SAP systems are the digital backbone of many companies. A well thought-out authorization concept plays a central role in ensuring security, traceability and efficiency.
SAP authorizations regulate what a user is allowed to see and execute in the system. Access to transactions, data, functions and reports is controlled via a fine-grained authorization concept. This is based on so-called authorization objects, which define certain actions in combination with organizational units or data fields.
A solid authorization concept is made up of several components:
| Component | Description |
| --- | --- |
| User master record | Central user administration with personal and security-relevant data |
| Roles (PFCG) | Roles bundle authorization objects and are assigned to users |
| Profile | Technical translation of the roles for the authorization system |
| Authorization objects | Combination of fields such as activity, company code, plant, etc. |
| Organizational assignments | Restriction to organizational units such as company codes or plants |
Transaction PFCG is the heart of role maintenance in the SAP system. This is where roles can be created, changed and filled with transactions, reports and authorizations. A distinction is made between
With the introduction of SAP S/4HANA and the Fiori interface, authorization management is also changing:
| Area | Change with S/4HANA |
| --- | --- |
| Fiori apps | Authorizations control access to Fiori tiles via app IDs |
| CDS views | Core Data Services are accessed via analytical authorizations |
| UI5 technology | Technical roles for SAP GUI and Fiori must be managed in combination |
| SAP BRF+ | The Business Rules Framework is used to control workflows and authorizations |

Fiori apps are clear, easy to use and ideal for mobile devices. However, authorizations for Fiori work differently than for ERP transactions. We will tell you how to achieve a good authorization concept.
In practice, certain roles with corresponding authorizations recur frequently. Examples:
| Role | Typical transactions | Important authorization objects |
| --- | --- | --- |
| Purchaser | ME21N, ME22N, ME23N | M_BEST_BSA, M_BEST_EKG |
| Accountant | FB60, F110, F-02 | F_BKPF_BUK, F_LFA1_APP |
| Warehouse manager | MIGO, MB1C, LT01 | M_MSEG_WMB, L_LGNUM |
| HR administrator | PA30, PA20, PA40 | P_ORGIN, P_PERNR |
| System administrator | SU01, PFCG, ST01 | S_USER_GRP, S_USER_PRO |
A particular strength of SAP authorizations lies in the combination of activity (e.g. display, change, create) and organizational unit (e.g. plant, company code, personnel area). This restriction increases security:
Example: an employee may only make postings for company code 1000, but not for others.
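The following is an added example, not code from the original article: a simplified Python model of how an SAP authority check evaluates the accountant's F_BKPF_BUK authorization (fields ACTVT and BUKRS). It shows why the company-code restriction holds only when the activity and organizational values are kept in separate authorizations, and how merging them into one authorization silently widens access. The profile contents are constructed; the object and field names are real SAP names.

```python
from dataclasses import dataclass

# One authorization = one object with a concrete value set per field.
# A role's generated profile is a list of these; a user holds the union of
# all profiles assigned to them. (Constructed model, not SAP's implementation.)
@dataclass
class Authorization:
    obj: str
    fields: dict  # field name -> list of allowed values: str or (low, high)

def field_matches(allowed, value: str) -> bool:
    """A field is satisfied if any maintained entry covers the requested value."""
    for entry in allowed:
        if isinstance(entry, tuple):          # range, e.g. ('1000', '1999')
            low, high = entry
            if low <= value <= high:
                return True
        elif entry == "*":                    # full authorization for this field
            return True
        elif entry.endswith("*"):             # pattern, e.g. 'ME2*'
            if value.startswith(entry[:-1]):
                return True
        elif entry == value:                  # single value
            return True
    return False

def authority_check(user_auths, obj: str, **check_fields) -> bool:
    """Mirror the ABAP AUTHORITY-CHECK rule: OR across authorizations,
    AND across the fields of a single authorization."""
    for auth in user_auths:
        if auth.obj != obj:
            continue
        if all(field_matches(auth.fields.get(name, []), val)
               for name, val in check_fields.items()):
            return True
    return False

# Constructed accountant profile: create/change (ACTVT 01/02) only in company
# code 1000, display (03) everywhere. Two authorizations keep these separate.
ACCOUNTANT = [
    Authorization("F_BKPF_BUK", {"ACTVT": ["01", "02"], "BUKRS": ["1000"]}),
    Authorization("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["*"]}),
]

# Pitfall: collapsing both into one authorization. Field values within one
# authorization are independent, so 01 now combines with BUKRS '*'.
OVERBROAD = [
    Authorization("F_BKPF_BUK", {"ACTVT": ["01", "02", "03"], "BUKRS": ["1000", "*"]}),
]

if __name__ == "__main__":
    print(authority_check(ACCOUNTANT, "F_BKPF_BUK", ACTVT="01", BUKRS="2000"))  # False
    print(authority_check(OVERBROAD, "F_BKPF_BUK", ACTVT="01", BUKRS="2000"))   # True
```

A quick way to spot the second pattern during a role review is to look for authorizations that combine several activities with a '*' in an organizational field.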
How do I identify a user's missing authorizations?
Transactions such as SU53 (last failed authorization check) or ST01 (system trace) can be used to analyze missing objects.
What is the difference between a role and a profile?
The role is the organizational unit for user rights. The profile is the technical translation that the system uses at runtime.
How does mass maintenance of roles work?
With tools such as PFCG_MASS_CHANGE or SAP NetWeaver Identity Management, roles and users can be managed efficiently in large quantities.
SAP offers a range of tools for managing and analyzing authorizations:
| Tool / Transaction | Function |
| --- | --- |
| SU01 / SU10 | User maintenance (individually / en masse) |
| PFCG | Role maintenance |
| SUIM | User information system |
| ST01 | System trace for authorization checks |
| SU53 | Analysis of failed authorization checks |
| GRC Access Control | Advanced governance and compliance tools |
The complexity of SAP authorizations can lead to various problems:
A well thought-out authorization system is not a "nice-to-have", but essential for the IT security and efficiency of SAP systems. It protects sensitive data, fulfills legal requirements and supports smooth business processes. Especially with the switch to S/4HANA, it is crucial to put existing concepts to the test and redesign them.