aman.kr.saksena@gmail.

com
+91-8375994808

SAP MM Authorization Matrix

and User roles in SAP

SAP MM BY AMAN SAKSENA

 Overview of SAP Roles

• Authorizations are especially useful when controlling access at the application

level. They are responsible for controlling the various functions that a user can
execute.
• User's can also be authorized to view, change, enter, and delete data. While
the underlying concept of the authorizing principle may seem trivial, there are
numerous challenges that come into play during authorization
implementations.
• Security compliances, enterprise restrictions, and high costs often times deter
organizations from implementing best practices in their security architecture.
However, at the end of the day, the importance of a secure access control
framework cannot be stressed enough.
• Roles and authorizations are what enable users to execute transactions in SAP
in a secure manner. (Error in SU53 T-Code)

aman.kr.saksena@gmail.com
+91-8375994808
 Supervisor Accountant
01

04 02

03 Head of the
Maintenance
In-charge department

P2P Cycle Involves Variety of users

aman.kr.saksena@gmail.com
+91-8375994808
 Need of Roles and Authorization

• Functional Consultants have a lot of questions in mind regarding this

concept and one of the main questions here is why should Functional
Consultants worry about Roles and Authorization when it is a job of
BASIS team.
• Roles and Authorizations allow the users to access SAP Standard as well
as custom Transactions in a secure way. SAP provides certain set of
generic Standard roles for different modules and different scenarios.

aman.kr.saksena@gmail.com
+91-8375994808
 Need of Roles and Authorization

• BASIS team have a know how about the User Management(SU01/SU10),

Roles Creation, Profile Creation, Roles and Profile assignment(SAP ID),
Authorization assignments etc. but main concern in most of the cases arises
when the below questions are unanswered by BASIS team:-

1. Whom to Assign the Roles or transactions

2. What to Restrict in a transaction and for whom
3. How to authorize Custom transactions

• Hence, it becomes the role of a Functional Consultant to guide them with

the exact process flow and exact organizational chart.

aman.kr.saksena@gmail.com
+91-8375994808
Roles Org. Chart

aman.kr.saksena@gmail.com
+91-8375994808
Authorization Matrix based on roles

aman.kr.saksena@gmail.com
+91-8375994808
Authorization Matrix role mapping with App IDs

aman.kr.saksena@gmail.com
+91-8375994808
 aman.kr.saksena@gmail.com
+91-8375994808 Roles

• Single roles can be derived from their respective organizational values into derived roles. From a technical
viewpoint, derived roles are also single roles that have inherited authorization characteristics from a separate
"master" role.
1. Single Roles - Single roles are derivable from their respective organizational values. Usually when single roles are
discussed amongst professionals, the primary reference point is given to a job or position based role design. When
this is the case, all required authorizations for a user's job/position are contained in the single role. However,
there are examples where many single role designs lack some or even all of a user's required authorizations. This is
typically the case when a basic authorization role that includes transactions and authorizations that are uniform
for all users. Similarly, there will be users who will possess extra privileges in their authorization permissions.
2. Derived Roles - There are a number of differences between single and derived roles. For starters, derived roles are
composed of a "master" role and additional "child" roles that are each unique from the "master" and each other
only in their organizational values. This approach does come with a number of limitations however. For example, if
a user attempts to promote non-organizational fields to organizational fields, the user must ensure that the values
be the same within one role. To put it simply, it's not advisable to use different non-organizational fields in tandem
with derived roles since the values across all the child roles will be the same as the "master" role. As a result, all
objects will be effected.
3. Composite Roles - The most versatile role type in SAP is the composite role. Composite roles are a collection of
single roles that are capable of being grouped into a common composite role menu. The versatility results in users
being able to indirectly assign multiple single roles to a user by assigning only the specific composite role that
contains the single roles. Composite roles are heavily leveraged by SAP customers because they drastically reduce
the single roles count that are directly assigned to users. In a nutshell, a composite role can really be thought of as
a package of single roles that can guide a task-level single role.
 How To Define a role

• The reason to define user specific activity is to simplify the management of

Roles.
• We can also define user defined roles based on the Project scenario keeping
below concept in mind:-

• There are basically three types of Roles:-

1. Master Roles – With Transactions, Authorization Objects and with all
organizational level management.
2. Derived Roles –With organizational level management and Transactions and
Authorization Object copied from Master Role.
3. Composite Roles – With restrictions based on Org. structure or function.
aman.kr.saksena@gmail.com
+91-8375994808
 Path of Role Authorization (BASIS Team)

• You can copy and adjust these default roles in Customizing under:-

• SPRO->SAP NetWeaver->Application Server->System Administration -

>Users and Authorizations->Maintain Authorizations and Profiles
using Profile Generator->Maintain Roles (T-Code : PFCG).

aman.kr.saksena@gmail.com
+91-8375994808
What are the components of a role?

4
• Transaction Codes
3

• Profile
2

• Authorization Objects 1

• Organization level

aman.kr.saksena@gmail.com
+91-8375994808
 Components of Role

• Profile: Profiles are the objects that actually store the authorization data
and Roles are the Container that contains the profile authorization data.

• Authorization Objects: Objects that define the relation between different

fields and also helps in restricting/ allowing the values of that particular
field (For ex: Authorization of LGORT S.loc. in BETA Plant)

• Authorization objects are actually defined in programs that are executed

for any particular transactions. We can also create custom authorization
objects for any particular transaction (generally custom transaction).

aman.kr.saksena@gmail.com
+91-8375994808
 Components of Role

• Organization level: This defines actually the organizational elements

in SAP for ex: Company Code, Plant, Planning Plant, Purchase
organization, Sales organization, Work Centres, etc.

aman.kr.saksena@gmail.com
+91-8375994808
 Roles and Authorization Concept for
Inventory Management

SAP_SR_BUYER_5; is mainly purchasing-related roles but they contain MM-IM related data, such as a goods
movement worklist.
Roles and Authorization Concept for
Inventory Management

aman.kr.saksena@gmail.com
+91-8375994808
 SAP MM Roles and auth. matrix

Thank you

SAP MM BY AMAN SAKSENA

aman.kr.saksena@gmail.com
+91-8375994808