Xpandion Blog


The Three Top Authorization Objects: What Are They?


Even though Authorization Objects are the most basic components in the SAP authorization world, they make SAP much more secure. Many organizations argue that you should use Authorization Objects like you spice food: If spices are used properly, there’s total harmony and you can’t live without them. But if they are overused, they ruin the dish and the whole authorization mechanism becomes too difficult to handle.


In general, Authorization Objects add an extra security layer on top of T-Codes. This is the layer in which you can, for example, limit a user to viewing only certain material groups or the materials of a specific department (via T-Code MM03), or to creating financial documents for only specific company codes. If you’d like to learn more about Authorization Objects, please refer to our successful article, SAP Authorizations Concept – Simplified.


It’s Important to Define Sensitive Authorization Objects

Organizations should have a list of sensitive Authorization Objects. So how do you get this list? Ask the questions, “What are our most important Authorization Objects? Why is this one so important? And this one?”

The list matters because sensitive Authorization Objects should be carefully inspected: (a) they should be carefully granted to the right employees, (b) they should be inspected thoroughly in periodic authorization review processes, and (c) an alert should be issued when they are granted to new users.

Please note that (c) is no less important than (a) and (b), because granting sensitive objects to the wrong person might indicate an intention to commit fraud, and an alert for this might save the CISO’s job.


Which Are the Three Most Important Authorization Objects to Most Companies?

It’s interesting to compare your list with others. The following three Authorization Objects are the most commonly used by our customers:

  • F_BKPF_BUK: Controls the company codes to which the user is allowed to post financial documents
  • V_VBAK_AAT and V_VBAK_VKO: Authorizations for Sales Document Types and Areas
  • HR Objects P_ORGIN and PLOG: Restrict access to certain infotypes and other HR areas

*This list was prepared using ProfileTailor Dynamics Role Matrix to easily identify the most commonly used Authorization Objects in roles.
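As an added example (not Xpandion's or ProfileTailor Dynamics' code), the alert in point (c) can be sketched by comparing two snapshots of role assignments and reporting users who newly hold one of the objects listed above. The CSV layout, user names, role names and the non-sensitive object `Z_EXAMPLE_OBJ` are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Objects named in this post; extend with your organization's own list.
SENSITIVE = {"F_BKPF_BUK", "V_VBAK_AAT", "V_VBAK_VKO", "P_ORGIN", "PLOG"}

def rows(text):
    return list(csv.DictReader(io.StringIO(text.strip())))

def effective(user_roles, role_objects):
    """Map user -> {sensitive object -> set of roles granting it}."""
    by_role = defaultdict(set)
    for r in rows(role_objects):
        if r["object"] in SENSITIVE:
            by_role[r["role"]].add(r["object"])
    held = defaultdict(lambda: defaultdict(set))
    for r in rows(user_roles):
        for obj in by_role[r["role"]]:
            held[r["user"]][obj].add(r["role"])
    return held

def new_sensitive_grants(before, after):
    """Return (user, object, roles) for objects a user holds now but not before."""
    alerts = []
    for user, objs in after.items():
        for obj, roles in objs.items():
            if obj not in before.get(user, {}):
                alerts.append((user, obj, sorted(roles)))
    return sorted(alerts)

# Constructed sample data (hypothetical users, roles and Z_EXAMPLE_OBJ).
ROLE_OBJECTS_OLD = """role,object
Z_FI_CLERK,F_BKPF_BUK
Z_SD_ENTRY,V_VBAK_AAT
Z_MM_VIEW,Z_EXAMPLE_OBJ
"""
# New snapshot: Z_MM_VIEW gains P_ORGIN, ALICE gets a second FI role, CAROL is new.
ROLE_OBJECTS_NEW = ROLE_OBJECTS_OLD + "Z_MM_VIEW,P_ORGIN\nZ_FI_LEAD,F_BKPF_BUK\n"
USER_ROLES_OLD = "user,role\nALICE,Z_FI_CLERK\nBOB,Z_MM_VIEW\n"
USER_ROLES_NEW = USER_ROLES_OLD + "ALICE,Z_FI_LEAD\nCAROL,Z_SD_ENTRY\n"

def demo():
    before = effective(USER_ROLES_OLD, ROLE_OBJECTS_OLD)
    after = effective(USER_ROLES_NEW, ROLE_OBJECTS_NEW)
    return new_sensitive_grants(before, after)

if __name__ == "__main__":
    for user, obj, roles in demo():
        print(f"ALERT: {user} newly holds {obj} via {', '.join(roles)}")
```

BOB is flagged although his role assignment did not change, because the role itself gained a sensitive object. ALICE is not flagged, because she already held F_BKPF_BUK through another role.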

Now It’s Your Turn
Now, from your experience: what are the top three Authorization Objects in your organization? Please leave your comments below.

Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites, and is an expert in defining customer needs, translating them into business process and implementing them via ProfileTailor Dynamics’ suite of products.

