BASIC UNDERSTANDING OF

ROLES AND AUTHORIZATION

Many of the Functional Consultants face issues in understanding what are the Roles and
what are Authorizations in SAP. This is a document which would help people who are
curious to know what is exactly the concept behind this and how does it work.
Functional Consultants have a lot of questions in mind regarding this concept and one of
the main questions here is why should Functional Consultants worry about Roles and
Authorization when it is a job of BASIS team.
Well, to answer this, it is not solely a job of BASIS team rather it is also like other
activities, it an integrated activity which should be performed by both BASIS team and
Functional team.
BASIS team have a know how about the User Management, Roles Creation, Profile
Creation, Roles and Profile assignment, Authorization assignments etc. but main concern
in most of the cases arises when the below questions are unanswered by BASIS team:
1.
2.
3.

Whom to Assign the Roles or transactions

What to Restrict in a transaction and for whom
How to authorize Custom transactions
and many more such questions cannot be answered by BASIS team. Hence, it becomes
the role of a Functional Consultant to guide them with the exact process flow and exact
organizational chart.
Explaining with a small example here, suppose we have a maintenance team as below:

Supervisor He is responsible for notifying the breakdown or Corrective

Maintenance requirements
2.
Maintenance In-charge He is responsible for assigning the above tasks to
Engineers
3.
Head of the department He is responsible for approving the Maintenance tasks.
1.

Now, Functional Consultant is very well aware that for Supervisor would require only the
transactions related to Notifications (say IW21, IW22, IW28, IW29 etc), Maintenance Incharge would require some of the notification related transactions (say IW22, IW28,
IW29) and also order related transactions (IW31, IW32, IW38, IW39 etc) and the Head of
the department would require notifications and order transactions (say IW28, IW29,
IW38, IW39) and also along with this he require special permissions like releasing orders,
approving permits, technical completions etc.
Looking from BASIS teams perspective they are not clear with these requirements and
they thus cannot take the decision for this and should be provided by Functional
Consultants.
But, the main issue in most of the cases arises when Functional Consultants are not
aware about the concept of Roles and Authorizations.
Hereby, this document will explain the basic concept of Roles and Authorizations:

WHAT IS ROLES AND AUTHORIZATION CONCEPT:

Roles and Authorizations allow the users to access SAP Standard as well
as custom Transactions in a secure way.
SAP provides certain set of generic Standard roles for different modules
and different scenarios.
We can also define user defined roles based on the Project scenario
keeping below concept in mind:

1.
2.

There are basically two types of Roles:

Master Roles With Transactions, Authorization Objects and with all
organizational level management.
Derived Roles With organizational level management and
Transactions and Authorization Object copied from Master Role.
The reason behind this concept is to simplify the management of Roles.
WHAT ARE THE COMPONENTS OF A ROLE:

1.
2.
3.
4.

A Master Role or a Derived Role is having below components inside it:

Transaction Codes
Profile
Authorization Objects
Organization level
Transaction Codes: SAP Transaction codes (Standard or custom)
Profile: Profiles are the objects that actually store the authorization data and Roles are
the Container that contains the profile authorization data.
Authorization Objects: Objects that define the relation between different fields and
also helps in restricting/ allowing the values of that particular field (For ex: Authorization
object I_VORG_ORD: PM: Business Operation for Orders, contains relation between
fields: AUFART = Order Type and BETRVORG Business Transaction).
Authorization objects are actually defined in programs that are executed for any
particular transactions. We can also create custom authorization objects for any
particular transaction (generally custom transaction).
Organization level: This defines actually the organizational elements in SAP for ex:
Company Code, Plant, Planning Plant, Purchase organization, Sales organization, Work
Centers, etc.
Suppose we take an example of creating a role for Maintenance In-charges in a particular
industry who are responsible for different maintenance plants. Consider the Scenario as
under:
Company = C1, Maintenance Plants = M1, M2, M3 and M4 (Hence assuming 4 Shift Incharges).
As mentioned before, Maintenance In-charge will have rights to following transactions
IW22, IW23, IW28, IW29, IW31, IW32, IW38 and IW39 but he will not have rights to
release the Maintenance order.

EXPLAINING WITH AN EXAMPLE:

Hence, considering the above situation, we will create a common Master role for all 4
Maintenance In-charges say ZMPM_MAIN_IN_CHARGE_ROLE (Here the role name
starts with ZMPM to make us understand that it is a Z Master Role
for Plant Maintenance ) with transaction mentioned above with all rights (with value *)
inside the transactions but only restricting release of Maintenance order with the help of
authorization objectI_VORG_ORD and removing value: BFRE and field: BETRVORG but
with all any organizational level (sayplant) assignment.
Now based on this Master Role we have to create derived Roles for all 4 Maintenance Incharges individually say for first Maintenance In-Charge we create a derived
role ZDPM_MAIN_IN_CHARGE_ROLE_MI1referring the above Master
Role ZMPM_MAIN_IN_CHARGE_ROLE. This will copy all the transactions and
authorization objects from Master Role but will not copy the organizational level
assignments which we have assigned in Master Role. Hence, we need to maintain the
organizational level for the derived role (say PlantP1).
Here once we save (& Generate) the Master as well as Derived Role we can assign this
role to the User ID for the particular Maintenance In-charge.