BASIC UNDERSTANDING OF ROLES AND AUTHORIZATION

Many of the Functional Consultants face issues in understanding what are the Roles and what are
Authorizations in SAP. This is a document which would help people who are curious to know what is
exactly the concept behind this and how does it work.

Functional Consultants have a lot of questions in mind regarding this concept and one of the main
questions here is why should Functional Consultants worry about Roles and Authorization when it is a job
of BASIS team.

Well, to answer this, it is not solely a job of BASIS team rather it is also like other activities, it an
integrated activity which should be performed by both BASIS team and Functional team.

BASIS team have a know how about the User Management, Roles Creation, Profile Creation, Roles and
Profile assignment, Authorization assignments etc. but main concern in most of the cases arises when
the below questions are unanswered by BASIS team:

1. Whom to Assign the Roles or transactions

2. What to Restrict in a transaction and for whom
3. How to authorize Custom transactions

and many more such questions cannot be answered by BASIS team. Hence, it becomes the role of a
Functional Consultant to guide them with the exact process flow and exact organizational chart.
Explaining with a small example here, suppose we have a maintenance team as below:

1. Supervisor He is responsible for notifying the breakdown or Corrective Maintenance.

2. Maintenance In-charge He is responsible for assigning the above tasks to Engineers.
3. Head of the department He is responsible for approving the Maintenance tasks.

Now, Functional Consultant is very well aware that for Supervisor would require only the transactions
related to Notifications (say IW21, IW22, IW28, IW29 etc), Maintenance In-charge would require some of
the notification related transactions (say IW22, IW28, IW29) and also order related transactions (IW31,
IW32, IW38, IW39 etc) and the Head of the department would require notifications and order transactions
(say IW28, IW29, IW38, IW39) and also along with this he require special permissions like releasing
orders, approving permits, technical completions etc.

Looking from BASIS teams perspective they are not clear with these requirements and they thus cannot
take the decision for this and should be provided by Functional Consultants.

But, the main issue in most of the cases arises when Functional Consultants are not aware about the
concept of Roles and Authorizations.

Hereby, this document will explain the basic concept of Roles and Authorizations:

WHAT IS ROLES AND AUTHORIZATION CONCEPT:

Roles and Authorizations allow the users to access SAP Standard as well as custom
Transactions in a secure way.
SAP provides certain set of generic Standard roles for different modules and different
scenarios.
We can also define user defined roles based on the Project scenario keeping below
concept in mind:
There are basically two types of Roles:
 1. Master Roles With Transactions, Authorization Objects and with all
organizational level management.
2. Derived Roles With organizational level management and Transactions and
Authorization Object copied from Master Role.

The reason behind this concept is to simplify the management of Roles.

WHAT ARE THE COMPONENTS OF A ROLE:
A Master Role or a Derived Role is having below components inside it:

1. Transaction Codes
2. Profile
3. Authorization Objects
4. Organization level

Transaction Codes: SAP Transaction codes (Standard or custom)

Profile: Profiles are the objects that actually store the authorization data and Roles are the Container that
contains the profile authorization data.
Authorization Objects: Objects that define the relation between different fields and also helps in restricting/
allowing the values of that particular field (For ex: Authorization object I_VORG_ORD: PM: Business
Operation for Orders, contains relation between fields: AUFART = Order Type and BETRVORG Business
Transaction).

Authorization objects are actually defined in programs that are executed for any particular transactions.
We can also create custom authorization objects for any particular transaction (generally custom
transaction).

Organization level: This defines actually the organizational elements in SAP for ex: Company Code, Plant,
Planning Plant, Purchase organization, Sales organization, Work Centers, etc.

Suppose we take an example of creating a role for Maintenance In-charges in a particular industry who
are responsible for different maintenance plants. Consider the Scenario as under:

Company = C1, Maintenance Plants = M1, M2, M3 and M4 (Hence assuming 4 Shift In-charges).
As mentioned before, Maintenance In-charge will have rights to following transactions IW22, IW23,
IW28, IW29, IW31, IW32, IW38 and IW39 but he will not have rights to release the Maintenance order.

EXPLAINING WITH AN EXAMPLE:

Hence, considering the above situation, we will create a common Master role for all 4 Maintenance In-
charges say ZMPM_MAIN_IN_CHARGE_ROLE (Here the role name starts with ZMPM to make us
understand that it is a Z Master Role for Plant Maintenance ) with transaction mentioned above with all
rights (with value *) inside the transactions but only restricting release of Maintenance order with the
help of authorization object I_VORG_ORD and removing value: BFRE and field: BETRVORG but with all any
organizational level (say plant) assignment.

Now based on this Master Role we have to create derived Roles for all 4 Maintenance In-charges
individually say for first Maintenance In-Charge we create a derived
role ZDPM_MAIN_IN_CHARGE_ROLE_MI1 referring the above Master
Role ZMPM_MAIN_IN_CHARGE_ROLE.
This will copy all the transactions and authorization objects from Master Role but will not copy the
organizational level assignments which we have assigned in Master Role. Hence, we need to maintain
the organizational level for the derived role (say PlantP1). Here once we save (& Generate) the Master as
well as Derived Role we can assign this role to the User ID for the particular Maintenance In-charge.
Roles and Authorizations Concept
Use
For Management of Internal Controls (MIC), a large number of frequently
changing people need to perform tasks in a variety of functions.
Consequently, a special roles and authorizations concept has been created
for this purpose. Besides the general SAP standard roles that are edited by
the system administrator in transaction PFCG, there are also MIC-specific
roles comprising a variety of delivered tasks. These MIC-specific roles and
their respective tasks allow you to manage the detailed authorizations and the
workflow between those involved.
Features
For information about the general standard roles delivered with MIC,
see Standard Roles and Authorization Objects.
The MIC-specific roles refine the authorizations delivered in the standard
role Management of Internal Controls - Business User
(SAP_CGV_MIC_BUSINESS_USER). An MIC-specific role consists of
different tasks with authorizations attached. You can specify which tasks
belong to which role. For more information, see Editing MIC-Specific Roles.
The assignment of am MIC-specific role to one or more persons is dependent
on an object (for example, an organizational unit). The assignment is
performed in a Web application by different persons throughout the
organization hierarchy. The power user triggers this process for the highest
level of the organization hierarchy. For more information, see Assigning Roles to
Persons.
To ensure the segregation of duties so that the same person is not
authorized to perform an assessment as well as the validation of that
assessment, for example, you can define conflict groups. You include in a
conflict group any tasks that must not be performed by the same person. You
can use these conflict groups to run a check to establish whether the defined
segregation of duties is actually reflected in the system. For more information,
see Segregation of Duties.
Activities
1. The system administrator copies the delivered standard
role Management of Internal Controls All Authorizations
(SAP_CGV_MIC_ALL), makes any necessary adjustments, and assigns
the adjusted copy of the standard role to the MIC power user.
2. The power user edits the MIC-specific roles.
 3. The power user defines conflict groups.
4. The power user starts the role assignment procedure in the navigational
area on the start page.
5. The power user checks whether the segregation of duties defined in the
conflict groups is enforced by the system.

Standard Roles and Authorization Objects

Use
The authorization concept of the SAP NetWeaver Application Server uses the
assignment of authorizations to users on the basis of roles. Some general
SAP standard roles are delivered with MIC. You can copy and adjust them in
Customizing under SAP NetWeaver Application Server System
Administration Users and Authorizations Maintain Authorizations and
Profiles Using Profile Generator Maintain Roles (transaction PFCG).
Integration
The standard roles are refined using the MIC-specific Roles and Authorization
Concept.
Features
Standard Roles
MIC uses the following standard roles:
Management of Internal Controls - Customizing
(SAP_CGV_MIC_CUSTOMIZING)
This role contains all necessary authorizations to make the Customizing
settings for MIC. This role does not contain any authorizations for the
Web applications.
Management of Internal Controls - Business User
(SAP_CGV_MIC_BUSINESS_USER)
A user with this role is only authorized to perform those specific tasks
prescribed by the detailed role concept for MIC. All users that have this
role assigned to them must also have at least one MIC-specific role
assigned to them. A user may use the Web applications that are specified
by the tasks in the MIC-specific role.
Management of Internal Controls - Power User (SAP_CGV_MIC_ALL)
 When this role is assigned to a user, that user is made a power user. In
addition to the authorizations that the business user has, a power user
also has authorization for administration functions in the MIC
Implementation Guide, such as the expert mode for structure setup.
Moreover, the user has special authorizations in the People-Centric UI,
such as those for editing roles and for starting role assignment to persons
(see Assigning Roles to Persons).
Management of Internal Controls - Display (SAP_CGV_MIC_DISPLAY)
A user with this role can display Customizing for MIC in the SAP GUI.
This role is useful for external auditors, for example. We recommend
using this role in addition to the business user role.
For more information, see the documentation on the individual roles in
transaction PFCG.
Standard Authorization Objects Relevant to Security
Authorizations for objects of applications belonging to the Application
Server and used in MIC are relevant to security in MIC. If you run MIC in a
system in which the applications used by MIC are also used productively in
other projects, then you need to ensure that you manage the authorizations
for the MIC-specific objects separately from the other objects.
Authorization object Personnel Planning (PLOG) from Organizational
Management
The general object types Organizational Unit und Person are used in MIC
together with other MIC-specific object types.
Note, therefore, that the organizational units and persons created in other
projects are also available in MIC (and vice versa).
Various authorization objects in Case Management and Records
Management
Assessments, tests, issues, and remediation plans are stored in Case or
Records Management. The RMS ID FOPC_SOA is relevant for MIC.
Activities
1. Copy the general SAP roles delivered with MIC, and adjust the
authorizations in these roles to suit the circumstances in your system.
2. Assign the roles you have adjusted to the appropriate users. While doing
so, ensure that no user has been assigned role Management of Internal
Controls All Authorizations (SAP_CGV_MIC_ALL) as well as
role Management of Internal Controls - Business User
(SAP_CGV_MIC_BUSINESS_USER).
The SAP authorization concept is based upon the logical relationship between a User
ID and the range of system authorizations with which it can be associated.

The architecture of the authorization system is based upon the utilization of several
individuals but related logical components: Profiles, Objects, Fields, and
Authorizations.

The user ID refers exclusively to profiles. Each profile grants a set of specific system
access authorizations to user.

The hierarchical authorization concept in SAP.

Composite Profiles

Composite profiles refer to the various employee roles available in the corporation
(for instance: Purchasing / Receiving Clerk or Accounts Agent). As the name
suggests, composite profiles may contain multiple user IDs necessary to perform all
the business operations associated with a particular role. A composite profile may
encapsulate another composite profile(s).
In practice, a model composite profile should be recognized for each possible role in
the organization, which may be used to produce hybrid composite profiles. The over
existence of the hybrids can defy the very purpose of composite profiles and they
should be created only when specific needs arise.

User Ids

User ids allow access to SAP applications. Each user must have a corresponding
profile specifically assigned. In many situations, multiple composite profiles can be
assigned to a user ID, depending on the role(s) an individual user is responsible for, in
the business processes.

Authorizations

Authorizations are the key building blocks of SAP security. Authorization is the
process of assigning values to fields present in authorization objects.

In SAP, access to all system functionality is achieved through a complex array of

authorizations. Sometimes users find that they lack the necessary authorizations to
perform a certain function in the system, in which case the message: "You are not
authorized..." is displayed at the bottom of the screen.

An authorization process may ask for second associated authorization process which
in turn asks for third and so on. For example, the task of paying a vendor invoice may
require 10 different authorizations.