Identity Management and SAP Users, Roles and Transactions – Part1

Share this post:

A question that is often asked in identity management discussions is “will your product show me what SAP Transactions my users have access to?”. SAP is built, historically, on transactions (from the R2 mainframe CICS heritage) so the question seems to make sense. The answer is both no and yes. But the problem is that this is the wrong question for many customers’ SAP environments. This article will explain why looking at the SAP identity and access model.

A subsequent article will look at how we can represent the SAP access a user has in the Access Risk Controls for SAP module in IBM Security Identity Governance and Intelligence.

Understanding the Relationship Between SAP Users, Roles and Transactions

To undertand why the opening question is wrong, we need to understand how SAP manages who has access to what. The following figure can be found in the SAP documentation and many articles on the web. It shows the relationships between user accounts (SAP Users), access groups (SAP Roles/Profiles) and permissions/resources (SAP Authorizations, Authorization objects, fields and values).

SAP Authorization Model

We can see that SAP Users are mapped to Roles and/or Profiles. These may be composite roles or single roles, or composite profiles or manual profiles. These Roles and Profiles (lets just call them Roles for simplicity) contain SAP Authorizations comprising Authorization Objects that may have up to ten Authorization Fields with values. An Authorization can be thought of as an access rule.

Where are the transactions? These are defined as Authorization Objects, normally as a transaction code or TCODE. A user is not mapped directly to a transaction (or any other Authorization Object) they are mapped to a Role this is in turn mapped to transactions and other authorization objects. Other authorization objects may be represented as data in a transaction, like a company code.

So, we should be able to unpack the Role <-> Authorization mapping to understand what transactions a user has, right? Technically yes, we could do that. The problem is that may give a view that doesn’t represent the correct access for the user.

Understanding SAP Authorizations

This is because of the Authorization Fields and Values that can be associated with an Authorization Object (like a transaction) represent a scoping of that access. SAP may be setup to allow users in a role to run a transaction but only against the objects relating to a specific company, or only in read-only mode.

For example, have a look at the authorizations defined for a role.

SAP Authzns for a Role

This role, T016-ROLE1FB02, is allowing members of that role to access three SAP transactions; FB01, FB02, and FB03. However the way the SAP authorization model works, there is scoping applied to the access to these transactions. The Activity (ACTVT), Controlling Area (KOKRS) and Valuation View (VALUTY) fields provide that scoping. For example, the activity values of 02 (Change) and 03 (Display) mean that these three transactions can be run in read and write mode.

This is a simple example; many customer SAP environments will have far more complex authorization definitions with many fields and values applied to transactions.

Another level of complexity is that transaction codes (and other values) can have wildcards, so a role may cover a set of transactions and that set may change over time as SAP changes (but not be visible as a static list of transactions on a role). I may define a role to cover transactions FB** and at the time the authorizations were defined, the list of transactions covered by FB** is know, but over time other FB transactions are added that may change what the role represents.

So, back to our question… can we show transactions that a user can access. Yes, we could, by unpacking the authorizations associated with a role to find the transaction codes for that role and the roles mapped to the user. Does this make sense? Only when a SAP deployment is so trivial that there is no further scoping of transaction access. For example if a role gave users access to a set of transactions but there was no further limitation to what a user could do with those transactions, then knowing the transactions for a user would make sense and give a complete picture of what the user can do in SAP.

But, if there is any scoping of access or objects in a transaction (or wildcarding of transactions), then saying John Smith can access FB01, FB02 and FB03 does not tell the complete story as he may not be able to make and changes to data in those transactions or may only be able it run the transactions for a very small part of his company. In this case, presenting a list of transactions for a user is dangerous as it gives an incomplete picture of what the user can do in SAP.

In the next part of this article, we will look at how we can truly represent what a user can do in SAP using the Access Risk Controls for SAP module in IBM Security Identity Governance and Intelligence.

Click here to rate this article

Rate this article :

More Articles stories
By Gerard Boekhoud on July 24, 2019

IF001 for IGI now available

On July 19, 2019 we made  IF001 on top of IGI publicly available on FixCentral. This iFix include some strong performance improvements especially within the Access Certification module. Improvements are made in the following areas: a. Time to launch Campaign Summary Page (Especially in the event of a high number of campaigns). This improves by […]

Continue reading

By Martin Schmidt on July 11, 2019

Modernizing your B2C Portal Security – LDAP Proxy Deep Dive

In this part of our series we are taking a deeper look on how the LDAP reverse proxy works and what is needed to be done to make it work. Enable CI In this part we look at what needs to be done on the CI side and what information needs to be collected. We […]

Continue reading

By Martin Schmidt on May 4, 2019

Modernizing your B2C Portal Security – Desired End State

Proposition: As we have seen in part one of this series, managing customer identities for a portal can be a challenge and distraction for the business.  In this part of the series we will outline how a modernized solution for a portal security can simplify operations and free your team up to focus on the […]

Continue reading