Community
Enterprise Resource Planning Blog Posts by SAP
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Transitioning Projects from ACL to Object-Based Authorization (OBA)

aarti_malik
Associate
Associate
‎2025 Dec 10 5:25 PM
0 Likes
461

With the introduction of Object-Based Authorization (OBA) in SAP S/4HANA, organizations can manage project-level access with far greater precision and control. Whether your existing projects use Access Control Lists (ACL) or have no access control configured at all, SAP provides a clear path to transition them into the OBA framework along with all associated sub-elements.

For More details on OBA, refer to blog Introducing Object-Based Authorization (OBA) in SA... - SAP Community

ACls are not part of SAP’s strategic architecture going forward and we do not plan any further investments into ACLs. Below are some advantages of OBA :-

  • Improved performance (because of abandonment of org units and equal prioritization of local vs inherited and user and user group authorizations)
  • Enabled usage in modern ODATA and CDS view based architectures (because of abandonment of org units and equal prioritization of local vs inherited and user and user group authorizations)
  • Streamlined logic (inheritance in all cases, and equal prioritization of local vs inherited and user and user group authorizations) similar to modernized authorization concepts in PPM

This article provides a structured overview of the transition process and highlights the key differences between ACL and OBA to support a smooth transition.

1. Activate OBA in Project and Network Profiles

The first step is to enable Object-Based Authorization within the Project Profile and Network Profile settings. Once OBA is activated:

  • The ACL section becomes disabled (greyed out) and can no longer be edited.
  • The change is irreversible; a profile cannot revert from OBA back to ACL.

This ensures that all future access control for the project is handled exclusively using the OBA framework.

2. Run the Transition Report

Next, execute the report RPSOBA_MIGRATE to transition  all relevant projects from ACL to OBA authorization concept. After successful execution, each project will be updated with the following default authorization assignments:

  • The User Group defined in the Project Profile is assigned Admin authorization at the Project Definition level, and this authorization is automatically inherited by all sub-objects.
  • The user executing the transition report is granted Admin authorization at the Project Definition level, also inherited by all sub-objects.
  • The User Group from the Network Profile receives Admin authorization at the Network Header level, with inheritance applied to its sub-elements.

This step ensures that administration rights are preserved and properly cascaded throughout the project hierarchy.

3. Archival of Legacy ACL Records

During transition, all deleted ACL records for the project and its sub-elements are stored in the table PSACL_TAB_MIG. This serves as a historical archive and can be referenced later if needed.

By following these steps, organizations can smoothly transition to the Object-Based Authorization model, benefiting from a more granular, scalable, and maintainable security structure within their project management framework.

Key Differences Between ACL and OBA in SAP S/4HANA

 While Object-Based Authorization (OBA) builds on the foundational concept of Access Control Lists (ACL), there are several important differences that customers should be aware of when transitioning from ACL to OBA.

1. Supported Authorization Objects

In OBA, authorizations can be assigned only to Users and User Groups.
The Authorization Group (Organization Unit)—previously available in ACL—is not supported in OBA.

For customers migrating older projects that contained organization unit–based authorization groups, these must be converted into User Groups and then assigned within the OBA framework to maintain equivalent access behaviour.

2. Inheritance Behaviour

OBA applies a stricter inheritance model compared to ACL.
In OBA, authorizations are always inherited from a parent object down to all of its subordinate objects.
This ensures consistent access across the project hierarchy but also means that selective blocking or non-inheritance—possible in ACL—is no longer supported.

3. Create vs. Write Access Controls

Under ACL, users who had write access implicitly also had create access.
OBA introduces greater flexibility by decoupling these permissions. With OBA, customers can explicitly decide whether a write authorization should include create access by setting the Create Indicator for the corresponding authorization type.

This allows more granular and secure control over user actions within the project structure.