What is an authorization object?

Authorization objects are groups of authorization fields that control a particular activity. Authorization fields are contained within authorization objects. Authorization objects relate to a particular action while authorization fields allow for security administrators to configure specific values in that particular action. An authorization field can be populated with many values. For example a value of “01” in authorization field ACTVT (Activity) gives the user the ability to create while a value of “03” gives the user the ability to display.

SU21-Authorization Objects

SU21-Authorization Objects

Every authorization object must contain at least authorization field, but can contain up to 10 authorization fields. There are almost 1000 different authorization objects. One authorization object can control the same activity in multiple transactions. If you think about it, about 1000 different authorization objects control about 65,000 transactions.

Authorization Object Class

Authorization objects are grouped by authorization object classes. Authorization object classes are typically grouped by function areas (e.g., Human Resources, Financial Accounting, Plant Maintenance). There are about 50 different authorization object classes.

SU21-Authorization Objects

SU21-Authorization Objects

Think of authorizations like so:

Authorization Object Class >Authorization Object > Authorization Field > Authorization values

An authorization can be thought of is an authorization object and its  unique combination of fields and values. An authorization object can contain many different types combinations of authorizations.

Posted in Security | Tagged , , , , , | Leave a comment

SAP Security 101 Transaction List

Below are some common SAP Security transactions you may find helpful especially if you are new to SAP security:


Transaction Code Purpose
SU01 To create and maintain the users.
SU01D To Display Users
SU10 For mass maintenance.
SU03 For Manual creation of authorization.
SU3 For setting Address and default parameters.
PFCG For maintaining role using profile generator.
PFUD For Comparing User master in Dialog.
SUPC For generation of Mass profile.
SU24 For Maintaining Check Indicators and for Maintaining templates.
SU20 Lists down the authorization fields.
SU21 Lists the Object classes and authorization objects.
SM01 For locking the transaction from execution.
SM19 Security audit – configuration.
SM20 Security audit – reporting.
SCCL For Local Client Copy on same system between different clients.
STMS Transport Management System
RZ10 Profile configuration
RZ11 Maintain profile parameters
SU53 To display last authority check that failed
SU56 Display User buffer
SECR Audit Information System
ST01 System Trace
SUGR Maintain User groups
SUIM User Information System
SM59 Display/Maintain RFC Destinations
SM35 Batch Input Monitoring
Posted in Uncategorized | Leave a comment

User Status Security in PM

A guide on setting up user status security for Plant Maintenance is now posted. Though B_USERSTAT is used universally across modules, it used in the PM module. Statuses can be controlled on equipment, work orders, notifications, etc.

The B_USERSTAT Authorization Object

The B_USERSTAT  authorization object is the primary authorization object that is used to control access to the statuses.

B_USERSTAT Authorization Object

B_USERSTAT Authorization Object

Activity – This field has only two options. A value of 01 allows for the setting of a status and a value of 06 is to delete/remove the status. The removing of status authorization applies mainly to non-sequential user statuses (where check boxes are used). In sequential user statuses, the selection of another status does not call an authorization check on activity 06 on the deselected status. It will only call an authorization check for activity 01 for the new status selected and if it is allowed.

Authorization Key – This will give the user access to the specified authorization key. Values here correspond to table TJ10. Authorizations are used to restrict user statuses in the status profiles (table TJ30). Some authorization keys are never configured into our Security rules. This is usually done when statuses are never to be changed or done solely by an interface.

Object Category – Depending on the where the status profile is used, the above example only gives the user access to status profiles that are associated with maintenance orders (ORI). Some statuses may be used in multiple object categories. You can look up which object categories the status profile may be used in table TJ21.

Status Profile – This field allows access to specified status profiles. If the user does not have access to the status profile, the user will not be able to set the status whether or not an auth key is assigned to the user status or not.


Posted in Plant Maintenance, Security, Troubleshooting, Tutorial | Tagged , , , , , , , , , , | Leave a comment