
SAP R/3 BASIS Training User & Authorization

USER Concept(1)
The user concept is one of the basic parts of R/3 security.

After installing R/3 and creating a client, one of the first steps is to create users in the new client.
Users are client dependent: a user in one client is not a user of another client. Users are valid only for the client in which they were created or to which they were assigned.
The user name and the user attributes make up the user master record.
By default SAP comes with two super users: SAP* and DDIC.

These two super users are available in every client of the R/3 system when a new client is created, but their nature is slightly different:
SAP* has all authorizations.
DDIC is authorized to administer the R/3 repository.

Transaction code for user maintenance: SU01
Menu navigation: Tools --> Administration --> User Maintenance --> Users

User Master Record(1)


A user master record consists of the following information:
User name
Assigned client
Password (changeable in future)
Company address
User type
Start menu
Logon language
Personal printer setting
Time zone
Activity groups
Authorizations
Expiration date
Default parameter setting


The user master record is maintained through transaction code SU01.
A user can be assigned to many activity groups, and an activity group can be assigned to many users.

Password Restriction(1)
The password cannot be the word sap or pass.
The password cannot begin with any sequence of three characters contained in the user ID. For example, the user FREDSMITH cannot set a password that starts with FRE, RED, EDS or SMI.
The password cannot begin with three identical characters, e.g. aaamy or bbbt.
When a user changes his password, he may not use any of his last five passwords.

Password Restriction(2)
The minimum password length is set by the parameter login/min_password_lng (value 3).
The administrator can set the password expiration period with the parameter login/password_expiration_time (number of days).
login/fails_to_session_end (value 3) sets the number of incorrect logons allowed for a user master record until the logon procedure is terminated.
login/fails_to_user_lock (value 3) sets the number of incorrect logons allowed for a user master record until logon is rejected for this user. The lock is released at midnight.
rdisp/gui_auto_logout (in seconds) logs the user out automatically if SAPGUI is not used for the defined time. If it is set to 0, the user is never logged out automatically.

User sap* & DDIC (1)


The default installation of the SAP R/3 system includes two super users, DDIC and SAP*.
The SAP* user is created with the password 06071992.
The DDIC user is created with the password 19920706.
The EARLYWATCH user is created with the password SUPPORT.

In a new client, SAP* is created with the default password pass and unlimited access rights.
SAP* is the only super user that does not require a user master record, because its authorizations are given by system code. DDIC, by contrast, has a user master record.

It is better to deactivate the user SAP* (not delete it).
The user DDIC (for data dictionary) is the maintenance user for certain installation and setup tasks.
The EARLYWATCH user is used by SAP's EarlyWatch experts.

User sap* & DDIC(2)


Default users present after a new installation:

User         Clients
SAP*         000, 001, 066
DDIC         000, 001
EARLYWATCH   066
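
As an added example (not part of the original slides), the following audit runs over a constructed export of user master records and flags the two conditions the slides warn about: clients where SAP* has no user master record, so the SAP* defined in system code applies, and default users that are still unlocked. The CSV layout, the `locked` column, client 100, user JSMITH and the finding codes are assumptions made for this illustration.

```python
import csv
import io

DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH"}

# Constructed sample data, not taken from a real system.
SAMPLE_EXPORT = """\
client,user,locked
000,SAP*,yes
000,DDIC,no
001,SAP*,no
001,DDIC,no
066,EARLYWATCH,no
100,JSMITH,no
"""
SAMPLE_CLIENTS = ["000", "001", "066", "100"]


def audit_default_users(export_text, clients):
    """Return (client, user, finding) tuples for default-user weaknesses.

    NO_MASTER_RECORD        SAP* has no user master record in the client, so
                            the SAP* given by system code is what answers.
    SAPSTAR_NOT_DEACTIVATED SAP* has a master record but it is not locked.
    VERIFY_PASSWORD_CHANGED DDIC/EARLYWATCH is unlocked; confirm the password
                            is no longer the documented default.
    """
    rows = csv.DictReader(io.StringIO(export_text))
    locked = {(r["client"], r["user"].upper()): r["locked"].lower() == "yes"
              for r in rows}
    findings = []
    for client in clients:
        if (client, "SAP*") not in locked:
            findings.append((client, "SAP*", "NO_MASTER_RECORD"))
        for user in sorted(DEFAULT_USERS):
            # None = no record in this client, True = locked, False = unlocked
            if locked.get((client, user)) is False:
                code = ("SAPSTAR_NOT_DEACTIVATED" if user == "SAP*"
                        else "VERIFY_PASSWORD_CHANGED")
                findings.append((client, user, code))
    return findings


if __name__ == "__main__":
    for finding in audit_default_users(SAMPLE_EXPORT, SAMPLE_CLIENTS):
        print(*finding)
```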

Create User Step 1

Use transaction code SU01 for user maintenance.

Choose this button to create a new user

Create User Step 2


Enter User Info

Create User Step 3


Enter these important data

Create User Step 4

Choose Role from the menu

Create User Step 5

The corresponding profile will be added automatically

Create User Step 6

User can set USER-Parameters

After entering all data, choose the Save button

Create User Step 7

The user is created, and the Last changed by field is also updated

User creation is now complete.

Activity Group(1) or ROLE


A role or activity group is a collection of R/3 transactions, authorizations and additional objects.
The administrator can create, display, change, copy and transport a role.
Transaction code PFCG is used to maintain roles.

Composite Activity Group or Role


Composite activity groups are made up of a collection of activity groups.
Users assigned to a composite activity group are automatically added to its activity groups during a user comparison.
Composite activity groups themselves do not contain any authorization data.

USER Assignment
Users can be assigned to single activity groups or to composite activity groups, which mostly represent job roles.
Users who are assigned to an activity group may execute the transactions, reports or any other tasks in the activity group with the corresponding authorizations.

Create Role Step 1


Use transaction code PFCG to maintain a role / activity group

Choose the option Create

Create Role Step 2

Now, to create the role, choose the menu.

1. Enter the description
2. Choose the option MENU

The created user name will be displayed

Create Role Step 3

We can choose any one or all of the options at a time.

To create the role, choose any one

Create Role Step 4

We choose from the SAP menu according to our requirement.
We choose three from the menu.

Create Role Step 5

Our three selected menus appear on the role menu.
1. Our chosen three appear on the role menu

2. Again we choose Transaction

Create Role Step 6

Assign the transaction codes using the button Assign Transaction

Create Role Step 7

The chosen transaction code then appears on the role menu

Create Role Step 8

1. Choose the Authorizations tab

2. Choose the button Change authorization data

Create Role Step 9

1. Choose Range of values or Full Authorization

Create Role Step 10

These authorizations are added to the role

Create Role Step 11

Change the authorizations and save. The colors have changed.

Save the profile and give the profile a name

Create Role Step 12

The message Profiles created is displayed

Create Role Step 13

Choose the option USER COMPARE
Assign the user to whom this role is to be assigned

Choose the option Complete compare

Create Role Step 14

Open the user to whom the role is to be assigned

Create Role Step 15

The assigned profile appears in the user's profile list

Create Role Step 16

Create a role again, this time from another existing role, using PFCG

Choose the option From Other role

Create Role Step 17

Choose one role from the previously created or SAP-defined roles

Create Role Step 18

Choose the options from the list

Create Role Step 19

Create a role again, this time from an area menu, using PFCG

1. The chosen menu comes to the role menu

2. Now choose From Area Menu

Create Role Step 20

Choose one: PC14

Create Role Step 21

Choose the option Payroll

Create Role Step 22

The chosen option Payroll appears

Now continue from step 8

CREATE ROLE USING SPRO Step 1

Use transaction code SPRO to create a new project

Choose Goto --> Project Management

CREATE ROLE USING SPRO Step 2

Choose the button to create a new project

All created projects are shown.

Give the new project a name

CREATE ROLE USING SPRO Step 3

Enter the date here

CREATE ROLE USING SPRO Step 4

Specify the scope of the project

Select the modules which are required

Choose the button

CREATE ROLE USING SPRO Step 5

1. Select the option Generate Project IMG

2. Choose this option

3. Project creation starts in the background.

CREATE ROLE USING SPRO Step 6

Project PROJ_TEST created in background

CREATE ROLE USING SPRO Step 7

Use transaction code PFCG to assign the authorizations related to a particular project.

Choose the create option for a new role

CREATE ROLE USING SPRO Step 8

1. Choose the navigation Utilities --> Customizing Auth

2. This screen will appear

3. Choose Add

4. This screen appears; choose IMG PROJECT

CREATE ROLE USING SPRO Step 9

Choose one project from the list, e.g. PROJ_TEST

CREATE ROLE USING SPRO Step 10

All transaction codes related to the project PROJ_TEST will appear

Now follow the method of role creation. After that, Z_NEW_AG_SPRO will be created.

Use the transaction code SU53(1)


A user is trying to work with transaction code IL08, but he is not authorized to do that job.

This message appears if the user has no authorization for the transaction code

Use the transaction code SU53(2)

Using transaction code SU53 we can find which authorizations are needed to perform the task.

These are the missing authorizations
These are the available authorizations

Authorization structure(1)
[Diagram: authorization structure, with the elements User Master Record, Profile / Composite Profile, Authorization Profile, Composite Profile, Authorizations, Authorization Object and Authorization Fields]

Authorization(1)
The authorization system of the SAP R/3 system is the general term for all the technical and management elements used to grant access privileges to users in order to enforce R/3 system security.
By assigning an authorization profile to a user, the administrator gives the user access to particular SAP objects.
Authorization profiles are groups of authorizations. Instead of giving each authorization to a user individually, the administrator gives the user an authorization profile.
Authorization profiles can be simple or composite. Composite profiles contain other profiles.
Authorization profiles use an activation method: when authorizations or profiles are created or modified, they must be activated to become effective.
Profiles are assigned to users in the user master record.

Authorization(2)
The authorizations determine which activities a user can perform.
The system administrator cannot decide which business authorizations a user needs, because it is up to the user department to decide which permissions the user should be given to carry out his business tasks. The system administrator assigns those authorizations to the user as requested by the user department.
Each authorization is based on an authorization object.
An authorization object consists of authorization fields and possible values.

Because of the vastness of the R/3 system and its functional range, the authorization objects are further divided into areas called object classes.

An authorization allows a user to carry out an R/3 task based on a set of field values in an authorization object.
Authorizations allow a number of specific values or value ranges to be determined for a field.
ACTVT is an authorization field that is present in almost all authorization objects.

Activities : Meaning
01 : Create or Generate
02 : Change
03 : Display
05 : Lock
06 : Delete
07 : Activate, Generate
08 : Display change documents
11 : Change number range status
13 : Initialize number levels
16 : Execute
17 : Maintain number range object
21 : Transport
22 : Enter, Include, Assign
23 : Maintain
24 : Archive
33 : Read
34 : Write
36 : Extended maintenance
37 : Accept
40 : Create in DB
41 : Delete in DB
12 : Maintain & generate change documents
42 : Convert to DB
43 : Release
50 : Move
51 : MM : Initialize pe
59 : Distribute
60 : Import
64 : Generate
65 : Reorganize
70 : Administer
71 : Analyze
75 : Remove
78 : Assign
90 : Copy
A6 : Read with filter
A7 : Write with filter
A8 : Process mass data
DL : Download
UL : Upload
P0 : Accept CCMS CSM data
P1 : Edit CCMS CSM data
P2 : Maintain CCMS CSM methods
68 : Model
*  : all possible values

Authorization(3)
We can assign authorization values to these fields. The values of the fields decide what data can be accessed by the user to whom this object is assigned.

FIELD                      VALUE
Customer type (CUSTTYPE)   *
Activity (ACTVT)           02

* = all possible values, 02 = display only

Authorization profile(1)
An authorization profile consists of a group of authorization objects, i.e. a group of access privileges.
User authorizations are not assigned directly to the user master records. Instead, these authorizations are assigned as authorization profiles.
Changing the contents of the authorizations inside a profile affects all users that are given that profile once it is activated.
A user's authorizations are loaded into the user buffer only when the user logs on. Changes affect all users to whom the profile is assigned and take effect only when the user logs on.
The number of profiles generated depends on the number of authorizations in each activity group. A maximum of 150 authorizations fit into a profile. If there are more than 150 authorizations, an additional profile is generated.

Authorization profiles begin with a T, like T-SM-NEW1. When more than one profile is created, the names will be T-SM-NEW1_1, T-SM-NEW1_2.

Composite profile(1)
Composite profiles are sets of authorization profiles, both simple and composite.
A composite profile can contain an unlimited number of profiles.
Composite profiles are suitable for users who have different responsibilities or job tasks in the system.
Modifying any of the profiles in the list of a composite profile directly affects the access privileges of all users who have that composite profile in their user master record.

Authorization Object field(1)


Authorization fields represent values for individual system elements that undergo authorization checking to verify a user's authorization.

The activity field in an authorization object defines the possible actions that can be performed on a particular application object.

An authorization field can be, for example, a user group, a company code, a purchasing group, a development class, an application area or an activity.
For example, activity 03 always means Display. If an authorization contains two fields such as COMPANY CODE and ACTVT, and the value in COMPANY CODE is * and the value in ACTVT is 03, then a user holding this authorization can only display all company codes.
Not all authorization objects have the ACTVT authorization field.

Authorization Object(1)
An authorization object can contain a maximum of 10 authorization fields.
Users are permitted to perform a system function only after passing the test for every field in the authorization object.
Authorization objects are grouped in object classes belonging to different application areas. The classes are used to limit the search for objects, making it faster to navigate among the many R/3 system objects.
SAP predefined authorization objects should not be modified or deleted unless instructed by SAP support personnel. Deleting or changing standard authorization objects can cause severe errors in the programs that check those objects.

For example, MM_E stands for the object class Materials Management - Purchasing.

There is an authorization object M_BEST_EKG for ordering.

The M_BEST_EKG object consists of 2 authorization fields:

1. ACTVT to define the user activity, with values 02, 03
2. EKGR to define the purchasing group, with values xyz, abc

If ACTVT has the values 02 for change and 03 for display, the user can maintain only the purchasing groups xyz and abc and cannot create a new purchasing group.
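
The following sketch is an added example, not code from the original slides or from SAP. It models the check described above with the M_BEST_EKG object: a request passes only when every field passes within one authorization, composite profiles are flattened first, and a field value may be a single value, a range or *. The Z_* profile names, the range a00 to a99 and the function names are hypothetical.

```python
# Constructed model: the object M_BEST_EKG and its fields come from the slide;
# the profile names (Z_*) and the range value are hypothetical.
PROFILES = {   # simple profile -> [(authorization object, {field: permitted values})]
    "Z_BUYER":   [("M_BEST_EKG", {"ACTVT": ["02", "03"], "EKGR": ["xyz", "abc"]})],
    "Z_DISPLAY": [("M_BEST_EKG", {"ACTVT": ["03"], "EKGR": ["*"]})],
    "Z_RANGE":   [("M_BEST_EKG", {"ACTVT": ["03"], "EKGR": [("a00", "a99")]})],
}
COMPOSITES = {"Z_PURCHASING": ["Z_BUYER", "Z_DISPLAY"]}   # composite -> members


def expand(profile, seen=None):
    """Flatten a simple or composite profile into its authorizations."""
    seen = set() if seen is None else seen
    if profile in seen:            # guard against a composite containing itself
        return []
    seen.add(profile)
    auths = list(PROFILES.get(profile, []))
    for member in COMPOSITES.get(profile, []):
        auths.extend(expand(member, seen))
    return auths


def value_permitted(permitted, requested):
    """A field passes on '*', on an exact value, or inside a (low, high) range."""
    for value in permitted:
        if value == "*" or value == requested:
            return True
        if isinstance(value, tuple) and value[0] <= requested <= value[1]:
            return True
    return False


def authority_check(user_profiles, obj, **requested):
    """Return (allowed, failures).

    The check passes only if ONE authorization for the object satisfies every
    requested field; fields are never combined across authorizations.
    failures lists, per candidate authorization, the fields that did not match.
    """
    failures = []
    for profile in user_profiles:
        for auth_obj, fields in expand(profile):
            if auth_obj != obj:
                continue
            failed = [name for name, value in requested.items()
                      if not value_permitted(fields.get(name, []), value)]
            if not failed:
                return True, []
            failures.append(failed)
    return False, failures


if __name__ == "__main__":
    # Change (02) on group q99: Z_BUYER fails on EKGR, Z_DISPLAY fails on ACTVT.
    print(authority_check(["Z_PURCHASING"], "M_BEST_EKG", ACTVT="02", EKGR="q99"))
```

The last call shows why two partial authorizations do not add up: one allows change but not the group, the other allows the group but only display.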

FIND USERS BY ADDRESS DATA


Use transaction code S_BCE_68001393
Navigation path: Tools --> Administration --> User Maintenance --> Information System --> Users By Address Data

Restricting Password String


To prevent the use of passwords that start with similar words, use transaction code SM30 to maintain the table USR40, where * substitutes a group of characters and ? a single character.

Users cannot use these strings as a password
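
An added example, not part of the original slides: a checker that applies the built-in rules from the Password Restriction slides together with USR40 wildcard entries, so a candidate password can be tested against the whole policy at once. The USR40 entries shown, the rule codes and the case-insensitive comparison are assumptions made for this illustration.

```python
import re

# Constructed USR40 entries for illustration (not from a real system).
USR40_SAMPLE = ["WELCOME?", "SUMMER*", "*2024*"]


def usr40_to_regex(pattern):
    """Translate a USR40 entry: * = any group of characters, ? = one character."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
             for ch in pattern.upper()]
    return re.compile("".join(parts))


def check_password(user_id, candidate, history=(), min_len=3, usr40=USR40_SAMPLE):
    """Return the codes of every rule the candidate breaks (empty list = accepted).

    Assumption: comparison is case-insensitive, so everything is upper-cased.
    history is ordered oldest to newest; only the last five entries count.
    """
    pw, uid = candidate.upper(), user_id.upper()
    broken = []
    if len(pw) < min_len:                      # login/min_password_lng
        broken.append("TOO_SHORT")
    if pw in ("SAP", "PASS"):
        broken.append("RESERVED_WORD")
    if len(pw) >= 3:
        # All 3-character windows of the user ID: FREDSMITH -> FRE, RED, EDS, ...
        windows = {uid[i:i + 3] for i in range(len(uid) - 2)}
        if pw[:3] in windows:
            broken.append("STARTS_WITH_USER_ID_PART")
        if pw[0] == pw[1] == pw[2]:
            broken.append("THREE_IDENTICAL_CHARS")
    if pw in {old.upper() for old in list(history)[-5:]}:
        broken.append("IN_LAST_FIVE")
    for entry in usr40:                        # table USR40, maintained in SM30
        if usr40_to_regex(entry).fullmatch(pw):
            broken.append("USR40:" + entry)
    return broken


if __name__ == "__main__":
    for candidate in ["REDWOOD9", "aaamy", "pass", "Welcome1", "Blue7Kite"]:
        print(candidate, check_password("FREDSMITH", candidate))
```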

Role assigned to Which Users(1)


Use transaction code SE38, program RSUSR070
Navigation path: Tools --> Administration --> User Maintenance --> Information System --> Roles By Role Name

Role assigned to Which Users(2)


After Entering the Role we get the following screen

We get the USER ASSIGNMENT, PROFILE ASSIGNMENT and TRANSACTION CODE lists that are assigned to the role.

Role assigned to Which Users(3)


List of users who are assigned to the particular role

Role assigned to Which Users(4)


List of Profiles assigned to the particular Role

Role assigned to Which Users(5)


List of Transaction codes assigned to the particular Role

Maintaining the Object Class


Using transaction code SU03, the user can maintain the object class.

Available authorizations of the logon user(1)


Using transaction code SU56 we get the authorizations and authorization objects assigned to a user.

Double-click on the authorization object to get the details.

Available authorizations of the logon user(2)

Authorization fields corresponding to the authorization object.

Double-click on the permitted values to get the details.

Available authorizations of the logon user(3)

Double-click on the authorizations to get the details.

To get the details of an Authorization Object(1)


Use transaction code SE38, then use program RSUSR040.
Consider the authorization object S_DEVELOP.

To get the details of an Authorization Object(2)

Authorization Object & corresponding Object Class.

To get the details of an Authorization Object(3)

Authorization Fields Associated with the Authorization object

Double click on Permitted Activities

To get the details of an Authorization Object(4)


Use Transaction Code SU03

Double click on object class BC_C


Important Authorization profiles


SAP_ALL : All authorizations in the R/3 system
SAP_NEW : To create new objects
S_A.CUSTOMIZ : Customizing (for all system setting activity)
S_A.DEVELOP : Developers with all authorizations to work in ABAP WB
S_A.SHOW : Basis: display authorization only
S_A.USER : System administrator
S_ABAP_ALL : All authorizations for ABAP
S_ADMI_SPO_A : Spool: all administration authorization
S_ADMI_SPO_D : Spool: device administration
S_ADMI_SPO_E : Spool: extended administration
S_ADMI_SPO_J : Spool: job administration for all clients
S_ADMI_SPO_T : Spool: device type administration

SOME IMPORTANT TABLES


USR01 : Contains the runtime data of the user master records
USR02 : The table containing logon information such as the password
USR03 : Includes the users' address information
USR04 : Contains users' authorizations
USR05 : The users' parameter ID table
USR09 : Contains user menus
USR10 : The table for user authorization profiles
USR11 : Contains the descriptive texts for profiles
USR12 : The user master authorization values table
USR13 : Contains the descriptive short texts for authorizations
USR14 : Contains the logon language versions per user
USR30 : Includes additional information for user menus
TOBJ : Authorization objects table containing the authorization fields for each
TACT : Contains the list of standard activities in the system
TACTZ : The table which defines the relationship between the authorization objects and the activities in those objects containing the Activity authorization field
TSTC : The transaction code table where authorization objects and values can be defined

Create a super user(1)


SAP recommends not using SAP*; create a separate super user instead.
SAP_ALL is the only profile with which a super user can be defined, together with the authorization to create new objects.

SAP_NEW is the profile that gives permission to create a new object.

Profile Generator
The Profile Generator (PG) tool helps the authorization administrator create, generate and assign authorization profiles. It is available from SAP R/3 version 3.1G.

Before using the Profile Generator for the first time, use transaction code RZ11 to check that the parameter auth/no_check_in_some_cases is set to Y.
