SAP Authorization Objects

Managing and configuring SAP authorization objects is no easy task. Yet, proper handling of these objects is essential for a robust security framework within your SAP system. As key building blocks, they precisely control user access to specific functions and data.

Whether you’re an SAP administrator, a security expert, or simply curious about the intricacies of SAP access control, this article offers a comprehensive overview of SAP authorization objects, how to manage them, and how Xiting can support you.

What are SAP Authorization Objects?

SAP authorization objects are core components of the SAP authorization concept. They control user access to specific functions and data within the SAP system. Each object consists of one or more authorization fields that define specific values or ranges. The combination of these fields determines what actions a user is allowed to perform.

Example: The authorization object F_BKPF_BUK controls access to accounting documents. It includes fields like BUKRS (company code) and ACTVT (activity), which together define which company codes a user can work with and what specific actions (e.g., display, change, delete) they are permitted to perform.

How to manage Authorization Objects in SAP

Managing authorization objects is critical to keeping your SAP system secure and efficient. The following five aspects cover the majority of what you need to know:

Maintain Authorization Objects

When maintaining SAP authorization objects, proceed with extreme caution. Modifying existing objects – especially adding or removing fields – can have unintended consequences across the system.

Use transaction SU21 to maintain authorization objects. This transaction allows you to search for and edit existing objects.

Display Authorization Objects

Regularly reviewing current settings and authorization fields is essential. If you’re troubleshooting issues in a live SAP system, the “Display” function is especially helpful. Documentation and field definitions should be reviewed periodically.

Use transaction SU21 to display authorization objects. After launching the transaction, search for the desired object and view its details.

Create Authorization Objects

Sometimes, new authorization objects are needed – especially when existing ones don’t meet new business requirements.

To create a new SAP authorization object, follow these five steps:

1. Launch transaction SU21 to access the authorization object management screen.

2. Create a new object by selecting “Create Authorization Object.”

3. Enter header data: Assign a unique name and description. Define the object class and package.

4. Define authorization fields that will control access.

5. Save and activate the object for use in the system.

Modify Authorization Objects

Avoid modifying standard SAP authorization objects. Doing so can introduce system-wide risks. These objects are stable and designed for long-term use.

If changes to access rights are necessary, consider adjusting custom Z-objects instead. Always proceed with caution to preserve system integrity.

Delete

Standard SAP authorization objects are not truly deleted. Instead, they are moved to the object class AAAA (obsolete authorization objects) when no longer needed.

However, custom Y* or Z* authorization objects can be deleted entirely. Before doing so, ensure that deletion will not impact existing authorizations or cause system issues.

Common SAP Authorization Objects at a Glance

Here are some frequently used SAP authorization objects:

Authorization Object   Description
S_TCODE                Controls access to transactions
P_ORGIN                Controls access to HR master data
S_RFC                  Authorization check for RFC access
S_TABU_NAM             Table maintenance via standard tools (e.g., SM30)
S_PROGRAM              ABAP: Program execution checks
S_USER_AGR             Authorization: Role checks
S_USER_AUT             User master maintenance: Authorizations

Optimize SAP Controlling with Xiting

A structured approach to managing authorization objects is essential for keeping your SAP system secure and efficient. Xiting is your ideal partner for optimizing SAP Controlling.

Our proprietary solutions – like the Xiting Authorizations Management Suite (XAMS) – help simplify the complexities of SAP system maintenance. Our experts are always available to provide guidance and support.

Authorization Management in Controlling - Download

Authorization management in Controlling can be complex. That’s why we regularly offer workshops on topics like this. We’re pleased to offer you a free presentation that provides insight into our consulting approach and proprietary tools:

If you have questions about the presentation or would like to explore a partnership with Xiting, feel free to contact us – no strings attached!

FAQ

How can I check a user's authorizations in SAP?

You can check a user’s authorizations using transaction SUIM. Under the “User” section, you can run various reports to view the roles and authorizations assigned to a user. Transaction SU53 is also helpful for analyzing authorization errors.

The following transactions are commonly used for managing SAP authorization objects:

  • SU21 – Display, create, and maintain authorization objects
  • SU24 – Maintain proposed values for authorization checks
  • PFCG – Role maintenance and authorization assignment
  • SUIM – Evaluate user authorizations
  • SU53 – Analyze authorization errors

AUTHORITY-CHECK is an ABAP statement used to verify whether a user has the required authorizations to perform a specific action. The system compares the user’s current authorizations with the required authorization object. If the check fails, the user receives an error message.
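The following ABAP report shows how the F_BKPF_BUK object from the example at the start of this article is checked in program code with AUTHORITY-CHECK, and what a program has to do with the result. It is an added example, not code from this article, from Xiting or from SAP: the object F_BKPF_BUK and its fields BUKRS and ACTVT are taken from the article, while the report name, the parameters, their default values and the message texts are assumptions made for the illustration.

```abap
REPORT z_xt_demo_f_bkpf_buk.
" Added example, not code from the article or from Xiting/SAP.
" Object F_BKPF_BUK and its fields BUKRS and ACTVT are taken from the
" article; the report name, parameters, default values and message
" texts are assumptions made for this illustration.

PARAMETERS:
  p_bukrs TYPE bukrs      DEFAULT '1000',  " company code to test (constructed value)
  p_actvt TYPE activ_auth DEFAULT '03'.    " activity: 03 = display, 02 = change

START-OF-SELECTION.
  PERFORM check_document_access USING p_bukrs p_actvt.

" Wraps the authorization check so that every caller gets the same handling.
FORM check_document_access USING iv_bukrs TYPE bukrs
                                 iv_actvt TYPE activ_auth.

  " AUTHORITY-CHECK compares the listed field values with the user's
  " authorizations for F_BKPF_BUK. It succeeds only if a single
  " authorization covers ALL listed fields at once (e.g. BUKRS 1000 with
  " ACTVT 02); values spread over two different authorizations are never
  " combined. The field values stored in the authorization may be single
  " values, intervals or patterns such as '*'; the kernel evaluates them.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD iv_bukrs
    ID 'ACTVT' FIELD iv_actvt.

  " The statement never aborts the program by itself: it only sets
  " sy-subrc. A check whose result is not evaluated protects nothing,
  " which is the first thing to look for when reviewing custom code.
  CASE sy-subrc.
    WHEN 0.
      " Authorized: continue with the business logic.
      WRITE: / 'Authorized:', iv_bukrs, 'activity', iv_actvt.
    WHEN 4.
      " No matching authorization. A type E message ends the processing;
      " transaction SU53 then shows the failed object and field values.
      MESSAGE 'No authorization for this company code and activity' TYPE 'E'.
    WHEN OTHERS.
      " Any other value signals a technical problem with the check itself
      " (for example an unknown object or field name); treat it as denied.
      MESSAGE 'Authorization check could not be executed' TYPE 'E'.
  ENDCASE.

ENDFORM.
```

Keeping the check in one subroutine means the sy-subrc handling cannot be forgotten at individual call sites, and treating every non-zero return code as a denial (rather than only 4) keeps a misconfigured or renamed object from silently granting access.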
