Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
0B
One of the first steps after the installation of R/3 and creating a client is to create users in the new
client.
Users are client-dependent i.e. a user in one client may not be a user in another client. They are
valid only for the clients in which they are created or assigned.
The users name and the user attributes comprise the User Master Record.
User Name
Assigned Client
Password (which can be changed)
Company Address
User Type
Start Menu
Logon Language
Personal Printer Settings
Time Zone
Activity Group
Authorizations
Expiration Date
Default Parameter settings
Some of the information such Company Address, Start Menu, Logon language, Printer settings
etc are optional and need not be specified.
SAP comes with certain superusers SAP* and DDIC. These two users are available for every
client in the R/3 system. By default, they are made available to every new client that is created.
SAP* has all the authorization whereas DDIC is authorized to administer the R/3 repository.
They are excluded from doing any development work in the R/3 system.
You can create a user by following the path Tools Administration User Maintenance
Users
Enter the user name and click on the Create button on the application toolbar
By default you will be in the Address element of the User Master Record. Enter the Name,
Address etc. information for each user.
1. The initial password for the user. The system will prompt the user to change the password at
first Logon.
2. User Group : User groups give an indication of activity areas and authorizations.
You can create a User Group by following the path Environment User group
Enter a user group name and click on the Continue / Enter icon
SUPER is the only user group defined the SAP system. SAP* belongs to this group.
4. User Type. It determines the type of tasks that a user can do.
There are four types of users: Dialog, BDC, Background and CPIC
Dialog User : A dialog user can work with R/3 in any way.
Background : Can only use and schedule background jobs from other dialog users. A
background user is not permitted to log onto the R/3 system and to work in
dialog mode
CPIC : Used to exchange data through the CPIC interface. Cannot work in dialog mode.
AUTHORIZATIONS
The system administrator cannot decide which business authorization a user needs because it upto
the user departments to decide the kind of permissions the user should be given or deny to carry
out his business tasks. The user department decides which authorizations the user should get. The
system administrator assigns and administers the authorizations as per the user departments
requirements of a particular user.
An authorization object is a unit, which consists of a name, fields and the possible values that
represent an action.
You can have an overview of authorization objects by following the path Tools ABAP
Workbench Development Other Tools Authorization Objects Objects
Because of the vastness of the R/3 system and its functional range, the authorization objects are
further divided into areas called as object classes.
To get the technical name of the objects in an object class, select the object class the click on the
Enter icon the application toolbar
To display the fields in the object, select the object and click on the Display icon on the
application toolbar.
The authorization field ACTVT will be present in every authorization object. Apart from this
field, the authorization objects will contain some other fields too depending on the object.
Value Meaning
01 Create
02 Change
03 Display
* All possible activities
Again the values for this field change from object to object.
You can assign your authorization values to these fields. The values of the fields decide what data
would access by the user to whom this object is assigned.
Most the times the authorizations are already defined with the value *. So you need to make
company specific value assignments to the fields.
You can also create your own authorizations with the above path by clicking on the Create icon
on the application toolbar. And you can convert these authorizations to authorization objects by
assigning values to them.
Let us now create an authorization and assign values to the fields to it. Let us create an
authorization, which will allow the user to make changes to purchasing group.
Select the object class and click on the enter icon. Select the MM:Purchasing object class.
In the next screen, you get a list of authorization objects belonging to the selected class. Click on
the Technical Names to display the names of the objects.
You can now modify the existing authorization object or create a new authorization.
Select the authorization object that you want to modify and click on the Enter icon. Here we have
selected the authorization object M_BEST_EKGC.
To create new authorization, click on the Create icon on the application toolbar
When giving a name to the authorization, adhere to the customer specific name range.
Click on the Enter icon after specifying the authorization name and its description.
You will get a screen with no authorizations values associated with the fields ACTVT and
Purchasing Group.
Select a field and click on the Maintain Values icon on the application toolbar.
Click on the dropdown arrow in the value selection box to display all the values that you can
assign to the fields.
You can assign the values displayed from such a list that you will get. You assign a range values
to a field or individual values.
As you can see from the above figure, we have assigned some values to the field ACTVT.
After assigning the values click on the Enter icon in the box.
If you want assign all the values to the field at a shot, then assign the value * to it.
After assigning the values to the fields, Save and Activate the changes by clicking on the
respective icons on the application toolbar
Click the Back icon. You should be able to see the authorization object that you created in the list
of the authorization objects.
Click the Back icon till you come to the object classes screen.
Authorizations can be created and assigned to a user individually. But that would require lot of
efforts and time. To avoid such a lengthy and time consuming process, SAP provides us with
Authorization Profiles.
Using the Authorization profiles, you can group authorizations into single profile and multiple
single profiles into composite profiles.
Like the authorizations, you can create your own single and composite profiles. However SAP
also provides with pre-defined authorization profiles.
You can maintain profiles by following the path Tools Administration User Maintenance
Profiles
Give a name to the profile and click on the Generate work area button on the toolbar.
Enter a description for the profile and select whether the profile that you want to create is a single
profile or a composite profile. In case, it is selected to be composite profile, then you will be
prompted to enter the single profile names which will make up the composite profile.
From the left-hand side drop down box, select the authorization object and from the right hand
corner drop down box, select the authorization for the authorization object.
Select the profile and click on the Activate icon to activate the profile.
If your user is a copy of SAP*, then it will have the SAP_ALL profile assigned to it. SAP_ALL
profile gives all the authorizations to the user i.e. the user has all the rights to do anything in the
system.
Enter the profile that you created to assign it to the user. Also assign the profile SAP_NEW to the
user to allow him to create new objects.
The following is the list of important profiles in the SAP R/3 system
There are time when a user while performing an action gets a message that he is not authorized to
do the action. In that it means that he has got the necessary authorizations to perform that action
and some authorizations objects are missing from his profile.
You can display list of missing authorizations for a user using the transaction code SU53
PROFILE GENERATOR
The Profile generator was made available by SAP from 3.1G onwards. Prior to 3.1G,
authorization profiles was the only method available to implement the authorization concept.
But with 3.1G, the Profile Generator (PG) was introduced by SAP. The PG is based on the
concept of authorization objects, authorizations and authorization profiles.
To use the PG, you should include the parameter auth/no_check_in_some_cases = Y in the
instance profile.
PG is started from
this point
The type of tasks that user would perform in the R/3 system is ultimately decided by the
authorizations he has.
When you use the PG, the authorization profiles are generated automatically by R/3. The
comprehensive authorization profile generated in this way is no longer manually assigned to each
user. Instead, users are assigned to one or more activity groups.
An Activity Group is a subset of the actions from the set of actions defined in the Enterprise IMG.
Now let us see the steps to implement the authorization concept using Profile Generator
1. Select the languages by clicking on the button in the Language Selection section
2. Next Generate SAP standard menu by clicking on the SAP standard menu generation item in
the Generator Menu section
3. Next Generate the company menu by clicking on point 2a in the Generate Menu section
4. Next click on the point 2b to make any additional changes manually to the company menu
Click on YES.
To create settings that are as uniform as possible in a system landscape, you can include the
generated, active enterprise menu or all menus in a transport request and transport them into
other systems. Use point 3a and 3b
6. Next execute the Transaction code SU25 to copy the SAP defaults to customer tables
To fill the SAP default values to the customer tables click on point 1 in the Installing the Profile
Generator
During a new installation, all authorizations already defined by SAP, including all the defaults
values, are first copied to customer specific tables, where you can use the Profile generator to
change them
7. You can manually change the authorization objects or composite profiles for individual
transactions. This can be done by maintaining the SAPCheck Ids and field values by choosing
Change Check Ids in the Enterprise IMG or by executing the transaction code SU24
This function lets you manually change the assignment of a transaction authorization
You can maintain the check Ids by specifying the transaction code or the authorization object
Click on Display check indictor button or the Change indicator button to change the SAP Check
Ids for the transaction code.
Now you can change the Check Ids status by clicking on the dots under U, N, C, CM
You can place the cursor on any object (eg. S_DEVELOP) and click on Field Values button(s) to
display or change the values of the fields of the selected objects
After making the changes click on Save and Click on Back icon to come out.
Note : In any case, the defaults provided by SAP will meet your requirements, so making changes
to the check ids is an activity that may not be carried out by you.
8. The next is to define the Activity group. So use the transaction code PFCG
Using the Activity Group, individual user activity menu and fields are defined.
You create activity groups that are authorized to use subtrees in the enterprise menu.
The Profile Generator generates the necessary profiles for the defined activity groups
Responsibility: Within the activity groups, you can maintain responsibilities. When you use
Responsibilities, the authorizations can be specified in greater details. For
example : to maintain a purchasing group XYZ. You create a responsibility by
assigning concrete values, such as specific company code, to a defined activity
group.
One way to use Responsibilities within Activity Groups is to maintain organizational levels.
Organizational levels are permanently defined fields in authorization objects which refer the
enterprise structure, for example, the company codes of an enterprise. The Authorization profiles
can be generated for different company codes. You can also attain this level of separation for the
different responsibilities by manually maintaining the authorizations
Using Responsibilities is optional. You use Responsibilities when you want to assign same profile
but with different values. Eg. Assigning the same profile to the different users who work with
different company codes or organizational units but perform the same tasks
If you create an activity group without responsibilities, there is 1 : 1 assignment between activity
group and authorization profile; and activity group and responsibility are identical in this case.
Defining the activity groups make the work of user administrators easier. Suppose, you want to
make changes to some authorizations, all you need to do is make the changes in the activity
group. After the changes, when the activity groups are generated, you can automatically activate
the changes for all the assigned users
Now let us create an Activity Group without responsibilities for a user to have the authorization
to use all the tools in the CCMS
Execute the transaction code PFCG and enter a Activity Group name. Click on the Basic
Maintenance radio-button. If you want to include responsibilities, the click on Overall
Maintenance radio-button
From the Menu tree select the relevant subtree for your activity group (here CCMS) by expanding
the tree
When you select the permitted activities for an activity group, a menu tree of these acitvities is
automatically generated. This menu is available as a user menu, in the SAP Session Manager, to
all the users assigned to this activity group.
The next step is to generate the authorization profile for the selected activities.
Select the current plan version for the authorizations from the drop down box and click on the
Save icon
What you get is a display of the list of all the activities that you have selected .
You can see some traffic lights. Some will be in Yellow, some may be green, some may be red
etc. These traffic signals indicate the maintenance status of the node. Click on the Key icon on the
toolbar to display what these colors mean
From, the above figure, the Yellow color means that at least one field in this node has to assigned
an value, the Green color means that all the fields in this node have assigned values. Similarly if
you see a Red light it would mean that in that particular node no values have been assigned to the
fields.
From the above screen, you manually insert authorizations by clicking on the Insert Auth. Icon on
the toolbar
Now whichever node is indicated with a yellow light, it means that you have make changes to the
fields in that node manually. So expand such nodes manually and makes changes to each
individual field one by one. This is the point at which you can add or remove values assigned to a
field.
As you from the above figure, the fields Activity & Archiving Object under the node Archiving do
not have any value assigned to them hence they are shown in yellow color.
Click on the pencil icon against the fields to assign values to such fields. You can also change
values of the fields which have values assigned to them by click on the same pencil icon against
such fields
So when you click on the pencil icon, you will get a list of field values which you can assign to
that particular field. Check the check boxes of the values that you want assign. If you want to
assign all the values then click on the Complete Authorizations button
From the above figure, you can see that we have changed the values for all the fields under
Archiving node. And that the yellow lights have turned green. So once all the fields have been
assigned values, the color of the main node also changes to green.
Similarly, you have to change the values for all the fields in the nodes whose traffic light is
yellow.
In case, you want to give all the fields complete authorizations, just double click on the main
node.
When you try to Save, you will be prompted to enter a Profile Name. Though the system
proposes a name, it does not indicate the purpose of the profile. So give your meaningful name.
Next Generate the Activity Group. Click the Back icon to come back to Basic data maintenance
screen. You see the Authorizations button turn green.
In order to assign users to the activity group, click on the Agents button
Click on the Transfer icon. You will get a Create Relationship box.
Click on the Create icon and selected users will be assigned to the activity group
Click on the User Master data Update icon on the application toolbar to update the user master
record. This will run the report RHAUTUPD. This will update the user master data.
You can click on the User master record icon on the application toolbar to update the user
master record.
After you have done this, you see the Task Profile of the users who were assigned to this activity
group, you will find this activity group included in the list of task profiles of those users.
If you make any changes to the activity group, the authorization profiles have must be
regenerated and the user master records must be updated
Use transaction code PFUD for dialog and report RHAUTUP1 for generating the authorization
profiles in the background.
Click on the Report icon to schedule a background job to run the report RHAUTUP1 .
As the number of people working in the R/3 system grows, it becomes more and more difficult
and complex task to administer. To help the systems administrator retain an overview of the R/3
system, R./3 provides special information system. Choose Tools Administration User
Maintenance. Repository infosys.
Using this tool, you can evaluate and compare the authorizations and user assignments in the
system in variety of ways.
This information tool is useful when you switch to administering authorizations using the profile
generator
You set user defaults by following the path System User Profile Own Data
Here you can do user specific settings such as users address, start menu, log on language, default
printer etc.
In case there is an authorization object missing from a users authorizations, then execute the
transaction code SU53 to find out which authorization is missing and then create another
activity group with that missing authorization object and include it in the users profile.