1. SAP MM Authorization Matrix and User Roles in SAP
SAP MM BY AMAN SAKSENA
aman.kr.saksena@gmail.com
+91-8375994808
2. Overview of SAP Roles
• Authorizations are especially useful for controlling access at the application
level. They control the various functions that a user can execute.
• Users can also be authorized to view, change, enter, and delete data. While
the underlying concept of authorization may seem trivial, numerous challenges
come into play during authorization implementations.
• Security compliance requirements, enterprise restrictions, and high costs often
deter organizations from implementing best practices in their security
architecture. However, at the end of the day, the importance of a secure access
control framework cannot be stressed enough.
• Roles and authorizations are what enable users to execute transactions in SAP
in a secure manner. (Error in SU53 T-Code)
3. P2P Cycle Involves a Variety of Users
• Supervisor
• Accountant
• Maintenance In-charge
• Head of the department
4. Need of Roles and Authorization
• Functional Consultants have many questions about this concept, and one of
the main ones is why Functional Consultants should worry about Roles and
Authorization when it is the job of the BASIS team.
• Roles and Authorizations allow users to access SAP standard as well as
custom transactions in a secure way. SAP provides a set of generic standard
roles for different modules and different scenarios.
5. Need of Roles and Authorization
• The BASIS team has the know-how for User Management (SU01/SU10),
Role Creation, Profile Creation, Role and Profile assignment (SAP ID),
Authorization assignments, etc., but the main concern in most cases arises
when the questions below cannot be answered by the BASIS team:
1. To whom to assign the roles or transactions
2. What to restrict in a transaction, and for whom
3. How to authorize custom transactions
• Hence, it becomes the role of a Functional Consultant to guide them with
the exact process flow and the exact organizational chart.
9. Roles
• Single roles can be derived from their respective organizational values into derived roles. From a technical
viewpoint, derived roles are also single roles that have inherited authorization characteristics from a separate
"master" role.
1. Single Roles - Single roles are derivable from their respective organizational values. Usually, when single roles are
discussed amongst professionals, the primary reference point is a job- or position-based role design. When
this is the case, all required authorizations for a user's job/position are contained in the single role. However,
there are examples where single role designs lack some or even all of a user's required authorizations. This is
typically the case when a basic authorization role includes transactions and authorizations that are uniform
for all users. Similarly, there will be users who possess extra privileges in their authorization permissions.
2. Derived Roles - There are a number of differences between single and derived roles. For starters, derived roles are
composed of a "master" role and additional "child" roles that each differ from the "master" and from each other
only in their organizational values. This approach does come with a number of limitations, however. For example, if
a user attempts to promote non-organizational fields to organizational fields, the user must ensure that the values
are the same within one role. To put it simply, it is not advisable to use different non-organizational fields in tandem
with derived roles, since the values across all the child roles will be the same as in the "master" role. As a result, all
objects will be affected.
3. Composite Roles - The most versatile role type in SAP is the composite role. Composite roles are a collection of
single roles that can be grouped into a common composite role menu. This versatility means that multiple single
roles can be assigned to a user indirectly, by assigning only the specific composite role that
contains the single roles. Composite roles are heavily leveraged by SAP customers because they drastically reduce
the number of single roles that are directly assigned to users. In a nutshell, a composite role can be thought of as
a package of single roles that can guide a task-level single role.
10. How to Define a Role
• The reason to define user-specific activity is to simplify the management of
Roles.
• We can also define user-defined roles based on the project scenario, keeping
the concept below in mind:
• There are basically three types of Roles:
1. Master Roles – With Transactions, Authorization Objects and all
organizational level management.
2. Derived Roles – With organizational level management, and Transactions and
Authorization Objects copied from the Master Role.
3. Composite Roles – With restrictions based on Org. structure or function.
11. Path of Role Authorization (BASIS Team)
• You can copy and adjust these default roles in Customizing under:
• SPRO -> SAP NetWeaver -> Application Server -> System Administration ->
Users and Authorizations -> Maintain Authorizations and Profiles
using Profile Generator -> Maintain Roles (T-Code: PFCG).
12. What are the components of a role?
• Transaction Codes
• Profile
• Authorization Objects
• Organization level
13. Components of Role
• Profile: Profiles are the objects that actually store the authorization data,
and Roles are the containers that hold the profile authorization data.
• Authorization Objects: Objects that define the relation between different
fields and also help in restricting/allowing the values of a particular
field (for example: authorization for LGORT, the storage location, in the BETA Plant).
• Authorization objects are actually defined in the programs that are executed
for a particular transaction. We can also create custom authorization
objects for a particular transaction (generally a custom transaction).
14. Components of Role
• Organization level: This defines the organizational elements
in SAP, for example: Company Code, Plant, Planning Plant, Purchase
organization, Sales organization, Work Centres, etc.
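The derived-role rule from slide 9 and the role components from slides 13 and 14 can be checked mechanically. The following is an added example, not part of the original slides and not SAP code: a simplified Python model in which the role names, the custom authorization object Z_MM_SLOC, the plant values and the choice of organizational-level fields are all assumptions made for illustration.

```python
from collections import defaultdict

ORG_LEVEL_FIELDS = {"BUKRS", "WERKS", "EKORG", "VKORG"}  # assumed org levels

# Constructed sample: (role, master role or None, auth object, field, value).
# ACTVT 01 = create, 03 = display; "$WERKS" stands for an unfilled org level.
ROWS = [
    ("Z_IM_MASTER", None, "Z_MM_SLOC", "ACTVT", "03"),
    ("Z_IM_MASTER", None, "Z_MM_SLOC", "LGORT", "*"),
    ("Z_IM_MASTER", None, "Z_MM_SLOC", "WERKS", "$WERKS"),
    ("Z_IM_ALPHA", "Z_IM_MASTER", "Z_MM_SLOC", "ACTVT", "03"),
    ("Z_IM_ALPHA", "Z_IM_MASTER", "Z_MM_SLOC", "LGORT", "*"),
    ("Z_IM_ALPHA", "Z_IM_MASTER", "Z_MM_SLOC", "WERKS", "ALPH"),
    ("Z_IM_BETA", "Z_IM_MASTER", "Z_MM_SLOC", "ACTVT", "01"),  # drift
    ("Z_IM_BETA", "Z_IM_MASTER", "Z_MM_SLOC", "ACTVT", "03"),
    ("Z_IM_BETA", "Z_IM_MASTER", "Z_MM_SLOC", "LGORT", "*"),
    ("Z_IM_BETA", "Z_IM_MASTER", "Z_MM_SLOC", "WERKS", "BETA"),
]

def field_values(rows, role, org_level):
    """Map (object, field) -> set of values for one role, org or non-org."""
    out = defaultdict(set)
    for r, _master, obj, field, value in rows:
        if r == role and (field in ORG_LEVEL_FIELDS) == org_level:
            out[(obj, field)].add(value)
    return dict(out)

def derived_role_drift(rows):
    """Derived roles whose non-organizational values differ from the master."""
    masters = {r: m for r, m, *_ in rows if m}
    findings = []
    for child, master in sorted(masters.items()):
        want = field_values(rows, master, org_level=False)
        have = field_values(rows, child, org_level=False)
        for key in sorted(set(want) | set(have)):
            if want.get(key, set()) != have.get(key, set()):
                extra = sorted(have.get(key, set()) - want.get(key, set()))
                missing = sorted(want.get(key, set()) - have.get(key, set()))
                findings.append((child, *key, extra, missing))
    return findings

def is_authorized(rows, role, obj, **required):
    """True if the role holds the object with every required field value."""
    held = {**field_values(rows, role, True), **field_values(rows, role, False)}
    return all(
        {"*", value} & held.get((obj, field), set())
        for field, value in required.items()
    )
```

Here `derived_role_drift(ROWS)` flags Z_IM_BETA for carrying an extra ACTVT value that its master does not have, which is the kind of difference a derived role should never show outside its organizational levels.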
15. Roles and Authorization Concept for Inventory Management
SAP_SR_BUYER_5 is mainly a purchasing-related role, but it contains MM-IM-related data, such as a goods
movement worklist.
16. Roles and Authorization Concept for Inventory Management
17. SAP MM Roles and auth. matrix
Thank you