Difference in SAP authorization: what is role and is profile?

Authorization is synonym to authorization object. Authorization object element of authorization system. It contains various fields (up to 10) which are checked during the runtime. To successful pass the authorization check each field contained in the object must be checked successfully.

Example of BW’s Authorization object: Business Explorer - Components [S_RS_COMP] has following fields: 

1. Activity (ACTVT) has following values which grant access to:

01      Create or generate

02      Change

03      Display

06      Delete

16      Execute

22      Enter, Include, Assign

2. InfoArea (RSINFOAREA) grants access to particular InfoAreas created in BW (e.g. Finance, Purchasing, etc.).

3. InfoCube (RSINFOCUBE) grants access to particular infocubes created in BW (e.g. 0QM_C04 Business Content infocube Inspection Results: General Data).

4. Name (ID) of a reporting component (RSZCOMPID) grants access to BW report’s components e.g. BEx query names.

5. Type of a reporting component (RSZCOMPTP) grants access to different BW reporting components:

CKF    Calculated key figure

QVW   Query View

REP     Query

RKF    Restricted key figure

SOB    Selection object

STR    Template structure

VAR    Variable

Notice that there are many other BW’s Authorization objects e.g.:

S_RS_COMP1 - Business Explorer - Components: Enhanced to the Owner,

S_RS_FOLD - Business Explorer - Folder View On/Off,

S_RS_HIER - Data Warehousing Workbench – Hierarchy,

S_RS_ICUBE - Data Warehousing Workbench – InfoCube,

S_RS_MPRO - Data Warehousing Workbench – MultiProvider,

S_RS_ODSO - Data Warehousing Workbench - DataStore Object,

S_RS_PARAM - Business Explorer - Variants in Variable Screen.

S_RS_TR - Data Warehousing Workbench – Transformation

S_RS_WSPAC - BW Workspace

S_RS_XCLS - Front-end Integration - Xcelsius Visualization

S_RS_LPOA - Data Warehousing Workbench - Semantically Partitioned Object

S_RS_ISRCM - Data Warehousing Workbench - InfoSource (Direct Update)

S_RS_HIER - Data Warehousing Workbench - Hierarchy

S_RS_HIST - Authorizations for TLOGO Object History

S_RS_HYBR - Data Warehousing Workbench - HybridProvider

S_RS_IOMAD - Data Warehousing Workbench  - Maintain Master Data

S_RS_ISOUR - Data Warehousing Workbench - InfoSource (Flexible Update)

R_STS_CUST - Planning: Customizing for Status and Tracking

S_RS_ADMWB - Data Warehousing Workbench - Objects

S_RS_AINX - Analytic Index

S_RS_AUTH - BI Analysis Authorizations in Role

S_RS_CPRO - Authorization Object for BW Composite Provider

S_RS_DTP - Data Warehousing Workbench - Data Transfer Process

Profile represents a grouping of authorizations (max 150 authorizations in one profile) together. Usually BW’s apps are complex ones comprised from many objects linked and working together. To be able to enable grouping of objects Profiles are used.

Finally we are coming to the Role. Role represents a container of Profiles. By this it is easier to track authorization requirements. Also role overcomes limits of profiles as it can hold only 150 authorizations).

Also note that speaking of classic SAP’s transaction codes (TA or T-codes) they are not assigned directly to the users. You need to assign into the roles. Then role is assigned to the user (TA SU01) and this automatically populates profile assignment. That’s why we see both tabs in SU01: Role tab along with Profile tab.