Whenever we talk about security concepts, two terms are commonly tossed around, leading to confusion—authentication and authorization. Authentication is when the user logs on to an SAP system with a user name and password or other credentials. An authentication provider validates if your user name and password are correct and allows you to log on. Authentication determines “who you are” but not “what you can do.”
Once a user is authenticated, authorizations come into play to define what the end user can do in the system. A user without authorizations can still log on to the system but is not enabled to use any functionalities within due to missing authorizations. At this point, the user is authenticated, but not authorized.
A common concern is designing authorizations in the right way so your organization can manage access effectively and efficiently. In this chapter, we’ll focus on the term “authorization,” describing its necessity, its various types, and how it fits into the SAP world.