Authorization Concept in SAP R/3 - How to define User Roles, Profiles and authorizations in SAP.
SAP R/3 uses a very complex mechanism to assign users access to the system. SAP uses authorization objects to assign authorizations to users. An authorization object works as a template for an authorization to be defined. One point to note here is that there are a maximum of 10 fields per authorization object. For users to conduct an activity in SAP, their user profiles should satisfy the authorization check for each field in the authorization defined on a specific authorization object.

To take an example, if a user wants to create a new company code, the authorization object is F_SKA1_BUK - G/L Account: Authorization for company codes. The user is given authorization for the authorization object mentioned above with the relevant fields. Authorizations in SAP are classified as general authorizations, organizational authorizations or functional authorizations. In our example above, authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. SAP can be configured to check authorizations at the company code level, chart of accounts level or individual master record level so as to restrict user access. I will discuss more on SAP authorizations in my future posts.
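The per-field check described above can be modelled in a few lines. This is an added example, not SAP code and not from the original post: it is a simplified model showing that every checked field must be covered by one and the same authorization, so values from two separate authorizations are never combined. BUKRS (company code) and ACTVT (activity) are the fields of F_SKA1_BUK; the helper names and the company code values are constructed for illustration.

```python
# Simplified model of an SAP authorization check (illustration only, not SAP code).
MAX_FIELDS = 10  # maximum number of fields per authorization object


def value_allowed(allowed, value):
    """True if value is covered by an exact entry, a trailing-* pattern or a (low, high) range."""
    for entry in allowed:
        if isinstance(entry, tuple):  # from-to range, compared as strings
            low, high = entry
            if low <= value <= high:
                return True
        elif entry == value:
            return True
        elif entry.endswith("*") and value.startswith(entry[:-1]):
            return True
    return False


def authority_check(user_auths, obj, **checked):
    """Pass only if ONE authorization for obj covers EVERY checked field."""
    if len(checked) > MAX_FIELDS:
        raise ValueError("an authorization object has at most 10 fields")
    for auth_obj, fields in user_auths:
        if auth_obj != obj:
            continue
        # A field missing from the authorization grants nothing for that field.
        if all(value_allowed(fields.get(name, []), value)
               for name, value in checked.items()):
            return True
    return False


# Constructed sample: authorizations collected from a user's profiles.
# ACTVT 01 = create, 02 = change, 03 = display.
USER_AUTHS = [
    ("F_SKA1_BUK", {"BUKRS": ["1000"], "ACTVT": ["03"]}),
    ("F_SKA1_BUK", {"BUKRS": [("2000", "2999")], "ACTVT": ["01", "02", "03"]}),
]

if __name__ == "__main__":
    for bukrs, actvt in [("1000", "03"), ("1000", "01"), ("2500", "01")]:
        ok = authority_check(USER_AUTHS, "F_SKA1_BUK", BUKRS=bukrs, ACTVT=actvt)
        print(f"BUKRS={bukrs} ACTVT={actvt}: {'granted' if ok else 'denied'}")
```

When reviewing roles, the second case is the one to check for: create rights in one company code and display rights in another do not add up to create rights in both.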