Important Authorization Objects
SAP delivers ECC 6.0 with more than 3000 authorization objects. Remembering even a tiny fraction of the total number is a daunting task. SAP help provides adequate documentation on the fields and use of most, if not all, the delivered objects. So instead of repeating existing information here, I would just mention a few of the existing authorization objects and their applications.
- Tables – Security for tables is controlled through three authorization objects: S_TABU_DIS (based on the table authorization group), S_TABU_CLI (security for client-independent tables) and S_TABU_LIN (row-level access to tables).
- Reports – Reports/Executable programs (Executable programs are just one of many different types of programs) can be protected through S_PROGRAM. S_PROGRAM checks if the executing user has access to the program authorization group maintained as a program attribute.
- Background Jobs – The basic object is S_BTCH_JOB. To administer jobs created by other users, users would also need S_BTCH_ADM. Scheduling jobs that run with the access of another user requires S_BTCH_NAM.
- Spools – S_ADMI_FCD, S_SPO_ACT, S_SPO_DEV and S_SPO_PAGE. S_SPO_ACT can be used to give access to spools with specific authorization values. S_ADMI_FCD, in addition to spools, controls access to a lot of system administration/Basis functions.
- User/Roles – A number of authorization objects such as S_USER_AGR, S_USER_AUT, S_USER_GRP, S_USER_OBJ, S_USER_PRO and S_USER_SAS. You can segregate the access for role administration from that of user administration by use of these objects.
- BDC Sessions – S_BDC_MONI. Batch sessions are one of the possible ways of loading data into SAP. Sessions are monitored through the SM35 transaction. S_BDC_MONI allows security on session names and the possible activities (process, lock, delete) on sessions.
- ABAP Workbench – Access to ABAP development objects is controlled through S_DEVELOP. Controls are possible on object type, object name, activity and packages.
You might have noticed that all the above authorization objects begin with S, as they deal with System Administration. I have purposely not included authorizations belonging to the individual application components like MM, FICO, SD or HR, as a discussion of these does not make sense without discussing the applications themselves. So, we keep these for a later post.
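The segregation of role administration from user administration mentioned under User/Roles can be checked from an export of role authorization values. The following is an added example, not code from the original post: the CSV layout, role names, user names and the grouping of objects into "role administration" and "user administration" are assumptions made for illustration, and only single activity values or `*` are handled.

```python
import csv, io
from collections import defaultdict

# Constructed sample export: one row per role / object / field / value.
SAMPLE = """role,object,field,value
Z_HELPDESK,S_USER_GRP,ACTVT,03
Z_HELPDESK,S_USER_GRP,ACTVT,05
Z_ROLE_BUILD,S_USER_AGR,ACTVT,01
Z_ROLE_BUILD,S_USER_AGR,ACTVT,02
Z_ROLE_BUILD,S_USER_GRP,ACTVT,03
Z_SUPER,S_USER_AGR,ACTVT,*
Z_SUPER,S_USER_GRP,ACTVT,02
Z_AUDIT,S_USER_AGR,ACTVT,03
Z_AUDIT,S_USER_PRO,ACTVT,03
"""
# Constructed user-to-role assignments.
ASSIGNMENTS = {"ALICE": ["Z_HELPDESK"], "BOB": ["Z_HELPDESK", "Z_ROLE_BUILD"],
               "CAROL": ["Z_SUPER"], "DAVE": ["Z_AUDIT"]}

ROLE_ADMIN = {"S_USER_AGR", "S_USER_AUT", "S_USER_PRO"}  # assumed grouping
USER_ADMIN = {"S_USER_GRP"}                              # assumed grouping
DISPLAY_ONLY = {"03"}                                    # activity 03 = display

def load(text):
    """Return {role: {object: set of ACTVT values}} from the export."""
    perms = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        if row["field"].strip().upper() == "ACTVT":
            obj = row["object"].strip().upper()
            perms[row["role"].strip()][obj].add(row["value"].strip())
    return perms

def can_maintain(objs, group):
    """True if any object in the group carries more than display access."""
    return any(objs.get(o, set()) - DISPLAY_ONLY for o in group)

def conflicting(objs):
    return can_maintain(objs, ROLE_ADMIN) and can_maintain(objs, USER_ADMIN)

def role_conflicts(perms):
    """Single roles that combine role maintenance and user maintenance."""
    return sorted(r for r, objs in perms.items() if conflicting(objs))

def user_conflicts(perms, assignments):
    """Users whose combined roles break the segregation."""
    hits = []
    for user, roles in assignments.items():
        merged = defaultdict(set)
        for role in roles:
            for obj, acts in perms.get(role, {}).items():
                merged[obj] |= acts
        if conflicting(merged):
            hits.append(user)
    return sorted(hits)
```

The user-level check matters because two roles that are each clean on their own can still give one user both kinds of access.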
Just Great.
what about S_TABU_NAM
Sure. This is just a sprinkling about the different auth objects used.
Hi ANINDA
You have done a great job. I have one question: what is the main difference between s_tabu_dis and s_tabu_nam?
There are other posts in this site which talk about the differences. Do search for them. Thanks.
hi aninda
Can you list out what can be critical objects for an end user to have from a security point of view?
The below list is fie:
1 – S_USER_GRP
2 – S_ADMI_FCD
3 – S_BTCH_ADM
4 – S_BTCH_JOB
5 – S_BTCH_NAM
6 – S_DATASET
7 – S_TABU_DIS
The below should have only display access:
S_USER_AGR
S_USER_AUT
S_USER_GRP
S_USER_PRO
Thanks
Hello,
Could you please list out important objects for role designing for the below?
ABAP
BASIS
Regards,
Pravin A
For ABAP, the most important object is S_DEVELOP. For Basis, there are multiple different objects which secure different parts of the system. The best option imho is to check for the various objects under the various object classes and then take a call on which ones you need. It is also possible to use the SAP-provided roles as templates when creating new roles.