Register Login

Difference between Permissions and Assigned Permissions

Updated Dec 13, 2023

In this article, we will discuss the difference between permissions and assigned permissions in SAP, explaining their meanings, their functions, and the best practices.

Permission vs Assinged Permission in SAP

Permissions in SAP

Permissions are rights or access privileges granted to a user or a selected entity. In the context of our discussion, this means that a user is explicitly given certain permissions without any intermediary layers. For example, a user might be granted the "Workarea Manager" permission directly.

For Example: 

The SAP user has the Workarea Manager permission (and Workarea: Delete! This is dangerous!) because they inherit it through Role assignment and/or OU membership.

Assigned Permissions in SAP

Assigned Permissions, on the other hand, encompass a broader spectrum of access rights. It includes not only the permissions directly assigned to a user but also those inherited through roles and organizational units (OUs). In the given scenario, if a user has the "Workarea Manager" permission, it could be due to inheriting it through role assignments or membership in specific OUs.

However, the challenge with assigned permissions lies in the lack of visibility into their origin. It becomes difficult to discern whether a user obtained a specific permission through direct assignment, role inheritance, or organizational unit membership.


The best practice, applicable not only to SAP Enable Now but across general Access Administration, emphasizes avoiding direct assignments of permissions to individual users. Instead, if necessary, the recommendation is to assign permissions to roles (and subsequently assign roles to users) or organizational units.