SAP authorizations
This section covers the following topics.
Authorizations for configuration
The following authorizations are required to configure SDK for SAP ABAP.
- S_TCODE
  - TCD = /AWS1/IMG
- S_TABU_DIS
  - ACTVT = 02, 03
  - DICBERCLS: choose from the following authorization groups.
    - /AWS1/CFG - AWS SDK for SAP ABAP v1 - Config
    - /AWS1/MOD - AWS SDK for SAP ABAP v1 - Runtime
    - /AWS1/PFL - AWS SDK for SAP ABAP v1 - SDK Profile
    - /AWS1/RES - AWS SDK for SAP ABAP v1 - Logical Resources
    - /AWS1/TRC - AWS SDK for SAP ABAP v1 - Trace
SAP authorizations for end users
Prerequisite: Define SDK Profiles
Before the SAP security administrator can define their roles, the Business Analyst will define SDK profiles in transaction /AWS1/IMG. Typically, an SDK profile will be named according to its business function: ZFINANCE, ZBILLING, ZMFG, ZPAYROLL, etc. For each SDK profile, the Business Analyst will define logical IAM roles with short names, such as CFO, AUDITOR, REPORTING. These will be mapped to the real IAM roles by the IAM security administrator.
Define PFCG Roles
The SAP security administrator will then add authorization object /AWS1/SESS to grant access to an SDK profile.
Auth Object /AWS1/SESS
- Field /AWS1/PROF = ZFINANCE
Users should also be mapped to logical IAM roles for each SDK profile, depending on their job function. For example, a financial auditor with reporting access might be authorized for a logical IAM role called AUDITOR.
Auth Object /AWS1/LROL
- Field /AWS1/PROF = ZFINANCE
- Field /AWS1/LROL = AUDITOR
Meanwhile, the CFO, with read/write authorizations, might have a PFCG role authorizing them the logical role of CFO.
Auth Object /AWS1/LROL
- Field /AWS1/PROF = ZFINANCE
- Field /AWS1/LROL = CFO
In general, a user should be authorized for only one logical IAM role per SDK profile. If a user is authorized for more than one logical IAM role (for example, if the CFO is authorized for both the CFO and AUDITOR logical IAM roles), then the AWS SDK breaks the tie by ensuring that the higher priority (lower sequence number) role takes effect.
As with all security scenarios, users should be given least privilege to perform their job functions. A simple strategy for managing PFCG roles would be to name Single PFCG roles according to the SDK profile and logical role they authorize. For example, role Z_AWS_PFL_ZFINANCE_CFO grants access to profile ZFINANCE and logical IAM role CFO. These single roles can then be assigned to composite roles that define job functions. Each company has their own strategy for role management, and we encourage you to define a PFCG strategy that works for you.
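As an added illustration (not code from the SDK or this guide), the following Python model applies the rules above to a set of user authorizations: /AWS1/SESS gates access to a profile, /AWS1/LROL grants logical roles within it, and when a user holds several logical roles the lowest sequence number wins. The sequence numbers, user IDs and authorizations are constructed sample data, and the audit helper that flags users with more than one logical role per profile is an assumption about how a security administrator might check for least privilege.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SessAuth:  # /AWS1/SESS: grants access to an SDK profile
    prof: str    # field /AWS1/PROF


@dataclass(frozen=True)
class LrolAuth:  # /AWS1/LROL: grants a logical IAM role within a profile
    prof: str    # field /AWS1/PROF
    lrol: str    # field /AWS1/LROL


# Assumed sample: sequence number of each logical role in the SDK profile,
# as the Business Analyst would define it in /AWS1/IMG. Lower = higher priority.
ROLE_SEQUENCE = {"ZFINANCE": {"CFO": 10, "AUDITOR": 20, "REPORTING": 30}}


def effective_role(auths, profile, role_sequence=ROLE_SEQUENCE):
    """Return the logical IAM role that takes effect for `profile`, or None."""
    # Without /AWS1/SESS for the profile the user gets no session at all.
    if not any(isinstance(a, SessAuth) and a.prof == profile for a in auths):
        return None
    seq = role_sequence.get(profile, {})
    # Only logical roles actually defined in the profile can take effect.
    candidates = [a.lrol for a in auths
                  if isinstance(a, LrolAuth) and a.prof == profile and a.lrol in seq]
    if not candidates:
        return None
    return min(candidates, key=lambda r: seq[r])  # tie-break: lowest sequence number


def multi_role_users(user_auths):
    """Audit helper: users holding more than one logical role for the same profile."""
    findings = {}
    for user, auths in user_auths.items():
        by_profile = {}
        for a in auths:
            if isinstance(a, LrolAuth):
                by_profile.setdefault(a.prof, set()).add(a.lrol)
        extra = {p: sorted(r) for p, r in by_profile.items() if len(r) > 1}
        if extra:
            findings[user] = extra
    return findings


# Constructed sample users and their PFCG-derived authorizations.
USERS = {
    "CFO01": [SessAuth("ZFINANCE"), LrolAuth("ZFINANCE", "CFO"), LrolAuth("ZFINANCE", "AUDITOR")],
    "AUD01": [SessAuth("ZFINANCE"), LrolAuth("ZFINANCE", "AUDITOR")],
    "NOSESS": [LrolAuth("ZFINANCE", "REPORTING")],
}
```

Running `multi_role_users(USERS)` reports CFO01 as holding two logical roles for ZFINANCE, which is the situation the guidance above says to avoid even though the tie-break resolves it to CFO.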