The SAP Authorization Concept


The SAP Authorization Concepts
Authorizations Simplified

Introduction to Authorizations

The SAP Authorization Concept protects SAP systems against unauthorized access and system use – and can be viewed as the KEY to SAP security. It enables authorizations to be centrally managed. Users (individuals with unique IDs that allow them to log onto and use a specific SAP system) are granted the authority to perform certain specific actions, and are not allowed to perform any actions for which they have not been granted authorizations.

In some applications (such as Microsoft), authorizations can be granted or denied to a user; meaning that the user is “granted” or “denied” access to certain authorizations. However, in SAP, the opposite is true: without values, there are no authorizations and, unless specific permission for access or activity has been granted, it is NOT authorized. ABAP is the name of the SAP programming language. Determining whether or not a user has been granted a specific authorization can usually be accomplished through an ABAP command.

Multiple authorizations may be required in order to perform certain operations within SAP. For example, the task of paying a vendor’s invoice may require a dozen or more different authorizations. All authorizations that are required for the performance of any task must be granted to the user whose job it is to perform that task. However, according to the most up-to-date and generally accepted authorization concepts, only the minimum number of authorizations should be assigned to each user, and only those that are specifically required for the performance of the user’s job or role in the organization. All authorizations granted to a user are combined in the user’s profile.

The SAP Authorization Concept enables organizations to make certain policy decisions that help to control their system’s security.

Examples of Authorizations Granted:

• Only users X, Y, and Z can issue invoices for the company.
• Employees working in the company’s branch in one country (e.g. U.S.) cannot perform activities for the branch in another country (e.g. Ireland).
• A warehouse worker can only check inventory in their own warehouse.

Terminology of Authorizations

Authorization Object

The Authorization Object is the basic element - or building block - of the SAP Authorization Concept. Every Authorization Object is a separate entity, and all have equal weight within the SAP environment. The term ‘Company’ (which can stand for a global branch, a department within a specific branch, or another segment within the organizational structure) is an example of a standard Authorization Object within the SAP concept. Other examples of standard SAP Authorization Objects are ‘Warehouse’, ‘Document Type’ and ‘Transaction Code’. In addition to standard SAP Authorization Objects, organizations can create their own unique Authorization Objects, whose names should always begin with either the letter ‘Y’ or ‘Z’.

Authorization Field

An Authorization Field is a template that allows a Value to be linked to an Authorization Object. A Value can be a number representing a specific department within an enterprise (e.g., Accounting Dept.) or a specific action (e.g., ‘Create’ or ‘Change’). When the Authorization Field of an Authorization Object has been assigned a Value, an Authorization is created. Without a Value in the Authorization Field, there is NO Authorization.

Normally, an Authorization Object contains up to 10 Authorization Fields and an unlimited number of Values per field.

Authorization

An Authorization (i.e. an access or activity privilege which has been granted) is created when all Authorization Fields of an Authorization Object are assigned Values.

All authorizations should be granted carefully; sensitive authorizations even more so. Therefore, it is crucial to control the process of granting authorizations and to periodically review authorizations to verify that they are still required.
White Paper | The Authorization Concept 2


Authority Check

An Authority Check is a check that runs automatically in SAP whenever a user tries to perform an action within the system (if the Authority Check has been included in the specific program). The Authority Check determines whether or not the user has the required authorization to perform the specific action. In order to pass the Authority Check for an Authorization Object, the user must pass the checks for all the Authorization Fields in the Authorization Object.

An Authority Check is the only way to check authorizations in SAP. If authority check commands have not been inserted into the source code of a program, then that program can be accessed without needing any Authorization. Without Authority Checks, system users are free to use the program as they see fit, i.e. to freely view and perform actions at will.

Transaction/Authorization Field ACTVT

The term “Transaction” in SAP represents a series of related steps that are required in order to perform a particular task. In a common SAP installation, there are over 100,000 transaction names. Most Transactions fall into one of the following categories: ‘Create an Object’, ‘Change an Object’ and ‘Display an Object’.

EXAMPLES

• Create an Invoice (Ex: SAP Transaction FB60)
• Change a Bank Account (Ex: SAP Transaction FS02)
• Display Vendor Details (Ex: SAP Transactions XK03 and FK03)

In order to correlate the purpose of the Transaction with the Authorization, the standard SAP Authorization Field – ACTVT – is used. Typical values for this field include 01 (Create), 02 (Change), and 03 (Display).

Transaction Code

A Transaction Code, or T-code, is a sequence of characters which is the technical name of a Transaction in SAP. If a user wants to perform a Transaction, the system will first perform a check to determine whether or not they have the Authorization for the Transaction (T-code). FB60 is an example of a T-code - the Transaction for Creating a Vendor Invoice. If a user wants to create a vendor invoice, the system will check their authorization for T-code FB60. However, it is not sufficient to give the user authorization for T-code FB60. The user must also be granted all Authorizations required for FB60, such as the vendor’s company codes, business areas and account types.

Transaction/Activity Checks

In order to allow a user to perform a Transaction, the system automatically carries out the necessary Authorization Checks. Each Transaction Code has certain required Authorizations. Typically, there are 10-15 Authorization Objects to check for each Transaction, though this number is actually unlimited and there can be 30 or more different authorization checks in a single Transaction! Without these checks, the transaction can be fully utilized by any user in the system.

The Process

The system first checks whether or not the user has been granted the required Transaction (i.e. T-code). If the answer is yes, then the system goes through a series of further Authorization Checks. At any point along the way, the user can be stopped if any of the Authorizations connected to the specific T-code are missing.

According to our observations, despite the potential for significant security breaches, most programs created in-house do not include Authority Checks. This is most likely due to the difficulties experienced by programmers in gathering the required information – or to their lack of awareness regarding the need for Authority Checks. XPANDION has developed a solution that will ease this problem for programmers.



If the user becomes stuck (i.e., the system does not allow the user to continue), they can usually activate Transaction SU53* (which shows the last Authorization Object that was checked), and from there request the missing Authorization from the Authorization Manager. When this occurs, the user’s work is generally interrupted until the missing Authorization is granted.

* Transaction Code SU53 (Display Authorization Data) should be executed following the appearance of an error message. It enables the user to retrieve the required missing authorization data.

Identifying the Correct Authorization for Each Transaction

Since there is no way to identify all the required Authorizations, Transaction SU24 is often used. SU24 is the basis for adding required authorizations when a Transaction is added to a Role (see below), using the Role Generator - PFCG. Though not perfect, it enables visibility of the checks required for each Transaction, as well as the associated Authorization Objects.

However, this is only a partial solution, since SU24 must be manually updated. If the required Authorizations for each Transaction have not been updated, they will not exist in the system. When an activity is added to a role through PFCG, SAP will automatically add all Authorization Objects required for the specific activity (or T-Code). It is critical to then update SU24 as well. If an Authorization Manager or Programmer has added a new Transaction Check to a Transaction, they must add it to the required checks for the Transaction in SU24. Unfortunately, most Programmers ARE NOT AWARE OF THIS CRUCIAL REQUIREMENT and therefore it is not done, leaving SU24 outdated.

Authorization Roles

An Authorization Role* in SAP is usually a collection of logically connected authorizations**. Roles can be assigned to multiple users, and users can be assigned multiple roles. Roles are usually assigned on a need-to-know basis.

Only Roles (not Authorizations) can be assigned to users. A typical user may have 5 or 6 Authorization Roles, with each Role having several dozen Authorizations.

According to our current view regarding security, users should be assigned only the minimum number of Authorizations required to perform their duties.

* The term “Authorization Role” is commonly referred to as “Role” among authorization-related or technical people. In this case, it is unrelated to the “Job Role” of an employee within the organization.

** Roles can actually include more objects, such as menu entries and mini-Apps, but this definition is the most commonly referred to when speaking with Authorization people. More data about SAP roles can be found in the SAP documentation for Transaction PFCG.

Authorization Profiles

Authorization Profiles are usually collections of logically connected Authorizations, but are not as complex as Roles. Roles can include T-codes, menu entries, or validity periods, while Authorization Profiles include ONLY Authorizations. Authorization Profiles are no longer recommended by SAP for granting Authorizations; however, they are still being used due to issues of compatibility.

When creating a Role in SAP via Transaction PFCG (Role Maintenance), a corresponding Authorization Profile is automatically created. Though SAP abandoned the Authorization Profile concept some time ago, several historical Authorization Profiles without related Roles still remain in the system. These Profiles - for example SAP_ALL, FI_ALL, SAP_NEW, S_A.DEVELOPER and others - are all critical, high-risk, and represent significant potential security breaches.

Example – The Profile ‘SAP_ALL’ includes almost all the Authorization Objects in SAP. Users with a SAP_ALL profile can perform all tasks in the SAP system. Therefore, this should not be assigned to anyone, ever.

Role Maintenance Transaction PFCG

Role Maintenance (T-Code PFCG - also known by its original name, Profile Generator) automatically creates customizable Roles, thereby easing and simplifying the process of creating and maintaining Roles.



User Buffer

Every time a user logs into the system, SAP combines all of a user’s Authorizations into a single location, called the User Buffer. The User Buffer resides in the SAP memory and not on a physical disk, so access to it is fast – much faster than retrieval from a hard drive. Transaction Code SU56 shows the contents of the user’s User Buffer and the total number of authorizations in the user’s master record.

Authority Checks ONLY check the User Buffer. One of the problems with the User Buffer is that it cannot isolate transactions. When dynamically creating the User Buffer (and this happens each time a user logs into the system), the SAP application combines all the Authorization Roles of the user and allocates all granted Authorizations into the user’s User Buffer, while ignoring duplicate objects. Therefore, using the User Buffer can create a situation in which one Transaction is using another Transaction’s Values.

Example - An organization has decided to grant a certain user Transaction Code FB60 (Vendor Invoice) - but only for Company 1000, and T-code FB50 (G/L Account Document) - but only for Company 2000. However, if these two transactions use the same Authorization Object, then a situation is created whereby the user has Authorizations for FB60 for BOTH Company 1000 AND Company 2000 - and has authorizations for FB50 for BOTH Company 1000 AND Company 2000. Without compensatory controls, the user can perform the right transactions for the wrong company.

Key Points To Remember

• The SAP Authorization Concept guards the system against unauthorized access and use.
• An Authorization is created ONLY after a Value has been attached to the Authorization Field of an Authorization Object.
• According to the current view regarding security, users should be assigned only the minimum number of Authorizations required to perform their duties.
• The ABAP command AUTHORITY-CHECK is the only method to check user Authorizations. If a program does not have Authorization Checks embedded in its code, anyone can access and use the program.
• T-code SU24 must be manually updated. This factor is critical. SU24 must be updated on a regular basis to remain current, as this particular T-code contains all the required Authorization Objects for an SAP T-Code.
• SAP_ALL and SAP_NEW Profiles should never be granted to anyone, since individuals with these Profiles have carte blanche to view and do whatever they like within the SAP system.
• The User Buffer, an integral part of the SAP Authorization Mechanism, does not allow for the isolation of transactions, which can result in unintended and sometimes high-risk cross-access to data.

Summary

By following the requirements, advice and guidelines in this whitepaper, enterprises will be able to verify that authorizations granted to employees are valid and comply with regulations; they will also be able to increase control of employee authorizations. Reviewing authorizations at least once a year will ensure that employees hold authorizations for justifiable reasons and allow the organization to make the proper decisions regarding its authorization compliance.

Focused on the areas of SAP security and SAP licensing, Xpandion creates user-friendly, easily deployed, automatic management solutions for SAP’s global customers. Xpandion’s ProfileTailor™ suite of solutions delivers unprecedented visibility of actual, real-time SAP authorization usage - enabling significant improvements in enterprise security, including reduction of fraud and leakage of sensitive data. It is the first solution that detects and alerts to deviations in behaviour in real time - including deviations from SoD (Segregation of Duties) rules. ProfileTailor™ creates a thin and controllable SAP system that can be easily managed with substantially reduced effort and resources. Once the confusion regarding authorizations has been dispelled, enterprises can then maintain on-going control of their SAP licenses and authorization usage. Xpandion’s LicenseAuditor optimizes SAP investments, enabling considerable savings through the identification of dormant, underused, duplicate and misclassified users. The entire suite of solutions is available as classic enterprise software or as SAAS/Cloud.
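The FB60/FB50 cross-company situation from the User Buffer example, and the T-code-first check sequence described under The Process, as an added Python model that is not part of the white paper: it simulates the merged user buffer and the AUTHORITY-CHECK rule that every checked field of an object must hold the required value. S_TCODE/TCD and F_BKPF_BUK/BUKRS/ACTVT are standard SAP names not mentioned on the page; the assumption that both transactions check the company code through F_BKPF_BUK, and the two roles, are constructed for this example.

```python
# Added example (not from the white paper): a small model of the SAP user
# buffer and of AUTHORITY-CHECK semantics, reproducing the FB60/FB50
# cross-company case. S_TCODE/TCD and F_BKPF_BUK/BUKRS/ACTVT are standard
# SAP object and field names; the assumption that both transactions check
# the company code via F_BKPF_BUK, and the roles below, are constructed.

def build_user_buffer(roles):
    """Merge the authorizations of all roles into one buffer, keyed by object.
    As in SAP, the buffer does not remember which role (or transaction) a
    value came from: all values of one object/field are pooled."""
    buffer = {}
    for role in roles:
        for obj, fields in role:
            merged = buffer.setdefault(obj, {})
            for field, values in fields.items():
                merged.setdefault(field, set()).update(values)
    return buffer

def authority_check(buffer, obj, **required):
    """Pass only if every checked field of the object holds the required value."""
    fields = buffer.get(obj)
    if fields is None:
        return False                       # object absent: no authorization at all
    return all(val in fields.get(fld, set()) for fld, val in required.items())

def can_post(buffer, tcode, company):
    """The Process: transaction (T-code) check first, then the object checks."""
    if not authority_check(buffer, "S_TCODE", TCD=tcode):
        return False
    return authority_check(buffer, "F_BKPF_BUK", BUKRS=company, ACTVT="01")

# Constructed roles: FB60 only for company 1000, FB50 only for company 2000.
ROLE_FB60_1000 = [("S_TCODE", {"TCD": {"FB60"}}),
                  ("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"01"}})]
ROLE_FB50_2000 = [("S_TCODE", {"TCD": {"FB50"}}),
                  ("F_BKPF_BUK", {"BUKRS": {"2000"}, "ACTVT": {"01"}})]

def allowed_postings(roles, tcodes=("FB60", "FB50"), companies=("1000", "2000")):
    """Return the (tcode, company) pairs the merged buffer of these roles permits."""
    buf = build_user_buffer(roles)
    return sorted((t, c) for t in tcodes for c in companies if can_post(buf, t, c))

if __name__ == "__main__":
    # Each role on its own grants only its intended company ...
    print(allowed_postings([ROLE_FB60_1000]))                 # [('FB60', '1000')]
    # ... but once both are in one user buffer, all four combinations pass.
    print(allowed_postings([ROLE_FB60_1000, ROLE_FB50_2000]))
```

Splitting the company codes across two roles does not help once the buffer is built; only a check on a field that differs per transaction, or a compensating control, keeps the two postings apart.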
