SAP Application Security: Derived vs. Enabler Role Concept Desiign

What is a derived role?

  • SAP Standard to allow for organizational data restriction and reduce role administration tasks
  • Parent (Master Role) and Child (Derived Role(s)) concept where the child role will have identical attributes to the parent role
  • Parent role will have wide-open access to all organizational level entities
  • Child Role will have limited access to a specific organizational unit (i.e. Company Code 1000)
  • Simplified maintenance at derived role level as only organizational levels need to be maintained
  • Minimizes human error during authorization maintenance using automation and reduced testing efforts
Pros Cons
No Updates Needed Post-Upgrade Increased number of technical security roles
Eliminates Human Error
Simplification of Role Administration Tasks
Program to mass update values in org level window
Decreases level of effort required for testing

What is an enabler role?

  • Non-standard approach to allow for organizational restriction and reduce number of technical roles
  • Single, manually created, Authorization Object-only technical role (without t-codes) that provides access to a restricted organizational level unit (i.e. Company Code 1000)
  • Authorization objects in Functional Roles need to be “disabled”
  • A single common authorization object may be responsible for a particular organizational security check in hundreds of transaction codes. This can be contained in one enabler role.
Pros Cons
Reduced number of technical security roles All Enabler Roles Updated Post- Upgrade
Flexibility in complex / low level data restriction designs/build No automation to maintain authorization objects within enabler roles
Frequency of human error increases
More complex org structure = more complex enabler role design
Non-standard SAP approach