CA940 - SAP R/3 Application Security Concept - hservers.org

SAP AG 2001

CA940 - SAP R/3 Authorization Concept

SAP AG

CA940 SAP R/3 Application Security Concept

- System R/3
- Release 4.6C
- March 2001
- Material Number: 5004 4565

Copyright

Copyright 2001 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Trademarks:

- Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
- Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
- IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.
- ORACLE® is a registered trademark of ORACLE Corporation.
- INFORMIX®-OnLine for SAP and INFORMIX® Dynamic Server™ are registered trademarks of Informix Software Incorporated.
- UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
- HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
- JAVA® is a registered trademark of Sun Microsystems, Inc.
- JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
- SAP, SAP Logo, R/2, RIVA, R/3, ABAP, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Course map

(Diagram: the mySAP.com Workplace curriculum at Level 2 and Level 3, with the target group of each course.)

Courses shown:
- MY301 mySAP.com Workplace (2 days)
- CA940 R/3 Security Concepts (3 days)
- HR250 Employee Self Service (3 days)
- BC940 Security and Auditing (3 days)
- BC350 TCC Workplace (3 days)
- MY305 Mini-Applications (1 day)
- MY310 Drag & Relate (2 days)

Target groups labelled on the diagram: ALL; User Administrator/Application Consultant; Employee/Application Consultant; System Administrator/Technology Consultant; Application Consultant; Technology Consultant/Application Consultant.

Course Prerequisites

- SAP 20 (mySAP Application Fundamentals) or equivalent knowledge
- SAP 50 (mySAP Technical Fundamentals)
- Knowledge of at least one R/3 application area gained in Level 2 and/or Level 3 courses

Target group

- Participant
  - Project Team Members
  - Authorization Administrators
  - User Administrators
- Duration: 3 Days

Notes to the user

- The training materials are not self-teach programs. They complement the course instructor's explanations. On the sheets, there is space for you to write down additional information.

Course Content

Preface

Unit 1 Introduction
Unit 2 Conception with ASAP Methodology
Unit 3 Elements of the R/3 Authorization Concept
Unit 4 The User Master
Unit 5 Working with the Profile Generator
Unit 6 Profile Generator: Installation and Upgrade
Unit 7 Integration into Organizational Management
Unit 8 Access Control and User Administration
Unit 9 Analysis and Monitoring Functions
Unit 10 Special Authorization Components
Unit 11 Transporting Authorization Components
Unit 12 Central User Administration
Unit 13 mySAP.com and the mySAP Workplace

Exercises and Solutions

Appendix

Introduction

Contents:

- Security Requirements
- SAP Security Levels
- SAP Access Control
- Users, Roles and Authorizations
- Technical Implementation of Roles

Introduction: Unit Objectives

At the conclusion of this unit, you will be able to:

- Describe the SAP authorization concept as part of a comprehensive security concept
- Explain the access control mechanisms
- Explain how users, roles and authorizations are related
- Describe the technical implementation of a role-based authorization concept

Overview Diagram (1)

(Course map: the units of the course, with "Introduction" highlighted as the current unit.)

Introduction; Conception with ASAP Methodology; Elements of the R/3 Authorization Concept; The User Master Record; Working with the Profile Generator; Profile Generator: Installation/Upgrade; Integration into Organizational Management; Access Control and User Administration; Analysis and Monitoring Functions; Special Authorization Components; Transporting Authorization Components; Central User Administration; mySAP.com and the Workplace

Introduction: Business Scenario

- Authorizations are used to control access at the application level. The system must additionally be protected at the operating system, database, network and frontend levels in order to implement a comprehensive security concept. These concepts are dealt with in the training course BC940. At the application level, roles are at the heart of the SAP R/3 authorization concept.

Security Expectations

- Protection of sensitive business data according to
  - Laws
  - Agreements
  - Policies
- Advantageous cost-benefit relation
- Should not obstruct business processes

- Protection of sensitive data:
  - A company must meet certain legal requirements based on its country of operation. Specific laws (such as protection of employees) must be observed.
  - A company must be able to protect and adhere to agreements made with partners and vendors.
  - A company must publish and enforce security policies, so that a secure environment can be established and maintained.
- Cost-benefit relation:
  - A company should concentrate security costs on areas in which a clear benefit can be realized. Protecting company assets that can be replaced at a lower cost in the event of a loss is an unnecessary investment of time and money.
  - It is impossible to ensure complete security against all potential threats. Therefore, a company must be able to weigh the extraordinary risks of a threat against the costs of a security system.
- Obstruction of business processes:
  - A secure environment should be transparent enough to avoid obstructing a company's business processes.

Security - Overview

(Diagram: assets, the threats that interrupt them, and the measures against those threats.)

Assets: Hardware, Software, Data, Persons

Threats (leading to interruption):
- Technology: Disk Crash, Power Supply
- Persons: Incorrect Operation, Hackers
- Environment: Floods, Earthquakes

Measures:
- Technology: Hardware, Router, DB Backup, Password Rules, Authorizations, ...
- Organisation: Procedures, Training
- Environment: Fire Alarms, Water Detection

- When developing a security concept, you must first determine WHAT you want to make safe. Which assets must be protected? To which categories do these assets belong (for example: hardware, software, data, persons)? When assigning assets to categories, consider the consequences of losing these assets. When calculating the value of fixed assets, for example, you should take into account the loss of value due to depreciation, damage or theft.
- You must also determine AGAINST WHAT you want to protect your assets. What are the potential dangers? Sources of danger could be, for example, technology, the environment, or persons.
  - Technology: Processing errors (caused by applications or operating systems), viruses, power supply interruption, hardware failure.
  - Persons: Important employees leaving the company, dissatisfied or inexperienced employees.
  - Environment: Fire, flood, dust, earthquakes.
- Once you have identified your assets and the potential sources of danger, you can develop security mechanisms. You must set up an appropriate protective measure for each source of danger. These measures should also be assigned to different categories (for example: organizational, technical, environmental).
  - Organizational measures: Training, internal security policy, procedures, roles, responsibilities.
  - Technical measures: the items listed on the slide (hardware, router, database backup, password rules, authorizations).
  - Environmental measures protect physical system components against natural sources of danger.

SAP Security Levels

Layer              Components                                        Security Considerations                        SAP Course
Presentation       GUI, Browser, PC                                  Access control, virus scanners, encryption     BC940
Web Connection     ITS                                               Encryption, certificates, Single Sign-On       BC940
Communication      SAProuter, Network, SNC                           Access control, packet filtering, encryption   BC940
Application        Application modules, work processes, interfaces   SAP users, password rules, authorizations      CA940
Database           Relational database                               Access to SAP tables, backup, consistency      BC940
Operating System   UNIX, Windows NT, OS/400, OS/390                  Access to SAP files, OS services               BC940

- SAP systems are made safe at a variety of levels. Each level has its own protection mechanisms.
- To avoid unauthorized system access, for example, system and data access control mechanisms are provided at the application level.
- When protecting an SAP system, you must consider the following:
  - Security must be implemented at all levels, since the overall security depends on the weakest part.
  - A complex authorization concept is therefore only one aspect of an overall security concept.
- This course deals only with the security mechanisms at application level. All other levels are covered in the SAP training course BC940.

SAP Access Control

(Diagram: data and functions, protected by system access control and by access control.)

- System Access Control
  - Users must identify themselves in the system
  - Configuration of system access control (e.g. password rules)
- Access Control
  - Access rights for functions and data must be granted explicitly using authorizations
  - Authorization checks for
    - Transaction/report calls
    - Program execution

- In order to work with an SAP system, users require unique user IDs. A user master record must be created in the system for each user. This user master record also contains the password that the system prompts the user to enter when logging on.
- There are numerous mechanisms for preventing unauthorized access to an SAP system that can raise the security level of a system if configured appropriately. These configurable settings include, for example, the minimum length and the expiry date of passwords.
- To protect business data and functions against unauthorized access, SAP programs use authorization checks. In order to pass an authorization check of this type, a user needs the appropriate authorization.
- Authorizations are assigned in the form of roles, which are entered into the user master record.

Users, Roles, and Authorizations

(Diagram: the Procurement scenario with its activities, the users Karen, Susan and John, their roles, and the authorization each activity needs.)

Activities in the Procurement scenario: Create Purchase Requisition (ME51), Release Purchase Requisition (ME54), Order Purchase Requisition (ME58)

Employees have roles with specific functions and need authorizations for these functions.

- Karen: Employee, Service Representative
- Susan: Employee, Service Representative, Manager
- John: Employee, Purchaser

Authorizations: authorization to create purchase requisitions; authorization to release purchase requisitions; authorization to create purchase orders

- People perform roles that belong to business scenarios. In the example above, KAREN performs the EMPLOYEE role in the PROCUREMENT business scenario.
- A person can have more than one role. SUSAN, for example, performs the roles EMPLOYEE, SERVICE REPRESENTATIVE, and MANAGER.
- A role is a group of activities performed within business scenarios. For example, the activity CREATE PURCHASE REQUISITION belongs to the EMPLOYEE role.
- A role generally includes all activities that may occur in the respective scenario. For example, the activity CREATE PURCHASE REQUISITION is sufficient to allow the EMPLOYEE to take part in the PROCUREMENT scenario.
- A single role can be involved in several scenarios. The EMPLOYEE, for example, participates in the SELF-SERVICES and the REPORTING scenarios, among others.
- A single scenario may require the participation of multiple roles. For example, the EMPLOYEE, MANAGER, and the PURCHASER are all involved in the PROCUREMENT scenario.
- Business scenarios are groups of activities performed by one or more employees in their respective roles. The PROCUREMENT scenario, for example, comprises the activities CREATE PURCHASE REQUISITION, RELEASE PURCHASE REQUISITION and CREATE PURCHASE ORDER.
- Activities are associated with specific system functions that can only be accessed with the proper authorization.
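The chain described under "SAP Access Control" and in the notes above (user master record, roles entered in it, authorizations inside the roles, and the authorization check a program performs), together with the configurable password expiry, as an added Python model. This is example code written for this page, not SAP's own code: the object and field names S_TCODE/TCD, M_BANF_BSA and M_BEST_BSA with ACTVT/BSART, and the profile parameter login/password_expiration_time, are SAP's names, but the role contents, field values, users, dates and the matching logic are constructed here as a simplified rendering of the ABAP AUTHORITY-CHECK semantics. It also shows the check a practitioner should make: a transaction in a role menu grants nothing by itself; only the S_TCODE authorization lets the user start it.

```python
"""Added example for this page (not SAP code): the user -> role -> authorization chain
and an AUTHORITY-CHECK-style test, plus the password expiry rule from system access control.
Object and field names (S_TCODE/TCD, M_BANF_BSA and M_BEST_BSA with ACTVT/BSART) follow SAP's
naming; the role contents, field values, users and dates are constructed for the demo."""
from dataclasses import dataclass
from datetime import date

WILDCARD = "*"


@dataclass
class Authorization:
    obj: str       # authorization object, e.g. "S_TCODE"
    fields: dict   # field -> tuple of allowed values: "ME51", "ME5*" (generic), ("A", "M") (range)


@dataclass
class Role:
    name: str
    menu: set              # transactions shown in the user menu (navigation only)
    authorizations: list   # Authorization instances generated into the role's profile


@dataclass
class UserMaster:
    user_id: str
    roles: list
    password_set_on: date = date(2001, 3, 1)   # constructed value for the expiry demo


def value_matches(allowed, value: str) -> bool:
    """SAP field value semantics: '*' matches everything, a trailing '*' is a
    prefix pattern, a (low, high) tuple is an inclusive range, otherwise exact."""
    for a in allowed:
        if isinstance(a, tuple):
            if a[0] <= value <= a[1]:
                return True
        elif a == WILDCARD or a == value:
            return True
        elif a.endswith(WILDCARD) and value.startswith(a[:-1]):
            return True
    return False


def authority_check(user: UserMaster, obj: str, **wanted: str) -> bool:
    """Mirrors ABAP AUTHORITY-CHECK: passes only if one single authorization, from
    any of the user's roles, covers every checked field at once. Values are never
    combined across two authorizations."""
    for role in user.roles:
        for auth in role.authorizations:
            if auth.obj == obj and all(
                value_matches(auth.fields.get(f, ()), v) for f, v in wanted.items()
            ):
                return True
    return False


def can_start_transaction(user: UserMaster, tcode: str) -> bool:
    """Starting a transaction is gated by S_TCODE (field TCD); a menu entry grants nothing."""
    return authority_check(user, "S_TCODE", TCD=tcode)


def password_expired(user: UserMaster, today: date, expiration_days: int) -> bool:
    """Profile parameter login/password_expiration_time: days after which a password
    must be changed (0 = never expires)."""
    return expiration_days > 0 and (today - user.password_set_on).days > expiration_days


def build_demo() -> dict:
    """Karen, Susan and John from the slide, plus a user whose only role has a menu
    entry for ME51 but no authorizations."""
    employee = Role("EMPLOYEE", {"ME51"}, [
        Authorization("S_TCODE", {"TCD": ("ME51",)}),
        Authorization("M_BANF_BSA", {"ACTVT": ("01", "03"), "BSART": ("NB",)}),
    ])
    manager = Role("MANAGER", {"ME54"}, [
        Authorization("S_TCODE", {"TCD": ("ME54",)}),
        Authorization("M_BANF_BSA", {"ACTVT": ("03",), "BSART": ("*",)}),
    ])
    purchaser = Role("PURCHASER", {"ME58"}, [
        Authorization("S_TCODE", {"TCD": ("ME58",)}),
        Authorization("M_BEST_BSA", {"ACTVT": ("01",), "BSART": ("NB",)}),
    ])
    menu_only = Role("MENU_ONLY", {"ME51"}, [])
    return {
        "KAREN": UserMaster("KAREN", [employee]),
        "SUSAN": UserMaster("SUSAN", [employee, manager]),
        "JOHN": UserMaster("JOHN", [employee, purchaser]),
        "GUEST": UserMaster("GUEST", [menu_only]),
    }


def who_can_start(users: dict, tcode: str) -> list:
    return sorted(u for u, m in users.items() if can_start_transaction(m, tcode))


if __name__ == "__main__":
    users = build_demo()
    for tcode in ("ME51", "ME54", "ME58"):
        print(tcode, who_can_start(users, tcode))
```

The point to take from `authority_check` is that an authorization is atomic: a user who holds ACTVT 01 for document type NB in one authorization and ACTVT 03 for all document types in another does not thereby gain ACTVT 01 for all document types. GUEST illustrates the other caveat: the menu only hides functions, and a transaction typed into the command field is still stopped by the S_TCODE check, not by the missing menu entry.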

Technical Implementation of Roles

(Diagram: the role "Professional Purchaser" with its role menu, its authorizations and the users assigned to it.)

- Role Menu
  - Accessible Transactions, Reports, Web Links
  - Structure of the Menus/Access Paths
- Authorizations
  - Selective Access to Business Functions and Data
- User

- To implement roles technically, you must create (composite) roles using the Profile Generator.
- A role consists of the following components:
  - Role Menu: The role menu contains the transactions and reports to which the users of the role should have access.
  - Authorizations: The authorizations define the access rights for business functions and data.
  - Users: To grant the access rights of a role to a user, you must assign the user to the role. You can assign users using either the Profile Generator or user administration.
- SAP delivers a large number of predefined roles with SAP systems. Customers can use these roles as templates and customize them to meet their individual requirements. Report RSUSR070 displays all the role templates delivered by SAP.

SAP Easy Access - User-Specific Menus

(Screenshot of the SAP Easy Access screen: menu bar "Menu Edit Favorites Extras System Help"; buttons "Other menu", "Create menu", "Assign users"; the user menu of role BC_USER_ADMIN.)

Favorites
- SM51 List of SAP Systems

User Administration
- SU01 - User Maintenance
- PFCG - Role Maintenance
- SU01D - Display User
- SU05 - Internet User Maintenance
- SU10 - User Mass Maintenance
- SUGR - Maintain User Groups

- SAP systems support the setup of user-friendly personal user menus.
- When creating the roles, the system administrator specifies the required functions including their descriptions. Both can be chosen as required.
- Once a user has been assigned a particular role, the appropriate personal menu for that user is automatically displayed when the user logs on to the system. The menu is based on the assigned activities.
- In addition to the functions preset by the administrator, users can choose their own "Favorites". There are two ways to do this: users can drag the desired function with the mouse into the relevant menu area, or they can select the transaction and then choose Add to Favorites to add the function to their list of favorites.
- If the user calls a transaction, the personal menu is hidden so that the entire screen can be used for transaction processing. If the user quits the transaction or opens a new session, the menu is shown again in the foreground.

Introduction: Unit Summary

You are now able to:

- Describe the SAP authorization concept as part of a comprehensive security concept
- Explain the access control mechanisms
- Explain how users, roles and authorizations are related
- Describe the technical implementation of a role-based authorization concept

Conception with ASAP Methodology

Contents:

- ASAP methodology for creating an authorization concept
- Project preparation
- Analysis and design of the authorization concept
- Implementation of the authorization concept
- Testing and quality assurance
- Cutover

Conception with ASAP Methodology: Unit Objectives

At the conclusion of this unit, you will be able to:

- List the steps necessary to implement an authorization concept
- Describe the activities to be performed in each step
- Assign responsible persons to each activity
- Use the ASAP procedure model for implementing an authorization concept for your own projects

Overview Diagram (2)

(Course map: the units of the course, with "Conception with ASAP Methodology" highlighted as the current unit.)

Introduction; Conception with ASAP Methodology; Elements of the R/3 Authorization Concept; The User Master Record; Working with the Profile Generator; Profile Generator: Installation/Upgrade; Integration into Organizational Management; Access Control and User Administration; Analysis and Monitoring Functions; Special Authorization Components; Transporting Authorization Components; Central User Administration; mySAP.com and the Workplace

Conception with ASAP Methodology: Business Scenario

- Before going live, your company wants to implement an authorization concept.
- The steps required to realize the authorization concept must be planned in the context of the entire implementation process.
- During the planning phase you want to estimate the time and personnel resources needed.

Authorizations and ASAP

(Diagram: the ASAP Roadmap phases Project Preparation, Business Blueprint, Implementation, Final Preparation and Go Live & Support, followed by Continuous Improvement.)

- ASAP: SAP R/3 Project Implementation Procedure
- ASAP Components:
  - Project Plan ("Roadmap")
  - Additional Information ("Knowledge Corner")
  - Question and Answer Database
- Integration of Authorization Assignment and User Administration in the Business Blueprint and Implementation Phases.

- AcceleratedSAP (ASAP) is a comprehensive method for accelerating SAP R/3 implementation projects. The combination of the set of ASAP components ensures quick and efficient implementation of the SAP R/3 System.
- The ASAP Roadmap, a process-oriented, comprehensible, compressed project plan, leads the implementation process step by step. ASAP describes how to implement an authorization concept.
- At the highest level the ASAP Roadmap comprises five phases:
  - Project Preparation: Inclusion of all relevant decision-makers for the SAP R/3 implementation and selection of the internal and external members of the project team.
  - Business Blueprint: Determine the business requirements of the implementing company. The Business Blueprint is a visual representation of the status of the company which is to be realized in the SAP R/3 implementation.
  - Implementation: Configuration and fine-tuning of the SAP R/3 System.
  - Final Preparation: Test all interfaces, train users, migrate business data into the SAP R/3 System.
  - Go Live & Support: Start SAP R/3 production operation, specify procedures and benchmarks to permanently monitor the gains of the investment in SAP R/3.

Role and Authorization Concept: Steps

(Diagram: the steps Preparation, Analysis & Conception, Implementation, Quality Assurance & Tests, and Cutover, with "Determine User and Authorization Administration Strategy" running in parallel to all of them.)

- A Role and Authorization Concept is Implemented in 5 Steps
- Each Step Comprises Different Activities
- Each Activity is Associated with a Responsible Person
- User Administration and Authorization Management Organization is Parallel to User and Authorization Concept Implementation

- To fulfill a certain task, the employee responsible must normally use several applications. The transactions and reports used for a business activity can be combined into roles.
- It is important that users can only process those tasks that they are authorized to perform, and are prevented from making unintentional or incorrect changes in system areas which are outside their competence. As all SAP components use authorizations to control access to their functions, administrators assign to each role only those authorizations that are necessary to perform the role-specific tasks.
- Besides authorizations, a role comprises the user menu specifications. When a user logs on to an SAP system, the system displays a user-specific menu, with selected transactions, reports, and Internet links in the form of a tree structure. This menu is based on the assigned role. Users can only access transactions and reports that they are authorized to use. This eliminates unnecessary functions from the navigation structure. Note that the menu is a navigation aid only: what actually prevents a user from starting a transaction entered directly in the command field is the authorization check, not the absence of a menu entry.
- When developing the role and authorization concept, the challenge is to coordinate business requirements at a cross-department level and protect sensitive data against potential dangers.
- This is why we recommend that you develop the role and authorization concept as a separate project. You should follow the procedure explained in this training course and use the ASAP Roadmap as orientation.

Step 1: Preparation

(Diagram: the step sequence Preparation, Analysis & Conception, Implementation, Quality Assurance & Tests, Cutover, with Preparation highlighted.)

Measures:
- Set Up a Team for User Roles and Authorizations
- Clarify Prerequisites for Authorization Assignment
- Train the Team for User Roles and Authorizations
- Trigger Role and Authorization Project

- Set up a team responsible for the specification and implementation of the user roles and the authorization concept.
- Identify the business areas affected and their special security requirements. Like the control mechanisms selected, these can vary from area to area. Normally, the security requirements of the Human Resources department are more demanding than those of other departments. Therefore you must first determine the desired security level.
- Note: Consider the different security requirements for production, test and development environments. Also bear in mind that user roles often need to access multiple systems and may therefore require different functions and authorizations depending on the system.
- Train the team for roles and authorizations with regard to specification and implementation topics.
- The team members must be familiar with the basic principles of the SAP authorization concept and the available control and administration tools (central user administration, Global User Manager, and so on). The members responsible for implementation must be able to use the Profile Generator.
- Since the role and authorization project requires the cooperation of various business areas and departments, SAP recommends that you inform the responsible employees of the project targets set and establish communication channels at an early stage to ensure efficient handling.

Team for User Roles and Authorizations

(Diagram: key users (KU) from the application areas FI/CO, SD/MM, HR and PP together with Basis users (BC) from technical authorization management.)

KU = Key User, BC = Basis User (technical authorization management)

- When developing the role and authorization concept, the challenge is to coordinate business requirements at a cross-department level and protect sensitive data against potential dangers.
- While user roles and the authorization concept are specified with the cooperation of the individual business areas, they are normally implemented by the IT department. This is why you must set up a cross-area and cross-department project team.
- The team members have the following tasks:
  - Create SAP R/3-dependent role descriptions in the "Analysis & Conception" step.
  - Cooperate with the IT department during implementation.
  - Set up and run through test scenarios.
- To ensure that both the authorization concept and the procedures for user administration and authorization management comply with the control regulations of the company, internal audit must be involved in the authorization project at an early stage.

Step 2: Analysis & Conception

(Diagram: the step sequence with Analysis & Conception highlighted.)

Measures:
- Determine User Roles
- Complete Roles
- Determine Framework for Implementing the Roles
- Check Framework for Implementing the Roles

- Specification of the role and authorization concept:
  - Identify the required roles. Determine task profiles based on the organization chart and a business process analysis. Check whether SAP role templates can be used.
  - Assign the relevant application functions (transactions, reports, Web links) to the roles. Make any required adjustments if role templates are used.
  - Specify whether the roles are higher-level roles or specific roles; that is, whether they are subject to any restrictions resulting from organizational or application-specific control mechanisms.
  - Identify the composite and individual roles required for implementing the roles and the authorization concept.
- Check the role and authorization concept. To detect any shortcomings in the conception before the actual implementation, SAP recommends that you create a prototype of the concept.

Analysis: Determine User Roles

(Screenshot of the Authorization List, sheet "Role Design": an Excel table whose rows are the business processes from the Q&Adb, with the columns Enterprise area, Role name and Scope still empty. The process rows and their transactions are:)

- Financial Accounting > General Ledger Processing > Closing Operations
  - Profit and Loss Adjustment: General ledger: Profit and Loss Adjustment (F.50)
  - General ledger: Update Balance Sheet Adj. (F.5D), Post Balance Sheet Readj. (F.5E), Balance Sheet Readj., Log (F.5F), B/S Readj., Spec. Functions (F.5G)
- Accounts Payable Accounting > Invoices and Credit Memos > Parked Document Posting [Vendors]
  - Post Parked Document (FBV0), Change Parked Document (FBV2), Display Parked Document (FBV3), Change Parked Doc. (Header) (FBV4), Document Changes: Parked Documents (FBV5), Reject Parked Document (FBV6)
- Vendor Account Analysis > Balance Analysis
  - Customer Account Analysis (FD11), Vendor Account Balance (FK10), Display Vendor Balances (FK10N), Vendor Line Items (FBL1N)
- Correspondence with Vendors
  - Correspondence: Print Requests (F.61), Print Internal Docs. (F.62), Delete Requests (F.63), Maintain Requests (F.64)

- The Question and Answer database (Q&Adb) is used in the Business Blueprint phase of the ASAP project to analyze and determine the implementation scope. This database displays all business processes that can be modeled in SAP R/3 as a tree structure (reference structure). When creating the Business Blueprint, you determine which processes are to be implemented in SAP R/3.
- Starting with ASAP Release 4.6B, user roles can also be created in the Q&Adb and linked with the associated business processes. The relevant link information is passed to the authorization list, which is used to complete the role specifications.
- Using the authorization list, the user roles created in the Q&Adb are completed. When this list is created, the processes and roles specified are adopted.
- SAP systems are delivered with a number of role templates in which the associated application functions (transactions and reports), the user menu and the authorization data are predefined. These templates can be used as a basis for analyzing and developing the company-specific roles and the authorization concept.

Conception: Complete User Roles (1)

(Screenshot of the same Authorization List sheet "Role Design", now with the roles FI_Manag, AP_Manag and AP_Acc entered for enterprise area FI. The "x" marks in the three Scope columns record which of the process rows, and thus which of the transactions F.50 to F.64 listed above, each role covers.)

- The authorization list is a Microsoft Excel table that helps the project team model the user roles before they are implemented in SAP R/3. Using this list, the roles can be developed before the system is installed.
- In the authorization list, you create user roles and specify the associated transactions. It consists of two views:
  - Process View (Role Design - Q&Adb scope): The process view is generated from the Q&Adb. This view shows the processes that were selected when the Business Blueprint was created. The process hierarchy displayed corresponds to the reference structure of the Q&Adb. In this view, you can specify user roles and link them with processes.
  - Transaction Overview per Role (T-Codes per Role): In the transaction overview, you can generate an overview of the transactions assigned to each role (according to the modeling).

Technical Conception: Role Implementation (1)

(Diagram: the layers of the technical role structure, read from the user master record down to the transactions.)

- User: user master record
- User role: composite role, e.g. Accounts Payable Accountant, Accounts Payable Accounting Manager
- Activity block (group of related activities): role, e.g. Balance Analysis, G/L Document Maintenance
- Activities: transactions and reports, e.g. Vendor Line Items, Display Vendor Balances, Maintain Account Balances, Post Documents, Change Documents, ...

- User roles are technically implemented using individual, composite, and derived roles. Based on the transactions and reports selected for each role, the Profile Generator automatically determines the authorizations required for performing the functions specified, and creates the corresponding authorization profile. The proposals come from the check indicator defaults maintained per transaction (transaction SU24); fields for which no default exists, in particular the organizational levels, must be filled in manually before the profile is generated.
- Using individual, composite, and derived roles, you can model the role structure in two ways:
  - You can model each role as an individual role that contains all required functions. If some functions are used unchanged in multiple roles, the associated transactions and reports are contained in several individual roles. If general function modifications are required, this consequently affects several individual roles.
  - Alternatively, you can model each role as a composite role consisting of individual and derived roles. In this case, the individual and derived roles represent activity blocks, that is, groups of interrelated functions (for example: all functions needed for a specific business scenario). Since individual and derived roles contain encapsulated functions, they can be used in multiple composite roles. The advantage of this approach is that duplicated maintenance of transactions used in several user roles is avoided. Therefore, organizational or process-related modifications that affect several user roles can be applied by adjusting a single role.

SAP AG 2001

Conception: Complete User Roles (2)

[Slide: Authorization List - Role Design. Enterprise area FI; roles FI_Manag, AP_Manag, AP_Acc; the scope of each role is marked with an "x" per transaction. Business processes and transactions shown:]

Financial Accounting / General Ledger Processing / Closing Operations:
Profit and Loss Adjustment: F.50 (General ledger: Profit and Loss Adjustment)
F.5D (General ledger: Update Balance Sheet Adj.), F.5E (General ledger: Post Balance Sheet Readj.), F.5F (General ledger: Balance Sheet Readj., Log), F.5G (General ledger: B/S Readj., Spec. Functions)

Accounts Payable Accounting / Invoices and Credit Memos / Parked Document Posting [Vendors]:
FBV0 Post Parked Document, FBV2 Change Parked Document, FBV3 Display Parked Document, FBV4 Change Parked Doc. (Header), FBV5 Document Changes: Parked Documents, FBV6 Reject Parked Document

Vendor Account Analysis / Balance Analysis:
FD11 Customer Account Analysis, FK10 Vendor Account Balance, FK10N Display Vendor Balances, FBL1N Vendor Line Items

Correspondence with Vendors:
F.61 Correspondence: Print Requests, F.62 Correspondence: Print Internal Docs., F.63 Correspondence: Delete Requests, F.64 Correspondence: Maintain Requests

n Modeling the role structure: Analyze the authorization list and determine the areas in which access to several roles is needed. Such activity blocks can be implemented as roles.

n To simplify implementation, you can subsequently modify roles during the technical conception phase, for example, by choosing additional functions to use activity blocks already defined.

n Note that access to the same transactions and reports is not a sufficient criterion for the existence of an activity block. Since authorizations may even vary at field level, you must implement the different variants of activity blocks as separate or derived roles.

n Even if you implement each role as a separate role, certain functions are encapsulated in separate roles (for example, the basis authorizations of the end-users).

SAP AG 2001

Technical Conception: Role Implementation (2)

[Diagram: the composite roles Financial Accounting Manager, Accounts Payable Accounting Manager and Accounts Payable Accountant assembled from the encapsulated individual roles MaintainDocuments, BalanceAnalysis, Correspondence and ClosingOperations; MaintainDocuments is reused in all three composite roles]

Technical Conception: Role Implementation (2)

n During the first conception and implementation approach, individual functions are encapsulated in separate roles (for example, the Basis authorizations of the end-users).

n From a technical point of view, all elements of the authorization concept must be assigned a unique identifier. This is why you must define individual naming conventions for all role types.

n You can define naming conventions based on different criteria, for example, country, business area (FI, CO, ...), or application component (FI-AP, CO-PA, ...).

n If you want to decentralize user and authorization management, the naming conventions are also required for administrative purposes. In this case, the access rights of the decentral administrators should be limited to those (composite) roles that belong to a specific business area and thus apply only to a restricted namespace.

n Since roles are divided into individual and derived roles, the user roles created in this step may be different from the original specification defined during the development phase. For example, the roles may contain more or fewer activities (transactions and reports). This is why you must check that the roles have been properly defined before implementation.

n SAP recommends that you carry out a test implementation of the user roles and authorization concept in order to check the technical conception.

SAP AG 2001

Step 3: Implementation

[Roadmap: Preparation, Analysis & Conception, Implementation (current step), Quality Assurance & Tests, Cutover]

Measures:

l Create Roles

l Create Derived Roles

l Create Composite Roles

n From a technical point of view, user roles are implemented as composite roles using the Profile Generator. Composite roles consist of individual and composite roles that each contain the relevant authorizations and menu data. Authorizations specify the scope of access to data and functions. User menus use hierarchical structures to specify the access path to the transactions, reports and Internet pages released for a specific user.

n You create user roles in the following way:

• Create individual roles: Individual roles either describe higher-level functions that are independent of organizational or application-specific restrictions, or they serve as unrestricted templates from which derived roles are created.

• Having checked the individual roles used as the derivation basis, you create the derived roles, which contain the desired organizational or application-specific restrictions. For each responsibility area, you create a derived role from an existing individual role.

• Finally, the composite roles are created from the implemented individual and derived roles as the technical counterparts of the user roles.

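The three steps above, as an added example that is not SAP code or part of the CA940 material: reusable single roles (activity blocks) are derived from a user-role matrix, a derived role inherits its parent's transactions and adds organizational values, and composite roles are assembled and verified against the original matrix rows. The matrix is the solution matrix of exercise 1-2 on this page; the GR00_ names and the company-code value are constructed.

```python
"""Role-structure model for the three-step procedure: derive reusable single
roles (activity blocks) from the user-role matrix, derive org-restricted
roles from them, and assemble composite roles that must reproduce the
original user roles. Added example, not SAP code or CA940 material. The
matrix is the exercise 1-2 solution on this page; the GR00_ names and the
company-code values are constructed."""
from dataclasses import dataclass

# User-role matrix (role name -> transactions) from the exercise solution.
USER_ROLES: dict[str, set[str]] = {
    "AccRec": {"MM03", "MM04", "MM19", "FD01", "FD02", "FD03",
               "F-18", "F-26", "F-28"},
    "SDClerk": {"MM03", "MM04", "MM19", "VD01", "VD02", "VD03", "VA21",
                "VA22", "VA23", "VA25", "VA01", "VA02", "VA03", "VA05",
                "V.01"},
    "SDMan": {"MM03", "MM04", "MM19", "FD01", "FD02", "FD03", "VD01",
              "VD02", "VD03", "VA21", "VA22", "VA23", "VA25", "VA01",
              "VA02", "VA03", "VA05", "V.01"},
    "Whouse": {"MM03", "MM04", "MM19", "MB1C", "MB90", "VL21"},
}


@dataclass
class SingleRole:
    """Encapsulated activity block, free of organizational restrictions."""
    name: str
    transactions: frozenset[str]


@dataclass
class DerivedRole:
    """Inherits the parent's transactions; only org-level values differ."""
    name: str
    parent: SingleRole
    org_values: dict[str, frozenset[str]]  # e.g. {"BUKRS": {"1000"}}

    @property
    def transactions(self) -> frozenset[str]:
        return self.parent.transactions


@dataclass
class CompositeRole:
    """Technical counterpart of a user role: a bundle of single/derived roles."""
    name: str
    members: tuple

    def effective_transactions(self) -> frozenset[str]:
        return frozenset().union(*(m.transactions for m in self.members))


def activity_blocks(matrix: dict[str, set[str]]) -> dict[frozenset[str], frozenset[str]]:
    """Step 1: group transactions by the exact set of user roles using them.
    Each group is a candidate single role. This is the coarsest split; the
    page notes that field-level differences (or business-process
    boundaries) may require splitting a block further."""
    used_by: dict[str, set[str]] = {}
    for role, tcodes in matrix.items():
        for tcode in tcodes:
            used_by.setdefault(tcode, set()).add(role)
    blocks: dict[frozenset[str], set[str]] = {}
    for tcode, roles in used_by.items():
        blocks.setdefault(frozenset(roles), set()).add(tcode)
    return {roles: frozenset(tcodes) for roles, tcodes in blocks.items()}


def derive(parent: SingleRole, suffix: str, **org: set[str]) -> DerivedRole:
    """Step 2: one derived role per responsibility area (e.g. company code)."""
    return DerivedRole(f"{parent.name}_{suffix}", parent,
                       {field: frozenset(vals) for field, vals in org.items()})


def build_composites(matrix: dict[str, set[str]],
                     blocks: dict[frozenset[str], frozenset[str]],
                     prefix: str = "GR00_") -> dict[str, CompositeRole]:
    """Step 3: one single role per block, one composite role per user role."""
    singles = {roles: SingleRole(prefix + "_".join(sorted(roles)), tcodes)
               for roles, tcodes in blocks.items()}
    return {role: CompositeRole(prefix + role,
                                tuple(s for roles, s in singles.items() if role in roles))
            for role in matrix}


def verify(matrix: dict[str, set[str]], composites: dict[str, CompositeRole]) -> bool:
    """Each composite must reproduce its matrix row exactly: nothing
    missing and, just as important, nothing extra granted."""
    return all(composites[role].effective_transactions() == frozenset(tcodes)
               for role, tcodes in matrix.items())


if __name__ == "__main__":
    found = activity_blocks(USER_ROLES)
    for roles, tcodes in found.items():
        print(sorted(roles), "->", sorted(tcodes))
    comps = build_composites(USER_ROLES, found)
    print("composites reproduce the matrix:", verify(USER_ROLES, comps))
    ip_post = SingleRole("GR00_FI_IP_POST", frozenset({"F-18", "F-26", "F-28"}))
    print(derive(ip_post, "1000", BUKRS={"1000"}))
```

The matrix yields five blocks, one fewer than the six roles of the model solution, because customer maintenance and sales order transactions have the same usage pattern; the model solution splits them by business process.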
SAP AG 2001

Step 4: Quality Assurance & Tests

[Roadmap: Preparation, Analysis & Conception, Implementation, Quality Assurance & Tests (current step), Cutover]

Measures:

l Test User Roles and Authorization Concept

l Release Roles and Authorization Concept

n To ensure that productive operation is not affected, it is important to thoroughly test the user roles together with their authorizations before you switch over to production. In addition, the responsible area manager must approve the implemented role and authorization concept.

n To standardize the test, the relevant process flows must be determined and published. You should use predefined test scenarios that cover all business processes implemented.

n The test scenarios should include both positive and negative checks of the authorizations of the individual roles. The positive test checks whether the functions are executed as desired, while the negative test must confirm that all restrictions defined are observed. For example, a human resources administrator can display the users for a specific work center, but not the records for other work centers. The test scenarios must cover all functions that are to be performed by a user role.

n If a function cannot be called during the test, you must correct the user roles and the authorization concept. Note that changes may affect several (derived) roles. In extreme cases, you must revise the entire role and authorization concept.

n You may also be required to modify the user menus in order to simplify access to the functions. To ensure that the system becomes more user-friendly, the project team responsible should closely cooperate with the representatives of the relevant business areas.

n After fine-tuning the user roles, you must repeat the tests as often as necessary until the user roles implemented completely comply with the security and usability requirements.

SAP AG 2001

Step 5: Cutover

[Roadmap: Preparation, Analysis & Conception, Implementation, Quality Assurance & Tests, Cutover (current step)]

Measures:

l Set Up Productive Environment

l Create User Master Records for Productive Users

l Accept Role and Authorization Project

n Before you create the productive users, you must configure central user management and create the master records for user management in your production environment.

n To simplify the creation of the individual user master records, you first create model records. These model records are used as copy templates for the records of the productive users. In the central system, create a user master record for each role specified in the company-wide role matrix (authorization list). If a role is subdivided into several responsibility areas that are subject to organizational restrictions (company code, cost center, plant, and so on) or application-specific control mechanisms (for example, FI authorization groups), you must create a separate record for each responsibility area. Be sure to maintain the additional data (parameters, printers, and so on).

n After consulting the area managers (data owners), define the roles for each user. Consider that some users may have several roles or different roles in various logical systems (clients). Enter the assignments in a user and role matrix.

n To create a master record for a user, you copy the model record for the relevant role and customize this record as required.

n Get the final approval of the area managers with regard to the users created and communicate all access-relevant data (system, client, ID, and password) to the end-users.

SAP AG 2001

User and Authorization Administration Strategy

[Roadmap: Preparation, Analysis & Conception, Implementation, Quality Assurance & Tests, Cutover; accompanying activity: Determine User and Authorization Administration Strategy]

Measures:

l Specify Technical User and Authorization Administration Strategy

l Specify User and Authorization Administration Procedure

l Train Users and Authorization Administrators

n The SAP environment offers various possibilities for managing users. Users distributed in a far-reaching system landscape can be managed from within a central system: All users are initially created in a central logical system (client) and then distributed to the other clients of the entire installation.

n Before you set up a central user management, you must determine which processes (for example, assigning or locking roles) can be run locally, and if modifications made in local systems (for example, address changes) should be passed on to the central system. A consistent central user management can be set up for such different SAP systems as SAP R/3, APO, and CRM.

n After the role and authorization concept is implemented, the members of the project team are normally no longer responsible for managing users and authorizations. Depending on how the tasks are distributed in the company, the users are managed either centrally (for example, using a help desk) or decentrally (by local location or department administrators). You must assign and train employees for this purpose.

SAP AG 2001

User and Authorization Administration Strategy

[Diagram: Development System and User Administration System. System Administrator; Authorization Data Administrator: Create Role, Maintain Role; Authorization Profile Administrator: Activate Profile; User Administrator: Maintain Users, Assign Role]

n Managing authorizations includes creating, activating, changing, deleting, and transporting roles, while managing users means defining, changing, deleting, locking and monitoring users, and assigning passwords and authorizations. The user and authorization management tasks should be distributed among several administrators (for example, separate user, authorization data, and profile administrators). By dividing the tasks, you ensure that no single administrator gets full control of user authorizations (security checking principle requiring at least two persons).

n By assigning the user maintenance tasks to local administrators that represent individual departments or locations, you can even further decentralize user and authorization management. Having an administrator on site can also be desirable since first-time users accessing the system often need to be introduced to their task-specific user role. In addition, decentral administrators are useful for reporting since they know to whom the user IDs refer.

n From a technical point of view, decentralization is achieved by subdividing the users into user groups and limiting the rights of the local administrators with regard to the assignment of authorizations. Decentral administrators may only maintain the users of the group that has been assigned to them. In addition, decentral administrators should only be allowed to assign authorizations that are required in their department or at their site in accordance with the naming conventions of user roles.

SAP AG 2001

Conception with ASAP Methodology: Unit Summary

You are now able to:

l List the steps necessary to implement an authorization concept

l Describe the activities to be performed in each step

l Assign responsible persons to each activity

l Use the ASAP procedure model for implementing an authorization concept for your own projects

Exercises

Unit: Conception with ASAP Methodology

At the conclusion of these exercises you will be able to

• Describe the individual worksheets of the authorization list

• Define roles in the authorization list

• Assign transactions to these roles

• Group transactions

• Generate an overview of the roles with the relevant transactions

Open the Excel file AL-CA940.XLS which you can find in the shared folders and answer the following questions.

The general repository is in the Business Workplace.

Menu Path: Menu → Office → Workplace → General repository → CA940

Double-click the Excel file to open it. On the dialog box that appears choose Enable Macros.

Save the Excel file on your hard disk under the name AL-CA940-##.

1-1-1 Which master data was copied from ASAP Q&Adb level 3? Master data for _________________________ and _________________________

1-1-2 Which business processes were copied from ASAP Q&Adb level 5? ______________________________________________________ ______________________________________________________

1-1-3 Which transaction codes were copied for the sales order processing business process? ______________________________________________________

1-2 Define roles for the enterprise areas:

• Financial Accounting (FI)

• Sales and Distribution (SD) and

• Materials Management (MM)

and assign transactions to these roles.

1-2-1 a) Create the role for an Accounts receivable accountant (AccRec). To do this, enter FI in the column header for Enterprise area and AccRec as role name on the Roles Design – Q&Adb Scope worksheet.

b) Assign all transactions of the Manual Incoming Payments business process to the accounts receivable accountant by placing an 'x' for these transactions in the AccRec column. The accounts receivable accountant should also be able to maintain the accounting views of the accounts receivable master.

1-2-2 Define a role SDClerk for a Sales and Distribution clerk, and assign all transactions of the Sales Order Processing (Standard) business process as well as transactions for maintaining the SD views of the accounts receivable master records to this role.

1-2-3 Define a role SDMan for the Sales and Distribution manager, and assign all transactions of the Sales Order Processing (Standard) business process as well as transactions for maintaining all (accounting and sales and distribution) views of the accounts receivable master to this role.

1-2-4 Define a role for a warehouse supervisor (Whouse) for the MM enterprise area. Assign the transactions of the Goods Receipt Processing business process to this role.

1-2-5 Add transactions MM03, MM04, and MM19 for displaying material master data to all roles.

1-3 Go to the second worksheet, T-Codes per Role. Generate an overview of the transactions and roles by pressing the appropriate button.

How many transactions were chosen for the individual roles: AccRec _____________ Transactions SDClerk _____________ Transactions SDMan _____________ Transactions Whouse _____________ transactions

1-4 Combine these transactions into meaningful roles to ensure that these single roles can be reused in composite roles.

There are several ways to do this.

Go back to the first worksheet Roles Design – Q&Adb scope.

1-4-1 Combine several transactions into roles so that these single roles can be reused in composite roles. To do this, you can color-code or draw a border around the roles on a cross-role basis.

1-4-2 Assign a name to the roles, and enter the relevant transactions into the following table.

Role Name Transactions for this Role

Solutions

Unit: Conception with ASAP Methodology

1-1 Open Excel file AL-CA940.XLS, which is in the general Business Workplace repository of your SAP R/3 System, and answer the following questions.

The general repository is in the Business Workplace.

Menu Path: Menu → Office → Workplace → General repository → CA940

1-1-1 General master data for Material master and Accounts receivable master record

1-1-2 Customer quotation processing Sales order processing Goods receipt processing Manual incoming payments

1-1-3 VA01 VA02 VA03 VA05 V.01

1-2 Excel authorization list on the Roles Design – Q&Adb worksheet (x = transaction in the scope of the role):

Enterprise area >>>    FI       SD        SD       MM
Role name >>>          AccRec   SDClerk   SDMan    Whouse
T Code                 Scope    Scope     Scope    Scope
MM01
MM02
MM03                   x        x         x        x
MM19                   x        x         x        x
MM04                   x        x         x        x
FD01                   x                  x
FD02                   x                  x
FD03                   x                  x
VD01                            x         x
VD02                            x         x
VD03                            x         x
VA21                            x         x
VA22                            x         x
VA23                            x         x
VA25                            x         x
VA01                            x         x
VA02                            x         x
VA03                            x         x
VA05                            x         x
V.01                            x         x
MB1C                                               x
MB90                                               x
VL21                                               x
F-18                   x
F-26                   x
F-28                   x

1-3 The button for generating the transaction and role overview is located in cell A4.

1-4 Go back to the first worksheet Roles Design – Q&Adb scope.

1-4-1 Several solutions are possible. Model solution as sample authorization concept: See next page or exercise 1 for unit Working with the Profile Generator 1

1-4-2 In the following table, the role names are presented in accordance with the example authorization concept. The example authorization concept is presented graphically on the next page.

Role Name Transactions for this Role

GR##_MM_MAT_DISP MM03, MM04, MM19

GR##_FI_ACCRECI_MAINT FD01, FD02, FD03

GR##_SD_CUST_MAINT VD01, VD02, VD03

GR##_SD_SALES VA21, VA22, VA23, VA25, VA01, VA02, VA03, VA05, V.01

GR##_MM_WE_POST MB1C, MB90, VL21

GR##_FI_IP_POST F-18, F-26, F-28

Sample Authorization Concept

Enterprise area >>>    FI       SD        SD       MM       Activity group
Role name >>>          AccRec   SDClerk   SDMan    Whouse
T Code                 Scope    Scope     Scope    Scope
MM01
MM02
MM03                   x        x         x        x        GR##_MM_MAT_DISPL
MM19                   x        x         x        x        GR##_MM_MAT_DISPL
MM04                   x        x         x        x        GR##_MM_MAT_DISPL
FD01                   x                  x                 GR##_FI_ACCREC_MAINT
FD02                   x                  x                 GR##_FI_ACCREC_MAINT
FD03                   x                  x                 GR##_FI_ACCREC_MAINT
VD01                            x         x                 GR##_SD_CUST_MAINT
VD02                            x         x                 GR##_SD_CUST_MAINT
VD03                            x         x                 GR##_SD_CUST_MAINT
VA21                            x         x                 GR##_SD_SALES
VA22                            x         x                 GR##_SD_SALES
VA23                            x         x                 GR##_SD_SALES
VA25                            x         x                 GR##_SD_SALES
VA01                            x         x                 GR##_SD_SALES
VA02                            x         x                 GR##_SD_SALES
VA03                            x         x                 GR##_SD_SALES
VA05                            x         x                 GR##_SD_SALES
V.01                            x         x                 GR##_SD_SALES
MB1C                                               x        GR##_MM_GR_POST
MB90                                               x        GR##_MM_GR_POST
VL21                                               x        GR##_MM_GR_POST
F-18                   x                                    GR##_FI_IP_POST
F-26                   x                                    GR##_FI_IP_POST
F-28                   x                                    GR##_FI_IP_POST

SAP AG 2001

Elements of the SAP R/3 Authorization Concept

Contents:

l Overview of the elements of the SAP R/3 authorization concept

l Authorization fields, objects, and object classes

l Authorizations and authorization profiles

l Authorization check in the program

l Security checks during transaction start

l Roles and authorization profiles

l Roles and the Easy Access menu

SAP AG 2001

Elements of the SAP R/3 Authorization Concept: Unit Objectives

At the conclusion of this unit, you will be able to:

l List the elements of the authorization concept and know the differences between them

l Describe the authorization concept as a whole

l Know how and when authorization checks are performed

l Explain the meaning of an authorization object

SAP AG 2001

Overview Diagram (3)

[Course units: Introduction; Access Control and User Administration; Conception with ASAP Methodology; Elements of the SAP R/3 Authorization Concept (this unit); The User Master Record; Central User Administration; mySAP.com and the Workplace; Working with the Profile Generator; Special Authorization Components; Integration into Organizational Management; Profile Generator: Installation/Upgrade; Transporting Authorization Components; Analysis and Monitoring Functions]

SAP AG 2001

Elements of the SAP R/3 Authorization Concept: Business Scenario

l The SAP R/3 authorization concept prevents unauthorized access to the system and to data and objects within the system. Users that are to perform specific functions in the SAP R/3 System need a user master record with the relevant authorizations.

SAP AG 2001

Overview of the elements of the SAP R/3 authorization concept

[Diagram: Authorization field → Authorization object → Authorization object class; Authorization → Authorization profile → Role → User]

n Authorization field: Smallest unit against which the check should be run (ACTVT, BUKRS).

n Authorization Object: Groups 1 to 10 authorization fields together. These fields are then checked simultaneously (example: F_LFA1_APP Creditor: Application authorization).

n Authorization object class: Logical grouping of authorization objects (for example, all authorization objects for object class FI).

n Authorization: An instance of an authorization object, that is, a combination of allowed values for each authorization field of an authorization object.

n Authorization profile: Contains instances (authorizations) for different authorization objects.

n Role: Is generated using the Profile Generator (Transaction PFCG), and allows the automatic generation of an authorization profile. A role describes the activities of an SAP R/3 user.

n User Master Record: Used for logging on to SAP systems and grants restricted access to functions and objects of SAP systems based on authorization profiles.

n Naming conventions for custom developments (see SAP Notes 20643 and 16466):

• Authorizations and authorization profiles are Customizing objects and must therefore not be in the customer namespace (Y, Z). They must not contain an underscore in the second position.

• Authorization classes, objects, and fields are development objects and must begin with Y or Z (customer namespace).

SAP AG 2001

Authorization Fields, Objects, Object Classes

[Diagram with three columns: Authorization fields (BUKRS, ACTVT, WERKS, BEGRU); Authorization objects (M_RECH_BUK, F_BKPF_BUK, F_KNA1_BUK, C_KAPA_PLA, C_ARPL_WRK, M_MSEG_WWA, V_KNA1_BRG, C_DRAW_BGR); Authorization object classes (MM_R, FI, PP, MM_B, SD, CV)]

n Example:

The authorization fields BUKRS (company code) and ACTVT (activity) are used in the following authorization objects, among others:

• M_RECH_BUK: Authorization to release blocked invoices for specific company codes.

• F_BKPF_BUK: Authorization to edit documents for specific company codes.

• F_KNA1_BUK: Authorization to maintain the accounts receivable master for specific company codes.

In the authorizations for each authorization object, you can specify which activities (such as create, change, display, and so on) may be performed in which company code. Each object has a specific number of allowed activities, which are described in the object documentation.

n All possible activities (ACTVT) are stored in table TACT (transaction SM30).

n The valid activities for each authorization object can be found in table TACTZ (transaction SE16).

SAP AG 2001

Authorization

[Diagram: two authorizations for the fields BUKRS and ACTVT (create, change, display). Authorization A: BUKRS 1000, 2000; ACTVT 01, 02, 03. Authorization B: BUKRS 1000, 2000, 3000; ACTVT 03]

n Example:

• Authorization A allows the user to perform the create, change and display activities in company codes 1000 and 2000.

• Authorization B allows the user to perform only the display activity in company codes 1000, 2000, and 3000.

n If the user has both authorization A and authorization B, they work together: the user can create, change and display in company codes 1000 and 2000, but can only display in company code 3000.

SAP AG 2001

Authorizations and Authorization Profiles

[Diagram: the authorization objects S_TCODE (field TCD), F_BKPF_BUK (fields ACTVT, BUKRS), F_BKPF_GSP (ACTVT, GSBER) and F_BKPF_KOA (ACTVT, KOART), each with several authorizations (instances) for work centers 1 to 3, and the authorization profile of work center 2 assembled from one authorization per object; the values are given in the notes below]

n You can define several different authorizations for an authorization object. This means that an authorization object has various instances.

n Example: Authorization object F_BKPF_BUK has the following authorizations:

• Work center 1: Authorized to create, change and display documents in company code 2000.

• Work center 2: Authorized to create, change and display documents in company code 1000.

• Work center 3: Authorized to display documents in company code 1000.

n You can assign multiple authorizations to a work center. Grouped together, these authorizations are called an authorization profile.

n Example: Work center 2 has the following authorization profile:

• Authorization to perform transaction codes F-22, F-27, FB02, and FB03.

• Authorization to create, change and display documents in company code 1000.

• Authorization to create, change and display documents in business area 2000.

• Authorization to create, change and display document items for the accounts receivable account type.

SAP AG 2001

Authorization Check in the Program

[Slide: Change Accounting Document, transaction FB02, program SAPMF05L]

    ....
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
             ID 'ACTVT' FIELD '02'
             ID 'BUKRS' FIELD BUK.
    IF SY-SUBRC NE 0.
      MESSAGE E083 WITH BUK.
    ENDIF.
    ....

User authorizations: object F_BKPF_BUK, authorization BUK with field values ACTVT 02, 03 and BUKRS 1000.

Check result: authorization BUK (BUKRS 1000) passes the check.

n Authorization checks in programs are performed using the ABAP command AUTHORITY-CHECK.

n A program may contain any number of authorization checks.

n Example: The user wants to call transaction FB02. An AUTHORITY-CHECK is coded in the ABAP program SAPMF05L which calls transaction FB02. The following authorization is checked:

• Authorization object F_BKPF_BUK

• Authorization field ACTVT (activity) on value 02 (change).

• Authorization field BUKRS (company code) on value 1000.

n Only if the user has the authorization object F_BKPF_BUK with the authorization fields ACTVT (02) and BUKRS (1000) as authorization is he allowed to perform the transaction.

n After the authorization check, the system gives back a return code. The valid return codes for the AUTHORITY-CHECK statement are:

• 0: The user has the authorization for the authorization object with the correct field values.

• 4: The user has an authorization for the authorization object, but the values checked are not assigned to the user.

• 12: The user does not have any authorization for the authorization object in the user buffer.

SAP AG 2001

Security Checks during Transaction Start

[Flow diagram: Change Accounting Document. System program: 1. Authorization for transaction (authorization object S_TCODE)? No → STOP. 2. Authorization for authorization object in table TSTCA? No → STOP. Yes → ABAP program: authorization checks → Initial screen → Next screen]

n When starting a transaction, a system program executes a series of checks to ensure that the user has the appropriate authorizations.

n Step 1: Check if the user has the authority to start the transaction. Authorization object S_TCODE (transaction start) contains the authorization field TCD (transaction code). The user must have the authorization for the transaction code to be started (e.g. FK01, Create Vendor).

n Step 2: Check if an authorization object is assigned to the transaction code. If this is the case, the system checks if the user has an authorization for this authorization object. The transaction code / authorization object assignment is stored in table TSTCA.

n If any of the above steps fail, the transaction will not begin, and the user will receive a message.

n NOTE: The ABAP statement AUTHORITY-CHECK is used to check the authorization object assigned to the transaction. The check is performed during transaction start by the ABAP program called by the transaction.
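The AUTHORITY-CHECK return codes and the two-step check at transaction start described above, as an added example that is not SAP code: a user buffer holding authorizations A and B from the earlier example, a check that returns 0, 4 or 12, and the S_TCODE plus TSTCA sequence run before the program's own check. The TSTCA excerpt, the S_TCODE values and the binding of A and B to object F_BKPF_BUK are constructed.

```python
"""Simulation of the AUTHORITY-CHECK return codes (0, 4, 12) and of the
two-step check at transaction start (S_TCODE, then the object from table
TSTCA). Added example, not SAP code. The TSTCA excerpt, the S_TCODE values
and the binding of Authorizations A and B to object F_BKPF_BUK are
constructed; the A/B field values are those on this page."""
from dataclasses import dataclass


def value_matches(allowed: str, actual: str) -> bool:
    """'*' matches any value and a trailing '*' (e.g. 'Z*') matches a
    prefix; anything else must be equal. Intervals are not modelled."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return actual.startswith(allowed[:-1])
    return allowed == actual


@dataclass
class Authorization:
    """One instance of an authorization object: allowed values per field."""
    name: str
    obj: str
    values: dict[str, set[str]]

    def permits(self, checked: dict[str, str]) -> bool:
        # All checked fields must be covered by this single authorization;
        # values from two different authorizations are never combined.
        return all(any(value_matches(a, v) for a in self.values.get(f, ()))
                   for f, v in checked.items())


class UserBuffer:
    """Authorizations of the logged-on user, grouped by object."""

    def __init__(self, auths: list[Authorization]) -> None:
        self.by_object: dict[str, list[Authorization]] = {}
        for auth in auths:
            self.by_object.setdefault(auth.obj, []).append(auth)

    def authority_check(self, obj: str, **fields: str) -> int:
        """Return code as documented for AUTHORITY-CHECK:
        12: no authorization for the object in the user buffer,
         4: object present, but no authorization covers the checked values,
         0: one authorization covers all checked values."""
        auths = self.by_object.get(obj)
        if not auths:
            return 12
        return 0 if any(a.permits(fields) for a in auths) else 4


# Constructed excerpt of TSTCA: transaction code -> (object, values
# checked by the system program before the ABAP program starts).
TSTCA = {
    "FB02": ("F_BKPF_BUK", {"ACTVT": "02"}),
    "FK01": ("F_LFA1_APP", {"ACTVT": "01"}),
}


def start_transaction(buf: UserBuffer, tcode: str) -> tuple[bool, str]:
    """Step 1: S_TCODE with field TCD. Step 2: the TSTCA object, if any.
    Only when both pass does the ABAP program run its own checks."""
    if buf.authority_check("S_TCODE", TCD=tcode) != 0:
        return False, f"no authorization to start transaction {tcode}"
    if tcode in TSTCA:
        obj, fields = TSTCA[tcode]
        rc = buf.authority_check(obj, **fields)
        if rc != 0:
            return False, f"no authorization for object {obj} (sy-subrc {rc})"
    return True, "initial screen"


def change_document(buf: UserBuffer, bukrs: str) -> int:
    """Program-level check of SAPMF05L (FB02) from the slide: F_BKPF_BUK
    with ACTVT 02 and the company code of the document being changed."""
    return buf.authority_check("F_BKPF_BUK", ACTVT="02", BUKRS=bukrs)


def example_user() -> UserBuffer:
    """Authorizations A and B from this page plus a constructed S_TCODE."""
    return UserBuffer([
        Authorization("A", "F_BKPF_BUK",
                      {"BUKRS": {"1000", "2000"}, "ACTVT": {"01", "02", "03"}}),
        Authorization("B", "F_BKPF_BUK",
                      {"BUKRS": {"1000", "2000", "3000"}, "ACTVT": {"03"}}),
        Authorization("T", "S_TCODE", {"TCD": {"FB02", "FB03", "FK*"}}),
    ])


if __name__ == "__main__":
    user = example_user()
    # A and B work together: change in 1000 is allowed, in 3000 only display.
    print("change 1000:", change_document(user, "1000"))  # 0
    print("change 3000:", change_document(user, "3000"))  # 4
    print("F_LFA1_APP:", user.authority_check("F_LFA1_APP", ACTVT="01"))  # 12
    print(start_transaction(user, "FB02"))
    print(start_transaction(user, "FK01"))
```

Note that create in company code 3000 returns 4 even though A allows ACTVT 01 and B allows BUKRS 3000: field values are never combined across two authorizations, which is why the page's A/B example grants only display in 3000.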

SAP AG 2001

Roles and Authorization Profiles

[Diagram: Create roles using the Profile Generator (PFCG): Choose activities (transactions, reports, Web links) → Maintain authorization data (define authorization objects) → Generation. Results: User menu and Authorization profile (authorization for authorization object xxx, ...)]

n To provide users with user-specific menus after they have logged on to an SAP R/3 System, you use roles. These are defined using the Profile Generator.

n A role is a set of functions describing a specific work area. The 'Accounts Receivable Accountant' role, for example, contains transactions, reports, and/or Internet/Intranet links that an accountant needs for his or her daily work. In the role, you also assign the authorizations that users need to access the transactions, reports, and so on contained in the menu.

n A role can be assigned to any number of users.

n A large number of roles are delivered with the standard SAP R/3 System. Before you define your own roles, check if one of the user roles delivered as part of the standard SAP R/3 System can be used. The predefined roles are delivered as templates, and begin with the prefix SAP_.

n To automatically generate an authorization profile, you must first create a role. In the role, you organize transactions, reports, or Web addresses in a user menu. This user menu appears when the user to which the authorization profile is assigned logs on to the SAP R/3 System. A user menu contains activities that are required by a group of users for their work area.

SAP AG 2001

Roles and the Easy Access Menu

[Screenshot: SAP Easy Access (Menu, Edit, Favorites, Extras, System, Help; buttons Other menu, Create menu, Assign users) showing the role SAP_BC_USER_ADMIN_AG]

Favorites: SU01 User Maintenance

User Administration: SU01 - User Maintenance, PFCG - Role Maintenance, SU01D - Display User, SU05 - Internet User Maintenance, SU10 - User Mass Maintenance, SUGR - Maintain User Groups

n The new user menu SAP Easy Access provides a user-specific point of entry into the SAP R/3 System.

n The user menu contains only those transactions, reports and Web addresses needed by the users for their daily work processes.

n The user menus are created using the Profile Generator.

n For users with system administrator authorization, the SAP Easy Access menu provides some additional functions for:

• Creating roles

• Calling menus for roles and assigning them to users

n In order to be able to use these extended functions, you need authorizations for the following authorization objects:

Authorization Object   Value
S_USER_TCD             PFCG
S_USER_PRO             *
S_USER_AUT             *
S_USER_GRP             *

SAP AG 2001

Elements of the SAP R/3 Authorization Concept: Unit Summary

You are now able to:

l Describe the elements of the authorization concept

l Describe the process flow of an authorization check in the program

l Describe the authorization checks during transaction start

l Describe the differences between roles and authorization profiles

l Explain the relationship between roles and the Easy Access menu

Exercises

Unit: Elements of the SAP R/3 Authorization Concept

At the conclusion of these exercises you will be able to

• Distinguish between the elements of the authorization concept

• Display a user master record and find out the authorizations of a specific user

• Find out the meaning of an authorization object

1-1 Display the master record of user CA940-##.

1-1-1 Are roles assigned to the user? If yes, which ones? ______________________ _____________________________________________

1-1-2 Is an authorization profile assigned to the user? If yes, which one/s? _____________________ ____________________________________________

1-1-3 Display the details for the authorization profile CA940_PLUS.

Double-click the profile name to go to the detail screen of the authorization profile.

Expand the tree structure of the authorization profile.

Do you have authorizations for the following authorization objects?
- F_BKPF_BUK? _____
- PLOG? _____
- S_TCODE? _____
- S_USER_GRP? _____
What is the name of your authorization(s) for the object S_USER_GRP? ______________________________________________________
Which authorization fields does the object S_USER_GRP consist of? _______________________________________________________
Which authorization values do you have for the authorization object S_USER_GRP? _________________________________________________________
From the detail screen of the authorization profile, go back to the display of the user master record.

1-1-4 Navigate to the Information System using the SAP menu (Tools → Administration → User Maintenance → Information System). Expand the structure for the node Authorization Objects, and select the report List Authorization Objects by object name, text by double-clicking it. Select the authorization object S_USER_GRP.
To which authorization object class is the authorization object S_USER_GRP assigned? ____________________
Display the documentation for this authorization object. In which transactions is the authorization object checked? _________________________________________________________
Which activities are possible? _________________________________________________________
Exit the report List Authorization Objects by object name, text.

1-1-5 In the information system, double-click the report Authorization Objects by object class from the node Authorization objects. Choose the All Selections icon. Select the authorization object class from exercise 1-1-4.
How many authorization objects have a name beginning with S_USER? ____________________
Get information about the authorization object S_USER_TCD by displaying the documentation. What is controlled with this authorization object? _________________________________________________________
Which authorization fields does the object consist of? ____________________
How many authorization objects are assigned to the selected authorization object class? (Note: The number of authorization objects is indicated at the end of the list.) ____________________
Exit the report Authorization objects by object class.

1-1-6 Expand the structure for the node Roles, and select the report Roles by role name by double-clicking it. Select the role CA940_SD_SALES. Display the transaction assignment of the role.

How many transactions are assigned to the role? (Note: The number of transactions is indicated at the end of the list.) ____________________

Does this role authorize a user to call transaction VA03? ____________________

Does this role authorize a user to call transaction MM03? ____________________

The following exercise is optional.

1-2 Display the definition of transaction FB03.

Menu Path: Menu → ABAP Workbench → Development → Other Tools → Transactions.

1-2-1 Which authorization object is checked when the transaction is called? ____________________

1-2-2 Which authorization values must exist for the authorization check to be positive and the transaction to be started? ____________________

Solutions

Unit: Elements of the SAP R/3 Authorization Concept

1-1 Menu: Tools → Administration → User Maintenance → SU01 - Users Enter CA940-## and choose the Display (F7) icon.

1-1-1 Choose the Roles tab. Yes: CA940_DISPLAY CA940_PLUS CA940_USER

1-1-2 Choose the Profiles tab. Yes: CA940_DISP CA940_DISP1 CA940_DISP2 CA940_DISP3 CA940_DISP4 CA940_PLUS CA940_TRAI

1-1-3 Double-click the profile name to go to the detail screen of the authorization profile. Expand the tree structure of the authorization profile.

Authorization for authorization object:

- F_BKPF_BUK? No

- PLOG? No

- S_TCODE? Yes

- S_USER_GRP? Yes

Name of the authorizations for object S_USER_GRP: CA940_PLUS00, CA940_PLUS01

Authorization fields for authorization object S_USER_GRP:

ACTVT Activity

CLASS User group in user master maintenance

Authorization values for authorization object S_USER_GRP:

Authorization CA940_PLUS00: ACTVT 05, CLASS Z*

Authorization CA940_PLUS01: ACTVT 03, 08, CLASS *

From the detail screen of the authorization profile, go back to the display of the user master record.

Exit the transaction.

1-1-4 Navigate to the Information System using the SAP menu: Tools → Administration → User Maintenance → Information System. Expand the structure for the node Authorization Objects, and select the report List Authorization Objects by object name, text by double-clicking it. Select the authorization object S_USER_GRP.

Authorization object class for authorization object S_USER_GRP: BC_A

Select the authorization object and choose the Documentation pushbutton.

Transactions with integrated check of S_USER_GRP: SU01, SU10, SU12, PFCG, SUUM, SUUMD

Possible activities:

01: Create

02: Change

03: Display

05: Lock, unlock

06: Delete

08: Display change documents

22: Add users to roles

24: Archive

78: Assign

68: Model

Exit the report List Authorization Objects by object name, text.

1-1-5 In the information system, double-click the report Authorization Objects by object class from the node Authorization objects. Choose the All Selections icon. Select the authorization object class BC_A and the authorization object S_USER*.

Number of authorization objects beginning with S_USER: 8 authorization objects

Select the authorization object and choose the Documentation pushbutton.

Documentation for authorization object S_USER_TCD: The authorization object determines which transactions administrators may assign to a role and for which transactions they may grant the transaction code authorization (object S_TCODE). Please note that you may maintain transaction intervals for authorization object S_TCODE in the Profile Generator only if you have complete S_USER_TCD authorization. Otherwise, you may only maintain single values for the object S_TCODE.

Authorization fields of the object: TCD: Transactions which administrators may assign to the role and for which they may grant the authorization to start the transaction in the Profile Generator.

Number of authorization objects in object class BC_A (indicated at the end of the list): 62 authorization objects

Exit the report Authorization objects by object class.

1-1-6 Expand the structure for the Roles node, and select the report Roles by role name by double-clicking it. Select the role CA940_SD_SALES. Display the transaction assignment of the role (by choosing the corresponding pushbutton).

Number of transactions (indicated at the end of the list): 28 transactions

Does this role authorize a user to call transaction VA03? Yes

Does this role authorize a user to call transaction MM03? No

The following exercise is optional.

1-2 Display the definition of transaction FB03.

Menu Path: Menu → Tools → ABAP Workbench → Development → Other tools → Transactions (or transaction SE93)

1-2-1 Which authorization object is checked when the transaction is called? F_BKPF_BUK

1-2-2 Which authorization values must exist for the authorization check to be positive and the transaction to be started? Activity 03. The company code is not checked here, so it is irrelevant which company code values appear in the user master.

The User Master Record

Contents:

l Identifying users by means of the user master record

l SAP R/3 user types

l Components of the user master record

l User buffer

l Change documentation

The User Master Record: Unit Objectives

At the conclusion of this unit, you will be able to:

l List the different SAP R/3 user types

l Distinguish between the components of the user master record

l Create and change user master records

l Evaluate change documents

l Display and archive change documents

l Analyze the user buffer

l Understand the function of the user buffer and evaluate the buffered user authorizations

Overview Diagram (4)

Conception with ASAP Methodology

Elements of the SAP R/3 Authorization Concept

The User Master Record

Analysis and Monitoring Functions

Introduction

Central User Administration

Access Control and User Administration

Working with the Profile Generator

Special Authorization Components

Integration into Organisational Management

Profile Generator: Installation/Upgrade

Transporting Authorization Components

mySAP.com and the Workplace

The User Master Record: Business Scenario

l To access the SAP R/3 System and work with the data in the system, a user master record with appropriate authorizations is required. Other elements of the user master record make it easier to work with the SAP R/3 System.

User Master Record Components

Slide: the Display User screen (header fields User, Last changed by, status Saved) with the tabs Address, Logon Data, Defaults, Parameters, Roles, Profiles, Groups and the data each tab holds:

- Address: Personal Data, Communication Data, Company Address

- Logon Data: User Group, User Type, Validity Period

- Defaults: Start Menu, Logon Language, Standard Printer

- Parameters: Default Parameter IDs

- Roles: Assignment of Roles

- Profiles: Assignment of Profiles

- Groups: Assignment of User Groups

n A user can only log on to an SAP system if a user master record with a password exists. The user master record determines which actions the individual user is allowed to perform in the SAP system.

n User master records are client-specific. You must maintain user master records for each client in an SAP system.

n The following authorization objects are required to create and maintain user master records:

� S_USER_GRP: User Master Maintenance: Assign user groups

� S_USER_PRO: User Master Maintenance: Assign authorization profile

� S_USER_AUT: User Master Maintenance: Create and maintain authorizations

n By choosing System -> User profile -> Own data (transaction SU3), users can themselves maintain the Address, Defaults, and Parameters tabs.

The User Master Record: Logon Data

Slide: the Display User screen (tabs Address, Logon Data, Defaults, Parameters, Roles, Profiles, Groups; header fields User, Last changed by, Status, References, Saved) showing the Logon Data tab with the fields User Group for Authorization Check; User Type (Dialog, Service, Reference, System); Validity Period (Valid from, Valid until); and Other data (Accounting Number, Cost Center).

n When creating a new user, you must enter an initial password for that user on the Logon data tab. All other data is optional.

n The alias is an alternative identification for an SAP user. A user can be assigned an alias name. In this way, up to 40 characters can be used when assigning user names (allowing longer, more descriptive names). The user can then be identified either using the (12 character) user name or using the alias. The alias is used primarily when users are created from Internet transactions using Self-Service. There, only the alias is specified.

n User group for authorization check: User group to which this user is to be assigned. If the user maintenance tasks are to be distributed to several user administrators, the user must be assigned to a group. Only the administrator with authorization for that group may then change the master record. If a user master record is not assigned to a group, any user administrator may change it.

n User Type: The system proposal is Dialog (normal dialog user). The other user types can be assigned if special kinds of processing have to be performed.

n Other data: For each user or user group, you should assign an accounting number which you can choose as required. In the accounting system (ACCOUNTING-EXIT), system usage of that user is settled using this accounting number (for example, the cost center).


SAP R/3 User Types

n Dialog users are used for individual, interactive sessions in the SAP R/3 System.

� Check for expired/initial passwords

� Possible to change your own password

� Check for multiple dialog logon

n A Service user is available to a larger, anonymous user group and allows interactive access to the system.

� No check for expired/initial passwords

� Only user administrators can change the password

� Multiple logon permitted

n System users are not capable of interaction and are used to perform certain system activities, such as background processing, ALE, Workflow, and so on.

n A Reference user is, like a System user, a general, non-personally related, user. Additional authorizations can be assigned within the system using a reference user. A reference user for additional rights can be assigned for every user in the Roles tab.

The User Master Record: Defaults

l Start menu

n Assigns the initial area menu

l Logon language

n Assigns the default language to be used if the user does not enter one on the logon screen

l Output controller

n Assigns the default printer

l Time zone

l Decimal notation

l Date format

n Start menu

� In this field you can specify an area menu which you can choose using the possible entries help. The SAP menu (SAP Easy Access) then only contains the components of this area menu.

Example: A user needs the credit management transactions to perform the daily work. If you enter FRMN as the start menu in that user's data, the SAP menu displays only the transactions of credit management.

In transaction SSM2, you can specify the initial menu on a system-wide basis.

n Logon language

� System language when the user logs on. On the logon screen, the user can choose another language if required.

The User Master Record: Parameters

Slide: the Display User screen (header fields User, Last changed by, References, Saved; tabs Address, Logon Data, Defaults, Parameters, Roles, Profiles, Groups) showing the Parameters tab with the columns Parameters, Value, Text and an entry for Company Code. When transaction FK03 (Display Vendor) is then called, its selection screen already shows Vendor: ___ and Company Code: 1000.

n Using a parameter ID, a field can be filled with default values from the SAP memory.

n Example: A user has only the authorization for company code 1000. When a transaction starts, this company code is saved to the memory using the corresponding parameter ID. On all subsequent screens, all fields referencing the company code data element are then automatically filled with the value 1000.

n A field on a screen is only filled automatically with the value saved under the parameter ID of the data element, if you have explicitly allowed this in the Screen Painter.

The User Master Record: Roles

Slide: the Display User screen (header fields User, Last changed by, References, Saved; tabs Address, Logon Data, Defaults, Parameters, Roles, Profiles, Groups) showing the Roles tab, which lists the assigned roles with the columns Role, Type (for example Single Role), Valid from, Valid until, Text, and the field Reference user for additional rights.

n A role is a set of functions describing a specific work area. In the role, you organize transactions, reports or Web addresses in a user menu. A role can be assigned to any number of users.

n On the Roles tab, you can use the possible entries help (F4 help) to display all available roles and then choose one from that list.

n A role is linked to the user master record for a validity period, which you must enter.

The User Master Record: Profiles

Slide: the Display User screen (header fields User, Last changed by, References, Saved; tabs Address, Logon Data, Defaults, Parameters, Roles, Profiles, Groups) showing the Profiles tab, which lists the assigned authorization profiles, here the profile for role MY_FI_AR_DISPLAY_MASTERDATA.

n On the Profiles tab, you assign authorization profiles to a user.

n You can assign a large number of authorization profiles (approximately 150) to a user.

n Each profile grants the user a number of authorizations.

n Basically, you should maintain all profiles with the Profile Generator, except if you have to postprocess profiles that were created manually.

n Profiles that were generated using the Profile Generator should never be added directly to the user master record. After a user comparison in the Profile Generator, the profiles are automatically added to the user master record.

n The SAP R/3 System contains predefined profiles.

� SAP_ALL: All authorizations in the SAP System (superuser authorizations).

� SAP_NEW: Authorizations for new authorization objects in existing functions.

User Buffer

Slide: user Wolf Meier is assigned the role MY_FI_AR_DISPLAY_MASTER_DATA with the generated authorization profile T-T0030107. On logon to the SAP R/3 System the user buffer is filled with the user's authorizations (object, authorization):

F_BKPF_KOA T-T003010700

F_KNA1_AEN T-T003010700

F_KNA1_APP T-T003010700

F_KNA1_APP T-T003010701

F_KNA1_BED T-T003010700

F_KNA1_BUK T-T003010700

F_KNA1_GEN T-T003010700

F_KNA1_GEN T-T003010701

...

n When a user logs on to the SAP R/3 System, a user buffer is built containing all authorizations for that user. Each user has their own individual user buffer.

n For example, if user Smith logs on to the system, his user buffer contains all authorizations of role MY_FI_AR_DISPLAY_MASTER_DATA.

n The user buffer can be displayed in transaction SU56.

n A user would fail an authorization check if:

� The authorization object does not exist in the user buffer

� The values checked by the application are not assigned to the authorization object in the user buffer

� The user buffer contains too many entries and has overflowed

n The number of entries in the user buffer can be controlled using the system profile parameter auth/number_in_userbuffer.
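The following Python model is an added example, not SAP code and not part of the course material. It shows how the user buffer described above serves an authorization check: the buffer is filled at logon from the user's authorizations, and a check on an authorization object passes only if one buffered authorization for that object matches every checked field, with `*` and a trailing `*` as wildcards. The three failure reasons listed in the notes (object absent, values not assigned, buffer overflowed) each come out as a distinct result. The S_USER_GRP authorizations CA940_PLUS00 and CA940_PLUS01 and their values are taken from the solution to exercise 1-1-3, and the FB03 start check (ACTVT 03, company code not checked) from the solution to exercise 1-2-2; the F_BKPF_BUK authorization Z_FI_DISP00, the user groups Z001 and SUPER, the profile name Z_TEST and the `max_entries` stand-in for auth/number_in_userbuffer are assumptions made for the example.

```python
"""Model of the SAP user buffer and the authorization check it serves.

Illustrative Python only (not SAP code). S_USER_GRP data is from the course
solutions; the F_BKPF_BUK authorization, group names and limits are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

OK = "OK"
OBJECT_MISSING = "object not in user buffer"
VALUES_MISSING = "checked values not assigned to the object in the user buffer"
OVERFLOW = "user buffer overflowed; authorization was not buffered"


@dataclass
class Authorization:
    """One authorization: an instance of an authorization object with the
    allowed values per field ('*' and a trailing '*' are wildcards)."""
    name: str
    obj: str
    fields: Dict[str, List[str]]


def value_matches(allowed: str, actual: str) -> bool:
    """SAP authorization value semantics for a single allowed value."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return actual.startswith(allowed[:-1])
    return allowed == actual


class UserBuffer:
    """Built once at logon. max_entries stands in for the profile parameter
    auth/number_in_userbuffer (parameter name from the page, model is ours)."""

    def __init__(self, max_entries: int) -> None:
        self.max_entries = max_entries
        self.entries: List[Authorization] = []
        self.overflowed = False

    def load(self, authorizations: List[Authorization]) -> None:
        for auth in authorizations:
            if len(self.entries) >= self.max_entries:
                self.overflowed = True  # the remaining authorizations are not buffered
                break
            self.entries.append(auth)

    def authority_check(self, obj: str, **checked: Optional[str]) -> str:
        """Return OK or the reason the check fails. A field passed as None is
        not checked at all (the 'ID ... DUMMY' case of ABAP AUTHORITY-CHECK)."""
        candidates = [a for a in self.entries if a.obj == obj]
        if not candidates:
            return OVERFLOW if self.overflowed else OBJECT_MISSING
        for auth in candidates:
            if all(
                actual is None
                or any(value_matches(v, actual) for v in auth.fields.get(fname, []))
                for fname, actual in checked.items()
            ):
                return OK  # one matching authorization is enough
        return VALUES_MISSING


# Authorizations of profile CA940_PLUS as given in the course solution (1-1-3),
# plus one constructed F_BKPF_BUK authorization for the FB03 example (1-2-2).
PROFILE_AUTHS = [
    Authorization("CA940_PLUS00", "S_USER_GRP", {"ACTVT": ["05"], "CLASS": ["Z*"]}),
    Authorization("CA940_PLUS01", "S_USER_GRP", {"ACTVT": ["03", "08"], "CLASS": ["*"]}),
    Authorization("Z_FI_DISP00", "F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["1000"]}),  # constructed
]


def logon(max_entries: int = 100) -> UserBuffer:
    """Simulate logon: build the user buffer from the user's authorizations."""
    buf = UserBuffer(max_entries)
    buf.load(PROFILE_AUTHS)
    return buf


def run_checks() -> Dict[str, str]:
    """Checks this user would hit in user maintenance (SU01) and in FB03."""
    buf = logon()
    small = logon(max_entries=2)  # buffer too small for the third authorization
    return {
        "lock user in group Z001": buf.authority_check("S_USER_GRP", ACTVT="05", CLASS="Z001"),
        "lock user in group SUPER": buf.authority_check("S_USER_GRP", ACTVT="05", CLASS="SUPER"),
        "display user in group SUPER": buf.authority_check("S_USER_GRP", ACTVT="03", CLASS="SUPER"),
        "start FB03 (BUKRS not checked)": buf.authority_check("F_BKPF_BUK", ACTVT="03", BUKRS=None),
        "display document of company code 2000": buf.authority_check("F_BKPF_BUK", ACTVT="03", BUKRS="2000"),
        "create profile (S_USER_PRO)": buf.authority_check("S_USER_PRO", ACTVT="01", PROFILE="Z_TEST"),
        "start FB03 after buffer overflow": small.authority_check("F_BKPF_BUK", ACTVT="03", BUKRS=None),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check:40s} -> {result}")
```

The model makes the two S_USER_GRP authorizations behave as the solution describes: locking (ACTVT 05) is possible only for users in groups beginning with Z, while display (ACTVT 03) works for any group via CLASS `*`. The FB03 case shows why the company code value in the user master is irrelevant for starting the transaction but decides the check inside it, and the undersized buffer shows the overflow failure that transaction SU56 lets an administrator spot.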


Mass Changes

n Most changes that can be made for individual users in the context of user administration can also be made for a selected number of users.

n Logon data, defaults, parameters, roles and profiles can be changed for a specific group of users.

n By choosing Environment → Mass Changes (Transaction SU10) in user maintenance, you can make changes to a selected group.

n After every mass change, the system asks in a dialog window if you want a log. The log shows who made which changes in which system, and when.

n The log contains multiple message levels that you can, if you wish, expand using the appropriate pushbuttons. If there is a long text for a particular message, this can also be displayed by choosing the pushbutton that appears next to the message.

n You can make certain settings for the log display under Settings, and the Color legend explains the colors used in the display.

n You can print the log, or save it to a file on your PC.

Change Documentation and Archiving

Slide: change documents are held online in the database and moved offline to archive files or tape by the archiving procedure. Relevant tables for change documents:

USH02: change history for logon data

USH04: change history for authorizations

USH10: change history for authorization profiles

USH12: change history for authorization values

n Displaying change documents: Choose Information -> Information system and then Change documents on the overview screen that appears to display a list of changes made to user master records, authorization profiles or authorizations.

n Archiving change documents: User master records and authorizations are saved in USR* tables. Using the archiving function, you can reduce the memory space occupied by the USR* tables in the database. Change documents are saved in USH* tables. The archiving function deletes change documents from the USH* tables that are no longer needed.

n You can archive the following change documents or change records relating to user master records and authorizations from the USH* tables:

� Changes to authorizations (archiving object US_AUTH)

� Changes to authorization profiles (archiving object US_PROF)

� Changes to the authorizations assigned to a user (archiving object US_USER)

� Changes to a user's password or to defaults stored in the user master record (archiving object US_PASS)

The User Master Record: Unit Summary

You are now able to:

l List the different SAP R/3 user types

l Distinguish between the components of the user master record

l Create and change user master records

l Evaluate change documents

l Display and archive change documents

l Analyze the user buffer

l Understand the function of the user buffer and evaluate the buffered user authorizations

Exercises

Unit: The User Master Record

At the conclusion of this exercise, you will be able to:

• Create and change user master records as well as evaluate changes

• Know the components of the user master record

• Use predefined work center examples

• Create multiple users in one step

• Understand the principle of the user buffer and evaluate the buffered user authorizations

1-1 Create a new user group ZGR## with a description of your choice.

1-2 Create a user master record for a dialog user GR##-ADM.

1-2-1 Enter address data of your choice.

1-2-2 Enter an initial password of your choice and assign the user to user group ZSUPER. Initial Password: _____________________________________

1-2-3 Assign the logon language that you have used yourself for logging on.

1-2-4 Save your user master record.

1-3 Assign a predefined work center example to your new user master record. To do this, choose Other menu on the SAP Easy Access initial screen.

1-3-1 Choose the role CA940_BC_ADMIN.

1-3-2 Assign your new user GR##-ADM to the role. Enter the user ID and choose Add users. Ensure that the user master record is automatically compared.

1-4 Go from the Other menus display to the SAP menu display. Change the user master record of your user GR##-ADM.

1-4-1 Check the following points: Is a role assigned to the user? Which role is it? ____________________

1-4-2 Link your user with another role. Choose the role CA940_PLUS.

1-4-3 Are authorization profiles assigned to your user? Which authorization profile(s)? ____________________

1-5 Display the change documents for your user GR##-ADM by calling up the information system for users and authorizations and selecting the report Change documents for user. Display the changes made to the authorizations. Does the list tell you that creating the user master record and assigning the user to roles were separate steps? __________________________________________________________________

1-6 Log on to the system as user GR##-ADM.

1-6-1 Do you need to enter a logon language? ____________________

1-6-2 Set your own password.

1-6-3 Check the user menu: Which functions does it contain? List some examples. ____________________________________________________________

1-6-4 Check the user buffer by calling the function Analyze user buffer in your user menu. How many authorizations are available? ____________________ For which authorization objects? List some examples. ____________________________________________________________

1-7 Log off as user GR## and log on again as user CA940-##.

1-8 Create additional master records using the User Mass Maintenance transaction.

1-8-1 In the User column, enter the following user names and choose Create.

User name

GR##-FI1

GR##-FI2

GR##-SD1

GR##-SD2

GR##-MM1

GR##-MM2

1-8-2 Enter the user group ZGR## and the logon language that you use into the corresponding fields.

1-8-3 Save the users with log. Expand the log completely and enter the initial passwords generated into the following tables beside the user names.

User name Password generated

GR##-FI1

GR##-FI2

GR##-SD1

GR##-SD2

GR##-MM1

GR##-MM2

Solutions

Unit: The User Master Record

1-1 Menu: Tools → Administration → User Maintenance → Maintain User Groups (SUGR) Enter ZGR## and choose the Create user group (F8) icon.

1-2 Menu: Tools → Administration → User Maintenance → SU01 - Users Enter GR##-ADM and choose the Create (F8) icon.

1-2-1 On the Address tab

1-2-2 On the Logon data tab

1-2-3 On the Defaults tab

1-2-4 Save your user master record.

1-3 Assign a predefined work center example to your new user master record. To do this, choose Other menu on the SAP Easy Access initial screen.

1-3-1 Choose the role CA940_BC_ADMIN.

1-3-2 Assign the new user GR##-ADM to this role. To do this, choose Assign users on the SAP Easy Access initial screen. Enter the user ID and choose Add users. Ensure that the user master records are compared automatically by choosing Yes on the system prompt that appears next.

1-4 Switch from the Other menu display to the SAP standard menu display by choosing Menu → SAP Menu. Change the user master record of your user GR##-ADM.

1-4-1 Menu: Tools → Administration → User Maintenance → Users (SU01) Role CA940_BC_ADMIN

1-4-2 Enter CA940_PLUS on the Roles tab.

1-4-3 Authorization profiles assigned: CA940_BC_A CA940_PLUS

1-5 Menu: Tools → Administration → User Maintenance → Information System → Change documents → For user. Choose the Change documents for user report. Display the changes made to the authorizations. The different time stamps tell you that the changes were made one after another.

1-6 Log on to the system as user GR##-ADM.

1-6-1 No, the logon language is set in the user master.

1-6-2 Set a new user password

1-6-3 Users, Display Users, User Mass Maintenance, Maintain User Groups, Analyze User Buffer, Information System, ...

1-6-4 Check the user buffer by calling the function Analyze user buffer in your user menu. Menu: User Maintenance → Analyze user buffer (SU56)

Number of authorizations: 13

Authorization objects, for example: S_TCODE, S_USER_AGR, S_USER_GRP, S_USER_PRO

1-7 Menu: System → Log off

1-8 Menu: Tools → Administration → User Maintenance → SU10 - User Mass Maintenance

1-8-1 In the User column, enter the following user names and choose the Create - F8 icon.

User name

GR##-FI1

GR##-FI2

GR##-SD1

GR##-SD2

GR##-MM1

GR##-MM2

1-8-2 Logon data tab: Enter ZGR## Constants tab: Enter DE

1-8-3 Save the users with log. Expand the log completely and enter the initial passwords generated into the tables contained in the exercise part.

Working with the Profile Generator

Contents:

l This unit describes how to design SAP Easy Access user menus for the various work centers (or roles) in your company and how to automatically generate authorization profiles for those menus.

l The first part of this unit deals with simpler basic maintenance. The focus is placed on the creation of menus and the associated authorizations, profiles, and user assignments.

l The second part deals with more advanced topics: The focus here is placed on derived and composite roles.

Working with the Profile Generator: Unit Objectives

At the conclusion of this unit, you will be able to:

l Perform the steps involved in assigning authorizations with the Profile Generator

l Copy, change, and create roles and determine their activities

l Display and maintain authorizations that were generated automatically

Overview Diagram (5)

Conception with ASAP Methodology

Elements of the SAP R/3 Authorization Concept

The User Master Record

Analysis and Monitoring Functions

Introduction

Access Control and User Administration

Working with the Profile Generator

Special Authorization Components

Integration into Organizational Management

Profile Generator: Installation/Upgrade

mySAP.com and the Workplace

Central User Administration

Transporting Authorization Components

Working with the Profile Generator: Business Scenario

l When you create authorizations and authorization profiles for groups of users, you should use the Profile Generator. Based on selected menu functions, the Profile Generator automatically generates authorization data and offers it for postprocessing.


The Profile Generator

What is the Profile Generator?

n The Profile Generator is a central tool for generating authorizations and authorization profiles and assigning them to users.

n In the Profile Generator, system administrators choose transactions, menu branches (from the SAP menu) or area menus. The functions chosen correspond to the field of activity of a user or a group of users. The Profile Generator offers various maintenance views:

� A Simple view (Menu maintenance for the Workplace)

� Basic maintenance (menus, profiles, and other objects)

� Overview (Organizational Management and workflow)

n The menu tree set up by system administrators for users with a specific role within the company corresponds to the user menu that appears if a user (to which the corresponding role is assigned) logs on to an SAP system.

n The Profile Generator automatically provides the corresponding authorizations for the functions chosen. Some of these authorizations have default values. Traffic light symbols tell you which values you need to maintain.

n In the final step, the Profile Generator generates an authorization profile and assigns the role to the users.

Roles

Slide: a role (Role XYZ) bundles the functions of a work area: transactions TA1 to TA5, reports (zzz, XYZ) and Web links.

What are roles?

n A role is a set of functions describing a specific work area. The 'Accounts Receivable Accountant' role, for example, contains transactions, reports, and/or Internet/Intranet links needed by accountants for their daily work. In the role, you also assign the authorizations that users - such as Accounts Receivable Accountants - need to access the transactions, reports, and so on contained in the menu.

n Roles are used to implement the menus that users can work with after they have logged on to an SAP system. You can use roles predefined by SAP and custom roles. You can find the predefined roles by choosing Tools -> Administration -> User Maintenance -> Roles, or alternatively by choosing Menu -> Display menu of a role, or by clicking the Other menu pushbutton.

n You can display the role templates delivered by SAP using report RSUSR070.

n Besides the normal logon users, you can also assign object types such as jobs, organizational units or positions to roles (see unit 'Integration into Organizational Management').

The Profile Generator: Steps

Slide: a work centre description (Activity 1, Activity 2, ...) is turned into a role with the Profile Generator. The role maintenance tabs Description, Menu, Authorizations and User correspond to the steps:

• Define Role Names

• Define Activities, Design User Menus

• Maintain Authorization Data, Generate Authorization Profile

• Assign Users, Adjust User Master Records

n To call the Profile Generator, choose Create menu on the SAP Easy Access initial screen, or choose the following menu path: Tools -> Administration -> User Maintenance -> Roles. The transaction code is PFCG.

n In the first step, you define the activities for the user role. The result of this definition process is a role (or several roles) that collects all activities of the role - represented by transactions, reports, and Web addresses.

n At the same time, you determine what the menu tree for the new user role should look like.

n Afterwards, the authorizations for the activities selected are generated. This step normally involves the highest administrative maintenance effort.

n Subsequently, the users are assigned to the roles.

n Finally, the user masters of the users assigned to the roles are adjusted.

Profile Generator: Views

Slide: the role maintenance initial screen (Role SAP_FI_AR_MASTER_DATA, Description Accounts Payable Clerk, pushbuttons Display, Change, Create, Create Composite Role, Information) offers three views:

Simple Maintenance (Workplace Menu Maintenance): Menu, Agents

Basic Maintenance (Menus, Profiles, Other Objects): Menu, Authorizations, Agents

Overview (Organisational Management and Workflow): Menu, Authorizations, Tasks, Agents, Organisational Management

n Using simple maintenance, you can define roles for the Workplace.

n Basic maintenance allows you to

� Access all the functions for role maintenance

� Assign roles only to SAP R/3 users

n The Overview (Organizational Management) displays all assignments and data for a role.

n This view is useful for users in Personnel Planning and Development, particularly for Organizational Management and workflow. The Overview allows you to:

� Access all the functions for role maintenance

� Change the validity period of the role

� Link tasks with a role

� Assign roles to objects in the organizational plan and delimit the validity dates for each assignment

Profile Generator: Steps

Define Role Name

Determine Activities

Design User Menus

Maintain Authorization Data

Generate Authorization Profile

Assign Users

Adjust User Master Records

Define Role Name and Description

Slide: on the role maintenance initial screen (fields Role and Description; pushbuttons Display, Change, Create, Create Composite Role, Information) the role MY_ROLE is created with the description "FI: Accounts Payable Accountant". The role then opens with the tabs Description, Menu, Authorizations, User, Pers ... and the pushbuttons Information and Other Role.

n Note that the roles delivered by SAP begin with the prefix ‘SAP_’. If you want to create your own user roles, do not use the SAP namespace.

n Individual and composite roles are not differentiated by name by SAP. When creating your own roles, you should develop a naming concept that differentiates between individual and composite roles.

Profile Generator: Steps

Define Role Name

Determine Activities

Design User Menus

Maintain Authorization Data

Generate Authorization Profile

Assign Users

Adjust User Master Records

Determine Activities

Slide: the functions needed by a work area (transactions TA1, TA2, TA3, report xyz, Web links) are sorted into Role 1 and Role 2; transaction TA1 appears in both candidate roles, and the slide marks that assignment decision with "???". The result is maintained on the role tabs Description, Menu, Authorizations, User.

n Defining the roles: Using roles, you define which activities are assigned to a specific role in the company. The authorization administrator chooses those transactions in the Profile Generator that users with a specific role in the company must perform regularly. The administrator also chooses any Web addresses if these are useful for the daily work of a role holder (for example, a weather forecast service would be of interest to field service personnel). In addition, frequently needed reports can also be added to the user menu.

n You can create completely new roles if required. In most cases, however, it is easier to use the roles delivered by SAP as a copy template and then change them to meet your requirements. In the following example, an SAP role was copied as the role MY_ROLE (to copy a role, choose Copy role on the initial screen and Copy selectively on the dialog box that appears next). This new role was then slightly modified. You can choose any name for roles. However, names must not begin with "SAP_".


Design Menus

[Screenshot: Menu tab of role MY_ROLE ("FI: Accounts Payable Accountant - (Template Copy)"). Define functions: Transaction, Report, Other (Web link). Customize menu structure: From the SAP Menu (folders such as Correspondence, Closing, Reporting, Withholding Tax, Information System, Other, Addresses), From Other Role, From Area Menu, Import From File; Translate Node, Display Documentation, Find in Docu.; drag&drop; Distribute to target system T70CLNT400. Role menu shown: URL - www.mysap.com, URL - Route Planner, SM04 - User List, SE16 - Data Browser, and the folder Account Master Data with FK01 - Create Vendor, FK02 - Change Vendor, FK03 - Display Vendor, FK04 - Display Changes, FK05 - Lock Vendor, FK06 - Set Deletion Flag, Confirmation of Change, Compare.]

n Changing the functions: You can adjust the transactions listed in the menu tree of a role to meet your individual requirements:

• You can delete transactions that you do not need, or add new ones (by choosing the Transaction pushbutton or by copying transactions from other menus or roles).

• You can add reports (by choosing the Report pushbutton). The Profile Generator generates a transaction code (which is either created automatically or which you define yourself) that can be used to start the report from the menu.

• You can also add Internet pages (by choosing the Other pushbutton). Similarly, you can add links to documents (such as Excel files). You add links to documents in the same way as you add links to Internet pages. Instead of the URL, you then enter the path of the required file.

n Changing the menus: You can create, delete, move or rename directories. The principle of operation is similar to that of common graphical file managers.

n If you want to distribute the role to a particular target system, enter the target system (it must be an SAP R/3 Release 4.6C System) and choose the Distribute pushbutton. This function is primarily of importance when used with the Workplace.

n Role menus can, from SAP R/3 Release 4.6C, also be compared and customized using transaction ROLE_CMP.


Profile Generator: Create Authorization Profiles

[Screenshot: Authorizations tab of role MY_ROLE ("FI: Accounts Payable Accountant - created from SAP template"). Information on the authorization profile: created by user MEYERS on 16.01.2000 at 13:22:12, last changed by user BENZ on 18.01.2000 at 17:50:59; profile name T-K6840005, profile text "Profile for Role MY_ROLE", status "Current Version Not Generated". Pushbuttons: Change Authorization Data, Expert Mode for Profile Generation. Authorization tree for MY_ROLE (Maint.: 0 Unmaint. Org levels, 7 Open Fields, Status: Saved) with the object classes Cross-Application Authorization Objects (Maintained, Old), Asset Management (Maintained, Old), Basis - Administration (Maintained, New), Basis - Development Environment (Standard, Old), Basis - Central Functions (Maintained, New), Materials Management - Procurement (Standard, Old), the authorization "Authorization for File Access" (Standard, New) with the fields Activity, Physical File Name and ABAP Program Name, and "SAPscript: Standard text" (Maintained, Old).]

n Creating the authorizations and authorization profiles: The Profile Generator automatically generates authorizations based on the menu functions that you have chosen before. Of course, the Profile Generator cannot propose values for all authorizations that would fit any company. Therefore, the authorization administrator must normally postprocess the authorizations manually in cooperation with the user departments and the audit division. By using organizational levels, you can simultaneously maintain a large number of authorization fields. This greatly simplifies the manual postprocessing work.

n In the example, transaction SO01 (SAP Office) was added to role MY_ROLE (which was created by copying the SAP template). As a result, the yellow traffic lights appear in the menu tree in the above example. The authorization for file access is a good example to show why manual postprocessing is necessary: The Profile Generator cannot "know" if the users should have only read access or also write access to the files.

Inserting Authorizations Manually

n Although the Profile Generator automatically generates the authorizations, you can also add authorizations manually to an existing profile, which might be desirable in some cases. To do this, choose Change authorization data on the Authorizations tab and then Edit -> Insert authorization(s). The following options are available:

• Selection criteria: Here you can find authorizations for objects grouped by object class.

• Manual input: If you know the name of the authorization object for which you want to manually add authorizations, you can enter it here directly.

• Full authorization: This option inserts all authorizations with the value *.

• From profile...: Here you can use authorizations from individual profiles.

• From template...: If you want to create a user with almost all authorizations, you can use the SAP authorization templates designed for this purpose.

Authorization Maintenance: Icon Legend

Traffic lights refer to authorization fields in lower-level branches:

• All Authorization Fields Have Values Assigned
• Some Authorization Fields Have Missing Values
• Unmaintained Organizational Level

Important browser icons:

• Inactive / Reactivate: For Authorization Objects or Authorizations
• Display Transactions for an Authorization Object
• Assign Complete Authorization
• Maintain Field Contents

n The current maintenance status of the authorizations at the various levels is shown by traffic lights:

• Green: All fields below this level have been supplied with values. Check whether the values given are appropriate.

• Yellow: Below this level, there is at least one field (but not an organizational level) for which no data has been entered.

• Red: Below this level, there is at least one field for which no organizational level has been maintained.

• If you single-click a red or yellow traffic light, the system displays all unmaintained fields, except organizational levels with complete authorization (*).

n Inactive: Double-clicking on this icon has the following effects:

� At authorization object level: All subordinate authorizations are marked as inactive.

� At authorization level: This authorization is marked as inactive.

n Reactivate authorization: Clicking this icon has the effect that the authorization, and all subordinate authorizations, of an authorization object are set back to active.

n Delete: This can mean deletion of a field’s contents, or deletion of an inactive authorization or deletion of all inactive authorizations.

Authorization Maintenance: Status Texts

Status texts for authorizations:

• Standard: Field values were not changed
• Maintained: Value was entered in a field delivered empty
• Changed: Field delivered with content was changed
• Manual: Authorization object was added manually

Status texts after a comparison (such as a change in menu selection):

• Old: No field values were changed and no new authorizations added
• New: At least one new authorization added

n Standard: All field values in the subordinate levels of the hierarchy are unchanged from the SAP defaults.

n Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and has since been filled with a value.

n Changed: The value of at least one field in the subordinate levels of the hierarchy has been changed from the SAP default value. The status also changes to Changed if you change an organizational level which was previously set globally. (The exception to this is if you make the change in the Maintain organizational levels dialog box).

n Manually: There is at least one authorization on the subordinate hierarchy levels which you have added.

n Old: The comparison found that all field values in the subordinate levels of the hierarchy are still current and that no new authorizations have been added.

n New: The comparison found that at least one new authorization has been added to the subordinate levels of the hierarchy. If you now click on New, all new authorizations in the subordinate levels will be expanded.
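The traffic-light rules and the status texts above, as an added example that is not part of the course material: a small Python model of an authorization tree that computes the light for a node (red, yellow, green), lists the open fields, derives the status text, and maintains an organizational level across all fields at once. The precedence between status texts for mixed subtrees, the sample field values, and the use of M_MATE_STA and M_MSEG_BWA from the exercises are assumptions of this example, as noted in the comments.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed model of the authorization tree shown by the Profile Generator;
# example code written for this page, not SAP's implementation.

@dataclass
class AuthField:
    name: str
    delivered: Optional[str]   # value SAP delivered; None = delivered empty
    value: Optional[str]       # current value; None = not yet maintained
    org_level: bool = False    # organizational level (Plant, Company code, ...)

@dataclass
class Authorization:
    name: str
    fields: List[AuthField]
    manual: bool = False       # inserted manually, not proposed by the Profile Generator
    active: bool = True        # inactive authorizations are ignored below

def _active_fields(tree: List[Authorization]) -> Iterator[Tuple[Authorization, AuthField]]:
    """Yield (authorization, field) for every field below a node of the hierarchy."""
    for auth in tree:
        if auth.active:
            for fld in auth.fields:
                yield auth, fld

def traffic_light(tree: List[Authorization]) -> str:
    """Red: an organizational level below is unmaintained. Yellow: some other field
    below has no value. Green: every field has a value (still check the values)."""
    missing = [fld for _, fld in _active_fields(tree) if fld.value is None]
    if any(fld.org_level for fld in missing):
        return "red"
    return "yellow" if missing else "green"

def unmaintained_fields(tree: List[Authorization]) -> List[str]:
    """What a click on a red or yellow light lists: the open fields."""
    return [f"{auth.name}/{fld.name}"
            for auth, fld in _active_fields(tree) if fld.value is None]

def status_text(tree: List[Authorization]) -> str:
    """Standard / Maintained / Changed / Manual for a hierarchy node. The precedence
    Manual > Changed > Maintained > Standard for mixed subtrees is an assumption of
    this example; the course text only defines what each text means."""
    if any(auth.manual for auth in tree if auth.active):
        return "Manual"
    changed = maintained = False
    for _, fld in _active_fields(tree):
        if fld.delivered is not None and fld.value != fld.delivered:
            changed = True                 # delivered with content, then changed
        elif fld.delivered is None and fld.value is not None:
            maintained = True              # delivered empty, then filled
    if changed:
        return "Changed"
    return "Maintained" if maintained else "Standard"

def set_org_level(tree: List[Authorization], org_level: str, value: str) -> int:
    """Maintaining one organizational level fills that field in every authorization
    at once; returns the number of fields filled."""
    count = 0
    for _, fld in _active_fields(tree):
        if fld.org_level and fld.name == org_level:
            fld.value = value
            count += 1
    return count

def fill_open_fields(tree: List[Authorization], value: str = "*") -> int:
    """Clicking the top-level light and confirming assigns full authorization (*) to
    every open field; returns how many fields were filled."""
    count = 0
    for _, fld in _active_fields(tree):
        if fld.value is None:
            fld.value = value
            count += 1
    return count

def build_sample_role() -> List[Authorization]:
    """Constructed sample: the file-access authorization proposed when SO01 is added
    to MY_ROLE (fields open, as on the slide) plus two material-management objects
    from the exercises, one of them with an open Plant organizational level."""
    return [
        Authorization("Authorization for File Access", [
            AuthField("Activity", None, None),
            AuthField("Physical File Name", None, None),
            AuthField("ABAP Program Name", None, None),
        ]),
        Authorization("M_MATE_STA", [
            AuthField("Activity", "03", "03"),
            AuthField("Maintenance status", None, "*"),
        ]),
        Authorization("M_MSEG_BWA", [
            AuthField("Activity", "01", "01"),
            AuthField("Movement type", None, "561"),
            AuthField("Plant", None, None, org_level=True),
        ]),
    ]
```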


Generate Authorization Profile

[Screenshot: authorization tree of MY_ROLE (FI: Accounts Payable Accountant; Maint.: 0 Unmaint. Org Levels, 7 Open Fields, Status: Saved) with the object classes Cross-Application Authorization Objects, Asset Management, Basis - Administration, Basis - Development Environment, Basis - Central Functions, Materials Management - Procurement, the authorization "Authorization for File Access" (fields Activity, Physical Filename, ABAP Program Name), "SAPscript: Standardtext", and the Generate icon. Dialog "Assign Profile Name for Generated Authorization Profile": Profile name MY_ROLE_PF (you can change the default profile name here, but not later), Text "Profile for role MY_ROLE".]

n If the authorizations have been maintained in line with the company's authorization concept, you can generate an authorization profile. Only then do the authorizations contained in the profile take effect. A profile can contain a maximum of 150 authorizations. If there are more authorizations, the Profile Generator automatically creates additional profiles for the role. The profile name consists of 12 characters (see SAP Note 16466), of which the first 10 can be changed when the profile is first generated; the other two characters act as a counter. The second character must not be an underscore (_).
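The profile-name rules and the 150-authorization limit described above, as an added example that is not SAP's code: a Python model that validates the name chosen at first generation, splits a role's authorizations into profiles of at most 150, and refuses to rename a profile once it has been generated. Encoding the two-character counter as two decimal digits and upper-casing the name are assumptions of this example.

```python
from typing import Dict, List, Optional, Sequence

# Example code written for this page, modelling the rules the course text states
# for generated authorization profiles; it is not SAP's Profile Generator.

MAX_AUTHS_PER_PROFILE = 150   # more than this and additional profiles are created
EDITABLE_NAME_LENGTH = 10     # first 10 of the 12 characters, chosen at first generation
COUNTER_LENGTH = 2            # the last 2 characters act as a counter

def validate_profile_base_name(name: str) -> str:
    """Check the name entered in the 'Assign Profile Name' dialog: at most 10
    characters and the second character must not be an underscore (SAP Note 16466,
    as cited in the course text). Upper-casing is this example's convention."""
    name = name.strip().upper()
    if not name:
        raise ValueError("profile name must not be empty")
    if len(name) > EDITABLE_NAME_LENGTH:
        raise ValueError(f"{name!r} is longer than {EDITABLE_NAME_LENGTH} characters")
    if len(name) > 1 and name[1] == "_":
        raise ValueError(f"second character of {name!r} must not be an underscore")
    return name

def is_valid_profile_base_name(name: str) -> bool:
    """Boolean form of the check above, for use in an audit script."""
    try:
        validate_profile_base_name(name)
        return True
    except ValueError:
        return False

def generate_profiles(base_name: str, authorizations: Sequence[str]) -> List[Dict]:
    """Distribute a role's authorizations over profiles of at most 150 each.
    A profile name is the base name plus a two-character counter; encoding the
    counter as two decimal digits (00-99) is an assumption of this example."""
    base = validate_profile_base_name(base_name)
    chunks = [list(authorizations[i:i + MAX_AUTHS_PER_PROFILE])
              for i in range(0, len(authorizations), MAX_AUTHS_PER_PROFILE)] or [[]]
    if len(chunks) > 10 ** COUNTER_LENGTH:
        raise ValueError("counter exhausted: too many authorizations for one role")
    return [{"name": f"{base}{i:0{COUNTER_LENGTH}d}", "authorizations": chunk}
            for i, chunk in enumerate(chunks)]

class RoleProfiles:
    """Generated profiles of one role. The base name is fixed the first time the
    profile is generated and cannot be changed afterwards; until generate() has run,
    the status is 'Current version not generated' and no authorization takes effect."""

    def __init__(self, role: str):
        self.role = role
        self.base_name: Optional[str] = None
        self.profiles: List[Dict] = []

    @property
    def status(self) -> str:
        return "Generated" if self.profiles else "Current version not generated"

    @property
    def name_fixed(self) -> bool:
        return self.base_name is not None

    def generate(self, authorizations: Sequence[str],
                 base_name: Optional[str] = None) -> List[str]:
        if self.base_name is None:
            if base_name is None:
                raise ValueError("a profile name is required at first generation")
            self.base_name = validate_profile_base_name(base_name)
        elif base_name is not None and base_name.strip().upper() != self.base_name:
            raise ValueError("the profile name cannot be changed after first generation")
        self.profiles = generate_profiles(self.base_name, authorizations)
        return [p["name"] for p in self.profiles]
```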


Assigning Users to Roles

[Figure: Role 1, Role 2, Role 3 and Role 4 with their user assignments.]

n Assigning users: So that users are provided with the menu tree for their role when they log on to the system, you must assign roles to them.

n You assign roles to users by adding the corresponding names to the list on the User tab of the Profile Generator. Users can be assigned to more than one role. It makes sense to define roles for specific cross-role activities. An example is the activity "Print". Regardless of their function, all users (who are authorized to print) can be assigned to a role with the activity "Print". This eliminates the need to add the "Print" transaction to a large number of roles which is a cumbersome task.

n It is also possible to assign roles to users for a limited time only. This makes sense, for example, for year-end closing: physical inventory activities should only be allowed for a limited time. For a time-dependent assignment of an activity profile to a user master record to become effective, you must perform a comparison (see next page). It is recommended that you schedule the background job pfcg_time_dependency in such cases. Alternatively, you can perform the comparison in dialog mode using transaction PFUD.


Comparing the User Master

[Screenshot: User tab of role MY_ROLE (FI: Accounts Payable Accountant) with the User compare pushbutton. Information for user master comparison: Last Comparison (user, date, time), Complete Adjustment (user, date, time), Status: "User authorization changed since last save". Dialog "Compare Role User Master Record" with the options Complete Compare, Expert Mode for Compare, Information.]

n Comparing the user master: So that users are allowed to execute the transactions contained in the menu tree of their roles, their user master record must contain the profile for the corresponding roles.

n You can start the user compare process from within the Profile Generator (User tab and User compare pushbutton). As a result of the comparison, the profile generated by the Profile Generator is entered into the user master record. Caution: Never enter generated profiles directly into the user master record (using transaction SU01, for example)! During the automatic user compare process (with report pfcg_time_dependency, for example), generated profiles are removed from the user masters if they do not belong to the roles that are assigned to the user.

n If you assign roles to users for a limited period of time only, you must perform a comparison at the beginning and at the end of the validity period. It is recommended that you schedule the background job pfcg_time_dependency in such cases.
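The user master comparison described above, as an added example that is not part of the course material: a Python model in which the comparison enters the generated profiles of the roles valid on a given day, removes generated profiles that belong to no assigned role (the reason behind the SU01 caution), leaves manually created profiles alone, and resolves composite roles to their elementary roles. User SCHMIDT, the roles Z_PRINT and Z_COMPOSITE, the validity dates, and all profile names other than MY_ROLE_PF are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Example code written for this page: a model of the user master comparison
# (PFUD / pfcg_time_dependency) as the course text describes it, not SAP's code.

@dataclass
class Assignment:
    user: str
    valid_from: date
    valid_to: Optional[date] = None        # None = unlimited

    def is_valid_on(self, day: date) -> bool:
        return self.valid_from <= day and (self.valid_to is None or day <= self.valid_to)

@dataclass
class Role:
    name: str
    generated_profiles: List[str] = field(default_factory=list)  # written by the Profile Generator
    assignments: List[Assignment] = field(default_factory=list)
    contains: List[str] = field(default_factory=list)            # non-empty => composite role

@dataclass
class UserMaster:
    user: str
    profiles: Set[str] = field(default_factory=set)              # profiles in the user master record

def elementary_roles(role: Role, roles: Dict[str, Role]) -> List[Role]:
    """Users of a composite role count as assigned to its elementary roles
    (composite roles cannot contain composite roles, so one level suffices)."""
    return [roles[n] for n in role.contains] if role.contains else [role]

def target_profiles(user: str, roles: Dict[str, Role], day: date) -> Set[str]:
    """Generated profiles the user should hold on 'day', from assignments valid that day."""
    wanted: Set[str] = set()
    for role in roles.values():
        if any(a.user == user and a.is_valid_on(day) for a in role.assignments):
            for elem in elementary_roles(role, roles):
                wanted.update(elem.generated_profiles)
    return wanted

def user_compare(roles: Dict[str, Role], masters: Dict[str, UserMaster],
                 day: date) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Enter the generated profiles of assigned roles into the user master records and
    remove generated profiles that belong to no assigned role, which is why generated
    profiles must never be entered directly with SU01. Profiles that were not generated
    by the Profile Generator are left untouched. Returns {user: (added, removed)}."""
    generated = {p for r in roles.values() for p in r.generated_profiles}
    report = {}
    for um in masters.values():
        wanted = target_profiles(um.user, roles, day)
        added = wanted - um.profiles
        removed = (um.profiles & generated) - wanted
        um.profiles = (um.profiles - removed) | added
        report[um.user] = (added, removed)
    return report

def build_sample() -> Tuple[Dict[str, Role], Dict[str, UserMaster]]:
    """Constructed sample: MY_ROLE from the course, a cross-role print role, a composite
    role, and three user masters (SCHMIDT and all profiles except MY_ROLE_PF invented)."""
    roles = {
        "MY_ROLE": Role("MY_ROLE", ["MY_ROLE_PF"], [
            Assignment("MEYERS", date(2000, 1, 1)),
            Assignment("BENZ", date(2000, 1, 1), date(2000, 1, 31)),  # year-end closing only
        ]),
        "Z_PRINT": Role("Z_PRINT", ["Z_PRINT_PF"], [Assignment("MEYERS", date(2000, 1, 1))]),
        "Z_COMPOSITE": Role("Z_COMPOSITE", [], [Assignment("SCHMIDT", date(2000, 1, 1))],
                            contains=["MY_ROLE", "Z_PRINT"]),
    }
    masters = {
        "MEYERS": UserMaster("MEYERS", {"Z_MANUAL_PF"}),   # manually created profile, not generated
        "BENZ": UserMaster("BENZ", {"Z_PRINT_PF"}),        # generated profile entered directly in SU01
        "SCHMIDT": UserMaster("SCHMIDT"),
    }
    return roles, masters

def demo(days: List[str]):
    """Run the comparison on the sample for each ISO date in turn, as a scheduled
    pfcg_time_dependency job would; returns the per-day reports and the final masters."""
    roles, masters = build_sample()
    reports = [user_compare(roles, masters, date.fromisoformat(d)) for d in days]
    return reports, masters
```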

Derived Roles

[Figure: a reference role with authorizations for Plant 1, Company Code 0020, Business Area 110, and three derived roles, each with its own organizational structure, for example authorizations for Plant 2, Company Code 0001, Business Area 100, or for Plant 1, Company Code 0020, Business Area *.]

n Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.

n The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.

n Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.

Menus of Derived Roles

[Figure: Reference Role passing its menu on to Derived Role 1, 2 and 3; changes to the menu are only possible in the reference role.]

n The menus passed on cannot be changed in the derived roles. Menu maintenance takes place exclusively in the role that passes on its values. Any changes immediately affect all inheriting roles.

n You can remove the inheritance relationship, but afterwards the inheriting role is treated like any other normal role. Once a relationship is removed, it cannot be established again.

Composite Roles

[Figure: Composite Role A and Composite Role B, each collecting several of the roles Role 1 to Role 7.]

n A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.

n Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.

n Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.

n The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.

Menus of Composite Roles

[Figure: the menus of Role 1 and Role 2 are read into the menu of the composite role, where changes to the entire menu are possible.]

n The menu tree of a composite role is, in the simplest case, a combination of the menus of the roles contained. When you create a new composite role, the initial menu tree is empty at first. You can set up the menu tree by choosing Read menu to add the menus of all roles included. This merging may lead to certain menu items being listed more than once. For example, a transaction or path contained in role 1 and role 2 would appear twice.

n If the set of roles contained in a composite role changes, the menu tree is also affected. In such a case, you can completely rebuild the menu tree or process only the changes. If you choose the latter option, the Profile Generator removes all items from the menu which are not contained in any of the roles referenced.

n It is possible (and often necessary) to change the menu of a composite role at any time. You adjust these menus in the same way as the menus for roles (see above).
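The menu handling for composite roles described above, as an added example written for this page (not SAP code): reading the menus of the contained roles produces duplicate entries, and processing only the changes removes functions that no longer belong to any referenced role. The sample role menus are constructed from transactions used in the exercises; the folder names and the SM04 entry are invented.

```python
from typing import Dict, List, Tuple

# Example code written for this page: a model of how the menu of a composite
# role is built from the menus of its roles, as the course text describes it.

MenuItem = Tuple[str, str]   # (folder path, function), e.g. ("Material", "MM03")

def read_menu(role_menus: Dict[str, List[MenuItem]], contained: List[str]) -> List[MenuItem]:
    """'Read menu': concatenate the menus of all contained roles. A function that
    two roles both contain therefore appears twice."""
    menu: List[MenuItem] = []
    for name in contained:
        menu.extend(role_menus[name])
    return menu

def duplicates(menu: List[MenuItem]) -> List[str]:
    """Functions listed more than once after reading the menus, in first-seen order."""
    seen, dups = set(), []
    for _, function in menu:
        if function in seen and function not in dups:
            dups.append(function)
        seen.add(function)
    return dups

def dedupe(menu: List[MenuItem]) -> List[MenuItem]:
    """One way to customize the merged menu: keep only the first entry of each function."""
    seen, result = set(), []
    for item in menu:
        if item[1] not in seen:
            seen.add(item[1])
            result.append(item)
    return result

def process_changes(current: List[MenuItem], role_menus: Dict[str, List[MenuItem]],
                    contained: List[str]) -> List[MenuItem]:
    """After the set of contained roles changed, 'process only the changes': keep the
    customized menu (including moved or renamed entries) but remove every function that
    is no longer contained in any referenced role. Only this removal is described in the
    course text; picking up functions of a newly added role is left to a full read_menu."""
    still_contained = {function for name in contained for _, function in role_menus[name]}
    return [item for item in current if item[1] in still_contained]

def build_sample() -> Dict[str, List[MenuItem]]:
    """Constructed sample role menus using transactions from the course exercises."""
    return {
        "GR##_MM_MAT_DISPL": [("Material", "MM03"), ("Material", "MM04"), ("Material", "MM19"),
                              ("WWW Links", "http://www.sap.com")],
        "GR##_MM_GR_POST": [("Goods Receipt", "MB1C"), ("Goods Receipt", "MB90"),
                            ("Goods Receipt", "VL21"), ("Material", "MM03")],
        "GR##_BC_WORKPLACE": [("WWW Links", "http://www.sap.com"), ("Tools", "SM04")],
    }
```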

Customizing Roles

[Figure: a project or project view of the Implementation Guide for R/3 Customizing (IMG), with nodes such as General Settings (Set countries, Currencies, Check units of measurement, Maintain calendar, Maintain calendar for Japan, Time zones, Field Display Characteristics), Enterprise Structure, Cross-Application Components, Financial Accounting, Treasury and Controlling, assigned to a Customizing role.]

n You can assign projects or project views of the Implementation Guide (IMG) to a role. The purpose of such an assignment is to specifically generate the authorization for certain IMG activities and assign it to users. When the profile is generated, the system creates the authorization which is necessary to perform all activities of the IMG projects/project views assigned.

n If a project or project view has been assigned to a role, it is no longer possible to manually assign transactions to this role. This means that such a role can only be used for generating and assigning Customizing authorizations. Vice versa, a role with transactions assigned manually cannot be used for Customizing authorizations.

n The transactions of the project or project view are not displayed in the Session Manager and the SAP Easy Access menu. If the Enterprise IMG or Project IMG is changed, the authorization data of this role must be regenerated.

n Since Customizing activities are performed on a project-related basis and for a limited period, you should maintain the end date for the users in the user assignment. This ensures that the users assigned to the role lose the authorization for the projects/project views assigned upon completion of the project.

Working with the Profile Generator: Unit Summary

You are now able to:

• Perform the steps involved in assigning authorizations with the Profile Generator
• Copy, change, and create roles and determine their activities
• Display and maintain authorizations that were generated automatically

Exercises

Unit: Working with the Profile Generator Part 1

At the conclusion of these exercises you will be able to

• Create roles using the Profile Generator and determine their activities

• Check and maintain authorizations that were generated automatically

• Derive and copy roles

• Explain the difference between derived and copied roles

• Assign users and perform a user comparison

1 You will now implement an authorization concept in the SAP R/3 System similar to the one you created in the Conception with ASAP Methodology exercise. The model solution on the next page will serve you as a template for your sample authorization concept. Important! To ensure that you have a consistent basis for all other exercises, you should not use the authorization concept that you created yourself.

Sample Authorization Concept

Enterprise area: FI | SD | SD | MM
Role name: AccRec | SDClerk | SDMan | Whouse

R/3 Links (T Code, with one Scope column per role):

MM01

MM02

MM03 x x x x

MM19 x x x x

MM04 x x x x

FD01 x x

FD02 x x

FD03 x x

VD01 x x

VD02 x x

VD03 x x

VA21 x x

VA22 x x

VA23 x x

VA25 x x

VA01 x x

VA02 x x

VA03 x x

VA05 x x

V.01 x x

MB1C x

MB90 x

VL21 x

F-18 x

F-26 x

F-28 x

Roles:

GR##_MM_MAT_DISPL
GR##_FI_IP_POST
GR##_FI_ACCREC_MAINT
GR##_SD_CUST_MAINT
GR##_SD_SALES
GR##_FI_MM_GR_POST

1-1 Create a role GR##_MM_MAT_ANZ to display a material master.

Enter a short description, and save your role.

1-1-1 Go to the Menu tab and select the transactions that are listed in the sample authorization concept. Create a folder with the name WWW Links. In this folder, create a Web address with the name SAP and the URL http://www.sap.com. Check that the Web address is correct by double-clicking it. Create another Web address with a link to your own company’s homepage. Save your role.

1-1-2 Go to the Authorizations tab. Select the normal mode (Change authorization data). Define the organizational levels:
- Company code: 1000
- Warehouse number/complex: *
- Sales organization: 1000
- Distribution channel: *
- Plant: 1000, 1100, 1200
Display the technical names for the authorizations (Utilities menu).

1-1-3 Check the traffic light symbol status: For which authorization object class are all authorization field contents maintained? Authorization object class: ____________________________________ For which authorization objects of the object class MM_G do you have to supply authorization values? Authorization Objects: ________________________________________

1-1-4 Set the authorization for the maintenance status in the authorization object M_MATE_STA to full authorization. What is the status of the authorization after your change? ____________________ Set all open authorization values to full authorization. What happens to the traffic light symbol for object class MM_G after you have assigned values to all open fields? __________________________________________________________

1-1-5 Generate the authorization profile for your role. Assign the following profile name: GR##_MM_01

1-1-6 Exit the authorization maintenance screen and check the status of your authorization profile in the information section of the Authorizations tab. What is the status of your authorization profile? ______________________

1-2 Create a role GR##_WM_GR_POST with authorizations for a warehouse supervisor.

Enter a short description, and save your role.

1-2-1 Go to the Menu tab and select the transactions listed in the example authorization concept. Create a folder and place all of the appropriate transactions in this folder using Drag&Drop. Save your role.

1-2-2 Go to the Authorizations tab. Select the normal mode (Change authorization data). Define the organizational levels: - Plant: 1000, 1100, 1200 Display the technical names for the authorizations (Utilities menu).

1-2-3 Make the following adjustments: Enter 561 and 562 as the authorization values for the Movement type field of the authorization object M_MSEG_BWA. Set full authorization for all open authorization values.

1-2-4 Generate the authorization profile for your role. Accept the default profile name.

1-3 Create a derived role GR##_WM_GR_POST1000 with authorizations for a warehouse supervisor in plant 1000.

Enter a short description, and save your role.

1-3-1 Assign the imparting role GR##_MM_GR_POST. Display the inheritance hierarchy of the roles.

1-3-2 Go to the Menu tab. Are you allowed to select additional activities or delete existing activities? ____________________

1-3-3 Go to the Authorizations tab. Select the normal mode (Change authorization data). Define the organizational levels: - Plant: 1000 Did the system copy the authorizations of the imparting role? ____________________

1-3-4 Save the authorizations and accept the default profile name. Copy the authorization data from the imparting role. Did the system copy settings for organizational levels? ____________ Make sure that users assigned to this derived role are only allowed to post data in plant 1000.

1-3-5 Generate the authorization profile for your role.

1-4 Create the role GR##_MM_GR_POST1200 by copying the role GR##_MM_GR_POST. Choose Copy all.

1-4-1 Go to the Menu tab. Are you allowed to select additional activities or delete existing activities? ____________________

1-4-2 Go to the Authorizations tab. Check the status of the authorization profile in the information section of the tab. What is the status of the authorization profile? ______________________ Select the normal mode (Change authorization data). Did the system copy the authorizations of the copy template? ____________________ Assign the value 1200 to the organizational level Plant. Generate the authorization profile for your role, and accept the default profile name.

Exit the authorization maintenance screen and check the status of your authorization profile in the information section of the Authorizations tab. What is the status of your authorization profile? ______________________

1-5 Create a role GR##_BC_WORKPLACE. This role is to be assigned to all SAP R/3 users and contain functions of general interest.

Enter a short description, and save your role.

1-5-1 Go to the Menu tab and copy the menu of the predefined role SAP_BC_SRV_USER by selecting all transactions. Save the menu.

1-5-2 Go to the Authorizations tab. Set full authorization for all open authorization field values. Generate the roles and accept the default profile name.

1-5-3 Go to the User tab. What is the traffic light symbol status of the tab? __________________________________________________________ Assign all users that you created in exercise 1-8-1 of the unit The User Master to your role. Check the User Comparison settings (Menu: Utilities → Settings). Confirm that a user comparison is automatically performed when you save. Save your user assignment. What happens to the traffic light symbol status of the User tab after you have saved the data? __________________________________________________________ What happens during the user compare process? ________________________________________________________

1-6 Assign the role CA940_PLUS to all users that you created in exercise 1-8-1. Save your user assignment.

1-7 Display the user master record of user GR##_MM1. Is the user linked to roles? If yes, to which ones? ________________________________________________________________ Are authorization profiles assigned to the user? _____________________________

Solutions

Unit: Working with the Profile Generator Part 1

1-1 Menu: Tools → Administration → User Maintenance → Roles (PFCG) Choose the Basic Maintenance view, create a short description and save your role.

1-1-1 Choose the following transactions with the Transaction pushbutton. MM03 MM04 MM19 To create a folder, choose the Create Folder icon. To create a Web address, choose Enter Other, enter a description in the Text field and the URL in the form http://www.sap.com in the Web Address or File field. Save your role.

1-1-2 You can enter multiple plants by choosing the Add. values pushbutton. Display the technical names for the authorizations. Menu: Utilities → Technical names on

1-1-3 Check the traffic light symbol status: For which authorization object class are all authorization field contents maintained? Authorization object class: Cross-application Authorization Objects AAAB For which authorization objects of the object class MM_G do you have to supply authorization values? Authorization objects whose authorization field values are not completely maintained are flagged with a yellow traffic light.

The following authorization objects are not completely maintained: M_MATE_MAR M_MATE_MAT M_MATE_STA M_MATE_WGR

1-1-4 Set the authorization for the maintenance status in the authorization object M_MATE_STA to full authorization. To do this, double-click the asterisk before the open field value. What is the status of the authorization after your change? Status: Maintained Set all open authorization values to full authorization. To do this, click the traffic light symbol at the top hierarchy level, and confirm the assignment of full authorization. What happens to the traffic light symbol for object class MM_G after you have assigned values to all open fields? The traffic light symbol turns to Green.

1-1-5 Choose the Generate icon.

1-1-6 What is the status of your authorization profile? Status: Authorization profile is generated

1-2 Menu: Tools → Administration → User Maintenance → Roles (PFCG)

Choose the Basic Maintenance view, create a short description and save your role.

1-2-1 Choose the following transactions with From SAP Menu or Transaction: MB1C MB90 VL21

1-2-2 You can enter multiple plants by choosing the Add. values pushbutton. Display the technical names for the authorizations. Menu: Utilities → Technical names on

1-2-3 You can enter the field values for the authorization object M_MSEG_BWA by clicking the pencil. You can find this authorization object in object class MM_B. Assign Full Authorization: Click the traffic light symbol at the top hierarchy level, and confirm the assignment of full authorization.

1-2-4 Choose the Generate icon.

1-3 Menu: Tools → Administration → User Maintenance → Roles (PFCG) Choose the Basic Maintenance view, create a short description and save your role.

1-3-1 Enter GR##_MM_GR_POST into the field Derive from role. Display the inheritance hierarchy of the roles. Menu: Role → Where-used list

1-3-2 Are you allowed to select additional activities or delete existing activities? No, because the menu is inherited by the role GR##_MM_GR_POST1000 from role GR##_MM_GR_POST.

1-3-3 Did the system copy the authorizations of the imparting role? No, they must either be maintained here or copied as in 1-3-4.

1-3-4 Copy the authorization data from the imparting role by choosing the pushbutton Copy data or the menu path Edit → Copy data. Did the system copy settings for organizational levels? Choose Organizational levels. Plants 1000, 1100, and 1200 have been copied. Delete the entries for plant 1100 and 1200.

1-3-5 You do not need to enter a name since the system prompted you for one when you saved the data.

The following exercise is optional.

1-4 Copy the role GR##_MM_GR_POST to the new role GR##_MM_GR_POST1200 by choosing the Copy role pushbutton. Choose Copy All.

1-4-1 Are you allowed to select additional activities or delete existing activities? Yes. You can use the copied role like one that you created anew.

1-4-2 Check the status of the authorization profile in the information section of the tab. What is the status of the authorization profile? Status: Current version not generated Did the system copy the authorizations of the copy template? Yes. Choose the Organizational Level pushbutton. Plants 1000, 1100, 1200 were copied. Delete the entries for plants 1000 and 1100. What is the status of your authorization profile? Status: Authorization profile is generated

1-5 Menu: Tools → Administration → User Maintenance → Roles (PFCG)

Choose the Basic Maintenance view, create a short description and save your role.

1-5-1 Go to the Menu tab and copy the menu of the predefined role SAP_BC_SRV_USER by selecting all transactions. To do this, choose From other role under Copy menus.

1-5-2 Complete authorization assignment: To do this, click the traffic light symbol at the top hierarchy level, and confirm the assignment of full authorization. Choose the Generate icon.

1-5-3 What is the traffic light symbol status of the tab? The traffic light is red. This means that no users are assigned to this role. Assign the following users by entering the names into the User ID column.

User name

GR##-FI1

GR##-FI2

GR##-SD1

GR##-SD2

GR##-MM1

GR##-MM2

1-5-4 What happens to the traffic light symbol status of the User tab after you have saved the data? The status display is green. What happens during the user compare process? During the user compare process, the generated profiles for a role are entered into the user master record.

1-6 Tools → Administration → User Maintenance → Roles (PFCG) Choose the Basic Maintenance view for role CA940_PLUS, and choose the Change pushbutton. Go to the User tab, and assign the role to the following users by entering them in the User ID column. Remember to save the user assignment.

User name

GR##-FI1

GR##-FI2

GR##-SD1

GR##-SD2

GR##-MM1

GR##-MM2

1-7 Display the user master record of user GR##_MM1. Tools → Administration → User Maintenance → User (SU01)

Is the user linked to activity groups? If yes, to which ones? Yes, to: CA940_PLUS, GR##_BC_WORKPLACE.

Are authorization profiles assigned to the users? Yes.

Exercises

Unit: Working with the Profile Generator Part 2

At the conclusion of these exercises you will be able to

• Work with composite roles and predefined work center examples

• Design user menus

1-1 Create the composite role GR##_MM_WHOUSE.

Make sure that the Composite role indicator is set on the initial screen of the Profile Generator.

1-1-1 Create a short description and save your composite role.

If you look at the tabs, what do you notice? ___________________________________________________________

1-1-2 Go to the Roles tab. Your composite role should consist of both roles in the role definition in the sample authorization concept. That means the roles: – GR##_MM_MAT_DISPL – GR##_MM_GR_POST. Enter these in the appropriate field.

1-1-3 Go to the Menu tab and read the menus of the inserted roles into your composite role. Optionally, you can further customize the menu of the composite role. Save your composite role.

1-1-4 Change the composite role GR##_MM_WHOUSE. Go to the User tab and assign user GR##-MM1 and save your user assignment.

1-2 Display the user master record of user GR##-MM1. To which roles is the user assigned? ____________________ Display the authorization profiles. How many profiles are assigned? ______________ authorization profiles Why are there fewer profiles than roles? __________________________________________________________________

1-3 Log on to the system as user GR##-MM1. Use the initial password that was generated automatically in the User Master exercise or assign a new initial password in user maintenance.

Change the password when you log on: _________________

You can show the transaction codes by choosing Extras → Settings (Display Technical Names)

1-3-1 Set up a user-specific favorites list by defining the transactions MM03 and MB1C as favorites and adding a Web address of your choice.

1-3-2 Try to start some of the transactions, for example, MM03, and display the accounting view of material P-100 in plant 1000. Can you also display the accounting view of material P-100 in plant 3000? If not, why? ___________________________

1-3-3 Display the failed authorization check. If necessary, assign the role CA940_PLUS to your user GR##-MM1.

Menu path: System → Utilities → Display authorization check (or transaction SU53)

Why were you not able to display material P-100 in plant 3000? ________________________________________________________ Log off as GR##-MM1.

The following exercise is optional.

1-4 Create a new single role GR##_SD_SALES by copying the predefined work area example CA940_SD_SALES without user assignment.

1-5 Change the copied role GR##_SD_SALES.

1-5-1 Change the group-specific description.

Go to the Menu tab.

Show the technical names.

Expand all of the menu nodes, deleting all transactions and nodes that do not appear in this role in the example authorization concept (see exercise Working with the Profile Generator Part 1), for example the Master Data node. Save the altered user menu.

1-5-2 Go to the Authorization tab.

Choose the normal mode. (Change Authorization Data).

Restrict the organizational levels as follows:

- Sales Organization 1000

Use the default values for all other organizational levels.

1-5-3 Generate the authorization profile for your role. Use the default profile name.

1-6 Create the three missing single roles from the example authorization concept. (See the exercises for Working with the Profile Generator, Part 1). Restrict the organizational levels with the specified values:

- Company Code 1000

- Business Area 1000

- Account Type D

- Controlling Area 1000

- Division *

- Sales Organization 1000

- Distribution Channel *

Assign full authorization for all open authorization fields. Generate the profiles.

1-7 Create the three composite roles that correspond to the example authorization concept. Use the names from the following table. Follow the instructions in steps 1-1-1 to 1-1-3 when you create the roles.

Make sure that the Composite role indicator is set on the initial screen of the Profile Generator.

Composite Role Corresponds to ASAP Role

GR##_FI_ACCREC Accounts receivable accountant (AccRec)

GR##_SD_SALCLK Sales clerk (SClerk)

GR##_MM_WHOUSE Warehouse supervisor (Whouse)

Create a short description and save your composite role.

1-7-1 Go to the Roles tab. Your composite role should bring together the roles from the role definitions in the example authorization concept.

Select the corresponding roles and copy them into your composite role.

Example: The Accounts Receivable Accountant role (AccRec), that is the composite role GR##_FI_ACCREC, must contain the following roles:

- GR##_MM_MAT_DISP - GR##_FI_CUST_MAINT - GR##_FI_IP_POST

1-7-2 Go to the Menu tab and read the menus of the roles you have added to your composite role. Repeat steps 1-7-1 and 1-7-2 until all composite roles have been created.

Working with the Profile Generator Part 2 - Solutions

Unit: Working with the Profile Generator Part 2

1-1 Menu: Tools → Administration → User Maintenance → Roles (PFCG)

Remember to use the Create composite role button on the initial screen of the Profile Generator.

1-1-1 Create a short description and save your composite role. If you look at the tabs, what do you notice? The Roles tab has been added. The Authorizations tab has disappeared

1-1-2 Go to the Roles tab. Enter the two roles from the example authorization concept: - GR##_MM_MAT_DISPL - GR##_MM_WE_POST You can do this using the possible entries (F4) help, or by entering the transactions manually.

1-1-3 Go to the Menu tab and choose the pushbutton Read Menu. You can further adjust the menu of the composite role as you wish. Save your composite role.

1-1-4 Go to the User tab, assign the user GR##-MM1 and save the user assignment.

1-2 Menu: Tools → Administration → User Maintenance → SU01 - Users

To which roles is the user assigned? GR##_MM_WHOUSE, GR##_MM_MAT_DISP, GR##_MM_GR_POST (GR##_BC_WORKPLACE optional, CA940_PLUS optional).

How many profiles are assigned? 42 (4) authorization profiles, since the composite role does not have a profile of its own.

1-3 Log on to the system as user GR##-MM1. Use the initial password that was generated automatically in the User Master exercise or assign a new initial password in user maintenance.

1-3-1 You can add favorites to the favorites list by dragging transactions with the mouse from the user menu to the list, or enter them directly using the context menu (right mouse button).

1-3-2 Choose the transaction MM03. Enter the material ID P-100 in the Material field. Choose View selection, Accounting 1, and Continue. Can you also display the accounting view of material P-100 in plant 1000? Yes. Can you also display the accounting view of material P-100 in plant 3000? No, because you do not have authorization for plant 3000.

1-3-3 Display the failed authorization check: Menu: System → Utilities → Display authorization check (or transaction SU53). Why were you not allowed to display material P-100 in plant 3000? The program required activity 03 and plant 3000 for authorization object M_MATE_WRK. Although the user master contained the authorization for activities 03 and 08, it did not contain the authorization for plant 3000. Log off from the system as user GR##-MM1.
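The profile count in 1-2 and the failed check in 1-3-3 can be traced with the following Python model. It is an added example, not course material or SAP code: it builds the user master from the composite role (a composite role contributes only the generated profiles of its single roles), runs the two checks that MM03 performs in the exercise, and keeps the last failure the way SU53 displays it. The profile names T-GR##001 and T-GR##002, the profile contents and all function names are constructed; the M_MATE_WRK values (activities 03 and 08, plant 1000) are the ones the solution describes.

```python
"""Model of the user master buffer and the ABAP AUTHORITY-CHECK semantics.

Added illustration, not SAP code. Role and user names follow the exercise
(GR## stands for the group number); the generated profile names, the profile
contents and the helper names are constructed. Reproduced semantics: a
composite role carries no profile of its own, only those of its single roles;
a check succeeds when one authorization for the object covers every field
value requested; '*' and a trailing '*' are wildcards, a tuple is an interval;
the last failed check is kept the way SU53 would display it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple, Union

Value = Union[str, Tuple[str, str]]       # single value / pattern, or (from, to) interval


@dataclass
class Authorization:
    obj: str                               # authorization object, e.g. M_MATE_WRK
    fields: Dict[str, List[Value]]         # field name -> permitted values


# Constructed: generated profiles of the exercise's single roles and the composite role.
ROLE_PROFILES: Dict[str, List[str]] = {
    "GR##_MM_MAT_DISPL": ["T-GR##001"],
    "GR##_MM_GR_POST": ["T-GR##002"],
}
COMPOSITE_ROLES: Dict[str, List[str]] = {
    "GR##_MM_WHOUSE": ["GR##_MM_MAT_DISPL", "GR##_MM_GR_POST"],
}
PROFILE_AUTHS: Dict[str, List[Authorization]] = {
    "T-GR##001": [
        Authorization("S_TCODE", {"TCD": ["MM03"]}),
        # Display (03) and display change documents (08), plant 1000 only: the
        # situation the exercise's SU53 output describes.
        Authorization("M_MATE_WRK", {"ACTVT": ["03", "08"], "WERKS": ["1000"]}),
    ],
    "T-GR##002": [
        Authorization("S_TCODE", {"TCD": ["MB1C"]}),
    ],
}


def user_compare(roles: Sequence[str]) -> List[str]:
    """User compare: resolve composite roles to their single roles and enter the
    generated profiles into the user master. A composite role adds no profile of
    its own, which is why a user can have fewer profiles than roles."""
    profiles: List[str] = []
    for role in roles:
        for single in COMPOSITE_ROLES.get(role, [role]):
            for profile in ROLE_PROFILES.get(single, []):
                if profile not in profiles:
                    profiles.append(profile)
    return profiles


def value_allowed(value: str, permitted: List[Value]) -> bool:
    """True if one permitted entry covers the requested field value."""
    for entry in permitted:
        if isinstance(entry, tuple):
            if entry[0] <= value <= entry[1]:
                return True
        elif entry == "*" or entry == value:
            return True
        elif entry.endswith("*") and value.startswith(entry[:-1]):
            return True
    return False


@dataclass
class FailedCheck:
    """What SU53 reports: the object, the values requested, and the fields not covered."""
    obj: str
    requested: Dict[str, str]
    missing: List[str]


class UserBuffer:
    """Authorizations of one user, loaded from the profiles in the user master."""

    def __init__(self, user: str, roles: Sequence[str]) -> None:
        self.user = user
        self.profiles = user_compare(roles)
        self.auths = [a for p in self.profiles for a in PROFILE_AUTHS[p]]
        self.last_failed: Optional[FailedCheck] = None

    def authority_check(self, obj: str, **requested: str) -> bool:
        """AUTHORITY-CHECK OBJECT obj ID f FIELD v ...: every requested field must be
        covered by the same authorization. Returns True where ABAP sets sy-subrc = 0."""
        best: Optional[List[str]] = None
        for auth in self.auths:
            if auth.obj != obj:
                continue
            missing = [f for f, v in requested.items()
                       if not value_allowed(v, auth.fields.get(f, []))]
            if not missing:
                return True
            if best is None or len(missing) < len(best):
                best = missing
        self.last_failed = FailedCheck(obj, dict(requested), best or list(requested))
        return False


def mm03_display_plant_view(buf: UserBuffer, plant: str) -> bool:
    """The two checks behind the exercise: MM03 may be started, and the plant-level
    material view (activity 03 for the plant) may be displayed."""
    return (buf.authority_check("S_TCODE", TCD="MM03")
            and buf.authority_check("M_MATE_WRK", ACTVT="03", WERKS=plant))


if __name__ == "__main__":
    buf = UserBuffer("GR##-MM1", ["GR##_MM_WHOUSE"])
    print("profiles:", buf.profiles)                      # two profiles for one composite role
    print("plant 1000:", mm03_display_plant_view(buf, "1000"))
    print("plant 3000:", mm03_display_plant_view(buf, "3000"), buf.last_failed)
```

Running the block shows two profiles for the single composite role, a successful display for plant 1000 and, for plant 3000, a FailedCheck naming M_MATE_WRK with WERKS as the field the user's authorizations do not cover, which is exactly what SU53 tells the user in step 1-3-3.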

The following exercises are optional.

1-4 Menu: Tools → Administration → User Maintenance → Roles (PFCG) Copy the role CA940_SD_SALES to the new role GR##_SD_SALES by clicking the Copy Role icon. Choose Copy selectively and do not check the User Assignment box. This means that the assigned users are not copied along with the role.

1-5 Choose the Change pushbutton.

1-5-1 On the Menu tab, the technical name (transaction code) can be displayed by choosing the Magnifying Glass icon (next to the Delete icon, the waste basket). Delete the following nodes by selecting them and choosing the Delete icon:

- Master Data

- Delivery

- Billing

1-5-2 Overwrite the asterisk for sales organization with the value 1000. The other organizational levels (company code, controlling area, division, distribution channel, and so on) should retain their default values.

1-5-3 Choose the menu path: Authorizations → Generate or the corresponding pushbutton.

1-6 Create the three missing single roles from the example authorization concept (see Working with the Profile Generator Part 1 exercises). Menu: Tools → Administration → User Maintenance → Roles (PFCG)

Role Name: Transactions for this Role

GR##_FI_ACCREC_MAINT: FD01, FD02, FD03

GR##_FI_IP_POST: F-18, F-26, F-28

GR##_SD_CUST_MAINT: VD01, VD02, VD03

Restrict the organizational levels of the roles with the values given below:

Role GR##_FI_ACCREC_MAINT: Company Code 1000

Role GR##_FI_IP_POST: Company Code 1000, Business Area 1000, Account Type D, Controlling Area 1000

Role GR##_SD_CUST_MAINT: Company Code 1000, Division *, Sales Organization 1000, Distribution Channel *

Assign full authorization for all open authorization fields. Generate the profiles.

1-7 Menu: Tools → Administration → User Maintenance → Roles (PFCG)

Composite Role: Roles Contained

GR##_FI_ACCREC: GR##_MM_MAT_DISPL, GR##_FI_ACCREC_MAINT, GR##_FI_IP_POST

GR##_SD_SALCLK: GR##_MM_MAT_DISPL, GR##_SD_CUST_MAINT, GR##_SD_SALES

GR##_SD_SALMGR: GR##_MM_MAT_DISPL, GR##_FI_ACCREC_MAINT, GR##_SD_CUST_MAINT, GR##_SD_SALES

GR##_MM_WHOUSE: GR##_MM_MAT_DISPL, GR##_MM_GR_POST

1-7-1 Go to the Roles tab.

Enter the roles according to the table above.

1-7-2 Choose the Read menu pushbutton. You can move and restructure the menus using the mouse. You can structure the transactions according to function or process using the Create folder button.

Repeat steps 1-7-1 and 1-7-2 until all composite roles have been created.

Profile Generator: Installation and Upgrade

Contents:

l Steps Required to Install the Profile Generator

l Checking Profile Parameters

l Copy Default Values for the Profile Generator

l Use Check Indicators

l Subsequent Processing after an Upgrade

Profile Generator: Installation and Upgrade: Unit Objectives

At the conclusion of this unit, you will be able to:

l Perform the Steps Necessary to Install the Profile Generator

l Adjust the Default Values of the Profile Generator if Required

l Differentiate the Check Indicators

l Perform Required Subsequent Processing after an Upgrade

l Migrate Manually Created Profiles to Roles

Overview Diagram (6)

Course overview diagram: Introduction; Conception with ASAP Methodology; Elements of the SAP R/3 Authorization Concept; The User Master Record; Access Control and User Administration; Central User Administration; Working with the Profile Generator; Special Authorization Components; Integration into Organizational Management; Transporting Authorization Components; Profile Generator: Installation/Upgrade; Analysis and Monitoring Functions; mySAP.com and the Workplace.

Profile Generator: Installation and Upgrade: Business Scenario

l Before you can use the Profile Generator, you must first install it.

l Depending on the source release, different subsequent activities are necessary in connection with the Profile Generator and existing roles after an upgrade. For example, after the upgrade you might want to work with the Profile Generator for the first time and migrate an authorization concept that was created manually.

Necessary Steps

Using the Profile Generator requires that

l the profile parameter auth/no_check_in_some_cases has the value 'Y'

l the customer tables for the default values of the Profile Generator are filled

n Activating the Profile Generator after a new installation requires that:

- the SAP R/3 System profile parameter auth/no_check_in_some_cases has the value Y

- the default tables are filled which control the behaviour of the Profile Generator when a transaction in a role is started.

n Both steps are described in detail in this unit.

Checking Profile Parameters

Screenshot: transaction RZ11, Display Profile Parameter Attributes, for the parameter auth/no_check_in_some_cases. Short description (Engl): Special authorization checks switched off by customer; application area: Authentication; parameter type: special character string; changes allowed: change permitted; valid for all operating systems; default value Y; current value Y. The Documentation pushbutton opens the parameter documentation.

n After a reinstallation, the SAP R/3 System profile parameter auth/no_check_in_some_cases should be set to its default value Y. This activates the Profile Generator.

n To check this, use transaction RZ11. The above slide shows transaction RZ11 after you have entered the parameter name. For Current value, Y must be entered. You can find more details on the currently selected parameter by choosing Documentation.

n Alternatively, you can select and check the parameter setting using report RSPFPAR.

n If the parameter has the value N, it must have been set to this value in the default profile or in the instance profiles of the SAP R/3 System. Transaction RZ10 is used to maintain and manage these profiles. The transaction can be accessed by choosing Tools -> CCMS -> Configuration -> Profile Maintenance. You should use this transaction to delete the parameter from both the default and the instance profiles. The parameter is then set to its default value Y.

What is the Origin of the Default Values?

Screenshot: role MY_ROLE (FI: Accounts Payable Clerk - Created from SAP tem.) in the Profile Generator. The Menu tab offers Copy menus from the SAP Menu, from another role, from an area menu or by import from file, and contains entries such as URL - www.mysap.com, URL - Route Planner, SM04 - User List, SO01 - SAP Office, and the vendor master transactions FK01 - Create vendor through FK06 - Set deletion flag. The Authorizations tab shows the status line "Maint.: 0 Unmaint. org. levels, 7 open fields, Status: Saved" and the authorization tree with Standard and Maintained entries, among them two "Standard / New / Authorization for File Access" authorizations whose fields Activity, Physical file name and ABAP Program name are open. The proposed values come from the tables USOBX_C and USOBT_C.

n If an administrator selects a transaction while creating a role, the Profile Generator selects the authorization objects that are checked in this transaction and maintained in the Profile Generator. Three cases can occur:

- For an authorization object against which the check is performed in the transaction selected, the Profile Generator has default values for the authorization content so that full authorization can be provided. The traffic light beside the authorization is green.

- For an authorization object against which the check is performed in the transaction selected, the Profile Generator does not have default values for the authorization content. On the above slide, the SAPoffice transaction SO01 has been selected, from within which you can access files at operating system level. No specifications are made as to which files can be accessed in read-only or in write mode. The traffic light beside the authorization is yellow.

- It may be the case that some authorization checks during transaction processing are not maintained in the Profile Generator. The corresponding authorization objects do not appear in the profile overview.

n Tables USOBX_C and USOBT_C control the behavior of the Profile Generator after the transaction has been selected. After a reinstallation, these tables are empty and must be filled with values before the Profile Generator is used for the first time.

Initial Filling of the Default Tables

Diagram: transaction SU25 copies the SAP defaults in tables USOBX and USOBT into the customer tables USOBX_C and USOBT_C. For each transaction, the tables record which checks exist, which checks are performed, what is maintained in the Profile Generator, and what the Profile Generator proposes.

n SAP delivers the tables USOBX and USOBT. These tables are filled with default values and are used to fill the customer tables USOBX_C and USOBT_C initially. After the initial fill, you can adjust the customer tables and consequently the behavior of the Profile Generator.

n The table USOBX defines which authorization checks are to be performed within a transaction and which are not (even though an AUTHORITY-CHECK statement is programmed). This table also determines which authorization checks are maintained in the Profile Generator.

n The table USOBT defines, for each transaction and for each authorization object, which default values an authorization created from the authorization object should have in the Profile Generator.

n Under menu item 1, Initially fill the customer tables, transaction SU25 copies the SAP defaults of USOBX and USOBT into the customer tables USOBX_C and USOBT_C. From this point, the Profile Generator can be used.

n For a full description of the functions of SU25, choose the Information about this transaction pushbutton.

Optional: Adjust Check Indicators

Diagram: transaction SU24 maintains the customer tables USOBX_C and USOBT_C. Per transaction they record which checks are performed, what is maintained in the Profile Generator and what the Profile Generator proposes; the check indicators are N (No check), U (Unmaintained), C (Check) and CM (Check/maintain), and the field values hold the proposed defaults.

n After the tables USOBX_C and USOBT_C have been filled, you can maintain them to adjust the behavior of the Profile Generator and the authorization checks to be performed for each transaction. The tables are maintained in transaction SU24. This transaction displays the check indicators of a transaction. Check indicators determine whether an authorization check runs within the transaction or not. The following check indicators are supported:

- N: No check. No check is performed against the corresponding authorization object in this transaction (even though an AUTHORITY-CHECK statement is programmed). This indicator cannot be set for HR and Basis authorization objects.

- U: Unmaintained. No check is performed against the corresponding authorization object in this transaction.

- C: Check. A check is performed against the corresponding authorization object in this transaction. Maintenance in the Profile Generator is not supported. An example of this check indicator is the authorization object S_SPO_DEV, against which a check is run in almost all SAP transactions in connection with list printing (printer icon). In the Profile Generator, however, it would be cumbersome to handle print authorizations anew for each transaction.

- CM: Check/maintain. A check is performed against the corresponding authorization object in this transaction. For objects with this check indicator, you can display and change the defaults of the Profile Generator by choosing Edit -> Field values -> Display. Where SAP default values are missing, security is most often the reason: the administrator must then postprocess the authorization profile (yellow traffic lights).
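The three cases listed under "What is the Origin of the Default Values?" and the four check indicators above can be seen working together in the following Python model, an added example that is neither course material nor SAP code. It holds a USOBX_C-like table of check indicators and a USOBT_C-like table of field defaults, derives which checks take effect when a transaction runs, and builds the Profile Generator's proposal for a role menu with a green (Standard) or yellow (open fields) status and the organizational levels marked by a leading dollar sign. The PA30/PLOG defaults come from this unit's exercise solution and the open S_DATASET fields from the SO01 example on the slide; every other table row, the object Z_DEMO and all function names are constructed. One assumption of the model is labelled in the code: with auth/no_check_in_some_cases set to N the indicators are ignored and every programmed check runs.

```python
"""Model of how USOBX_C check indicators and USOBT_C field defaults shape the
Profile Generator and the runtime checks of a transaction.

Added illustration, not SAP code. The PA30/PLOG defaults and the SO01 file
access object are taken from this unit; every other table row, the object
Z_DEMO and all function names are constructed. The model follows the unit's
description of the indicators: N and U suppress the check, C checks without a
proposal, CM checks and proposes defaults. Assumption of the model: with the
profile parameter auth/no_check_in_some_cases set to N the indicators are
ignored and every programmed check runs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]                       # (transaction code, authorization object)

# USOBX_C-like check indicators (constructed contents).
CHECK_INDICATORS: Dict[Key, str] = {
    ("PA30", "S_TCODE"): "CM",
    ("PA30", "PLOG"): "CM",
    ("PA30", "S_SPO_DEV"): "C",             # checked for list printing, never proposed
    ("PA30", "Z_DEMO"): "N",                # constructed customer object, check switched off
    ("SO01", "S_TCODE"): "CM",
    ("SO01", "S_DATASET"): "CM",            # file access: no usable defaults exist
}

# USOBT_C-like field defaults. An empty list is an open field (yellow traffic light);
# a value starting with '$' marks an organizational level the administrator fills.
FIELD_DEFAULTS: Dict[Key, Dict[str, List[str]]] = {
    ("PA30", "PLOG"): {"INFOTYP": ["1001"], "ISTAT": ["*"], "OTYPE": ["C", "O", "P", "Q", "S"],
                       "PLVAR": ["$PLVAR"], "PPFCODE": ["*"], "SUBTYP": ["*"]},
    ("SO01", "S_DATASET"): {"ACTVT": [], "FILENAME": [], "PROGRAM": []},
}


@dataclass
class Proposal:
    """One authorization as the Profile Generator would propose it."""
    obj: str
    status: str                              # "Standard" (green) or "open" (yellow)
    values: Dict[str, List[str]]
    org_levels: Set[str] = field(default_factory=set)
    open_fields: List[str] = field(default_factory=list)


def runtime_checks(tcode: str, no_check_in_some_cases: str = "Y") -> Set[str]:
    """Objects whose AUTHORITY-CHECK takes effect when tcode runs."""
    objs = {o for (t, o) in CHECK_INDICATORS if t == tcode}
    if no_check_in_some_cases != "Y":
        return objs                          # model assumption: indicators not honoured
    return {o for o in objs if CHECK_INDICATORS[(tcode, o)] in ("C", "CM")}


def pg_proposal(tcodes: List[str]) -> List[Proposal]:
    """Authorizations proposed for a role menu: only CM objects appear; S_TCODE
    receives the selected transactions; other fields come from FIELD_DEFAULTS.
    An object reached from several transactions is listed once (first hit)."""
    proposals: List[Proposal] = []
    seen: Set[str] = set()
    for tcode in tcodes:
        for (t, obj), indicator in CHECK_INDICATORS.items():
            if t != tcode or indicator != "CM" or obj in seen:
                continue
            seen.add(obj)
            if obj == "S_TCODE":
                values = {"TCD": sorted(tcodes)}
            else:
                values = {f: list(v) for f, v in FIELD_DEFAULTS.get((tcode, obj), {}).items()}
            open_fields = [f for f, v in values.items() if not v]
            org_levels = {v[0][1:] for v in values.values() if v and v[0].startswith("$")}
            status = "open" if open_fields else "Standard"
            proposals.append(Proposal(obj, status, values, org_levels, open_fields))
    return proposals


if __name__ == "__main__":
    print("PA30 runtime checks:", sorted(runtime_checks("PA30")))
    for p in pg_proposal(["PA30"]) + pg_proposal(["SO01"]):
        print(p.obj, p.status, "org levels:", sorted(p.org_levels), "open:", p.open_fields)
```

For PA30 the model checks S_TCODE, PLOG and S_SPO_DEV at runtime but proposes only S_TCODE and PLOG, with PLOG green and PLVAR reported as an organizational level; for SO01 the S_DATASET authorization is proposed with all three fields open, the yellow case from the slide. Setting the parameter to N brings the Z_DEMO check back, which is why the unit insists on the value Y.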

Post-Upgrade Actions

l Migration of Report Trees

l Maintain New Fields in User Maintenance (SU01)

l Check Activation of the Profile Generator

l Upgrade Roles (SU25, Steps 2A-2D)

l If Required, Convert Manually Created Profiles to Roles (SU25, Step 6)

n There are various steps to be taken after an upgrade with regard to the authorization data in the system, depending on the source release, and whether roles that you wish to continue using have already been created in the source release using the Profile Generator.

n A migration of the customer-defined report tree is necessary, as the data structure of report trees changed internally in SAP R/3 Release 4.6B. The migration is executed automatically by the transaction RTTREE_MIGRATION. As part of this process, every report is automatically assigned a transaction code with which the report can be started or included in roles after the migration.

n Two new fields have been added to the Defaults tab in user maintenance transaction SU01: Personal Time Zone and Date Format. These should be maintained after the upgrade.

n If the Profile Generator was not used in the source release, it may have to be activated. In the case of new installations, the Profile Generator is already activated.

n If roles were already used in the source release, they must be updated. Transactions that appear in the menus of existing roles may be protected by additional authorization objects in the target release. It is therefore necessary to update tables USOBT_C and USOBX_C and the existing roles.

n It is possible to convert manually created profiles to roles.

Upgrade Considerations (1)

Diagram: the two upgrade paths, Source Release Did Not Use PG and Source Release (from 3.1G) Uses PG.

Upgrade Scenario: Source Release Did Not Use PG

l Option 1:

n Review your authorization concept and create the authorizations again using the Profile Generator.

l Option 2:

n Convert existing manually created profiles and authorizations into roles. To do this, use transaction SU25 (Point 6).

n Option 1

- Advantages:

  - Authorizations have a new structure based on the new authorization concept. You can fully utilize the configuration tables USOBX_C and USOBT_C.

  - You can use the user-friendly user menus.

  - Opportunity to create a clearly structured, transparent authorization concept with a consistent naming convention and to reorganize authorization administration.

- Disadvantage:

  - Can take a long time (new security implementation).

n Option 2

- Advantages:

  - Allows the administrator to assign all existing and carefully checked profiles to the appropriate roles.

  - If the profiles contain authorizations for authorization object S_TCODE, the user menu can be created automatically.

- Disadvantage:

  - An authorization profile in a role has no relationship to the menu assignments. The menu can only be created automatically if authorizations for S_TCODE are contained in the profile. The administrator cannot use the configuration tables USOBX_C and USOBT_C.

Upgrade Considerations (2)

Diagram: the two upgrade paths, Source Release Did Not Use PG and Source Release (from 3.1G) Uses PG.

Upgrade Scenario: Previous System (>3.0F) Uses PG

l Perform the Following Steps in Transaction SU25:

n 2A: Execute the Profile Generator Comparison Program.

- Compare the new tables USOBT and USOBX with USOBT_C and USOBX_C.

n 2B: Using SU25, add the new Transactions/Updates to tables USOBX_C and USOBT_C.

n 2C: Update the existing roles.

n 2D: Display changed transaction codes.

n Due to authorization checks newly introduced in the target release, the tables USOBT_C and USOBX_C, and the roles that have been created in the source release must be updated. Use transaction SU25 to do this.

n When executing transaction SU25, note that tables USOBT_C and USOBX_C could have been changed by the customer in the source release. For this reason, step 1 must not be executed in transaction SU25, as this would completely overwrite the tables. A comparison procedure is required. This is performed by steps 2A and 2B.

n Step 2C runs through all roles that are affected by the newly introduced authorization checks and must therefore be correspondingly extended.

n Transactions in the SAP R/3 System are occasionally replaced by one or more other transactions. In step 2D, you create a list of all roles that contain transactions replaced by other transactions. The old and new transaction codes are specified. If necessary, you can replace the transactions in the roles. By double clicking the list, you can jump to the corresponding role.
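Why step 1 must not be run after an upgrade, and what the comparison in steps 2A to 2C preserves, can be followed in this Python model. It is an added example, not course material or SAP code: step 1 simply replaces the customer table with SAP's defaults, so a check indicator the customer changed in SU24 would be lost; the comparison instead classifies each entry as new, customer-modified or changed by SAP, merges only the first and third into the customer table, and lists the roles whose menus contain the affected transactions. The table contents, the role menus, the object Z_DEMO, the F_KNA1_APP row and all function names are constructed.

```python
"""Model of the SU25 upgrade steps 2A-2C for the check indicator table.

Added illustration, not SAP code. The table contents, the role menus and the
function names are constructed (PA30, SO01, VD01, PLOG, S_DATASET and P_PERNR
are names used elsewhere in this course; the Z_DEMO and F_KNA1_APP rows are
constructed). It shows why step 1 must not be run after an upgrade and what
the comparison keeps.
"""
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]                  # (transaction code, authorization object)
Table = Dict[Key, str]                 # key -> check indicator (N, U, C, CM)

# SAP defaults of the source release, and the customer copy of them after the
# customer switched off one check in SU24.
USOBX_SOURCE: Table = {("PA30", "PLOG"): "CM", ("PA30", "Z_DEMO"): "CM", ("SO01", "S_DATASET"): "CM"}
USOBX_C: Table = {("PA30", "PLOG"): "CM", ("PA30", "Z_DEMO"): "N", ("SO01", "S_DATASET"): "CM"}

# SAP defaults delivered with the target release: a new check for PA30, a new
# transaction, and a changed indicator for SO01.
USOBX_TARGET: Table = {
    ("PA30", "PLOG"): "CM", ("PA30", "Z_DEMO"): "CM", ("PA30", "P_PERNR"): "CM",
    ("SO01", "S_DATASET"): "C", ("VD01", "F_KNA1_APP"): "CM",
}

# Role menus (transaction codes per role), constructed from the course exercises.
ROLE_MENUS: Dict[str, List[str]] = {
    "GR##_HR_PA30": ["PA30"],
    "GR##_SD_CUST_MAINT": ["VD01", "VD02", "VD03"],
    "GR##_MM_MAT_DISPL": ["MM03"],
}


def step1_initial_fill(sap: Table) -> Table:
    """Step 1: replace the customer table by the SAP defaults. Correct on a new
    installation, destructive after an upgrade: customer changes are lost."""
    return dict(sap)


def step2a_compare(sap_target: Table, sap_source: Table,
                   customer: Table) -> Tuple[Table, Set[Key], Set[Key]]:
    """Step 2A: compare the new SAP defaults with the customer table.
    Returns (new entries, keys the customer modified, keys SAP changed)."""
    new_entries = {k: v for k, v in sap_target.items() if k not in customer}
    customer_modified = {k for k, v in customer.items()
                         if k in sap_source and sap_source[k] != v}
    sap_changed = {k for k, v in sap_target.items()
                   if k in sap_source and sap_source[k] != v and k not in customer_modified}
    return new_entries, customer_modified, sap_changed


def step2b_merge(sap_target: Table, customer: Table, customer_modified: Set[Key]) -> Table:
    """Step 2B: take over new entries and SAP's changed values, but keep every
    indicator the customer set deliberately."""
    merged = dict(customer)
    for k, v in sap_target.items():
        if k not in customer_modified:
            merged[k] = v
    return merged


def step2c_affected_roles(role_menus: Dict[str, List[str]],
                          changed_keys: Set[Key]) -> Dict[str, List[str]]:
    """Step 2C: roles whose menus contain a transaction with new or changed checks."""
    tcodes = {t for t, _ in changed_keys}
    return {role: sorted(set(menu) & tcodes)
            for role, menu in role_menus.items() if set(menu) & tcodes}


if __name__ == "__main__":
    new, cust, sap = step2a_compare(USOBX_TARGET, USOBX_SOURCE, USOBX_C)
    merged = step2b_merge(USOBX_TARGET, USOBX_C, cust)
    print("step 1 would reset PA30/Z_DEMO to", step1_initial_fill(USOBX_TARGET)[("PA30", "Z_DEMO")])
    print("merged keeps PA30/Z_DEMO =", merged[("PA30", "Z_DEMO")])
    print("roles to post-process:", step2c_affected_roles(ROLE_MENUS, set(new) | sap))
```

In the real transaction the administrator decides interactively in step 2B which of SAP's values to take over; the model keeps every customer-modified indicator automatically, which is the conservative choice.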

n If you are upgrading from SAP R/3 Release 4.0B to SAP R/3 Release 4.6B, and have used responsibilities in Release 4.0B, these are automatically converted to derived roles, which replace responsibilities from Release 4.5A (see SAP Note 156250).

n If you are upgrading to SAP R/3 Release 4.6B from an SAP R/3 Release lower than 4.5A, the existing roles are automatically renamed. The 10 character identifier used in the source release is used in the target release as a prefix for the technical name from the source release. If you do not want these changes to be made, follow the procedure in SAP Note 156196.

Profile Generator: Installation and Upgrade: Unit Summary

You are now able to:

l Perform the Steps Necessary to Install the Profile Generator

l Adjust the Default Values of the Profile Generator if Required

l Differentiate the Check Indicators

l Perform Required Subsequent Processing after an Upgrade

l Migrate Manually Created Profiles to Roles

Exercises

Unit: Profile Generator: Installation and Upgrade

At the conclusion of this exercise, you will be able to:

• Explain the meaning of the authorization check indicators and the differences between them

• Describe how authorization checks and default values for authorization fields are determined

1-1 In Customizing for Basis Components, choose Work on SAP Check Indicators and Field Values and then Change Check Indicators. (Transaction SU24)

Select Maintain check indicators for transaction codes and enter transaction PA30.

1-1-1 Display the check indicators for the authorization objects of this transaction and check the following: Do authorization objects with check indicator U or N exist? ____________________ To which authorization objects is the check indicator CM assigned? __________________________________________________________

1-1-2 Go to the field value display. Which default values are assigned to which authorization fields of the authorization object PLOG? Fill in the following table.

Object Field Value (Interval)

1-2 Create the role GR##_HR_PA30.

Enter a short description, and save your role.

1-2-1 Go to the Menu tab and select the following activities: - PA30 - Maintain HR Master Data Save the activities of your role.

1-2-2 Go to the Authorizations tab. Select the normal mode (Change authorization data). Define the organizational levels: - Plan version: 01 Why do you have to enter an authorization value for the plan version? __________________________________________________________ For which authorization objects did the system automatically generate authorizations? __________________________________________________________ Why is the status of the authorization objects PLOG and P_PCLX set to Standard and why is the traffic light symbol status set to green? __________________________________________________________

1-2-3 Assign full authorization for all open authorization values, and generate the profile. Use the default profile name.

Solutions

Unit: Profile Generator: Installation and Upgrade

1-1 Menu: Tools → AcceleratedSAP → Customizing → Edit Project (SPRO) Choose SAP Reference IMG. IMG path: Basis Components → System Administration → Users and Authorizations → Maintain Authorizations and Profiles Using Profile Generator → Work on SAP Check Indicators and Field Values. Choose Change Check Indicators.

1-1-1 Choose Display check ID. Do authorization objects with check indicator U or N exist? There are authorization objects with check indicator N. To which authorization objects is the check indicator CM assigned? PLOG, P_ORGIN, P_PCLX, P_PERNR.

1-1-2 Go to the field value display.

Object   Field     Value (Interval)

PLOG     INFOTYP   1001

PLOG     ISTAT     *

PLOG     OTYPE     C, O, P, Q, S

PLOG     PLVAR     $PLVAR

PLOG     PPFCODE   *

PLOG     SUBTYP    *

1-2 Menu: Tools → Administration → User Maintenance → Roles (PFCG) Choose the Basic Maintenance view, create a short description and save your role.

1-2-1 Select transaction PA30 in the Menu tab by choosing the Transaction pushbutton or the From the SAP menu pushbutton.

1-2-2 Why do you have to enter an authorization value for the plan version? Because the plan version is defined as an organizational level in the default values of the Profile Generator (indicated by the dollar ($) sign). For which authorization objects did the system automatically generate authorizations? S_TCODE, PLOG, P_ORGIN, P_PCLX, P_PERNR. Why is the status of the authorization objects PLOG and P_PCLX set to Standard and why is the traffic light symbol status set to green? Because all fields of these authorization objects could be filled with default values.

1-2-3 Click the traffic light on the highest hierarchy level and confirm the assignment of full authorization.

Integration into Organizational Management

Contents:

l Roles in Organizational Management

l Objects and relationships of the organizational plan

l Simple Maintenance of an organizational plan

l Creating an organizational plan (simple maintenance)

l Positions

l Indirect user assignment

l Indirect user assignment reconciliation

l User master record comparison

Integration into Organizational Management: Unit Objectives

At the conclusion of this unit, you will be able to:

l Create organizational units in HR Organizational Management

l Link roles with the organizational plan objects

l Assign roles for a specific period of time

l List the components of an organizational plan

l Create organizational plans in simple maintenance

l Assign organizational units, jobs and positions to roles

l Reconcile indirect user assignments

l Compare user masters

Overview Diagram (7)

Course overview diagram: Introduction; Conception with ASAP Methodology; Elements of the SAP R/3 Authorization Concept; The User Master Record; Access Control and User Administration; Central User Administration; Working with the Profile Generator; Special Authorization Components; Integration into Organizational Management; Profile Generator: Installation/Upgrade; Transporting Authorization Components; Analysis and Monitoring Functions; mySAP.com and the Workplace.

Integration into Organizational Management: Business Scenario

l Authorization management can be greatly simplified by linking it to organizational units of HR Organizational Management.

Authorizations in Organizational Management

l Problem:

n Managing role assignments directly to users can become cumbersome in large implementations.

n As users move or change jobs in your organization, their authorizations must be reviewed.

l Solution:

n Create roles based on organizational objects, such as positions in your organization. For example: Sales manager, A/P clerk, secretary, and so on.

n Assign roles to your organizational plan. Users will inherit the authorizations based on their position in your organizational plan.

Advantages:

n Substitution and Transfers

- If roles were assigned directly to specific employees, then each time the user's responsibilities change, the corresponding assignment of roles would have to be changed.

- If, however, the assignments are based on the notion of positions, then no adjustments will have to be made within the agent assignments of roles.

n Time-Dependent Planning in Reorganization Processes

- SAP Organizational Management allows both the validity and the assignment of organizational objects to be planned and activated according to the time available. You must schedule the User Master Record Update program so that profiles can be added or removed based on changes to the organizational plan.

SAP AG 2001

Organizational Plans

[Screenshot: Organization and Staffing Display (legend: Organizational Unit, Position, Job, Person, User, Task) with search area, selection area and overview area; the overview shows the organizational structure Board, Production, Sales (EU Sales, US Sales, AU Sales), Human Resources (Personnel Development, Payroll, Recruitment) and Financial Accounting with their codes.]

n As of SAP R/3 Release 4.5, SAP R/3 comes with a new maintenance interface for editing organizational plans. You can call up this interface by choosing SAP standard menu -> Human Resources -> Organizational Management -> Organizational plan -> Organization and Staffing -> Create (PPOCE), Change (PPOME), or Display (PPOSE).

n You can, however, still use the simple maintenance mode to edit organizational plans (as in previous releases). To go from the new maintenance interface to the simple maintenance mode, choose the following menu path: Settings -> Maintenance Interface.

n The new user interface consists of several screen areas:

- In the search area, you look for one or more objects that you want to display or edit (for example, a complete organizational structure, or all objects of a specific object type, such as all positions).

- The selection area lists the objects found. You can select one of these objects

-- by double-clicking it to display the object and its environment in the overview area and its properties in the detail area

-- by clicking it once to assign it to another object through Drag&Drop, for example, a position to an organizational unit.

n The overview area displays the selected object and its environment.

Organizational Plan User Interface

[Screenshot: Organization and Staffing Display (legend: Organizational unit, Position, Job, Person, User, Task) with search area, selection area and overview area; the overview shows the organizational structure Executive Board (code Board), Production, Sales (Europe Sales = EU Sales, US Sales, Australia Sales = AU Sales), Human Resources (Personnel Development, Payroll, Recruitment) and Financial Accounting.]

n As of Release 4.5, R/3 comes with a new maintenance interface for editing organizational plans. You can call up this interface by choosing SAP standard menu -> Human Resources -> Organizational Management -> Organizational plan -> Organization and Staffing -> Create (PPOCE), Change (PPOME) or Display (PPOSE).

n You can, however, still use simple maintenance to edit organizational plans (as in previous releases). To go from the new maintenance interface to simple maintenance, choose Settings -> Maintenance interface, or enter transaction code PPOC_OLD.

n The new user interface consists of several screen areas:

- In the search area, you look for one or more objects that you want to display or edit (for example, a complete organizational structure, or all objects of a specific object type such as all positions).

- The selection area lists the objects found. You can select one of these objects

-- by double-clicking it to display the object and its environment in the overview area and its properties in the detail area

-- by clicking it once to assign it to another object through Drag & Drop, for example, a position to an organizational unit.

n The overview area displays the selected object and its environment.

Simple Maintenance of an Organizational Plan

[Slide diagram: a tree structure with three main windows (Organizational structure, Staff assignments, Task profiles) and two views: the Overall view for SAP dialog users and SAP Business Workflow, and the HR view for human resource users. The sample tree shows Executive Board, Production, Sales and Distribution (Europe Sales, US Sales, Australia Sales), HR (Pers. Development, Payroll, Recruitment) and Finance.]

n In the simple maintenance mode, you can edit organizational plans either in the Overall view or in the Human resources view. The Overall view provides specific functions for users of the authorization system and SAP Business Workflow. In this view you can, for example, work with roles. The Human resources view provides specific functions for HR users.

n This method uses a tree structure which allows you to rapidly put together a basic framework for organizational plans, using streamlined procedures.

n You work in three main windows. Each window covers specific maintenance activities:

- The Organizational Structure window allows you to build up and maintain the organizational structure for your organizational plan.

- The Staff Assignments window allows you to identify the fundamental staffing details required for an organizational plan.

- The Task Profile window allows you to assign roles to jobs, positions, organizational units, and holders of positions (users). Workflow tasks are also assigned at this level; however, these are not related to authorizations.

Creating an Organizational Plan in Simple Maintenance

[Slide diagram: Step 1: Create root organizational unit (Executive Board); Step 2: Create other organizational units (Production, Sales and Distribution, US Sales); Step 3: Create jobs (Sales Manager); Step 4: Create positions (Sales Manager USA); Step 5: Assign tasks (Role: top-down sales planning, new product decisions, market segment success contribution analysis, etc.); Step 6: Assign occupant (Thor Nielsen).]

n The above diagram illustrates that the first step in Simple Maintenance is to create a root organizational unit. All other organizational units are then defined in the organizational structure.

n You can define organizational units and jobs in any order you like. However, they should be defined before you define the relevant positions.

n Positions are created after the appropriate job(s) are created in the job index.

n Holders are assigned to positions, not to jobs.

n Having set up the organizational plan, you can assign roles to organizational units, jobs, positions, and holders of positions (users).

Step 1: Create Root Organizational Unit

[Screenshot: Create organizational unit dialog. Abbr.: Board; Description: Executive Board; Validity period: 01.02.2000 to 31.12.9999.]

n When you want to build a new organizational plan, you must first create a root organizational unit. The root organizational unit is the top-level unit of an organizational structure. An example would be the executive board. The root organizational unit is also your starting-point for enhancing the organizational structure by adding lower-level units.

n The date specified on the initial screen is used as the default for the validity periods of all objects and relationships to be defined.

Step 2: Create Additional Organizational Units

[Screenshot: Create organizational units dialog below the Executive Board (Board = Executive Board): Production = Production, Sales = Sales, HR = Human Resources, Accounting = Financial Accounting. Validity period of the organizational unit: 01.02.2000 - 31.12.9999; validity period of the relationship: 01.02.2000 - 31.12.9999; pushbuttons Further entries and Period...]

n Using the root organizational unit as your starting-point, you create additional lower-level organizational units. In the above example, the Executive Board constitutes the higher-level object, while the organizational units Production, Sales, HR and Accounting are lower-level objects.

n To create organizational units in simple maintenance, you select the organizational unit below which you want to add new organizational units. The relevant relationship records (A/B 002) between the lower-level and the higher-level organizational unit are automatically created by the system.

Step 2: Edit Organizational Structure

[Slide diagram: Executive Board with the lower-level units Production, Sales (EU Sales, US Sales, AU Sales), HR (Pers. Develop., Payroll, Recruitment) and Accounting.]

n To change the hierarchical position of an organizational unit in the organizational structure, you can reassign the relevant unit. If you reassign a unit, the relationships between the organizational units are changed. This means that the current relationship records are automatically delimited and new relationship records are created based on the reassignment process.

n To change the short or long text, you use the Rename function.

n Other functions include:

- Delete objects and relationships

- Delimit objects and relationships

- Determine the order of the organizational units

n If required, you can show or hide other information, for example, the abbreviation, the object period, and the object key.

Step 3: Create Jobs

[Screenshot: Organizational Structure / Change, Staff assignments: create job with Abbr. Sales Mgr, Description Sales Manager, Validity period 01.02.2000 - 31.12.9999.]

n To create jobs, go to the Staff assignments screen and choose Edit -> Create -> Jobs from that screen.

Step 4: Create Positions

[Screenshot: Create Positions dialog for the organizational unit Europe Sales. Describing job: Abbr. Sales Mgr, Description Sales Manager. Position: Abbr. SalesMgr_EU, Name Sales Manager Europe, Number of requested positions 1, Validity of positions 01.02.2000 - 31.12.9999. The job Sales Manager describes the positions Sales Manager Europe, Sales Manager US and Sales Manager Australia.]

n To create a position in simple maintenance, you select the organizational unit in the staff assignments below which you want to add the new position. The relevant relationship record (A/B 003) between the position and the higher-level organizational unit is automatically created by the system.

n As part of the basic concept, you should link each position with a job. As a result, the position automatically inherits the tasks and properties assigned to the describing job, considerably reducing the maintenance effort.

n When you create a position in simple maintenance, you can choose a describing job from the job index or directly create a new one. The relevant relationship record (A/B 007) between the describing job and the position is automatically created by the system. By default, the job description is used as the description of the position.

n You can create several positions simultaneously.

Step 5: Assign Tasks

[Slide diagram: the position Sales Manager Europe (Role: SALESMANAGER_EUROPE) is described by the job Sales Manager (Role: SALESMANAGER) and belongs to the organizational unit Europe Sales (Role: SALES_EUROPE).]

n A position (such as Sales Manager Europe) can be assigned directly to a role. You can also assign roles using the job (for example, sales manager) and/or the organizational unit (for example, Europe Sales). The user assigned to this position then inherits all authorization profiles of these roles.

n The user assigned inherits the authorization profiles related to the following:

- Role: SALESMANAGER_EUROPE, through the relationship Position -> Holder of position

- Role: SALESMANAGER, through the relationship Job -> Position -> Holder of position

- Role: SALES_EUROPE, through the relationship Organizational unit -> Position -> Holder of position

n You can also assign roles directly to a user. However, this is not recommended, since you lose the benefits of an assignment using an organizational plan.

n NOTE: Roles cannot be inherited across organizational units. Positions belonging to an organizational unit cannot inherit the roles assigned to a higher-level organizational unit.

Step 6: Assign Holder

[Screenshot: position Sales Manager Europe. Holder: type US, name LOPEZ (Elena LOPEZ), User. Assignment: staffing percentage 100,00 %, time period 01.02.2000 - 31.12.9999. Assignment types: Person (P), User (US).]

n Positions can be occupied either by persons or by users.

- Information on the Person object type is maintained in the HR master data. Persons are employees of the company.

- R/3 users, however, are not necessarily employees. Users have authorizations to access the SAP R/3 System. They can occupy positions without being registered as an employee. This assignment is of importance in the workflow context.

User Assignment View (Role)

[Screenshot: Role Maintenance (PFCG) with the view selection Simple Maintenance (Menu Maintenance for the Workplace), Basic Maintenance (Menus, Profiles, Other Objects) and Overview (Organizational Management and Workflow); tabs Description, Menu, Workflow, Authorizations, User; on the User tab the pushbuttons Selection, Organizational Mgmt and User compare. The agent assignment tree shows the role (AG) SAP_CO_SALESMANAGER_AG Controlling: Sales Manager, the job (C) 50000039 Sales Manager, the positions (S) 50000040 Sales Manager Europe, 50000042 Sales Manager US and 50000043 Sales Manager Australia, the organizational unit (O) 50000029 Sales department and the users (US) LOPEZ Elena LOPEZ, NIELSEN Thor NIELSEN and NAKE Christoph NAKE; status: Indirect user assignment reconciliation necessary; pushbutton Create assignment.]

n In order to assign roles to users, you can also use the role maintenance transaction. You can call this transaction by choosing SAP standard menu -> Tools -> Administration -> User Maintenance -> Roles or by entering transaction code PFCG.

n To be able to assign components of your organizational plan, you must select Overview when entering the role maintenance transaction (PFCG).

n By choosing Organizational Mgmt you go to the maintenance screen Role: Maintain Agent Assignment. The 'indirect user assignments' that have already been maintained are displayed here.

n You can also assign users to a role (SALESMANAGER, for example) based on positions.

n By choosing Create assignment, you can define the following relationships:

- Role / organizational unit

- Role / position

- Role / user

Indirect User Assignment Reconciliation

[Screenshot: agent assignment tree for the role (AG) SAP_CO_SALESMANAGER_AG Controlling: Sales Manager: job (C) 50000039 Sales Manager; positions (S) 50000040 Sales Manager Europe, 50000043 Sales Manager Australia (holders US BENZ Berta BENZ, MEIER Michael MEIER, NAKE Christoph NAKE) and 50000042 Sales Manager US; organizational unit (O) 50000029 Sales department. Status after choosing Indirect user assignment reconciliation: Indirect user assignments ok.]

n If you choose Indirect user assignment reconciliation, the system reconciles the positions and the users assigned. Newly added users are entered, and user assignments that are no longer current are deleted.

n During the reconciliation process, the users assigned on the basis of positions are entered as 'indirect user assignments' for the role.

n Since assignments in Organizational Management are time-dependent, you must take this restricted validity into account when you assign users. During the reconciliation process, the relationship period from Organizational Management is copied for the indirect user assignments.

n If a user master compare is performed (see next slide), the indirect user assignment is automatically reconciled. The same applies if report PFCG_TIME_DEPENDENCY is run.
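The inheritance rules of Step 5 (a position carries the roles assigned to it, to its describing job and to its own organizational unit, but not to higher-level units) and the reconciliation described here, worked through as an added Python example that is not part of the course material. The object names and dates are constructed, and the rule that an indirect assignment's period is the overlap of the holder relationship and the role assignment is an assumption made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Added example (not SAP code): a minimal model of the organizational plan
# relationships discussed in this unit, used to resolve which roles a user
# inherits and to reconcile the indirect user assignments of a role.

FOREVER = date(9999, 12, 31)  # SAP's open-ended validity, 31.12.9999


@dataclass(frozen=True)
class Period:
    """Inclusive validity period of an object or relationship."""
    start: date
    end: date = FOREVER

    def overlap(self, other):
        s, e = max(self.start, other.start), min(self.end, other.end)
        return Period(s, e) if s <= e else None


@dataclass
class OrgPlan:
    """Object types as on the slides: O (org unit), C (job), S (position), US (user)."""
    unit_parent: dict = field(default_factory=dict)       # child O -> parent O (A/B 002)
    position_unit: dict = field(default_factory=dict)     # S -> O it belongs to (A/B 003)
    position_job: dict = field(default_factory=dict)      # S -> describing C (A/B 007)
    holders: dict = field(default_factory=dict)           # (US, S) -> Period of the holder relationship
    role_assignments: dict = field(default_factory=dict)  # (role, O | C | S) -> Period

    def roles_of_position(self, pos):
        """Roles a position carries: assigned directly, via its describing job
        or via the org unit it belongs to. Roles on higher-level org units are
        not inherited, so unit_parent is deliberately not walked."""
        sources = {pos, self.position_job.get(pos), self.position_unit.get(pos)}
        return [(role, per) for (role, obj), per in self.role_assignments.items()
                if obj in sources]

    def effective_roles(self, user, on):
        """Role names the user inherits through held positions on day `on`."""
        roles = set()
        for (holder, pos), hold in self.holders.items():
            if holder != user:
                continue
            for role, per in self.roles_of_position(pos):
                ov = hold.overlap(per)
                if ov and ov.start <= on <= ov.end:
                    roles.add(role)
        return roles

    def indirect_assignments(self, role):
        """(user, Period) pairs reconciliation would store for `role`. Assumption:
        the stored period is the overlap of the holder relationship and the
        role assignment, both copied from Organizational Management."""
        result = set()
        for (user, pos), hold in self.holders.items():
            for r, per in self.roles_of_position(pos):
                ov = hold.overlap(per) if r == role else None
                if ov:
                    result.add((user, ov))
        return result


def reconcile(plan, role, stored):
    """Indirect user assignment reconciliation: returns (to_add, to_delete),
    i.e. newly assigned users and assignments that are no longer current."""
    wanted = plan.indirect_assignments(role)
    return wanted - stored, stored - wanted


def sample_plan():
    """Constructed plan mirroring the Step 5 slide (names and dates are made up)."""
    p = OrgPlan()
    p.unit_parent["EU Sales"] = "Sales"
    p.position_unit["Sales Manager Europe"] = "EU Sales"
    p.position_job["Sales Manager Europe"] = "Sales Manager"
    p.holders[("LOPEZ", "Sales Manager Europe")] = Period(date(2000, 2, 1))
    p.holders[("NIELSEN", "Sales Manager Europe")] = Period(date(1999, 1, 1), date(2000, 1, 31))
    p.role_assignments[("SALESMANAGER_EUROPE", "Sales Manager Europe")] = Period(date(2000, 2, 1))
    p.role_assignments[("SALESMANAGER", "Sales Manager")] = Period(date(2000, 2, 1))
    p.role_assignments[("SALES_EUROPE", "EU Sales")] = Period(date(2000, 2, 1))
    p.role_assignments[("SALES_ALL", "Sales")] = Period(date(2000, 2, 1))  # higher-level unit, not inherited
    return p


if __name__ == "__main__":
    plan = sample_plan()
    print(sorted(plan.effective_roles("LOPEZ", date(2001, 3, 1))))
    # NIELSEN's stored assignment predates the role assignment, so it is stale.
    stored = {("NIELSEN", Period(date(1999, 1, 1), date(2000, 1, 31)))}
    print(reconcile(plan, "SALESMANAGER_EUROPE", stored))
```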


Compare User Master

[Screenshot: Role Maintenance, role description "Controlling : Vertriebsleiter" (Sales Manager), tabs Description, Menu, Workflow, Authorizations, User; on the User tab the pushbuttons Selection, Organizational Mgmt and User compare (Compare user master).]

n If you change the users assigned to the role or generate an authorization profile, you must compare the user masters (User compare button). The system compares the authorization profiles with the user master records. This means that profiles that are no longer current are removed from the user master records, and the current profiles are entered in the user master records.


Integration into Organizational Management: Unit Summary

You are now able to:

l Create organizational units in HR Organizational Management

l Link roles with the organizational plan objects

l Assign roles for a specific period of time

l List the components of an organizational plan

l Create organizational plans in simple maintenance

l Assign organizational units, jobs and positions to roles

l Reconcile indirect user assignments

l Compare user masters

Exercises

Unit: Integration into Organizational Management

At the conclusion of these exercises you will be able to

• Display organizational units in HR Organizational Management

• Link roles and users with HR organizational units

• Compare the relationships

1-1 Assign a composite role and a user to the existing organizational structure CA940. Then display and compare the indirect relationships, so that the user receives the corresponding authorizations.

1-1-1 Navigate to organizational management in the SAP menu, and there to Expert Mode and then Simple Maintenance. Display the organizational structure CA940.

Menu path: Human Resources → Organizational Management → Expert Mode → Simple Maintenance → Change (PPOM_OLD)

1-1-2 Go to the staff assignments window.

Select the root node and display the Structural Graphics by clicking the appropriate pushbutton.

1-1-3 Expand everything under the Materials Management node. Place your cursor on the position Group ## (under the Store node) and assign the holder GR##-MM2, of type US, to the position (choose the Assign Holder pushbutton).

1-1-4 Select the position Group## and choose the Task Profile pushbutton. Link the position with the composite role GR##_MM_WHOUSE (that you created in the exercise of the unit Working with the Profile Generator Part 2).

1-2 Change your composite role GR##_MM_WHOUSE.

Caution: Choose Overview on the initial screen that appears.

1-2-1 Go to the User tab. Is the user from exercise 1-1-3 assigned to your role? ________________________________________________________

1-2-2 Go to Organizational Management by choosing Goto → Organizational Management (or clicking the appropriate pushbutton). Compare the indirect user assignments of the role.

1-2-3 Go back. Is the user from exercise 1-1-3 assigned to your role? ________________________________________________________ What is the traffic light symbol status of the Organizational Management area?

____________________ Display the user master for the user GR##_MM2. Go to the Roles tab. How many roles are there? _________ How many profiles are entered? _________________________________________________

1-2-4 Change your composite role GR##_MM_WHOUSE again. Perform a complete user compare. Display the user master again. How many roles are there now? __________ How many profiles are entered now? _________________________________________________

Solutions

Unit: Integration into Organizational Management

1-1 Assign a composite role and a user to the existing organizational structure CA940. Then display and compare the indirect relationships so that the user receives the corresponding authorizations.

1-1-1 Navigate to organizational management in the SAP menu, and there to Expert Mode and then Simple Maintenance. Display the organizational structure CA940.

Menu path: Human Resources → Organizational Management → Expert Mode → Simple Maintenance → Change (PPOM_OLD)

1-1-2 Go to the staff assignments by choosing the appropriate pushbutton.

Select the root node and display the Structural Graphics by clicking the appropriate pushbutton.

1-1-3 Expand everything under the Materials Management node. Place your cursor on the position Group ## (under the Store node) and assign the holder GR##-MM2, of type US, to the position (choose the Assign Holder pushbutton).

1-1-4 Select the position Group## and choose the Task Profile pushbutton. Link the position with the composite role GR##_MM_WHOUSE (that you created in the exercise of the unit Working with the Profile Generator Part 2) by placing the cursor on the position Group## and choosing the Role pushbutton.

1-2 Change your composite role GR##_MM_WHOUSE. Menu: Tools → Administration → User Maintenance → Roles (PFCG)

Caution: Choose Overview on the initial screen that appears.

1-2-1 Go to the User tab. Is the user from exercise 1-1-3 assigned to your role? No.

1-2-2 Go to Organizational Management by choosing Goto → Organizational Management (or clicking the appropriate pushbutton). Compare the indirect user assignments of the role by choosing the Indirect user assignment reconciliation icon.

1-2-3 Go back. Is the user from exercise 1-1-3 assigned to your role? Yes. What is the traffic light symbol status of the Organizational Management area? Green. Display the user master record. Menu: Tools → Administration → User Maintenance → Users (SU01). Go to the Roles tab. How many roles are there? 1 (3) Roles (*)

How many profiles are there? 0 (2) Profiles (*)

1-2-4 Change your composite role GR##_MM_WHOUSE again. Menu: Tools → Administration → User maintenance → Activity groups (PFCG). Perform a complete user compare. Display the user master record again. Menu: Tools → Administration → User Maintenance → SU01 - Users. How many roles are there? 3 (5) Roles (*) How many profiles are entered? 2 (4) Profiles (*)

(*) Number in brackets: Roles GR##_BC_WORKPLACE and CA940_PLUS were assigned in the optional exercises.


Access Control and User Administration

Contents:

l Access Control by Password Check

l Password Rules

l Password Control with System Profile Parameters

l Special Users

l Administration Tasks in User and Authorization Administration

l SAP Authorization Objects for Protection from Access to Administration Functions

l Scenarios for Distributing Administration Tasks in the System Infrastructure

Access Control and User Administration: Unit Objectives

At the conclusion of this unit, you will be able to:

l Define rules for passwords.

l Protect special users in SAP R/3.

l Describe tasks in user and authorization administration.

l List options for separating functions of user and authorization administration.

l Describe options for decentralization of user administration.

l Create user and authorization administrators with limited rights.

Overview Diagram (10): course units (Special Authorization Components, Conception with ASAP Methodology, Elements of the SAP R/3 Authorization Concept, The User Master Record, Introduction, Central User Administration, Working with the Profile Generator, Integration into Organizational Management, Profile Generator: Installation/Upgrade, Transporting Authorization Components, Access Control and User Administration, mySAP.com and the Workplace, Analysis and Monitoring Functions); this unit is Access Control and User Administration.

Access Control and User Administration: Business Scenario

l In order to protect your SAP R/3 System against unauthorized access, you must define password rules, set the relevant profile parameters and protect special users.

l You must also define areas of responsibility for user and authorization administration.

l The organizational areas of responsibility must be clearly defined technically using authorizations.

Password Rules

Defined by the customer:

l Minimum length: 3 characters

l Validity

l Password may not be set to a value contained in a "lock list" (table USR40)

Pre-defined in SAP systems:

l The first character cannot be ! or ?.

l The first three characters of the password may not be identical to the first three characters of the user ID.

l The first three characters may not be identical.

l The first three characters may not be spaces.

l The password cannot be PASS or SAP*.

l All characters that can be entered from the keyboard may be used in the password.

l The password is not case-sensitive.

l Users may not change their passwords more often than once a day. This restriction is not valid for the user administrator.

l The password may not be identical to the user's last five passwords.

n There are two ways in which you can define your choice of user passwords:

- You can use the system profile parameters to assign a minimum length for passwords and define how often the user has to set new passwords.

- Invalid passwords can be entered in the table of reserved passwords USR40. This table is maintained with Transaction SM30. The entries can also be made generically:

-- ? denotes a single character

-- * denotes a character string

n The SAP R/3 System also has pre-defined password rules.
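An added Python example, not SAP code, that checks a candidate password against the rules listed on this slide, including USR40 entries with the ? and * wildcards described in the notes. The function and parameter names are mine, the sample lock list is constructed, and treating the once-a-day rule as a comparison against the date of the last change is an assumption.

```python
import re
from datetime import date

# Added example (not SAP code): a checker for the password rules on this
# slide. Lock-list semantics follow the notes on table USR40: ? stands for a
# single character and * for any character string.

RESERVED = {"PASS", "SAP*"}  # passwords that are always rejected


def usr40_pattern(entry):
    """Translate one USR40 entry into a case-insensitive regular expression."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in entry]
    return re.compile("".join(parts), re.IGNORECASE)


def check_password(password, user_id, lock_list=(), history=(), min_length=3,
                   last_changed=None, today=None, is_admin=False):
    """Return the list of violated rules; an empty list means the password is
    acceptable. `history` holds earlier passwords, oldest first; `min_length`
    stands in for the customer-defined minimum length (login/min_password_lng)."""
    pw, uid = password.upper(), user_id.upper()  # the rules are case-insensitive
    violations = []
    if len(pw) < min_length:
        violations.append(f"shorter than the minimum length of {min_length}")
    if pw[:1] in ("!", "?"):
        violations.append("first character is ! or ?")
    if len(pw) >= 3 and pw[:3] == uid[:3]:
        violations.append("first three characters equal those of the user ID")
    if len(pw) >= 3 and len(set(pw[:3])) == 1:
        violations.append("first three characters are identical")
    if " " in pw[:3]:
        violations.append("space among the first three characters")
    if pw in RESERVED:
        violations.append("password is PASS or SAP*")
    if pw in {h.upper() for h in history[-5:]}:  # only the last five count
        violations.append("identical to one of the last five passwords")
    for entry in lock_list:
        if usr40_pattern(entry).fullmatch(pw):
            violations.append(f"matches USR40 entry {entry}")
            break
    # Once-a-day rule (assumption: checked against the date of the last change);
    # the user administrator is exempt, as the slide states.
    if not is_admin and last_changed and last_changed == (today or date.today()):
        violations.append("already changed once today")
    return violations


if __name__ == "__main__":
    locked = ["spring*", "?inter", "sap???"]  # constructed USR40 entries
    for candidate in ("Summer01", "!start", "LOPez1", "aaab", "pass", "Winter", "sap123"):
        print(candidate, "->", check_password(candidate, "LOPEZ", lock_list=locked) or "ok")
```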


Password Control with System Profile Parameters

System Profile Parameters (default and allowed values as shown on the slide):

Parameter                         Meaning                                   Default   Allowed
login/min_password_lng            Minimum length of the logon password      3         3-8
login/password_expiration_time    Password validity period                  0         999
login/fails_to_user_lock          Lock user with incorrect logon            12        1-99
login/failed_user_auto_unlock     Automatic unlock at midnight              1         0
login/fails_to_session_end        Allowed number of incorrect logons        3         1-99
login/disable_multi_gui_login     Deactivation of multiple dialog logons    0         1

n login/min_password_lng: The parameter defines the minimum length of the logon password. The password must have at least 3 characters, but the administrator can force a longer length.

n login/fails_to_session_end: Number of incorrect logons allowed with a user master record before the logon is terminated.

n login/fails_to_user_lock: Number of incorrect logons allowed with a user master record before the user master record is locked. An entry is written in the system log at the same time. The lock is removed at midnight.

n login/failed_user_auto_unlock: Controls unlocking of the users locked due to an incorrect logon. If the parameter is set to 1 (default), user locks caused by incorrect logons during the previous days are not taken into consideration. If the value is set to 0, the lock is not removed.

n login/password_expiration_time: Value 0 means that the user is not forced to change the password. Value > 0 specifies the number of days after which the user must change the logon password.

n login/disable_multi_gui_login: If this parameter is set to value 1, the system blocks multiple SAP R/3 dialog logons (in the same client and with the same user name). When a multiple logon is detected, there is a warning permitting the user either to "End the existing sessions" or "End this logon". This parameter is effective in SAPGUI logons.

n login/multi_login_users: A list containing the users who may log onto the system more than once is stored.

Special Users

Initial Logon Procedure in SAP Clients

Client             000         001         066          Client (new)
User               SAP*        DDIC        EarlyWatch   SAP*
Initial password   06071992    19920706    support      pass

Since these users are generally known, they must be protected against unauthorized access.

n To protect SAP* and DDIC against unauthorized access, you have to change the initial passwords for these users in all clients of your SAP R/3 System. SAP recommends that you assign these users to user group SUPER. This user group is only assigned to superusers.

n Superuser SAP* was pre-defined in clients 000 and 001 in the SAP R/3 System. A user master record is created for SAP* during installation, but this user master record is not really necessary since SAP* is programmed in the system code. If you delete user master record SAP* and log on again with initial password PASS, SAP* has the following characteristics:

- The user has all authorizations since no authorization checks are made.

- Standard password PASS cannot be changed.

n Since SAP* is a known superuser, you should deactivate it (system profile parameter login/no_automatic_user_sapstar - Note 68048) and replace it with your own superuser.

n The DDIC user is responsible for maintaining the ABAP Dictionary and the software logistics.

n The EarlyWatch user is used for the monitoring and performance analysis.

User and Authorization Administration: Activities

l Create, maintain, lock and unlock users, and change passwords

l Create and Maintain Roles

l Maintain Transaction Selections and Authorization Data in Roles

l Generate Authorization Profiles

l Assign Roles and Profiles

l Transport Roles

l Monitor Using the Information System

l Archive Change Documents

Authorization Objects: Users

Authorization object S_USER_GRP (object class BC_A Basis: Administration)

Fields: ACTVT Activity; CLASS User Group

Applicable activities: 01 Create, 02 Change, 03 Display, 05 Lock, 06 Delete, 08 Change Documents, 22 Include User in Role, ...

Authorization object S_USER_SYS

Fields: ACTVT Activity; SUBSYSTEM Log. system

Applicable activities: 02 Change, 03 Display, 68 Model, 78 Assign, 90 Copy

n The object User Master Record Maintenance: User Groups (S_USER_GRP) defines the user groups for which an administrator has authorization and the activities that are allowed.

n The object S_USER_GRP can be used to grant administration rights for only a certain user group in decentralized administration.

n The object User Master Record Maintenance: System for central user maintenance (S_USER_SYS) defines which system a user administrator can access from the central user administration and the activities that are allowed.

n The object S_USER_SYS can be used in decentralized administration to grant administration rights for only users in a certain system from the central user administration.

Authorization Objects: Roles

Authorization object S_USER_AGR (object class BC_A Basis: Administration)

Fields: ACT_GROUP Role Name; ACTVT Activity

Applicable activities: 01 Create Roles, 02 Change Roles, 03 Display Roles, 06 Delete Roles, 21 Transport Roles, 22 Compare User Masters of Roles, ...

Authorization object S_USER_VAL

Fields: OBJECT Auth. object; AUTH_FIELD Field name; AUTH_VALUE Auth. value

Authorization object S_USER_TCD

Fields: TCD T-Code

n The object Authorization: Check for roles (S_USER_AGR) defines the role names for which an administrator is authorized and the activities that are allowed.

n The object S_USER_AGR can be used in decentralized administration to grant an administrator authorization to access only certain roles (e.g. for a module or an organizational unit).

n The object Authorization: Transactions in roles (S_USER_TCD) defines the transactions that an administrator may include in a role.

n The object S_USER_TCD can be used to grant an administrator authorization to include only certain transactions in roles and thus prevent critical transactions from being included in roles.

n The object Authorization: Field Values for roles (S_USER_VAL) defines which field values an administrator may enter in roles for which authorization object and which fields.

n The object S_USER_VAL can be used to grant an administrator authorization to assign only certain authorizations in roles and thus prevent critical authorizations from being included in roles.

Authorization Objects: Profiles & Authorizations

Authorization Object

PROFILE Profile NameACTVT Activity

S_USER_PRO

BC_A Basis: Administration BC_A Basis: Administration

Applicable Activities

01 Create02 Change03 Display06 Delete07 Activate

08 Change Documents22 Assign Users24 Archive

OBJECT Authorization Object

AUTH AuthorizationName

ACTVT Activity

S_USER_AUT 01 Create02 Change03 Display06 Delete07 Activate

08 Change Documents22 Assign Profiles24 Archive

n The object User Master Record Maintenance: Authorization Profile (S_USER_PRO) defines the profile names for which an administrator has authorization and the activities that are allowed.

n The object S_USER_PRO can be used to grant an administrator author ization to assign only certain profiles in decentralized administration (e.g. for a module or an organizational unit).

n The object User Master Record Maintenance: Authorizations (S_USER_AUT) specifies the authorization object names and the authorization names for which an administrator is authorized.

n The object S_USER_AUT can be used to grant an administrator authorization to create only certain authorizations in roles and thus prevent critical authorizations from being created in roles.


l An administrator may not

n Administer users and

n Maintain authorizations and

n Generate authorization profiles

l Separation of functions

n Principle of dual control

w User administration

w Authorization maintenance and generation

n Principle of triple control

w User administration

w Authorization maintenance

w Authorization generation

Security Requirements

n The authorization system can be used to flexibly organize maintenance of the user master records, profiles and authorizations.

� If your company is small and is organized centrally, all the tasks connected with maintaining the user master records and the authorization components can be handled by a single user called the superuser.

� If you want to ensure that your system maintains a higher level of security, you can share the responsibility for maintaining the user master records and the authorizations amongst a user administrator and an authorization administrator, each having limited responsibility (principle of dual control).

� For a maximum in system security you can share the responsibility for maintaining the user master records and the authorizations amongst a user administrator, an authorization data administrator and an authorization profile administrator, each having limited responsibility (principle of triple control).

� Since you can assign specific authorizations for the user and administrator maintenance, the administrators need not be privileged users in your IT department. Normal users can be responsible for maintaining the user master records and authorizations.

Separation of Functions

Superuser

User Administrator

l Maintain user master records

l Assign roles to users

l Assign profiles to users (only T...)

l Display authorizations and profiles

l Call "Information System Authorizations"

Authorization Data Administrator

l Maintain roles

n Change transaction selection

n Change authorization data

l Call "Information System Authorizations"

Authorization Profile Administrator

l Maintain roles

n Create authorizations (only T-...)

n Create profiles (only T-...)

l Execute Transaction SUPC

l Call "Information System Authorizations"

n Sharing the administrative tasks amongst three administrators is called the principle of triple control.

n The superuser sets up all the user master records, profiles and authorizations for the administrator.

n The authorization data administrator creates a role, selects transactions and maintains the authorization data. He only saves the data in the profile generator, since he does not have the necessary authorization for creating the profile. He uses the proposed profile name T-... The authorization data administrator may not change users or create profiles.

n The authorization profile administrator starts Transaction SUPC and chooses All roles. He then restricts his selection, for example by entering the ID of the role to be edited. In the next screen, he chooses Display profile to check the data. If all the data is correct, he creates the authorization profile. The authorization profile administrator may not change users, change the data for roles or create profiles containing authorization objects beginning with S_USER.

n The user administrator then assigns this role to a user (from the user maintenance transaction SU01). The profile is entered for the user. The user administrator may not change data for roles or change or create profiles.

n The principle of dual control combines the tasks and authorizations of the authorization data administrator and those of the authorization profile administrator.

Decentral User Administration

(Diagram) User administration split by application area: one user administrator each for PP, MM, SD, CO and FI. User administration split by location: one user administrator each for Location 1, Location 2, Location 3 and Location 4.

n With decentralized user administration, there are several user administrators each responsible for administration of a certain group of users.

n The administration tasks in decentralized user administration can be shared according to different criteria:

� Application area / Module The users are assigned to decentralized user administrators, each of whom is responsible for a business application or an SAP module.

� Location The users are assigned to decentralized user administrators, each of whom is responsible for all the users at that location.

� Department The users are assigned to decentralized user administrators, each of whom is responsible for all the users in the department.

n Technically, decentralization is implemented by grouping users to form user groups. Each decentral user administrator may only administer the users assigned to the user group for which he is responsible. Accordingly, each decentral user administrator may only assign the roles needed for his application module, location or department.


l Central user administration

n One user administrator for all users

n Unlimited authorizations for all user administration tasks of the user administrator

l Central maintenance of roles and profiles

n One administrator takes on both roles

w Authorization data administrator

w Authorization profile administrator

n All authorizations for maintaining the roles and profiles

l Principle of dual control

Scenario 1

Scenario 1: Authorizations

                         DEVELOPMENT                                     PRODUCTION
Object       Field       User admin.   Auth. data and profile admin.    User admin.
S_USER_GRP   ACTVT       *             03, 08                           *
             CLASS       *             *                                *
S_USER_AGR   ACTVT       03            *                                03
             ACT_GROUP   *             *                                *
S_USER_TCD   TCD                       *
S_USER_VAL   OBJECT                    *
             AUTH_FIELD                *
             AUTH_VALUE                *
S_USER_PRO   ACTVT       03, 08, 22    *                                03, 08, 22
             PROFILE     *             *                                *
S_USER_AUT   ACTVT       03, 08        *                                03, 08
             NAME        *             *                                *

n In this scenario there is one central user administrator for the development system and one for the production system.

n The development system also has a central administrator responsible for authorization data administration and authorization profile administration.


l Decentral user administration (production system)

n One user administrator per application area (FI, MM)

w Authorized to maintain a certain user group

w Authorized to assign a certain number of roles and profiles

w No other restrictions in the specific user administration tasks

l Central maintenance of roles and profiles

n Separation of responsibilities

w One authorization data administrator

w One authorization profile administrator

n No other restrictions in the specific roles or profiles for both administrators

l Principle of triple control

Scenario 2

Scenario 2: Authorizations

                         DEVELOPMENT                                                 PRODUCTION
Object       Field       User admin.   Auth. data admin.       Auth. profile admin.  FI user admin.  MM user admin.
S_USER_GRP   ACTVT       *             03, 08                  03, 08                *               *
             CLASS       *             *                       *                     FI_USER         MM_USER
S_USER_AGR   ACTVT       03, 22        01, 02, 03, 06          03, 64                03, 22          03, 22
             ACT_GROUP   *             *                       *                     *               *
S_USER_TCD   TCD                       *
S_USER_VAL   OBJECT                    *
             AUTH_FIELD                *
             AUTH_VALUE                *
S_USER_PRO   ACTVT       03, 08, 22    01, 02, 03, 06, 08      03, 07, 08            03, 08, 22      03, 08, 22
             PROFILE     *             *                       *                     FI*             MM*
S_USER_AUT   ACTVT       03, 08        01, 02, 03, 06, 08, 22  03, 07, 08            03, 08          03, 08
             NAME        *             *                       *                     *               *

n This scenario has two user groups, each of which is administered by its own user administrator in the production system.

� The group of FI users (FI_USER) is administered by the FI user administrator.

� The group of MM users (MM_USER) is administered by the MM user administrator.

n The decentral user administrators must be restricted as follows:

� Administration of the user group for which they are responsible (S_USER_GRP)

� Assignment of the relevant roles and profiles for the user group (S_USER_AGR, S_USER_PRO)

n The users must be assigned to the appropriate groups (FI_USER, MM_USER).

n Caution: Users not belonging to any group can be administered by both user administrators.


l Central creation and deletion for all users (prod.)

l Decentral user administration (production system)

n One user administrator per application area (FI, MM)

w Authorized to maintain a certain user group

w Authorized to assign a certain number of roles and profiles

w Authorized for only certain user administration tasks (change, lock/unlock, reset password)

l Central maintenance of roles and profiles

n Separation of responsibilities

w One authorization data administrator

w One authorization profile administrator

n No other restrictions in the specific roles or profiles for both administrators

l Principle of triple control

Scenario 3

Scenario 3: Authorizations

                         DEVELOPMENT                                                 PRODUCTION
Object       Field       User admin.   Auth. data admin.       Auth. profile admin.  FI user admin.  MM user admin.  Central user admin.
S_USER_GRP   ACTVT       *             03, 08                  03, 08                02, 03, 05, 22  02, 03, 05, 22  01, 03, 06, 08
             CLASS       *             *                       *                     FI_USER         MM_USER         *
S_USER_AGR   ACTVT       03, 22        01, 02, 03, 06          03, 64                03, 22          03, 22          03
             ACT_GROUP   *             *                       *                     *               *               *
S_USER_TCD   TCD                       *
S_USER_VAL   OBJECT                    *
             AUTH_FIELD                *
             AUTH_VALUE                *
S_USER_PRO   ACTVT       03, 08        01, 02, 03, 06, 08      03, 07, 08            03, 08          03, 08          03, 08
             PROFILE     *             *                       *                     FI*             MM*             *
S_USER_AUT   ACTVT       03, 08        01, 02, 03, 06, 08, 22  03, 07, 08            03, 08          03, 08          03, 08
             NAME        *             *                       *                     *               *               *
             OBJECT      *             *                       *                     *               *               *

n This scenario has two user groups, each of which is administered by its own user administrator in the production system.

� The group of FI users (FI_USER) is administered by the FI user administrator.

� The group of MM users (MM_USER) is administered by the MM user administrator.

n In contrast to scenario 2, the user administrators may only perform the following activities for users in their group:

� Lock / unlock users

� Change passwords

� Assign roles and profiles

n A central user administrator creates and deletes the users.

n The decentral user administrators must be restricted as follows:

� Administration of the user group for which they are responsible (S_USER_GRP)

� Activities in user administration (S_USER_GRP)

� Assignment of the relevant roles and profiles for the user group (S_USER_AGR, S_USER_PRO)

n The users must be assigned to the appropriate groups (FI_USER, MM_USER).
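How the scenario 3 matrix plays out for individual checks can be modeled in a few lines. The following Python is an added example, not course material and not SAP code: it copies the production columns of the scenario 3 matrix into a small authorization model, applies the blank-user-group caution from scenario 2, and uses constructed user IDs, role and profile names.

```python
"""Added example (not part of the CA940 course material): a minimal model of
the S_USER_GRP / S_USER_AGR / S_USER_PRO checks that restrict the decentral
user administrators of scenario 3.  The field values are copied from the
production columns of the scenario 3 matrix; the wildcard rule and the
blank-user-group caution of scenario 2 follow the course notes.  The data
layout, function names, sample users and role/profile names are constructed."""
from fnmatch import fnmatchcase

# Constructed authorization data per administrator: {object: {field: [values]}}.
ADMINS = {
    "FI_USER_ADMIN": {
        "S_USER_GRP": {"ACTVT": ["02", "03", "05", "22"], "CLASS": ["FI_USER"]},
        "S_USER_AGR": {"ACTVT": ["03", "22"], "ACT_GROUP": ["*"]},
        "S_USER_PRO": {"ACTVT": ["03", "08"], "PROFILE": ["FI*"]},
    },
    "MM_USER_ADMIN": {
        "S_USER_GRP": {"ACTVT": ["02", "03", "05", "22"], "CLASS": ["MM_USER"]},
        "S_USER_AGR": {"ACTVT": ["03", "22"], "ACT_GROUP": ["*"]},
        "S_USER_PRO": {"ACTVT": ["03", "08"], "PROFILE": ["MM*"]},
    },
    "CENTRAL_USER_ADMIN": {
        "S_USER_GRP": {"ACTVT": ["01", "03", "06", "08"], "CLASS": ["*"]},
        "S_USER_AGR": {"ACTVT": ["03"], "ACT_GROUP": ["*"]},
        "S_USER_PRO": {"ACTVT": ["03", "08"], "PROFILE": ["*"]},
    },
}

# Constructed user master records: user ID -> user group.  An empty string
# means the user was never assigned to a group.
USERS = {"FI-CLERK": "FI_USER", "MM-BUYER": "MM_USER", "NO-GROUP": ""}


def field_allows(allowed, tested):
    """'*' grants every value, a trailing '*' is a prefix pattern (FI*),
    anything else must match exactly."""
    return any(fnmatchcase(tested, pattern) for pattern in allowed)


def authority_check(admin, obj, **fields):
    """Model of AUTHORITY-CHECK: the administrator must hold `obj` with an
    authorization in which every tested field accepts the tested value."""
    auth = ADMINS[admin].get(obj)
    if auth is None:
        return False
    return all(field_allows(auth.get(name, []), value) for name, value in fields.items())


def may_maintain_user(admin, user_id, activity):
    """S_USER_GRP check for one activity (01 create, 02 change, 05 lock/unlock,
    06 delete, 22 assign) on a user.  A user without a group falls under no
    CLASS restriction, so only the activity is checked: this is the scenario 2
    caution that such users can be administered by both user administrators."""
    group = USERS[user_id]
    if group == "":
        return authority_check(admin, "S_USER_GRP", ACTVT=activity)
    return authority_check(admin, "S_USER_GRP", ACTVT=activity, CLASS=group)


def may_assign_role(admin, user_id, role):
    """Assigning a role needs activity 22 on the user's group (S_USER_GRP) and
    activity 22 on the role name (S_USER_AGR)."""
    return may_maintain_user(admin, user_id, "22") and authority_check(
        admin, "S_USER_AGR", ACTVT="22", ACT_GROUP=role)


def may_display_profile(admin, profile):
    """S_USER_PRO activity 03, restricted by the PROFILE name pattern."""
    return authority_check(admin, "S_USER_PRO", ACTVT="03", PROFILE=profile)


def ungrouped_users():
    """Users outside every group restriction; the fix is to assign them a group."""
    return sorted(user for user, group in USERS.items() if group == "")


if __name__ == "__main__":
    for admin in ADMINS:
        for user in USERS:
            print(f"{admin:19} {user:9} lock/unlock={may_maintain_user(admin, user, '05')!s:5} "
                  f"create={may_maintain_user(admin, user, '01')}")
    print("users without a group:", ungrouped_users())
```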

Access Control and User Administration: Unit Summary

You are now able to:

l Change password rules with system profile parameters

l Protect special users in the R/3 System.

l Describe tasks in user and authorization administration

l List options for separating functions of user and authorization administration

l Describe options for decentralization of user administration

l Create user and authorization administrators with limited rights

Exercises

Unit: Access Control and User Administration

At the conclusion of these exercises you will be able to

• Create a role to grant authorizations for user maintenance within your user group

• Test the settings you made.

1-1 Create a role for user administration activities.

1-1-1 Create role GR##_BC_USR_ADM by selectively copying role (without user assignment) CA940_BC_ADMIN

1-1-2 Change the description for your group and save the role.

1-1-3 Change to the Authorizations tab and choose Change authorization data. Limit the authorization values so that a user who is assigned at a later time may only assign roles and profiles beginning with GR## or CA940. Make sure that only user group ZGR## may be assigned and maintained.

1-1-4 Generate the profile. Use the default name.

1-1-5 What is the status of the User tab and why? __________________________________________________________

1-1-6 Exit the transaction and change the user master record of user administrator GR##-ADM. Remove role CA940_BC_ADMIN. Add the newly created role GR##_BC_USR_ADM to the user master record. Save the user master record and go to the maintenance transaction for roles.

1-2 Log onto the system with user GR##-ADM.

1-2-1 Create a test user GR##-TEST and try to assign this user your neighbor's user group. Can you store the user master record? ________________________________ If not, what is the reason why it fails? _______________________________________________________

1-2-2 What can be implemented by assigning user groups? _______________________________________________________

1-2-3 Assign test user GR##-TEST role CA940_PLUS. Can you assign a role delivered by SAP? (For example: SAP_HR_...) ________________________________ If not, what is the reason why it fails? _______________________________________________________

Solutions

Unit: Access Control and User Administration

1-1 Menu: Tools → Administration → User Maintenance → Roles (PFCG)

1-1-1 Copy with the appropriate icon. On the next screen, choose Copy Selectively.

1-1-2 Specify a description of your role.

1-1-3 The field values have to be changed for the following authorization objects (by clicking on the pencil icon):
S_USER_PRO: ACTVT stays the same; PROFILE: change GR* to GR##*
S_USER_GRP: ACTVT stays the same; CLASS: change Z* to ZGR##*
S_USER_AGR: ACTVT * (stays the same); ACT_GROUP: change GR* to GR##*

1-1-4 Choose Generate or the menu path: Authorizations → Generate

1-1-5 What is the status of the User tab and why? The status display is red, because the user assignment is not copied when you choose Copy Selectively.

1-1-6 Menu Path: Tools → Administration → User maintenance → User (SU01) Save the user master record and go to role maintenance. Menu: Tools → Administration → User Maintenance → Roles (PFCG)

1-2 Menu path: Tools → Administration → User Maintenance → User (SU01). Log onto the system with user GR##-ADM.

1-2-1 Create a test user GR##-TEST and try to assign this user your neighbor's user group. Can you store the user master record? No, because the authorization for your own user group was restricted, resulting in an error in the authorization check.

1-2-2 What can be implemented by assigning user groups? A decentral user administration because each administrator may only maintain the users of "his own" user group.

1-2-3 Assign test user GR##-TEST activity group CA940_PLUS. Can you assign a role delivered by SAP? No, because it begins with SAP… and no authorization was assigned for this activity group (authorization object S_USER_AGR).


l Analyze the authorization checks

l Authorization Error Analysis SU53

l Authorization Trace ST01

l Information System

l Audit Information System

Contents:

Analysis and Monitoring Functions

Analysis and Monitoring Functions: Unit Objectives

At the conclusion of this unit, you will be able to:

l Use different analysis and information functions.

l Use Transaction SU53 and analyze the results.

l Apply the features of the information system and use them for different tasks.

l Use the Audit Information System.

Overview Diagram (10)

Conception with ASAP Methodology

Elements of the SAP R/3 Authorization Concept

The User Master Record

Analysis and Monitoring Functions

Introduction

Central User Administration

Access Control and User Administration

mySAP.com and the Workplace

Working with the Profile Generator

Special Authorization Components

Integration into Organizational Management

Profile Generator: Installation/Upgrade

Transporting Authorization Components

Analysis and Monitoring Functions: Business Scenario

l Missing authorizations can be found with the analysis functions.

l An overview of the users and authorizations can be obtained with various analysis functions of the Information System.

Analyze the authorization checks

(Diagram) No authorization? Which authorization is missing? Find the authorization with the Authorization error analysis (SU53) or the Authorization trace (ST01).

n There are two ways to analyze authorization checks.

Authorization Error Analysis SU53

User ID: BLITZ    System: T20    Client: 400

The following authorization object was checked:
Object: Customer: Application authorization (F_KNA1_APP)
Object class: Financial accounting (FI)
  Field                                                        Value
  Activity                                                     02
  Application authorization customer and vendor master data    F

Available authorizations for the object in the master record:
Object: Customer: Application authorization (F_KNA1_APP)
Object class: Financial accounting (FI)
  Field                                                        Value
  Activity                                                     03
  Application authorization customer and vendor master data    F

No authorization? What you should not do! What you should do: analyze which authorizations are missing and pass this information on to the authorization administrator.

n Choose the menu path System -> Utilities -> Display Authorization Check or transaction code SU53. You now can analyze an error in your system that just occurred because of a missing authorization.

n You can call Transaction SU53 in all sessions, not just in the session in which the error occurred. Authorization errors in other users' sessions, however, cannot be analyzed from your own session.

n Example: In the above example, user BLITZ calls Transaction FD02 (change customer). The message "You do not have authorization for Transaction FD02" appears. User BLITZ now chooses transaction code /nSU53 and the system displays the authorization object that was just checked and, for comparison purposes, the values of the object that user BLITZ has in its user master record. In this case the authorization object F_KNA1_APP exists, but instead of the required activity 02 (change), user BLITZ is only authorized for activity 01 (display).

n Transaction SU56 allows the user to see which authorizations are currently in his user buffer.

Authorization Trace ST01

System trace
Trace on | Trace off | Current status | File list
Trace status: Trace switched off (main switch off)

(1) Trace is switched off
(2) Authorization check: switch on the trace component Authorization check
(3) Switch on trace; the trace status changes to "Trace switched on (main switch on)"
(4) Display + analyze file list

Output format: <Authorization object>:<Field>=<Tested value>
Return code 0: Authorization check successful
Return code 1: Missing authorizations

n You can analyze authorizations as follows:

1. Choose Tools -> Administration -> Monitor -> Traces -> SAP System Trace or Transaction ST01.

2. Choose trace component Authorization check and pushbutton Trace on. The trace is automatically written to the hard disk.

3. To limit the trace function to your own sessions, choose Edit -> Filter -> Shared. Enter your user ID in field Trace for user only in the displayed dialog box.

4. Once the analysis is completed, choose Trace off.

5. To display the results of the analysis, choose Goto -> Files/Analysis or the pushbutton File list. Select the required file and choose Analyze.

n The results of the authorization check are displayed in the following format: <Authorization object>:<Field>=<Tested value>.

n The return code shows whether or not the authorization check was successful.
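Once a trace file has been analyzed, its records can also be evaluated offline. The following Python is an added example, not part of the course and not an SAP tool: it parses constructed records in the <Authorization object>:<Field>=<Tested value> format with a return code, and lists the missing authorizations per user, which is the information the SU53 slide asks the end user to pass on to the authorization administrator. The record layout (user, field=value pairs separated by ';', an RC= suffix) and the field name APPL are assumptions.

```python
"""Added example (not part of the CA940 course material): a small analyzer for
authorization-check trace records in the format the course gives for ST01,
<Authorization object>:<Field>=<Tested value>, with return code 0 (check
successful) or 1 (missing authorization).  The record layout used here (user,
object:field=value pairs separated by ';', an RC= suffix) and the sample
records are constructed for this illustration; a real ST01 trace file is laid
out differently, so adapt RECORD before pointing this at one."""
import re
from collections import defaultdict

# Constructed sample trace.  BLITZ is the user from the SU53 example: the
# S_TCODE check for FD02 passes, the F_KNA1_APP check with activity 02 fails
# (the field name APPL for the application indicator is assumed).  ADMIN1 is a
# constructed user administrator who tries to assign an SAP-delivered role.
SAMPLE_TRACE = """\
BLITZ   S_TCODE:TCD=FD02;                          RC=0
BLITZ   F_KNA1_APP:ACTVT=02;APPL=F;                RC=1
BLITZ   F_KNA1_APP:ACTVT=02;APPL=F;                RC=1
ADMIN1  S_TCODE:TCD=SU01;                          RC=0
ADMIN1  S_USER_GRP:ACTVT=02;CLASS=FI_USER;         RC=0
ADMIN1  S_USER_AGR:ACTVT=22;ACT_GROUP=SAP_HR_ROLE; RC=1
"""

RECORD = re.compile(
    r"^(?P<user>\S+)\s+(?P<object>[A-Z0-9_]+):(?P<fields>\S*)\s+RC=(?P<rc>\d+)$")


def parse_record(line):
    """Parse one record into a dict, or return None for lines that are not records."""
    match = RECORD.match(line.strip())
    if not match:
        return None
    pairs = (p.split("=", 1) for p in match["fields"].split(";") if "=" in p)
    return {
        "user": match["user"],
        "object": match["object"],
        "fields": {name: value for name, value in pairs},
        "rc": int(match["rc"]),
    }


def parse_trace(text):
    """All records of a trace text, in order; lines that do not parse are skipped."""
    return [r for r in map(parse_record, text.splitlines()) if r is not None]


def for_user(records, user):
    """Restrict the analysis to one user, like the 'Trace for user only' filter in ST01."""
    return [r for r in records if r["user"] == user]


def missing_authorizations(records):
    """Failed checks (RC != 0) per user: {user: {(object, ((field, value), ...)): count}}.
    Identical failures repeated in the trace are counted, not listed twice."""
    missing = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["rc"] != 0:
            key = (r["object"], tuple(sorted(r["fields"].items())))
            missing[r["user"]][key] += 1
    return {user: dict(checks) for user, checks in missing.items()}


def report(records):
    """One line per missing authorization: what the end user passes on to the
    authorization administrator."""
    lines = []
    for user, checks in sorted(missing_authorizations(records).items()):
        for (obj, fields), count in sorted(checks.items()):
            values = ";".join(f"{name}={value}" for name, value in fields)
            lines.append(f"{user}: {obj}:{values} missing ({count}x)")
    return lines


if __name__ == "__main__":
    for line in report(parse_trace(SAMPLE_TRACE)):
        print(line)
```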

Information System

Tools
  ABAP Workbench
  Administration
    Monitor
    User maintenance
      Users
      Display Users
      User Mass Maintenance
      Maintain User Groups
      Roles
      Information System
        Users
        Profiles
        Authorization Objects
        Authorizations
        Roles
        Transactions
        Comparisons
        Where-used list
        Change documents

Roles
  Roles by Complex Search Criteria
    By Complex Search Criteria
    By Role Name
    By User Assignment
    By Transaction Assignment
    By Profile Assignment
    By Authorization Object
    By Authorization Values
    By Change Data

Users
  Users by Address Data
  Users by Complex Search Criteria
    By Complex Search Criteria
    By User ID
    By Profiles
    By Authorizations
    By Authorization Values
    By Transaction Authorization
    By Roles
    By Critical Combinations of Authorizations for Transaction Start
    With Incorrect Logons
    With Critical Authorizations

n To go to the Information System in the SAP menu, choose Tools -> Administration -> User Maintenance -> Information System

n You can also go to the Information System authorizations in the User Maintenance transaction (SU01) by choosing the menu path Information -> Infosystem.

n You can find elements of the authorization system using different selection criteria.

n The Information System (RSUSR998) and parts of the Information System can be called as executable reports:

� RSUSR002 Users by Complex Search Criteria

� RSUSR005 List of User with Critical Authorizations

� RSUSR020 Profiles By Complex Search Criteria

� RSUSR030 Authorizations by Complex Selection Criteria

� RSUSR040 Authorization Objects by Complex Selection Criteria

� RSUSR070 Roles by Complex Selection Criteria

� RSUSR100 For Users

� RSUSR101 For Profiles

� ............

n More detailed analyses can also be started using reports:

� RSUSR003 Check the passwords of users SAP* and DDIC in all clients

� RSUSR200 List of users By Log on Date and Password Change

� RSUSR405 Reset All User Buffers in All Clients

� .............

Audit Information System

(Diagram) The Audit Information System sits on the SAP R/3 System and its database (SAP - DB) and supports External Auditing, Internal Auditing, System Check and Data Protection.

n The Audit Information System (AIS) is a checking tool for

� External Auditing

� Internal Auditing

� System Check

� Data Protection

n AIS improves the flow and quality of the check. It consists of the Audit area menu and collects and structures SAP standard programs as well as defining initial values for them. You can call AIS with the menu path Information Systems -> Audit Info System or Transaction SECR.

� NOTE: AIS becomes a component of the SAP Basis functions as of Releases 3.1I and 4.6A. For previous maintenance levels from 3.0D, you can import AIS according to the instructions in Note 100609.

n The Audit area menu is structured according to the flow of the check. There are analysis programs with preset control data for each check field.

n AIS is an integrated component of the SAP R/3 System. The internal auditor works at his screen in his production environment. He needs a user master record with full display authorization.

Audit Information System Reporting Tree

Audit Information System (AIS)
- System Audit
  + System Configuration
  + Transport Group
  + Repository / Tables
  + Development / Customizing
  + Background Processing
  + System Logs and Status Displays
  - User Administration
    + Authentication
    + Info System Users & Authorizations
    + Authorizations
    + Profile Generator
    + User Overview
    + Which User May ...
    + Internet Users
    + Central User Administration
  + Check List According to SAP Security Guide
  + Check List According to Data Protection Guide
  + Human Resources Audit / Data Protection Audit
+ Business Audit

n To display a list of reports on any object, expand the node.

n The reporting tree has two components:

� System auditing functions

� Business auditing functions

n Reports that are executed may be saved to the reporting tree for evaluation at a later time, without having to rerun intensive reports. As with any report, the output can be saved locally, sent as an SAP office mail attachment, or saved to a shared or private folder.

n SAP developed AIS by request of and in collaboration with members of the REVISION SAP User Group. Individual themes are worked on by separate user groups. The results have a direct effect on AIS. In this way, the members of the User Groups make their experience available. The collaboration is continuing. You can find information about the Revision User Group at: http://www.sap.com/germany/discsap/revis/index.htm.

Analysis and Monitoring Functions: Unit Summary

You are now able to:

l Analyze the authorization checks

l Use Transaction SU53 to find missing authorizations

l Run the authorization trace (ST01)

l Analyze information using the Information System

l Understand and apply the AIS (Audit Information System) functions

Exercises

Unit: Analysis and Monitoring Functions

At the conclusion of these exercises you will be able to

• Use the Audit Information System (AIS)

• Use reports in the authorization information system

• Analyze the created authorization concept

• Answer practical questions.

1-1 You are the data protection officer and want to check the R/3 System's assignment of authorizations and security.

1-1-1 Display all the users with incorrect logons (AIS). How often did your users (GR##... or CA940-##) log on incorrectly? __________________________________________________

1-1-2 Check the passwords of the special users in AIS. Are there unprotected special users? If yes, name two cases. __________________________________________________

1-1-3 Check the logon rules in AIS. How many places are set for the minimum password length? ____________ After how many incorrect logons is the user locked? ____________ Is the user automatically unlocked? If yes, when? ____________________________________ Exit the Audit Information System (AIS).

1-2 You are authorization administrator and are in the consolidation phase after the start of production.

1-2-1 Compare the settings of the authorizations between your user GR##-ADM and user GR??-ADM of your neighbor. Are there differences? If yes, which? ____________________________________________________________

1-2-2 Find out which users may execute Transaction MB1C. If user GR??-MM1 of your neighbor is displayed, define the date and time when it was created. ____________________________________________________________

1-2-3 Display all the users assigned to role GR##_MM_MAT_DISP. Name three of these users. ____________________________________________________________

1-2-4 Display an overview of all the users you created (GR##…) with their corresponding roles. Which users still do not have module-specific roles? ____________________________________________________________

The following exercise is optional.

1-3 You are still authorization administrator and are in the consolidation phase after the start of production.

1-3-1 The sales manager with user ID GR##-SD1 calls you. He tells you that he cannot execute any SD transaction. His SAP Easy Access Menu only contains general transactions. Look at this problem. Then make a small test and tell the sales manager his new initial password, which you set up after the test.

1-3-2 You get a mail from the production manager immediately thereafter. He has employed a new senior storeperson who should only be able to post in plant 1000. Look at this problem. Then make a small test and tell the new senior storeperson his new initial password, which you set up after the test.

Use existing master data to solve this problem.

Solutions

Unit: Analysis and Monitoring Functions

1-1 You are the data protection officer and want to check the R/3 System's assignment of authorizations and security.

1-1-1 Menu: Information Systems → Audit Info System. Choose Complete audit and Start Audit. Path: System Audit → User Administration → Information System Users and Authorizations → User → with incorrect logons. The number of incorrect logons appears in the last column.

1-1-2 Menu: Information Systems → Audit Info System. Choose Complete audit and Start Audit. Path: System Audit → User Administration → Authentication → Special User → Check Passwords of Special Users. Unprotected special users are marked in red.

1-1-3 Menu: Information Systems → Audit Info System. Choose Complete audit and Start Audit. Path: System Audit → User Administration → Authentication → Logon Rule Parameters
How many places are set for the minimum password length? System parameter login/min_password_lng: 3
After how many incorrect logons is the user locked? System parameter login/fails_to_user_lock: 12
Is the user automatically unlocked? If yes, when? System parameter login/failed_user_auto_unlock (double-click on the system parameter): the user is automatically unlocked at midnight.

1-2 You are authorization administrator and are in the consolidation phase after the start of production.

1-2-1 Menu: Tools → Administration → User Maintenance → Information Systems → Comparisons → Comparisons → From users. Enter GR##-ADM as your user and GR??-ADM as your neighbor's user and choose Execute. Authorization values that are not the same are marked in bright red. Navigate in the detail view by double-clicking and look at the different authorization values.
Are there differences? If yes, which?
S_USER_PRO: ACTVT identical; PROFILE not identical (GR##* <> GR??*)
S_USER_GRP: ACTVT identical; CLASS not identical (ZGR##* <> ZGR??*)
S_USER_AGR: ACTVT identical; ACT_GROUP not identical (GR##* <> GR??*)

1-2-2 Menu: Tools → Administration → User Maintenance → Information Systems → Where-used list → Where-used lists → For authorization values. Enter authorization object S_TCODE and choose Execute. Enter transaction code MB1C (in uppercase) and choose Execute. Choose Use in User masters.
If user GR??-MM1 of your neighbor is displayed, define the date and time when it was created: select user GR??-MM1 and choose Change documents. You can find the date of creation at the top of the right column.

1-2-3 Menu: Tools → Administration → User Maintenance → Information System → User → Users by complex selection criteria → by roles. Enter role GR##_MM_MAT_DISP and choose Execute.

1-2-4 Menu: Tools → Administration → User Maintenance → Information System → User → Users by complex selection criteria → by user name. Enter GR##* and execute the report. Choose the Roles or Activity Groups pushbutton.
Which users still do not have module-specific roles? GR##-FI1, GR##-FI2, GR##-SD1, GR-SD2. The users may differ depending on completion of the optional exercises.

The following exercise is optional.

1-3 You are still authorization administrator and are in the consolidation phase after the start of production. Menu: Tools → Administration → User Maintenance → User (SU01)

1-3-1 Display the user master record of user GR##-SD1 and check the assigned roles. The roles for the menu entries requested by the sales manager are missing. Assign the composite role GR##_SD_SALMGR to user GR##-SD1 (in the Roles tab) and save the user master record. Log on with the user and check whether the user menu has the required functionality. Then set a new initial password, e.g. init, and mail it to the sales manager in the Business Workplace (SBWP).

1-3-2 In the exercise Working with the Profile Generator Part 1 you created the role GR##_MM_GR_POST1000 that exactly satisfies the requirements. Path: Tools → Administration → User maintenance → User (SU01). Assign role GR##_MM_MAT_DISP. Log on and test Transaction MB1C (Goods receipt - Other). To test the transaction, try to make a posting both in plant 1000 and in plant 1200. If everything was set correctly, the system only permits the posting in plant 1000.
Use the following data for testing MB1C:
Transaction type: 561
Plant: 1000 or 1200
Storage location: 0001
Press ENTER
Material: P-100
Amount: 10
Choose Post (Save).
Then set a new initial password, e.g. init, and mail it to the new warehouse supervisor in the Business Workplace (SBWP).


l Table Maintenance Authorization S_TABU_DIS

l Maintaining Cross-Client Tables S_TABU_CLI

l Maintaining the Area Menu

l Checking Transaction Code S_TCODE

l Program Run Checks using S_PROGRAM

Contents:

Special Authorization Components

Special Authorization Components: Unit Objectives

At the conclusion of this unit, you will be able to:

l Protect tables/views with authorization groups

l Create and maintain area menus

l Automatically create or manually assign transaction codes to reports

l Protect SAP R/3 functions with authorization object S_TCODE

l Protect Programs with authorization groups

Overview Diagram (12)

Conception with ASAP Methodology

Elements of the SAP R/3 Authorization Concept

The User Master Record

Analysis and Monitoring Functions

Introduction

Access Control and User Administration

Working with the Profile Generator

Integration into Organizational Management

Profile Generator: Installation/Upgrade

mySAP.com and the Workplace

Central User Administration

Transporting Authorization Components

Special Authorization Components

Special Authorization Components: Business Scenario

- Some authorization objects are of importance for all applications and need to be given special attention.

Table Maintenance Authorization

Authorization object S_TABU_DIS (object class BC_A Basis: Administration)
  Fields: ACTVT (Activity), DICBERCLS (Authorization group)

Authorization 1: Maintenance for sales tables
  Field      Value
  ACTVT      02
  DICBERCLS  V*

Authorization 2: Maintenance for material tables
  Field      Value
  ACTVT      02
  DICBERCLS  M*

Applicable activities (ACTVT):
  02  Add, change or delete table entries
  03  Only display table contents

- Authorization object S_TABU_DIS defines which tables may be maintained by which employees.
- Authorization object S_TABU_DIS only controls accesses that use the standard table maintenance transaction (SM31), the enhanced table maintenance (SM30) or the Data Browser (SE16), including the accesses made in the Customizing system.
- The object has the following fields:
  - DICBERCLS: Authorization group for DD objects (description max. 4 characters)
  - ACTVT: Activity (02, 03)
- Example:
  - Authorization 1: Table entries may be added, changed or deleted (ACTVT=02), but only tables/views assigned to authorization group V* (DICBERCLS=V*) may be maintained.
- SAP standard tables are assigned to authorization groups. These assignments can be changed.
- Important tables:
  - V_TDDAT: Assignment of tables to authorization groups (SM31)
  - V_TBRG: Definition of authorization groups

Table Maintenance Authorization (Cross-Client)

Authorization object S_TABU_CLI (object class BC_A Basis: Administration)
  Field: CLIIDMAINT (Identifier for cross-client maintenance)

Authorization 1: Maintenance for sales tables (cross-client)
  Field       Value
  CLIIDMAINT  X

Authorization 2: Maintenance for material tables (cross-client)
  Field       Value
  CLIIDMAINT  (no value)

Applicable values (CLIIDMAINT):
  X  Authorized to maintain cross-client tables

- Authorization object S_TABU_CLI: Grants authorization to maintain cross-client tables with the standard table maintenance transaction (SM31), enhanced table maintenance transaction (SM30) and the Data Browser, also in the Customizing system. It acts as a further security measure for cross-client tables and enhances the general table maintenance authorization S_TABU_DIS; it does not replace it.
- The object has the following field:
  - CLIIDMAINT: If identifier X is set, cross-client tables can be maintained.
- Normally each client has its own table environment in the Customizing area in which it can edit its Customizing parameters. The table design of the Customizing tables permits two different clients to each have and maintain their own data without disturbing the other clients. However, this is not the case for cross-client tables, since their contents are available to all clients. You therefore should assign these tables a special authorization that is only granted to especially competent maintenance persons to avoid unintentional side-effects in multi-client systems. There are only very few cross-client tables in Customizing. Additional security measures in production systems are nevertheless strongly recommended.
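To make the two checks concrete, here is an added Python model (not SAP code) of how an SM30/SM31/SE16 access is evaluated against S_TABU_DIS and then, for maintenance of a cross-client table, against S_TABU_CLI; it covers the two slide authorizations (V* and M*) and a display-only authorization. The table-to-group assignment, the cross-client flag and the user authorizations are constructed stand-ins; only FCOR and VCOR are group names taken from this unit.

```python
"""Model of the S_TABU_DIS / S_TABU_CLI checks described in this unit.

Added example, not SAP code. TABLE_INFO is a constructed stand-in for the
table -> authorization group assignment (maintained in the real system via
the views named in the unit) plus a constructed cross-client flag; the
authorizations below are constructed user profiles. Matching follows the
AUTHORITY-CHECK rule: access is granted if at least one authorization for the
object matches every checked field, where a value ending in '*' matches any
value with that prefix.
"""
from dataclasses import dataclass

DISPLAY = "03"   # ACTVT 03: only display table contents
CHANGE = "02"    # ACTVT 02: add, change or delete table entries


@dataclass
class Authorization:
    obj: str      # authorization object, e.g. S_TABU_DIS
    fields: dict  # field name -> authorized value (may end in '*')


# Constructed metadata: table/view -> (authorization group, cross-client?).
# FCOR and VCOR are the groups named in the unit's exercise; the rest is made up.
TABLE_INFO = {
    "V_T001": ("FCOR", False),     # company codes (exercise)
    "V_TVKO": ("VCOR", False),     # sales organizations (exercise)
    "ZMAT_DEMO": ("MDEM", False),  # constructed material table, group M*
    "ZV_CROSS": ("VCRS", True),    # constructed cross-client sales table
}


def value_matches(pattern: str, value: str) -> bool:
    """SAP authorization field semantics: exact value, or prefix + '*'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(auths, obj: str, **checked) -> bool:
    """Return True if one authorization for `obj` matches all checked fields."""
    for auth in auths:
        if auth.obj != obj:
            continue
        if all(value_matches(auth.fields.get(name, ""), val)
               for name, val in checked.items()):
            return True
    return False


def table_access_allowed(auths, table: str, activity: str) -> bool:
    """Decide an SM30/SM31/SE16-style access the way the unit describes.

    S_TABU_DIS is always checked against the table's authorization group.
    S_TABU_CLI is checked in addition when a cross-client table is to be
    maintained (ACTVT 02); it never replaces S_TABU_DIS.
    """
    group, cross_client = TABLE_INFO[table]
    if not authority_check(auths, "S_TABU_DIS", DICBERCLS=group, ACTVT=activity):
        return False
    if cross_client and activity == CHANGE:
        return authority_check(auths, "S_TABU_CLI", CLIIDMAINT="X")
    return True


# Constructed users. SALES_ADMIN carries the two authorizations from the slide
# (maintenance for groups V* and M*); FI_DISPLAY corresponds to exercise 1-3-2
# (group FCOR, ACTVT 03); CROSS_ADMIN adds S_TABU_CLI on top of SALES_ADMIN.
SALES_ADMIN = [
    Authorization("S_TABU_DIS", {"ACTVT": CHANGE, "DICBERCLS": "V*"}),
    Authorization("S_TABU_DIS", {"ACTVT": CHANGE, "DICBERCLS": "M*"}),
]
FI_DISPLAY = [
    Authorization("S_TABU_DIS", {"ACTVT": DISPLAY, "DICBERCLS": "FCOR"}),
]
CROSS_ADMIN = SALES_ADMIN + [
    Authorization("S_TABU_CLI", {"CLIIDMAINT": "X"}),
]


def access_matrix(auths):
    """Table -> {activity: allowed} for one set of authorizations."""
    return {t: {a: table_access_allowed(auths, t, a) for a in (DISPLAY, CHANGE)}
            for t in TABLE_INFO}


if __name__ == "__main__":
    for name, auths in (("SALES_ADMIN", SALES_ADMIN), ("FI_DISPLAY", FI_DISPLAY),
                        ("CROSS_ADMIN", CROSS_ADMIN)):
        print(name, access_matrix(auths))
```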

Creating the Area Menu

(Slide: area menu maintenance screen)
  Area menu: ZCA940_DEMO   Area menu for CA940 demo   (name + short text of the area menu)
  Favorites management / My favorites:
    FDMN  Customers
    FIAR  Reports for accounts receivable accounting
  Favorite: include the area menu in the list of favorites

- With Release 4.6A, the previous CUA area menus were converted to tree navigation. The menu contents are automatically copied to a new data structure when you upgrade to Release 4.6A or higher. You can edit the area menus with a new maintenance interface (area menu maintenance transaction: SE43 or menu path: Tools -> Development -> Other tools -> Area menus).
- In the past you could only link transactions into the area menus. With Release 4.6A, you can also insert all types of reports found in the report trees directly into area menus. The system automatically assigns the report a transaction code used to start the report from the menu. If you already integrated a report into another area menu, the previously assigned unique transaction code is used and a new transaction code is not generated.
- You can use migration transaction RTTREE_MIGRATION to create the corresponding area menus from complete report trees. The necessary transaction codes for the reports are generated automatically.
- Report trees can only be displayed. They cannot be maintained any longer. To modify the old contents of the report trees they must first be converted using the migration transaction. The area menu maintenance transaction is then available for modifying the contents.

Maintaining the Area Menu

(Slide: area menu "Area menu for demo for course CA940" with the entries Profile generator; Roles (user roles); Create; Maintain; User administration; Users; Analyses; Users with incorrect logons; Users with critical authorizations; Users currently active in the system; Information System: Roles; Search by user assignment; Search for change data; Search by role name; Roles by complex search criteria. Callouts: insertion of reports; insertion of transactions; automatic creation of transaction codes for the reports; transaction codes in the customer namespace.)

- You want to create a new area menu to be assigned to a user or user group as a new menu or sub-menu.
- Choose the menu path: Tools -> ABAP Workbench -> Development -> Other tools -> Area menus or Transaction SE43 to create an area menu.
- Inserting transactions: If you want to add transactions to the menu, you have to enter the desired transaction code as well as a text that is to appear as the entry in the menu. If you define a transaction code without a text, the name of the transaction is used as text. If the transaction code does not exist in the current system, the transaction code itself is used as text.
- Inserting reports: To insert reports in the area menu, choose Insert report.
- Automatic creation of transaction codes: A transaction code is automatically created for the selected report when you end the dialog. If there is already a transaction code for the selected report, it is used.
- Manual assignment of a transaction code: If you want to define the transaction code for the report yourself, choose Display other options.

Authorization Check for Transaction Start

Authorization object S_TCODE (object class AAAB Cross-application authorization objects)
  Field: TCD (Transaction code)

Authorization 1: Profile generator
  Field  Value
  TCD    PFCG

Authorization 2: Display users with incorrect logons
  Field  Value
  TCD    S_BCE_68001402

- Each time a transaction is started, the transaction code (TCD) is checked as a value against authorization object S_TCODE.
- Example:
  - Authorization 1: The user calls Transaction PFCG (profile generator). He can only call the profile generator if he has authorization for this transaction code.
  - Authorization 2: The user calls report "Display users with incorrect logons" from the area menu. Transaction code S_BCE_68001402 is assigned to this report. He can only execute this report if he has authorization for this transaction code.
- All the objects of an area menu are checked with authorization object S_TCODE since a transaction code is assigned to each executable menu entry (reports, transactions).

ABAP: Program Run Checks

Authorization object S_PROGRAM (object class BC_C Basis - Development Environment)
  Fields: P_GROUP (Authorization group ABAP program), P_ACTION (User action ABAP program)

Authorization 1: Profile Generator
  Field     Value
  P_ACTION  SUBMIT
  P_GROUP   CA940

- As in previous releases, you can check programs using the authorization object S_PROGRAM.
- The programs (reports) are grouped in program authorization groups and, using the groups, can be protected against unauthorized access. The authorization group is stored in the program attributes.
- You can create your own authorization groups (without modification) using SAP programs:
  - Start the program RSCSAUTH.
    - It creates a list of reports (type 1) ("Program" column), the authorization groups delivered by SAP ("SAP" column), and the authorization groups maintained by the customer ("Customer" column). You can enter your authorization groups in the "Customer" column. When you choose Save, the customer authorization groups for all SELECTED reports are copied to table TRDIR. This is equivalent to changing the authorization group in the program attributes, and existing SAP authorization groups are overwritten. The authorization groups are also entered in table SREPOATH by report, so that the customer's authorization groups can be restored after an upgrade by running RSCSAUTH.
  - Now start program RSABAUTH. The new authorization groups are written to the table TPGP.

Special Authorization Components: Unit Summary

You are now able to:

- Protect tables/views with authorization objects
- Create and maintain area menus
- Automatically create or manually assign transaction codes to reports
- Protect SAP R/3 functions with authorization object S_TCODE
- Protect programs with authorization objects

Exercises

Unit: Special Authorization Components

At the conclusion of these exercises you will be able to

• Determine authorization groups for protecting tables,

• Restrict table accesses.

Create authorizations so that a user can view specific tables in Transaction SM30. The user must be able to display two tables: the company code table and the business area table. Those table names are V_T001 (company code) and V_TGSB (business area).

1-1 Find out about authorization object S_TABU_DIS.

1-1-1 Display the documentation for the authorization object S_TABU_DIS. What is the main function of this authorization object? ___________________________________________________

1-1-2 What activities are allowed? ___________________________________________________

1-1-3 What is stored in table V_DDAT? ___________________________________________________

1-1-4 What is stored in table V_BRG? ___________________________________________________

1-2 Find the authorization group assigned to tables V_T001 or V_TGSB.

1-2-1 Authorization Group for Table V_T001 _________________________________

1-2-2 Authorization Group for Table V_TGSB __________________________________

1-3 Create a role for reading tables V_T001 and V_TGSB.

1-3-1 Create role GR##_FI_TAB_DISP and write a short description.

1-3-2 Assign authorizations for Transaction SM30 (Extended Table Maintenance) and permit only read access to the above tables. Generate the profile and use the default name.

1-3-3 Assign the role to your user GR##-FI1.

1-4 Log on as GR##-FI1. Go to SM30 and answer the following questions:

1-4-1 Can you display table V_T001? Why? ___________________________________________________

1-4-2 Can you change table V_T001? Why? ___________________________________________________

1-4-3 Can you display table V_TGSB? Why? ___________________________________________________

1-4-4 Can you display table V_TVKO? Why? ___________________________________________________

Solutions

Unit: Special Authorization Components

1-1 Menu: Tools → Administration → User Maintenance → Roles (PFCG) Environment → Author. Objects → Display

1-1-1 Choose Search and enter the authorization object S_TABU_DIS. The result is the object class BC_A (Basis - Administration). Search for the authorization object S_TABU_DIS in the object class BC_A. To display the documentation, press the I button following the technical name of the authorization object. What is the main function of this authorization object? S_TABU_DIS: Authorizations for displaying or maintaining table contents.

1-1-2 What activities are allowed? S_TABU_DIS: - 02: Add, change or delete table entries - 03: Only display table contents.

1-1-3 Assignment of Tables/Views to Authorization Groups.

1-1-4 Definition of the Authorization Groups.

1-2 Find the authorization group assigned to tables V_T001 or V_TGSB.

Menu:

System → Services → Table Maintenance → Extended Table Maintenance (SM30)

Enter table V_DDAT and choose Display.

1-2-1 Choose table V_T001. Note the authorization group. FCOR

1-3 Menu: Tools → Administration → User Maintenance → Roles (PFCG)

1-3-1 Create the role GR##_FI_TAB_DISP and a short description (Description tab).

1-3-2 Go to the Menu tab and enter the transaction SM30 with Transaction. Go to the Authorizations tab and choose Change authorization data. Enter the value FCOR in the open field for the authorization group in the authorization object S_TABU_DIS and change the field Activity (ACTVT) to 03. Set the authorization object S_TRANSLAT to Inactive. Choose the menu path: Authorizations → Generate or the corresponding pushbutton.

1-3-3 Enter the user GR##-FI1 in the User tab and execute a user comparison (User Comparison pushbutton).

1-4 Log on as GR##-FI1. Go to SM30 and answer the following questions:

1-4-1 Can you display table V_T001? Why? Yes, because when this table is displayed, authorization group FCOR, which is in the user master record, is checked.

1-4-2 Can you change table V_T001? Why? No, because authorization to change (ACTVT = 02) was not granted.

1-4-3 Can you display table V_TGSB? Yes.

1-4-4 Can you display table V_TVKO? Why? No. Authorization for authorization group VCOR is missing.

Transporting Authorization Components

Contents:

- Transporting user master records
- Transporting roles with and without Central User Administration (CUA)
- Transporting the test status

Transporting Authorization Components: Unit Objectives

At the conclusion of this unit, you will be able to:

- Copy user master records to other clients
- Transport roles with user assignments (without CUA)
- Transport roles without user assignments (with CUA)
- Transport the test status using Transaction SU25

Overview Diagram (12): course units (Introduction; Conception with ASAP Methodology; Elements of the SAP R/3 Authorization Concept; The User Master Record; Access Control and User Administration; Working with the Profile Generator; Special Authorization Components; Integration into Organizational Management; Profile Generator: Installation/Upgrade; mySAP.com and the Workplace; Central User Administration; Analysis and Monitoring Functions), with unit 11, Transporting Authorization Components, highlighted.

Transporting Authorization Components: Business Scenario

- Authorization components such as roles should be created and tested in development systems, and not in production systems. At the end of the test phase they are transported from the development systems to the production system.

Which Authorization Components can be Transported?

Transport of
- User Master Records
- Roles
- Authorization Profiles
- Test Status

- User data and authorization data must be exchanged in system landscapes with multiple SAP R/3 Systems. The data is either exchanged between different clients of an SAP R/3 System or between clients of different SAP R/3 Systems.
- In the SAP R/3 authorization concept there is a basic difference between transporting
  - User Master Records
  - Roles
  - Test Status
- Authorization profiles can be transported together with their roles. Working with authorization profiles without an assigned role should remain the exception. The transport connection of Transaction SU02 for maintaining authorization profiles is only mentioned here for completeness and is not further discussed.

Transporting User Master Records

(Diagram: two SAP R/3 Systems, each consisting of the SAP R/3 Repository, Cross-Client Customizing and clients that hold Users, Appl. Data and Customizing. Arrows: Client Transport or Remote Client Copy between the two systems, Local Client Copy between two clients of the same system.)

- User master records can be maintained centrally in one client of a system. If a new client is built, it can initially be filled with the user master records of the maintenance client. The transactions of the client management can be found under the menu path Tools -> Administration -> Administration -> Client management.
- If a new client is filled with data from another client of the same SAP R/3 System, this copy process is called a local client copy. Since the data of both clients is stored in the same database, it is not necessary to transport the data using the network or the operating system. The local client copy is started with Transaction SCCL or in the client management with Client copy -> Local copy.
- If a new client is filled with data from another SAP R/3 System, it can be copied with a client transport or as a remote client copy. The client transport exchanges its data with a data export at operating system level. Transaction SCC8 can be started in the client management with Client transport -> Client export. In a remote client copy, the data is copied over the network and not as a file. Transaction SCC9 can be found in the client management with Client copy -> Remote copy.
- Prior to each client copy, the data areas to be copied are deleted in the target client. Only the complete set of user master records, and not individual users, can be copied. Roles are also copied when you copy Customizing data.

Transporting Roles Without Central User Administration

(Diagram: systems DEV and QAS, each holding Role, User Assignment and Authorization Profile; all three are transported together between DEV and QAS.)

- SAP roles are available in all systems and are not transported. If roles that you developed yourself are to be transported between clients or SAP R/3 Systems, you must decide whether or not to use the Central User Administration.
- If you do not use the Central User Administration, roles can be transported with user assignments. The transport is started with a Customizing request, which you can create in the Profile Generator with Environment -> Mass transport. The transport request is either imported into another SAP R/3 System with the Transport Management System or into another client of the same SAP R/3 System with SCC1. The user master records of the target client must be compared after the import. You can do this manually from the Profile Generator with Environment -> Mass compare or periodically in the background. You can also create the background job there.
- Authorization profiles can be transported together with their roles. If you do not want to do so, you must prevent the data export in the source system with the control entry (PROFILE_TRANSPORT,NO) in table PRGN_CUST. The table entry can be made using maintenance transaction SM30. Before comparing the user master records in the target system, you must create the profiles by mass generation. You can start the mass generation in the Profile Generator with Environment -> Mass generation.
- If you do not want to transport the user assignments to roles, you can protect the target system with an import lock. In this case, control table PRGN_CUST must contain the entry (USER_REL_IMPORT,NO).

Transporting Roles With Central User Administration

(Diagram: systems DEV and QAS, each with Role, User Assignment and Authorization Profile; Role and Authorization Profile are transported between DEV and QAS, while the User Assignment is maintained and distributed by the CUA central system.)

- Roles must also exist in the systems in which they are assigned to users within the Central User Administration. If systems are assigned to a Central User Administration, roles must be transported without user assignment since these assignments are made and distributed in the central system. If user assignments were transported, there would be a temporary inconsistency between the actual state of the central system and its sub-systems. The imported assignments are deleted without being copied to the central system the next time there is a distribution. For security reasons, the import lock for user assignments therefore should be set for systems within the Central User Administration.
- A Customizing request for roles is created analogously to the scenario without Central User Administration. You should make sure that user assignments are not transported. The authorization profiles are also transported analogously.
- Normally it is only possible to exchange data with transport requests between SAP R/3 Systems that use the same release. If, for example, roles have to be exchanged within the Central User Administration across releases, this can be done by downloading and uploading roles. When you download the data, it is all stored in a local file, with the exception of the generated authorization profiles and the user assignments. After an upload, the role might have to be edited. You can choose to upload or download in the Profile Generator with Role -> Upload/Download. From SAP R/3 Release 4.6C, you can save multiple roles in a local file at the same time by choosing Environment -> Mass download.

Transporting the Test Status

(Diagram: customer tables USOBX_C and USOBT_C with their customer values, transported from DEV to QAS.)

- Customer tables USOBX_C and USOBT_C, which control the behavior of the Profile Generator, must be filled in each system in which the Profile Generator is used.
- If these tables are adjusted to the customer's needs, they can then be transported as a whole. This means that you transport all the settings for the authorization checks, test status and the corresponding field values.
- The transport link can be found under step 3 of Transaction SU25, which must be executed when you activate the Profile Generator. A transport request that can be transported to other SAP R/3 Systems in the Transport Management System is created.

Transporting Authorization Components: Unit Summary

You are now able to:

- Copy user master records to other clients
- Transport roles to other systems with or without Central User Administration (CUA)
- Transport the test status and field values

Central User Administration

Contents:

- How the central user administration (CUA) functions
- Setup of the CUA
- User management with the CUA
- Logs
- Error display
- Change documents
- Global User Manager

Central User Administration: Unit Objectives

At the conclusion of this unit, you will be able to:

- Explain how the central user administration functions
- Specify the most important steps for setting up the central user administration
- Create, maintain and distribute users centrally
- Use the Global User Manager

Overview Diagram (8): course units (Introduction; Conception with ASAP Methodology; Elements of the SAP R/3 Authorization Concept; The User Master Record; Access Control and User Administration; Working with the Profile Generator; Integration into Organizational Management; Profile Generator: Installation/Upgrade; mySAP.com and the Workplace; Special Authorization Components; Transporting Authorization Components; Analysis and Monitoring Functions), with unit 12, Central User Administration, highlighted.

Central User Administration: Business Scenario

- In complex system infrastructures, users in multiple systems must be managed locally. These users work in different systems with different authorizations. In the central user administration, the required management functions can be carried out centrally on one system.

Decentral User Administration

(Diagram: SAP R/3 System Infrastructure with Development, Quality Assurance and Production systems; every client carries its own User Maint.)

- In complex system landscapes with multiple systems and clients, the administration cost for keeping the user master records in the systems consistent and up-to-date is very high. Employees join the company, resign, or change jobs within the company. Users must usually access several systems and clients in order to perform their business tasks, and therefore require multiple users.
- Since user master records are client-specific, they must be maintained in each client of each and every system. For example, if you want to create a new user, you must create it manually in all the clients of all of the SAP R/3 Systems in which it should be valid.
- User master records can be maintained centrally in one client of a system. If a new client is built as a copy of a maintenance client, the new client can initially be filled with the user master records of the maintenance client. During this copy, the roles of the maintenance client are copied together with the user master records. However, you cannot select which users should be copied and which should not, and the user master records cannot be automatically synchronized afterwards.

Central User Administration

(Diagram: R/3 System Infrastructure with one central system, where User Maint. takes place, and several sub-systems; information is distributed from the central system to the sub-systems via ALE.)

- The essential feature of the central user administration is the definition of a central maintenance client in a selected system. It can be used to maintain the user master records for all the clients of the system infrastructure. For example, you can define which roles should be assigned to which users in which systems. This greatly reduces the administrative cost for authorization administration.
- You can decide which systems each user should be able to log on to. Central user administration does not mean that each user must exist in each system of the system infrastructure.
- You can individually set the user master record data to be maintained centrally and distributed or to be maintained locally. Local maintenance by the user himself or by an administrator could be recommended for certain data of the user master record.
- The authorization data is exchanged based on the ALE concept. ALE means Application Link Enabling and permits you to build and operate distributed SAP links. It includes a business-controlled message exchange between loosely linked SAP R/3 Systems. The application is integrated with asynchronous communication.
- The central user maintenance client is called the central system. A sub-system is a client of an SAP R/3 System that takes part in the central user maintenance.

What Can be Distributed?

(Diagram: central system -> ALE -> sub-system)

- User master record
- Assignment of
  - Roles
  - Authorization profiles
- Initial password
- Lock status

- The following data can be distributed with the central user administration:
  - Data about the user master record, such as the address, logon data, user fixed values and user parameters.
  - The assignment of the user to roles or profiles per sub-system. The advantage of maintaining assignments globally is that you no longer need to log onto each system in order to make system-specific assignments of roles and profiles; it is all managed at one location in the central system.
  - The initial password: When you create a new user, the initial password is distributed to the sub-systems as a default. The passwords are distributed in coded form.
  - The lock status of a user. In addition to the locks caused by incorrect logon that already existed in previous releases or those set manually by the local administrator, there is now also a new 'global lock'. This is valid in all the sub-systems in which the user is defined and can be canceled in the central system or locally if required.
- Roles and authorization profiles can be transported, but are normally maintained in the sub-systems and not centrally. Different customizing settings and releases in the sub-systems normally make it necessary to adjust the roles individually.

ALE Setup

(Diagram: central system and sub-systems with the logical systems DEVCLNT200, QASCLNT300, PRDCLNT100 and PRDCLNT200. Setup steps, carried out on the central system and on each sub-system: definition of logical systems and assignment to clients; define RFC links; define ALE distribution model.)

- Communications partners are addressed in the ALE scenario with aliases, which are called logical systems. The central system itself and every sub-system is defined by name in the central system in Transaction SALE -> Specify logical system. The sub-system itself and the central system are defined in the sub-systems. The logical system names are assigned to the client definitions in the corresponding systems in Transaction SCC4. Each logical system therefore identifies a certain client of an SAP R/3 System.
- Communications between the central system and the sub-systems use the network with an RFC (Remote Function Call). The technical definition of the link is maintained in Transaction SM59. All the links to the sub-systems must be maintained in the central system, and the link to the central system must be maintained in the sub-systems. The RFC link names must be the same as the names of the logical systems. Communications must be based on users with SAP_ALL authorization in the target system.
- What data is sent from where to where is defined in the ALE distribution model. User and company data is exchanged within the central user administration. The distribution model is maintained, generated and distributed in the central system in Transaction BD64. It only has to be generated in all the sub-systems.
- The central user administration is then activated centrally in Transaction SCUA.
- You can find a detailed description of the central user administration in Units 10 and 11 of Authorizations Made Easy 4.6 in the SAP online documentation for Release 4.6. Course BC305 Advanced R/3 System Administration handles the technical implementation.

Setup of the Central User Administration

(Slide: SCUM field attributes. For each part of the user master record (Address, Logon data, Fixed values, Parameters, Profiles, Roles, Locks) one attribute is chosen: Global, Default, Returned, Local or Everywhere.)

- You can define whether each individual component of a user master record should be maintained in the central system or locally in the sub-systems. This is defined within Transaction SCUM in the central system. A field attribute can be defined for each input field of user maintenance transaction SU01.
- If a field of the user maintenance transaction has field attribute "global", data for this field can only be maintained in the central system. The data is automatically distributed to the sub-systems when it is saved. Such fields are in display mode in the user maintenance transaction of the sub-systems, i.e. you cannot maintain these fields.
- If you use field attribute "default", a default value that is automatically distributed to the sub-systems when it is saved can be maintained when you create a user in the central system. After distribution, the data is only maintained locally in the sub-systems and cannot be returned.
- If you use field attribute "return", the data can be maintained in both the central system and the sub-systems. If a change is made in a sub-system, the data is returned to the central system and passed on to the other existing sub-systems from there.
- Field attribute "local" means that the data for the corresponding field can only be maintained locally in the sub-systems. No data is distributed.
- Field attribute "everywhere" is used if the data should be maintained everywhere, but not returned.
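The following added Python simulation (not SAP code) plays the five SCUM attributes through a constructed landscape with a central system and the sub-systems DEVCLNT200 and PRDCLNT100, and reports which systems' copies of a field have drifted from the central copy; the system and field names used in the walk-through are assumptions.

```python
"""Simulation of the SCUM field attributes described above.

Added example, not SAP code. A landscape is modelled as a central system
plus sub-systems, each holding its own copy of every user master record
field. apply_change() implements the rules for the attributes global,
default, return, local and everywhere and returns the systems that receive
the new value; inconsistent() then shows which sub-systems have drifted
from the central copy. System and field names are constructed.
"""
CENTRAL = "CENTRAL"


class CuaLandscape:
    def __init__(self, sub_systems):
        self.systems = [CENTRAL] + list(sub_systems)
        self.values = {}  # field -> {system: value}

    def apply_change(self, field_name, attribute, origin, value, creating=False):
        """Apply a change made in `origin`; return the sorted list of systems updated.

        Raises PermissionError where the attribute makes the field read-only
        (display mode in SU01) in the system where the change is attempted.
        """
        at_central = origin == CENTRAL
        if attribute == "global":
            # Maintained only centrally, distributed to every sub-system on save.
            if not at_central:
                raise PermissionError(f"{field_name}: global fields are display-only in {origin}")
            targets = self.systems
        elif attribute == "default":
            # Central value only at user creation; afterwards local only, never returned.
            if at_central and not creating:
                raise PermissionError(f"{field_name}: default value is set only at user creation")
            targets = self.systems if at_central else [origin]
        elif attribute == "return":
            # Maintained anywhere; a sub-system change is returned and passed on.
            targets = self.systems
        elif attribute == "local":
            # Maintained only in the sub-systems; nothing is distributed.
            if at_central:
                raise PermissionError(f"{field_name}: local fields are not maintained centrally")
            targets = [origin]
        elif attribute == "everywhere":
            # Maintained anywhere; central changes are distributed, local ones stay local.
            targets = self.systems if at_central else [origin]
        else:
            raise ValueError(f"unknown field attribute {attribute!r}")
        store = self.values.setdefault(field_name, {})
        for system in targets:
            store[system] = value
        return sorted(targets)

    def inconsistent(self, field_name):
        """Sub-systems whose copy of `field_name` differs from the central copy."""
        store = self.values.get(field_name, {})
        central = store.get(CENTRAL)
        return sorted(s for s in store if s != CENTRAL and store[s] != central)


def default_attribute_drift():
    """Walk-through: a 'default' field is set at creation, then changed locally.

    Constructed scenario; returns the sub-systems that no longer match the
    central copy, which is exactly the drift the 'default' attribute permits.
    """
    land = CuaLandscape(["DEVCLNT200", "PRDCLNT100"])
    land.apply_change("printer", "default", CENTRAL, "LP01", creating=True)
    land.apply_change("printer", "default", "PRDCLNT100", "LP02")
    return land.inconsistent("printer")


if __name__ == "__main__":
    print("drifted after local change of a 'default' field:", default_attribute_drift())
```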

Integration of Existing Systems

(Diagram, left, "Creation of a New User Infrastructure": a new central system with User Maint. and new sub-systems. Right, "Integration in a User Infrastructure": a new central system with User Maint. attached to old sub-systems that already have their own User Maint.)

n How existing systems are integrated in the central user administration depends on the starting point: either the system infrastructure is a complete new installation (or the user master records are rebuilt from scratch in all existing systems), or the central user administration is set up at a time when there are already users in the relevant systems that must be migrated to it.

n For a new installation, all users are created in the central system and distributed by the central user administration. Distribution ensures that the user data is consistent in all systems.

n If the central user administration is installed at a later time, the existing users of the system infrastructure must be copied to the central system. This procedure is called migration. The user identifications copied from the sub-systems must be compared and adjusted in the central system.

n Roles that were already developed and assigned to users in the old systems must be identified by name in the central system. Only then can the users be assigned centrally to roles. The old assignment between users and roles can be copied if required.

n The authorization-specific contents of the roles remain in the old systems and are still maintained there.

Copying User Master Records

Slide diagram: Transaction SCUG transfers users from a sub-system to the central system and lists them as New users, Identical users, Different users or Already central users.

n Existing user master records are migrated to the central system with Transaction SCUG in the central system. This procedure can only be performed once for each sub-system. User identification is the SAP R/3 logon name to which a combination of the first and last names is assigned.

n If the user identification to be copied is not yet in the central user administration, it is entered as New user. New users including their user master records can be copied to the central system and then maintained there.

n If the user identification to be copied already exists in the central user administration with identical first and last names, it is listed as Identical user. Identical users can be copied to the central system; the assignment to the old system, including the role and profile assignments valid there, is recorded in the central system.

n If the user identification to be copied is already in the central user administration with a different first or last name, it is entered as Different user. If the name given in the central system is correct, the user can be copied. If the name given in the sub-system is correct, the first or last name must be corrected in the central system using Transaction SU01. If they are two different persons, the user identification must be changed either in the central system or in the sub-system using Transaction SU01.

n Transaction SCUG shows the copied users under Already central users.
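As an added example (not the course's own code), the classification that SCUG performs can be written as a function over the sub-system's user list and the central store, together with the transfer that follows it. The data classes, the dictionary standing in for the central user administration and all user names are constructed. The transfer deliberately skips Different users unless the administrator has confirmed them, because copying a logon name that belongs to another person in the central system would merge two identities and their access under one user.

```python
"""Added example, not part of the course material: the grouping SCUG applies
when user master records of one sub-system are transferred to the central
system, and the transfer itself. The user identification is the logon name;
first and last name decide between Identical and Different. All names are
constructed; the central store is a plain dict standing in for the CUA."""

from dataclasses import dataclass, field


@dataclass
class SubsystemUser:
    logon: str
    first_name: str
    last_name: str
    roles: tuple = ()              # roles assigned to the user in the sub-system


@dataclass
class CentralUser:
    first_name: str
    last_name: str
    systems: dict = field(default_factory=dict)   # logical system -> set of roles


def classify(subsystem, sub_users, central):
    """Return the four SCUG buckets for one sub-system's users."""
    buckets = {"new": [], "identical": [], "different": [], "already_central": []}
    for u in sub_users:
        c = central.get(u.logon)
        if c is None:
            buckets["new"].append(u.logon)
        elif subsystem in c.systems:
            # already transferred from this sub-system; SCUG runs once per system
            buckets["already_central"].append(u.logon)
        elif (c.first_name, c.last_name) == (u.first_name, u.last_name):
            buckets["identical"].append(u.logon)
        else:
            buckets["different"].append(u.logon)
    return buckets


def transfer(subsystem, sub_users, central, accept_central_name=()):
    """Copy New and Identical users into the central store together with the
    system assignment and the roles that were valid in the sub-system.

    A Different user is copied only if listed in accept_central_name, i.e. the
    administrator has confirmed that the central name is right and it is the
    same person. Otherwise it is left for clarification in SU01: copying it
    blindly would merge two persons' access under one logon."""
    buckets = classify(subsystem, sub_users, central)
    for u in sub_users:
        if u.logon in buckets["already_central"]:
            continue
        if u.logon in buckets["different"] and u.logon not in accept_central_name:
            continue
        if u.logon in buckets["new"]:
            central[u.logon] = CentralUser(u.first_name, u.last_name)
        central[u.logon].systems[subsystem] = set(u.roles)
    return buckets


def demo():
    """Constructed central store and DEVCLNT100 user list covering all four cases."""
    central = {
        "ALPHA": CentralUser("Anna", "Alpha"),
        "BRAVO": CentralUser("Bernd", "Bravo"),
        "DELTA": CentralUser("Dora", "Delta", {"DEVCLNT100": {"Z_ADMIN"}}),
    }
    dev_users = [
        SubsystemUser("ALPHA", "Anna", "Alpha", ("Z_BOOKKEEPER",)),
        SubsystemUser("BRAVO", "B.", "Bravo", ("Z_OPERATOR",)),   # name differs
        SubsystemUser("CHARLIE", "Carl", "Charlie", ("Z_DISPLAY",)),
        SubsystemUser("DELTA", "Dora", "Delta", ("Z_ADMIN",)),
    ]
    buckets = transfer("DEVCLNT100", dev_users, central)
    return buckets, central
```

Running `demo()` puts CHARLIE under new, ALPHA under identical, BRAVO under different and DELTA under already central; only CHARLIE and ALPHA receive a DEVCLNT100 system assignment, and a second run of `classify` for the same sub-system lists them as already central, which is why SCUG can be run only once per sub-system.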

Central User Administration

Slide: user maintenance transaction SU01 in the central system, with the additional Systems tab (logical systems such as DEVCLNT100 and PRDCLNT200), a Systems column in the Roles and Profiles tabs (roles such as Superuser, Operator, Administrator), and the Text Comparison pushbutton.

n After activating the central user administration, the appearance of user maintenance transaction SU01 changes.

n In the central system, an additional tab Systems appears, under which the logical systems to which the user is distributed are entered. The user exists only in these sub-systems and in the central system. The Systems column also appears in the Roles and Profiles tabs, so you can define the assignment of users to roles and profiles individually for each sub-system. The data is distributed to the appropriate sub-systems when it is saved.

n Existing roles are still maintained and new roles are still built in the sub-systems. In order to be able to assign users in the central system the roles and profiles defined in the sub-system, there is the Text comparison pushbutton in the Roles and Profiles tabs in the central system. The names of the roles and profiles defined in the sub-systems are stored in the central system together with their short text. The names of the roles and profiles are thus available in the central system in the value help (F4 help). Since the information in the sub-systems might change, you should occasionally repeat the text comparison.

n Only the fields of SU01 for which the field attributes were not defined as global are input fields in the sub-systems. It is not possible to create new users in the sub-systems.

The Magic Triangle

Slide diagram: a triangle whose corners are Systems (grouped into System Types), Users (grouped into Usergroups) and Roles (Single Roles grouped into Composite roles).

n The magic triangle explains how the central user administration works; the central user administration is a tool for managing complex user and system infrastructures.

n A user can be assigned to a system. The user is then created in this system. A role can also be assigned to this system; only then can it be assigned to a user there.

n A role can be assigned to a user. The user then has the authorizations specified in the role in those systems to which both the user and the role are assigned. Keep in mind that roles are assigned by name only and are maintained locally in the systems. A 'Bookkeeper' role can contain full maintenance authorization for all company codes in one system, while the role with the same name has only display authorization for one company code in another system.

n To obtain a complete assignment of users to roles in different systems, all three sides of the magic triangle must be defined!

n Central user administration permits you to group users into user groups. Instead of assigning roles or systems to individual users, you can assign them to complete user groups. A user can belong to more than one user group and takes on the assignments of all of them. Systems can be grouped into system types: if users or roles are assigned to a system type, they are assigned to all systems of this type. Roles can also be grouped to form composite roles.

Preparations for the Global User Manager

1. ALE setup (already done)

2. Copy user master records (already done)

3. System comparison (in Global User Manager)

   3.1 Migration of roles (in Global User Manager)

   3.2 Migration of users (in Global User Manager)

n If the user master records are newly built in the system infrastructure, no further preparations are required for using the optional tool Global User Manager (Transaction SUUM).

n If the central user administration is integrated into an existing user infrastructure, however, the existing relationships between systems, users and roles must be copied to the Global User Manager in the form of the magic triangle.

n All the systems involved in the central user administration are already known within the ALE setup. All existing users were already copied to the central system in the user migration of SCUG. The roles defined in the sub-systems must be specified by name in the central system. You can do this in the Global User Manager with Extras -> System comparison or in SU01 with the Text comparison pushbutton on the Roles tab. This defines all the corners of the triangle.

n The existing relationships between roles and systems can be copied in the Global User Manager with Extras -> Migration -> Roles. All the roles existing in the sub-systems are then assigned to the systems in which they exist. This defines the first side of the triangle.

n The existing relationships between users and systems can be copied in the Global User Manager with Extras -> Migration -> Users. The current relationships between users and roles are copied at the same time. This defines the other two sides of the triangle. After these actions, the Global User Manager shows the individual assignments of the current user infrastructure, which should then be converted to assignments at the level of user groups.

Global User Manager

Slide: the Global User Manager screen with three columns: User Groups (Admin, Super, Accounting, ...) with their Users, System Types (Development, Quality Assurance, Production) with their Systems (DEV, QAS, PRD, PRQ), and Composite Roles (SAP_BC_DWB_..., ...) with their Roles (Admin, ...). The assignments to the selected user are made by Drag&Drop between the columns.

n The Global User Manager is based on the central user administration and provides a graphic interface in the central system with which you can maintain the relationships between users (user groups), systems (system types) and (composite) roles. Its three columns correspond to the three corners of the magic triangle.

n Whereas the user maintenance transaction SU01 only permits individual users to be assigned to individual systems and roles, the Global User Manager groups users into user groups and systems into system types. Users working on the same systems to whom the same roles are assigned should be assigned to one user group. This permits a large number of system-specific assignments between users and roles, implemented with a much smaller number of assignments between user groups, system types and roles. The Global User Manager automatically maps assignments between these groups on assignments between individual users and systems.

n Users can be grouped into user groups and systems into system types within the columns with Drag&Drop. If you select an object by double-clicking, the assignments of this object are displayed in the other two columns; in terms of the magic triangle you therefore always see the two links going from the selected object. You can change the assignments with Drag&Drop. Once modeling has been completed, you can distribute the data from the Global User Manager.

n You can find more information about the Global User Manager in Authorizations Made Easy 4.6 A/B.
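The magic triangle and the Global User Manager's mapping from groups to individuals, as an added example in Python that is not part of the course material: assignments are made between user groups, system types and composite roles, and the class expands them to the individual (user, system, role) tuples that exist only when all three sides of the triangle are defined. Names such as ACCOUNTING, PRODUCTION, Z_FI_CLERK and the logical systems are constructed. Roles are matched by name only, exactly as in CUA, so the model says nothing about what a same-named role actually authorizes in each system.

```python
"""Added example, not part of the course material: resolving the magic
triangle the way the Global User Manager does, from assignments made on user
groups, system types and composite roles down to the individual
(user, system, role) tuples the central user administration distributes.
Roles are matched by name only, as in CUA; what a role authorizes in each
system is not modelled. All names are constructed."""


class MagicTriangle:
    def __init__(self):
        self.user_groups = {}       # group name -> set of users
        self.system_types = {}      # type name -> set of logical systems
        self.composite_roles = {}   # composite role -> set of single roles
        self.user_system = set()    # (user or group, system or type)
        self.role_system = set()    # (role or composite, system or type)
        self.user_role = set()      # (user or group, role or composite)

    # a name that is not a group, type or composite stands for itself
    def users(self, x):
        return self.user_groups.get(x, {x})

    def systems(self, x):
        return self.system_types.get(x, {x})

    def roles(self, x):
        return self.composite_roles.get(x, {x})

    @staticmethod
    def _expand(pairs, left, right):
        return {(a, b) for x, y in pairs for a in left(x) for b in right(y)}

    def effective(self):
        """(user, system, role) tuples for which all three sides of the
        triangle exist: user in system, role known in system, role on user."""
        us = self._expand(self.user_system, self.users, self.systems)
        rs = self._expand(self.role_system, self.roles, self.systems)
        ur = self._expand(self.user_role, self.users, self.roles)
        return {(u, s, r) for (u, s) in us for (u2, r) in ur
                if u2 == u and (r, s) in rs}

    def incomplete(self):
        """User-role assignments that take effect nowhere because no system is
        assigned both the user and the role: the triangle is not fully defined."""
        eff = self.effective()
        ur = self._expand(self.user_role, self.users, self.roles)
        return {(u, r) for (u, r) in ur
                if not any(e[0] == u and e[2] == r for e in eff)}


def demo():
    """Constructed infrastructure: one accounting group on two production
    systems, plus a single user whose role is not assigned to his system."""
    t = MagicTriangle()
    t.user_groups["ACCOUNTING"] = {"USER01", "USER02"}
    t.system_types["PRODUCTION"] = {"PRDCLNT200", "PRQCLNT200"}
    t.composite_roles["Z_FI_CLERK"] = {"Z_FI_DISPLAY", "Z_FI_POST"}
    t.user_system |= {("ACCOUNTING", "PRODUCTION"), ("USER03", "DEVCLNT100")}
    t.role_system |= {("Z_FI_CLERK", "PRODUCTION"), ("Z_FI_DISPLAY", "DEVCLNT100")}
    t.user_role |= {("ACCOUNTING", "Z_FI_CLERK"), ("USER03", "Z_FI_POST")}
    return t
```

Three group-level assignments in `demo()` expand to eight individual user/system/role tuples for the two accounting users, while USER03 gets nothing: Z_FI_POST is assigned to him but not to DEVCLNT100, which `incomplete()` reports. Adding the missing role-system side completes the triangle for him.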

Logs of the Central User Administration

Slide diagram: a change to user data in the central system is distributed to the sub-system; the sub-system sends a return message back to the logs of the central system (complete list of messages of success, warnings and errors), and change documents are written both in the central system and in the sub-system.

n The central system distributes each change to user data asynchronously to the sub-systems. The sub-systems report each change action back to the central system in the form of success messages, warnings or error messages.

n Transaction SCUL organizes access to the logs. The logs can be output sorted by system, user name, error status or user-defined criteria. Changes shown as unconfirmed are those for which no log has yet been sent back to the central system, for example because the corresponding sub-system cannot be reached at the moment; until a change is confirmed you cannot assume it has taken effect there. When users are distributed, up to three logs are sent back to the central system from the sub-system for each user: the assignments of roles and profiles are reported back separately from the rest of the user data. Log transaction SCUL provides initial information for correcting errors, and it can be used to trigger a new distribution of the user data.

n You can also get information about the data that would be copied in the next distribution process from the Global User Manager with the Display distribution data button. You can download this data to the frontend for Word or Excel.

n Change documents are also written in all systems. Each system logs the name of the local changer if maintenance is local. The change documents are not distributed to the central system. If the user master records were changed in the central system, the change documents created in the sub-system show the name of the ALE user of the RFC connection used for the distribution, not the administrator who made the change; that name is found only in the change documents of the central system.

Central User Administration: Unit Summary

You are now able to:

l Explain how the central user administration functions

l Specify the most important steps for setting up the central user administration

l Create, maintain and distribute users centrally

l Use the Global User Manager

Exercises

Unit: Central User Administration

At the conclusion of this exercise, you will be able to:

• Set up new users

• Check the Central User Administration (CUA) settings

1-1 Create new users using CUA

1-1-1 Central System (SAPGUI for Windows, User CUA_CA940-##): Create the new user CUA-##, using the last name “Test” and the initial password "init". Assign the role MY301_BASICS_WP on the Workplace Server, and the role MY301_BASICS_R3 in the SAP R/3 System to the user. Save your settings, so that the user is created in both systems.

1-1-2 Child System (SAPGUI for Windows, User CUA_CA940-##): Using the logs, check that the new user was correctly created in the SAP R/3 System (Assignment of the role and the authorization profile).

1-2 First Logon of the New User

1-2-1 Child System (SAPGUI for Windows, User CUA-##): Logon to the SAP R/3 System with your new user CUA-##. Note your new password. Call the maintenance screen for your user data. Change the first and last names. Save your settings.

1-2-2 Central System (SAPGUI for Windows, User CUA-##): Logon to the central system with your new user and change the password to the same one you used in the SAP R/3 System. Check the user name that is displayed on the initial screen. Was the new name distributed?

1-3 Additional Exercise (Optional): Check the CUA Settings on the Central System

1-3-1 Central System (SAPGUI for Windows, User CUA_CA940-##): Check if both logical systems <WPServer>CLNT<client> and <R/3>CLNT<client> are entered.

1-3-2 Central System (SAP GUI for Windows, User CUA_CA940-##): Check if the logical system <WPServer>CLNT<client> is assigned to the current client.

1-3-3 Central System (SAP GUI for Windows, User CUA_CA940-##): Compare the RFC Destinations of the central and subordinate systems. The RFC Destination has the same name as the logical system.

1-3-4 Central System (SAP GUI for Windows, User CUA_CA940-##): Check the ALE distribution system. Which model is used for CUA? Which objects specified in the distribution model are distributed along with the model?

1-3-5 Central System (SAP GUI for Windows, User CUA_CA940-##): Check the distribution parameters for the fields. Which fields can be maintained in systems other than the central system?

Solutions

Unit: Central User Administration

1-1 Create a New User Using CUA

1-1-1 Central System (SAP GUI for Windows, User CUA_CA940-##): Choose Tools → Administration → User Maintenance → Users (Transaction SU01). Create the new user CUA-##. On the Address tab, enter the last name Test. On the Logon Data tab, enter the initial password init. To fill the F4 help for Roles, first perform a Text comparison from child system on the Roles tab. Then choose your central system under System and the single role MY301_BASICS_WP under Role. Do the same for the SAP R/3 System with the role MY301_BASICS_R3. Save your entries.

1-1-2 Central System (SAP GUI for Windows, User CUA_CA940-##): Check log for correct distribution of the user: Choose Tools → Administration → User Maintenance → User → Environment → Distribution Log (Transaction SCUL). Click the User button and find the receiving systems of user CUA-##. The central system and the SAP R/3 System should appear here. After selecting a receiving system, you can display the relevant user master directly by choosing the Glasses icon. In the case of incorrect or incomplete distribution, execute Resend User.

1-2 First logon of the new user

1-2-1 SAP R/3 (SAP GUI for Windows, User CUA-##): Call the maintenance screen for user data by choosing System → User Profile → Own Data (Transaction SU3). Change the first and last names. Save your entries.

1-2-2 Central System (SAP GUI for Windows, User CUA-##): Check the user name that is displayed on the initial screen (SAP Easy Access Menu).

1-3 Additional Exercise: Check the CUA settings on the Central System

1-3-1 Central System (SAP GUI for Windows, User CUA_CA940-##): To set up the logical system, run the transaction SALE. Choose Sending and Receiving Systems → Logical Systems → Define Logical Systems. Check if both logical systems <WPServer>CLNT<client>, and <R/3>CLNT<client> are available.

1-3-2 Central System (SAP GUI for Windows, User CUA_CA940-##): To set up the logical system, run the transaction SALE. Choose Sending and Receiving Systems→ Logical Systems→ Assign Client to Logical System. Check if the logical system <WPServer>CLNT<client> is assigned to the referencing client.

1-3-3 Central System (SAP GUI for Windows, User CUA_CA940-##): Call the transaction SALE, and choose Sending and Receiving Systems→ Define Target Systems for RFC Calls. Compare the RFC Destinations of the central systems and the subordinate systems. The RFC destination has the same name as the logical system.

1-3-4 Central System (SAP GUI for Windows, User CUA_CA940-##): Call transaction SALE, and choose Modeling and Implementing Business Processes → Predefined ALE Business Processes → Cross-Application Business Processes → Central User Administration→ Select Model View for Central Administration. Here you can see which ALE distribution model is used for CUA. Call the transaction SALE, and choose Modeling and Implementing Business Processes → Maintain Distribution Model and Distribute Views. The objects USER and UserCompany are distributed using the Clone method.

1-3-5 Central System (SAP GUI for Windows, User CUA_CA940-##): Call transaction SALE, and choose Modeling and Implementing Business Processes → Predefined ALE Business Processes → Cross-Application Business Processes → Central User Administration → Set Distribution Parameters for Fields. Fields are globally maintained. Only the fields First Name and Last Name are set to Redistribution.

Note: Transaction SALE is part of the IMG. (Transaction SPRO; SAP Reference IMG: IMG → Path Basis→ Application Link Enabling (ALE)).

mySAP.com and the Workplace

Contents:

l Principles of mySAP.com

l Workplace Architecture

l Role Definition and the Workplace

l Logging on to the Workplace

mySAP.com and the Workplace: Unit Objectives

At the conclusion of this unit, you will be able to:

l Describe the basic elements of mySAP.com

l Describe the architecture of the Workplace

l Create roles using the profile generator

Overview Diagram (9)

Slide: course overview listing the units Introduction, Conception with ASAP Methodology, Elements of the SAP R/3 Authorization Concept, The User Master Record, Analysis and Monitoring Functions, Access Control and User Administration, Working with the Profile Generator, Integration into Organizational Management, Profile Generator: Installation/Upgrade, Transporting Authorization Components, Central User Administration, Special Authorization Components, and the current unit, mySAP.com and the Workplace.

mySAP.com and the Workplace: Business Scenario

l The Workplace permits several SAP R/3 Systems, New Dimension products, web links and external applications to be integrated in a browser-supported interface. The LaunchPad provides the user with a menu that corresponds to his workplace or role in the enterprise and which he can use to navigate in all the components of the system. The user menu is set up with the profile generator by creating roles.

Principles of mySAP.com

Slide diagram: the Internet Business Framework with four characteristics: Integrated (partnership platform, industry-focused, integrated business processes), Personal (can be individually tailored, role-specific, uniform access to all internal and external services), Cooperative (build relationships/communities, integrate external services/content) and One-step business (collaboration, application hosting).

n The mySAP.com initiative includes the following areas:

� my emphasizes the focus on user requirements. EnjoySAP provides a user interface that is easy to use. The Workplace provides simple, role-based access to all mySAP.com components.

� SAP represents business solutions for a number of industries.

� .com represents SAP's clear orientation to the business world in the Internet age. Business relationships can be set up and enhanced using the Internet.

Workplace

Slide diagram: the Workplace (industry-specific, role-based, personalized, Drag&Relate) inside the enterprise boundary gives Single Sign On access to the mySAP.com components (R/3 4.6 with FI, LO and HR; CRM, KW, SEM, APO, BW, CFM, BBP), to older SAP systems (R/3 3.1H, R/2) and to third-party and partner systems that are not mySAP.com, and via open Internet standards to the Marketplace, mySAP.com Internet services, other Internet services and different ERP systems outside the enterprise. Source: presentation by Hasso Plattner at SAPPHIRE Nice99.

n The Workplace is an Enterprise Portal, and provides simple access at any time and from any place (including mobile devices) to all required applications, information and services. The portal can be used by employees and by external interest groups (suppliers, investors, and so on).

n You access the Workplace and the applications reached through it with one single logon (Single Sign-On).

n The user can configure the Workplace individually. To meet customer’s requirements, it is already delivered in various industry- and role-specific versions. By adding frequently used links and transactions, the Workplace can be changed to match the requirements of the individual users. The Drag&Relate function is implemented throughout.

n The Workplace allows access to a range of mySAP.com and external components. SAP R/3 Systems are Internet and intranet-compatible from Release 3.1H onwards. Important mySAP.com components are:

� Knowledge Warehouse (KW)

� Business Information Warehouse (BW)

� Customer Relationship Management (CRM)

� Advanced Planner & Optimizer (APO)

� Business-to-Business Procurement (BBP)

Business Scenarios

Slide diagram: the enterprise exchanges with suppliers (Business to Business Procurement: purchasing, invoice, payment), with business partners (collaborative applications, collaborative planning), with customers and vendors (online sales, online services) and with employees (Employee Self Services).

n Business-to-Business Procurement (BBP) and Employee Self-Service (ESS) are examples of business scenarios:

� Using SAP BBP, vendors can place their catalog on the Internet or an Intranet. Purchasing and ordering are carried out over the World Wide Web.

� ESS permits employees of a company to perform activities such as ordering office supplies or updating their personal data. Orders, requests and their changes are passed to an SAP system in the background. The first ESS scenarios were available in 1996 as part of SAP R/3 Release 3.1G.

n Cooperation between business partners primarily takes the form of cross-business planning and forecasting. The participating parties can access applications which are common to them and online services from external providers as required.

Elements of the Workplace

Slide: the Workplace window. Top bar: "Welcome Julie Armstrong" with the links mySAP.com Marketplace, Update, Personalize, Getting Started and Info. Left, the LaunchPad with the folders In Use (Home, Create Order, User Overview, Replenishment Planning), Workplace Favorites (Meyer Inc., Display Order, Create Order) and Roles (Sales and Distribution: Sales with Create Quotation, Display Quotation, Create Order, Display Order, Replenishment Planning; Credit Management). Right, the WorkSpace with MiniApps (Reuters News, Web Search, Calculator), transactions and web pages; Drag&Relate connects them.

n You call the mySAP.com Workplace by entering the relevant URL (Internet address) in a Web Browser. Usually this is done by clicking a link (instead of being entered manually). The syntax for the URL of the Workplace is typically <protocol>://<webserver>[:<port>]/scripts/wgate/sapwp/!, for example: https://workplace.wdf.sap-ag.de:1042/scripts/wgate/sapwp/!

n The Workplace has two main components: the LaunchPad on the left side and the Workspace on the right side of the Workplace window.

� The LaunchPad depends on the user's role. It contains the relevant activities, including functions from the mySAP.com components, external components and the Web. Simply clicking an entry starts it. The LaunchPad can include multiple roles, and the user can include his own URLs in it.

� When you log on to the Workplace, the MiniApps assigned to your roles (such as a stock ticker, news, overview lists or reports) appear in the WorkSpace, together with any MiniApps you have added yourself. When you start an application from the LaunchPad (for example, the transaction for Post Invoice), it is executed in the WorkSpace.

n Another feature of the Workplace is Drag&Relate . It permits you to connect one application with another simply by clicking on an object and pulling it to a target, for example an SAP R/3 application or an Internet link.

Session Handling in the LaunchPad

Slide: the LaunchPad with the folders In Use (Start Page, Create Order, User Overview, Replenishment Planning), Workplace Favorites and Roles, annotated with its controls: running applications (assigned channels), expand and collapse LaunchPad, initial screen (to the MiniApps), personalization window, log off from Workplace, expand and collapse folders. The personalization window (tabs Workplace Favorites, Start Page, General) offers the options Allow More Than One Application in the Area "In Use", Close Applications Without Confirmation and Display Dialog for Drag&Relate.

n The Workplace supports holding and switching between several applications. This function is called Session Handling. The use of this function has been simplified for the user in mySAP Workplace Release 2.11:

� Start an application, either a favorite from the LaunchPad folder Workplace Favorites or an entry from the Roles folder (by clicking entries at the lowest level, next to which there are icons).

� The first available Channel is assigned to this application. The application appears in the WorkSpace and automatically appears as a new entry in the folder In Use. Every application that you start is added to the list as a new entry.

� By clicking the entries in the In Use list, you can switch between the running applications. The application currently shown in the WorkSpace is highlighted with a blue background.

� If you have opened the maximum number of applications (set by the system administrator) and call another application, the standard setting is that you are asked which of the running applications you want to close. With the option Close applications without confirmation in the personalization window, you can suppress this prompt.

Working with Favorites

Slide: the personalization window, tab Workplace Favorites. Left, the favorites folders (Display Order, Replenishment Planning), to which applications are added using Drag&Drop. Right, the tabs Properties and Available in Roles; New Folder and New Web Address create entries, for example Name "mySAP.com Marketplace" with Web Address http://marketplace.mysap.com and the option Display in a separate browser window, with the buttons Test, Copy, Delete, OK and Cancel.

n The Workplace Favorites folder in the LaunchPad contains entries that can be individually set by each Workplace user.

n By choosing Personalize (or using the Personalize icon), you open a new window. You can create and (re)name your own folders in the left-hand part of the tab page Workplace Favorites, as well as moving them and changing their grouping.

n You can enter Web addresses (URLs) in the right-hand part. These are then available in the Favorites folder in the LaunchPad. You should test your favorites by choosing the Test button before you add them to your favorites list. A favorite that requires a complete browser window is not suitable for displaying in the WorkSpace of the mySAP Workplace. In this case, a dialog window containing a warning appears. Choose Cancel in this window. Afterwards, the indicator Display in a separate Browser Window is automatically checked.

n You can see the entries in your LaunchPad that were assigned to you by your system administrator on the Available in Roles tab page on the right-hand side. This contains, for example, transactions. If you use a transaction frequently, you can define this as a favorite. To do so, click the relevant entry and choose Add.

n You can also add to and edit your favorites directly from the LaunchPad. Using Drag&Drop, you can add frequently used entries to the Workplace Favorites folder.

Personalizing the Start Page

Slide: the Start Page ("Welcome Julie Armstrong") and the personalization window, tab Start Page. Left, the list of MiniApps displayed in the Workspace (Web Search, News, Calculator) with List View and Layout Preview. Right, the tabs Properties and Available MiniApps; New MiniApp creates an entry, for example Name "MiniApp-Community" with Web Address http://www.sap.com/MiniApps, a height of 10 lines, minimized, with the buttons Test, Add, Delete, OK and Cancel.

n You have a quick overview and easy access to your most important information, applications and services on the Start Page through MiniApps , which are simple and intuitive to operate.

n There are two ways in which MiniApps can appear on the Start Page of your Workplace:

� MiniApps can be assigned by your system administration

� You can define your own MiniApps.

n By choosing Personalize (or by choosing the Personalize icon), you open the personalization window. You can add your own MiniApps on the right-hand side of the tab page Start Page using New MiniApp. Enter the Web address (URL), a name for the MiniApp, and the height in lines. MiniApps should (like Favorites) be tested before they are added. You can easily rename and reassign them later.

n You can adjust and personalize the format of MiniApps. In the left-hand work area, you can change the order in which the MiniApps are displayed, or choose your desired display format (minimized or expanded). You can see and change the layout of your MiniApps in the Layout Preview. Using this function, you can see which MiniApps are displayed at half width.

n In order to improve system performance, your system administration may have configured your Workplace so that no MiniApps at all are displayed the first time you log on to the Workplace. You can then select self-defined MiniApps and MiniApps from your roles using the personalization functions in order to create an individual Start Page.

Workplace Architecture

Slide diagram: three layers. Desktop: Web Browser. Workplace Middleware: Web Server and ITS, with the PortalBuilder (ITS instance 0) connected to the Workplace Server, ITS instances 1 to n connected to component systems 1 to n, and the Drag&Relate Servlets with SAP DCOM. Backend systems: the Workplace Server and component systems such as R/3, APO, BW, KW, BBP and CRM.

n Technically, the Workplace architecture can be divided into three layers:

n On the desktop the user only needs a Web Browser.

n The communication partner of the Web Browser is a Web Server, which is part of the Workplace Middleware. Another important component is the SAP Internet Transaction Server (ITS), which implements the connection between the Web Server and a backend system. A special ITS instance is the PortalBuilder, which communicates with a special backend system called the Workplace Server. If the Workplace was installed with the Drag&Relate option, this function is provided by additional elements, the Drag&Relate Servlets and the SAP DCOM CC.

n Different backend systems can be integrated in the Workplace. Each Workplace installation always has a Workplace Server, an independent SAP System (SAP Basis with special Add-Ons) with the following functions:

� Storage of roles and favorites of all users

� Generation of the correct URLs for the entries in the user's LaunchPad

� Central system of the CUA (if required)

All other systems (such as SAP R/3, APO, BW, KW, BBP, CRM) are called component systems. Their integration in the Workplace requires the corresponding Workplace Add-On.

Role Definition and the Workplace

[Slide diagram "Where is What Information? / Transfer of Roles": the Workplace Server holds the role definition for the user menu (plus CUA, if desired); each Component System 1 to n (for example R/3, APO, BW, KW, BBP, CRM) holds the role definition for authorizations; roles are transferred between the two.]

n What does implementation of the Workplace mean for the authorization administrator?

n Nothing is changed in the authorization concept of the different component systems. The authorization profiles in the user master record still define what the user may do in the particular component system, no matter how these profiles were created.

n The role-based structure of the LaunchPad in the Web Browser requires that each user be assigned a role on the Workplace Server. Apart from the authorization for the RFC calls, a user does not need any special authorization profiles on the Workplace Server; only the role definition matters there. The user's favorites are also managed on the Workplace Server.

n To avoid unnecessary work and consistency problems, there are mechanisms for transferring role definitions from the component systems to the Workplace Server. These are described later in this unit.

n You are not required to use CUA in connection with the Workplace. If you do use CUA, however, it makes sense to use the Workplace Server as the central system.

n Roles can be transferred by Central Role Maintenance (Workplace Server -> Component Systems), by Upload/Download, or by Import using RFC (Component Systems -> Workplace Server).

Role Definition: Overview

[Slide diagram: flow between Component System and Workplace Server. Steps: Create Role, Generate Authorizations, Assign Users / Reconcile Users, Transfer Role, Distribute Role, Create Composite Role, Assign Users to Composite Role, with a branch for CUA (no/yes). Legend: dashed arrows = Central Role Maintenance, solid arrows = Decentralized Role Maintenance.]

n The slide gives an overview of the creation of user roles. If the component system runs SAP R/3 Release 4.6A or higher, central role maintenance can be selected (dashed arrows in the slide). Component systems with lower releases work with decentralized role maintenance (solid arrows).

n With central role maintenance, the menu definitions of the single roles are initially created on the Workplace Server. A single role is assigned to exactly one component system. The role is then distributed to that system, and its authorization content is maintained there. If Central User Administration (CUA) is not in use, the users are assigned the role directly in the component system and their user master records are compared (adjusted).

n With decentralized role maintenance, the single roles are initially created, and their authorization content is maintained, on the component system. If CUA is not in use, the users are assigned the role directly in the component systems and their user master records are adjusted.

n Single roles are grouped into composite roles on the Workplace Server, and users are assigned these composite roles there. If CUA is active, this assignment automatically gives the users the corresponding single roles in the component systems. If CUA is not active, the assignment in the component systems must be made manually.

n Composite roles are created only on the Workplace Server. They group together single roles from the component systems.

Defining Roles on the Workplace Server

[Slide screenshot: Role Maintenance screen on the Workplace Server, with the fields Role and Description, the views Description, Transactions, Favorites and Target System, the buttons Create Role and Create Composite Role, and the functions Show Documentation and Views.]

n Single roles can be created either in the component system or on the Workplace Server, depending on the release of the component system. "Created" here means defining the role's menu, that is, its activities. The technical authorization content of a role is usually maintained in the component system, because Customizing differs from system to system.

n If a user calls a transaction in the Workplace using the LaunchPad, this transaction is executed in the corresponding component system. Therefore the single roles on the Workplace Server must point to the appropriate component systems. Single roles that are created on the Workplace Server in the context of central role maintenance and distributed to component systems are already assigned to "their" component system. Single roles created in the context of decentralized role maintenance and copied to the Workplace Server using RFC are likewise assigned to "their" component system. Only single roles transferred by Download/Upload must be assigned to their target system manually; check this assignment, since an entry that points to the wrong system starts the transaction there.

n Composite roles bundle single roles. A composite role can contain single roles that access different systems within the Workplace architecture. It is not possible to group composite roles into superordinate composite roles.

n Composite roles determine the appearance of the LaunchPad in the Workplace.

n Composite roles are maintained only on the Workplace Server and contain no authorizations.

Transfer of Roles

[Slide diagram: individual (single) roles 1 to 6, defined in the Component Systems, are copied to the Workplace Server, which then holds the same single roles 1 to 6.]

n After the roles have been created in the individual component systems, the role definitions (menus) must be transferred to the Workplace Server. The following scenarios exist:

n SAP R/3 Systems from 3.1H, after importing the Workplace Plug-In: transaction WPST, provided by the plug-in, lets you download roles and the enterprise menu to the file system. The role definitions can also be transferred to the Workplace Server using RFC: in transaction PFCG on the Workplace Server, choose Role -> Read from other system by RFC.

n SAP R/3 Systems 3.1H to 4.0B: there are reports for downloading and uploading roles via the file system (see SAP Note 181368).

n SAP R/3 Systems 4.5A to 4.5B: in addition to the download and upload mechanisms, you can transport roles with the CTS.

n SAP R/3 Systems from 4.6B: the Profile Generator offers download and upload functions that include the menu definition. The reports mentioned above are therefore no longer needed.

n SAP R/3 Systems from 4.6A: the roles can be distributed from the Workplace Server (central role maintenance) or read from the component systems using RFC.

Authorizations to Logon to the Workplace (Workplace Server)

n In principle, the user needs no special authorizations on the Workplace Server. For access from the Web, however, an authorization for the object S_RFC is required, because the Workplace functions are called via RFC. The course allows a full authorization here (all fields set to *). Note for the administrator: S_RFC has the fields RFC_TYPE, RFC_NAME (the function group) and ACTVT (16 = Execute). With RFC_NAME = * the user may call every RFC-enabled function module in the Workplace Server, not only those the Workplace needs, so a least-privilege setup restricts RFC_NAME to the function groups actually required and keeps ACTVT at 16.

n The Workplace administrator can assign this authorization to the users by adding it manually to a role in transaction PFCG.

n If users want to personalize their Workplace, SAP recommends that you additionally assign them the SAP role SAP_WPS_USER. This allows the user to personalize MiniApps and to specify which SAP GUI is to be started.
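The following script is an added illustration, not code from the course or from SAP. It models the matching rules of the ABAP authority check and compares the full S_RFC authorization the slide allows with a restricted one. The object and field names (S_RFC, RFC_TYPE, RFC_NAME, ACTVT) are real; the function groups listed in the restricted variant and the names used as probes are assumptions chosen for this illustration.

```python
"""Added example (not from the SAP course material): what an S_RFC
authorization with all fields set to '*' grants, compared with one that
restricts RFC_NAME.

The matching rules model the ABAP AUTHORITY-CHECK statement: the check
passes if at least one authorization the user holds satisfies every field
of the object. A field is satisfied by '*', by an identical value, by a
generic value ending in '*' (prefix match), or by a FROM-TO range.
"""
from typing import Dict, Iterable, Set, Tuple, Union

Allowed = Union[str, Tuple[str, str]]      # '*', 'Z*', 'SYST' or ('A', 'M') as FROM-TO
Authorization = Dict[str, Set[Allowed]]    # field name -> allowed values


def value_matches(required: str, allowed: Allowed) -> bool:
    """Match one required field value against one value of an authorization."""
    if isinstance(allowed, tuple):         # FROM-TO range, inclusive on both ends
        low, high = allowed
        return low <= required <= high
    if allowed == "*":                     # full authorization for this field
        return True
    if allowed.endswith("*"):              # generic value, e.g. 'Z*'
        return required.startswith(allowed[:-1])
    return required == allowed


def authority_check(auths: Iterable[Authorization], **required: str) -> bool:
    """AUTHORITY-CHECK semantics: one single authorization must satisfy all fields."""
    for auth in auths:
        if all(any(value_matches(value, a) for a in auth.get(field, set()))
               for field, value in required.items()):
            return True
    return False


def can_execute_rfc(auths: Iterable[Authorization], function_group: str) -> bool:
    """May this user call function modules of the given function group via RFC?"""
    return authority_check(auths, RFC_TYPE="FUGR", RFC_NAME=function_group, ACTVT="16")


# The setting the course permits: every field of S_RFC set to '*'.
FULL_S_RFC = [{"RFC_TYPE": {"*"}, "RFC_NAME": {"*"}, "ACTVT": {"*"}}]

# A restricted alternative. The function group names are an assumption
# for this example, not a list taken from the course.
RESTRICTED_S_RFC = [{"RFC_TYPE": {"FUGR"},
                     "RFC_NAME": {"SYST", "RFC1", "SRFC"},
                     "ACTVT": {"16"}}]


def compare(function_groups: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Per function group: (allowed with full S_RFC, allowed with restricted S_RFC)."""
    return {fg: (can_execute_rfc(FULL_S_RFC, fg), can_execute_rfc(RESTRICTED_S_RFC, fg))
            for fg in function_groups}


if __name__ == "__main__":
    # 'ZUSER_ADMIN' is a constructed name standing for a group the Workplace
    # logon does not need but a full S_RFC would still expose.
    for fg, (full, restricted) in compare(["SYST", "SRFC", "ZUSER_ADMIN"]).items():
        print(f"{fg:12s} full '*': {full!s:5}  restricted: {restricted}")
```

With the full authorization every probe is allowed; with the restricted one only the listed function groups pass, which is the difference between "the user can log on to the Workplace" and "the user can call any RFC-enabled function module on the Workplace Server".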

Single Sign-On - Overview

[Slide table: rows for Web Browser, Web Server, ITS AGate and Component system; columns for the three mechanisms.
1. Single Sign-On Cookie: logon with user ID and password; the cookie is stored in the browser's main memory; the cookie is decrypted; the cookie is created after logon with user ID and password.
2. mySAP.com Logon Ticket (from Workplace 2.10): logon with user ID and password, ticket created; the ticket is stored in the browser's main memory; the ticket is checked and the logon is performed using the "ticket data".
3. Certificate Logon: the X.509 user certificate and private key are stored on the frontend; the X.509 server certificate and private key are stored on the server; verification of the user certificate; authentication of the AGates and mapping to SAP users using a mapping table; the AGate provides a secure connection to the WGate and the SAP systems.]

n Single Sign-On (SSO) means that the user logs on to the Workplace infrastructure only once and can then use all component systems without being prompted for a password again.

n In the Workplace infrastructure, SSO can be realized in two ways:

  - By checking user ID and password, either
    - through logon with the logon data encrypted in the cookie, or
    - through logon using the SAP Logon Ticket, which contains no password; the component system trusts the ticket's statement that the user has been authenticated and gives the named user access according to his or her authorizations in that system. The ticket is digitally signed by the issuing Workplace Server, so a component system accepts it only if the signature verifies against the issuer's certificate and the ticket is still within its validity period. Because the ticket is a bearer credential, whoever presents a valid one is logged on as the named user, which is why it must be protected in transit.
  - By checking identity and authorization using digital certificates.

n With these procedures the user logs on only once. Thereafter the user's logon data (or the ticket or certificate that stands in for it) is passed to every system the user wants to work with.

n Single logon to the Workplace using certificates requires the HTTPS protocol. SAP also recommends HTTPS for the variants that prove identity with user ID and password or with the SAP Logon Ticket.
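The ticket logon described above, modelled as an added example that is not part of the course material: the Workplace Server checks the password once and issues a ticket naming the user, and a component system logs the user on from the ticket without ever seeing the password. A keyed HMAC stands in for the digital signature of a real SAP Logon Ticket (the real ticket is signed by the issuing system and verified against its certificate); the field names, system IDs, key and sample user are constructed for this example.

```python
"""Added example (not from the SAP course material): model of the SAP Logon
Ticket exchange between Workplace Server and component system.

Assumptions for this illustration: an HMAC with a key shared between issuer
and verifier stands in for the asymmetric signature of the real ticket; the
JSON payload, system IDs and the sample user master are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

SIGNING_KEY = b"constructed demo key, not a real SAP key"

# Constructed user master of the Workplace Server: user ID -> password hash.
_WP_USERS = {"DEMO": hashlib.sha256(b"initpass").hexdigest()}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


class WorkplaceServer:
    """Checks user ID and password once and issues a ticket naming the user."""

    def __init__(self, sid: str, signing_key: bytes, validity_seconds: int = 8 * 3600):
        self.sid = sid
        self._key = signing_key
        self.validity = validity_seconds

    def logon(self, user: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Return a ticket if the password is correct, None otherwise."""
        stored = _WP_USERS.get(user)
        given = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, given):
            return None
        now = time.time() if now is None else now
        payload = json.dumps({"user": user, "issuer": self.sid,
                              "exp": int(now + self.validity)}, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(tag)


class ComponentSystem:
    """Trusts tickets of known issuers; the user's authorizations stay in its own user master."""

    def __init__(self, sid: str, trusted_issuers: Dict[str, bytes]):
        self.sid = sid
        self._trusted = trusted_issuers            # issuer SID -> verification key

    def logon_with_ticket(self, ticket: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user ID the ticket logs on, or None if the ticket is rejected."""
        try:
            payload_b64, tag_b64 = ticket.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
            data = json.loads(payload)
        except (ValueError, TypeError):
            return None                             # malformed ticket
        if not isinstance(data, dict):
            return None
        key = self._trusted.get(data.get("issuer"))
        if key is None:
            return None                             # issuer not trusted by this system
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                             # tampered or forged
        now = time.time() if now is None else now
        if now >= data.get("exp", 0):
            return None                             # validity period over
        return data["user"]                         # logon as the named user, no password


def tamper(ticket: str, user: str) -> str:
    """Rewrite the user named in a ticket without re-signing it (an attacker's attempt)."""
    payload_b64, tag_b64 = ticket.split(".")
    data = json.loads(base64.urlsafe_b64decode(payload_b64))
    data["user"] = user
    return _b64(json.dumps(data, sort_keys=True).encode()) + "." + tag_b64


def run_demo(now: float = 1_000_000.0) -> Dict[str, Optional[str]]:
    """Exercise the exchange; each entry is the user ID logged on, or None if rejected."""
    wps = WorkplaceServer("WPS", SIGNING_KEY)
    prd = ComponentSystem("PRD", {"WPS": SIGNING_KEY})
    ticket = wps.logon("DEMO", "initpass", now=now)
    return {
        "wrong_password": wps.logon("DEMO", "guess", now=now),
        "valid": prd.logon_with_ticket(ticket, now=now + 60),
        "tampered": prd.logon_with_ticket(tamper(ticket, "SAP*"), now=now + 60),
        "expired": prd.logon_with_ticket(ticket, now=now + 9 * 3600),
        "untrusted_issuer": ComponentSystem("DEV", {"OTHER": b"other"})
                            .logon_with_ticket(ticket, now=now + 60),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:17s} -> {result}")
```

Only the valid ticket logs the user on; the tampered, expired and foreign-issuer tickets are rejected, and the component system never sees the password. Note what the model also shows: anyone holding the valid ticket string within its validity period would be logged on as DEMO, which is the reason the page recommends HTTPS for ticket logon as well.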


Further Information

l WWW Addresses

n www.sap.com (SAP Homepage)

n service.sap.com (SAP Service Marketplace)

n marketplace.mysap.com (mySAP.com Marketplace)

n www.sapmarkets.com (SAPMarkets Homepage)

l SAPNet Aliases

n mysapcom

n workplace, marketplace, scenarios

l Training

n MY301 Workplace

mySAP.com and the Workplace: Unit Summary

You are now able to:

l Describe the basic elements of mySAP.com

l Describe the architecture of the Workplace

Exercises

Unit: mySAP.com and the Workplace

At the conclusion of this exercise, you will be able to

• Call the Workplace

• Work with the Workplace

1-1 Logon

1-1-1 Web Browser: Log on to the Workplace with the demo user. To do this, start your Web Browser and enter the address of the Homepage for your course. To log on to the Workplace, enter “sapwp”. Your instructor will give you the address of the Homepage and the logon data.

1-2 Working with the Workplace

1-2-1 Web Browser: Gain an overview of your Workplace. Which setting is necessary in order to be able to use Session Handling (multiple active applications in the area In Use)? Change your settings appropriately.

1-2-2 Add to the Workplace Favorites area. Add your own folder “Group ##”, where ## is your group number. Place two Favorites in this folder: One Favorite to a Web Address (URL) of your choice and an entry from the Role that has been assigned to you. Then check if your folder and the Favorites are visible and usable.

1-2-3 Optional: Extend the MiniApps provided for your role with a MiniApp that points to a Web address of your choice. Test your entry before you add it. Then change the order in which the MiniApps are displayed on the Workplace and test the various display possibilities (minimized/expanded) for MiniApps.

Solutions

Unit: mySAP.com and the Workplace

1-1 Logon

1-1-1 See exercise text

1-2 Working with the Workplace

1-2-1 Session Handling is initially not activated for new users. In order to check and change the appropriate setting, call the personalization window by clicking the Personalize icon (or by clicking the Personalize button on the Start Page). Check the setting for Allow More Than One Application in the Area "In Use” under Options on the General tab. After a change to the settings, you must log off the Workplace and log back on.

1-2-2 You also create new folders in the personalization window. Choose the New Folder function on the Workplace Favorites tab. Enter the name “Group ##” and click Add. It is also here that you enter URLs (beginning with “http“) and a description of your Web address. Test your entries (some addresses require their own browser window), before you Add them. When you have done this, leave the personalization window by clicking “OK”. Choose an entry under Roles in the LaunchPad (it can also be a complete menu tree), and add it to your folder “Group ##” using Drag&Drop.

1-2-3 MiniApps are also managed in the personalization window, on the Start Page tab. You can test new MiniApps and add them to your existing MiniApps – in exactly the same way as Favorites - under Attributes. You can determine which MiniApps should be displayed under Available MiniApps. You can see and change the layout of your MiniApps in the Layout Preview.

Appendix

Transaction Codes

The following are transaction code links for SAP R/3 Release 4.6C. The transaction codes and menu paths are categorized by function.

End User Functions

Transaction Code | Menu Path | Purpose
SU3 | System → User Profile → Own Data | Set address/defaults/parameters
SU53 | System → Utilities → Display Authorization Check | Display the last authorization check that failed
SU56 | Tools → Administration → Monitor → User Buffer | Display the user buffer

Role Administration Functions

Transaction Code | Menu Path | Purpose
PFCG | Tools → Administration → User Maintenance → Roles | Maintain roles using the Profile Generator
PFUD | <none>; also available in the Profile Generator: Environment → Mass compare | Compare user master records in dialog. The report for the periodic user master comparison is PFCG_TIME_DEPENDENCY (up to Release 4.0: RHAUTUP1)
SUPC | Tools → Administration → User Maintenance → Roles → Environment → Mass Generation | Mass generation of profiles

User Administration Functions

Transaction Code | Menu Path | Purpose
SU01 | Tools → Administration → User Maintenance → Users | Maintain users
SU01D | Tools → Administration → User Maintenance → Display Users | Display users
SU10 | Tools → Administration → User Maintenance → User Mass Maintenance | User mass maintenance
SU02 | Tools → Administration → User Maintenance → Manual Maintenance → Edit Profiles Manually | Manually create profiles
SU03 | Tools → Administration → User Maintenance → Manual Maintenance → Edit Authorizations Manually | Manually create authorizations

Profile Generator Configuration Functions

Transaction Code | Menu Path | Purpose
RZ10 | Tools → CCMS → Configuration → Profile Maintenance | Maintain system profile parameters (for the Profile Generator: auth/no_check_in_some_cases = Y)
SU25 | IMG activity: Enterprise IMG → Basis Components → System Administration → Users and Authorizations → Maintain authorizations and profiles using Profile Generator → Work on SAP check indicators and field values; select Copy SAP check IDs and field values | Installation: 1. Initial fill of the customer tables. Upgrade: 2a. Preparation: compare with SAP values; 2b. Reconcile affected transactions; 2c. Roles to be checked; 2d. Display changed transaction codes
SU24 | Same as for SU25; select Change Check Indicators | 1. Maintain check indicators; 2. Maintain templates

Transport Functions

Transaction Code | Menu Path | Purpose
SCCL | Tools → Administration → Administration → Client Administration → Client Copy → Local Copy | Local client copy (within one system, between different clients)
SCC9 | Tools → Administration → Administration → Client Administration → Client Copy → Remote Copy | Remote client copy (between clients in different systems); data exchange over a network (not files)
SCC8 | Tools → Administration → Administration → Client Administration → Client Transport → Client Export | Client transport (between clients in different systems); data exchange using a data export at operating system level
<none> | Tools → Administration → User Maintenance → Roles → Environment → Mass Transport | Mass transport of roles
<none> | Tools → Administration → User Maintenance → Roles → Role → Upload/Download | Upload/Download of roles
SU25 | Point 3 | Transport of check indicators
STMS | Tools → Administration → Transports → Transport Management System | Transport Management System

System Configuration Functions

Transaction Code | Menu Path | Purpose
RZ10 | Tools → CCMS → Configuration → Profile Maintenance | Maintain system profile parameters (auth/no_check_in_some_cases = Y)
RZ11 | <none> | Description of system profile parameters
SM01 | Tools → Administration → Administration → Transaction Code Administration | Lock transaction codes from execution

Authorization Object Maintenance

Transaction Code | Menu Path | Purpose
SU20 | Tools → ABAP Workbench → Development → Other Tools → Authorization Objects → Fields | List of authorization fields
SU21 | Tools → ABAP Workbench → Development → Other Tools → Authorization Objects → Objects | List of authorization objects (the initial screen lists them by object class)

Information System, Audit Information System

Transaction Code | Menu Path | Purpose
SE84 | Tools → Administration → User Maintenance → Information System | Information System for SAP R/3 Authorizations
SECR | <none> | Audit Information System (AIS)

Table Group Maintenance Functions

Transaction Code | Menu Path | Purpose
SM30 (views V_BRG, V_DDAT) | System → Services → Table Maintenance → Extended Table Maintenance | Create table authorization groups (V_BRG); maintain the assignment of tables to groups (V_DDAT)

Area Menu Maintenance Functions

Transaction Code | Menu Path | Purpose
SE43 | ABAP Workbench → Development → Other Tools → Area Menus | Maintain (display) area menus

SAP Notes: CA940

SAP Note | Description | Release
31395 | System Parameters: Defined Where? Displayed How? Docu? | Release Independent
39267 | Availability of SAP Security Guide | Release Independent
30724 | Data Protection and Security in R/3 | Release Independent
23611 | Collective Note: Security in SAP Products | Release Independent
66687 | Use of Network Security Products |
20534 | Authorization Check – A Short Introduction | Release Independent
20643 | Naming Conventions for Authorizations | Release Independent
16466 | Customer Namespace for SAP Objects |
28175 | Questions Regarding the Authorization Concept | Release Independent
2467 | Password Rules and Preventing Unauthorized Logons | Release Independent
12466 | Logon Restrictions in R/3 | Release Independent
28186 | What Does the Profile SAP_NEW Do? | Release Independent
82390 | Generating Profile SAP_ALL | 4.5A - 4.5B, 4.0A - 4.0B, 3.10 - 3.1I
29276 | SAPCPIC: At Which Points Are Passwords Visible? | Release Independent
2383 | Documentation: Description of “super user” SAP* | Release Independent
68048 | Deactivating the Automatic User SAP* | 4.5A - 4.5B, 4.0A - 4.0B, 3.0x - 3.1I
93769 | Additional Documentation Regarding the Authorization Concept – Documentation on Profile Generator (Authorization Made Easy for Releases 3.0F, 3.1G and 3.1H, 4.0B) | 4.6A - 4.6B, 4.5A - 4.5B, 4.0A - 4.0B, 3.0x - 3.1I
156250 | Responsibilities Replaced as of Release 4.5A | 4.6A - 4.6B, 4.5A - 4.5B
198598 | Profiles and References in Roles as of Release 4.6B | 4.6C - 4.6C, 4.6B - 4.6B
156196 | Activity Groups Renamed as of Release 4.5A | 4.6A - 4.6B, 4.5A - 4.5B
80210 | Profile Generator: Documentation | 4.5A - 4.5B, 4.0A - 4.0B, 3.1G - 3.1I
91721 | Problem with Org. Levels in Profile Generator | 4.0A - 4.0A, 3.0F - 3.1I
323817 | Creating Organizational Level Fields for Profile Generator | 4.6C - 4.6D, 4.6A - 4.6B, 4.5A - 4.5B
314513 | Org. Level in Profile Generator | 4.6C - 4.6D, 4.6A - 4.6B
85234 | Missing Authorization When Using Profile Generator | 4.6A - 4.6B, 4.5A - 4.5B, 4.0A - 4.0B, 3.0F - 3.1I
113290 | PFCG: Merge Process with Authorization Data: Explanation | Release Independent
313587 | Mass Deletion of Activity Groups | 4.6A - 4.6B, 4.5A - 4.5B
203994 | Changed Behavior: User Menus in 4.6 | 4.6A - 4.6C
301344 | Performance Problems During Menu Editing in PFCG | 4.6C - 4.6D, 4.6B - 4.6B
169469 | List of All Activity Groups with a Manual S_TCODE (install source code) | 4.0B
167466 | IMG Authorizations with Profile Generator in 4.5 | 4.6A - 4.6B, 4.5A - 4.5B
184906 | Renaming Users: Activity Groups Are Missing | 4.6A - 4.6B, 4.5A - 4.5B
355364 | SU01 Role Assignment: Changing Validity Period Impossible | 4.6C - 4.6D
203617 | High Memory Consumption with Easy Access Menu | 4.6C - 4.6C, 4.6A - 4.6B
66056 | Authorization Trace with Transaction ST01 | 4.5A - 4.5B, 4.0A - 4.0B, 3.00 - 3.1I
205771 | Migration of Report Trees in Area Menus | 4.6C - 4.6C, 4.6A - 4.6B
193251 | Customer Enhancements in Area Menus | 4.6A - 4.6B
77503 | Audit Information System (AIS): integrated into Basis from 3.1I and an integral part of Basis functions as of 4.6; import released in 3.0D, 3.0F, 3.1H, 4.0B | Release Independent
139418 | Logging User Actions | Release Independent
179145 | Authorization Checks for Numeric Values | Release Independent
65968 | ABAP/4 Debugging Authorizations as of Release 3.1G | 4.5A - 4.5B, 4.0A - 4.0B, 3.1G - 3.1I
314843 | Authorization Object S_TABU_LIN | 4.6C - 4.6C
23342 | You Are Not Authorized to ... → Analysis | Release Independent
15253 | Authorization Check During Transaction Start (Tab. TSTCA) | Release Independent
67766 | S_TCODE: Authorization Check on Transaction Start | 4.5A - 4.5B, 4.0A - 4.0B, 3.0E - 3.1I
171316 | PFCG/SU03: F4 Help for Authorization Values | 4.6A - 4.6B, 4.5A - 4.5B
7642 | Authorization Protection of ABAP/4 Programs |
142724 | Prevention of Multiple Dialog Logons | 4.5A - 4.5B, 4.0A - 4.0B, 3.0D - 3.1I
159885 | CUA: Collective Note for Central User Administration | 4.6A - 4.6B, 4.5A - 4.5B
303468 | Global User Manager: Frequently Asked Questions | Release Independent