In the world of enterprise procurement, SAP Supplier Relationship Management (SAP SRM) plays a crucial role in streamlining supplier collaboration, sourcing, and procurement processes. One of the fundamental aspects of any SAP system, including SRM, is authorization management, which ensures that users have access only to the data and functions necessary for their job roles. This article explores how roles and authorization objects function within SAP SRM, and how they help maintain system security and efficiency.
In SAP, a role is a collection of authorizations that define what a user can see and do within the system. Roles are created and managed using the Profile Generator (transaction PFCG).
In the context of SAP SRM, roles are tailored to match the specific responsibilities of various users involved in procurement and supplier management processes. Some common SRM-specific roles include:
Each role is mapped to relevant business processes within SRM and grants users access only to the transactions and data they need.
While roles determine what a user can do, authorization objects determine under what conditions they can do it. Authorization objects are technical constructs that define granular access control in the system.
Each authorization object contains fields (also known as authorization fields) that are checked at runtime. For example, when a user tries to create a shopping cart or approve a purchase order, the system checks whether they have the correct authorization values.
Below are some typical authorization objects used in SAP SRM:
| Authorization Object | Description |
|---|---|
| BBP_ACTIV | Controls access to SRM applications (e.g., shopping cart, sourcing cockpit) |
| BBP_PDORG | Determines user access to organizational units and purchasing groups |
| BBP_PDIGP | Controls access to purchasing groups in SRM documents |
| BBP_FUNCT | Checks authorization for functional areas (e.g., create, change, display documents) |
| BBP_ATTR_CHECK | Used to verify attributes assigned to users for document processing |
| S_SERVICE | Controls access to web services and ITS services in SRM |
| S_USER_AGR, S_USER_AUT | Relevant for role and profile administration (used by admins) |
These objects are typically tied to specific actions or documents and ensure that only users with appropriate permissions can perform sensitive operations.
SAP SRM also uses organizational attributes to fine-tune authorizations. These attributes are assigned in PPOMA_BBP (Organization Model) and are linked to user roles via their position in the organizational hierarchy.
Common SRM attributes include:
- BUK – Company code
- PURCH_ORG – Purchasing organization
- PUR_GROUP – Purchasing group
- CAT – Product category
- FUNC_AREA – Functional area

By combining these attributes with roles and authorization objects, SRM enables a flexible and scalable access control model.
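The following is an added example, not SAP code and not part of the original article. It models in Python how the runtime check described above combines the three layers: a role bundles authorizations, each authorization names an authorization object and a value per field, and the PPOMA_BBP attributes of the user's position further restrict which documents the user can process. The object names (BBP_ACTIV, BBP_FUNCT, BBP_PDIGP) are the ones listed in the table; the field names APPLICATION, ACTION and PUR_GROUP, the Z-role names and the user attributes are hypothetical sample data. The real field list for each object is maintained in transaction SU21.

```python
from dataclasses import dataclass

# Added example, not SAP code: a simplified model of an SAP authorization
# check. Field names (APPLICATION, ACTION, PUR_GROUP), role names and user
# attributes below are hypothetical placeholders; only the object names are
# taken from the article's table.


@dataclass(frozen=True)
class Authorization:
    obj: str        # authorization object, e.g. BBP_ACTIV
    values: tuple   # ((field, allowed_value), ...) for that object


@dataclass(frozen=True)
class Role:
    name: str
    auths: tuple    # authorizations carried by the role


def value_allowed(allowed: str, actual: str) -> bool:
    """SAP-style comparison: '*' grants everything, a trailing '*' is a
    prefix pattern, anything else must match exactly."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return actual.startswith(allowed[:-1])
    return allowed == actual


def authority_check(roles, obj: str, required: dict) -> bool:
    """Mirror of ABAP AUTHORITY-CHECK semantics: succeed only if one single
    authorization for `obj` satisfies every required field at once. Field
    values held in different authorizations are never combined."""
    for role in roles:
        for auth in role.auths:
            if auth.obj != obj:
                continue
            held = dict(auth.values)
            if all(value_allowed(held.get(f, ""), v) for f, v in required.items()):
                return True
    return False


def can_process_document(roles, org_attributes: dict, obj: str,
                         required: dict, doc_pur_group: str) -> bool:
    """Role check plus org-model check: the document's purchasing group must
    also appear in the PUR_GROUP attribute of the user's position."""
    if not authority_check(roles, obj, required):
        return False
    return doc_pur_group in org_attributes.get("PUR_GROUP", ())


# Constructed sample roles (named like customer Z-roles).
EMPLOYEE = Role("Z_SRM_EMPLOYEE", (
    Authorization("BBP_ACTIV", (("APPLICATION", "SHOPPING_CART"), ("ACTION", "CREATE"))),
    Authorization("BBP_FUNCT", (("ACTION", "DISPLAY"),)),
))
PURCHASER = Role("Z_SRM_PURCHASER", (
    Authorization("BBP_ACTIV", (("APPLICATION", "*"), ("ACTION", "*"))),
    Authorization("BBP_PDIGP", (("PUR_GROUP", "PG*"),)),
))
# Two separate BBP_ACTIV authorizations: display carts, create purchase orders.
SPLIT = Role("Z_SRM_SPLIT", (
    Authorization("BBP_ACTIV", (("APPLICATION", "SHOPPING_CART"), ("ACTION", "DISPLAY"))),
    Authorization("BBP_ACTIV", (("APPLICATION", "PURCHASE_ORDER"), ("ACTION", "CREATE"))),
))

# Constructed PPOMA_BBP attributes for two positions.
ALICE_ATTRS = {"BUK": ["1000"], "PUR_GROUP": ["PG1"]}
BOB_ATTRS = {"BUK": ["1000"], "PUR_GROUP": ["PG1", "PG2"]}


def demo() -> dict:
    sc_create = {"APPLICATION": "SHOPPING_CART", "ACTION": "CREATE"}
    po_approve = {"APPLICATION": "PURCHASE_ORDER", "ACTION": "APPROVE"}
    pg2 = {"PUR_GROUP": "PG2"}
    return {
        "employee_creates_cart": authority_check([EMPLOYEE], "BBP_ACTIV", sc_create),
        "employee_approves_po": authority_check([EMPLOYEE], "BBP_ACTIV", po_approve),
        "purchaser_approves_po": authority_check([PURCHASER], "BBP_ACTIV", po_approve),
        # Fields from two authorizations do not merge into SHOPPING_CART/CREATE.
        "split_auths_do_not_merge": authority_check([SPLIT], "BBP_ACTIV", sc_create),
        "purchaser_pg2_in_org": can_process_document([PURCHASER], BOB_ATTRS, "BBP_PDIGP", pg2, "PG2"),
        "purchaser_pg2_not_in_org": can_process_document([PURCHASER], ALICE_ATTRS, "BBP_PDIGP", pg2, "PG2"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allowed' if result else 'denied'}")
```

The `split_auths_do_not_merge` case is the one practitioners most often trip over when reading SU53 output: a role that holds `SHOPPING_CART/DISPLAY` and `PURCHASE_ORDER/CREATE` in two authorizations does not thereby grant `SHOPPING_CART/CREATE`, because every required field must be satisfied by the same authorization.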
- Use Standard Roles as Templates: SAP delivers standard roles (e.g., SAP_BBP_STAL_EMPLOYEE, SAP_BBP_STAL_PURCHASER). Use these as a base and adjust as needed.
- Follow the Principle of Least Privilege: Grant users only the minimum access they need to perform their job functions.
- Use Composite Roles for User Groups: Combine multiple single roles into a composite role to simplify role assignment.
- Test Authorizations Thoroughly: Use transaction SU53 to troubleshoot failed authorization checks.
- Audit and Review Regularly: Periodically review role assignments to ensure compliance and prevent segregation of duties (SoD) violations.
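As an added example of the periodic review recommended above (not SAP code and not part of the original article), the script below walks a set of user-to-role assignments, expands composite roles into their single roles, and reports every user who holds both halves of a segregation-of-duties conflict pair. All role names, the functions each role grants, the conflict pairs and the user list are constructed sample data.

```python
# Added example, not SAP code: a small segregation-of-duties (SoD) review
# over role assignments. Role names, functions, conflict pairs and users
# are constructed sample data.

# Single roles and the business functions they grant (constructed).
SINGLE_ROLES = {
    "Z_SRM_REQUESTER": {"CREATE_SHOPPING_CART"},
    "Z_SRM_APPROVER": {"APPROVE_SHOPPING_CART"},
    "Z_SRM_BUYER": {"CREATE_PURCHASE_ORDER", "CHANGE_PURCHASE_ORDER"},
    "Z_SRM_VENDOR_ADMIN": {"MAINTAIN_SUPPLIER"},
}

# A composite role bundles single roles; the reviewer must expand it, since a
# conflict may only appear once the bundled roles are seen together.
COMPOSITE_ROLES = {
    "ZC_SRM_PURCHASING": {"Z_SRM_BUYER", "Z_SRM_VENDOR_ADMIN"},
}

# Function pairs that one person should not hold at the same time.
SOD_CONFLICTS = {
    frozenset({"CREATE_SHOPPING_CART", "APPROVE_SHOPPING_CART"}),
    frozenset({"MAINTAIN_SUPPLIER", "CREATE_PURCHASE_ORDER"}),
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"Z_SRM_REQUESTER"},
    "bob": {"Z_SRM_REQUESTER", "Z_SRM_APPROVER"},
    "carol": {"ZC_SRM_PURCHASING"},
}


def expand_roles(assigned, composite=COMPOSITE_ROLES):
    """Resolve composite roles down to the single roles they contain."""
    singles = set()
    for role in assigned:
        singles |= composite.get(role, {role})
    return singles


def effective_functions(assigned, single=SINGLE_ROLES, composite=COMPOSITE_ROLES):
    """Union of all functions a user holds through single and composite roles."""
    functions = set()
    for role in expand_roles(assigned, composite):
        functions |= single.get(role, set())
    return functions


def sod_violations(user_roles=USER_ROLES, conflicts=SOD_CONFLICTS):
    """Return (user, (function_a, function_b)) for every conflict pair a user
    holds in full, sorted so the report is stable between runs."""
    findings = []
    for user in sorted(user_roles):
        held = effective_functions(user_roles[user])
        for pair in sorted(conflicts, key=sorted):
            if pair <= held:
                findings.append((user, tuple(sorted(pair))))
    return findings


if __name__ == "__main__":
    for user, pair in sod_violations():
        print(f"SoD violation: {user} holds {pair[0]} and {pair[1]}")
```

In the sample data, carol is assigned only one composite role, yet she is flagged: the conflict is created by the combination of single roles inside the composite. That is why a review has to expand composites rather than check assigned role names alone.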
Understanding how roles and authorization objects work in SAP SRM is essential for secure and efficient system operation. Roles define what users can do, while authorization objects control the specific conditions under which they can act. With the right setup, organizations can ensure that procurement processes are both effective and compliant with internal and external regulations.