
SAP R/3 Document : Users & Authorizations Ver. : 4.0B

R/3 USERS AND AUTHORIZATIONS

The user concept is one of the basic parts of R/3 security.

One of the first steps after the installation of R/3 and creating a client is to create users in the new
client.

Users are client-dependent, i.e. a user in one client may not be a user in another client. They are
valid only for the clients in which they are created or assigned.

The user's name and the user attributes comprise the User Master Record.

A User Master Record consists of the following information :

User Name
Assigned Client
Password (which can be changed)
Company Address
User Type
Start Menu
Logon Language
Personal Printer Settings
Time Zone
Activity Group
Authorizations
Expiration Date
Default Parameter settings

Some of the information, such as Company Address, Start Menu, Logon Language and Printer Settings,
is optional and need not be specified.

SAP comes with certain superusers: SAP* and DDIC. These two users are available for every
client in the R/3 system. By default, they are made available to every new client that is created.
SAP* has all the authorizations, whereas DDIC is authorized to administer the R/3 repository.
They are excluded from doing any development work in the R/3 system.

Created / Compiled by : P. M. V. Subba Rao



You can create a user by following the path Tools → Administration → User Maintenance → Users.

Alternatively you can use the transaction code SU01.

Enter the user name and click on the Create button on the application toolbar.


By default you will be in the Address element of the User Master Record. Enter the name,
address and other information for each user.

Click on the Logon Data tab to enter the logon properties.


Here you can specify

1. The initial password for the user. The system will prompt the user to change the password at
first Logon.

2. User Group : User groups give an indication of activity areas and authorizations.

You can create a User Group by following the path Environment → User group.

Click on the Create icon.

Enter a user group name and click on the Continue / Enter icon.

SUPER is the only user group defined in the SAP system. SAP* belongs to this group.


3. Validity period for the user

4. User Type. It determines the type of tasks that a user can do.

There are four types of users: Dialog, BDC, Background and CPIC

Dialog User : A dialog user can work with R/3 in any way.

BDC : Can use and execute batch input sessions

Background : Can only use and schedule background jobs from other dialog users. A
background user is not permitted to log onto the R/3 system and to work in
dialog mode

CPIC : Used to exchange data through the CPIC interface. Cannot work in dialog mode.


AUTHORIZATIONS

The authorizations determine which activities a user can perform.

Authorization maintenance is either the sole responsibility of the user departments, or
authorizations must be maintained in close cooperation with the user departments.

The system administrator cannot decide which business authorizations a user needs, because it is up
to the user departments to decide which permissions the user should be given or denied to carry
out his business tasks. The user department decides which authorizations the user should get. The
system administrator assigns and administers the authorizations as per the user department's
requirements for a particular user.

Each Authorization is based on an authorization object.

An authorization object is a unit, which consists of a name, fields and the possible values that
represent an action.

You can get an overview of authorization objects by following the path Tools → ABAP
Workbench → Development → Other Tools → Authorization Objects → Objects.

Alternatively you can use transaction code SU21.

Because of the vastness of the R/3 system and its functional range, the authorization objects are
further divided into areas called object classes.


To get the technical names of the objects in an object class, select the object class, then click on
the Enter icon on the application toolbar.

To display the fields in the object, select the object and click on the Display icon on the
application toolbar.

The authorization field ACTVT will be present in every authorization object. Apart from this
field, the authorization objects will contain some other fields too depending on the object.


The ACTVT field can contain values :

Value Meaning
01 Create
02 Change
03 Display
* All possible activities

Again the values for this field change from object to object.

You can assign your authorization values to these fields. The values of the fields decide what data
can be accessed by the user to whom this object is assigned.

Most of the time the authorizations are already defined with the value *. So you need to make
company-specific value assignments to the fields.

You can also create your own authorizations with the above path by clicking on the Create icon
on the application toolbar. You can convert these authorizations to authorization objects by
assigning values to them.

Let us now create an authorization and assign values to its fields. Let us create an
authorization which will allow the user to make changes to a purchasing group.

Follow the path Tools → Administration → User Maintenance → Authorizations.

Select the object class and click on the enter icon. Select the MM:Purchasing object class.

In the next screen, you get a list of authorization objects belonging to the selected class. Click on
the Technical Names to display the names of the objects.


You can now modify the existing authorization object or create a new authorization.

Select the authorization object that you want to modify and click on the Enter icon. Here we have
selected the authorization object M_BEST_EKGC.

To create a new authorization, click on the Create icon on the application toolbar.


When giving a name to the authorization, adhere to the customer specific name range.

We are creating an authorization to maintain a purchasing group XYZ.

Click on the Enter icon after specifying the authorization name and its description.

You will get a screen with no authorization values associated with the fields ACTVT and
Purchasing Group.

Select a field and click on the Maintain Values icon on the application toolbar.


Click on the dropdown arrow in the value selection box to display all the values that you can
assign to the fields.

You can assign the values displayed in this list. You can assign a range of values
or individual values to a field.

As you can see from the above figure, we have assigned some values to the field ACTVT.

After assigning the values click on the Enter icon in the box.


If you want to assign all the values to the field in one go, then assign the value * to it.

So you do the above process for each field in the object.

After assigning the values to the fields, Save and Activate the changes by clicking on the
respective icons on the application toolbar

Click the Back icon. You should be able to see the authorization object that you created in the list
of the authorization objects.

Click the Back icon till you come to the object classes screen.


A field can be assigned a maximum of 10 values.

Authorizations can be created and assigned to a user individually. But that would require a lot of
effort and time. To avoid such a lengthy and time-consuming process, SAP provides us with
Authorization Profiles.

Using authorization profiles, you can group authorizations into single profiles and multiple
single profiles into composite profiles.

As with authorizations, you can create your own single and composite profiles. However, SAP
also provides pre-defined authorization profiles.

You can maintain profiles by following the path Tools → Administration → User Maintenance →
Profiles.

Alternatively you can also use the transaction code SU02.

Now let us create a test profile.

Give a name to the profile and click on the Generate work area button on the toolbar.


Click on the Create icon to create a profile

Enter a description for the profile and select whether the profile that you want to create is a single
profile or a composite profile. If you select composite profile, you will be
prompted to enter the names of the single profiles which will make up the composite profile.

Select the Single Profile and click on the Enter icon.


From the left-hand side drop down box, select the authorization object and from the right hand
corner drop down box, select the authorization for the authorization object.


Save and Activate the changes.

The change status should turn to Active.

Click the Back icon. The profile has been created.


Select the profile and click on the Activate icon to activate the profile.

You can assign these profiles to the users now.

Go to the Profiles tab in the user maintenance screen.

If your user is a copy of SAP*, then it will have the SAP_ALL profile assigned to it. SAP_ALL
profile gives all the authorizations to the user i.e. the user has all the rights to do anything in the
system.


Enter the profile that you created to assign it to the user. Also assign the profile SAP_NEW to the
user to allow him to create new objects.

Save the changes and the user will be created.


The following is the list of important profiles in the SAP R/3 system

Profile Name    Description

SAP_ALL         All authorizations in the R/3 system
SAP_NEW         All the authorization objects added in an R/3 upgrade for existing functions
S_A.ADMIN       Operator without configuration authorizations in the R/3 system
S_A.CUSTOMIZ    Customizing
S_A.DEVELOP     Developers with all authorizations to work with ABAP Workbench
S_A.DOKU        Technical Writers
S_A.SHOW        Basis : Display authorizations only
S_A.SYSTEM      System Administrators (Superusers)
S_A.USER        User (Basis Authorizations)
S_ABAP_ALL      All authorizations for ABAP
S_ADDR_ALL      All authorizations for central address administration
S_ADMI_SAP      Administration authorizations (except spool configuration)
S_ADMI_SPO_A    Spool : All administration authorizations
S_ADMI_SPO_D    Spool : Device Administration
S_ADMI_SPO_E    Spool : Extended administration
S_ADMI_SPO_J    Spool : Job administration for all clients
S_ADMI_SPO_T    Spool : Device Type administration
S_LANG_ALL      All authorizations for language administration
S_SPOOL_ALL     Spool : All authorizations to administer spool request, including reading inbound output requests
S_SPOOL_LOC     Spool : All authorizations except general read authorizations
S_SPO_ATTR_A    Spool : Change all attributes
S_SPO_AUTH_A    Spool : Change all spool requests
S_SPO_BASE_A    Spool : Visibility and one-time printing
S_SPO_DELE_A    Spool : Delete spool requests
S_SPO_DEV_A     Spool : Administer all spool devices
S_SPO_DISP_A    Spool : Display contents of all spool requests
S_SPO_FEP       Spool : Front-end printing
S_SPO_PAG_ALL   Spool : Unlimited number of pages on all devices
S_SPO_PRNT_A    Spool : One time printing
S_SPO_REDI_A    Spool : Reroute all requests
S_SPO_REPR_A    Spool : Print all requests multiple times

There are times when a user, while performing an action, gets a message that he is not authorized to
do the action. This means that he does not have the necessary authorizations to perform that action
and some authorization objects are missing from his profile.

You can display the list of missing authorizations for a user using the transaction code SU53.
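
The chain described in this section (authorization object, authorization, single and composite profile, user) and the check whose failures SU53 displays can be modelled in a few lines. This Python sketch is an added example, not SAP code and not part of the original document; the Z_* authorization and profile names, the user names and the EKGRP field name are constructed assumptions.

```python
# Simplified model of the R/3 authorization concept (added example, not SAP code).
# Authorization, profile and user names are constructed sample data; the field
# name EKGRP for "Purchasing Group" is an assumption.

# authorization -> (authorization object, {field: [values]})
# A value is a single value, "*" (all values) or a (low, high) range.
AUTHORIZATIONS = {
    "Z_EKG_XYZ": ("M_BEST_EKGC", {"ACTVT": ["02", "03"], "EKGRP": ["XYZ"]}),
    "Z_EKG_DISP": ("M_BEST_EKGC", {"ACTVT": ["03"], "EKGRP": [("A00", "A99")]}),
    "Z_EKG_ALL": ("M_BEST_EKGC", {"ACTVT": ["*"], "EKGRP": ["*"]}),
}
# single profile -> authorizations; composite profile -> single profiles
SINGLE_PROFILES = {
    "Z_PURCH_XYZ": ["Z_EKG_XYZ"],
    "Z_PURCH_DSP": ["Z_EKG_DISP"],
    "Z_PURCH_ALL": ["Z_EKG_ALL"],
}
COMPOSITE_PROFILES = {"Z_PURCH_TEAM": ["Z_PURCH_XYZ", "Z_PURCH_DSP"]}
# user master record -> assigned profiles
USERS = {
    "BUYER1": ["Z_PURCH_TEAM"],
    "CLERK1": ["Z_PURCH_DSP"],
    "ADMIN1": ["SAP_ALL"],
    "TEMP1": ["Z_PURCH_ALL"],
}


def expand_profiles(profiles):
    """Resolve composite profiles into the single profiles they contain."""
    singles = set()
    for p in profiles:
        if p in COMPOSITE_PROFILES:
            singles |= expand_profiles(COMPOSITE_PROFILES[p])
        else:
            singles.add(p)
    return singles


def user_authorizations(user):
    """Authorization names a user holds through all assigned profiles."""
    names = []
    for p in sorted(expand_profiles(USERS[user])):
        names.extend(SINGLE_PROFILES.get(p, []))
    return names


def value_matches(allowed, wanted):
    if allowed == "*":
        return True
    if isinstance(allowed, tuple):  # (low, high) range
        return allowed[0] <= wanted <= allowed[1]
    return allowed == wanted


def authority_check(user, obj, **required):
    """True only if ONE authorization for obj covers every required field.

    Values are not combined across authorizations: ACTVT 02 from one
    authorization plus EKGRP A10 from another does not pass the check.
    """
    if "SAP_ALL" in expand_profiles(USERS[user]):
        return True  # SAP_ALL carries all authorizations
    for name in user_authorizations(user):
        a_obj, fields = AUTHORIZATIONS[name]
        if a_obj == obj and all(
            any(value_matches(v, want) for v in fields.get(f, []))
            for f, want in required.items()
        ):
            return True
    return False


def audit_broad_access():
    """Flag users with SAP_ALL or an authorization with '*' in every field."""
    findings = []
    for user in sorted(USERS):
        if "SAP_ALL" in expand_profiles(USERS[user]):
            findings.append((user, "SAP_ALL"))
        for name in user_authorizations(user):
            _, fields = AUTHORIZATIONS[name]
            if all("*" in vals for vals in fields.values()):
                findings.append((user, name))
    return findings


if __name__ == "__main__":
    print(authority_check("BUYER1", "M_BEST_EKGC", ACTVT="02", EKGRP="A10"))
    print(audit_broad_access())
```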


PROFILE GENERATOR
The Profile Generator was made available by SAP from 3.1G onwards. Prior to 3.1G,
authorization profiles were the only method available to implement the authorization concept.

But with 3.1G, the Profile Generator (PG) was introduced by SAP. The PG is based on the
concept of authorization objects, authorizations and authorization profiles.

To use the PG, you should include the parameter auth/no_check_in_some_cases = Y in the
instance profile.

The PG is started from the Enterprise IMG.


The type of tasks that a user can perform in the R/3 system is ultimately decided by the
authorizations he has.

When you use the PG, the authorization profiles are generated automatically by R/3. The
comprehensive authorization profile generated in this way is no longer manually assigned to each
user. Instead, users are assigned to one or more activity groups.

An Activity Group is a subset of the actions from the set of actions defined in the Enterprise IMG.


Now let us see the steps to implement the authorization concept using Profile Generator

Execute the transaction code SSM1

1. Select the languages by clicking on the button in the Language Selection section

2. Next, generate the SAP standard menu by clicking on the SAP standard menu generation item in
the Generator Menu section


3. Next, generate the company menu by clicking on point 2a in the Generate Menu section

4. Next, click on point 2b to make any additional changes manually to the company menu


5. Next activate the company menu by clicking on point 2c

Click on YES.

To create settings that are as uniform as possible in a system landscape, you can include the
generated, active enterprise menu or all menus in a transport request and transport them into
other systems. Use point 3a and 3b

6. Now the next step is to activate profile generator

Click on the Activate profile generator item (highlighted area)


6. Next execute the Transaction code SU25 to copy the SAP defaults to customer tables

To fill the customer tables with the SAP default values, click on point 1 under Installing the
Profile Generator.

During a new installation, all authorizations already defined by SAP, including all the default
values, are first copied to customer-specific tables, where you can use the Profile Generator to
change them.


7. You can manually change the authorization objects or composite profiles for individual
transactions. This can be done by maintaining the SAP check IDs and field values by choosing
Change Check Ids in the Enterprise IMG or by executing the transaction code SU24.

This function lets you manually change the assignment of a transaction authorization.

You can maintain the check IDs by specifying the transaction code or the authorization object.


For example we have taken the transaction code SE38

Click on the Display check indicator button or the Change indicator button to change the SAP check
IDs for the transaction code.

Let us click on the Change Indicator button

Now you can change the Check Ids status by clicking on the dots under U, N, C, CM


You can place the cursor on any object (e.g. S_DEVELOP) and click on the Field Values button(s) to
display or change the values of the fields of the selected objects.

After making the changes, click on Save and then on the Back icon to come out.

Note : In any case, the defaults provided by SAP will meet your requirements, so making changes
to the check IDs is an activity that you may not have to carry out.


8. The next step is to define the Activity Group. To do so, use the transaction code PFCG

Using the Activity Group, individual user activity menu and fields are defined.

You create activity groups that are authorized to use subtrees in the enterprise menu.

The Profile Generator generates the necessary profiles for the defined activity groups

Responsibility: Within the activity groups, you can maintain responsibilities. When you use
Responsibilities, the authorizations can be specified in greater detail, for example to maintain
a purchasing group XYZ. You create a responsibility by assigning concrete values, such as a
specific company code, to a defined activity group.

One way to use Responsibilities within Activity Groups is to maintain organizational levels.
Organizational levels are permanently defined fields in authorization objects which refer to the
enterprise structure, for example, the company codes of an enterprise. The authorization profiles
can be generated for different company codes. You can also attain this level of separation for the
different responsibilities by manually maintaining the authorizations.

Using Responsibilities is optional. You use Responsibilities when you want to assign the same
profile but with different values, e.g. assigning the same profile to different users who work with
different company codes or organizational units but perform the same tasks.

If you create an activity group without responsibilities, there is a 1 : 1 assignment between
activity group and authorization profile; activity group and responsibility are identical in this case.

Defining activity groups makes the work of user administrators easier. Suppose you want to
make changes to some authorizations: all you need to do is make the changes in the activity
group. After the changes, when the activity groups are generated, you can automatically activate
the changes for all the assigned users.

Activity Groups are created in three steps :

a. Choose the activities from the enterprise menu
b. Maintain the authorization fields in the authorization profiles, using responsibilities
c. Assign the users or organizational units

Now let us create an Activity Group without responsibilities for a user to have the authorization
to use all the tools in the CCMS


Execute the transaction code PFCG and enter an Activity Group name. Click on the Basic
Maintenance radio button. If you want to include responsibilities, then click on the Overall
Maintenance radio button.

Click on the Create icon on the toolbar.

You will be asked whether you want to maintain responsibilities. Click on NO.


Click on Menu button

From the Menu tree select the relevant subtree for your activity group (here CCMS) by expanding
the tree

Save the selection.


Return to Basic maintenance screen by clicking on the Back icon

When you select the permitted activities for an activity group, a menu tree of these activities is
automatically generated. This menu is available as a user menu, in the SAP Session Manager, to
all the users assigned to this activity group.

The next step is to generate the authorization profile for the selected activities.

Click on the Authorizations button


Select the current plan version for the authorizations from the drop down box and click on the
Save icon

What you get is a list of all the activities that you have selected.

You can see some traffic lights. Some will be in Yellow, some may be green, some may be red
etc. These traffic signals indicate the maintenance status of the node. Click on the Key icon on the
toolbar to display what these colors mean


In the above figure, the Yellow color means that at least one field in this node has to be assigned
a value; the Green color means that all the fields in this node have assigned values. Similarly, a
Red light means that in that particular node no values have been assigned to the fields.

From the above screen, you can manually insert authorizations by clicking on the Insert Auth. icon
on the toolbar.

Whichever node is indicated with a yellow light, you have to make changes to the fields in that
node manually. So expand such nodes and make changes to each individual field one by one. This
is the point at which you can add or remove values assigned to a field.

As you can see from the above figure, the fields Activity & Archiving Object under the node
Archiving do not have any value assigned to them, hence they are shown in yellow color.


Click on the pencil icon against the fields to assign values to such fields. You can also change
the values of fields which already have values assigned to them by clicking on the same pencil icon
against such fields.

When you click on the pencil icon, you will get a list of field values which you can assign to
that particular field. Check the check boxes of the values that you want to assign. If you want to
assign all the values, then click on the Complete Authorizations button.

After selecting the values, click on the Copy icon.


From the above figure, you can see that we have changed the values for all the fields under
Archiving node. And that the yellow lights have turned green. So once all the fields have been
assigned values, the color of the main node also changes to green.

Similarly, you have to change the values for all the fields in the nodes whose traffic light is
yellow.

In case you want to give all the fields complete authorizations, just double-click on the main
node.

Save and Generate the changes by clicking on the respective icons


When you try to Save, you will be prompted to enter a Profile Name. Though the system
proposes a name, it does not indicate the purpose of the profile. So give it a meaningful name of
your own.

Next Generate the Activity Group. Click the Back icon to come back to Basic data maintenance
screen. You see the Authorizations button turn green.


In order to assign users to the activity group, click on the Agents button

Click on the User button on the toolbar to


Select the users by checking the check boxes

Click on the Transfer icon. You will get a Create Relationship box.


Click on the Create icon and the selected users will be assigned to the activity group.

Click on the Execute icon


Click on the User Master data Update icon on the application toolbar to update the user master
record. This will run the report RHAUTUPD. This will update the user master data.

You can click on the User master record icon on the application toolbar to update the user
master record.


After you have done this, if you look at the Task Profile of the users who were assigned to this
activity group, you will find this activity group included in the list of task profiles of those users.

You can also assign authorizations for a limited period of time.

If you make any changes to the activity group, the authorization profiles must be
regenerated and the user master records must be updated.

Use transaction code PFUD for dialog and report RHAUTUP1 for generating the authorization
profiles in the background.

PFUD screen looks like this :

Click on the Report icon to schedule a background job to run the report RHAUTUP1.


As the number of people working in the R/3 system grows, administering it becomes a more and more
difficult and complex task. To help the system administrator retain an overview of the R/3
system, R/3 provides a special information system. Choose Tools → Administration → User
Maintenance → Repository Infosys.

Using this tool, you can evaluate and compare the authorizations and user assignments in the
system in a variety of ways.

Just double-click on the options.

This information tool is useful when you switch to administering authorizations using the profile
generator


You set user defaults by following the path System → User Profile → Own Data.

Here you can make user-specific settings such as the user's address, start menu, logon language,
default printer etc.

In case there is an authorization object missing from a user's authorizations, execute the
transaction code SU53 to find out which authorization is missing, then create another
activity group with that missing authorization object and include it in the user's profile.
