Critical Basis Authorizations

Critical Basis Authorizations

SAP delivers ECC 6.0 with more than 3000 authorization objects. Below are the critical ones :-

Tables - Security for tables are controlled through three authorization objects, S_TABU_DIS (based on the table authorization group), S_TABU_CLI (security for client independent tables) and S_TABU_LIN (row level access to tables).

Reports - Reports/Executable programs (Executable programs are just one of many different types of programs) can be protected through S_PROGRAM. S_PROGRAM checks if the executing user has access to the program authorization group maintained as a program attribute.

Background Jobs - The basic object is S_BATCH_JOB. To administer jobs created by other users, users would also need S_BTCH_ADM. To schedule jobs with the access of another user would require S_BTCH_NAM.

Spools - S_ADMI_FCD, S_SPO_ACT, S_SPO_DEV and S_SPO_PAGE. S_SPO_ACT can be used to give access to spools with specific authorization values. S_ADMI_FCD in addition to spools controls access to a lot of system administration/Basis function.

User/Roles - A number of authorizations like S_USER_AGR, S_USER_AUT, S_USER_GRP, S_USER_OBJ, S_USER_PRO, S_USER_SAS. You can segregate the access for role admin with that of user admin by use of these objects.

BDC Sessions - S_BDC_MONI. Batch Sessions are one of the possible ways of loading data into SAP. Sessions are monitored through the SM35 transaction. S_BDC_MONI allows security on session names and the possible activites (process, lock, delete) on sessions.

ABAP Work Bench - Access to ABAP development objects is controlled through S_DEVELOP. Controls are possible on object type, object name, activity, packages.

You might have noticed that all the above authorization objects begin with S as they deal with System Administration.