Why the authorization concept matters
The SAP authorization concept is the foundation of every access control conversation. SOX testing is built on it, SoD analysis depends on it, and privileged access management is interpreted through it. Without a clear reference model of authorization objects, profiles, single roles, and composite roles, the organization cannot answer the most common audit question: why does this user have this access? The reference model is the answer.
This article documents the reference model that explains how user transactions resolve to authorization checks, the role construction patterns that produce maintainable access, and the operating discipline that keeps the authorization estate audit defensible. Reference the SAP security audit pillar, the compliance framework pillar, and the authorization audit expertise.
Authorization objects, fields, and values
An authorization object is the technical unit that protects an SAP function. Each object defines one or more fields, for example BUKRS (company code) and ACTVT (activity) on F_BKPF_BUK. An authorization is an instance of the object in which every field carries one or more values, value ranges, or wildcards, and the profile generated for a role is a set of such authorizations. When a user executes a transaction, the transaction start first checks S_TCODE for the transaction code, and the program code then calls AUTHORITY-CHECK against the relevant authorization object with the values it requires. The check passes only if the user holds an authorization for that object in which every requested field matches at the same time; a match for one field in one authorization and for another field in a different authorization does not pass. The pattern is consistent across the SAP estate and applies in S/4HANA exactly as in ECC.
The customer position is to know which authorization objects protect the customer specific transactions and to maintain field value discipline at the role design level. Reference the authorization audit guide paper, the role design analysis, and the critical authorizations analysis.
Single roles, composite roles, and derived roles
A single role is the role construction unit that contains a specific menu of transactions, the authorization object values the menu requires, and the profile that is generated from those values. A composite role is a container that bundles multiple single roles into a position-aligned package; it carries no authorization data of its own. A derived role is a single role that inherits its menu and authorization data from a master role and carries only the organizational-level field values (company code, plant, sales organization, and similar) that the master leaves open. The three constructs together support the role architecture that scales across thousands of users.
The customer position is to use derived roles for organizational separation, single roles for functional separation, and composite roles for position alignment. Reference the role design analysis, the GRC implementation analysis, and the SoD conflicts analysis.
In a typical Fortune 500 estate, derived role architecture reduces the number of independently maintained role definitions from 1500 to 2500 single roles down to 200 to 400 master roles. The derived roles still exist, but they carry only organizational-level values and are regenerated from the master on every change, which directly improves maintainability and audit defensibility.
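The following Python model, added here as an illustration and not taken from the page or from SAP, ties the two preceding sections together: it builds derived roles from a master by filling the open organizational-level field, resolves a user through composite and single roles to authorization instances, and applies AUTHORITY-CHECK semantics, including the point that every requested field must match within one authorization instance. The object and field names (S_TCODE/TCD, F_BKPF_BUK/BUKRS+ACTVT) are real SAP names; the roles, users, values, the `$BUKRS` placeholder convention and the restriction of org levels to BUKRS are constructed sample data and simplifying assumptions.

```python
"""Toy model of the SAP authorization concept: objects with fields, master and
derived single roles, composite roles, and an AUTHORITY-CHECK-style resolver.
Added illustration, not SAP code. Object and field names are real SAP ones
(S_TCODE/TCD, F_BKPF_BUK/BUKRS+ACTVT); every role, user and value below is
constructed sample data."""
from dataclasses import dataclass

ORG_LEVELS = {"BUKRS"}  # org-level fields a derived role fills (assumption: subset of the real list)

@dataclass
class Authorization:
    """One authorization instance: a complete set of field values for one object.
    Value patterns: '*' matches anything, a trailing '*' is a prefix match,
    'LO-HI' is an inclusive range, anything else must match exactly."""
    obj: str
    values: dict  # field name -> tuple of value patterns

@dataclass
class SingleRole:
    name: str
    menu: tuple   # transactions in the role menu
    auths: tuple  # Authorization instances the generated profile carries

def value_matches(pattern: str, value: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return lo <= value <= hi
    return pattern == value

def derive_role(master: SingleRole, name: str, org_values: dict) -> SingleRole:
    """Derived role: the master's menu and authorization data, with each org-level
    field (left open in the master as '$BUKRS', the way PFCG shows it) replaced
    by the derived role's own values."""
    auths = []
    for a in master.auths:
        vals = {}
        for fld, pats in a.values.items():
            if fld in ORG_LEVELS:
                if pats != ("$" + fld,):
                    raise ValueError(f"{master.name}: org level {fld} must stay open in the master")
                vals[fld] = tuple(org_values[fld])
            else:
                vals[fld] = pats
        auths.append(Authorization(a.obj, vals))
    return SingleRole(name, master.menu, tuple(auths))

def authority_check(auths, obj: str, **required) -> bool:
    """AUTHORITY-CHECK semantics: pass only if ONE authorization instance for the
    object satisfies every requested field at once. BUKRS matching in one
    instance and ACTVT in another is a failure, not a pass."""
    for a in auths:
        if a.obj != obj:
            continue
        if all(any(value_matches(p, v) for p in a.values.get(f, ()))
               for f, v in required.items()):
            return True
    return False

# Constructed sample estate: two master roles, three derived roles, two composites.
MASTER_DISPLAY = SingleRole("Z_FI_DOC_DISPLAY_M", ("FB03",), (
    Authorization("S_TCODE", {"TCD": ("FB03",)}),
    Authorization("F_BKPF_BUK", {"BUKRS": ("$BUKRS",), "ACTVT": ("03",)}),
))
MASTER_CHANGE = SingleRole("Z_FI_DOC_CHANGE_M", ("FB02",), (
    Authorization("S_TCODE", {"TCD": ("FB02",)}),
    Authorization("F_BKPF_BUK", {"BUKRS": ("$BUKRS",), "ACTVT": ("02",)}),
))
SINGLE_ROLES = {r.name: r for r in (
    derive_role(MASTER_DISPLAY, "Z_FI_DOC_DISPLAY_1000", {"BUKRS": ("1000",)}),
    derive_role(MASTER_DISPLAY, "Z_FI_DOC_DISPLAY_3XXX", {"BUKRS": ("3000-3999",)}),
    derive_role(MASTER_CHANGE, "Z_FI_DOC_CHANGE_2000", {"BUKRS": ("2000",)}),
)}
COMPOSITE_ROLES = {  # position-aligned bundles of single roles, no own authorizations
    "ZC_AP_CLERK_1000": ("Z_FI_DOC_DISPLAY_1000",),
    "ZC_AP_LEAD_2000": ("Z_FI_DOC_DISPLAY_1000", "Z_FI_DOC_CHANGE_2000", "Z_FI_DOC_DISPLAY_3XXX"),
}
USERS = {"CLERK1": ("ZC_AP_CLERK_1000",), "LEAD2": ("ZC_AP_LEAD_2000",)}

def user_authorizations(user: str) -> list:
    """Resolve user -> composite roles -> single roles -> authorization instances."""
    auths = []
    for comp in USERS[user]:
        for single in COMPOSITE_ROLES[comp]:
            auths.extend(SINGLE_ROLES[single].auths)
    return auths

def can_run(user: str, tcode: str, obj: str, **required) -> bool:
    """Transaction start checks S_TCODE first; the program then checks its own object."""
    auths = user_authorizations(user)
    return (authority_check(auths, "S_TCODE", TCD=tcode)
            and authority_check(auths, obj, **required))
```

The instructive case is `can_run("LEAD2", "FB02", "F_BKPF_BUK", BUKRS="1000", ACTVT="02")`: LEAD2 holds BUKRS 1000 (display only) and ACTVT 02 (company code 2000 only) in two separate derived roles, and the check fails because no single authorization instance carries both. That is exactly the organizational separation the derived role pattern is meant to deliver, and it is the detail an auditor tracing "why does this user have this access" has to see at the instance level rather than at the role-name level.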
Profile generation and SU24 maintenance
Profile generation is the technical process by which the Profile Generator, transaction PFCG, converts the menu of transactions assigned to a single role into the authorization object values the menu requires. The conversion uses the customer proposal tables USOBT_C and USOBX_C, maintained through transaction SU24, which record for each transaction the authorization objects its program checks (the check indicator) and the default field values PFCG should propose. SU24 maintenance is the technical discipline of keeping those customer tables aligned to the SAP delivered defaults in USOBT and USOBX, normally through the SU25 comparison after an upgrade or support package, plus the documented customer specific overrides. Without maintained SU24 data, profile generation produces under authorized roles (objects the program checks but PFCG never proposes, so the user fails at runtime) or over authorized roles (proposals wider than the transaction needs, or values widened by hand in SU24 and then inherited by every role that uses the transaction).
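The following Python model, added here as an illustration and not taken from the page or from SAP, shows the two failure modes the paragraph describes. It generates a role profile from a menu using a customer proposal table, lists the objects a transaction will check at runtime that the generated profile does not carry (the under authorized case), and runs an SU25-style comparison that surfaces both a proposal missing from the customer copy and a customer override that is wider than the SAP default (the over authorized case). The table names, the three check indicators and the object names are real; the rows themselves are constructed sample data and not the shipped SU24 content, the analysis is object-level only, and the rule that the customer copy can switch any check off is a simplification.

```python
"""Toy model of PFCG profile generation driven by SU24 proposals, plus an
SU25-style comparison of SAP defaults against the customer copy.
Added illustration, not SAP code. Table names (USOBT/USOBX for SAP defaults,
USOBT_C/USOBX_C for the customer copy) and the check indicators are real;
the rows below are constructed and are not the shipped SU24 content."""

CHECK_MAINTAIN = "Check/Maintain"  # checked at runtime, proposed by PFCG with default values
CHECK = "Check"                    # checked at runtime, not proposed: must be added by hand
NO_CHECK = "No check"              # check switched off for this transaction

# (tcode, object) -> (check indicator, {field: proposed values}), USOBX/USOBT style.
SAP_DEFAULTS = {
    ("FB03", "F_BKPF_BUK"): (CHECK_MAINTAIN, {"BUKRS": ("$BUKRS",), "ACTVT": ("03",)}),
    ("FB02", "F_BKPF_BUK"): (CHECK_MAINTAIN, {"BUKRS": ("$BUKRS",), "ACTVT": ("02",)}),
    ("FB02", "F_BKPF_KOA"): (CHECK, {}),
    ("FB02", "F_BKPF_GSB"): (CHECK_MAINTAIN, {"GSBER": ("$GSBER",), "ACTVT": ("02",)}),  # new this release
}
# Customer copy taken before the upgrade and never realigned; FB03's ACTVT was
# also widened to '*' as a customer override. Constructed sample data.
CUSTOMER = {
    ("FB03", "F_BKPF_BUK"): (CHECK_MAINTAIN, {"BUKRS": ("$BUKRS",), "ACTVT": ("*",)}),
    ("FB02", "F_BKPF_BUK"): (CHECK_MAINTAIN, {"BUKRS": ("$BUKRS",), "ACTVT": ("02",)}),
    ("FB02", "F_BKPF_KOA"): (CHECK, {}),
}
MENU = ("FB02", "FB03")

def generate_profile(menu, table):
    """PFCG step: one S_TCODE authorization for the menu, plus every Check/Maintain
    proposal for a menu transaction. Check-only entries are never proposed."""
    auths = [("S_TCODE", {"TCD": tuple(menu)})]
    for key in sorted(table):
        tcode, obj = key
        indicator, values = table[key]
        if tcode in menu and indicator == CHECK_MAINTAIN and (obj, values) not in auths:
            auths.append((obj, values))
    return auths

def runtime_objects(tcode, sap_table, customer_table):
    """Objects the program behind tcode checks at runtime: everything SAP lists for
    it except No check entries. Assumption: a No check in the customer copy
    switches the check off for any object (real SAP exempts some objects)."""
    checked = set()
    for (t, obj), (indicator, _) in sap_table.items():
        if t != tcode or indicator == NO_CHECK:
            continue
        if customer_table.get((t, obj), (None, None))[0] == NO_CHECK:
            continue
        checked.add(obj)
    return checked

def under_authorized(menu, profile, sap_table, customer_table):
    """Object-level gaps: checked at runtime but absent from the generated profile."""
    have = {obj for obj, _ in profile}
    gaps = {}
    for tcode in menu:
        missing = sorted(runtime_objects(tcode, sap_table, customer_table) - have)
        if missing:
            gaps[tcode] = missing
    return gaps

def su25_drift(sap_table, customer_table):
    """SU25-style comparison: entries where SAP defaults and the customer copy disagree."""
    drift = {}
    for key, sap in sap_table.items():
        cust = customer_table.get(key)
        if cust is None:
            drift[key] = "missing from customer table"
        elif cust != sap:
            drift[key] = "customer override differs from SAP default"
    return drift
```

On this data `under_authorized(MENU, generate_profile(MENU, CUSTOMER), SAP_DEFAULTS, CUSTOMER)` reports two gaps for FB02: F_BKPF_GSB, which the stale customer copy does not know about, and F_BKPF_KOA, which is checked but carries no proposal and so has to be added to the role by hand. `su25_drift` flags the same missing row and the FB03 override whose ACTVT `*` is wider than the shipped `03`; copying the missing row into the customer table closes the GSB gap but, correctly, leaves the KOA gap for the role builder.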
The detail is in our user counting methodology (cross cluster reference), the user access review analysis, and the role design analysis. The authorization audit expertise documents the full senior advisor methodology.
Operating discipline that keeps the estate audit defensible
The operating discipline that keeps the SAP authorization estate audit defensible has four anchors. First, the SU24 maintenance discipline that realigns the customer proposal tables to changes in the SAP delivered defaults after every upgrade or support package. Second, the role naming convention discipline that allows the auditor to identify role purpose, and for derived roles the organizational unit, from the role name. Third, the role review discipline that re-examines each single role on a defined cycle. Fourth, the change management discipline that captures every role change in the transport system with documented approval, so that the production estate never diverges from what was approved.
The implementation detail is in our license audit pillar (cross cluster reference), the firefighter ID analysis, the security notes patch analysis, and the critical authorizations analysis. The authorization audit guide paper documents the full discipline framework.
Authorization architecture that scales and survives audit
- The authorization concept rests on objects, fields, values, single roles, composite roles, and derived roles
- AUTHORITY-CHECK is the consistent pattern across the SAP estate including S/4HANA
- Derived roles reduce the independently maintained role count from 1500 to 2500 down to 200 to 400 master roles in a typical Fortune 500 estate
- SU24 customer table (USOBT_C and USOBX_C) maintenance is the technical foundation that drives correct profile generation
- Four operating disciplines keep the estate defensible: SU24, naming convention, role review, change management
- The customer position is to know which authorization objects protect the customer specific transactions