contains the correct values, the check is successful.
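The following Python model, an added example and not code from SAP or from CA GovernanceMinder, works through the two-stage check just described: the checks made when a transaction is called (table TSTC, S_TCODE/TCD, the transaction's own authorization object) and then AUTHORITY-CHECK, which needs one authorization for the object whose fields cover all required values (AND), with "*" as full authorization. Permitted values are held as (LOW, HIGH) pairs like the AGR_1252 columns shown later on this page. The TSTC entries, the S_TCODE authorization name T_TCODE_FD, the user JSMITH and the field names BUKRS and ACTVT for F_KNA1_BUK are constructed sample data; the authorization T_9092029701 and profile T_58000097 are the ones from the text.

```python
from dataclasses import dataclass

# Each permitted field value is a (LOW, HIGH) pair, mirroring the LOW/HIGH
# columns of the AGR_1252 sample on this page. HIGH == "" means a single value
# (a trailing "*" matches any suffix, "*" alone is full authorization);
# otherwise LOW..HIGH is an inclusive range.
@dataclass
class Authorization:
    name: str
    obj: str      # authorization object, e.g. F_KNA1_BUK
    fields: dict  # field name -> tuple of (LOW, HIGH) pairs

@dataclass
class Profile:
    name: str
    authorizations: tuple

@dataclass
class UserMaster:
    bname: str
    profiles: tuple

def field_permits(pairs, value):
    """True if at least one (LOW, HIGH) pair of a field covers the requested value."""
    for low, high in pairs:
        if high:
            if low <= value <= high:
                return True
        elif low == "*" or low == value or (low.endswith("*") and value.startswith(low[:-1])):
            return True
    return False

def authority_check(user, obj, **required):
    """AUTHORITY-CHECK: the user needs ONE authorization for OBJ, in any profile of
    the user master record, whose fields cover ALL required values (AND).
    A required field the authorization does not maintain at all fails the check."""
    for profile in user.profiles:
        for auth in profile.authorizations:
            if auth.obj == obj and all(
                field_permits(auth.fields.get(f, ()), v) for f, v in required.items()
            ):
                return True
    return False

# Constructed stand-in for transaction table TSTC (hypothetical entries):
# tcode -> (locked by administrator?, optional (authorization object, required values)).
TSTC = {
    "FD02": (False, None),
    "FD03": (False, ("F_KNA1_BUK", {"BUKRS": "1000", "ACTVT": "03"})),
    "SE16": (True, None),
}

def can_call_transaction(user, tcode):
    """The checks made when a transaction is called, in the order listed above."""
    if tcode not in TSTC:                                  # 1. valid transaction code?
        return False
    locked, extra = TSTC[tcode]
    if locked:                                             # 2. locked by the administrator?
        return False
    if not authority_check(user, "S_TCODE", TCD=tcode):    # 3. S_TCODE, field TCD
        return False
    if extra is not None:                                  # 4. transaction's own object
        obj, values = extra
        return authority_check(user, obj, **values)
    return True

def sample_user():
    """User master record holding profile T_58000097 with the authorizations from the text."""
    t_9092029701 = Authorization(
        "T_9092029701", "F_KNA1_BUK",
        {"BUKRS": (("*", ""),), "ACTVT": (("01", ""), ("02", ""))},
    )
    # Hypothetical S_TCODE authorization allowing the user to call FD02 and FD03.
    t_tcode = Authorization("T_TCODE_FD", "S_TCODE", {"TCD": (("FD02", ""), ("FD03", ""))})
    return UserMaster("JSMITH", (Profile("T_58000097", (t_9092029701, t_tcode)),))

if __name__ == "__main__":
    u = sample_user()
    print(authority_check(u, "F_KNA1_BUK", BUKRS="1000", ACTVT="01"))  # True
    print(authority_check(u, "F_KNA1_BUK", BUKRS="1000", ACTVT="03"))  # False
    print(can_call_transaction(u, "FD02"), can_call_transaction(u, "FD03"))  # True False
```

Note the AND semantics in `authority_check`: FD03 is rejected although the user holds an S_TCODE value for it, because the transaction's own object requires ACTVT 03, which T_9092029701 does not grant. For an auditor reviewing an import, this is the reason a user's transaction list alone says little; the field values of every authorization object count.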

The SAP Interface takes as input several SAP tables that describe users, roles, and authorization objects.

Roles in SAP are called AGRs (activity groups).

The import process produces the following configurations:

1. Full import (down to the object level) (example: sap_full_2.cfg)

2. Full import filtered by active users only (example: sap_full_2_ACTIVE_USERS.cfg)

3. “SAP Profiles as resources” (No Authorization objects and Objects) (profiles_as_res.cfg)

4. “SAP Profiles as resources” filtered by active users only (profiles_as_res_ACTIVE_USERS.cfg)

5. “SAP Roles+Profiles as resources” (No Authorization objects and Objects) (roles_as_res.cfg)

6. “SAP Roles+Profiles as resources” filtered by active users only (roles_as_res_ACTIVE_USERS.cfg)

Preparation:

  • The following 11 tables are needed in CSV format (see examples below). A header line in each file is mandatory.

To extract the SAP tables, use one of the SQL files attached in the SAP_Import.ZIP package.

There is one SQL command template for Oracle DB and one for MS SQL DB.

Below is the list of SAP R/3 security tables required by the RCM SAP import script:

  • USR02 – Logon data

  • AGR_1251 – Authorization data for the activity group

  • AGR_1252 – Organizational elements for authorizations

  • AGR_AGRS – Roles in composite roles

  • AGR_USERS – Assignment of roles to users

  • UST04 – Users to profiles (multiple rows per user)

  • USR11 – Text for authorization profiles

  • AGR_DEFINE – Role definition

  • AGR_TEXTS – Role description

  • AGR_PROF – Role to profiles connector

  • USR05 – User parameters

SAP tables examples

  1. USR02 – users

HEADER: MANDT,BNAME,BCODE,GLTGV,GLTGB,USTYP,CLASS,LOCNT,UFLAG,ACCNT,ANAME,ERDAT,TRDAT,LTIME,OCOD1,BCDA1,CODV1,OCOD2,BCDA2,CODV2,OCOD3,BCDA3,CODV3,OCOD4,BCDA4,CODV4,OCOD5,BCDA5,CODV5,VERSN,CODVN,TZONE,ZBVMASTER,PASSCODE,PWDCHGDATE,PWDSTATE,RESERVED,PWDHISTORY,PWDLGNDATE,PWDSETDATE,PWDINITIAL,PWDLOCKDATE

The connector adds the HR attribute “EXPIRED” to every user whose validity period, from GLTGV (“from date”) to GLTGB (“to date”), does not include today’s date.

  2. AGR_AGRS – roles and role structure

  3. AGR_USERS – user-role memberships

The connector does not import user-to-AGR links whose FROM_DAT/TO_DAT validity range does not include today’s date.

  4. AGR_1251 – objects and fields

  5. AGR_1252 – organizational elements for authorizations (LOW/HIGH values per variable)

HEADER: MANDT,AGR_NAME,COUNTER,VARBL,LOW,HIGH

Example:

400,/ATL/CV_LM,1,$BUKRS,*,
400,/ATL/CV_LM,2,$KOKRS,*,
400,/ATL/CV_LM,3,$PRCTR,*,

  6. UST04 – users to profiles

  7. USR11 – profiles

  8. AGR_PROF – AGR to profiles links

  9. AGR_TEXTS – AGR description file

Only lines with SPRAS="E" are loaded (E = English).

  10. AGR_DEFINE – role derivation information

  11. USR05 – USER_RES links (users to parameters)
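The three filtering rules stated for the extracts (USR02 users outside GLTGV..GLTGB get the EXPIRED attribute, AGR_USERS links outside FROM_DAT..TO_DAT are not imported, and only AGR_TEXTS lines in language E are loaded) are shown here in Python as an added example; this is not the RCM import script or any CA code. The CSV extracts are constructed sample data with only a subset of the real columns, the role names are made up, and the treatment of an empty or 00000000 date as "no limit" is an assumption about SAP DATS values rather than something this page states.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample extracts with the mandatory header line (not real SAP data;
# only a subset of the USR02 columns listed on this page is included).
USR02_CSV = """MANDT,BNAME,GLTGV,GLTGB,USTYP
400,ALICE,20100101,00000000,A
400,BOB,20100101,20121231,A
400,CAROL,20200101,99991231,A
"""

AGR_USERS_CSV = """MANDT,AGR_NAME,UNAME,FROM_DAT,TO_DAT
400,Z_FI_CLERK,ALICE,20100101,99991231
400,Z_FI_CLERK,BOB,20100101,20121231
400,Z_CO_ANALYST,CAROL,00000000,00000000
"""

AGR_TEXTS_CSV = """MANDT,AGR_NAME,SPRAS,LINE,TEXT
400,Z_FI_CLERK,E,00000,FI clerk
400,Z_FI_CLERK,D,00000,FI-Sachbearbeiter
400,Z_CO_ANALYST,E,00000,CO analyst
"""

def parse_dats(value):
    """SAP DATS value (YYYYMMDD) -> date; empty or 00000000 -> None, meaning no limit
    (assumption about how unset SAP dates appear in the extract)."""
    value = (value or "").strip()
    if value in ("", "00000000"):
        return None
    return datetime.strptime(value, "%Y%m%d").date()

def in_validity_range(from_dat, to_dat, today):
    """True when today lies inside the inclusive [from, to] range; an open end never restricts."""
    start, end = parse_dats(from_dat), parse_dats(to_dat)
    return (start is None or start <= today) and (end is None or today <= end)

def rows(csv_text):
    """Read a CSV extract; the header line is mandatory and names the columns."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def load_users(csv_text, today):
    """USR02: every user is imported; those outside GLTGV..GLTGB get the HR attribute EXPIRED."""
    return {
        r["BNAME"]: {"EXPIRED": not in_validity_range(r["GLTGV"], r["GLTGB"], today)}
        for r in rows(csv_text)
    }

def load_role_memberships(csv_text, today):
    """AGR_USERS: user-to-AGR links outside FROM_DAT..TO_DAT are skipped, not imported."""
    return [
        (r["UNAME"], r["AGR_NAME"])
        for r in rows(csv_text)
        if in_validity_range(r["FROM_DAT"], r["TO_DAT"], today)
    ]

def load_role_texts(csv_text, language="E"):
    """AGR_TEXTS: only lines whose SPRAS equals the wanted language (E = English) are loaded."""
    return {r["AGR_NAME"]: r["TEXT"] for r in rows(csv_text) if r["SPRAS"] == language}

if __name__ == "__main__":
    today = date(2013, 7, 4)   # fixed reference date so the run is reproducible
    print(load_users(USR02_CSV, today))
    print(load_role_memberships(AGR_USERS_CSV, today))
    print(load_role_texts(AGR_TEXTS_CSV))
```

Note that the two date rules behave differently: an expired user is still imported and merely flagged, so the reviewer sees the account and its remaining profiles, whereas an expired role assignment disappears from the import altogether. When reconciling GovernanceMinder against SAP, keep that asymmetry in mind before treating a missing role link as a removed privilege.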