
Basic Authorization concept

Former Member
0 Kudos

Hi Friends,

I want to be clear in basic authorization terminologies.

Can anyone give the definition for each of the below-mentioned basic authorization terminologies, with some example?

1. Object class
2. Authorization
3. Authorization Object
4. Authorization Field
5. Field Value
6. Profile
7. Role
8. Composite role
9. Reference role
10. Derived role

Thanks in advance.

Regards,

Venu

2 REPLIES

Former Member
0 Kudos

Hi Venu,

Let's come from the top to bottom ...

At the highest level you have the Role. A role can be defined as follows.

Role

The collection of activities that a person performs to participate in one or more business scenarios in an organization.

Access to the transactions, reports, Web-based applications, and other objects contained in roles is through user menus.

Also, in a simple manner, it can be defined as a set of transaction codes in one bundle.

Note: when a Tcode is assigned to a Role, the related authorization objects get automatically assigned to the role. I hope it's clear until now.

So every Tcode is assigned to a specific set of Authorization objects, and every authorization object has a set of Auth fields assigned to it. They can be checked in any role in transaction PFCG.

For better programming, SAP has classified a set of authorization objects into OBJECT classes. It's not of much importance to you as it's a system thing.

One more thing is every role has a profile assigned to it when it's created and generated. Usually profiles are the concept until 4.0 system of SAP... later the roles concept came into existence and hence they are defunct except a few standard SAP profiles like SAP_ALL and stuff which can be assigned to users directly. Else profiles are also automatic assignment and get linked to a user once a user is assigned a particular properly generated role.

Coming to other terms, a group of single roles can be bundled into a single composite role. Hence it's just a group of single roles.

In the authorization concept, we have the parent-child relationship in roles.

That is... when a Role is created we call it the master role and its properties can be inherited by a child role.

The scenario is: if we are having 4 company codes in an org, and I am supposed to create roles for each company code separately, I try to create a master role and create 5 child roles with inheritance properties. This way any change to the master role gets drilled down to the child roles without having to change all the roles separately.

This is the concept of <b>derived roles</b>.

I wish this info has helped you...

Br,

Sri

Thanks for the points...
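
An added illustration, not part of the thread and not SAP code: a simplified Python model of the terms in the reply above (role, authorization object, field, field value, derived role, composite role). F_BKPF_BUK with its fields BUKRS and ACTVT and transaction FB03 are standard SAP names; the role names, company codes and helper functions are assumptions, and inheritance is modelled as a live reference to the master role.

```python
from dataclasses import dataclass, field

# Fields whose values are maintained per derived role (organizational levels).
ORG_LEVEL_FIELDS = {"BUKRS"}

@dataclass
class Role:
    name: str
    tcodes: set = field(default_factory=set)        # role menu
    auths: dict = field(default_factory=dict)       # object -> {field: {values}}
    org_values: dict = field(default_factory=dict)  # org-level field -> {values}
    master: "Role | None" = None                    # set only on derived roles

    def effective_tcodes(self):
        return set((self.master or self).tcodes)

    def effective_auths(self):
        """Menu and non-org field values come from the master role;
        organizational-level values come from this role itself."""
        source = self.master or self
        return {obj: {f: set(self.org_values.get(f, ())) if f in ORG_LEVEL_FIELDS
                      else set(vals) for f, vals in fields.items()}
                for obj, fields in source.auths.items()}

def derive(master, name, **org_values):
    """Create a child role that differs from its master only in org levels."""
    return Role(name, master=master,
                org_values={f: set(v) for f, v in org_values.items()})

def is_authorized(roles, obj, **wanted):
    """True if a single authorization in any role covers every requested
    field value ('*' in the role matches any value)."""
    for role in roles:
        fields = role.effective_auths().get(obj)
        if fields and all(f in fields and ("*" in fields[f] or v in fields[f])
                          for f, v in wanted.items()):
            return True
    return False

# Constructed sample: one display-only master role, four company codes.
MASTER = Role("Z_FI_DISPLAY_MASTER", tcodes={"FB03"},
              auths={"F_BKPF_BUK": {"BUKRS": set(), "ACTVT": {"03"}}})
DERIVED = {cc: derive(MASTER, f"Z_FI_DISPLAY_{cc}", BUKRS=[cc])
           for cc in ("1000", "2000", "3000", "4000")}
# A composite role is just a bundle of single roles.
COMPOSITE = [DERIVED["1000"], DERIVED["2000"]]

if __name__ == "__main__":
    print(is_authorized([DERIVED["1000"]], "F_BKPF_BUK", BUKRS="1000", ACTVT="03"))
    print(is_authorized([DERIVED["1000"]], "F_BKPF_BUK", BUKRS="2000", ACTVT="03"))
```

Each derived role carries the master's transaction and activity values but only its own company code, so a user holding only the 1000 role cannot display documents of company code 2000.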

Former Member
0 Kudos

Venu,

There is a lot of information here

http://www.sapsecurityonline.com/