Difference between Role, Authorization Object/s, and Profile

As a functional consultant, you may wonder what a role is and how it differs from an authorization object and a profile. While the Security team is primarily responsible for assigning a user the necessary Role, the Functional Consultant must also provide input on the necessary Transactions, the restrictions inside a Transaction, and how these restrictions should change based on the user.

Let's define a user to start off this blog. Simply put, we can only log in with a username and password if our user has already been created in the system. To create a user in SAP, use transaction code SU01. Users may be created, changed, deleted, locked, unlocked, and copied to make new ones using this Tr. Code. Usually, there are requirements before a user may be created in a project. By completing the access form and entering all the necessary information, the user or the concerned management first requests the creation of a user. This is followed by one or more steps of approval, and then the Security team creates the user.

Tr. Code: SU01 (User creation)

The security consultant fills out all of the required fields in this section's tabs before saving it to create a user.

Once a user has been created and shared with the appropriate Functional Consultant (user), he or she should be able to access the system using their login information. A user must be given the necessary Roles in order for him to carry out all the tasks that are expected of him. These Roles will produce a Profile, which contains Authorization Objects in turn.

So, what exactly are a role and a profile? What distinguishes roles from profiles? How does a Role become a Profile? Which authorization objects will provide the user with the required authorizations? Are they connected to the Profile? What about the Tr. Code, and how does it fit in?

You will understand all of these things by the end of this blog, starting with the Role.

Role:

Roles are the means by which users are granted authorizations. For instance, the person in the image below can only access the tables in SAP since he has been given a role relating to table display. He won't be able to create another user for his colleague using the Tr. Code SU01 since he would lack the necessary authorizations.

The Profile is automatically assigned once the user's Roles are allocated. Let's first define authorization before examining what a profile is and how they are related to one another.

Authorization

Authorizations are represented by Authorization Objects.

The Object Class indicates the area to which the Authorization Objects belong.

An Authorization Object is made up of a set of up to 10 Authorization Fields.

The Tr. Code where all of the Authorization Objects are visible is SU21. You can see a number of object classes that make up a region or domain in the illustration below. There are a certain number of Authorization Objects within each Object Class. For illustration, let's enlarge the Object Class Transportation Management Solution.

When one of the Authorization Objects, T_TR_FWO, is clicked again, all of the Authorization Fields within the Authorization Object are shown.

You should be able to view all the Authorization Fields as well as the types of Authorizations for each Field by selecting Display Object Documentation at the bottom. To be more explicit, the Forwarding Order Type(s) can be given in the first Field TM FWOTYPE, and the Type(s) of Authorizations, such as 01-Create, 02-Update, 01-Display/read, and so on, are described in the Field ACTVT. The user is permitted to operate on all types of forwarding orders if the Field TM FWOTYPE is left empty, subject of course to the entries in the Field ACTVT.

Now that you are aware of what an authorization object is, let's try to understand how they relate to Tr. Codes.

The Tr. Code SU24 shows the necessary authorization objects for any Tr. Code.

Tr. Code: SU24 (Authorization Objects for a Tr. Code)

By excluding the field Default Status "Yes," for instance, you may view the Authorization Objects for the Transaction BP.

As was said before, by choosing any Authorization Object, you ought to be able to view the relevant Authorization Fields in the Tr. Code SU21. You may examine the Authorization Fields and permissible values, for instance, for the Authorization Object B_BUPA_RLT.

You now understand what Authorization Objects are and how they relate to Tr. Codes.

The Role is made up of the associated Authorization Objects and Tr. Codes. To understand this better, suppose the user needs access to the following Tr. Codes.

Sales order creation – VA01

Change Sales Order – VA02

Display Sales Order – VA03

Role: Three Tr. Codes plus any relevant Authorization Objects.

Note: Tr. Codes and Authorization Objects must be issued to a user through a Role since they cannot be assigned to a user directly.

Next, let's try to understand what a Profile is before looking at the process of creating a role.

Profile:

Profiles are the objects that hold the authorization data. There are two types of profiles:

Standard

Generated

Generated Profiles cannot be assigned to a user directly; SAP, however, provides Standard Profiles that may be assigned to a user directly using SU01. Since the Standard Profile grants more access than the user needs, it is advised to create a Role and assign it to the users, who will then receive the Generated Profile. While creating a role, we will observe how a profile is built.

Creation of Role:

Tr. Code: PFCG

Type the role name in accordance with the applicable naming standard. To create a role, select Single Role.

Add the necessary information to the Description tab and save. Observe the changes upon saving.

The list of Tr. Codes is displayed on the Menu tab. Continue entering the necessary Tr. Codes for the Role by selecting Add Transaction from the menu below. The Menu tab turns green once all the necessary Tr. Codes have been inserted. Click the Switch On Technical Names tab next to the Print tab to display both the Technical Names and the Tr. Codes.

In the Authorizations tab, scroll down and click on Change Authorization Data.

The list of Authorization Objects associated with the Tr. Codes added under the Menu tab in the preceding step should now be visible.

Remember from part 2 that you may go to SU24, input the Tr. Code, and identify the appropriate Authorization Objects? This will allow you to confirm which Authorization Objects are associated with specific Tr. Codes. Let's verify the authorization objects for the Tr. Code SE38 in SU24, for instance, which is one of the two Tr. Codes we added to the Menu tab.

Tr. Code: SU24

Authorization Objects for the Tr. Code SE38

Similarly, we can verify for the other Tr. Code/s.

Drilling deeper on Authorization Objects will provide the required Authorization Fields and Values.

Authorization Fields with Authorizations

We now have the Role Description and Required Tr. Codes inserted, which resulted in the creation of the Authorization Objects with corresponding Authorization Fields and Values. You must select Generate Profile from the top menu next to the delete button in order to create a profile.

Note: The name of a generated profile always begins with the letter T. When you return once the Profile has been produced, you will see that the Authorization Tab's colour has changed from red to green. The profile text and name have both been modified.

At this stage, this is how it looks.

The next step is to assign the Role to the user. Tr. Code SU01 can be used to do this. The relevant Profile is also added to the user when the Role is added, and it can be seen under the Profile Tab. In the previous example, you can also add the user by selecting the User tab adjacent to the Authorizations tab and adding them there.
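The chain described in this post (Role, generated Profile, Authorization Objects with field values) can be modelled in a few lines. The following Python sketch is an added example, not part of the original blog and not SAP code. The role names, users, order types, the profile name STD_PROFILE_X and the use of the authorization object V_VBAK_AAT with fields AUART and ACTVT are assumptions made for illustration.

```python
# Simplified model of the Role -> generated Profile -> authorization check chain.
# Roles, users, order types and STD_PROFILE_X are constructed sample data;
# V_VBAK_AAT (fields AUART, ACTVT) is an assumption not named in the post.

ROLES = {
    # role: Tr. Codes from the Menu tab + authorizations (object, field values)
    "Z_ORDER_ENTRY": {
        "tcodes": {"VA01", "VA02", "VA03"},
        "auths": [("V_VBAK_AAT", {"AUART": {"ZOR1"}, "ACTVT": {"01", "02"}})],
    },
    "Z_ORDER_FIX": {
        "tcodes": {"VA02"},
        "auths": [("V_VBAK_AAT", {"AUART": {"ZOR2"}, "ACTVT": {"02"}})],
    },
}

USERS = {
    "CLERK1": {"roles": ["Z_ORDER_ENTRY", "Z_ORDER_FIX"], "direct_profiles": []},
    "ADMIN1": {"roles": ["Z_ORDER_FIX"], "direct_profiles": ["STD_PROFILE_X"]},
}


def generated_profile(role):
    """Stand-in for 'Generate Profile' in PFCG: the role's authorization data."""
    return list(ROLES[role]["auths"])


def effective_auths(user):
    """All authorizations a user receives through the profiles of their roles."""
    return [a for r in USERS[user]["roles"] for a in generated_profile(r)]


def may_start(user, tcode):
    """True if any assigned role carries the Tr. Code in its menu."""
    return any(tcode in ROLES[r]["tcodes"] for r in USERS[user]["roles"])


def authority_check(user, obj, **wanted):
    """Pass only if ONE authorization for obj covers every requested field value.
    Values from different authorizations are never combined."""
    return any(
        name == obj and all(v in fields.get(f, set()) for f, v in wanted.items())
        for name, fields in effective_auths(user)
    )


def users_with_direct_profiles():
    """Audit helper: users holding profiles assigned directly, not via a role."""
    return sorted(u for u, rec in USERS.items() if rec["direct_profiles"])
```

CLERK1 holds both roles, yet cannot create (ACTVT 01) an order of type ZOR2: the create activity and the ZOR2 order type sit in different authorizations, so the check fails. The audit helper lists users whose access comes from a directly assigned profile, the case the post advises against.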