In this article, we will discuss the difference between permissions and assigned permissions in SAP, explaining their meanings, their functions, and the best practices.
Permissions in SAP
Permissions are rights or access privileges granted to a user or a selected entity. In the context of our discussion, this means that a user is explicitly given certain permissions without any intermediary layers. For example, a user might be granted the "Workarea Manager" permission directly.
The SAP user has the Workarea Manager permission (and Workarea: Delete! This is dangerous!) because they inherit it through Role assignment and/or OU membership.
Assigned Permissions in SAP
Assigned Permissions, on the other hand, encompass a broader spectrum of access rights. It includes not only the permissions directly assigned to a user but also those inherited through roles and organizational units (OUs). In the given scenario, if a user has the "Workarea Manager" permission, it could be due to inheriting it through role assignments or membership in specific OUs.
However, the challenge with assigned permissions lies in the lack of visibility into their origin. It becomes difficult to discern whether a user obtained a specific permission through direct assignment, role inheritance, or organizational unit membership.
The best practice, applicable not only to SAP Enable Now but across general Access Administration, emphasizes avoiding direct assignments of permissions to individual users. Instead, if necessary, the recommendation is to assign permissions to roles (and subsequently assign roles to users) or organizational units.