Chintan Budhbhatti

BASIC UNDERSTANDING OF ROLES AND AUTHORIZATION

Many Functional Consultants have trouble understanding what Roles and Authorizations are in SAP. This document is meant to help anyone who is curious about what exactly the concept is and how it works.

Functional Consultants have many questions about this concept, and one of the main ones is why Functional Consultants should worry about Roles and Authorizations when that is the job of the BASIS team.

The answer is that it is not solely the job of the BASIS team. Like other activities, it is an integrated activity that should be performed by both the BASIS team and the Functional team.

The BASIS team has the know-how for User Management, Role creation, Profile creation, Role and Profile assignment, Authorization assignment, etc., but in most cases the main concern arises when the questions below cannot be answered by the BASIS team:

  1. Whom to Assign the Roles or transactions
  2. What to Restrict in a transaction and for whom
  3. How to authorize Custom transactions

Many more such questions cannot be answered by the BASIS team. Hence, it becomes the role of the Functional Consultant to guide them with the exact process flow and the exact organizational chart.

To explain with a small example, suppose we have a maintenance team as below:

  1. Supervisor – He is responsible for notifying the breakdown or Corrective Maintenance requirements
  2. Maintenance In-charge – He is responsible for assigning the above tasks to Engineers
  3. Head of the department – He is responsible for approving the Maintenance tasks.

Now, the Functional Consultant is well aware that the Supervisor would require only the transactions related to notifications (say IW21, IW22, IW28, IW29, etc.); the Maintenance In-charge would require some of the notification-related transactions (say IW22, IW28, IW29) and also the order-related transactions (IW31, IW32, IW38, IW39, etc.); and the Head of the department would require notification and order transactions (say IW28, IW29, IW38, IW39) and, along with these, special permissions such as releasing orders, approving permits, technical completions, etc.

From the BASIS team's perspective these requirements are not clear, so they cannot make this decision; the requirements should be provided by the Functional Consultants.

But in most cases the main issue arises when Functional Consultants are not aware of the concept of Roles and Authorizations.

This document therefore explains the basic concept of Roles and Authorizations:

WHAT IS THE ROLES AND AUTHORIZATION CONCEPT:

Roles and Authorizations allow the users to access SAP Standard as well as custom Transactions in a secure way.

SAP provides a set of generic standard roles for different modules and different scenarios.

We can also create user-defined roles based on the project scenario, keeping the concept below in mind:

There are basically two types of Roles:

  1. Master Roles – With Transactions, Authorization Objects and all organizational level management.
  2. Derived Roles – With organizational level management, and with Transactions and Authorization Objects copied from the Master Role.

The reason behind this concept is to simplify the management of Roles.

WHAT ARE THE COMPONENTS OF A ROLE:

A Master Role or a Derived Role has the following components:

  1. Transaction Codes
  2. Profile
  3. Authorization Objects
  4. Organization level

Transaction Codes: SAP Transaction codes (Standard or custom)

Profile: Profiles are the objects that actually store the authorization data, and Roles are the containers that hold the profile authorization data.

Authorization Objects: Objects that define the relation between different fields and also help in restricting or allowing the values of a particular field (for example, authorization object I_VORG_ORD, PM: Business Operation for Orders, contains the relation between the fields AUFART = Order Type and BETRVORG = Business Transaction).

Authorization objects are actually defined in programs that are executed for any particular transaction. We can also create custom authorization objects for a particular transaction (generally a custom transaction).

Organization level: This defines the organizational elements in SAP, for example Company Code, Plant, Planning Plant, Purchase Organization, Sales Organization, Work Centers, etc.

Suppose we take the example of creating a role for Maintenance In-charges in a particular industry who are responsible for different maintenance plants. Consider the scenario below:

Company = C1, Maintenance Plants = M1, M2, M3 and M4 (hence assuming 4 Shift In-charges).

As mentioned before, the Maintenance In-charge will have rights to the following transactions: IW22, IW23, IW28, IW29, IW31, IW32, IW38 and IW39, but he will not have rights to release the Maintenance order.

EXPLAINING WITH AN EXAMPLE:

Considering the above situation, we create a common Master Role for all 4 Maintenance In-charges, say ZMPM_MAIN_IN_CHARGE_ROLE (the role name starts with ZMPM to indicate that it is a Z Master Role for Plant Maintenance), with the transactions mentioned above and all rights (value “*”) inside the transactions, restricting only the release of Maintenance orders with the help of authorization object I_VORG_ORD by removing the value BFRE from the field BETRVORG, but with all organizational level (say plant) assignments.

Based on this Master Role we then create Derived Roles for all 4 Maintenance In-charges individually. For the first Maintenance In-charge, say, we create a derived role ZDPM_MAIN_IN_CHARGE_ROLE_MI1 referring to the above Master Role ZMPM_MAIN_IN_CHARGE_ROLE. This copies all the transactions and authorization objects from the Master Role but does not copy the organizational level assignments that we made in the Master Role. Hence, we need to maintain the organizational level for the derived role (say Plant P1).

Once we save (and generate) the Master Role as well as the Derived Role, we can assign this role to the User ID of the particular Maintenance In-charge.
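
The master/derived relationship described above can be modelled in a few lines. This is an added illustration, not SAP code and not the author's own: the `Role` class, the `PLANT` key, the order type `PM01` and the `X_CREATE`/`X_CHANGE` business-transaction values are constructed stand-ins, and the derived role is given plant M1 from the scenario.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    tcodes: frozenset
    auth: dict                               # authorization object -> {field: allowed values}
    org: dict = field(default_factory=dict)  # organizational level -> allowed values


def derive(master, name, org):
    """Derived role: transactions and authorization values are taken from the
    master; organizational levels are maintained on the derived role itself."""
    return Role(name, master.tcodes, master.auth, dict(org))


def permits(allowed, wanted):
    return "*" in allowed or wanted in allowed


def authorized(role, tcode, obj, wanted, org_wanted):
    """True only if the transaction, every object field and every org level pass."""
    if tcode not in role.tcodes:
        return False
    fields = role.auth.get(obj, {})
    if not all(permits(fields.get(f, ()), v) for f, v in wanted.items()):
        return False
    return all(permits(role.org.get(k, ()), v) for k, v in org_wanted.items())


def build_roles():
    master = Role(
        "ZMPM_MAIN_IN_CHARGE_ROLE",
        frozenset({"IW22", "IW23", "IW28", "IW29", "IW31", "IW32", "IW38", "IW39"}),
        # BETRVORG holds constructed stand-in values; BFRE (release) is left out.
        {"I_VORG_ORD": {"AUFART": {"*"}, "BETRVORG": {"X_CREATE", "X_CHANGE"}}},
        {"PLANT": {"*"}},
    )
    mi1 = derive(master, "ZDPM_MAIN_IN_CHARGE_ROLE_MI1", {"PLANT": {"M1"}})
    return master, mi1


def can(role, tcode, operation, plant, order_type="PM01"):  # PM01: constructed sample
    return authorized(role, tcode, "I_VORG_ORD",
                      {"AUFART": order_type, "BETRVORG": operation}, {"PLANT": plant})


if __name__ == "__main__":
    _, mi1 = build_roles()
    for op, plant in [("X_CHANGE", "M1"), ("BFRE", "M1"), ("X_CHANGE", "M2")]:
        print(op, plant, can(mi1, "IW32", op, plant))
```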


      21 Comments
      Devraj Pillai

      Hi Chin2,

      Wonderful document to understand the roles and authorization.

      Great going...

      Chintan Budhbhatti
      Blog Post Author

      Thanks Devraj...Hope all Functionals like this.

      Prem A

      Simple enough document to understand the roles, authorizations & assignments concept. Well put.

      Chintan Budhbhatti
      Blog Post Author

      Thank you Prem A,

      I tried to put it as simple as possible.

      Former Member

      This was a good read. Got a very generic understanding of Roles and Authorizations. Finally, specifics and details may be modelled as per the article. Thanks for writing it!

      Chintan Budhbhatti
      Blog Post Author

      Yusuf Campwala

      Thanks for your comments....this encourages me to write more and more....

      Chin2

      Ravi Prakash

      Good documentation for Role authorization Understanding

      Chintan Budhbhatti
      Blog Post Author

      Ravi Prakash

      Thank you for your appreciation.

      Chin2.

      Former Member

      Nice document

      Former Member

      Thanks for this sharing.

      it's wonderful knowledge

      Former Member

      thank you for sharing this

      Former Member

      good content.

      Babaiah C

      Hi Chintan,

      it is useful document.

      Mutheeshwaran S

      Good Read! Thanks!!

      Edna Cruz

      Chintan, thanks for sharing. By any chance do you have the link where I can find what a Shell Role is? Regards, Edna

      Ali Moahmmed

      So clear & simple. Thanks

      mohammed Gani

      Thanks for sharing this wonderful document as it is explained very well.

       

      Neha Singh

      Hi,

      Thanks for sharing this document and it explains well. Need help with more topics as I am new for SAP.

       

      Thanks

      sharanabasanagouda M

      Thanks for sharing and I am Requesting you Please send me Project initial Authorization matrix need to be provided to Basis Team

      Please send me T codes with the Authorization object file.

      my mail.id: sharan.sap3@gmail.com

       

      Thanks in advance

      Harry Jing

      Hi Chintan

      If you approve, I am ready to translate it to Chinese. Thanks in advance.

      Chintan Budhbhatti
      Blog Post Author

      Yes Harry,

       

      It would be nice to have it translated to Chinese as more people will be able to get knowledge out of it.

       

      Thanks for taking the approach