Introduction to SAP Security

What is Security

Security in the context of IT denotes giving access to users to only those system resources which they require to perform their jobs.

In SAP, these resources generally take the form of either business application or administration tools through transactions, screens, tables, programs, reports, web services, etc.

Why Security is important?

SAP being an ERP solutions comes loaded with a huge number of applications which can be configured to map the business progresses of an organization like procurement, manufacturing, sales, financial accounting, controlling and human resource management.

It is imperative that only actual employees/business partners get access to the SAP system (Authentication).

Each user using the SAP system should only have access to the application relevant to their jobs (Authorization).

e.g. we certainly do not want an employee working on the shop floor to get access to see and update the bank details for other employees, a job typically reserved for the HR department.

Authentication and Authorization

Authentication: is ensured by having an unique user id and password for each user maintained as part of the user master record. Any user trying to access a SAP system should have a valid User Master Record. In addition to that it lists the user's name, email, telephone and the roles which allow access to different applications.

Authorization: are implement through roles (or the older term activity groups) and typically assigned to users through their user master record.

Each role also has one or more corresponding authorization profiles with different authorizations. Its authorization profiles which actually give access to users.

Levels of Authorizations

Level 1: User ID Access Login w/ UserID and Password

Level 2: Transaction Code Access Object: S_TCODE Examples: FB01, MM01

Level 3: Authorization Access Examples: F_BKPF_BUK, M_MATE_BUK

User Master Record Role/Profile Authorization Object Field Values