In the World of SAP Authorizations – A Set of Concepts

A basic set of concepts from the world of SAP entitlements

We can agree that one of the least comfortable situations in a meeting or teleconference is when the people we are talking to use jargon or industry vocabulary that we do not know or, for various reasons, have not yet had time to learn.

This also happens in the world of SAP authorizations.

Therefore, I have collected for you the basic and most common terms and elements of the authorization area.

Or maybe such a list will be useful for beginners in the SAP authorization world?

SAP glossary

I give each term together with its equivalent in the English version of SAP.

Authorization (English: Authorization) - in simplest terms, what a user can do based on the roles and profiles assigned to their user account in SAP.
I have authorizations = I can operate on the system.

Transaction (English: Transaction) - an SAP function with which you perform an action on the system, e.g. SU01, MM03, XK02.

Role (English: Role) - the so-called authorization "bag", containing the authorization elements defined by the authorization administrator who created the role. Just creating a role and giving it a name and a description doesn't do anything; the role must have objects filled in, must be regenerated, and must be assigned to a user for the authorizations to work.

Single role (English: Single role) - a role containing transactions/authorization objects; it has only one profile after it is regenerated.

Collective role (English: Composite role) - a role consisting of at least two single roles; in other words, a collection of single roles. Collective roles are often used, for example, when creating position or process roles.

Reference role (English: Reference role) - otherwise known as the model role (for derived roles), containing transactions, authorization objects and organizational levels. Colloquially known as the "mother" role 😉.

Derivative role (English: Derived role) - a role created on the basis of a reference role. It contains the same transactions/reports/authorization objects as its reference role but has different values in the organizational levels. Derived roles are used, for example, for rollouts to subsequent companies within a given company. Commonly referred to as a "daughter" role 😉.

312 - the magic number... It indicates the maximum number of profiles that can be assigned to one user in SAP. More simply won't fit, or rather, the system won't allow you to assign them and save the changes.
If you encounter this problem, first consider at what point you lost control of privilege management. Are you sure your user needs so many roles?
Are they using them? (You can check per-user role usage with the SAST Authorization Management tool.)
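To make the 312-profile limit and the role types above concrete, here is an added example (not from the original post and not SAP or SAST code) that expands collective roles into single roles, counts a user's distinct profiles against the limit, and lists single roles assigned twice. All role, profile and user names are constructed, and the dictionaries stand in for an export of role assignments from your system.

```python
from collections import defaultdict

MAX_PROFILES = 312  # per-user profile limit stated in the post

# Constructed sample data (hypothetical role, profile and user names).
COMPOSITE_ROLES = {"ZC_BUYER": ["ZS_MM_DISPLAY", "ZS_PO_CREATE"]}
ROLE_PROFILES = {
    "ZS_MM_DISPLAY": ["T-MM000001"],
    "ZS_PO_CREATE": ["T-MM000002"],
    "ZS_VENDOR_EDIT": ["T-FI000001"],
}
USER_ROLES = {
    "JKOWALSKI": ["ZC_BUYER", "ZS_MM_DISPLAY", "ZS_VENDOR_EDIT"],
    "ANOWAK": ["ZS_MM_DISPLAY"],
}


def expand_roles(assigned):
    """Resolve collective roles to single roles and record how each arrived."""
    sources = defaultdict(list)
    for role in assigned:
        # A role that is not a known collective role is treated as single.
        for single in COMPOSITE_ROLES.get(role, [role]):
            sources[single].append(role)
    return sources


def audit_user(assigned, limit=MAX_PROFILES, warn_ratio=0.8):
    """Count distinct profiles for a (planned) assignment and flag problems."""
    sources = expand_roles(assigned)
    profiles = {p for single in sources for p in ROLE_PROFILES.get(single, [])}
    # Single roles reaching the user by more than one path are cleanup candidates.
    redundant = sorted(s for s, via in sources.items() if len(via) > 1)
    count = len(profiles)
    if count > limit:
        status = "OVER_LIMIT"   # the system would refuse to save this
    elif count >= limit * warn_ratio:
        status = "NEAR_LIMIT"
    else:
        status = "OK"
    return {"profiles": count, "headroom": limit - count,
            "redundant_roles": redundant, "status": status}


if __name__ == "__main__":
    for user, roles in USER_ROLES.items():
        print(user, audit_user(roles))
```

The `limit` and `warn_ratio` parameters are illustrative; the 80% warning threshold is an assumption, not an SAP setting.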

In my next post, which will appear in two weeks, I will introduce more concepts from the world of authorization.

If you feel that your organization could use a knowledge refresher or training "from scratch" in the area of SAP permissions - feel free to contact us.

We can conduct the workshop at the customer's premises, at our headquarters or 100% remotely.

Bernadeta Szwarc