SAP authorizations - AWS SDK for SAP ABAP

SAP authorizations


Authorizations for configuration

The following authorizations are required to configure the AWS SDK for SAP ABAP.

  • S_TCODE

    • TCD = /AWS1/IMG

  • S_TABU_DIS

    • ACTVT = 02, 03

    • DICBERCLS

      Choose from the following authorization groups.

      • /AWS1/CFG - AWS SDK for SAP ABAP v1 - Config

      • /AWS1/MOD - AWS SDK for SAP ABAP v1 - Runtime

      • /AWS1/PFL - AWS SDK for SAP ABAP v1 - SDK Profile

      • /AWS1/RES - AWS SDK for SAP ABAP v1 - Logical Resources

      • /AWS1/TRC - AWS SDK for SAP ABAP v1 - Trace

SAP authorizations for end users

Prerequisite: Define SDK Profiles

Before the SAP security administrator can define their roles, the Business Analyst will define SDK profiles in transaction /AWS1/IMG. Typically, an SDK profile will be named according to its business function: ZFINANCE, ZBILLING, ZMFG, ZPAYROLL, etc. For each SDK profile, the Business Analyst will define logical IAM roles with short names, such as CFO, AUDITOR, REPORTING. These will be mapped to the real IAM roles by the IAM security administrator.

Define PFCG Roles

The SAP security administrator will then add authorization object /AWS1/SESS to grant access to an SDK profile.

Auth Object /AWS1/SESS

  • Field /AWS1/PROF = ZFINANCE

Users should also be mapped to logical IAM roles for each SDK profile, depending on their job function. For example, a financial auditor with reporting access might be authorized for a logical IAM role called AUDITOR.

Auth Object /AWS1/LROL

  • Field /AWS1/PROF = ZFINANCE

  • Field /AWS1/LROL = AUDITOR

Meanwhile, the CFO, who needs read/write authorizations, might have a PFCG role that authorizes them for the logical IAM role CFO.

Auth Object /AWS1/LROL

  • Field /AWS1/PROF = ZFINANCE

  • Field /AWS1/LROL = CFO

In general, a user should be authorized for only one logical IAM role per SDK profile. If a user is authorized for more than one logical IAM role in the same profile (for example, if the CFO is authorized for both the CFO and AUDITOR logical IAM roles), the AWS SDK breaks the tie by applying the higher priority role, that is, the one with the lower sequence number.
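The checks behind these two authorization objects, shown as an added example that is not part of the original page or of the SDK's own code: a small ABAP report that runs an explicit AUTHORITY-CHECK against /AWS1/SESS for the profile and against /AWS1/LROL for each candidate logical IAM role, then resolves the effective role with the tie-break rule just described (lowest sequence number wins). The report name, the local class, the candidate list and the sequence numbers 10 and 20 are constructed for this illustration; the real sequence numbers come from the logical role configuration in /AWS1/IMG.

```abap
*&---------------------------------------------------------------------*
*& Report Z_AWS1_AUTH_CHECK_DEMO (constructed example, not SDK code)
*& Explicit pre-checks for the SDK's authorization objects, written the
*& way a custom ABAP program might verify access before using the SDK.
*&---------------------------------------------------------------------*
REPORT z_aws1_auth_check_demo.

TYPES: BEGIN OF ty_lrole,
         lrole TYPE c LENGTH 30,   " logical IAM role short name, e.g. CFO
         seq   TYPE i,             " sequence number (lower = higher priority)
       END OF ty_lrole,
       ty_lroles TYPE STANDARD TABLE OF ty_lrole WITH EMPTY KEY.

CLASS lcl_aws1_auth DEFINITION.
  PUBLIC SECTION.
    " abap_true when the current user may open SDK profile iv_profile
    CLASS-METHODS can_use_profile
      IMPORTING iv_profile        TYPE clike
      RETURNING VALUE(rv_allowed) TYPE abap_bool.

    " Effective logical IAM role for iv_profile: of the candidates the
    " user is authorized for, the one with the lowest sequence number.
    " Initial (empty) when the user holds none of them.
    CLASS-METHODS effective_lrole
      IMPORTING iv_profile      TYPE clike
                it_candidates   TYPE ty_lroles
      RETURNING VALUE(rv_lrole) TYPE string.
ENDCLASS.

CLASS lcl_aws1_auth IMPLEMENTATION.
  METHOD can_use_profile.
    " Authorization object /AWS1/SESS, field /AWS1/PROF (as on this page)
    AUTHORITY-CHECK OBJECT '/AWS1/SESS'
      ID '/AWS1/PROF' FIELD iv_profile.
    rv_allowed = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.

  METHOD effective_lrole.
    DATA lv_best_seq TYPE i VALUE 2147483647.
    LOOP AT it_candidates ASSIGNING FIELD-SYMBOL(<ls_cand>).
      " Authorization object /AWS1/LROL with both fields (as on this page)
      AUTHORITY-CHECK OBJECT '/AWS1/LROL'
        ID '/AWS1/PROF' FIELD iv_profile
        ID '/AWS1/LROL' FIELD <ls_cand>-lrole.
      " Keep the authorized candidate with the lowest sequence number
      IF sy-subrc = 0 AND <ls_cand>-seq < lv_best_seq.
        lv_best_seq = <ls_cand>-seq.
        rv_lrole    = <ls_cand>-lrole.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed candidate list: these sequence numbers are assumptions;
  " the real ones are maintained with the logical roles in /AWS1/IMG.
  DATA(lt_candidates) = VALUE ty_lroles( ( lrole = 'CFO'     seq = 10 )
                                         ( lrole = 'AUDITOR' seq = 20 ) ).

  IF lcl_aws1_auth=>can_use_profile( 'ZFINANCE' ) = abap_false.
    MESSAGE 'No authorization for SDK profile ZFINANCE' TYPE 'E'.
  ENDIF.

  DATA(lv_lrole) = lcl_aws1_auth=>effective_lrole(
                     iv_profile    = 'ZFINANCE'
                     it_candidates = lt_candidates ).

  IF lv_lrole IS INITIAL.
    MESSAGE 'No logical IAM role authorized for profile ZFINANCE' TYPE 'E'.
  ELSE.
    WRITE: / |Effective logical IAM role for ZFINANCE: { lv_lrole }|.
  ENDIF.
```

A pre-check like this lets a custom program fail early with a readable message, and running it under a test user that holds both the CFO and AUDITOR PFCG roles makes the tie-break visible: with the constructed sequence numbers the report resolves to CFO. It does not replace the enforcement the SDK applies on these objects when a session is opened.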

As with all security scenarios, users should be given the least privilege needed to perform their job functions. A simple strategy for managing PFCG roles is to name single PFCG roles after the SDK profile and logical IAM role they authorize. For example, role Z_AWS_PFL_ZFINANCE_CFO grants access to profile ZFINANCE and logical IAM role CFO. These single roles can then be assigned to composite roles that define job functions. Each company has its own strategy for role management, and we encourage you to define a PFCG strategy that works for you.