For those who are familiar with SAP applications such as S/4 HANA and SAP ECC (Central Component), this will all be very elementary in nature. In the security world, authentication and authorization are two terms that get tossed around very frequently. Authorizations are especially useful when controlling access at the application level. They are responsible for controlling the various functions that a user can execute. Users can also be authorized to view, change, enter, and delete data. While the underlying concept of the authorization principle may seem trivial, numerous challenges come into play during authorization implementations. Security compliance requirements, enterprise restrictions, and high costs often deter organizations from implementing best practices in their security architecture. However, at the end of the day, the importance of a secure access control framework cannot be stressed enough. Roles and authorizations are what enable users to execute transactions in SAP in a secure manner.
Roles
A single role can serve as the template from which derived roles are created for specific organizational values. From a technical viewpoint, derived roles are also single roles that have inherited their authorization characteristics from a separate “master” role. A collection of single and derived roles is called a composite role. In any case, once a role containing at least one authorization object is generated, the system automatically creates an authorization profile for that role.
- Single Roles – Single roles are derivable for their respective organizational values. Usually when single roles are discussed amongst professionals, the primary reference point is a job- or position-based role design. When this is the case, all required authorizations for a user’s job/position are contained in the single role. However, there are examples where single role designs lack some or even all of a user’s required authorizations. This is typically the case when a basic authorization role holds the transactions and authorizations that are uniform for all users. Similarly, some users will possess extra privileges beyond those of their job role.
- Derived Roles – There are a number of differences between single and derived roles. For starters, derived roles are composed of a “master” role and additional “child” roles, each of which differs from the “master” and from each other only in its organizational values. This approach does come with a number of limitations, however. For example, if an administrator promotes a non-organizational field to an organizational level, the values of that field must be the same within one role. To put it simply, it is not advisable to use differing non-organizational field values in tandem with derived roles, since the values across all the child roles will be the same as in the “master” role. As a result, all objects will be affected.
- Composite Roles – The most versatile role type in SAP is the composite role. Composite roles are a collection of single roles that can be grouped into a common composite role menu. This versatility lets administrators indirectly assign multiple single roles to a user by assigning only the composite role that contains them. Composite roles are heavily leveraged by SAP customers because they drastically reduce the number of single roles directly assigned to users. In a nutshell, a composite role can really be thought of as a package of task-level single roles.
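To make the inheritance and aggregation rules above concrete, here is an added Python model of the three role types (illustrative code written for this page, not SAP code and not from the original post): derived roles copy every object and field from the master and may differ only in organizational-level fields, composite roles are expanded into their single roles when a user’s effective authorizations are resolved, and a simplified authority check is run against the result. The role names, the set of organizational fields, and the field values are constructed sample data; the authorization object F_BKPF_BUK and its fields ACTVT/BUKRS are used as a familiar example.

```python
from dataclasses import dataclass
# Constructed model of SAP role types; not SAP code. Authorization objects are
# simplified to {field: set of allowed values}, with "*" meaning any value.
ORG_FIELDS = {"BUKRS", "WERKS"}  # organizational levels (company code, plant) in this model

@dataclass
class SingleRole:
    name: str
    auths: dict  # object name -> {field: set(values)}
@dataclass
class CompositeRole:
    name: str
    members: list  # SingleRole instances (derived roles are single roles too)

def derive(master: SingleRole, name: str, org_values: dict) -> SingleRole:
    """Child role: inherits every object/field from the master; only org-level fields may differ."""
    child = {}
    for obj, fields in master.auths.items():
        child[obj] = {f: set(org_values.get(f, vals)) if f in ORG_FIELDS else set(vals)
                      for f, vals in fields.items()}
    return SingleRole(name, child)

def effective_auths(assigned: list) -> dict:
    """Union of all assigned roles; composite roles expand into their single roles."""
    out = {}
    for role in assigned:
        for single in (role.members if isinstance(role, CompositeRole) else [role]):
            for obj, fields in single.auths.items():
                for f, vals in fields.items():
                    out.setdefault(obj, {}).setdefault(f, set()).update(vals)
    return out

def authority_check(auths: dict, obj: str, **required) -> bool:
    """Simplified AUTHORITY-CHECK: every required field value must be allowed for the object."""
    fields = auths.get(obj)
    if fields is None:
        return False
    return all(v in fields.get(f, set()) or "*" in fields.get(f, set())
               for f, v in required.items())

# Constructed sample: a master AP clerk role with change/display on accounting documents
# for any company code, derived once per company code, then packaged as a composite.
MASTER = SingleRole("Z_AP_CLERK", {"F_BKPF_BUK": {"ACTVT": {"02", "03"}, "BUKRS": {"*"}}})
DERIVED = [derive(MASTER, f"Z_AP_CLERK_{cc}", {"BUKRS": {cc}}) for cc in ("1000", "2000")]
COMPOSITE = CompositeRole("Z_AP_CLERK_ALL", DERIVED)  # one assignment instead of two

def user_can(obj: str, **required) -> bool:
    """Authority check for a user who is assigned only the composite role."""
    return authority_check(effective_auths([COMPOSITE]), obj, **required)
```

Note that because ACTVT is not an organizational field, every child carries exactly the master's activity values; widening ACTVT in the master and re-deriving changes all children at once, which is the derived-role limitation described above.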
