Authorization Fields – Just a Quick Explanation
Authorization fields are the basic elements of an authorization object.
For example, in an authorization object for a company code, if you’d like to allow the user to use screens in company code 1000 in “Display” mode only, but company code 2000 in “Change” and “Display” modes, you will probably define the object with two instances:
- Company 1000, Activity “Display” – in technical terms BUKRS = 1000, ACTVT = 03
- Company 2000, Activities “Change” and “Display” – in technical terms BUKRS = 2000, ACTVT = 02, 03
And then you’d put these instances into an authorization role and grant the role to the user.
Now, for the Stats
We’re working on a large project with a huge amount of authorization data. In order to estimate how much disk space to allocate, we needed some statistics about authorization fields. When we dug into the data, we found some surprising answers that we thought would be fun to share…
What’s the Average Number of Authorization Fields in an Authorization Object?
It’s interesting to see that although SAP has 10 possible spots for authorization fields per each authorization object, most standard SAP authorization objects (44%) include only two authorization fields. While this is not a huge surprise, we’d expect that the majority of the rest of the SAP authorization objects would include three authorization fields, but it’s not – 25% of the authorization objects include a single field! See the stats for yourself, below:
What are the most popular authorization fields?
Well, the answer won’t shock you – the most popular field is ACTVT (i.e. “Activity”), which is the type of access to grant. However the top 5 list is not so trivial…
See the data of the top 5 authorization fields, below:
Although I would guess the No.1 position on my own, I was surprised to see TCD in fifth place. It means that there are many, many authorization objects that contain TCD… Another unexpected fact is that TCD is not being used only in the authorization object S_TCODE, but there are more authorization objects that include field TCD. Did you know this fact?
What’s the Most Controlled Application Area?
Each authorization object is related to an application area. For example, the famous object P_LOG (Personnel Planning) belongs to the HR module.
It’s interesting to see which application area has many objects (a high level of separation and control) and which application area has only a few.
So, without further ado, here’s the data:
It looks like BASIS is the most crowded application area, which for experienced people doesn’t make sense. However, if we add up all the financial sub-modules, we’d see that FI-CO is the big winner here. For me, that is to be expected.
We Want to Hear From You – Ask for a Stat.
Do you have statistics that you are interested in finding out about? We’re sitting on a goldmine of data and we can give you some more very interesting stats. Just ask us by leaving your question in the comments section below, and we’ll do our best to answer.