What is the SAP authorization concept?: The authorization concept in SAP lets you define which activities people can and cannot perform in the system. It protects programs, transactions and WebUI functionalities in SAP from being used by unauthorized users. SAP authorizations are linked to the user ID. Most components for SAP authorization can be found in the SAP GUI, under the menu Architecture and Technology > System Administration > User Maintenance.
How are SAP roles built up?: A single role is created and several authorization objects are assigned to it. A composite role consists of several single roles and has no authorization object settings of its own. An example is the SAP_ALL role, which is usually assigned to anyone who is in some way an administrator, e.g. a developer on a project. A role, composite or single, is then assigned to the user ID.
What is an authorization object?: An authorization object is an SAP object, functional or technical, on which a selection is made by assigning a value to a field of the object, restricting the authorization to that functionality (or technical function). For example, a restriction can be placed on the transaction type that may be edited in the WebUI. Maintenance of roles and object ID settings is done in transaction PFCG.