
Traffic lights in SAP Security

There are three lights, namely red, green and yellow.

1. Red – This means that the authorization object is in an inactive state and is not considered in the user profile.

2. Green – When you provide a value for the relevant field of an object, it is considered an active object. Once the transaction is called, the relevant authorization object assigned to the user profile is checked. (Note: the relevant authorization object for a transaction is checked using transaction code SU24.)

3. Yellow – This is the confusing one! Suppose you add the authorization object P_ORGIN to role 1 and leave the appropriate authorization fields blank (only activity as *), so that it is in the yellow state, and the role is then assigned to a user named James. Later we create another role, role 2, add the same authorization object to it, provide activity as R (read only) and provide some personnel areas.

Here, SAP works in combination. (Note that SAP generally combines authorization objects, but not HR authorization objects.)

At this point, the activity field comes from role 1 and the remaining fields from role 2, so an error message is thrown.

Should we leave the role as yellow?

Sometimes, due to a requirement, the user can access some sales area. In this case, role 1, which was assigned to the user, has access to the sales area, and we only provide the activity in the new role 2, to ensure that the user can access these in combination.

SAP recommends not leaving the role as yellow; we need to create the role in an active or inactive state. To satisfy the requirement, we will create a separate role for this case. It is not possible to manage the roles and profile assignments once the business expands.
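
The recommendation above can be checked during a role review. The following is an added example, not code from the original page or from SAP: it classifies each authorization in a role export as red, yellow or green using this page's definitions and lists the roles that still contain yellow entries. The CSV layout is an assumption (columns named after the AGR_1251 role authorization table), and the role names, authorization names and values are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumed to mirror AGR_1251;
# role names, authorization names and values are made up for illustration.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,DELETED
Z_ROLE_1,P_ORGIN,T-X100,AUTHC,*,
Z_ROLE_1,P_ORGIN,T-X100,INFTY,,
Z_ROLE_1,P_ORGIN,T-X100,PERSA,,
Z_ROLE_2,P_ORGIN,T-X200,AUTHC,R,
Z_ROLE_2,P_ORGIN,T-X200,INFTY,0002,
Z_ROLE_2,P_ORGIN,T-X200,PERSA,1000,
Z_ROLE_2,P_ORGIN,T-X200,PERSA,2000,
Z_ROLE_3,S_TCODE,T-X300,TCD,SU24,X
"""


def classify(export_text):
    """Map each (role, object, authorization) to (light, open_fields)."""
    fields = defaultdict(lambda: defaultdict(list))
    inactive = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["AGR_NAME"], row["OBJECT"], row["AUTH"])
        # A field can span several rows (one per value); collect them all.
        fields[key][row["FIELD"]].append((row["LOW"] or "").strip())
        if (row["DELETED"] or "").strip().upper() == "X":
            inactive.add(key)
    result = {}
    for key, by_field in fields.items():
        if key in inactive:
            # Red on this page: inactive, not considered in the user profile.
            result[key] = ("red", [])
            continue
        # Yellow: at least one field has no value in any of its rows.
        open_fields = sorted(f for f, vals in by_field.items() if not any(vals))
        result[key] = ("yellow" if open_fields else "green", open_fields)
    return result


def yellow_roles(export_text):
    """Roles that still carry at least one yellow (open-field) authorization."""
    lights = classify(export_text)
    return sorted({key[0] for key, (light, _) in lights.items() if light == "yellow"})


if __name__ == "__main__":
    for (role, obj, auth), (light, open_fields) in classify(SAMPLE_EXPORT).items():
        print(role, obj, auth, light, ",".join(open_fields))
```
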