Thursday 20 June 2013

Security: Common Authorization Design

There are numerous methods of authorization design, and the choice depends on the Basis administrator's experience and preference. The design affects the effort required to maintain user assignments in the future. No design method is right or wrong; some designs simply require more effort from the administrator to maintain.

This article introduces two common authorization designs:

Scenario: A user requires access to TCODE: fs00

Type 1: A single role that is tied to both the TCODE and the object value

Type 2: Two separate roles, one tied to the TCODE only and the other tied to the object value

Sample of type 1:

1) A role is created with TCODE: fs00 and assigned the object value

2) The user is assigned one role


Sample of type 2: 

1) First role with TCODE only


2) Second role with object value only

3) The user is assigned two roles


Conclusion:
As you can see, both authorization designs achieve the same end result for the end users. The choice depends on the administrator's preference and deployment strategy: type 1 allows fast implementation of roles specific to the relevant user, while type 2 allows flexibility and reuse of roles when changes are required in the future, at the level of either the TCODE or the object value. For example, a new TCODE or object value could be added to an existing role without the need to build a new specific role.
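The two designs can be compared with a small model of how role authorizations add up. This Python sketch is an added example, not part of the original post: the role names are constructed, and the object F_SKA1_BUK with company codes 1000/2000 and activity 03 is assumed sample data, since the post does not name the object or its values. It is simplified to one object check after the S_TCODE check.

```python
# Added example: simplified model of additive SAP role authorizations.
# Role names, the object F_SKA1_BUK and its values are assumed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Auth:
    obj: str        # authorization object, e.g. S_TCODE
    values: tuple   # ((field, (allowed values, ...)), ...)

def auth(obj, **fields):
    return Auth(obj, tuple(sorted((f, tuple(v)) for f, v in fields.items())))

def effective(roles):
    """A user's authorizations are the union of every assigned role."""
    return {a for role in roles for a in role}

def check(auths, obj, **wanted):
    """Pass only if ONE authorization for obj covers all requested fields."""
    for a in auths:
        allowed = dict(a.values)
        if a.obj == obj and all(
            f in allowed and (v in allowed[f] or "*" in allowed[f])
            for f, v in wanted.items()
        ):
            return True
    return False

def can_run_fs00(roles, bukrs, actvt="03"):
    """Transaction start check (S_TCODE) plus the object value check."""
    auths = effective(roles)
    return (check(auths, "S_TCODE", TCD="FS00")
            and check(auths, "F_SKA1_BUK", BUKRS=bukrs, ACTVT=actvt))

# Type 1: one role carries both the TCODE and the object value.
Z_FS00_CC1000 = [auth("S_TCODE", TCD=["FS00"]),
                 auth("F_SKA1_BUK", BUKRS=["1000"], ACTVT=["03"])]
# Type 2: one TCODE-only role, plus reusable value-only roles.
Z_T_FS00 = [auth("S_TCODE", TCD=["FS00"])]
Z_V_CC1000 = [auth("F_SKA1_BUK", BUKRS=["1000"], ACTVT=["03"])]
Z_V_CC2000 = [auth("F_SKA1_BUK", BUKRS=["2000"], ACTVT=["03"])]

if __name__ == "__main__":
    print("type 1:", can_run_fs00([Z_FS00_CC1000], "1000"))
    print("type 2:", can_run_fs00([Z_T_FS00, Z_V_CC1000], "1000"))
    print("type 2, value role missing:", can_run_fs00([Z_T_FS00], "1000"))
    print("type 2, TCODE role reused:", can_run_fs00([Z_T_FS00, Z_V_CC2000], "2000"))
```

In this model a type 2 user who holds only one of the two roles fails the check, so both assignments must be maintained together, while the TCODE role is reused unchanged for the second company code.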

   


