We can agree that one of the least comfortable situations at a meeting or teleconference is when our interlocutors use jargon or industry vocabulary that we do not know or with which, for various reasons, we have not yet had time to listen.
This also happens in the world of SAP authorisations.
Therefore, I have collected for you the basic and most common issues and elements of the authorization area.
Or maybe such a list will be useful for beginners and adepts of the sap authorization world?
The issues are listed together with their equivalents in the English language version of SAP.
Permission/Authorisation(an English therm)- to put it simply, what a user can do based on the roles and profiles assigned to their user in SAP.
I have permissions = I can run on the system.
Transaction (an English therm) –SAP function that you perform on the system, such as SU01, MM03, XK02
Role (an English therm) – the so-called authorization "bag", which contains permission elements defined by the permission administrator who created the role. Creating a role by itself, giving a name and description does not do anything, the role must have filled objects and must be regenerated and assigned to the user in order for the permissions to work.
Single role (an English therm) – A role that contains transactions/permission objects has only one profile when it is regenerated.
Composite role (an Englsih therm) – A role that consists of two or more single roles, otherwise known as a collection of single roles. Composite roles are often used, for example, when creating job or process roles.
Reference role (an English therm) – Otherwise known as a role model (for derived roles), containing transactions, authorization objects, and organizational levels. Colloquially known as the "mother" role. 😉
Derived role (an English therm) – a role created from a reference role contains the same transactions/reports/authorization objects as its reference role, but has different values at the organizational levels. They are used, for example, for rollouts to subsequent companies of the enterprise. Colloquially known as the "daughter" role. 😉
312 – the magic number ... means the maximum number of profiles assigned to a single user in SAP. More will simply not fit, or rather the system will not allow you to assign and save changes.
If you encounter such a problem, first think about when you lost control of permissions management, are you sure your user needs so many roles?
Is he/she using them? (You can check role usage per user by using the SAST Authorization Management Tool.)
In the next post, which will appear in two weeks, I will present further concepts from world of authorization.
If you feel that your organization could use a refresh of knowledge or training "from scratch" in the area of SAP permissions – feel free to contact us.
Workshops can be carried out at the customer's premises, at our premises or 100% remotely.
Author: Bernadeta Szwarc /Sast Polska Team/
GOOD TO READ ABOUT SAP SECURITY