AGLEA Blog

SAP Roles and Profiles, what are they?

Written by Fabio Mambretti | Jan 12, 2023 11:00:00 PM

In the day-to-day these terms are often used as synonyms, but they're actually not.

They are easily confused, and it is often unclear whether it is correct to talk about SAP profiles or roles. Let's try to highlight the differences between these two terms, starting from the past!

What are the SAP roles and profiles?

To better understand what these are, we must start from the past. In fact, in the early releases of SAP systems, there were no roles but only profiles.

 

They are, more generally, objects that allow you to assign authorizations to users who use the SAP system. Through these objects it is then possible to enable users to use the system.

 

The concept of role was introduced more recently than that of profile, or authorization profile.

 

But let's try to give a definition and then elaborate:

 

  • A profile is a container of authorizations
  • A role is a container consisting of three parts: menu, authorizations, and user assignment.

 

Perhaps this is still not crystal clear.

 

We were saying that in the past, in order to assign authorizations to users there were only profiles. That is true.

 

In order to enable a user to execute, for example, a purchase request or an order, one had to identify all the authorization objects necessary to make these aspects of the process work.

 

All of these objects had to be precisely put into a profile and that profile had to be then assigned to the user or users.

 

This was very time-consuming and laborious, not least because who knows the more than 3000 authorization objects defined in an SAP system? The process was conducted via trial and error.

 

Roles, then, simplify the management of SAP authorizations by introducing the RBAC (Role-Based Access Control) paradigm.

 

How?

 

Before, with profiles (transaction SU02), I had to know, as security manager, all the objects to be enabled. Today, with roles, I can declare what a person will have to perform in transactional terms and the system will, more or less, do the rest.

 

 

This means the role (through the PFCG - Profile generator transaction) will allow me to retrieve all the necessary information (from the point of view of authorizations) so that the user, once given the role, is able to work.

Warning: profiles and roles should not be used together. Thus, profiles are a legacy of the past (still active in the system) but "hidden" through role management. So they are not to be used. Only roles are to be used!
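
One way to check a system against the warning above, as an added example that is not part of the original post: the script below classifies every profile a user holds as role-backed, manually assigned, or orphaned (a generated profile held without its role). It assumes CSV exports of the SAP tables UST04, AGR_1016 and AGR_USERS with the columns shown; the CSV layout is an assumption and all sample rows, role names and profile names are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real system data). Column names follow the
# SAP tables UST04 (user -> profile), AGR_1016 (role -> generated profile)
# and AGR_USERS (role -> user); the CSV layout itself is an assumption.
UST04 = """BNAME,PROFILE
JDOE,T-A1230001
JDOE,SAP_ALL
MROSSI,T-A1230002
MROSSI,T-A1230001
"""
AGR_1016 = """AGR_NAME,PROFILE
Z_PURCHASE_REQUESTER,T-A1230001
Z_PURCHASE_ORDER_CLERK,T-A1230002
"""
AGR_USERS = """AGR_NAME,UNAME
Z_PURCHASE_REQUESTER,JDOE
Z_PURCHASE_ORDER_CLERK,MROSSI
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def classify_profiles(ust04, agr_1016, agr_users):
    """Return {(user, profile): status} for every profile assignment."""
    roles_of_profile = defaultdict(set)
    for r in rows(agr_1016):
        roles_of_profile[r["PROFILE"]].add(r["AGR_NAME"])
    roles_of_user = defaultdict(set)
    for r in rows(agr_users):
        roles_of_user[r["UNAME"]].add(r["AGR_NAME"])

    result = {}
    for r in rows(ust04):
        user, profile = r["BNAME"], r["PROFILE"]
        generating_roles = roles_of_profile.get(profile, set())
        if not generating_roles:
            status = "manual"        # assigned directly, no role behind it
        elif generating_roles & roles_of_user[user]:
            status = "role-backed"   # normal case: profile came with the role
        else:
            status = "orphaned"      # generated profile held without its role
        result[(user, profile)] = status
    return result

def findings(classified):
    """Assignments that bypass role management, sorted for stable review."""
    return sorted(k for k, v in classified.items() if v != "role-backed")
```

Calling `findings(classify_profiles(UST04, AGR_1016, AGR_USERS))` on the sample data reports JDOE's direct SAP_ALL profile and MROSSI's generated profile from a role MROSSI does not hold.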


 

Do SAP Roles make it easier to manage authorizations?

Yes, that's exactly right. Although it depends on how you structure them. Sometimes we use the metaphor of Lego bricks.

Imagine you have hundreds of pieces of various shapes and colors at your disposal. With the same number of pieces everyone can make something different. Some make works of art and some try (perhaps coming close, more or less).



In SAP authorizations, and in SAP more generally, it really is like that: anyone can easily make things work by trying to define an authorization concept.

But it is one thing to make them work; it is quite another to make them work as they should and, especially, to manage them appropriately over time.

It is common, in fact, to find situations of authorization models defined at the beginning of the project and then layered, changed without much logic by several hands over time, to the point where you must revise everything.
