Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
Showing results for 
Search instead for 
Did you mean: 

Clarification on roles and authorisation

Active Participant
0 Kudos


Can anybody link all these terminlogies in logical manner



Authorisation groups

Authorisation objects




0 Kudos

Roles and profile are same. Profile is SAP way of naming.

Every role will have profile assigned to it. Otherwise when you create a role and generate it you will get a profile(number).

roles->list of tcodes-> Every tcode will have authorization object

Authorization object--> will have fields and values

Former Member
0 Kudos

Profiles used to be created manually: Authorization objects, which are checked in the code of programs / transactions, were manually added to profiles and the profiles were directly assigned to users.

This approach has a problem: How do you know which authorization objects are needed by which program / transaction? That is one reason why there are still so many SAP_ALL users.

Today, roles should be created by assigning transactions to the role via the SAP menu (see PFCG). The required authorization objects will then be automatically added (which objects are needed by which transaction is maintained in SU24). Technically, one or more profiles are "generated" for each role. Also, when assigning roles you explicitly also assign the generated profiles to the user master.

Generally: 1. Do not use SAP_ALL users in productive systems. Auditors do not like this. 2. Do not directly assign profiles to users. Always assign roles.

Check with below links :

check following links :

check the link..

Authorization Object Creation



Message was edited by:

Seshu Maramreddy

Former Member
0 Kudos

Assigning Authorizations


A single administrator (superuser) or a group of administrators assign authorizations, depending on the size and organization of your company. By assigning authorizations, the administrator determines (within the range of possibilities defined by the programmer) which functions a user may execute or which objects he or she may access.

Process Flow

As an administrator, you perform the following steps to assign authorizations:

Maintaining authorizations for each authorization object

An authorization is the combination of permissible values in each authorization field of an authorization object.

· Generating Authorization Profiles

Authorizations are grouped in authorization profiles in such a way that the profiles describe work centers, for example, flight reservation clerk.

We recommend that your system administrator automatically sets up authorization profiles using the Profile Generator (see Role Maintenance). If necessary, the administrator can also set up an authorization profile manually by choosing Tools ®Administration, User maintenance ® Profiles (see Creating and Maintaining Authorizations and Profiles Manually).

· Assigning authorization profiles to a user master record

By assigning the roles, you assign the corresponding authorization profiles (work centers) to a user master record.


When an authorization check takes place, the system compares the values entered by the administrator in the authorization profile with those required by the program for the user to execute a certain activity.