2. 26/01/2017 2
Authorisations in SAP: best practices
1. Role naming conventions
Role naming convention
Lack of naming convention, inconsistent naming convention or inappropriate naming convention is
the most basic mistake that an organisation can make. And this does not just impact the user
administrator (who may not be able to identify with the roles after some time), it adversely impacts
business users as well as auditors. Business users are often not conversant with transaction codes
and authorization objects and rely on the role name and description to understand the role. Without a
good and consistent naming convention, they may struggle to make sense of the roles.
SOLUTION: Define logic naming convention and respect this naming convention at all times.
Example: ZS/C_XX_<Description>/<Job>_YYYY
with S = Single role / C = Composite role
XX = Domain (CA, GL, AP etc.)
<Description> (single role) = Description (GLMAST_MAINT for g/l account maintenance,
GLMAST_DISPL for g/l account display, etc.)
<Job> (composite role) = Job (MMPUR for purchaser, FITR for treasury, FIGEN for
accountants etc.)
YYYY = Master / Organisational unit (MAST if master role, #### for Company 1, etc.)
3. 26/01/2017 3
Authorisations in SAP: best practices
2. Role design
Role design
Use different types of roles correctly.
Single roles
Composite roles
Master / parent roles
Derived / child roles
SOLUTION: Correctly design roles using authorisation matrix.
4. 26/01/2017 4
Authorisations in SAP: best practices
2. Role design
1. Define single roles
2. Assign single roles to composite roles
3. Define slave roles
4. Assign composite roles to users
5. 26/01/2017 5
Authorisations in SAP: best practices
2. Role design: Master / derived roles
Concept
A derived role has identical attributes (transactions / authorization object values) as it parent
except the values of the organizational level fields (plant, company code, sales organisation
etc. ).
Advantage
Thus maintenance is simplified as only the organisational levels have to be maintained at the
derived role level. This also ensures that there is no opportunity to make mistakes during
authorisation maintenance for the multitude of derived roles and also reduces testing effort for
roles.
6. 26/01/2017 6
Authorisations in SAP: best practices
2. Role design: Master / derived roles
Example
Master role Derived role
Transactions and authorisations Derived role
are maintained in the master role is assigned to
master role
Organisation levels are not assigned
in master role Organisational
levels are assigned
8. 26/01/2017 8
Authorisations in SAP: best practices
4. Document changes in authorisations
Document changes to authorisation roles
9. 26/01/2017 9
Authorisations in SAP: best practices
5. Non-maintained authorisations
Unmaintained authorisations
Many user administrators leave unmaintained authorisation (i.e. objects with some
unmaintained field values) in the profile. Such unmaintained authorization often become big
nuisance in long run. They are also one of the most common reason behind false positives
raised during authorization review.
SOLUTION: Maintain all authorisation objects in the authorisation profile.
10. 26/01/2017 10
Authorisations in SAP: best practices
Tip 1 for maintaining authorisations: deactivate but keep the standard
When changing authorisation objects the best way is to make a copy, deactivate the standard,
and make changes to the copy.
11. 26/01/2017 11
Authorisations in SAP: best practices
Tip 2 for maintaining authorisations: Read old status and merge with new data
Use option ‘Read old status and merge with new data’
If you have a ‘Standard’ and a ‘Change’, the option ‘Read old status and merge with old data’ will not
insert a new authorisation object.