Difference between Role, Authorization Object/s, and Profile
As a Functional Consultant, one may wonder what a Role is and how different it is from the Authorization Object and Profile. While it is mostly the job of the Security team to assign the required Role for a user, it is also the Functional Consultant’s responsibility to provide inputs about the required Transactions, restrictions within a Transaction, and how these restrictions should vary depending on the user.
Let’s begin this blog by defining what a user is. In simple terms, we can log in to a system with a username and password only if our user has already been created in it. In SAP, Transaction code SU01 is used to create a user. Using this Tr. Code, users can be created, modified, deleted, locked, unlocked, and copied to create a new one. Typically, in a project, user creation has certain prerequisites. Initially, the user or the concerned manager requests the user creation by filling in the access form and providing all the required details. This is followed by one or two stages of approval and finally the creation of the user by the Security team.
Tr. Code: SU01 (User creation)
Image 01: User creation
Here mandatory fields are filled in all the tabs by the security consultant and saved to create a user.
Once a user has been created and communicated to the respective Functional Consultant (the user), he should be able to log in to the system with his credentials. For a user to execute all the activities he is supposed to, he should be assigned the required Roles. These Roles generate a Profile, which in turn contains Authorization Objects.
So, what is a Role, and what is a Profile? How are Roles and Profiles different? How is a Profile generated from a Role? What are the Authorization Objects that give the user the necessary authorizations? Are they linked to the Profile? What about the Tr. Code, and where does that fit in?
By the end of this blog, you should have a clear understanding of all of these. Let’s start with the Role…
Roles are the means of assigning authorizations to the user. For example, in the image below, since the user is assigned a Role related to Table Display, he can only view tables in SAP. If he tries to create another user for his colleague through the Tr. Code SU01, he will not be allowed to do so, as he may be missing the required authorizations.
Image 02: User creation (Adding Roles)
As Roles are assigned to the user, the Profile gets automatically assigned. Before seeing what a Profile is and how they are interlinked, let us understand what Authorization is.
- An Authorization is identified by its Authorization Object
- The Object Class reveals the area of the Authorization Object
- An Authorization Object is a group of up to 10 Authorization Fields
SU21 is the Tr. Code where you can see all the Authorization Objects. In the below image, you can see several Object Classes that can be referred to as an area or domain. Within each Object Class, there is a certain number of Authorization Objects. Let us expand the Object Class Transportation Management Solution for example.
Image 03: Object Class
Image 04: Authorization Objects under an Object Class
Clicking further on one of the Authorization Objects, T_TR_FWO, shows all the Authorization Fields within that Authorization Object.
Image 05: Detailed view of Authorization Object with Authorization Fields and their Description
On clicking Display Object Documentation at the bottom, you should be able to see all the Authorization Fields along with the kind of Authorizations for the respective Field. To be more precise, in the first Field TM_FWOTYPE, Forwarding Order Type/s can be specified, and in the Field ACTVT the kind of authorization, i.e., 01-Create, 02-Update, 03-Display/read, and so on, is defined. If the Field TM_FWOTYPE is left blank, the user is authorized to work on all the types of Forwarding Order, of course also depending on the entries in the Field ACTVT.
Image 06: Authorization Field and Authorizations
Now that you have understood what an Authorization Object is, let us try to understand how Authorization Objects are linked to the Tr. Codes.
The necessary Authorization Objects for any Tr. Code can be seen in the Tr. Code SU24.
Tr. Code: SU24 (Authorization Objects for a Tr. Code)
For example, for the Transaction BP you can see the Authorization Objects by filtering out the column Default Status “Yes”.
Image 08: Authorization Fields and Authorizations for the Authorization Object
It is now clear what Authorization Objects are and how Authorization Objects relate to Tr. Codes.
A Role is a combination of Tr. Codes and the related Authorization Objects. To understand it better, let us assume that the user needs access to the following Tr. Codes:
- Sales order creation – VA01
- Change Sales Order – VA02
- Display Sales Order – VA03
Role = Three Tr. Codes + Authorization Objects related to three Tr. Codes
Note: Since Tr. Codes and Authorization Objects cannot be assigned directly to a user, they are assigned to the user through a Role.
Going forward, before seeing the procedure to create a Role, let us try to understand what a Profile is.
Profiles are the objects that store the authorization data. There are two types of Profiles: Standard Profiles and Generated Profiles.
Standard Profiles are provided by SAP and can be assigned to a user directly through SU01, whereas Generated Profiles cannot be assigned to a user directly. Since a Standard Profile provides more access than what the user requires, it is recommended to create a Role and assign it to the users, which in turn assigns the (Generated) Profile to the users. We will see how a Profile is created while creating a Role.
- Creation of Role:
Tr. Code: PFCG
Type the Role Name as per a certain naming convention followed. Click on Single Role to Create the Role.
Image 09: Creation of Role
Fill in the required details in the Description tab and save it. Notice the changes after saving.
Image 10: Creation of Role (Role Name and Reason for creation of the Role)
The Menu tab represents the list of Tr. Codes. Click on Add Transaction below the Menu and keep adding the required Tr. Codes for the Role. Once all the required Tr. Codes are added, the Menu tab changes from Red to Green. To display the Tr. Codes along with their Technical Names, click Switch On Technical Names beside the Print button.
In the Authorizations tab, scroll down and click on Change Authorization Data.
You should see the list of Authorization Objects that are related to the Tr. Codes added in the previous step, i.e., under the Menu tab.
Image 12: Creation of Role (Authorization Objects corresponding to the Tr. Codes)
To verify which Authorization Objects belong to which Tr. Codes, recall from section 2 that you can go to SU24 and enter the Tr. Code and find the respective Authorization Objects. For example, in the Menu tab, we have added two Tr. Codes and among those two, let us check the Authorization Objects for the Tr. Code SE38 in SU24…
Tr. Code: SU24
Image 13: Authorization Objects for the Tr. Code SE38
Similarly, we can verify for the other Tr. Code/s.
Authorization Objects can be further drilled down to see the necessary Authorization Fields and Values.
Image 14: Authorization Fields with Authorizations
So far, we have added the Description of the Role and the required Tr. Codes, which in turn pulled in the Authorization Objects with their respective Authorization Fields and Values. To generate a Profile, click on Generate Profile at the top, beside the delete button.
Image 15: Generating Profile
Note: A Generated Profile name always starts with the letter T. After the Profile is generated, go back and notice that the Authorizations tab has changed its color from Red to Green. Also, the Profile Name and Profile Text are updated.
At this stage, this is how it looks:
Image 16: Role with the generated Profile
The next step is to assign the Role to the user. This can be done through Tr. Code SU01. After adding the Role to the user, the corresponding Profile also gets added and can be seen under the Profiles tab. Another way of adding the Role to the user is to go to the User tab next to the Authorizations tab in the above image and add the user there.
As the Role is interlinked with the Profile, Tr. Codes, and Authorization Objects, what we discussed in the first three steps should start making sense now that we have seen how to create a Role in step 4.
Other topics like modifying authorizations, Composite Roles, and Derived Roles are not covered in this blog; I will try to cover them in future blogs.
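The chain described in the four steps above, as an added Python model that is not code from the blog or from SAP: a Role is built from Tr. Codes using SU24-style defaults, a Profile is generated from it, and an AUTHORITY-CHECK-like function then evaluates a user's Roles. The SU24 table, the Tr. Codes ZFWO01/ZFWO03, the Role names and the trailing-'*' prefix matching are assumptions; the Authorization Object T_TR_FWO with its Fields TM_FWOTYPE and ACTVT is taken from the post, and S_TCODE is SAP's standard object checked when a Tr. Code is started.

```python
# Added example, not the blog's code: a model of the chain the post describes,
# Tr. Code -> Authorization Objects (SU24 defaults) -> Role (PFCG) -> generated
# Profile -> user. SU24 table, Tr. Codes ZFWO01/ZFWO03 and names are constructed.
from dataclasses import dataclass, field

# Constructed SU24 stand-in: Tr. Code -> [(object, {field: value})]. '*' means
# any value; a trailing '*' is a prefix pattern (this model's assumption).
SU24_DEFAULTS = {
    "ZFWO01": [("S_TCODE", {"TCD": "ZFWO01"}),
               ("T_TR_FWO", {"TM_FWOTYPE": "*", "ACTVT": "01"})],
    "ZFWO03": [("S_TCODE", {"TCD": "ZFWO03"}),
               ("T_TR_FWO", {"TM_FWOTYPE": "*", "ACTVT": "03"})],
}

@dataclass
class Role:
    name: str
    tcodes: list
    # One entry per authorization instance; all its fields must match together.
    authorizations: list = field(default_factory=list)
    profile: str = ""  # empty until Generate Profile has been run

def build_role(name, tcodes):
    """PFCG Menu tab: adding Tr. Codes pulls in their SU24 default objects."""
    role = Role(name, list(tcodes))
    for tcode in tcodes:
        role.authorizations.extend(SU24_DEFAULTS[tcode])
    return role

def generate_profile(role):
    """Generated Profile names start with T, as the post notes (constructed)."""
    role.profile = "T-" + role.name
    return role.profile

def value_matches(pattern, value):
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def authority_check(user_roles, obj, wanted):
    """AUTHORITY-CHECK style: one authorization for obj must match all fields."""
    for role in user_roles:
        if not role.profile:  # Role assigned but Profile not generated
            continue
        for o, fields in role.authorizations:
            if o == obj and all(value_matches(fields.get(f, ""), v)
                                for f, v in wanted.items()):
                return True
    return False
```

Two separate authorizations for the same object are never combined: a user holding (type A, ACTVT 01) and (type B, ACTVT 03) cannot display type A, which is why Authorization Fields and Values are reviewed per Authorization in PFCG.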
Please do share your feedback or thoughts in the comments section. Also, please follow my profile for more such content.
Thank you for this fruitful blog.
Looking forward to your next one explaining the remaining topics about authority.
I will note down my understanding here.
Authorization Object is the basic element and it's organized by Authorization Class. It has Authorization Fields. It can be found by SU21. It has the connection with trx. It can be found by SU24. But how the connection is established is not clear for me.
Authorization Object and Trx. cannot be assigned to user directly. Role is the bridge there. When assigning Trx. to Roles, the Authorization Objects will be assigned automatically. Profiles need to be generated in this step.