Authorization Concept


SAP | Authorization Troubleshooting

R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (e.g. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (e.g. Z_SCC20001).

Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the user’s authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.

There are 4 classes that deal with security in the SAP landscape:

- ADM 940 R/3 Authorization concept
- ADM 950 Secure SAP system management
- ADM 960 Security in SAP system environment
- BW365 BW authorization concept

Introduction

Probably the best standard SAP Transactions you can use for troubleshooting authorizations are ST01, SU53, SU56 and SUIM. Used together these enable you to see authorizations loaded into a User Master Record, authorization failures and authorization checks made by the SAP Kernel. This document will take you through using these Transactions in a combined way to effectively deal with Authorization failures.

Authorization Failure Analysis

The transaction code SU53 is used for viewing Authorization failures, the details displayed include the Authorization Object in question, its Class, and the options/fields which were checked within that object. Figure 1.0 shows the logical structure of authorizations, objects and classes.

Figure 1.0

Authorization Class
    Authorization Object 1
        Authorization Field 1
        Authorization Field 2
        …
    Authorization Object 2
        Authorization Field 1
        …

An SAP Authorization Object can have up to 10 Fields, which may be Activities such as Change or Display, or organizational values such as Company Code 1234. These options allow customized authorizations (Authorizations are instances of Authorization Objects which live in a Profile) to be created. This deep level of customization also means that authorization mismatches will occur, especially when a new Role/Profile is constructed for a new purpose, as the exact requirements may not be known until the transactions are used for the first time. In this scenario it is not practical to use SU53 repeatedly for each authorization failure until complete; instead you can use the SAP System Trace (Transaction ST01), which writes a log of each authorization check the SAP Kernel makes, and use that information to build Roles/Profiles accurately. For further information on using SAP System Trace (Transaction ST01) please see below:

Analyzing Authorizations using the System Trace

1. Choose Tools → Administration → Monitor → Traces → SAP System trace.
2. Choose the trace component Authorization check and then Trace on. The system then automatically writes the trace to disk.
3. To restrict the system trace to your own sessions, choose Edit → Filter → General. In the dialog box displayed, enter your user ID in the field Trace for user only.
4. After you have completed your analysis, choose Trace off.
5. To display the results of the analysis, choose Goto → Files/Analysis or choose the pushbutton File list. Position the cursor on the file that you want to analyze and choose Analyze file.
   - You will see authorization test entries in the format <Authorization object>:<Field>=<Value tested>.
   - You can display a formatted view of an authorization check by double-clicking an entry. (You may need to scroll down in the display to reach the formatted view of the entry.)
   - If no authorization entries exist or the system displays the message Authorization entries skipped, check that you have set the trace switches correctly. If the switches are correct, then choose Trace file → Analyze file and ensure that Trace for authorization checks is selected.
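To make the two-stage check described in the authorization concept and the ST01 trace analysis above concrete, here is an added Python example (not SAP code and not from the original page) that evaluates constructed ST01-style entries against a user's authorizations and lists the field values a role is still missing. Assumptions: the entry format extends the page's <Object>:<Field>=<Value> with ";" between the fields of one check; BUKRS and ACTVT are the fields of F_SKA1_BUK and KTOPL/ACTVT those of the chart-of-accounts object F_SKA1_KTP; the authorization names and values are constructed.

```python
import re
from collections import defaultdict

# Constructed: the user's authorizations (instances of objects, as held in a
# profile), keyed by authorization name; '*' is a full wildcard for a field.
USER_AUTHS = {
    "Z_SCC20001": ("F_SKA1_BUK", {"BUKRS": {"2000"}, "ACTVT": {"01", "02", "03"}}),
    "Z_SCC10003": ("F_SKA1_BUK", {"BUKRS": {"1000"}, "ACTVT": {"03"}}),
}

# Constructed ST01-style entries, one authorization check per line:
# <Authorization object>:<Field>=<Value tested>[;<Field>=<Value tested>...]
TRACE = [
    "F_SKA1_BUK:BUKRS=2000;ACTVT=01",  # create G/L account in company code 2000
    "F_SKA1_BUK:BUKRS=1000;ACTVT=01",  # create in company code 1000
    "F_SKA1_KTP:KTOPL=INT;ACTVT=01",   # functional check on the chart of accounts
]

ENTRY_RE = re.compile(r"^(?P<obj>\w+):(?P<fields>\w+=[^;]*(?:;\w+=[^;]*)*)$")

def parse_trace_line(line):
    """Parse one trace entry into (object, {field: value}); None if malformed."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    fields = dict(part.split("=", 1) for part in m.group("fields").split(";"))
    return m.group("obj"), fields

def check_authorized(user_auths, obj, tested):
    """Pass only if ONE authorization for obj covers EVERY tested field; values
    are never merged across authorizations (BUKRS from one, ACTVT from another)."""
    for auth_obj, values in user_auths.values():
        if auth_obj != obj:
            continue
        if all(v in values.get(f, ()) or "*" in values.get(f, ())
               for f, v in tested.items()):
            return True
    return False

def missing_authorizations(user_auths, trace_lines):
    """Collect the field values of every failed check, per object: the raw
    material for extending a role instead of iterating SU53 one failure at a time."""
    missing = defaultdict(lambda: defaultdict(set))
    for obj, tested in filter(None, map(parse_trace_line, trace_lines)):
        if not check_authorized(user_auths, obj, tested):
            for f, v in tested.items():
                missing[obj][f].add(v)
    return {o: {f: sorted(v) for f, v in fs.items()} for o, fs in missing.items()}
```

Running missing_authorizations(USER_AUTHS, TRACE) reports the second and third checks as failed: display rights in company code 1000 do not cover creation there, and no authorization for F_SKA1_KTP exists at all.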

Authorization Failure, or not?

For most suspected authorization failures, the first step should be to ascertain whether the issue is actually an authorization failure or not. Transaction SU53 confirms this, as it will only show authorization objects after an authorization check has failed. If you see the message “The last authorization check was successful” then up to now your authorization checks have passed without failure; in the event of a failure you will see the details of the object involved. Figure 1.1 shows SU53 in the event of an authorization failure; please note that the screenshot shows SU53 in its default layout (Tree). SU53 can have one of two layouts. The one shown in Figure 1.1 is called ‘Tree’ and gives the structured view shown. The other layout is ‘Classic’, which has a raw text feel but provides additional information such as the Authorization Class the object belongs to, the System ID and the Client number, see Figure 1.2.

Figure 1.1

Figure 1.2

What are the options?

Once an authorization failure is confirmed, the next step should be to ascertain the options available for the Authorization Object in question. Without understanding the options and their effect you cannot work with the business to adjust the authorizations effectively. To understand a particular Authorization Object we should read its documentation. Most SAP Authorization Objects have documentation explaining their purpose, fields, options etc. This can be found in several ways; the easiest is by using Transaction SUIM.

Transaction SUIM is the ‘User Information System’, which comprises many useful reports. Using the report ‘Authorization Objects >> By object name, text’ we can enter the name of the Authorization Object and execute. If we select the correct Authorization Object and click Documentation, an additional window will display the details in a standard SAP Help screen; see Figure 1.3 for an example of Object ‘S_ADMI_FCD’.