SAP R/3 uses a very complex mechanism to assign users access to system. SAP uses Authorization Objects to assign authorizations to users. An authorization objects works as a template for an authorization to be
defined. One point to note here is that there are a maximum of 10 fields per authorization object. For users to conduct an activity in SAP, their user profiles should satisfy the authorization check for each field in the authorization defined on a specific authorization object.
To take an example, if a user wants to create a new company code, the authorization object is F_SKA1_BUK - G/L Account: Authorization for company codes. User is given authorization to authorization object
mentioned above with the relevant fields. Authorizations in SAP are classified as General authorizations, Organizational authorizations or Functional authorizations. In our example above, authorization object
F_SKA1_BUK has been assigned to function for creating a general ledger master records. SAP can be configured to check authorizartions at the company code level, chart of account level, individual master record level so as to prevent user access. I will discuss more on SAP authorizations in my future posts.
SAP USER INFORMATION SYSTEM: PROFILES & AUTHORIZATIONS - Transaction Code SUIM
In SAP, it is possible to know the accesses and authorizations a user has using T-code SUIM. I was giving a talk on SAP security and controls at a client's place, when this question popped up. This gentleman asked me whether it was possible to view the profiles of users in SAP. The answer is yes. Enter the T-code SUIM in the short path menu.
This is the user information system menu. There are a number of different options available through which you can select the users. As you can see above, you can select users by Role, by profiles, by User id, by authorization values, by transaction authorizations etc. I generally prefer seraching this menu using "Users by Complex Selection Criteria".
Here you can select various options, for example, in the Transaction code field if you select VA01 which is the T-code for creating sales orders, it will give you a listing of all users who hae access to creating a sales order. Similarly, you can also search by User id. If you know a user id and want to know what accesses and authorizations he has, just go to users and enter the id. SAP will give you all accesses the user has. You can drill down futher for details such as profiles attached, authorization objects, activities etc. All in all, I find this feature in SAP very useful for the access and authorizations.
In case a SAP user is trying to execute a transaction code for which he does not have authorization, he will be given an error message. A user can view the object or transaction which he does not have authorization using transaction code SU53.
Reward points if useful.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.