USER Concept(1)
One of the basic parts of R/3 security is the user concept.
After installation of R/3 and client creation, one of the first steps is to create users in the new client. Note that users are client dependent: a user in one client is not a user of another client. Users are valid only for the client in which they were created or to which they were assigned. The user name and user attributes make up the user master record. By default SAP comes with two super users: SAP* and DDIC.
These two super users are available in every client of the R/3 system when a new client is created, but their nature is slightly different. SAP* has all authorizations. DDIC is authorized to administer the R/3 repository.
Company Address
User Type Start Menu Logon Language Personal Printer Setting Time Zone Activity Groups Authorizations Expiration Date
Password Restriction(1)
The password cannot be the word sap or pass.
The password cannot begin with any sequence of three characters contained in the user ID. For example, the user FREDSMITH cannot set a password that starts with FRE, RED, EDS, SMI.
The password cannot begin with 3 identical characters, e.g. aaamy or bbbt.
When a user changes his password, he may not use any of the last five passwords.
Password Restriction(2)
The minimum password length can be set by the parameter login/min_password_lng (value 3).
The administrator can set the password expiration date by the parameter login/password_expiration_time (number of days).
The number of incorrect logons allowed for a user master record until the logon procedure is terminated can be set by the parameter login/fails_to_session_end (value 3).
The number of incorrect logons allowed for a user master record until logon is rejected for this user can be set by login/fails_to_user_lock (value 3). The lock is released at midnight.
The parameter rdisp/gui_auto_logout (in seconds) logs the user out automatically if SAPgui is not used for the defined time. If it is set to 0, the user is never logged out automatically.
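The rules from the two password slides, written as a small checker. This is an added example, not SAP's implementation: the function name, the case-insensitive comparison and the sample password history are assumptions.

```python
def check_password(user_id, candidate, history, min_len=3):
    """Return the rules from the slides that `candidate` violates.

    history: the user's earlier passwords, oldest first (constructed input).
    min_len: stands in for login/min_password_lng.
    Comparison is case-insensitive, which is an assumption of this sketch.
    """
    pw, uid = candidate.upper(), user_id.upper()
    violations = []
    if len(pw) < min_len:
        violations.append("too short")
    if pw in ("SAP", "PASS"):
        violations.append("reserved word")
    # Every three-character sequence contained in the user ID,
    # e.g. FREDSMITH -> FRE, RED, EDS, DSM, SMI, MIT, ITH.
    trigrams = {uid[i:i + 3] for i in range(len(uid) - 2)}
    if pw[:3] in trigrams:
        violations.append("starts with user ID sequence")
    if len(pw) >= 3 and pw[0] == pw[1] == pw[2]:
        violations.append("starts with three identical characters")
    # Only the five most recent passwords are blocked from reuse.
    if pw in {old.upper() for old in history[-5:]}:
        violations.append("reused one of the last five passwords")
    return violations


if __name__ == "__main__":
    # Constructed history of six earlier passwords, oldest first.
    past = ["winter01", "spring02", "summer03",
            "autumn04", "monsoon05", "harvest06"]
    for attempt in ["sap", "REDapple", "aaamy", "spring02", "winter01", "xy"]:
        print(attempt, check_password("FREDSMITH", attempt, past))
```

The sixth-oldest password (winter01) passes because only the last five are checked, which is the boundary worth testing when reviewing a history setting.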
SAP* DDIC
EARLYWATCH
066
Create User Step 1
Use the transaction code SU01 for user maintenance.
USER Assignment
Users can be assigned to single activity groups or to composite activity groups, which mostly represent job roles. Users assigned to an activity group may execute the transactions, reports, or any other task in the activity group with the corresponding authorizations.
Create Role Step 3
We can choose any one or all of the options at a time.
Create Role Step 4
We choose according to our requirement from the SAP menu.
We choose three from the menu.
Create Role Step 5
Our three selected menus appear on the role menu.
1. Our chosen three will come on the role menu
Choose
GOTO > Project Management
Choose
To create new project
Choose
Give new name
CREATE ROLE USING SPRO Step 7
Use the transaction code PFCG to assign the authorizations related to a particular project.
1. Choose the navigation Utilities > Customizing Auth
2. This screen will appear
3. Choose Add
Now follow the method of role creation. After that, Z_NEW_AG_SPRO will be created.
This message appears if the user has no authorization for the TC.
Authorization structure(1)
User Master Record
Authorization Profile
Composite Profile
Authorizations
Authorization Object
Authorization Fields
Authorization(1)
The authorization system of the SAP R/3 system is the general term that groups all the technical and management elements for granting access privileges to users in order to enforce R/3 system security. By assigning an authorization profile to a user, the administrator gives that user access to particular SAP objects. Authorization profiles are groups of authorizations. Instead of giving each authorization to a user individually, the administrator gives an authorization profile to the user. Authorization profiles can be simple or composite. Composite profiles contain other profiles. Authorization profiles use an activation method: when authorizations or profiles are created or modified, they must be activated to become effective. Profiles are assigned to users in the user master record.
Authorization(2)
The authorizations determine which activities a user can perform. The system administrator cannot decide which business authorizations a user needs, because it is up to the user department to decide the kind of permissions the user should be given to carry out his business tasks. The user department decides which authorizations the user needs. The system administrator assigns those authorizations to the user as per the user department's request. Each authorization is based on an authorization object. An authorization object consists of authorization fields and possible values.
Because of the vastness of the R/3 system and its functional range, the authorization objects are further divided into areas called object classes.
An authorization allows a user to carry out an R/3 task based on a set of field values in an authorization object. Authorizations allow any number of specific values or value ranges to be defined for a field. ACTVT is an authorization field which is present in almost all authorization objects.
Activities : Meaning
01 : Create or Generate
02 : Change
03 : Display
05 : Lock
06 : Delete
07 : Activate, Generate
08 : Display change documents
11 : Change number range status
13 : Initialize number levels
16 : Execute
17 : Maintain number range object
21 : Transport
22 : Enter, Include, Assign
23 : Maintain
24 : Archive
33 : Read
34 : Write
36 : Extended maintenance
37 : Accept
40 : Create in DB
41 : Delete in DB
12 : Maintain & generate change documents
42 : Convert to DB
43 : Release
50 : Move
51 : MM : Initialize pe
59 : Distribute
60 : Import
64 : Generate
65 : Reorganize
70 : Administer
71 : Analyze
75 : Remove
78 : Assign
90 : Copy
A6 : Read with filter
A7 : Write with filter
A8 : Process mass data
DL : Download
UL : Upload
P0 : Accept CCMS CSM data
P1 : Edit CCMS CSM data
P2 : Maintain CCMS CSM methods
68 : Model
* all possible values
Authorization(3)
We can assign authorization values to these fields. The values of the fields decide what data can be accessed by the user to whom this object is assigned.
FIELD : VALUE
Customer type (CUSTTYPE) : *
Activity (ACTVT) : 02
Authorization profile(1)
An authorization profile consists of a group of authorization objects, i.e. a group of access privileges. User authorizations are not directly assigned to the user master records. Instead, these authorizations are assigned as authorization profiles. Changing the contents of the authorizations inside a profile affects all users that are given that profile once it is activated. A user's authorizations are loaded into the user buffer only when the user logs on. Changes affect all users to whom this profile is assigned and take effect only when the user logs on. The number of profiles generated depends on the number of authorizations in each activity group. A maximum of 150 authorizations fit into a profile. If there are more than 150 authorizations, an additional profile is generated.
Authorization profile names begin with a T, like T-SM-NEW1. When more than one profile is created, the names will be T-SM-NEW1_1, T-SM-NEW1_2.
Composite profile(1)
Composite profiles are sets of authorization profiles, both simple and composite. A composite profile can contain an unlimited number of profiles. Composite profiles are suitable for users who have different responsibilities or job tasks in the system. Modifying any of the profiles in the list of a composite profile directly affects the access privileges of all users who have that composite profile in the user master record.
The activity field in an authorization object defines the possible actions that can be performed on a particular application object.
An authorization field can be, for example, a user group, a company code, a purchasing group, a development class, an application area or an activity. For example, activity 03 always means Display. If an authorization contains two fields such as COMPANY CODE and ACTVT, and the value in COMPANY CODE is * and the value in ACTVT is 03, then a user with this authorization can only display all company codes. Not all authorization objects have the ACTVT authorization field.
Authorization Object(1)
An authorization object can contain a maximum of 10 authorization fields.
Users are permitted to perform a system function only after passing the test for every field in the authorization object. Authorization objects are grouped in object classes belonging to different application areas, which are used to limit the search for objects and so make it faster to navigate among the many R/3 system objects. SAP predefined authorization objects should not be modified or deleted, except if instructed by SAP support personnel. Deleting or changing standard authorization objects can cause severe errors in the programs that check those objects.
For example, if ACTVT has the values 02 for change and 03 for display, the user can maintain only purchasing groups xyz and abc and cannot create a new purchasing group.
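A model of the check described in the slides above: profiles (simple and composite) are expanded from the user master record, and access is granted only when one authorization passes the test for every field. This is an added example, not SAP code; the object, field, profile and user names are hypothetical and the data is constructed from the company code and purchasing group examples.

```python
# Constructed sample data; all names here are hypothetical.
# A simple profile lists (object, {field: allowed values}) authorizations.
# A composite profile lists the names of other profiles.
PROFILES = {
    "Z_DISPLAY_CC": [("Z_COMPANY", {"COMPANY_CODE": {"*"}, "ACTVT": {"03"}})],
    "Z_PURCH_MAINT": [("Z_PURCH", {"PURCH_GROUP": {"XYZ", "ABC"},
                                   "ACTVT": {"02", "03"}})],
    "Z_BUYER_ALL": ["Z_DISPLAY_CC", "Z_PURCH_MAINT"],
}
# User master record: the profiles assigned to each user.
USER_MASTER = {"BUYER1": ["Z_BUYER_ALL"], "CLERK1": ["Z_DISPLAY_CC"]}


def expand(profile, seen=None):
    """Flatten a simple or composite profile into its authorizations."""
    seen = set() if seen is None else seen
    if profile in seen:  # guard against composite profiles that loop
        return []
    seen.add(profile)
    auths = []
    for entry in PROFILES.get(profile, []):
        if isinstance(entry, str):  # a nested profile name
            auths.extend(expand(entry, seen))
        else:
            auths.append(entry)
    return auths


def authority_check(user, obj, **required):
    """True if one authorization for `obj` passes the test for every field."""
    for profile in USER_MASTER.get(user, []):
        for auth_obj, fields in expand(profile):
            if auth_obj != obj:
                continue
            # "*" stands for all possible values of a field.
            if all("*" in fields.get(name, set()) or value in fields.get(name, set())
                   for name, value in required.items()):
                return True
    return False


if __name__ == "__main__":
    print(authority_check("CLERK1", "Z_COMPANY", COMPANY_CODE="1000", ACTVT="03"))
    print(authority_check("BUYER1", "Z_PURCH", PURCH_GROUP="XYZ", ACTVT="02"))
    print(authority_check("BUYER1", "Z_PURCH", PURCH_GROUP="NEW", ACTVT="01"))
```

When reviewing roles, the same walk from user master record through composite profiles is what reveals which users gain access when a shared profile is changed.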
We get the USER ASSIGNMENT, PROFILE ASSIGNMENT and TRANSACTION CODE lists which are assigned to the role.
SAP_NEW is the profile which gives the permission to create a new object.
Profile Generator
The profile generator (PG) tool helps the authorization administrator create, generate, and assign authorization profiles. It is available from SAP R/3 version 3.1G.
Before using the profile generator for the first time, check the parameter setting auth/no_check_in_some_cases = Y using the TC RZ11.