Roles & Authorizations

Access to SAP system are assigned to users through roles maintained in their user master. In this article, we explore how access to the SAP system is extended to users through roles. We also talk about the related concepts of authorization objects and authorizations.

The transaction to create/maintain roles is PFCG. Lets create a role in PFCG and try to understand the various options available to us therein. We name the new role “ZTEST_HR_ACCESS” and click the “Single Role” button. (Note that you can follow any naming convention for your roles as long as they do not begin with SAP or /).

Role Maintenance (PFCG) - initial screen
Role Maintenance (PFCG) – initial screen

Inside, PFCG, there are again a number of tabs which need to be filled with data as part of the role creation process. We start with maintaining role name and description. There is also the option of specifying a parent role as shown in the diagram below. A child role inherits all tcodes and authorizations from its parent except the organizational levels (we will discuss org levels in a later article). The Long text field might be used as an audit log to track the background behind creating the new role.

PFCG - Role Description
PFCG – Role Description

In the menu tab, we maintain the tcodes that the role will have access to. In addition to tcodes, we can also add reports, queries and URL. There are lots of options to build the menu of a role. You can copy from an existing area menu defined in SAP, copy from another role or import from a text file.

PFCG - Menu
PFCG – Menu

Once we have maintained the menu for the role, we go into the Authorization tab. We have an option of generating a profile name or following our own naming convention. I would suggest following a naming conventions of our own (even though I have used the generated profile name in the example) as the profile name can help in subsequent reporting on authorizations. We save the new profile and click either of the two highlighted buttons, Change Authorization Data & Expert mode for profile generation to get into authorization data maintenance.

PFCG - Authorization Tab
PFCG – Authorization Tab

The next screen is for maintenance of authorization data. The different color codes define distinct security specific objects/concepts. Lets discuss these below

  • Blue LineRole – In our case its the new role which we have just created “ZTEST_HR_ACCESS”.
  • Pink Line – Authorization Class – These group Authorization Objects which protect similar application components.
  • Green Line – Authorization Object – Though called an object, an authorization object is more akin to an OOP class. Its a template or structure with a number of fields each of which needs to filled up with appropriate data to allow access.
  • Yellow Line -Authorization – This is an unique instance of an authorization object with values specified for its different fields. Carrying the OOP analogy forward, an authorization is actually similar to an object.
  • Off-white Line – Authorization Field – These are the unique fields within each authorization object. Different authorization objects will have different sets of authorization fields.

To understand how security works at the application level, we take the example of the S_TCODE object. To start a transaction, a user needs this authorization object in his user buffer with the the transaction maintained as a field value. In the example below, a user with the new role would be able to start transactions PA30, PA40 and SU53. However, starting a transaction is only the first level of check, any number of different authorization objects can be checked at each step of the transaction. These checks are for presence of individual authorizations in the user buffer.

During role maintenance, we maintain all the open field values (marked by yellow triangles) so all authorizations become green. Once finished we generate the role, by clicking the button with the a circle and red and white quadrants. This final step is the most important step in the entire process as this creates one or more authorization profiles for the role. It is actually the authorization profiles present the user buffer that give access to SAP applications. The role is just helps in easier maintenance of authorization profile. Even now, its technically feasible to directly modify authorization profiles but is strongly discouraged from SAP. Once generated, the role can be assigned through PFCG itself or through SU01.

PFCG - Role Authorization Data
PFCG – Role Authorization Data

In the next article, we discuss the link between transactions and authorization objects. This will in turn help us to understand how the authorization objects are pulled into the role during maintenance.

Basic Concepts

The introductory article gave a glimpse of one of the thousands of SAP applications delivered as part of a SAP standard package. This article follows on from there and starts our journey on SAP security. It tries to answer three basic questions: What is security? Why do we need security? and How does SAP implement security?

Q. What is Security?

A. Security in the context of IT denotes giving access to users to only those sytem resources which they require to perform their jobs. in SAP, these resources generally take the form of either business application or administation tools through transactions, screens, tables, programs, reports, web services, etc.

Q. Why do we need Security?

A. SAP being an ERP solutions comes loaded with a huge number of applications which can be configured to map the business processes of an organization like procurement, manufacturing, sales, financial accounting, controlling and human resource mangement. It is imperative that only actual employees/business partners get access to the SAP system (Authentication). Further, each user using the SAP system should only have access to the applications relevant to their jobs (Authorization). For example, we certainly do not want an employee working on the shop floor to get access to see and update the bank details for other employees, a job typically reserved for the HR department.

Q. How does SAP implement security?

A. Authentication

Authentication is ensured by having an unique user-id and password for each user maintained as part of the user master record. Any user trying to access a SAP system should have a valid User Master Record. In addition to the user id and password, a user master record also lists the user’s name, email, telephone and the roles which allow access to different applications.


Auhtorizations are implement through roles (or the older term activity groups) and typically assigned to users through their user master record. Each role also has one or more corresponding authorization profiles with different authorizations. Its the authorization profiles which actually give access to users.

Introduction to SAP

This site basically deals with SAP security. But before we get into the details of security it would be probably beneficial for the absolute newbies among us to first get a basic idea of ERP software in general and SAP in particular. This beginning article tries to do just that. So experienced ones……..please feel free to skip ahead to the next posts.

SAP (Systems, Applications and Products in Data Processing) is an example of ERP (Enterprise Resources Planing) software. An ERP system a computer based system to manage the internal and external resources for an enterprise. It might have various components to help in business processes like procurement, sales, accounting, human resources. Some of the major vendors for ERP software are SAP, Oracle, PeopleSoft, JD Edwards.

Since these pages deal with SAP security, let us consider a business process implemented in SAP. A user typically uses the SAP GUI/Logon pad to launch the login screen for a particluar SAP instance.

SAP Logonpad
SAP Logonpad

At the next screen, the user logs in to the SAP system using his unique user id and password

Log-on Screen
Log-on Screen

Each business process in SAP is typically started using a transaction code (tcode) or by following a menu path. We consider the HR transaction PA40 (Personnel Actions) which is used to hire a personl into a position into the enterprise.

Starting a transaction through its tcode
Starting a transaction through its tcode

On the initial PA40 screen we enter the date from which we want to hire our new employee, select the hiring actiona nd click the clock icon (execute).

PA40 Screen 1
PA40 Initial Screen

On each subsequent screen, we enter the relevant information, like personal data, organizational data, address, tax information, basic salary, bank details and click the save button.

Create Hiring Action

PA40 Create Hiring Action
PA40 Create Hiring Action

Create Personal Data

PA40 - Create Personal Data
PA40 - Create Personal Data

Create Organizational Data

PA40 - Create Organizational Data
PA40 - Create Organizational Data

Create Address

PA40 - Create Address Data
PA40 - Create Address Data

Create Bank Details

PA40 - Create Bank Details
PA40 - Create Bank Details

Final screen showing successful hiring of Mr Abap Developer with a personnel number of 2

PA40 - Final screen showing succesful hire
PA40 - Final screen showing succesful hire


This site strives to be a comprehensive guide to SAP Security and Authorizations. Though  a search in google returns any number of references on security, the number of sites dealing exclusively with SAP security are few and far between. This is a personal site maintained solely by me. I intend to update it regularly with more information, links and other online resources. Feel free to look around and make use of any of the resources. I would be glad if any of information presented in the following pages helps you in learning SAP security. Continue reading “Welcome!”