SAP authorizations
The authorization required to configure the SDK is dependent on the SDK edition.
Authorizations for configuration
See the following tabs for more details.
SAP authorizations for end users
Prerequisite: Define SDK Profiles
Before the SAP security administrator can define their roles, the Business Analyst will
define SDK profiles in transaction /AWS1/IMG
for Amazon SDK for SAP ABAP or the Custom Business
Configuration application for SDK for SAP ABAP - BTP edition. Typically, an SDK profile will be named according to
its business function: ZFINANCE, ZBILLING, ZMFG, ZPAYROLL, etc. For each SDK profile, the
Business Analyst will define logical IAM roles with short names, such as CFO, AUDITOR,
REPORTING. These will be mapped to the real IAM roles by the IAM security
administrator.
Define PFCG or Business Roles
Note
PFCG roles are called Business Roles in SAP BTP, ABAP environment.
The SAP security administrator will then add authorization object /AWS1/SESS
to grant access to an SDK profile.
Auth Object /AWS1/SESS
-
Field
/AWS1/PROF
=ZFINANCE
Users should also be mapped to logical IAM roles for each SDK profile, depending on
their job function. For example, a financial auditor with reporting access might be authorized
for a logical IAM role called AUDITOR
.
Auth Object /AWS1/LROL
-
Field
/AWS1/PROF
=ZFINANCE
-
Field
/AWS1/LROL
=AUDITOR
Meanwhile, the CFO, with read/write authorizations, might have a PFCG role authorizing
them the logical role of CFO
.
Auth Object /AWS1/LROL
-
Field
/AWS1/PROF
=ZFINANCE
-
Field
/AWS1/LROL
=CFO
In general, a user should be authorized for only one logical IAM role per SDK profile.
If a user is authorized for more than one IAM role (for example, if the CFO is authorized
for both CFO
and AUDITOR
logical IAM roles), then Amazon SDK breaks
the tie by ensuring that the higher priority (lower sequence number) role takes effect.
As with all security scenarios, users should be given least privilege to perform their job
functions. A simple strategy for managing PFCG roles would be to name Single PFCG roles
according to the SDK profile and logical role they authorize. For example, role
Z_AWS_PFL_ZFINANCE_CFO
grants access to profile ZFINANCE
and
logical IAM role CFO
. These single roles can then be assigned to composite
roles that define job functions. Each company has their own strategy for role management, and
we encourage you to define a PFCG strategy that works for you.