- SAP Managed Tags
How They Work
When a user attempts to access an SAP object, the system checks two things:
1️⃣Whether the user has the necessary authorization (through roles and profiles)
2️⃣Whether the user is authorized for the specific authorization group assigned to that object
If an object belongs to an authorization group that the user cannot access, the system will deny access even if the user has other relevant permissions.
Common Use Cases
Table Protection: Database tables containing sensitive information (like payroll data, financial records, or personal information) are assigned to specific authorization groups. Only users with appropriate clearance can access these tables through transactions like SE16 or development tools.
Program Security: Custom programs or reports can be assigned authorization groups to ensure only designated users can execute them, particularly useful for programs that manipulate critical business data.
Configuration and Assignment
Authorization groups are typically defined in customization tables and then assigned to objects through various methods depending on the object type. Users are granted access to authorization groups through their roles, which contain authorization objects (like S_TABU_DIS for table access) that specify which authorization groups they can access.
Demo
Create new authorization group in the SM30, view name V_TPGP.
Add this group to the program (see explanation above). Now if the user without appropriate clearance try to execute the report the error message will be appears.
Add the group to the related field of the object.
The role should be assigned to the user.
Now the program can be executed
Bluesky| User | Count |
|---|---|
| 58 | |
| 51 | |
| 50 | |
| 37 | |
| 33 | |
| 32 | |
| 32 | |
| 31 | |
| 29 | |
| 27 |
