Even though Authorization Objects are the most basic components in the SAP authorization world, they make SAP much more secure. Many organizations argue that you should use Authorization Objects like you spice food: If spices are used properly, there’s total harmony and you can’t live without them. But if they are overused, they ruin the dish and the whole authorization mechanism becomes too difficult to handle.
In general, Authorization Objects add an extra security layer on top of T-Codes: the layer in which you can, for example, limit a user to viewing certain material groups or materials in a specific department (via T-Code MM03), or to creating financial documents only for specific company codes.
It’s Important to Define Sensitive Authorization Objects
Organizations should have a list of sensitive Authorization Objects. So how do you get this list? Ask the questions, “What are our most important Authorization Objects? Why is this one so important? And this one?”
Sensitive Authorization Objects require special care: (a) they should be granted only to the right employees, (b) they should be inspected thoroughly in periodic authorization review processes, and (c) an alert should be issued when they are granted to new users.
Please note that (c) is no less important than (a) and (b) because granting sensitive objects to the wrong person might imply an intention of fraud, and an alert for this might save the CISO’s job.
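Points (b) and (c) can be put into practice by diffing periodic exports of user authorization values against a sensitive-object list. The following Python is an added example, not code from the original post or from ProfileTailor Dynamics; it assumes a simple `user;object;field;value` export format and uses constructed sample data built around the objects named on this page.

```python
"""Added example (not from the post): alert on new grants of sensitive SAP Authorization Objects."""
from dataclasses import dataclass

# Sensitive objects named in the post; extend with your own list.
SENSITIVE_OBJECTS = {"F_BKPF_BUK", "V_VBAK_AAT", "V_VBAK_VKO", "P_ORGIN", "PLOG"}

@dataclass(frozen=True)
class Grant:  # one effective authorization value held by a user
    user: str
    obj: str
    field: str
    value: str

def parse_snapshot(text: str) -> set[Grant]:
    """Parse 'user;object;field;value' lines (an assumed export format)."""
    grants = set()
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, obj, field, value = (p.strip() for p in line.split(";"))
        grants.add(Grant(user, obj, field, value))
    return grants

def new_sensitive_grants(before, after, sensitive=SENSITIVE_OBJECTS) -> list[Grant]:
    """Point (c): sensitive-object values present in 'after' but not in 'before'."""
    added = (g for g in after - before if g.obj in sensitive)
    return sorted(added, key=lambda g: (g.user, g.obj, g.field, g.value))

def review_by_object(snapshot, sensitive=SENSITIVE_OBJECTS) -> dict:
    """Point (b): per sensitive object, which users hold it and with which values."""
    report = {}
    for g in snapshot:
        if g.obj in sensitive:
            report.setdefault(g.obj, {}).setdefault(g.user, set()).add(f"{g.field}={g.value}")
    return report

# Constructed sample snapshots (not real system data); field values are illustrative.
BEFORE = """# user;object;field;value
JDOE;F_BKPF_BUK;BUKRS;1000
JDOE;F_BKPF_BUK;ACTVT;01
ASMITH;M_MATE_WRK;WERKS;2000"""
AFTER = BEFORE + """
JDOE;F_BKPF_BUK;BUKRS;*
ASMITH;P_ORGIN;INFTY;0008
BNEW;V_VBAK_VKO;VKORG;1000"""

if __name__ == "__main__":
    for g in new_sensitive_grants(parse_snapshot(BEFORE), parse_snapshot(AFTER)):
        print(f"ALERT: {g.user} newly holds {g.obj} {g.field}={g.value}")
```

Note that the widening of JDOE's F_BKPF_BUK from company code 1000 to `*` is reported as a new grant even though the user already held the object, which is exactly the kind of change a reviewer wants flagged.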
Which Are the Three Most Important Authorization Objects to Most Companies?
It’s interesting to compare your list with others. The following three Authorization Objects are the most commonly used by our customers:
- F_BKPF_BUK: Control to which company code the user is allowed to post financial documents
- V_VBAK_AAT and V_VBAK_VKO: Authorizations for Sales Document Types and Areas
- HR Objects: P_ORGIN and PLOG – To restrict access to certain infotypes and other HR areas
*This list was prepared using ProfileTailor Dynamics Role Matrix to easily identify the most commonly used Authorization Objects in roles.