Basic Concepts

The introductory article gave a glimpse of one of the thousands of SAP applications delivered as part of a SAP standard package. This article follows on from there and starts our journey on SAP security. It tries to answer three basic questions: What is security? Why do we need security? and How does SAP implement security?


Q. What is Security?

A. Security in the context of IT denotes giving users access to only those system resources which they require to perform their jobs. In SAP, these resources generally take the form of either business applications or administration tools, accessed through transactions, screens, tables, programs, reports, web services, etc.

Q. Why do we need Security?

A. SAP, being an ERP solution, comes loaded with a huge number of applications which can be configured to map the business processes of an organization, such as procurement, manufacturing, sales, financial accounting, controlling and human resource management. It is imperative that only actual employees/business partners get access to the SAP system (Authentication). Further, each user of the SAP system should only have access to the applications relevant to their job (Authorization). For example, we certainly do not want an employee working on the shop floor to be able to see and update the bank details of other employees, a job typically reserved for the HR department.

Q. How does SAP implement security?

A. Authentication

Authentication is ensured by having a unique user ID and password for each user, maintained as part of the user master record. Any user trying to access a SAP system must have a valid user master record. In addition to the user ID and password, a user master record also lists the user’s name, email, telephone and the roles which allow access to different applications.

Authorization

Authorizations are implemented through roles (or, in the older terminology, activity groups) and are typically assigned to users through their user master record. Each role also has one or more corresponding authorization profiles containing different authorizations. It is the authorization profiles which actually give access to users: at runtime, an authority check succeeds only if one of the authorizations in the user’s profiles covers every field value the check requires.
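The chain described above (user master record, roles, generated profiles, authorizations, authorization object field values) as a small Python model. This is an added example, not code from the article or from SAP; the profile limit is a parameter, the object S_TCODE with field TCD is the standard transaction-start object, P_ORGIN with fields INFTY and AUTHC is assumed as the HR master data object, and all role names, users and values are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Authorization:
    obj: str       # authorization object, e.g. S_TCODE
    values: dict   # field name -> set of allowed values; "*" means any value


def generate_profiles(role_auths, limit):
    """Model of profile generation for a role: authorizations are packed into
    profiles of at most `limit` entries, so a role with more distinct
    authorizations than `limit` ends up with several profiles.
    `limit` is an assumed parameter, not SAP's actual figure."""
    return [role_auths[i:i + limit] for i in range(0, len(role_auths), limit)]


def authority_check(user_master, roles, user, obj, **required):
    """Model of an authority check: passes if ANY authorization in ANY profile
    of ANY of the user's roles covers EVERY required field value."""
    for role in user_master.get(user, []):
        for profile in roles[role]:
            for auth in profile:
                if auth.obj != obj:
                    continue
                if all(fld in auth.values and
                       ("*" in auth.values[fld] or val in auth.values[fld])
                       for fld, val in required.items()):
                    return True
    return False


# Constructed sample data: an HR role and a shop-floor role (infotype 0009 is
# the bank details infotype; AUTHC "W" models write access).
HR_AUTHS = [
    Authorization("S_TCODE", {"TCD": {"PA20", "PA30"}}),
    Authorization("P_ORGIN", {"INFTY": {"0009"}, "AUTHC": {"R", "W"}}),
]
SHOPFLOOR_AUTHS = [
    Authorization("S_TCODE", {"TCD": {"MB1A", "CO11N"}}),
    Authorization("P_ORGIN", {"INFTY": {"0002"}, "AUTHC": {"R"}}),
]
ROLES = {
    "Z_HR_PAYROLL": generate_profiles(HR_AUTHS, limit=2),   # one profile
    "Z_SHOPFLOOR": generate_profiles(SHOPFLOOR_AUTHS, limit=1),  # two profiles
}
USER_MASTER = {"HRCLERK": ["Z_HR_PAYROLL"], "WORKER1": ["Z_SHOPFLOOR"]}


def can_update_bank_details(user):
    """The article's example: only HR may write employee bank details."""
    return authority_check(USER_MASTER, ROLES, user, "P_ORGIN",
                           INFTY="0009", AUTHC="W")
```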

16 thoughts on “Basic Concepts”

  • July 18, 2011 at 5:12 am

    Thanks for creating this site. I was very much impressed by this site.
    Could you please explain the sentence below to me with an example.

    “Each role also has one or more corresponding authorisation profiles with different authorisations.”

    Thanks in advance

    • July 23, 2011 at 5:53 pm

      Once you generate a role in PFCG, SAP will take the latest authorization values maintained in the role and create an authorization profile for the role. Depending on the number of distinct authorization object value combinations (authorizations) in a role, PFCG might create more than one profile for a role.

      • February 7, 2013 at 5:16 pm

        What is the maximum number of authorizations that a profile can contain?

        • February 8, 2013 at 3:37 pm

          There is a limit, but I am not sure of the exact number. A simple Google search should give you the answer.

          • September 2, 2014 at 9:57 am

            There are 150 authorizations a profile can contain.

        • September 2, 2014 at 10:03 am

          Hi,

          A profile can contain a maximum of 150 authorizations.

          Thanks

          Zak

          • June 15, 2017 at 9:34 am

            The correct number is 312.

  • April 20, 2012 at 1:21 am

    Can you give some examples of the kind of roles for which PFCG might create more than one profile?

    Thanks.

    • April 22, 2012 at 5:22 am

      Hi Rani,

      Since roles are created for clients, my roles will be different from yours, so I would not be able to give you an example. If you ever end up creating a role similar to SAP_ALL but with some specific restrictions, you will run into the case where a single role has multiple profiles.

      Aninda

  • June 27, 2012 at 6:11 am

    Hi Aninda,

    I just wanted to check how we apply a trace for a user on a different instance in the ST01 tcode.
    Can you please advise us in detail?
    Thanking you in advance.

    Regards,
    Vidhu Bhushan A.N

    • July 2, 2012 at 6:05 am

      Hi Vidhu,

      Use SM51 to check the different app servers. You can select each app server from the same screen and check the users logged in. Once you know the app server, you will be able to select it and log in from the same SM51 screen.

      Regards,
      Aninda

  • April 9, 2013 at 5:28 pm

    Hi Sir,

    I am glad that somebody is really interested in sharing the knowledge, in a real way. I mean, without money/asking for a subscription and all. Please don’t make this site chargeable in the near future as well.

    All people out there can’t afford so many things in life.

  • June 17, 2015 at 11:47 am

    Hi Aninda,
    Your website is very useful for learning SAP security concepts. Do you maintain a separate page for GRC as well? If so, please let me know the page. I also request you to provide any other website details where I can learn GRC easily and for free.
    Regards,
    Teja.

  • June 15, 2017 at 9:37 am

    It is a very useful website and the best for freshers who want to learn SAP security.

    Thank you
