Upload: carlos-urbina

Post on 10-May-2015


ADM940 SAP Authorization Concept
mySAP Technology

Date
Training Center
Instructors
Education Website

Instructor Handbook
Course Version: 2003 Q4
Course Duration: 3 Day(s)
Material Number: 50065135
Owner: Dieter Swiebocki (d031128)

An SAP Compass course - use it to learn, reference it for work


Copyright

Copyright © 2003 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Trademarks

- Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
- IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.
- ORACLE® is a registered trademark of ORACLE Corporation.
- INFORMIX®-OnLine for SAP and INFORMIX® Dynamic Server™ are registered trademarks of Informix Software Incorporated.
- UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
- Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
- HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
- JAVA® is a registered trademark of Sun Microsystems, Inc.
- JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
- SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Disclaimer

THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.


About This Handbook

This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.

Typographic Conventions

American English is the standard used in this handbook. The following typographic conventions are also used.

Type Style: Description

Example text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation both internal (in this documentation) and external (in other locations, such as SAPNet).

Example text: Emphasized words or phrases in body text, titles of graphics, and tables.

EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.

Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.

Example text: Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

12-12-2003 © 2003 SAP AG. All rights reserved. iii


Icons in Body Text

The following icons are used in this handbook.

Icon: Meaning

- For more information, tips, or background
- Note or further explanation of previous point
- Exception or caution
- Procedures
- Indicates that the item is displayed in the instructor's presentation.


Contents

Course Overview ... vii
  Course Goals ... vii
  Course Objectives ... ix

Unit 1: Authorizations in General ... 1
  What Are Authorizations? ... 3
  Creating and Implementing an Authorization Concept ... 19

Unit 2: Basic Terminology of Authorizations ... 53
  Elements and Terminology of the SAP R/3 Authorization Concept ... 55
  Authorization Checks in the SAP System ... 79

Unit 3: User Settings ... 93
  Maintaining and Evaluating User Data ... 94

Unit 4: Working with the Profile Generator ... 125
  Profile Generator and Standard Roles ... 127
  Special PFCG Roles ... 167
  Subtleties of Authorization Maintenance ... 200

Unit 5: Basic Settings ... 219
  Profile Generator: Installation and Upgrade ... 221
  Access Control and User Administration ... 247
  Troubleshooting and Administration Aids ... 287

Unit 6: Transporting Authorizations ... 311
  Transporting Authorization Components ... 312

Unit 7: Integration into the Company Landscape ... 327
  Integration into Organizational Management ... 329
  Central User Administration (CUA) ... 355

Unit 8: Use of Enterprise Portals ... 381
  Introduction to the mySAP Enterprise Portal Solution ... 382
  Security Issues for the SAP Enterprise Portal ... 401

Glossary ... 417

Index ... 421


Course Overview

This course will provide information about the fundamentals of the SAP authorization concept, using SAP R/3 Enterprise. However, these fundamentals can, for the most part, be adapted to other components. Basic knowledge about the SAP environment is vital for this training course.

Target Audience

This course is intended for the following audiences:

- Project team members
- Authorization and user administrators from the system administration
- Authorization and user administrators from the user departments

Course Prerequisites

Required Knowledge

- SAPTEC (SAP NetWeaver: Fundamentals of the Application Platform)

Recommended Knowledge

- SAP01 (mySAP.com Overview)
- Attendance of basic and advanced training courses in at least one application area

Course Duration Details

Unit 1: Authorizations in General
- What Are Authorizations? 30 Minutes
- Creating and Implementing an Authorization Concept 105 Minutes
- Exercise 1: Creating and Implementing an Authorization Concept 45 Minutes

Unit 2: Basic Terminology of Authorizations
- Elements and Terminology of the SAP R/3 Authorization Concept 60 Minutes
- Exercise 2: Elements and Terminology of the Authorization Concept 20 Minutes
- Authorization Checks in the SAP System 30 Minutes
- Exercise 3: Authorization Checks in the SAP System 15 Minutes

Unit 3: User Settings
- Maintaining and Evaluating User Data 85 Minutes
- Exercise 4: Maintaining and Evaluating User Data 30 Minutes

Unit 4: Working with the Profile Generator
- Profile Generator and Standard Roles 80 Minutes
- Exercise 5: Profile Generator and Standard Roles 40 Minutes
- Special PFCG Roles 95 Minutes
- Exercise 6: Special PFCG Roles 45 Minutes
- Subtleties of Authorization Maintenance 75 Minutes
- Exercise 7: Subtleties of Authorization Maintenance 20 Minutes

Unit 5: Basic Settings
- Profile Generator: Installation and Upgrade 60 Minutes
- Exercise 8: Profile Generator: Installation and Upgrade 15 Minutes
- Access Control and User Administration 85 Minutes
- Exercise 9: Access Control and User Administration 25 Minutes
- Troubleshooting and Administration Aids 70 Minutes
- Exercise 10: Troubleshooting and Administration Aids 25 Minutes

Unit 6: Transporting Authorizations
- Transporting Authorization Components 40 Minutes
- Exercise 11: Transporting Authorization Components 15 Minutes

Unit 7: Integration into the Company Landscape
- Integration into Organizational Management 60 Minutes
- Exercise 12: Integration into Organizational Management Minutes
- Central User Administration (CUA) 60 Minutes
- Exercise 13: Working with Central User Administration 30 Minutes

Unit 8: Use of Enterprise Portals
- Introduction to the mySAP Enterprise Portal Solution 20 Minutes
- Security Issues for the SAP Enterprise Portal 15 Minutes


Course Goals

This course will prepare you to:

- Outline the elements, strategies, and tools of the SAP authorization concept
- Generate and assign authorization profiles with the Profile Generator
- Work with the Central User Administration (CUA) tool

Course Objectives

After completing this course, you will be able to:

- List the elements and objects of the authorization concept
- Explain the use and purpose of the Profile Generator
- Analyze authorizations
- Describe special objects for administrators

SAP Software Component Information

The information in this course pertains to the following SAP Software Components and releases:

At the start of the course, introduce the individual units and lessons. This provides the participants with an overview of the contents. Customers usually come to the course with questions and want to ask these as soon as possible. If you introduce the content, they know that the desired topic is part of the course, and usually keep their questions to the appropriate time.

Mention the focus of this course.

- What are the basics of an authorization concept?
- What does authorization assignment mean?
- Use of role maintenance
- Overview of the tasks of an administrator and initial information about an administrator's daily work
- Additional options for authorization and user administration with the integration into Organizational Management or, for example, Central User Administration


Unit 1: Authorizations in General

This unit is split into two lessons:

1. What Are Authorizations?
2. Creating and Implementing an Authorization Concept

The first part introduces SAP's role-based authorization concept. This is the entry point into the topic of authorizations.

The structure and implementation of an authorization is then described using a five-phase model. This example will make it easier to build and structure an authorization concept.

Unit Overview

This unit is the entry point into the topic of authorizations.

Starting with the initial basic concepts of the authorizations topic, it addresses SAP's role-based authorization concept, and discusses a method that describes how to create and structure authorizations, and how to implement them in a customer landscape.

Unit Objectives

After completing this unit, you will be able to:

- Describe the SAP authorization concept as part of a comprehensive security concept
- Explain the access control mechanisms
- Explain how users, roles and authorizations are related
- Describe the technical implementation of a role-based authorization concept
- Explain the structure of an authorization concept
- List the steps required to implement a concept
- Describe the activities for the individual implementation steps


- Use the presented procedure model for implementing an authorization concept for your own projects
- Explain the strategy for user and authorization administration

Unit Contents

Lesson: What Are Authorizations? ... 3
Lesson: Creating and Implementing an Authorization Concept ... 19
Exercise 1: Creating and Implementing an Authorization Concept ... 41


Lesson: What Are Authorizations?

Lesson Duration: 30 Minutes

Lesson Overview

This lesson will introduce the contents of the ADM940 course. It will also provide an introduction to the topic of authorizations and the role-based authorization concept, using a number of overview figures.

Lesson Objectives

After completing this lesson, you will be able to:

- Describe the SAP authorization concept as part of a comprehensive security concept
- Explain the access control mechanisms
- Explain how users, roles and authorizations are related
- Describe the technical implementation of a role-based authorization concept

In this lesson, you provide the participants with an overview of the security challenges that companies face. After considering some general information, the security concept in the context of the SAP system is discussed. The role of the SAP authorization concept within the security concept is then explained.

Business Example

Authorizations are used to control access at the application level. At this level, the term role is at the center of the SAP authorization concept. SAP course ADM940 describes the individual steps, from setup, through the implementation of a role concept with PFCG, to its use in a production environment. The system must also be protected at the operating system, database, network and front end levels in order to implement a comprehensive security concept. SAP courses ADM950 and ADM960, for example, consider these issues.


Content Overview for SAP Course ADM940 and Positioning in the SAP Customer Curriculum

Figure 1: ADM940 - SAP Authorization Concept (SAP R/3 System, Release 4.7, Version: June 2003)

Trademarks

Some software products marketed by SAP AG and its distributors may contain proprietary software components of other software vendors.

Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint, and SQL Server are registered trademarks of Microsoft Corporation.

IBM, DB2, OS/2, DB2/6000, Parallel Sysplex, MVS/ESA, RS/6000, AIX, S/390, AS/400, OS/390, and OS/400 are registered trademarks of IBM Corporation.

ORACLE is a registered trademark of ORACLE Corporation.

INFORMIX OnLine for SAP and INFORMIX Dynamic Server™ are registered trademarks of Informix Software Incorporated.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

JAVA is a registered trademark of Sun Microsystems, Inc.

JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products and service names mentioned are the trademarks of their respective companies.

Figure 2: Curriculum Overview


Figure 3: Target Group

Notes to the User

The training materials are not self-teach programs. They complement the course instructor's explanations. There is space for you to write down additional information on the sheets.

Figure 4: Course Content


Why and for What Do We Require Authorizations?

Describe why authorizations exist in your own words. Use the bullet points after the next figure or your own experience as a consultant to choose the words for your explanation.

Security Expectations

- Protection of sensitive business data on the basis of
  - Laws
  - Agreements
  - Regulations
- Advantageous cost-benefit relation
- No obstruction of business processes

Table 1: Security Expectations

Requirements for protecting sensitive data:

- A company must meet certain legal requirements based on their country of operation. These include, for example, data protection laws (personal data, family status, illnesses, and so on), or employee protection.
- A company must be able to adhere to agreements with and requirements of partners and vendors, and to ensure their implementation.
- A company must publish and enforce security policies, so that a secure environment can be established and maintained. This applies both to data used externally and to data used internally.

Cost-Benefit Relation

- There are a large number of different possible threats. Perfect security could only be achieved with cross-dimensional assignment of authorizations. However, the benefits achieved in this way are often not relative to the costs incurred.

  With some values, it is cheaper to replace a loss than to protect the data at great expense. A company should therefore concentrate on areas in which a clear benefit can be realized through this expenditure. This saves unnecessary investments of time and money.

- It is impossible to ensure complete security against all potential threats. Therefore, a company must be able to weigh up the extraordinary risks of a threat against the costs of a security system.


Obstruction of Business Processes

- It is disadvantageous if business processes are controlled with authorizations to such an extent that almost every call leads to an error message. A situation of this type is not favorable for the processes in a company.
- The assignment of authorizations should be structured in a way that is clear for the administrator, by using a smaller number of roles. If this is not done, it is often difficult to remove undesired obstructions to business processes in complex, nested authorizations. Only with a transparent structure can this be avoided. If problems occur nevertheless, it is only in this way that the places to be maintained can be found.

Use the next figure to discuss the questions that must be asked during the development of a security concept. Discuss the problems of the end users at this point. If the users have no training or poor training, this could destroy more than they can absorb with one concept.

What is to be protected? - List the assets to be protected
Which values must be protected? - Localize potential dangers
What must the values be protected against? - Determine protective measures


Figure 5: Security - Overview

When developing a security concept, you must first determine WHAT you want to make safe. Which assets must be protected? To which categories do these assets belong (for example: hardware, software, data, persons)? When assigning assets to categories, consider the consequences of losing these assets. When calculating the value of fixed assets, for example, you should take into account the loss of value due to depreciation, damage or theft.

You must also determine AGAINST WHAT you want to protect your assets. What dangers are there? Potential sources of danger are, for example, technology, the environment, or persons.

- Persons: Important employees leaving the company, dissatisfied or inexperienced employees. Hackers with criminal intent.
- Technology: Processing errors (caused by applications or operating systems), viruses, power supply interruption, hardware failure.
- Environment: Fire, flood, dust, earthquakes.


Once you have identified your assets and the potential sources of danger, you can develop security mechanisms. You must determine an appropriate protective measure for each source of danger. These measures should also be assigned to different categories (for example: organizational, technical, environmental).

- Organizational Measures: Training, internal security policy, procedures, roles, responsibilities.
- Technical Measures: Inclusion of electronics for checks (routers). Access authorizations for systems and data.
- Environmental measures protect physical system components against natural sources of danger.

The next figure provides a small overview of the different SAP security levels. Describe the context of ADM940 briefly. There are additional courses from the components, such as HR (HR940), BW (BW365), and so on. Provide this information to the participants.

Figure 6: SAP Security Levels

For the "operating system" entry, "???" is entered as the course name. This does not mean that SAP does not yet offer a course here. Courses on this topic are provided directly by operating system vendors. Explain this to the participants.


SAP systems are made safe at a variety of levels. Each level has its own protection mechanisms.

To avoid unauthorized system access, for example, system and data access control mechanisms are provided at the application level.

When protecting an SAP system, you must consider the following:

- Security must be implemented at all levels, since the overall security depends on the weakest part.
- A complex authorization concept is therefore only one aspect of an overall security concept.

This course deals only with the security mechanisms at application level. The other levels are covered in the SAP courses ADM950 and ADM960.

System Access Control and "Role-Based" Access Control

Describe the difference between system access controls (such as user master record, password rules), and access controls that the SAP system provides (authorization checks for programs and transactions). If a user has access to a system, this certainly does not mean that he or she can run something in the system.

Figure 7: SAP Access Controls


In order to work with an SAP system, users require unique user IDs. A user master record must be created in the system for each user. This user master record also contains the password that the system prompts the user to enter when logging on.

There are numerous mechanisms for preventing unauthorized access to an SAP system that can raise the security level of a system if configured appropriately. These configurable settings include, for example, the minimum length and the expiry date of passwords.

To protect business data and functions against unauthorized access, SAP programs utilize authorization checks. In order to pass an authorization check of this type, a user needs the appropriate authorization.

Authorizations are assigned using profiles in the form of roles, which are entered into the user master record.

Use the next figure to describe that employees in companies perform roles in business scenarios. These roles are assigned authorizations, since people can only perform certain activities that correspond to their position in the company.

A business scenario (such as procurement) consists of multiple activities (Create Purchase Requisition, Release Purchase Requisition, and Order Purchase Requisition). An activity, in turn, requires certain authorizations. A role consists of one or more activities. People are assigned one or more roles.

Since SAP R/3 4.6, this has been described with the term "role-based authorization concept".

The SAP term role-based authorization concept is introduced on the following pages.


Figure 8: Users, Roles, and Authorizations

People perform roles that belong to business scenarios. In the example above, KAREN performs the "Create Purchase Requisition" role in the PROCUREMENT business scenario.

A person can have multiple roles. JOHN, for example, has been assigned the roles "Service Representative", "Create Purchase Requisition", and "Release Purchase Requisition".

A role is a group of activities performed within business scenarios. For example, the activity CREATE PURCHASE REQUISITION belongs to the "Create Purchase Requisition" role.

A role generally includes all activities that may occur in the respective scenario.

A single role can be involved in several scenarios. The EMPLOYEE, for example, participates in the SELF-SERVICES and the REPORTING scenarios, among others.

A single scenario may require the participation of multiple roles. In this way, the roles "Service Representative", "Create Purchase Requisition", "Release Purchase Requisition", and, for the supervisor, the role "Business Purchaser" are all involved in the PROCUREMENT scenario.

Business scenarios are groups of activities performed by one or more employees in their respective roles. The PROCUREMENT scenario, for example, comprises the activities CREATE PURCHASE REQUISITION, RELEASE PURCHASE REQUISITION, and CREATE PURCHASE ORDER.

Activities are associated with specific system functions that can only be accessed with the proper authorization.
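As an added illustration (not part of the SAP handbook), the following Python model encodes the relationships this lesson describes: user master records with a password, roles that bundle activities, and scenarios in which several roles participate, with the system access check kept separate from the authorization check as the lesson does. The user, role and scenario names come from the lesson; the activity assignments marked as constructed, the user PAT, and all function names are assumptions made for this example.

```python
"""Toy model of the role-based authorization concept described in this lesson.

People hold roles, roles bundle activities, activities belong to business
scenarios, and an activity may only be performed with the authorization a
role grants.  System access control (a user master record with a valid
password) is modelled as a step separate from the authorization check,
because passing the first says nothing about the second.

KAREN, JOHN, PROCUREMENT and the role names are taken from the lesson text;
everything marked "constructed", and all function names, are made up for
this example and are not SAP code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserMaster:
    """Minimal stand-in for an SAP user master record."""
    user_id: str
    password_valid: bool      # stands in for the password rules (length, expiry)
    roles: frozenset


# Which activities each role authorizes.  Only the first pairing is spelled
# out in the lesson; the others are constructed to make the model complete.
ROLE_ACTIVITIES = {
    "Create Purchase Requisition": {"CREATE PURCHASE REQUISITION"},
    "Release Purchase Requisition": {"RELEASE PURCHASE REQUISITION"},  # constructed
    "Business Purchaser": {"CREATE PURCHASE ORDER"},                   # constructed
    "Service Representative": {"DISPLAY SERVICE ORDER"},               # constructed
    "EMPLOYEE": {"DISPLAY OWN DATA", "RUN STANDARD REPORT"},           # constructed
}

# Which roles participate in which business scenario (as listed in the lesson).
SCENARIO_ROLES = {
    "PROCUREMENT": {"Service Representative", "Create Purchase Requisition",
                    "Release Purchase Requisition", "Business Purchaser"},
    "SELF-SERVICES": {"EMPLOYEE"},
    "REPORTING": {"EMPLOYEE"},
}

# Constructed user master records.  KAREN and JOHN follow the lesson; PAT is a
# constructed user whose password has expired.
USERS = {
    "KAREN": UserMaster("KAREN", True, frozenset({"Create Purchase Requisition"})),
    "JOHN": UserMaster("JOHN", True, frozenset({"Service Representative",
                                              "Create Purchase Requisition",
                                              "Release Purchase Requisition"})),
    "PAT": UserMaster("PAT", False, frozenset({"Business Purchaser"})),
}


def system_access(user: UserMaster) -> bool:
    """System access control: may this user log on at all?"""
    return user.password_valid


def is_authorized(user: UserMaster, activity: str) -> bool:
    """Authorization check: does any assigned role grant the activity?"""
    return any(activity in ROLE_ACTIVITIES.get(role, set()) for role in user.roles)


def run_activity(user_id: str, activity: str) -> str:
    """Model the two gates a request passes: logon first, then authorization."""
    user = USERS.get(user_id)
    if user is None:
        return "no user master record"
    if not system_access(user):
        return "logon refused"
    if not is_authorized(user, activity):
        return "not authorized"
    return "ok"


def scenarios_of_role(role: str) -> set:
    """A single role can be involved in several scenarios."""
    return {name for name, roles in SCENARIO_ROLES.items() if role in roles}


def who_can(activity: str) -> set:
    """Administrator's question: which users hold a role granting this activity?"""
    return {u.user_id for u in USERS.values() if is_authorized(u, activity)}


if __name__ == "__main__":
    for uid, act in [("KAREN", "CREATE PURCHASE REQUISITION"),
                     ("KAREN", "RELEASE PURCHASE REQUISITION"),
                     ("JOHN", "RELEASE PURCHASE REQUISITION"),
                     ("PAT", "CREATE PURCHASE ORDER")]:
        print(f"{uid:6} {act:30} -> {run_activity(uid, act)}")
    print("EMPLOYEE appears in:", sorted(scenarios_of_role("EMPLOYEE")))
    print("Can release requisitions:", sorted(who_can("RELEASE PURCHASE REQUISITION")))
```

Note that who_can() reports PAT as holding the ordering role even though PAT cannot log on, which is exactly the distinction the lesson draws between system access and authorization.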


You can use the following two figures to highlight the contents of a role again. Roles are created using transaction PFCG, with the following content:

- Transactions
- Menu
- Authorizations (objects dependent on the menu entry)
- User assignment

These are the four core elements of a role.

Figure 9: Technical Implementation of Roles

To implement roles technically, you must create roles (or composite roles) using the Profile Generator.


A role consists of the following components:

- Role Menu

  The transactions, reports, Web links, and so on in a role are combined into a menu, to which the users of the role are to have access.

- Authorizations

  The authorizations define the access rights for business functions and data.

- User

  To grant the access rights of a role to a user, you must assign the user to the role. You can assign users using either the Profile Generator or user administration.

SAP delivers a large number of predefined roles with SAP systems. Customers can use these roles as templates and customize them to meet their individual requirements. You can use the report RSUSR070 to display all the role templates that are supplied by SAP.

Graphical representation of a role (with menu) in an SAP system. This menu can also be hidden. For more options for hiding and showing, choose Extras → Administration Information on the initial menu screen. Provide this information to the participants.

Figure 10: SAP Easy Access - User-Specific Menus

SAP systems support the setup of user-friendly personal user menus.


When creating the roles, the system administrator specifies the required functions including their descriptions. The descriptive text can be changed, and is therefore freely definable.

Once a user has been assigned a particular role (with menu), the appropriate personal user menu is automatically displayed when the user logs on to the system. The menu is based on the assigned activities.

In addition to the functions preset by the administrator, users can choose their own "Favorites". There are two ways to do this: Users can drag the desired function with the mouse into the relevant menu area, or they can select the transaction and then choose "Add to Favorites" to add the function to their list of favorites.

If the user calls a transaction, the personal menu is hidden so that the entire screen can be used for transaction processing. If the user quits the transaction or opens a new session, the menu is shown in the foreground again.


Facilitated Discussion

You should prompt the participants to become involved in discussion to avoid the course becoming a monologue over three days. This should relax the atmosphere between the instructor and the participants, which is usually reserved to begin with.

There is a round of introductions in most SAP courses. However, not all participants appreciate this, since it takes up a lot of important course time. You should decide yourself whether you think this is useful. We recommend that you do not do this with large groups. However, to obtain a general impression about the previous knowledge of the participants, you can use additional questions during the discussion to find out about the knowledge and wishes of the participants. Examples of questions are:

- Who is familiar with transaction PFCG?
- What are the experiences of participants familiar with the transaction?
- Which area do you work in (FI, CO, MM, HR, CRM, APO, BW, and so on)?
- Are you familiar with CUA or portals? Do you use these?

Discussion Questions

Use the following questions to engage the participants in the discussion. Feel free to use your own additional questions.

What are authorizations?

Why are authorizations used?

What are the elements of a role?

What does SAP mean by role-based authorization concept?

Who already uses or is implementing this?

What advantages does the use of roles provide?

What is access control?

Which steps are necessary for a user menu to be displayed for a user?


Unit 1: Authorizations in General ADM940

Lesson Summary

You should now be able to:
- Describe the SAP authorization concept as part of a comprehensive security concept
- Explain the access control mechanisms
- Explain how users, roles and authorizations are related
- Describe the technical implementation of a role-based authorization concept


Lesson: Creating and Implementing an Authorization Concept
Lesson Duration: 105 Minutes

Lesson Overview

This lesson will present a possible method for introducing an authorization concept in a company. The methodology used here to implement a role and authorization concept consists of five steps (preparation, analysis and conception, implementation, quality assurance and test, and cutover), which will be described in more detail in this lesson. User and authorization administration are defined, specified, and implemented in parallel to these five steps.

Lesson Objectives

After completing this lesson, you will be able to:
- Explain the structure of an authorization concept
- List the steps required to implement a concept
- Describe the activities for the individual implementation steps
- Use the presented procedure model for implementing an authorization concept for your own projects
- Explain the strategy for user and authorization administration

As the instructor, it is your task in this lesson to provide the participants with a method with which they can plan and implement an authorization concept in a company.

When doing so, you should emphasize that it is not only the people who must create a new concept that are being addressed here.

In comparison to new customers, it is often much more difficult for those new to authorizations to understand an existing concept and to create their own method for their daily work. Concepts that have developed over the course of years are often badly structured, and seldom comprehensible.

Business Example

Before going live, your company wants to implement an authorization concept. The steps required to realize the authorization concept must be planned in the context of the entire implementation process. During the planning phase you want to estimate the time and personnel resources needed.


Development of an Authorization Concept

The method used in the next figure is based on VSAP/ASAP. It is therefore advantageous if you know the method and can describe the procedure in your own words.

It is always very difficult for beginners to find a thread to follow. They often do not know where and with what they should begin, or what the next step is. It is for exactly this reason that the VSAP method is used as the basis.

Caution:
Avoid using the name VSAP/ASAP during your presentation, since this product is no longer delivered. However, the basic idea behind the method is no less useful because of this.

If a customer enquires about a successor product to VSAP, be careful to explain that the Solution Manager does not currently provide any comparable content.

Figure 11: Implementation Methods and Authorizations

The procedure used here is based on the principles of the SAP implementation method. Many consultancy companies use a similar model, usually with their own name. When combined, the individual steps of this method ensure quick and efficient implementation of the SAP system.


Setting up an authorization concept must be planned and implemented step-by-step using a project plan. In the example used here, the project was divided into five key points at the uppermost level (these are often also called phases):

- Project Preparation

Inclusion of all relevant decision-makers for the SAP implementation and selection of the internal and external members of the project team.

- Business Blueprint

The business requirements of the implementing company are determined. The Business Blueprint is a visual representation of the status of the company which is to be realized in the SAP implementation. All business processes are analyzed and described here. This is the basis for the later authorization concept.

- Implementation

Configuration and fine tuning of the SAP system. The business processes created and described in the previous phase are the starting point for the implementation of the roles.

- Final Preparation

Testing of all interfaces, training of users, migration of business data into the SAP system.

- Go Live & Support

Start of SAP production operation, specification of procedures and measurement items for ongoing checking of the benefits of the investment in the SAP system.

With the next figure, use keywords to outline the activities that are required to introduce a role and authorization concept. Explain also that user and authorization administration is defined in parallel to these activities. Call the URL www.saplabs.com/auth.


Figure 12: Role and Authorization Concept: Steps

To fulfill a certain task, the employee responsible must normally use several applications. The transactions and reports used for a business activity can be combined into roles.

It is important that users can only process those tasks that they are authorized to perform, and are prevented from making unintentional or incorrect changes in system areas which are outside their competence. Since all SAP components use authorizations to control access to their functions, administrators only assign those authorizations to each role that are necessary to perform the role-specific tasks.

Besides authorizations, a role comprises the user menu specifications. When a user logs on to an SAP system, the system displays a user-specific menu, with selected transactions, reports, and Internet links in the form of a tree structure. This menu is based on the assigned role. Users can only access transactions and reports that they are authorized to use. This eliminates unnecessary functions from the navigation structure.

When developing the role and authorization concept, the challenge is to coordinate business requirements at a cross-department level and protect sensitive data against potential dangers.

This is why we recommend that you develop the role and authorization concept as a separate project. You should follow the procedure explained in this training course and use the demonstrated method for orientation.

An Authorization Concept Is Developed Step-by-Step

Step 1: Preparation


It is important that you explain the importance of preparation to the participants with the next figure. ALL contacts from user departments should be informed about the project during the initial discussions. If cooperation is later required from a department that was not informed, it often creates obstacles, and therefore slows down further implementation.

Figure 13: Step 1: Preparation

Set up a team responsible for the specification and implementation of the user roles and the authorization concept.

Identify the business areas affected and their special security requirements. Like the control mechanisms selected, these can vary from area to area. Normally, the security requirements of the Human Resources department are more demanding than those of other departments. Therefore you must first determine the desired security level.

Hint:
Consider the different security requirements for production, test and development environments. Also bear in mind that user roles often need to access multiple systems and may therefore require different functions and authorizations depending on the system.

Train the team for roles and authorizations with regard to specification and implementation topics.


The team members must be familiar with the basic principles of the SAP authorization concept and the available control and administration tools (such as central user administration). The members responsible for implementation must be able to use the Profile Generator.

Since the role and authorization project requires the cooperation of various business areas and departments, SAP recommends that you inform the responsible employees of the project targets set and establish communication channels at an early stage to ensure efficient handling.

Point out again that the complexity of an authorization concept requires teamwork. Input from the user departments is required to define the roles.

The members of the project team have the following tasks:

- Creating the role descriptions
- Implementing the roles
- Testing the roles

Revision should also be included during quality control.

Figure 14: Working Party for Roles and Authorizations


When developing the role and authorization concept, the challenge is to coordinate business requirements at a cross-department level and protect sensitive data against potential dangers.

While user roles and the authorization concept are specified with the cooperation of the individual business areas, they are normally implemented by the IT department. This is why you must set up a cross-area and cross-department project team.

The team members have the following tasks:

- Create SAP-dependent role descriptions in the "Analysis & Conception" step.
- Cooperate with the IT department during implementation.
- Set up and run through test scenarios.

To ensure that both the authorization concept and the procedures for user administration and authorization management comply with the control regulations of the company, the internal invoice verification department must be involved in the authorization project at an early stage.

Step 2: Analysis & Conception

Hint:
This is an internal note; do not pass this information on to the customers.

VSAP and ASAP are replaced by the Solution Manager with SAP R/3 Enterprise 4.7. However, it no longer provides any information for an authorization concept. It is no longer possible to create and use authorization lists.

Demonstrate to the participants how you can create a Microsoft Excel list for the authorization concept in the system itself. To do this, read the area menu S000 (SAP menu) using transaction SE43 and demonstrate how you can save this as a local file by choosing the menu path System → List ...


Figure 15: Step 2: Analysis & Conception

Specification of the role and authorization concept:

- Identify required roles. Determine task profiles based on the organization chart and a business process analysis. Check if SAP role templates can be used.
- Specify relevant application functions (transactions, reports, Web links) for the roles. Make any required adjustments if role templates are used.
- Specify if the roles are higher-level roles or specific roles; that is, if they are subject to any restrictions resulting from organizational or application-specific control mechanisms.
- Identify required composite and individual roles for implementing the roles and the authorization concept.

Check the role and authorization concept. To detect any shortcomings in conception before actual implementation, SAP recommends that you create a prototype of the concept.


Use the next figure to clarify the basic principles of the role-based authorization concept again.

Specification of the role and authorization concept:

- Determine contents of the roles (resources: organizational plan, process chains, job roles, delivered SAP roles)
- Design the roles (include required transactions, reports, and Web links)
- Define the restrictions with regard to enterprise requirements (such as company code, plant, and so on)
- Determine the type of role to be implemented

Figure 16: Technical Conception: Role Implementation (1)

User roles are technically implemented using individual, composite, and derived roles. Based on the transactions and reports selected for each role, the Profile Generator automatically determines all authorization objects required for performing the functions specified, and creates the corresponding authorization profile.


Using individual, composite, and derived roles, you can model the role structure in two ways:

- You can model each role as an individual role that contains all required functions. If some functions are used unchanged in multiple roles, the associated transactions and reports are contained in several individual roles. If general function modifications are required, this consequently affects several individual roles.

- Alternatively, you can model each role as a composite role consisting of individual and derived roles. In this case, the individual and derived roles represent activity blocks, that is, groups of interrelated functions (for example: all functions needed for a specific business scenario). Since individual and derived roles contain encapsulated functions, they can be used in multiple or composite roles. The advantage of this approach is that multiple access to transactions used in several individual roles is avoided. Therefore, organizational or process-related modifications that affect several user roles can be applied by adjusting a single role.

Use the next three figures to explain the development of a concept again.

- Listing of all transactions that are used in a company
- Allocating transactions and processes to the job roles
- Grouping of frequently used elements

The result is called "roles".

Figure 17: Analysis: Determine user roles


Step 2 "Business Blueprint for the Implementation Project" is used to analyze and determine the scope of the implementation. When creating the Business Blueprint, you determine which processes are to be implemented in the context of the implementation.

The result of all used and mappable business processes in the SAP system is, in this example, saved as a Microsoft Excel list.

The user roles are created and completed in this authorization list. A similar list can also be generated in the SAP system. In this case, the list is component-oriented, and not process-oriented as in our example.

Demonstrate for the participants the way in which you can generate a component-oriented list in the SAP system.

- T Code: SSM2, which menu is the standard menu in the system?
- T Code: SE43, call and display the standard menu
- Display the transaction codes by choosing the appropriate entry from the Additional Information menu
- Expand the desired areas
- Save the list to a file, such as *.xls

SAP systems are delivered with a number of role templates in which the associated application functions (transactions and reports), the user menu and the authorization data are predefined. These templates can be used as a basis for analyzing and developing the company-specific roles and the authorization concept.

Hint:
These roles begin with SAP_* and the profiles for these roles have not yet been generated. They are only intended as templates with examples for the authorization setting.


Figure 18: Conception: Complete User Roles (1)

The authorization list is a Microsoft Excel table that helps the project team to model the user roles before they are implemented in the SAP system. Using this list, the roles can be developed before the system is installed.

In the authorization list, you create user roles and specify the associated transactions. In this example, it consists of two worksheets:

- Sheet 1: Process View (Roles Design - Scope)

The structure shows the business processes that were selected during the analysis and conception of the enterprise. The job roles and user roles are specified and linked with the processes here.

- Sheet 2: Transaction Overview for each Role (T Code for each Role)

You can generate an overview of the transaction assignments for each role in the transaction overview (after the modeling on sheet 1).

You can see block formation of the role contents in the next figure.

Hint:
With this figure, remind the participants that the role formation does not depend on the repeatedly used transactions, but rather on the enterprise requirements. This is also described in the note under the figure.


Figure 19: Conception: Complete User Roles (2)

Modeling the role structure: Analyze the authorization list and determine the areas in which access to several transactions is needed. Activity blocks such as this can be created as roles.

To simplify implementation, you can subsequently modify roles during the technical conception phase, for example, by choosing additional functions to use activity blocks already defined.

Hint:
Note that access to the same transactions and reports is not a sufficient criterion for the existence of an activity block. Since authorizations may vary even at field level, you must implement the different variants of individual activity blocks as separate or derived roles.

You can use the next figure to explain another approach: the composite role.

Roles can be technically implemented in composite roles (such as job roles). Composite roles contain multiple single roles, which contain logically related transactions, known as activity blocks. Aim: To use single roles in the form of a building block principle. In turn, these encapsulate functions in composite roles as reusable modules (such as accounts payable accountant).


Figure 20: Technical Conception: Role Implementation (2)

During the first conception and implementation approach, individual functions are encapsulated in separate roles (for example, the Basis authorizations of the end-users).

From a technical point of view, all elements of the authorization concept must be assigned a unique identifier. This is why you must define individual naming conventions for all role types.

The following text addresses the naming conventions for roles for the first time. You can reach ahead somewhat (this actually belongs to the "PFCG" topic) and mention here that:

- Role names are not language-dependent
- There are 30 characters available
- The names must not begin with SAP

You can define naming conventions based on different criteria, for example, country, business area (FI, CO, and so on), or application component (FI-AP, CO-PA, and so on).

If you want to decentralize user and authorization management, the naming conventions are also required for administrative purposes. In this case, the access rights of the decentralized administrators should be limited to those (composite) roles that belong to a specific business area and thus apply only to a restricted namespace.


Since roles are divided into individual and derived roles, the user roles created in this step may be different from the original specification defined during the development phase. For example, the roles may contain more or fewer activities (transactions and reports). This is why you must check that the roles have been properly defined before implementation.

SAP recommends that you carry out a test implementation of the user roles and authorization concept in order to check the technical conception.

Step 3: Implementation

Transaction "PFCG" (Role Maintenance) is used during the implementation. The authorizations should not be set using "manual profiles".

Ask the participants:

Do you know all of the authorization objects or authorization fields that are checked during the check for a particular transaction?

Figure 21: Step 3: Implementation

From a technical point of view, user roles (job roles) can be implemented as composite roles using the Profile Generator. Composite roles consist of individual and composite roles that each contain the relevant authorizations and menu data. Authorizations specify the scope of access to data and functions. User menus use hierarchical structures to specify the access path to the transactions, reports and Internet pages released for a specific user.


An example of how you create user roles:

- Create individual roles: Individual roles either describe higher-level functions that are independent of organizational or application-specific restrictions or are used as templates for creating derived roles that are not subject to any restrictions.
- Having checked the individual roles used as the derivation basis, you create the derived roles. These contain the desired organizational or application-specific restrictions. For each responsibility area, you create a derived role from an existing individual role.
- Finally, the composite roles are created from the implemented individual and derived roles as the technical counterparts of the user roles.

Step 4: Quality Assurance & Tests

To ensure that productive operation is not affected, it is important to thoroughly test the user roles in connection with the authorizations before you switch over to production. In addition, the responsible area manager must approve of the role and authorization concept implemented.

Explain the need for testing again.

The following should be checked during the tests (see also the text below the figure):

- Check whether all assigned values can also be called
- Check the unassigned values to see whether they interrupt the program flow

Tip: If the customers finish the implementation of the authorization concept before the end user training, this can be used to perform an additional test.


Figure 22: Step 4: Quality Assurance & Tests

To standardize the tests, the relevant process flows must be determined and published. You should use predefined test scenarios that cover all business processes implemented.

The test scenarios should include both positive and negative checks of the authorizations of the individual roles. The positive test checks whether the functions are executed as desired, while the negative test must confirm that all restrictions defined are observed. For example, a human resources administrator can display the users for a specific work center, but not the records for other work centers. The test scenarios must cover all functions that are to be performed by a user role.

If a function cannot be called during the test, you must correct the user roles and the authorization concept. Note that changes may affect several (derived) roles. In extreme cases, you must revise the entire role and authorization concept.

You may also be required to modify the user menus in order to simplify access to the functions. To ensure that the system becomes more user-friendly, the project team responsible should closely cooperate with the representatives of the relevant business areas.

After fine-tuning the user roles, you must repeat the tests as often as necessary until the user roles implemented completely comply with the security and usability requirements.
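The role structure from Step 3 (individual roles as derivation templates, derived roles carrying the organizational restriction, composite roles as the technical job roles) and the positive and negative test scenarios from Step 4, worked through as an added example in Python. It is not code from the course or from SAP: the role names, the company-code values (field BUKRS), the user assignment and the scenarios are constructed; the transaction codes are standard SAP codes used only as menu entries.

```python
from dataclasses import dataclass, field

# Added example: single, derived and composite roles, an authorization check
# over them, and a positive/negative test-scenario runner. Role names, company
# codes and scenarios are constructed for illustration.
FULL = "*"  # full authorization for an organizational field


@dataclass
class SingleRole:
    """Activity block: a menu of transactions plus organizational values."""
    name: str
    tcodes: set
    org_levels: dict = field(default_factory=dict)  # field -> set of values


@dataclass
class DerivedRole:
    """Variant of a single role: same menu, its own organizational restriction."""
    name: str
    parent: SingleRole
    org_levels: dict

    @property
    def tcodes(self):
        # The menu is inherited, so a change to the parent reaches every
        # derived role without adjusting each one individually.
        return self.parent.tcodes


@dataclass
class CompositeRole:
    """Job role: a bundle of single and derived roles."""
    name: str
    members: list


def activity_blocks(roles):
    """Flatten a user's role assignment into the single/derived roles granted."""
    blocks = []
    for role in roles:
        blocks.extend(role.members if isinstance(role, CompositeRole) else [role])
    return blocks


def is_authorized(roles, tcode, **org):
    """Some role must contain the transaction and cover every requested
    organizational value; a field that is not maintained never matches."""
    for block in activity_blocks(roles):
        if tcode not in block.tcodes:
            continue
        values = block.org_levels
        if all(org[f] in values.get(f, set()) or FULL in values.get(f, set())
               for f in org):
            return True
    return False


def run_test_scenarios(roles, scenarios):
    """scenarios: (description, tcode, org values, expected). Positive cases
    expect True; negative cases expect the restriction to hold (False).
    Returns the descriptions of the scenarios that failed."""
    return [desc for desc, tcode, org, expected in scenarios
            if is_authorized(roles, tcode, **org) != expected]


def build_example():
    """Constructed case: accounts payable clerk restricted to company code 1000."""
    ap_base = SingleRole("Z_FI_AP_BASE", {"FB60", "FB65", "FBL1N"},
                         {"BUKRS": {FULL}})  # derivation template, not assigned
    ap_1000 = DerivedRole("Z_FI_AP_1000", ap_base, {"BUKRS": {"1000"}})
    basis = SingleRole("Z_BC_ENDUSER", {"SU3", "SP02"})  # no org restriction
    job = CompositeRole("Z_JOB_AP_CLERK_1000", [ap_1000, basis])
    return {"ap_base": ap_base, "ap_1000": ap_1000, "job": job}


EXAMPLE_SCENARIOS = [
    ("post vendor invoice in own company code", "FB60", {"BUKRS": "1000"}, True),
    ("own user settings, no org restriction", "SU3", {}, True),
    ("no posting in a foreign company code", "FB60", {"BUKRS": "2000"}, False),
    ("role maintenance is not in a clerk role", "PFCG", {}, False),
]


def derivation_propagates(ex, tcode="FK03"):
    """Extend the template single role; the derived role follows automatically.
    Returns (authorized before, authorized after)."""
    before = is_authorized([ex["job"]], tcode, BUKRS="1000")
    ex["ap_base"].tcodes.add(tcode)
    after = is_authorized([ex["job"]], tcode, BUKRS="1000")
    return before, after


if __name__ == "__main__":
    ex = build_example()
    print("failed scenarios:", run_test_scenarios([ex["job"]], EXAMPLE_SCENARIOS))
    print("FK03 before/after extending the template:", derivation_propagates(ex))
```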

Step 5: Cutover

Before you create the production users, you must create the master records for user management in your production environment, and possibly configure central user management.


The work of the administrators is not complete with cutover. There is a significant amount of work for them to do at this stage. Describe the tasks:

- Setting up the production environment (possibly Central User Administration)
- Creating user master records, using sample users as templates
- With the agreement of the area managers, assigning the roles to the relevant users
- Providing the data required for access to the end users

Figure 23: Step 5: Cutover

To simplify the creation of the individual user master records, you first create model records. These model records are used as copy templates for the records of the productive users. In the central system, create a user master record for each role specified in the company-wide role matrix (authorization list). If a role is subdivided into several responsibility areas that are subject to organizational restrictions (company code, cost center, plant, and so on) or application-specific control mechanisms (such as FI authorization groups), you must create a separate record for each responsibility area. Maintain the additional data (parameters, printers, and so on).

After consulting the area managers (data owners), define the roles for each user. Consider that some users may have several roles or different roles in various logical systems (clients). Enter the assignments in a user and role matrix.

To create a master record for a user, you copy the model record for the relevant role and customize this record as required.


Get the final approval of the area managers with regard to the users created and communicate all access-relevant data (system, client, ID, and password) to the end users.

Implementing User and Authorization Administration

Explain the decisions that are necessary for user and authorization administration:

- Is Central User Administration to be set up? List advantages and disadvantages.
- Who is to administer the users?

Figure 24: Strategy for User and Authorization Administration

The SAP environment offers various possibilities for managing users. Users distributed in a far-reaching system landscape can be managed from within a central system: All users are initially created in a central logical system (client) and then distributed to the other clients of the entire installation.

Before you set up a central user management, you must determine which processes (for example, assigning or locking roles) can be run locally, and if modifications made in local systems (for example, address changes) should be passed on to the central system. Consistent central user management can be set up for such different SAP systems as SAP R/3, APO, and CRM.

After the role and authorization concept is implemented, the members of the project team are normally no longer responsible for managing users and authorizations. Depending on how the tasks are distributed in the company, the users are managed either centrally (for example, using a help desk) or on a decentralized basis (by local location or department administrators). You must assign and train employees for this purpose.

Make the following basic statement: "Auditability requires that it is not possible for one administrator to do everything." Explain the organization of user and authorization administration. Mention the principles of dual and treble control.

- Distribution of tasks between multiple user administrators
- Determine an administrator on site
- Utilization of user groups

This depends, of course, on the requirements and circumstances of the company.

Figure 25: Organization of User and Authorization Administration

The tasks of the authorization administrators include creating, activating, changing, deleting, and transporting roles.

User administrators deal with setting up, changing, deleting, locking, and monitoring users and assigning passwords and authorizations.

The user and authorization management tasks should be distributed among several administrators (for example, separate user, authorization data, and profile administrators). By dividing the tasks, you ensure that no single administrator gets full control of user authorizations ("dual control principle").


By assigning the user maintenance tasks to local administrators that represent individual departments or locations, you can even further decentralize user and authorization management. Having an administrator on site can also be desirable since first-time users accessing the system often need to be introduced to their task-specific user role. In addition, decentralized administrators are useful for reporting since they know to whom the user IDs refer.

From a technical point of view, decentralization is achieved by subdividing the users into user groups and limiting the rights of the local administrators with regard to the assignment of authorizations. Decentralized administrators may only maintain the users of the group that has been assigned to them. In addition, decentralized administrators should only be allowed to assign authorizations that are required in their department or at their site in accordance with the naming conventions of user roles.
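The naming conventions from the technical conception (30 characters, no SAP prefix, business area as a naming criterion) and the administration rules above (dual control between user, authorization data and profile administrators; user groups and a restricted role namespace for decentralized administrators), as an added review script in Python that is not part of the course material. The Z_<area>_<description> convention, the administrator IDs, the user groups and the assignment requests are constructed assumptions, not SAP-delivered settings.

```python
import re
from dataclasses import dataclass

# Added example: review checks for role naming conventions and for the
# organization of user and authorization administration. The naming pattern
# Z_<business area>_<description>, administrator IDs and user groups are
# constructed assumptions.
MAX_ROLE_NAME_LENGTH = 30
ROLE_NAME_PATTERN = re.compile(r"^Z_(?P<area>[A-Z]{2,4})_[A-Z0-9_]+$")

# The three administrator types named in the lesson.
ADMIN_TASKS = frozenset({"user", "authorization_data", "profile"})


def check_role_name(name):
    """Return the list of convention violations for a role name (empty = ok)."""
    problems = []
    if len(name) > MAX_ROLE_NAME_LENGTH:
        problems.append("longer than 30 characters")
    if name.upper().startswith("SAP"):
        problems.append("SAP prefix is reserved for delivered templates")
    if not ROLE_NAME_PATTERN.match(name):
        problems.append("does not follow Z_<area>_<description>")
    return problems


def business_area(name):
    """Business area encoded in the role name, or None if not conventional."""
    m = ROLE_NAME_PATTERN.match(name)
    return m.group("area") if m else None


def dual_control_violations(admin_tasks):
    """admin_tasks: administrator ID -> tasks held. Flags every administrator
    who holds all three tasks and could therefore act alone end to end."""
    return sorted(a for a, tasks in admin_tasks.items() if ADMIN_TASKS <= set(tasks))


@dataclass(frozen=True)
class LocalAdmin:
    """Decentralized administrator: permitted user groups and role namespace."""
    admin_id: str
    user_groups: frozenset
    areas: frozenset  # business areas whose roles may be assigned


def review_assignments(admin, requests):
    """requests: (user ID, user group, role name). Returns the requests the
    local administrator must not carry out, each with the reason."""
    rejected = []
    for user, group, role in requests:
        if group not in admin.user_groups:
            rejected.append((user, role, "user group not assigned to administrator"))
        elif business_area(role) not in admin.areas:
            rejected.append((user, role, "role outside administrator's namespace"))
    return rejected


# Constructed sample data.
SAMPLE_ADMIN_TASKS = {
    "ADM_CENTRAL": {"user", "authorization_data", "profile"},  # no dual control
    "ADM_USER_01": {"user"},
    "ADM_AUTH_01": {"authorization_data", "profile"},
}
FI_LOCAL_ADMIN = LocalAdmin("ADM_FI_LOCAL", frozenset({"FI_MUNICH"}), frozenset({"FI"}))
SAMPLE_REQUESTS = [
    ("USER01", "FI_MUNICH", "Z_FI_AP_CLERK_1000"),  # allowed
    ("USER02", "FI_MUNICH", "Z_BC_ENDUSER"),        # Basis role, wrong namespace
    ("USER03", "HR_MUNICH", "Z_FI_AP_CLERK_1000"),  # user group not the admin's
]

if __name__ == "__main__":
    for name in ("Z_FI_AP_CLERK_1000", "SAP_FI_AP_CLERK", "Z_FI_" + "X" * 30):
        print(name, check_role_name(name))
    print("dual control violated by:", dual_control_violations(SAMPLE_ADMIN_TASKS))
    print("rejected requests:", review_assignments(FI_LOCAL_ADMIN, SAMPLE_REQUESTS))
```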

Before the participants start the exercises, you should briefly summarize and describe the tasks to be performed. To avoid errors during the exercise, demonstrate calling up the Microsoft Excel list. It is also important here that each group sets the macro security to low locally, and saves the file on their own computer. To ensure that participants are aware of this, these notes are also included in the exercise description.


Exercise 1: Creating and Implementing an Authorization Concept
Exercise Duration: 45 Minutes

Exercise Objectives

After completing this exercise, you will be able to:
- Describe the individual worksheets of the authorization list
- Define roles in the authorization list
- Assign transactions to these roles
- Group transactions
- Generate an overview of the roles with the relevant transactions

Business Example

This exercise should provide you with a brief impression of how you can create, structure, and usefully implement a new authorization concept in a company. A prepared Microsoft Excel list is provided for this purpose. It allows you to divide the user tasks into small reusable blocks (roles).

System Data

System: These SAP systems change weekly. Training administration will provide you with the exact ID of your SAP R/3 Enterprise system.

Client: The training courses are held in the 8xx clients; training administration will provide you with the exact numbers. One of the clients is set up as the central system.

User ID: The user IDs for SAP courses should have a uniform structure. The IDs contain the course ID and a two-digit group number. For example, for the ADM940 course: User ID "ADM940-##". At the start of the course, the instructor creates the users using transaction "ZUSR" and the template "ADM940-MODEL". The participants receive the required roles and authorizations for the exercises through the template.

Password: The instructor can set a uniform password for the users when creating them (such as "ADM940"). Training administration will inform you of the instructor password for access to the system.

Set up instructions:

1. Check the availability of the Microsoft Excel list for task 1 in the training system. No additional settings are required.


Task 1:
Open the Excel file AL-ADM940.XLS, which you can find in the Shared Folders, and answer the following questions.

The Shared Folders are in the Business Workplace.

Menu Path: SAP Menu → Office → Workplace → Shared Folders → ADM940: Authorization Concept → AL-ADM940.XLS.

Double click the Microsoft Excel file to open it. If a dialog box appears, choose Enable Macros.

Then choose the menu path Tools → Macro → Security and select the security level Low. Save your settings.

Save the Microsoft Excel file on your hard disk (for example, in the directory C:\Temp) under the name AL-ADM940-##. Close the file (not Microsoft Excel). If you now reopen the file (AL-ADM940-##) in Microsoft Excel, all macro functions are available.

1. Which master data is used by the company at Scenario Level, and should be used in the job roles (Level 3)?

Master data for

_________________________ and _________________________

2. Which business processes (Level 5) should be taken into account for assigning authorizations and were included in the Microsoft Excel list?

______________________________________________________

______________________________________________________

______________________________________________________

______________________________________________________

3. Which transaction codes were copied for the business process sales order processing?

____________________

____________________

____________________

____________________


Task 2:
Define roles for the enterprise areas:

- Financial Accounting (FI)

- Sales and Distribution (SD)

- Materials Management (MM)

and assign transactions to these roles.

1. FI

Create the role for an Accounts Receivable Accountant (AccRec, FI). To do this, enter FI in the column header for Enterprise area and AccRec as role name on the Roles Design worksheet.

Assign all transactions of the Manual Incoming Payments business process to the accounts receivable accountant by placing an "x" for these transactions in the AccRec column. The accounts receivable accountant should also be able to maintain the accounting views of the accounts receivable master.

What does maintain mean? Discuss this term with your neighbor and consider opinions and points of view.

2. SD

Define a role for a Sales and Distribution clerk (SDClerk, SD), and assign all transactions of the Sales Order Processing (Standard) business process as well as transactions for overall maintenance of the SD views of the accounts receivable master records to this role.

3. SD

Define a role for the Sales and Distribution manager (SDMan, SD), and assign all transactions of the Sales Order Processing (Standard) business process as well as transactions for overall maintenance of all (accounting and sales and distribution) views of the accounts receivable master to this role.

4. MM

Define a role for a Warehouse Supervisor (Whouse) for the MM enterprise area. Assign the transactions of the Goods Receipt Processing business process to this role.

5. Add transactions MM03, MM04, and MM19 for displaying material master data to all roles.


Task 3:

1. Switch to the Microsoft Excel list on the second worksheet T Codes for each Role. Generate an overview of the transactions and roles by pressing the appropriate button.

How many transactions were chosen for the individual roles:

AccRec ____________ Transactions
SDClerk ____________ Transactions
SDMan ____________ Transactions
Whouse ____________ Transactions

Task 4:
Now combine these transactions into meaningful roles to ensure that these single roles can be reused in several composite roles.

Hint: There are several ways to do this.

Do not worry if your solution is not the same as your neighbor's. The solutions will vary from group to group.

Go back to the first worksheet Roles Design.

1. Combine several transactions into roles in such a way that these single roles can be reused in several composite roles. To do this, you can color code the roles or draw a border around them.

2. Give the roles meaningful names and enter the associated transactions in the following table. Compare the names that you have given the roles with the suggestions in the solution.

Name of the Role Transactions for this Role


Solution 1: Creating and Implementing an Authorization Concept
Task 1:
Open the Excel file AL-ADM940.XLS, which you can find in the Shared Folders, and answer the following questions.

The Shared Folders are in the Business Workplace.

Menu Path: SAP Menu → Office → Workplace → Shared Folders → ADM940: Authorization Concept → AL-ADM940.XLS.

Double click the Microsoft Excel file to open it. If a dialog box appears, choose Enable Macros.

Then choose the menu path Tools → Macro → Security and select the security level Low. Save your settings.

Save the Microsoft Excel file on your hard disk (for example, in the directory C:\Temp) under the name AL-ADM940-##. Close the file (not Microsoft Excel). If you now reopen the file (AL-ADM940-##) in Microsoft Excel, all macro functions are available.

1. Which master data is used by the company at Scenario Level, and should be used in the job roles (Level 3)?

Master data for

_________________________ and _________________________

a) Master Data/General Master Data for

material master and customer master records

2. Which business processes (Level 5) should be taken into account for assigning authorizations and were included in the Microsoft Excel list?

______________________________________________________

______________________________________________________

______________________________________________________

______________________________________________________

a) Customer Quotation Processing

Sales Order Processing

Goods Receipt Processing

Manual Incoming Payments


3. Which transaction codes were copied for the business process sales order processing?

____________________

____________________

____________________

____________________

a) VA01

   VA02

   VA03

   V.01

Task 2:
Define roles for the enterprise areas:

- Financial Accounting (FI)

- Sales and Distribution (SD)

- Materials Management (MM)

and assign transactions to these roles.

1. FI

Create the role for an Accounts Receivable Accountant (AccRec, FI). To do this, enter FI in the column header for Enterprise area and AccRec as role name on the Roles Design worksheet.

Assign all transactions of the Manual Incoming Payments business process to the accounts receivable accountant by placing an "x" for these transactions in the AccRec column. The accounts receivable accountant should also be able to maintain the accounting views of the accounts receivable master.

What does maintain mean? Discuss this term with your neighbor and consider opinions and points of view.

a) Excel authorization list on the Roles Design worksheet

The following table contains the solutions to exercises 2.1 to 2.5:


Enterprise area >>>     FI       SD        SD       MM
Job Role >>>            AccRec   SDClerk   SDMan    Whouse
SAP R/3 Links: T Code   Scope    Scope     Scope    Scope

MM01
MM02
MM03                    x        x         x        x
MM19                    x        x         x        x
MM04                    x        x         x        x
FD01                    x                  x
FD02                    x                  x
FD03                    x                  x
VD01                             x         x
VD02                             x         x
VD03                             x         x
VA21                             x         x
VA22                             x         x
VA23                             x         x
VA25                             x         x
VA01                             x         x
VA02                             x         x
VA03                             x         x
V.01                             x         x
MB1C                                                x
MB90                                                x
VL21                                                x
F-18                    x
F-26                    x
F-28                    x

Sample Authorization Concept (job role)

2. SD

Define a role for a Sales and Distribution clerk (SDClerk, SD), and assign all transactions of the Sales Order Processing (Standard) business process as well as transactions for overall maintenance of the SD views of the accounts receivable master records to this role.

a) See solution 2.1

3. SD

Define a role for the Sales and Distribution manager (SDMan, SD), and assign all transactions of the Sales Order Processing (Standard) business process as well as transactions for overall maintenance of all (accounting and sales and distribution) views of the accounts receivable master to this role.

a) See solution 2.1

4. MM

Define a role for a Warehouse Supervisor (Whouse) for the MM enterprise area. Assign the transactions of the Goods Receipt Processing business process to this role.

a) See solution 2.1

5. Add transactions MM03, MM04, and MM19 for displaying material master data to all roles.

a) See solution 2.1


Task 3:

1. Switch to the Microsoft Excel list on the second worksheet T Codes for each Role. Generate an overview of the transactions and roles by pressing the appropriate button.

How many transactions were chosen for the individual roles:

AccRec ____________ Transactions
SDClerk ____________ Transactions
SDMan ____________ Transactions
Whouse ____________ Transactions

a) The button for generating an overview of transactions and roles is in cell A4 on the second worksheet T Codes for each Role.

AccRec 9 Transactions
SDClerk 14 Transactions
SDMan 17 Transactions
Whouse 6 Transactions

Task 4:
Now combine these transactions into meaningful roles to ensure that these single roles can be reused in several composite roles.

Hint: There are several ways to do this.

Do not worry if your solution is not the same as your neighbor's. The solutions will vary from group to group.

Go back to the first worksheet Roles Design.

1. Combine several transactions into roles in such a way that these single roles can be reused in several composite roles. To do this, you can color code the roles or draw a border around them.

a) There are several solutions to this task.

Model solution as a sample authorization concept:

See the next page or exercise 1 for the unit Working with the Profile Generator 1.


2. Give the roles meaningful names and enter the associated transactions in the following table. Compare the names that you have given the roles with the suggestions in the solution.

Name of the Role Transactions for this Role

a) The following table shows the role names in accordance with the example authorization concept, which you will use in later exercises. The example authorization concept is then shown graphically.

Name of the Role        Transactions for this Role
GR##_MM_MAT_ANZ         MM03, MM04, MM19
GR##_FI_ACCREC_MAINT    FD01, FD02, FD03
GR##_SD_CUST_MAINT      VD01, VD02, VD03
GR##_SD_SALES           VA21, VA22, VA23, VA25, VA01, VA02, VA03, V.01
GR##_MM_IM_POST         MB1C, MB90, VL21
GR##_FI_IP_POST         F-18, F-26, F-28

Sample Authorization Concept (role distribution)


Lesson Summary

You should now be able to:
• Explain the structure of an authorization concept
• List the steps required to implement a concept
• Describe the activities for the individual implementation steps
• Use the presented procedure model for implementing an authorization concept for your own projects
• Explain the strategy for user and authorization administration


Unit Summary
You should now be able to:
• Describe the SAP authorization concept as part of a comprehensive security concept
• Explain the access control mechanisms
• Explain how users, roles and authorizations are related
• Describe the technical implementation of a role-based authorization concept
• Explain the structure of an authorization concept
• List the steps required to implement a concept
• Describe the activities for the individual implementation steps
• Use the presented procedure model for implementing an authorization concept for your own projects
• Explain the strategy for user and authorization administration


Unit 2 Basic Terminology of Authorizations

This unit describes the basic terminology of authorizations. It is divided into:

• Elements and Terminology of the SAP Authorization Concept
• Authorization Checks in the SAP System

The first part allows you to begin working with the terms and the relationships between authorizations, objects, profiles, and so on. At the end of this unit, every participant should have an image of the authorization concept, and be able to explain its meaning and use. To round off this knowledge, lesson 2 introduces the authorization check in the SAP system.

Unit Overview
This unit uses two lessons to provide an introduction to the basic terms of authorization and the main authorization check in the SAP system. The relationships between the authorization terms are explained step-by-step and form a good basis for all subsequent units.

Unit Objectives
After completing this unit, you will be able to:

• Describe and differentiate between the individual elements of the authorization concept
• Describe the relationships between the elements in the overall concept
• Explain the differences between roles and authorization profiles
• Find out the meaning of an authorization object
• Explain the relationship between roles and the Easy Access Menu
• Explain when authorization checks are performed
• Describe the difference between the authorization check when a transaction is started and the authorization check performed by a program

• Define the function of the user buffer and evaluate the buffered user authorizations
• Control some additional checks without "modifying" the system

Unit Contents
Lesson: Elements and Terminology of the SAP R/3 Authorization Concept ..... 55
Exercise 2: Elements and Terminology of the Authorization Concept ..... 67
Lesson: Authorization Checks in the SAP System ..... 79
Exercise 3: Authorization Checks in the SAP System ..... 85


Lesson: Elements and Terminology of the SAP R/3 Authorization Concept
Lesson Duration: 60 Minutes

Lesson Overview
This lesson will provide an overview of the terminology for the SAP authorization concept. The classical terms, such as authorization object, authorization field, authorization, and so on are introduced first. Precisely these terms occur and are used if you use the Profile Generator for authorization concepts using roles (since SAP R/3 4.6C).

Lesson Objectives
After completing this lesson, you will be able to:

• Describe and differentiate between the individual elements of the authorization concept
• Describe the relationships between the elements in the overall concept
• Explain the differences between roles and authorization profiles
• Find out the meaning of an authorization object
• Explain the relationship between roles and the Easy Access Menu

In this lesson, you will explain the terminology of the authorization concept to the participants. After this, every participant should be able to correctly arrange the expressions used and to explain the relationships between them. This knowledge is the basis for all other procedures.

Business Example
The SAP authorization concept prevents unauthorized access to the system and to data and objects within the system. Users that are to perform specific functions in the SAP system need a user master record with the relevant authorizations.


Overview of the Terms and Elements in the Authorization Concept

Work out the figure below with the participants.

Try to use questions to the participants to draw up the figure together. An example could be:

• What is in an authorization object of this type?
• What happens with the instances?

Figure 26: Overview of the Elements of the SAP Authorization Concept

Authorization object class: Logical grouping of authorization objects (for example, all authorization objects for object class FI begin with "F_").

Authorization Object: Groups 1 to 10 authorization fields together. These fields are then checked simultaneously (example: F_LFA1_APP, Creditor: Application authorization).

Authorization field: Smallest unit against which a check should be run(ACTVT, BUKRS).

Authorization: An instance of an authorization object, that is, a combination of allowed values for each authorization field of an authorization object.

Authorization profile: Contains instances (authorizations) for different authorization objects.

Role: Is generated using the Profile Generator (transaction PFCG), and allows the automatic generation of an authorization profile. A role describes the activities of an SAP user.


User/User Master Record: Used for logging on to SAP systems and grants restricted access to functions and objects of the SAP system based on authorization profiles.

Naming conventions for customer developments (see SAP Notes 20643 and 16466):

• Authorizations and authorization profiles are Customizing objects and must therefore not be in the customer namespace (Y, Z). They must not contain an underscore in the second position.

• Authorization classes, objects, and fields are development objects and must begin with Y or Z (customer namespace).

Explain the definitions of the terms and clarify the presented terms using an example. Authorization objects are called using the following menu path: Tools → ABAP Workbench → Development → Other Tools → Authorization Objects → Objects or by starting transaction SU21.

Initial access is always made through the authorization object class. You can display the authorization fields by double clicking the authorization object names. Alternatively, you can also display the authorization fields using transaction SU20.

Call the "List of Object Classes" with transaction SU21 and display the content.

1. Tools
2. ABAP Workbench
3. Development
4. Other Tools
5. Authorization Objects
6. Objects

You should also demonstrate transaction SU20, List of Authorization Fields, from the same SAP menu path.


Figure 27: Authorization Fields, Objects, Object Classes

Example:

The authorization fields BUKRS (company code) and ACTVT (activity) are used in the following authorization objects, among others:

• M_RECH_BUK: Authorization to release blocked invoices for specific company codes

• F_BKPF_BUK: Authorization to edit documents for specific company codes.

• F_KNA1_BUK: Authorization to maintain the accounts receivable master record for specific company codes.

Ask the participants why the "ACTVT" field is used so often. Why does this make sense?

Explain the context and use transactions SM30 and SE16 to show the tables in the participant text.

If there is a lot of interest in these tables, you can also show the content of the following structures in the Dictionary (SE11):

• AUTHA: Authorization fields for the application departments (the company code, for example, is found here)

• AUTHB: Authorization fields for SAP Basis (the authorization field Activity, for example, is found there)


In the authorizations for each authorization object, you can specify which activities (such as create, change, display, and so on) may be performed in which company code. Each object has a specific number of allowed activities, which are described in the object documentation.

All possible activities (ACTVT) are stored in table TACT (transaction SM30).

The valid activities for each authorization object can be found in table TACTZ (transaction SE16).

Hint: Every customer can create their own authorization object classes, authorization objects, and authorization fields.

Since it is very important that all participants understand the relationships between instances, objects, profiles, roles, and so on, there is another example of two authorizations at this point. Think of an example of an authorization check. Then combine authorizations "A" and "B" in any way and ask the participants whether an authorization check would be successful or not.

Figure 28: Authorization


Example:

• Authorization "A" allows the user to perform the activities create, change and display in company codes 1000 and 2000.

• Authorization "B" allows the user to perform only the display activity in company codes 1000, 2000, and 3000.

If the user has authorization "A" and authorization "B", they work together. This means that the user can perform the create, change and display activities in company codes 1000 and 2000, but can only perform the display activity in company code 3000.

The next figure clarifies the difference between an authorization and an authorization profile. Show the content of a profile in the system, for example using the role "ADM940_PLUS".

Figure 29: Authorizations and Authorization Profiles

You can define several different authorizations for an authorization object. This means that an authorization object has various instances.


Example: Authorization object F_BKPF_BUK has the following authorizations:

• Work center 1: Authorized to create, change and display documents in company code 2000.

• Work center 2: Authorized to create, change and display documents in company code 1000.

• Work center 3: Authorized to display documents in company code 1000.

You can assign multiple authorizations to a work center. Grouped together, these authorizations are called an authorization profile.

Example: Work center 2 has the following authorization profile:

• Authorization to execute transaction codes F-22, F-27, FB02, and FB03.

• Authorization to create, change and display documents in company code 1000.

• Authorization to create, change and display documents in business area 2000.

• Authorization to create, change and display document items for the accounts receivable account type.

Establish the relationships between all elements of a role, from the activities to the function of the SAP Easy Access Menu (user menu).
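The combination of authorizations "A" and "B" described earlier in this lesson, and the work center 2 profile above, modelled in Python. This is an added example, not SAP or ABAP code: the object and field names (F_BKPF_BUK, S_TCODE, ACTVT, BUKRS, TCD) and the activity codes 01/02/03 are SAP's, while the profile names and the assumption that "A" and "B" are instances of F_BKPF_BUK are constructed for the example.

```python
"""Model of how SAP authorizations combine in an authorization check.

Added illustration for the ADM940 lesson, not SAP or ABAP code. It
reproduces the semantics the lesson describes: an authorization is one
instance of an authorization object (one set of allowed values per field),
a profile groups several authorizations, and a check on an object passes
only if at least one single authorization in the profile allows every
field value being checked. Field values are never merged across
authorizations, which is why "A" plus "B" below does not allow creating
documents in company code 3000.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Standard SAP activity codes for the three activities used in the lesson.
ACTVT = {"create": "01", "change": "02", "display": "03"}


@dataclass
class Authorization:
    """One instance of an authorization object: allowed values per field."""
    name: str
    obj: str                           # e.g. F_BKPF_BUK, S_TCODE
    fields: dict[str, frozenset[str]]  # e.g. {"ACTVT": {...}, "BUKRS": {...}}

    def permits(self, values: dict[str, str]) -> bool:
        # All fields of the object are checked together against THIS
        # authorization. "*" is SAP's full-authorization wildcard.
        for fld, val in values.items():
            allowed = self.fields.get(fld, frozenset())
            if "*" not in allowed and val not in allowed:
                return False
        return True


@dataclass
class Profile:
    """An authorization profile: the authorizations of a work center/user."""
    name: str
    authorizations: list[Authorization] = field(default_factory=list)

    def check(self, obj: str, values: dict[str, str]) -> bool:
        """True if some single authorization for obj allows the whole tuple."""
        return any(a.permits(values) for a in self.authorizations if a.obj == obj)


def naive_union_check(profile: Profile, obj: str, values: dict[str, str]) -> bool:
    """Deliberately WRONG model, kept for contrast: merges allowed values
    field by field across authorizations, which over-grants."""
    merged: dict[str, set[str]] = {}
    for a in profile.authorizations:
        if a.obj == obj:
            for fld, allowed in a.fields.items():
                merged.setdefault(fld, set()).update(allowed)
    return all("*" in merged.get(fld, set()) or val in merged.get(fld, set())
               for fld, val in values.items())


def lesson_example_profile() -> Profile:
    """Authorizations "A" and "B" from the lesson. Assumption for the example:
    both are instances of F_BKPF_BUK (fields ACTVT and BUKRS per the lesson)."""
    a = Authorization("A", "F_BKPF_BUK", {
        "ACTVT": frozenset({"01", "02", "03"}),   # create, change, display
        "BUKRS": frozenset({"1000", "2000"}),
    })
    b = Authorization("B", "F_BKPF_BUK", {
        "ACTVT": frozenset({"03"}),               # display only
        "BUKRS": frozenset({"1000", "2000", "3000"}),
    })
    return Profile("EXAMPLE_AB", [a, b])  # constructed profile name


def work_center_2_profile() -> Profile:
    """Work center 2 from the lesson: transaction starts (S_TCODE, field TCD)
    plus F_BKPF_BUK in company code 1000. The business-area and account-type
    objects from the lesson are left out of this model."""
    return Profile("WORK_CENTER_2", [  # constructed profile name
        Authorization("TCODES", "S_TCODE",
                      {"TCD": frozenset({"F-22", "F-27", "FB02", "FB03"})}),
        Authorization("DOCS_1000", "F_BKPF_BUK",
                      {"ACTVT": frozenset({"01", "02", "03"}),
                       "BUKRS": frozenset({"1000"})}),
    ])


def allowed_activities(profile: Profile, obj: str, bukrs: str) -> set[str]:
    """Which of create/change/display the profile allows in one company code."""
    return {name for name, code in ACTVT.items()
            if profile.check(obj, {"ACTVT": code, "BUKRS": bukrs})}


if __name__ == "__main__":
    p = lesson_example_profile()
    for cc in ("1000", "2000", "3000"):
        print(cc, sorted(allowed_activities(p, "F_BKPF_BUK", cc)))
```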


Figure 30: Roles and Authorization Profiles

To provide users with user-specific menus after they have logged on to an SAP system, you use roles. These are defined using the Profile Generator.

A role is a set of functions, also known as activities, describing a specific work area. The "Accounts Receivable Accountant" role, for example, contains transactions, reports, and/or Internet/Intranet links that an accountant needs for his or her daily work.

In the role, you organize transactions, reports, or Web addresses in a role menu.

A large number of roles (>1200) are delivered with the standard SAP R/3 System. Before you define your own roles, check if one of the user roles delivered as part of the standard SAP R/3 System can be used.

Hint: Note that the predefined roles are delivered as templates, and begin with the prefix "SAP_".

For a user to be able to receive authorizations, you must first maintain authorization data.


You can then generate the authorization profile, and the role is complete.

Hint: SAP strongly recommends the automatic creation of authorization profiles in the form of roles using the Profile Generator. You should only use manual authorization profiles in exceptional cases.

A role can be assigned to any number of users. Through the role, you also assign the authorizations that users need to access the transactions, reports, and so on contained in the menu.

This user menu appears when the user to which the authorization profile was assigned logs on to the SAP system. A user menu consists of the role menus of the assigned roles. It contains the activities that are required by a group of users for their work area.

Finally, explain once again the way in which roles work (if you are presenting the entire ADM940 course, explain that this is dealt with again in the "Profile Generator and Standard Roles" lesson).

Hint: We strongly recommend that customers do not create authorization profiles manually. SAP strongly recommends the automatic creation of authorization profiles in the form of roles using the Profile Generator. Transactions, reports, and/or Web links are assigned to a role. An authorization profile is generated from these. A user menu/role menu is then available to the user (see next figure).


Figure 31: Roles and the Easy Access Menu

The new SAP Easy Access menu provides a user-specific point of entry into the SAP system.

The user menu (created from multiple role menus) contains only those transactions, reports and Web addresses needed by the users for their daily work processes.

The user menus can be, and often are, created with the Profile Generator using composite roles.

For users with system administrator authorization, the SAP Easy Access menu provides some additional functions for:

• Creating roles
• Calling menus for roles and assigning them to users

In order to be able to use these extended functions, you need authorizations for the following authorization objects:

Authorization object   Value
S_USER_TCD             PFCG
S_USER_PRO             *
S_USER_AUT             *
S_USER_GRP             *


Briefly discuss the tasks to be completed in the exercises.

You should also use an example of a user to show the participants a role and the corresponding profile. Explain the contents, and discuss the display. Use the jump points from the Info System and demonstrate similar queries to those in the exercises, before the participants perform these themselves.


Exercise 2: Elements and Terminology of the Authorization Concept
Exercise Duration: 20 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Distinguish between the elements of the authorization concept
• Display a user master record and find out the authorizations of a specific user
• Find out the meaning of an authorization object

Business Example

System Data
System: These SAP systems change weekly. Training administration will provide you with the exact ID of your SAP R/3 Enterprise system.
Client: The training courses are held in the 8xx clients; training administration will provide you with the exact numbers. One of the clients is set up as the central system.
User ID: The user IDs for SAP courses should have a uniform structure. The IDs contain the course ID and a two-digit group number. For example, for the ADM940 course: User ID "ADM940-##". At the start of the course, the instructor creates the users using transaction "ZUSR" and the template "ADM940-MODEL". The participants receive the required roles and authorizations for the exercises through the template.
Password: The instructor can set a uniform password for the users when creating them (such as "ADM940"). Training administration will inform you of the instructor password for access to the system.
Set up instructions:

1.

Task 1:
Display the master record of user ADM940-##.

1. Are roles assigned to the user? If yes, which ones?

______________________

______________________

______________________


______________________

2. Is an authorization profile assigned to the user? If yes, which one/s?

______________________

______________________

______________________

______________________

______________________

______________________

______________________

3. Display the details for the authorization profile ADM94_PLUS.

Hint: Double-click the profile name to go to the detail screen of the authorization profile.

Expand the tree structure of the authorization profile.

Do you have authorizations for the following authorization objects?

- F_BKPF_BUK? _____

- PLOG? _____

- S_TCODE? _____

- S_USER_GRP? _____

What is the name of your authorization(s) for the object S_USER_GRP?

____________________________________

____________________________________

Which authorization fields does the object S_USER_GRP consist of?

____________________________________

____________________________________

Which authorization values do you have for the authorization object S_USER_GRP?

Field 1:_________________________________________________________

Field 2:_________________________________________________________


From the detail screen of the authorization profile, go back to thedisplay of the user master record.

Exit the transaction.

Task 2:
Display various authorization information in the Information System.

1. Navigate to the Information System in the SAP Menu.

(Tools → Administration → User Maintenance → Information System)

Expand the structure for the Authorization Objects node, and select the report Authorization Objects by Object Name, Text by double-clicking it.

Select the authorization object S_USER_GRP.

To which authorization object class is the authorization object S_USER_GRP assigned?

____________________

Display the documentation for this authorization object.

In which transactions is the authorization object checked?

_______________________; _______________________;_______________________; _______________________;_______________________; _______________________;

What activities are possible?

___________; ___________; ___________; ___________; ___________; ___________; ___________; ___________; ___________; ___________;

Exit the report Authorization Objects by Object Name, Text.

2. In the Information System, under the Authorization Objects node, double-click the report Authorization Objects By Object Class. Choose the All Selections icon.

Select the authorization object class from task 2-1.

How many authorization objects are there whose names begin with S_USER?

____________________

Find out about the authorization object S_USER_TCD by displaying the documentation. What is controlled with this authorization object?

_________________________________________________________

_________________________________________________________


Unit 2: Basic Terminology of Authorizations ADM940

_________________________________________________________

Which authorization fields does the object consist of?

____________________

How many authorization objects are assigned to the selected authorization object class? (Note: The number of authorization objects is indicated at the end of the list.)

____________________

Exit the report Authorization Objects by Object Class.

3. Expand the structure for the Roles node, and choose the report By Role Name.

Select the role ADM940_SD_SALES.

Display the transaction assignment for the role.

How many transactions in total are assigned to the role? (Note: The number of transactions is displayed at the end of the list.)

____________________

Does this role provide authorization to call transaction VA03?

____________________

Does this role provide authorization to call transaction MM03?

_____________________


Solution 2: Elements and Terminology of the Authorization Concept

Task 1: Display the master record of user ADM940-##.

1. Are roles assigned to the user? If yes, which ones?

______________________

______________________

______________________

______________________

a) Menu: Tools → Administration → User Maintenance → Users (SU01)

Enter ADM940-## and choose Display (F7).

b) Select the Roles tab page.

Yes:

ADM940_DEMO_MENU

ADM940_DISPLAY

ADM940_PLUS

ADM940_USER

2. Is an authorization profile assigned to the user? If yes, which one/s?

______________________

______________________

______________________

______________________

______________________

______________________


______________________

a) Choose the Profiles tab page.

Yes:

ADM94_DISP

ADM94_DISP1

ADM94_DISP2

ADM94_DISP3

ADM94_DISP4

ADM94_PLUS

ADM94_TRAI

3. Display the details for the authorization profile ADM94_PLUS.

Hint: Double-click the profile name to go to the detail screen of the authorization profile.

Expand the tree structure of the authorization profile.

Do you have authorizations for the following authorization objects?

- F_BKPF_BUK? _____

- PLOG? _____

- S_TCODE? _____

- S_USER_GRP? _____

What is the name of your authorization(s) for the object S_USER_GRP?

____________________________________

____________________________________

Which authorization fields does the object S_USER_GRP consist of?

____________________________________

____________________________________

Which authorization values do you have for the authorization object S_USER_GRP?

Field 1:_________________________________________________________


Field 2:_________________________________________________________

From the detail screen of the authorization profile, go back to the display of the user master record.

Exit the transaction.

a) Double-click the profile name to go to the detail screen of the authorization profile.

Expand the tree structure of the authorization profile.

Authorization for authorization object:

- F_BKPF_BUK? No.

- PLOG? No.

- S_TCODE? Yes.

- S_USER_GRP? Yes.

b) Names of the authorizations for object S_USER_GRP:

ADM94_PLUS00

ADM94_PLUS01

c) Authorization fields for the authorization object S_USER_GRP:

ACTVT Activity

CLASS User group in user master maintenance

d) Authorization values for the authorization object S_USER_GRP:

Authorization ADM94_PLUS00:

ACTVT 05

CLASS Z*

Authorization ADM94_PLUS01:

ACTVT 03, 08

CLASS *

From the detail screen of the authorization profile, go back to the display of the user master record.

Exit the transaction.


Task 2: Display various authorization information in the Information System.

1. Navigate to the Information System in the SAP Menu.

(Tools → Administration → User Maintenance → Information System)

Expand the structure for the Authorization Objects node, and select the report Authorization Objects by Object Name, Text by double-clicking it.

Select the authorization object S_USER_GRP.

To which authorization object class is the authorization object S_USER_GRP assigned?

____________________

Display the documentation for this authorization object.

In which transactions is the authorization object checked?

_______________________; _______________________; _______________________; _______________________; _______________________; _______________________;

What activities are possible?

___________; ___________; ___________; ___________; ___________; ___________; ___________; ___________; ___________; ___________;


Exit the report Authorization Objects by Object Name, Text.

a) Authorization object class for authorization object S_USER_GRP:

BC_A

Select the authorization object and choose the Documentation button.

b) Transactions with integrated check of S_USER_GRP:

SU01, SU10, SU12, PFCG, SUUM, SUUMD

c) Possible activities:

01: Create

02: Change

03: Display

05: Lock, Unlock

06: Delete

08: Display Change Documents

22: Include Users in Roles

24: Archive

78: Assign

68: Model

Exit the report Authorization Objects by Object Name, Text.

2. In the Information System, under the Authorization Objects node, double-click the report Authorization Objects By Object Class. Choose the All Selections icon.

Select the authorization object class from task 2-1.

How many authorization objects are there whose names begin with S_USER?

____________________

Find out about the authorization object S_USER_TCD by displaying the documentation. What is controlled with this authorization object?

_________________________________________________________

_________________________________________________________

_________________________________________________________

Which authorization fields does the object consist of?


____________________

How many authorization objects are assigned to the selected authorization object class? (Note: The number of authorization objects is indicated at the end of the list.)

____________________

Exit the report Authorization Objects by Object Class.

a) Select the authorization object class BC_A and the authorization object S_USER*.

Number of authorization objects that begin with S_USER:

10 authorization objects

b) Select the authorization object and choose the Documentation button. Documentation for authorization object S_USER_TCD:

This authorization object controls the transactions that system administrators can assign to a role, as well as the transactions for which they can assign transaction code authorization (object S_TCODE). Note that in the Profile Generator, you can only maintain intervals of transactions if you have full authorization (S_USER_TCD) for authorization object S_TCODE. Otherwise you can only maintain individual values for the object S_TCODE.

c) Which authorization fields does the object consist of?

TCD: Transactions that administrators may assign to roles and for which they may assign authorization to start a transaction in the Profile Generator.

d) Number of authorization objects in object class BC_A:

(The number of authorization objects is indicated at the end of the list.)

92 authorization objects

Exit the report Authorization Objects by Object Class.

3. Expand the structure for the Roles node, and choose the report By Role Name.

Select the role ADM940_SD_SALES.

Display the transaction assignment for the role.

How many transactions in total are assigned to the role? (Note: The number of transactions is displayed at the end of the list.)

____________________


Does this role provide authorization to call transaction VA03?

____________________

Does this role provide authorization to call transaction MM03?

_____________________

a) Display the transaction assignment of the role (by choosing the corresponding button).

Number of transactions:

(The number of transactions is indicated at the end of the list.) 27 transactions

b) Does this role provide authorization to call transaction VA03?

Yes.

c) Does this role provide authorization to call transaction MM03?

No.


Lesson Summary

You should now be able to:

- Describe and differentiate between the individual elements of the authorization concept
- Describe the relationships between the elements in the overall concept
- Explain the differences between roles and authorization profiles
- Find out the meaning of an authorization object
- Explain the relationship between roles and the Easy Access Menu


ADM940 Lesson: Authorization Checks in the SAP System

Lesson: Authorization Checks in the SAP System

Lesson Duration: 30 Minutes

Lesson Overview

This lesson will use an example to introduce the checking of authorizations in an SAP system. There are essentially two checks. The first check is performed by the system when transactions are called, and the second is then performed by checks in the program. The user buffer, which is also introduced, plays a vital role in the check.

Lesson Objectives

After completing this lesson, you will be able to:

- Explain when authorization checks are performed
- Describe the difference between the authorization check when a transaction is started and the authorization check performed by a program
- Define the function of the user buffer and evaluate the buffered user authorizations
- Control some additional checks without "modifying" the system

As the instructor, you should explain the two basic authorization checks to the participants in this lesson.

- The check by the kernel (and the table TSTCA)
- The individual check in a program

It is important to note that problems can also occur due to the overlapping of authorization instances caused by multiple buffer entries (object used n times), to say nothing of the check in the program.

Many customers or users in user departments still believe that it is possible simply to check any values in next to no time. However, to do this, it is necessary to change the program - and much more besides. Describe the false perceptions with examples from your experience.

Business Example

Authorization checks are performed under various conditions in the SAP system. For example, there is a mandatory kernel check for each transaction start. The main task in the company, however, is to control the checks in programs. To do this, it is very important to understand the relationship between the buffer and the authorization check.

Authorization Checks When Transactions Are Started and in Programs

Describe the figure in your own words and use the Information System to display the description for the authorization object S_TCODE in the system, called through S_BCE_68001410.

Hint: Each time a transaction is started, the kernel checks the transaction code (TCD) as a value against this authorization object. This check is always performed (as of SAP R/3 3.0E), and cannot be deactivated by a developer.

We recommend that you demonstrate and discuss the second check, which is connected to table TSTCA, only after the exercise.

Figure 32: Authorization Checks at Transaction Start

When starting a transaction, a system program executes a series of checks to ensure the user has the appropriate authorizations.


Step 1: Check if the user is authorized to start the transaction. Authorization object S_TCODE (transaction start) contains the authorization field TCD (transaction code). The user must have the authorization for the transaction code that he or she wants to run (such as FB02, Change Document).

Step 2: Check if an authorization object is assigned to the transaction code. If this is the case, the system checks if the user has an authorization for this authorization object. The transaction code / authorization object assignment is stored in table TSTCA.

If any of the above steps fail, the transaction will not begin, and the user will receive a message.

Hint: The ABAP statement authority-check is used to check the authorization object assigned to the transaction. The check is performed during transaction start by the ABAP program called by the transaction.

Use the next figure to explain the authorization check in the program:

- There is always a program behind a transaction
- Authorization objects are checked using the authority-check command
- Certain field values are always required for authorization objects

Only if the user has sufficient authorizations can he or she continue working.


Figure 33: Authorization Check in the Program

Authorization checks in programs are performed using the ABAP command authority-check.

A program may contain any number of authorization checks.

Example: The user wants to call transaction FB02. An authority-check is coded in the ABAP program SAPMF05L, which transaction FB02 calls. The following authorization is checked:

- Authorization object F_BKPF_BUK
- Authorization field ACTVT (activity) for the value '02' (change)
- Authorization field BUKRS (company code) for the value '1000'

Only if the user has the authorization object F_BKPF_BUK with the authorization fields ACTVT ('02') and BUKRS ('1000') as authorization is he or she allowed to perform the transaction.

After the authorization check, the system gives back a return code. The valid return codes for the authority-check command are:

- 0: The user has the authorization for the authorization object with the correct field values.
- 4: The user has an authorization for the authorization object, but the values checked are not assigned to the user.
- 12: The user does not have any authorizations for the authorization object.
- 16: No profile is entered in the user master record.


If participants know other return codes and ask you about them, direct them to the online documentation or to SAP Notes on this topic.

The values that are returned by the program check depend on the user buffer. It decides which authorizations are available to the user and which are not.

Explain the way in which the user buffer works.

Each user has his or her own user buffer, in which all authorizations that are assigned to the user are listed. Every user can display his or her own entries using transaction SU56.

Also discuss the content of the note below.

Hint: You should point out that there has been a change where the user buffer is concerned. In newer systems, in which the profile parameter auth/new_buffering has been set to the value 3 or 4, the profile parameter for setting the size of the user buffer (auth/auth_number_in_userbuffer) no longer has any effect. The buffer can receive more entries than the parameter auth/auth_number_in_userbuffer (no longer a kernel parameter) allows. For more information, see SAP Note 209899.


Figure 34: User Buffer

When a user signs on to an SAP system, a user buffer is built containing all authorizations for the user. Each user has his or her own user buffer.

If Mr. Peterson (example from the figure) logs on to the system, his user buffer contains all authorizations that were assigned to the role MY_FI_AR_DISPLAY_MASTER_DATA using the profile.

Hint: Every user can display only his or her own user buffer using transaction SU56.

A user would fail an authorization check if:

- The authorization object does not exist in the buffer
- The values checked by the application are not assigned to the authorization object in the user buffer
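The two checks described in this lesson (the kernel check at transaction start against S_TCODE and TSTCA, then the authority-check in the program with its return codes 0/4/12/16) and the user buffer they are evaluated against, as an added Python model that is not part of the course material or SAP's own code. The ADM94_PLUS buffer entries are built from the values given in the Exercise 3 solution for user ADM940-SU53; the TSTCA entry for FB03, the ZFI_DISP profile and the simplified wildcard rules are assumptions.

```python
"""Model of the two authorization checks in this lesson: the kernel check at
transaction start (S_TCODE, then the object assigned in TSTCA) and the
AUTHORITY-CHECK in a program, both evaluated against the user buffer.

Added example, not SAP code. The ADM94_PLUS values mirror the exercise
solution for user ADM940-SU53; the TSTCA entry for FB03, the ZFI_DISP
profile and the simplified value-matching rules are assumptions.
"""
from dataclasses import dataclass

# Return codes (sy-subrc) of AUTHORITY-CHECK as listed in the lesson
RC_OK, RC_WRONG_VALUES, RC_NO_OBJECT, RC_NO_PROFILE = 0, 4, 12, 16


@dataclass
class Authorization:
    obj: str      # authorization object, e.g. S_USER_GRP
    name: str     # authorization name, e.g. ADM94_PLUS00
    fields: dict  # field -> list of value patterns ('*', 'Z*', '03', ...)


@dataclass
class UserBuffer:
    profiles: list  # profile names from the user master record
    entries: list   # authorizations of those profiles, built at logon


def build_user_buffer(profile_map, profile_names):
    """Build the buffer at logon from the authorizations of the assigned profiles."""
    entries = [auth for name in profile_names for auth in profile_map[name]]
    return UserBuffer(profiles=list(profile_names), entries=entries)


def value_matches(pattern, value):
    """Simplified SAP value semantics: '*' matches all, a trailing '*' is a prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(buffer, obj, **checked):
    """Model of AUTHORITY-CHECK OBJECT obj ID f FIELD v ...; returns sy-subrc."""
    if not buffer.profiles:
        return RC_NO_PROFILE  # 16: no profile in the user master record
    candidates = [a for a in buffer.entries if a.obj == obj]
    if not candidates:
        return RC_NO_OBJECT  # 12: object not in the user buffer at all
    for auth in candidates:
        # every checked field must be satisfied by one and the same authorization
        if all(any(value_matches(p, v) for p in auth.fields.get(f, []))
               for f, v in checked.items()):
            return RC_OK  # 0: object present with matching values
    return RC_WRONG_VALUES  # 4: object present, checked values not assigned


# Constructed TSTCA-style assignment: FB03 checks F_BKPF_BUK with ACTVT 03 only
# (the company code is not checked at start), as in the Task 1 solution.
TSTCA = {"FB03": ("F_BKPF_BUK", {"ACTVT": "03"})}


def transaction_start_check(buffer, tcode):
    """Kernel checks at transaction start: step 1 S_TCODE, step 2 the TSTCA object."""
    if authority_check(buffer, "S_TCODE", TCD=tcode) != RC_OK:
        return False, f"You are not authorized to use transaction {tcode}"
    if tcode in TSTCA:
        obj, values = TSTCA[tcode]
        rc = authority_check(buffer, obj, **values)
        if rc != RC_OK:
            return False, f"No authorization for {obj} (rc={rc}) at start of {tcode}"
    return True, ""


# ADM94_PLUS mirrors the exercise solution; ZFI_DISP is a constructed FI display profile.
PROFILES = {
    "ADM94_PLUS": [
        Authorization("S_TCODE", "ADM94_PLUS00", {"TCD": [
            "SESS", "SESSION_MANAGER", "SMEN", "SU3", "SU53", "SU56", "YIDES"]}),
        Authorization("S_USER_GRP", "ADM94_PLUS00", {"ACTVT": ["05"], "CLASS": ["Z*"]}),
        Authorization("S_USER_GRP", "ADM94_PLUS01", {"ACTVT": ["03", "08"], "CLASS": ["*"]}),
    ],
    "ZFI_DISP": [
        Authorization("S_TCODE", "ZFI_DISP00", {"TCD": ["FB*"]}),
        Authorization("F_BKPF_BUK", "ZFI_DISP00", {"ACTVT": ["03"], "BUKRS": ["1000"]}),
    ],
}

SU53_USER = build_user_buffer(PROFILES, ["ADM94_PLUS"])  # user ADM940-SU53
FI_USER = build_user_buffer(PROFILES, ["ZFI_DISP"])      # constructed FI display user
NO_PROFILE_USER = build_user_buffer(PROFILES, [])         # user without any profile

if __name__ == "__main__":
    print(len(SU53_USER.entries), "entries in the user buffer of ADM940-SU53")
    print(transaction_start_check(SU53_USER, "VA07"))  # fails at step 1 (S_TCODE)
    print(transaction_start_check(FI_USER, "FB03"))    # passes both steps
    # FB02 passes the kernel check in this model; the AUTHORITY-CHECK in the
    # program for ACTVT 02 then returns 4, because only ACTVT 03 is assigned
    print(authority_check(FI_USER, "F_BKPF_BUK", ACTVT="02", BUKRS="1000"))
```

Return code 4 is the case SU53 shows most often in practice: the object is in the buffer, but not with the values the program asked for.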

Log on to the system with the user ADM940-SU53 and the password ADM940 to demonstrate an authorization check. Execute transaction MM03. You will not be permitted to do so. Show the participants the reason for this, the failed check, using transaction SU53. Discuss the displayed result.

To complete the lesson, display the buffer for your ADM940-00 user. Explain the display and then have the participants perform the exercise.


Exercise 3: Authorization Checks in the SAP System

Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

- Explain when authorization checks are performed
- Describe the relationships between the elements in the overall concept
- Explain the differences between roles and authorization profiles
- Find out the meaning of an authorization object
- Explain the relationship between roles and the Easy Access Menu

Business Example

In practice, it is important to know the special features of the authorization check performed when a transaction is called in the system. It is also important to determine, if an unsuccessful authorization check is reported, why it was unsuccessful. This exercise will consolidate the content of the lesson with work in the system.

System Data

System: These SAP systems change weekly. Training administration will provide you with the exact ID of your SAP R/3 Enterprise system.

Client: The training courses are held in the 8xx clients; training administration will provide you with the exact numbers. One of the clients is set up as the central system.

User ID: The user IDs for SAP courses should have a uniform structure. The IDs contain the course ID and a two-digit group number. For example, for the ADM940 course: User ID "ADM940-##". At the start of the course, the instructor creates the users using transaction "ZUSR" and the template "ADM940-MODEL". The participants receive the required roles and authorizations for the exercises through the template.

Password: The instructor can set a uniform password for the users when creating them (such as "ADM940"). Training administration will inform you of the instructor password for access to the system.

Set up instructions:

1. Check the availability of the user ADM940-SU53 for tasks 2 and 3. This user has been assigned the role CA940_PLUS.


Task 1: Display the definition of transaction FB03.

Hint: Menu Path: Menu → Tools → ABAP Workbench → Development → Other Tools → Transactions.

1. Which authorization object is checked when the transaction is called?

____________________

2. Which authorization values must exist for the authorization check to be positive and the transaction to be started?

____________________

Task 2: Log on to the system with user ADM940-SU53 (password: ADM940). Then call transaction VA07 by entering the transaction code in the command field or by choosing the menu path: Menu → Logistics → Sales and Distribution → Sales → Information System → Worklists → Compare Sales-Purchasing (Order).

1. Can you call the transaction?

____________________

2. What message is returned by the system?

____________________

3. Find out which object was checked, and what authorizations you have.

____________________

4. Can you call a failed authorization check for another participant?

____________________

5. Try to do so.

Task 3: Describe the user buffer and display it for user ADM940-SU53.

1. What do you see in the user buffer? Describe its content.

________________________________________

________________________________________


________________________________________

________________________________________

2. How can you call the user buffer?

____________________

3. Display the buffer for your user ADM940-SU53. How many authorization entries do you have?

____________________


Solution 3: Authorization Checks in the SAP System

Task 1: Display the definition of transaction FB03.

Hint: Menu Path: Menu → Tools → ABAP Workbench → Development → Other Tools → Transactions.

1. Which authorization object is checked when the transaction is called?

____________________

a) F_BKPF_BUK

2. Which authorization values must exist for the authorization check to be positive and the transaction to be started?

____________________

a) Activity 03

The company code is not checked here, so it does not matter which authorization values exist in the user master record for it.

Task 2: Log on to the system with user ADM940-SU53 (password: ADM940). Then call transaction VA07 by entering the transaction code in the command field or by choosing the menu path: Menu → Logistics → Sales and Distribution → Sales → Information System → Worklists → Compare Sales-Purchasing (Order).

1. Can you call the transaction?

____________________

a) No.

2. What message is returned by the system?

____________________

a) "You are not authorized to use transaction VA07"

3. Find out which object was checked, and what authorizations you have.


____________________

a) Object S_TCODE was checked, and your user had authorizations only for the following transactions: SESS, SESSION_MANAGER, SMEN, SU3, SU53, SU56, and YIDES.

4. Can you call a failed authorization check for another participant?

____________________

a) Yes.

5. Try to do so.

a) It works.

Task 3: Describe the user buffer and display it for user ADM940-SU53.

1. What do you see in the user buffer? Describe its content.

________________________________________

________________________________________

________________________________________

________________________________________

a) The user buffer has the following meaning:

Each user has his or her own user buffer, in which all authorizations that are assigned to the user are listed. This list is arranged by Object/Authorization/Object Text.

2. How can you call the user buffer?

____________________

a) With transaction SU56.

3. Display the buffer for your user ADM940-SU53. How many authorization entries do you have?

____________________

a) The number of entries is 3.

S_TCODE/ADM94_PLUS00/Transaction Code Check at Transaction Start

S_USER_GRP/ADM94_PLUS00/User Master Maintenance: User Groups

S_USER_GRP/ADM94_PLUS01/User Master Maintenance: User Groups


Lesson Summary

You should now be able to:

- Explain when authorization checks are performed
- Describe the difference between the authorization check when a transaction is started and the authorization check performed by a program
- Define the function of the user buffer and evaluate the buffered user authorizations
- Control some additional checks without "modifying" the system


Unit Summary

You should now be able to:

- Describe and differentiate between the individual elements of the authorization concept
- Describe the relationships between the elements in the overall concept
- Explain the differences between roles and authorization profiles
- Find out the meaning of an authorization object
- Explain the relationship between roles and the Easy Access Menu
- Explain when authorization checks are performed
- Describe the difference between the authorization check when a transaction is started and the authorization check performed by a program
- Define the function of the user buffer and evaluate the buffered user authorizations
- Control some additional checks without "modifying" the system


Unit 3: User Settings

You should use this unit to explain the user master record to the participants. Deal briefly with the essential difference between system access control and role-based access control and then describe the individual tab pages of the master record.

Unit Overview

What is the user master record? This question is answered in this unit.

SAP systems differentiate between system access control and role-based access control. Both are assigned and controlled using the user master record of a user.

Unit Objectives

After completing this unit, you will be able to:

- Create and change user master records
- Set the values on the tab pages of the user master record
- Define the differences between the user types
- Operate and implement mass maintenance
- Display and archive change documents for authorization assignment

Unit Contents

Lesson: Maintaining and Evaluating User Data ... 94

Exercise 4: Maintaining and Evaluating User Data ... 113


Unit 3: User Settings ADM940

Lesson: Maintaining and Evaluating User Data

Lesson Duration: 85 Minutes

Lesson Overview

This lesson will provide you with an overview of identifying a user using the user master record. First, the SAP user types are explained. The components of the user master record are then discussed. The functions of mass maintenance and change documentation are clarified.

Lesson Objectives

After completing this lesson, you will be able to:

- Create and change user master records
- Set the values on the tab pages of the user master record
- Define the differences between the user types
- Operate and implement mass maintenance
- Display and archive change documents for authorization assignment

Provide an overview of the components of the user master record. Explain that users can only log on to the system if a user master record exists. The figures up to the mass maintenance of user data explain in detail the following components of the user master record: logon data, defaults, parameters, roles, and profiles.

Business Example

To access the SAP system and work in the system, a user master record with authorizations is required. Other elements of the user master record make it easier to work with the SAP system. The assignment of these authorizations can be controlled individually for each user, but also, to an extent, using mass maintenance.


ADM940 Lesson: Maintaining and Evaluating User Data

The User Master Record and its Tab Pages

Figure 35: Components of the User Master Record

A user can only log on to an SAP system if a user master record with a corresponding password exists. The scope of activity of individual users in the SAP system is defined in the master record by one or more roles, and is restricted by the assignment of the appropriate authorizations.

User master records are client-specific. You must maintain your own user master records for every client in SAP systems.

The following authorization objects are required to create and maintain user master records:

- Authorization to create or maintain a user master record, and to assign it to a user group (object S_USER_GRP)
- Authorization for the authorization profiles that you assign to users (object S_USER_PRO)
- Authorization to create and maintain authorizations (object S_USER_AUTH)
- Authorization to protect roles. With this authorization object, you specify which roles can be edited, and which activities (display, change, create, and so on) are intended for the role(s) (object S_USER_AGR)
- Authorization for transactions that you may assign to the role and for which you can assign authorization to start the transaction in the Profile Generator (object S_USER_TCD)
- Authorization to restrict values that the system administrator can include in a role or change in the Profile Generator (object S_USER_VAL)


By choosing System → User Profile → Own Data (transaction SU3), users can themselves maintain the Address, Defaults, and Parameters tabs.

Hint: In addition to the possibilities for assigning authorizations in the SAP system described in the following sections, you can ensure that your data is protected with additional measures:

- Secure communication in the network (Secure Network Communication, SNC)
- Secure data formats (Secure Store and Forward, SSF)
- Security in the Internet
- System passwords
- Database accesses
- Transport system
- Your own directory structures for the SAP system, and so on

For information about these topics, see the Security Guide in the SAP Service Marketplace under service.sap.com/securityguide.

Tab Page: Address

Explain to the participants the first page of the User Maintenance (SU01): Address


Figure 36: User Master Record: Address

Hint: You must specify at least the following data to create new users in a system:

- On the Address tab page, you only need to maintain the Last name field.
- On the Logon Data tab page, you must enter an Initial Password for the new user.

All other specifications are optional and almost self-explanatory.

Tab Page: Logon Data

The next figure shows the logon data. Important settings are to be made on this tab page. These include:

- Initial password (without this, no user master record can be created)
- User type
- User group (explain again its use for the user administrator)


Figure 37: User Master Record: Logon Data

The Alias is an alternative ID for an SAP user. An alias can be assigned to a user. This means that 40 characters are available when assigning user names (longer, more descriptive names). The user can therefore be identified using either the (12 character) user name or using the alias. The alias is primarily used if users are created in a Self-Service scenario from Internet transactions. In this situation, only the alias is specified and used.

User Group for Authorization Check: To assign the user to a user group, enter the user group. This is required if you want to divide user maintenance among several user administrators. Only the administrator that has authorization for this group can maintain users of this group. If you leave the field empty, the user is not assigned to any group. This means that any user administrator can maintain the user.

User Type: The system proposal is Dialog (normal dialog user). The other user types can be assigned if special kinds of processing have to be performed (see the next figure).

Validity Period: You can specify the validity period of the user master record with these fields. If you do not wish to restrict the validity of the user master record, leave the fields empty.

Other Data: For each user or user group, you should assign an accounting number which you can choose as required. System usage of that user is settled in the accounting system (ACCOUNTING-EXIT) using this accounting number. Useful accounting numbers, for example, are the cost center or company code of the user.

The User Types in Detail


The different user types are listed in the next figure. The descriptions for the participants have been taken from the online documentation.

Since the description of the reference user is too large for the introduction to the user types, it was shortened for the participants. However, to ensure that all of the data is directly available for the instructor, the missing information is below.

Extra information: Reference User (L)

To assign a reference user to a dialog user, specify it when maintaining the dialog user on the Roles tab page. In general, the application controls the assignment of reference users. This assignment is valid for all systems in a Central User Administration (CUA). If the assigned reference user does not exist in a CUA child system, the assignment is ignored.

You should be very cautious when creating reference users.

• If you do not implement the reference user concept, you can deactivate this field in accordance with SAP Note 330067.

• We also recommend that you set the value for the Customizing switch REF_USER_CHECK in table PRGN_CUST to "E". This means that only users of type REFERENCE can then be assigned. Changing the Customizing switch affects only new assignments of reference users. Existing assignments are retained.

• We further recommend that you place all reference users in one particularly secure user group to protect them from changes to assigned authorizations and deletion.

Figure 38: SAP User Types


Hint: The new user types completely contain all of the old user types (dialog, background, BCD, CPIC). The new structure is fully backward compatible. No conversion is required.

Dialog (A)

User type for exactly one interactive user (all logon types including Internet users):

• During a dialog logon, the system checks whether the password has expired or is initial. Users can change their own password.

• Multiple dialog logons are checked and, where appropriate, logged.

System (B)

User type for background processing and communication within a system (internal RFC calls):

• A dialog logon is not possible.

• The system does not check whether the password has expired or is initial.

• Due to a lack of interaction, no request for a change of password occurs. (Only the user administrator can change the password.)

• Multiple logons are permissible.

Communication (C)

User type for dialog-free communication between systems (such as RFC users for ALE, Workflow, TMS, and CUA):

• A dialog logon is not possible.

• Whether the system checks for expired or initial passwords depends on the logon method (interactive or not interactive). Due to a lack of interaction, no request for a change of password occurs.

Service (S)


User type that is a dialog user available to a larger, anonymous group of users. Assign only very restricted authorizations for this user type:

• During a logon, the system does not check whether the password has expired or is initial. Only the user administrator can change the password (transaction SU01, Goto → Change Password).

• Multiple logons are permissible.

• Service users are used, for example, for anonymous system accesses through an ITS service. After an individual authentication, an anonymous session begun with a service user can be continued as a person-related session with a dialog user.

Reference (L)

User type for general, non-person-related users that allows the assignment of additional, identical authorizations, such as for Internet users created with transaction SU01. You cannot log on to the system with a reference user.

You should be very cautious when creating reference users. For more information, see the online documentation, or read SAP Note 330067.
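As an added example (not SAP code or part of the course material), the following Python audit applies the user-type and reference-user guidance above to a constructed user export: it flags users without a user group, reference users outside a dedicated group, reference-user assignments that do not point to a type L user (which REF_USER_CHECK = E prevents only for new assignments), and service users holding wide predefined profiles. The record layout, the sample users and the group name ZREFUSER are assumptions.

```python
"""Audit a user master export against the user-type guidance in this lesson.

Added example, not SAP or course code. The record layout is a constructed,
simplified export (fields named after the SU01 tab pages); the sample users
and the group name ZREFUSER are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# User types from the Logon Data tab page: A dialog, B system,
# C communication, S service, L reference.
USER_TYPES = {"A", "B", "C", "S", "L"}
# Types for which no password-expiry or initial-password check happens at
# logon, so only the user administrator ever rotates the password.
NO_PASSWORD_EXPIRY_CHECK = {"B", "S"}
# Predefined profiles that grant very extensive authorizations.
WIDE_PROFILES = {"SAP_ALL", "SAP_NEW"}
# Dedicated, particularly secure group for reference users (assumed name).
REFERENCE_USER_GROUP = "ZREFUSER"


@dataclass
class UserRecord:
    name: str
    user_type: str                      # A, B, C, S or L
    group: str                          # User Group for Authorization Check
    profiles: Set[str] = field(default_factory=set)
    reference_user: Optional[str] = None


def audit_users(records: List[UserRecord]) -> List[Tuple[str, str]]:
    """Return sorted (user, finding) pairs for records that violate the guidance."""
    by_name = {r.name: r for r in records}
    findings = []
    for r in records:
        if r.user_type not in USER_TYPES:
            findings.append((r.name, f"unknown user type {r.user_type!r}"))
            continue
        # Empty group: any user administrator may maintain this user.
        if not r.group:
            findings.append((r.name, "no user group: any user administrator can maintain"))
        # Reference users belong in the dedicated secure group.
        if r.user_type == "L" and r.group != REFERENCE_USER_GROUP:
            findings.append((r.name, f"reference user outside group {REFERENCE_USER_GROUP}"))
        # REF_USER_CHECK = E only guards new assignments; existing ones are
        # retained, so check every assigned reference user's type here.
        if r.reference_user is not None:
            ref = by_name.get(r.reference_user)
            if ref is None:
                findings.append((r.name, f"reference user {r.reference_user} does not exist"))
            elif ref.user_type != "L":
                findings.append((r.name, f"reference user {r.reference_user} is type {ref.user_type}, not L"))
        # Service users serve anonymous access: keep their authorizations restricted.
        if r.user_type == "S" and r.profiles & WIDE_PROFILES:
            wide = ", ".join(sorted(r.profiles & WIDE_PROFILES))
            findings.append((r.name, f"service user holds {wide}"))
        # Passwords of system and service users never expire at logon.
        if r.user_type in NO_PASSWORD_EXPIRY_CHECK:
            findings.append((r.name, "password not checked for expiry at logon: rotate administratively"))
    return sorted(findings)


# Constructed sample export (not real data).
SAMPLE_USERS = [
    UserRecord("ADM940-01", "A", "ZSUPER", {"Z_FI_DISPLAY"}, reference_user="REF_FI"),
    UserRecord("REF_FI", "L", REFERENCE_USER_GROUP, {"Z_FI_DISPLAY"}),
    UserRecord("REF_OLD", "L", "", set()),                  # reference user left in no group
    UserRecord("WEBUSER", "A", "ZSUPER", set(), reference_user="BATCH01"),  # assigned before the switch was set
    UserRecord("BATCH01", "B", "ZSUPER", {"Z_BATCH"}),
    UserRecord("ITS_ANON", "S", "ZSUPER", {"SAP_ALL"}),     # anonymous service user with SAP_ALL
]

if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_USERS):
        print(f"{user:<10} {finding}")
```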

Tab Page: Defaults

You can use transaction SSM2 to find out the default start menu of the system.

Figure 39: User Master Record: Defaults


Start Menu

• In this field you can specify an area menu which you can choose using the possible entries help. The SAP menu (SAP Easy Access) then only contains the components of this area menu.

A user needs the credit management transactions to perform the daily work. If you enter FRMN as the start menu in that user's data, the SAP menu displays only the transactions of credit management.

In transaction SSM2, you can specify the initial menu on a system-wide basis.

Logon Language

• System language when the user logs on. On the logon screen, the user can choose another language if required.

Output Device

• (Short) name of a printer in the SAP system, specified in the device definition. The users in the SAP system use this name (or the long name) to select the output device.

Time Zone

• The time zone describes the location of an object in relation to its local time. The underlying set of rules describes the time difference between the time zone and UTC in hours and minutes, and the start and end of summer time.

Decimal Notation and Date Format

• Different countries use different formats for numbers and dates. Enter the format usual for your country.

Tab Page: Parameters


There is not much to say about the parameters. Describe their use using the example below the figure.

You can also ask a few questions at this point, such as:

- How does a setting of this type affect authorizations?
- Can the values preset by the user be overwritten?
- Have you experienced any problems with parameters?

Hint: A few customers may claim at this point that assigned parameters are not automatically transferred to the corresponding fields. Why is this? This is usually due to a customer program or transactions that use different parameters from those used by SAP. For example, the program queries the company code, but does not use parameter BUK for this; instead it uses a value specified by the customer, BKRS.

Figure 40: User Master Record: Parameters

Using a parameter ID, a field can be filled with default values from the SAP memory.

Example: A user only has authorization for company code 1000. When a transaction starts, this company code is saved to the memory using the corresponding parameter ID. On all subsequent screens, all fields referencing the company code data element are then automatically filled with the value 1000.


A field on a screen is only filled automatically with the value saved under the parameter ID of the data element if you have explicitly allowed this in the Screen Painter.

Tab Page: Roles

A role is a set of functions describing a specific work area. In the role, you organize transactions, reports, or Web addresses in a user menu. A role can be assigned to any number of users.

Inform the participants that assigning the role to the user does not necessarily mean that the user has authorizations. A few reasons for this could be:

• The role does not have a profile

• The profile has not been generated

• The profile has not been regenerated with new settings

• The user master records have not been compared, and so on

The other special features for role assignment affect the topic of CUA and reference users. For more information, see the relevant lessons or the online documentation.

Figure 41: User Master Record: Roles

On the Roles tab page, you can use the possible entries help (F4 help) to display a list of all available roles and then select the desired entries from that list.

You can enter any number of roles in the table, and then restrict their validity using the Valid From and Valid To columns. If you use the input help for these columns, the system displays a calendar in which you can select the date.

Tab Page: Profiles


On the Profiles tab page, you assign manually created authorization profiles, and therefore authorizations, to a user. The generated profiles of the roles assigned to the user are also displayed there.

Ensure that you explain the special features of generated profiles, in connection with the user master comparison, when discussing the Profiles tab page (see the notes after the figure).

Figure 42: User Master Record: Profiles

Each profile grants the user a number of authorizations.

Hint: Remember that we recommend that you structure the contents of authorizations using transaction PFCG and not using "manual profiles".

Caution: Never enter the generated profiles directly on the Profiles tab page, since transaction PFUD deletes these assignments if there is no entry for them on the Roles tab page. When you assign a role to a user on the Roles tab page, the profile generated for this role is automatically entered on the Profiles tab page, and the profiles in the user master record are compared with the roles.


The SAP system contains predefined profiles, such as:

• SAP_ALL: To assign all authorizations that exist in the SAP system to users, assign the profile SAP_ALL.

• SAP_NEW: Composite profile to bridge the differences in releases in the case of new or changed authorization checks for existing functions, so that your users can continue to work as normal.

Caution: This composite profile contains very extensive authorizations, since, for example, organizational levels are assigned with the full authorization asterisk (*).

Tab Page: Groups

Groups Tab Page

You assign the user to a user group on this tab page. This is purely a grouping, suitable, for example, for mass maintenance of user data (transaction SU10). Assignments that you make on the Groups tab page are not used for the authorization checks that the User Group field on the Logon Data tab page controls. The user groups are also used by the Global User Manager (transaction SUUM). However, this is deactivated.

The Groups tab page is not currently fully used. Its main use, for the Global User Manager, has officially been deactivated. For this reason, this tab page is not described in detail here. For more information, see SAP Note 433941, the current online documentation, or access the latest information through the link www.service.sap.com.

Tab Page: Personalization

Personalization Tab Page

Hint: Personalization does not yet contain much data. This is still being developed, and can be extended by the customer. For more information, see the online documentation, or, for more detailed information about storing user-dependent data, see Central Repository for Personalization Data [Ext.].

You can make person-related settings here using personalization objects. The tab page is available both in role maintenance and in user maintenance.


Figure 43: User Master Record: Personalization

On the Personalization tab page, you can make person-related settings using personalization objects. Personalization is available both from role maintenance and in user maintenance. You can define values here that control the results displayed when programs are called (such as display periods: Last three months, Number of entries: Max. 50, and so on).

Steps for using personalization:

• Choose the Personalization tab page.

• On the tab page, activate the display by application component by choosing the By Application Component button.

• Select the component for which you want to maintain personalization data. The right side of the display lists the personalization objects provided for this component.

• Select the desired personalization object and assign the values to be predefined in the dialog window that appears.

Tab Page: License Data

SAP software contains a measurement program with which every system produces the information used to determine the payment applicable for the installation.


License Data Tab Page

On this tab page, you specify the contractual user type of the user. For information about the user types, see the SAP Service Marketplace (http://service.sap.com/licenseauditing) → System Measurement Named User → Documentation → "System Measurement Guide".

Hint: Before the users are classified in the user management transaction, the system measurement transaction (USMM) must be run. The price lists, in accordance with which your system was licensed, are assigned in this transaction. Only one active price list is usually used.

Figure 44: User Master Record: License Data

The measurement program is used exclusively to determine the number of users and the utilized units of SAP products. The results are evaluated in accordance with the contractually agreed conditions.

For more information, see the current version of the document System Measurement Guide (service.sap.com/licenseauditing).


Other Possibilities for User Maintenance and Change Documents

Describe mass changes to the participants.

Pay particular attention to the logs at the end of a mass change. Not all of the information displayed in the log can be displayed again later using the change documents. You should therefore always call or print the report, or save it as a file on your PC.

Figure 45: Mass Changes

Most changes that can be made for individual users in the context of user management can also be made for a selected quantity of users.

Logon data, defaults, parameters, roles, and profiles can be changed for a particular group of users.

In user maintenance, you can make changes to a selected group of users by choosing Environment → Mass Changes (transaction SU10).

Hint: On the Address, Logon Data, and Defaults tab pages, you must select the Change checkbox for each change. This ensures that your changes, such as deleting the content of a field, are transferred for the relevant fields.


After each mass change, a dialog box appears, asking whether you would like a log. The log shows who made which changes in which system at which time.

The log contains several message levels, which you can expand as desired using the relevant buttons. If there is a long text for a particular message, you can also display this by choosing a button displayed next to the message.

You can make certain specifications for the log display by choosing Settings; the Color Legend provides information about the colors used in the display.

You can print the log or save it to a file on your PC.

You should use the next figure to show the participants what you can determine from change documents, and how to use them.

You can use report RSUSR100 to determine all changes to a user, RSUSR101 for changes to a profile, and RSUSR102 for changes to an authorization. Note that changes are divided into two areas:

• Changes to authorizations: Creating the user, changing, adding, or removing profiles

• Changes to header data: Changing the password, validity, user type, user group, accounting number, or lock status

You can select both fields to obtain all information. The left column shows the status before the change, and the right column the changed entry.
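An added example, not from the course or SAP: the following Python script parses a constructed, tab-separated change-document export (the RSUSR100 list itself has a different layout), sorts each record into the two areas above, and flags the changes an administrator would want to review first, such as a wide predefined profile being added, a user changing their own authorizations, or a user group being cleared. The column layout, the sample records and the severity rules are assumptions.

```python
"""Triage user change documents (RSUSR100-style) for changes worth review.

Added example, not SAP or course code. Input is a constructed, tab-separated
export with the columns timestamp, user, changed by, field, old value, new
value; the real RSUSR100 list has a different layout. The sample records and
the severity rules are assumptions.
"""
from collections import Counter, namedtuple
from typing import Dict, List, Tuple

Change = namedtuple("Change", "ts user changed_by field old new")

# Fields the lesson counts as "Changes to header data".
HEADER_FIELDS = {"Password", "Validity", "User type", "User group",
                 "Accounting number", "Lock status"}
# Fields the lesson counts as "Changes to authorizations".
AUTH_FIELDS = {"User", "Profile"}
# Predefined profiles that grant very extensive authorizations.
WIDE_PROFILES = {"SAP_ALL", "SAP_NEW"}


def parse_changes(text: str) -> List[Change]:
    """Parse the tab-separated export; blank lines are skipped."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 6:
            raise ValueError(f"malformed change record: {line!r}")
        changes.append(Change(*parts))
    return changes


def change_area(c: Change) -> str:
    """Sort a record into the two areas the change-document report offers."""
    if c.field in HEADER_FIELDS:
        return "header data"
    if c.field in AUTH_FIELDS:
        return "authorizations"
    return "unknown"


def count_by_area(changes: List[Change]) -> Dict[str, int]:
    """Number of change records per area."""
    return dict(Counter(change_area(c) for c in changes))


def triage(changes: List[Change]) -> List[Tuple[str, str, str]]:
    """Return (severity, user, message) for the changes an administrator should review."""
    alerts = []
    for c in changes:
        # A wide predefined profile must never appear on a user unnoticed.
        if c.field == "Profile" and c.new in WIDE_PROFILES:
            alerts.append(("HIGH", c.user, f"{c.new} assigned by {c.changed_by}"))
        # A user changing their own authorizations defeats the user-group separation.
        if c.field in AUTH_FIELDS and c.changed_by == c.user:
            alerts.append(("HIGH", c.user, f"self-assigned {c.field} {c.new or c.old}"))
        # Changing the user type changes which logon and password checks apply.
        if c.field == "User type" and c.old and c.new != c.old:
            alerts.append(("MEDIUM", c.user, f"user type {c.old} -> {c.new}"))
        # Clearing the group means any user administrator can maintain the user.
        if c.field == "User group" and c.old and not c.new:
            alerts.append(("MEDIUM", c.user, "user group cleared: any user administrator can maintain"))
        if c.field == "Lock status" and c.old == "locked" and c.new == "unlocked":
            alerts.append(("MEDIUM", c.user, f"unlocked by {c.changed_by}"))
    return alerts


# Constructed sample export (not real data); columns separated by tabs.
SAMPLE_EXPORT = (
    "2003-12-12 10:31:05\tGR01-ADM\tADM940-01\tUser\t\tcreated\n"
    "2003-12-12 10:34:50\tGR01-ADM\tADM940-01\tProfile\t\tZ_FI_DISPLAY\n"
    "2003-12-12 10:35:02\tGR01-ADM\tADM940-01\tUser group\tZSUPER\t\n"
    "2003-12-12 11:02:17\tGR01-FI1\tGR01-FI1\tProfile\t\tSAP_ALL\n"
    "2003-12-12 11:05:40\tBATCH01\tADM940-01\tUser type\tB\tA\n"
    "2003-12-12 11:06:03\tBATCH01\tADM940-01\tLock status\tlocked\tunlocked\n"
)

if __name__ == "__main__":
    records = parse_changes(SAMPLE_EXPORT)
    print(count_by_area(records))
    for severity, user, message in triage(records):
        print(f"{severity:<6} {user:<10} {message}")
```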

Demonstrate the jump in the system and the procedure ...

1. Start the User Information System (transaction SUIM).

2. Expand the Change Documents node.

3. Choose the Execute option next to For Users (or For Profiles or For Authorizations).

4. Specify the user (or profile or authorization) and make additional restrictive specifications, and choose Execute. The results list "List Change Documents for Users" appears.

5. You can double-click a relevant object in the result list to display details about profiles and authorizations.


Figure 46: Change Documentation and Archiving

Display change documents: Choose Environment → Information System and then, on the overview screen that appears, Change Documents to display a list of changes made to user master records, authorization profiles, and authorizations.

Archiving change documents: User master records and authorizations are saved in USR* tables. Using the archiving function, you can reduce the memory space occupied by the USR* tables in the database. Change documents are saved in USH* tables. The archiving function deletes change documents from the USR* tables that are no longer needed.

You can archive the following change documents or change records relating to user master records and authorizations from the USH* tables:

• Changes to authorizations (archiving object US_AUTH)

• Changes to authorization profiles (archiving object US_PROF)

• Changes to the authorizations assigned to a user (archiving object US_USER)

• Changes to a user's password or to defaults stored in the user master record (archiving object US_PASS)

Before the participants begin the exercise, you should have explained all of the user maintenance tab pages and provided a relevant demonstration in the system. The participants should also have seen the special features of mass maintenance. Gear your demonstrations toward the exercise examples.


Exercise 4: Maintaining and Evaluating User Data

Exercise Duration: 30 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

• Create and change user master records as well as evaluate changes

• Know the components of the user master record

• Use predefined work center examples

• Create multiple users in one step

• Understand the principle of the user buffer and evaluate the buffered user authorizations

Business Example

Almost all companies use PCs and software programs to support their employees in their daily work. However, to work with this technology, the users require access and authorizations to call the programs. A control method in an SAP system is the user master record and its roles and profiles.

System Data

System: These SAP systems change weekly. Training administration will provide you with the exact ID of your SAP R/3 Enterprise system.

Client: The training courses are held in the 8xx clients; training administration will provide you with the exact numbers. One of the clients is set up as the central system.

User ID: The user IDs for SAP courses should have a uniform structure. The IDs contain the course ID and a two-digit group number. For example, for the ADM940 course: User ID "ADM940-##". At the start of the course, the instructor creates the users using transaction "ZUSR" and the template "ADM940-MODEL". The participants receive the required roles and authorizations for the exercises through the template.

Password: The instructor can set a uniform password for the users when creating them (such as "ADM940"). Training administration will inform you of the instructor password for access to the system.


Set up instructions:

1. All of the users, roles, and profiles (specifications) that the participants are to call have already been set up by the weekly system copy. If data is missing, contact the system administrators or the course author. The content to be created by the participants has been created in the system with the ID "...##" for the participant group numbers, and the instructor number "00" for comparison.

Task 1:

1. Create a new user group ZGR## with a description of your choice.

Task 2:

Create a user master record for a dialog user GR##-ADM.

1. Enter address data of your choice.

2. Enter an initial password of your choice and assign the user to user group ZSUPER.

Initial password: _______________

3. Assign the logon language that you have used yourself for logging on.

4. Save your user master record.

Task 3:

Assign a predefined work center example to your new user master record by choosing the Other Menu button on the SAP Easy Access initial screen (on the application toolbar).

1. Choose the role ADM940_BC_ADMIN.

2. Assign your new user GR##-ADM to the role.

Choose the Assign users button and enter your user ID. Accept your settings and have the user master record comparison performed automatically.

Task 4:

Switch from the Other menu display to the SAP menu display.

Change the user master record of your user GR##-ADM.

1. Check the following points: Is a role assigned to the user?


Which role?

____________________

2. Link your user with another role. Choose the role ADM940_PLUS.

3. Are authorization profiles assigned to your user?

Which authorization profile(s)?

___________________

Task 5:

1. Display the change documents for your user GR##-ADM by calling up the information system for users and authorizations and selecting the report Change documents for user.

Display Changes to authorizations and Changes to header data.

Does the list tell you that creating the user master record and assigning the user to roles were separate steps?

______________________________________________

Task 6:

Log on to the system as user GR##-ADM.

1. Do you need to enter a logon language?

____________________

2. Specify your own user password:

____________________

3. Check the user menu:

Which functions does it contain? List some examples.

______________________________________________

4. Check the user buffer by calling the User Buffer function in your user menu (SAP menu).

How many authorizations are available?

____________________

For which authorization objects? List some examples.

______________________________________________


Task 7:

1. Log off as user GR##-ADM and log on again as user ADM940-##.

Task 8:

Create additional master records using the User Mass Maintenance transaction.

1. In the User column, enter the following user names and choose Create.

User Name
GR##-FI1
GR##-FI2
GR##-SD1
GR##-SD2
GR##-MM1
GR##-MM2

2. Enter the user group ZGR## and the logon language that you use into the corresponding fields.

3. Save the user settings and check the result in the change log.

Expand the log completely and enter the initial passwords generated into the following tables beside the user names.

User Name    Generated Password
GR##-FI1     ____________________
GR##-FI2     ____________________
GR##-SD1     ____________________
GR##-SD2     ____________________
GR##-MM1     ____________________
GR##-MM2     ____________________


Solution 4: Maintaining and Evaluating User Data

Task 1:

1. Create a new user group ZGR## with a description of your choice.

a) Menu:

Tools → Administration → User Maintenance → Maintain User Groups (transaction code SUGR).

Enter ZGR## and choose Create (F8).

Task 2:

Create a user master record for a dialog user GR##-ADM.

1. Enter address data of your choice.

a) Menu:

Tools → Administration → User Maintenance → Users (transaction code SU01).

Enter GR##-ADM and choose Create (F8).

On the Address tab page

2. Enter an initial password of your choice and assign the user to user group ZSUPER.

Initial password: _______________

a) On the Logon Data tab page

3. Assign the logon language that you have used yourself for logging on.

a) On the Defaults tab page

4. Save your user master record.

a) Save your user master record.


Task 3:

Assign a predefined work center example to your new user master record by choosing the Other Menu button on the SAP Easy Access initial screen (on the application toolbar).

1. Choose the role ADM940_BC_ADMIN.

a) Choose the role ADM940_BC_ADMIN.

2. Assign your new user GR##-ADM to the role.

Choose the Assign users button and enter your user ID. Accept your settings and have the user master record comparison performed automatically.

a) Assign the new user GR##-ADM to this role. To do this, choose Assign users on the SAP Easy Access initial screen.

Enter the user ID and choose Add users.

Ensure that the user master records are compared automatically by choosing Yes on the dialog box that appears next.

Task 4:

Switch from the Other menu display to the SAP menu display.

Change the user master record of your user GR##-ADM.

1. Check the following points: Is a role assigned to the user?

Which role?

____________________

a) Menu → SAP Menu

b) Menu:

Tools → Administration → User Maintenance → Users (transaction code SU01).

Role ADM940_BC_ADMIN

2. Link your user with another role. Choose the role ADM940_PLUS.

a) Enter ADM940_PLUS on the Roles tab page.

3. Are authorization profiles assigned to your user?

Which authorization profile(s)?


___________________

a) Assigned authorization profiles:

ADM94_BC_A

ADM94_PLUS

Task 5:

1. Display the change documents for your user GR##-ADM by calling up the information system for users and authorizations and selecting the report Change documents for user.

Display Changes to authorizations and Changes to header data.

Does the list tell you that creating the user master record and assigning the user to roles were separate steps?

______________________________________________

a) Menu:

Tools → Administration → User Maintenance → Information System → Change Documents → For Users

Yes. The different time stamps tell you that the changes were made one after another.

Task 6:

Log on to the system as user GR##-ADM.

1. Do you need to enter a logon language?

____________________

a) No, the logon language is set in the user master.

2. Specify your own user password:

____________________

a) Specify a new user password

3. Check the user menu:

Which functions does it contain? List some examples.


______________________________________________

a) User

Display users

User mass maintenance

Maintain user groups

User buffer

Information System node with additional entries ...

4. Check the user buffer by calling the User Buffer function in your user menu (SAP menu).

How many authorizations are available?

____________________

For which authorization objects? List some examples.

______________________________________________

a) Menu: Tools → Administration → Monitor → User Buffer (transaction code SU56).

Number of authorizations: 13

b) S_TCODE (twice)

S_USER_AGR (twice)

S_USER_AUT

S_USER_GRP (three times)

S_USER_PRO

S_USER_SYS

P_TCODE

PLOG

S_ADRESS1

Task 7:

1. Log off as user GR##-ADM and log on again as user ADM940-##.

a) Menu: System → Log Off


Task 8:

Create additional master records using the User Mass Maintenance transaction.

1. In the User column, enter the following user names and choose Create.

User Name
GR##-FI1
GR##-FI2
GR##-SD1
GR##-SD2
GR##-MM1
GR##-MM2

a) Menu:

Tools → Administration → User Maintenance → User Mass Maintenance (transaction code SU10).

In the User column, enter the following user names and choose the Create (F8) icon.

2. Enter the user group ZGR## and the logon language that you use into the corresponding fields.

a) Logon data tab page:

Enter ZGR##

Defaults tab page:

Enter EN

3. Save the user settings and check the result in the change log.

Expand the log completely and enter the initial passwords generated into the following tables beside the user names.

User Name    Generated Password
GR##-FI1     ____________________
GR##-FI2     ____________________
GR##-SD1     ____________________
GR##-SD2     ____________________
GR##-MM1     ____________________
GR##-MM2     ____________________

a) Expand the log completely and enter the initial passwords generated into the tables contained in the exercise part.


Lesson Summary

You should now be able to:

• Create and change user master records

• Set the values on the tab pages of the user master record

• Define the differences between the user types

• Operate and implement mass maintenance

• Display and archive change documents for authorization assignment


Unit Summary

You should now be able to:

• Create and change user master records

• Set the values on the tab pages of the user master record

• Define the differences between the user types

• Operate and implement mass maintenance

• Display and archive change documents for authorization assignment


Unit 4

Working with the Profile Generator

Describe role maintenance to the participants in this unit, starting with a simple role and progressing to a derived role. Once all of the basic terms have been dealt with, round off the topic with the third lesson. After this lesson, the participants should be familiar with all icons in PFCG and with the functions that are accessible through its menu.

Unit Overview

Role maintenance in an SAP System is the central place with which authorizations are set for users, and combined into reusable blocks (roles). This unit describes all options and buttons in role maintenance. In practice, this is also referred to as the Profile Generator or PFCG, which is the transaction code.

This unit is divided into three lessons to allow a step-by-step approach.

Unit Objectives
After completing this unit, you will be able to:

• Describe and explain the basic steps for assigning authorizations with the Profile Generator
• Create new roles, change and copy roles, and specify their activities
• Display and maintain authorizations that were generated automatically
• Compare user master records directly in role maintenance "PFCG" or through user maintenance "SU01"
• Describe how to perform a mass comparison and state which report you can schedule for an automatic comparison
• Describe the use of Customizing roles
• Explain the advantages and disadvantages of composite roles
• Define the relationship between reference roles and derived roles
• Bundle frequently used transactions and map them with different instances using derived roles
• Interpret the red, yellow, and green traffic lights for different field contents
• Describe the meaning of the icons in the PFCG authorization maintenance
• Define the hierarchy of status terms, and explain when which term is used
• Distinguish between the expert mode and simple maintenance for authorizations
• List additional functions that are accessible through the menu

Unit Contents
Lesson: Profile Generator and Standard Roles ........................ 127
    Exercise 5: Profile Generator and Standard Roles ................ 149
Lesson: Special PFCG Roles .......................................... 167
    Exercise 6: Special PFCG Roles .................................. 179
Lesson: Subtleties of Authorization Maintenance ..................... 200
    Exercise 7: Subtleties of Authorization Maintenance ............. 209


Lesson: Profile Generator and Standard Roles
Lesson Duration: 80 Minutes

Lesson Overview
There are two lessons about role maintenance, covering simple and advanced maintenance with the Profile Generator. This lesson contains the basic role maintenance functions and the automatic generation of SAP Easy Access user menus for various work centers and the associated authorizations, profiles, and user assignments.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe and explain the basic steps for assigning authorizations with the Profile Generator
• Create new roles, change and copy roles, and specify their activities
• Display and maintain authorizations that were generated automatically
• Compare user master records directly in role maintenance "PFCG" or through user maintenance "SU01"
• Describe how to perform a mass comparison and state which report you can schedule for an automatic comparison

You will explain the central tool for generating and assigning authorizations and user menus in this lesson.

This tool has different names and is usually known as the Profile Generator. However, some customers refer only to PFCG or role maintenance.

There are two processing views in the Profile Generator: Basic Maintenance and Complete View. (Simple Maintenance for the Workplace can now only be activated by choosing Goto → Settings.)

• The Basic Maintenance view is used for user and authorization administration.
• If Organizational Management and/or Workflow is in use, the Complete View is used.

In the Profile Generator, you can select the transactions, reports, and Web links of which the user menu consists. An authorization profile is generated for the selected activities. The generated profile is assigned to the user through the assignment of the role. A role is a set of functions describing a work area. All of the steps necessary to do this are explained to the participants in this lesson.


Business Example
When you create authorizations and authorization profiles for groups of users, you should use the Profile Generator. Based on selected menu functions, the Profile Generator automatically generates authorization data and offers it for postprocessing. The authorization data assigned in this way is combined into profiles and can be assigned indirectly to users through roles.

Basic Maintenance of Roles Using the Profile Generator

Figure 47: The Profile Generator

What is the Profile Generator?

The Profile Generator is the central tool for generating authorizations and authorization profiles and assigning them to users.

In the Profile Generator, system administrators choose transactions, menu branches (from the SAP menu) or area menus. The functions chosen correspond to the field of activity of a user or a group of users. The Profile Generator offers two different maintenance views:

• Basic maintenance (menus, profiles, and other objects)
• Complete view (Organizational Management and workflow)

The menu tree set up by system administrators for users with a specific role in the company corresponds to the user menu that appears if a user (to which the corresponding role is assigned) logs on to the SAP System.


The Profile Generator automatically provides the corresponding authorizations for the functions chosen. Some of these authorizations have default values. Traffic light symbols tell you which values you need to maintain.

Finally, the Profile Generator generates an authorization profile from this data, which you can assign through the role.

Figure 48: Roles

What are roles?

A role is a set of functions describing a specific work area. The "Accounts Receivable Accountant" role, for example, contains transactions, reports, and/or Internet/Intranet links that an accounts receivable accountant needs for his or her daily work. Through roles, you also assign the authorizations that the user - in the example, the accounts receivable accountant - needs to access the transactions, reports, and so on contained in the menu.

Roles are used to implement the menus that users can work with after they have logged on to the SAP System. You can use roles predefined by SAP and roles that you have created yourself. You can find the predefined roles using the F4 help under Tools → Administration → User Maintenance → Role Administration → Roles, through the menu path Menu → Display Role Menu, or by choosing the "Other Menu" button.

You can use the report RSUSR070 to display the role templates that are delivered by SAP.

In addition to the normal "Login" users, you can assign object types such as jobs, organizational units, or positions to roles. This is referred to as integration using Organizational Management.


The following figures describe the required work steps performed when creating a role, up to assigning the role to the user. The text for the participants is often sufficiently detailed that you do not need to go into detail.

Figure 49: The Profile Generator: Work Steps

All required steps to create a role, including the assignment to the user, are listed in the following as a thread.

To call the Profile Generator, choose "Create menu" on the SAP Easy Access initial screen, or choose the following menu path: Tools → Administration → User Maintenance → Role Administration → Roles. The corresponding transaction code is "PFCG".

Thread

- The first step is defining the role and entering a short description of its contents.
- In the second step, you define the activities for the user role. The result of this definition process is a role (or several roles) that collects all activities of the role - represented by means of transactions, reports, and Web addresses.
- Simultaneously you define what the menu tree for the new user role should look like.
- Afterwards, the authorizations for the activities selected are created and profiles generated. This step normally involves the greatest administrative maintenance effort.
- Subsequently, the users are assigned to the roles.
- Finally (depending on the settings in PFCG), the comparison with the user master records of the users which have just been assigned to the roles is performed.

Figure 50: Profile Generator: Views

Basic Maintenance allows you to:

• Access all of the functions for role maintenance
• Assign the roles only to SAP users

The Complete View (Organizational Management) displays all assignments and data for a role.

This view is useful for users in Personnel Planning and Development, particularly for organizational management and workflow. The Complete View allows you to:

• Access all of the functions for role maintenance
• Change the validity time period of the role
• Link tasks with a role
• Assign the role to objects in the organizational plan and restrict the validity dates for each assignment

So that the process of creating a role is easier to remember, all process steps are shown repeatedly in the form of a "to do" list in this lesson.


Figure 51: Process Steps: Define role name

Figure 52: Defining the Role Name and Description

Note that the roles delivered by SAP start with the prefix "SAP_" and can be used as templates. If you want to create your own user roles, do not use the SAP namespace.


Caution:
Roles with the "SAP_" prefix are overwritten during an upgrade or when relevant Support Packages that contain roles of the same name are imported. We therefore recommend that you copy these templates to the customer namespace before changing them.

SAP does not use different names for single and composite roles. When creating or naming your roles, you should consider a naming concept that differentiates between single and composite roles. It is also useful to include a system abbreviation in the naming concept.

Hint:
Up to 30 characters are available to you for the role name. The name that you select is, however, not language-dependent.

Figure 53: Process Step: Determine activities


The following figure gives you an opportunity to explain the contents of which a role can consist. There is not an error in the figure, even if it looks as though the Reports have been lost between the possible Activities and Roles. Point out the special features for reports to the participants.

Hint:
If reports are used in roles, a transaction code is always assigned. This can be automatically generated, or the administrator can specify the code.

Figure 54: Determine activities

Definition of the roles:

Using roles, you define which activities are assigned to a specific role in the company. The authorization administrator selects those transactions in the Profile Generator that users with a specific role in the company must perform regularly. The administrator also chooses any Web addresses if these are useful for the daily work of a role holder (for example, a weather forecast service would be of interest to field service personnel). In addition, frequently needed reports can also be added to the user menu.

Hint:
If, for example, a report is included, it is important to know the special features associated with this:

• If they are used in a role, reports always have a transaction code
• The transaction code can be automatically generated by the system or specified by the administrator
• If you assign a new transaction code although a transaction code has already been created for this report (for example, for another role), the system displays a message that informs you about the situation. If necessary, you can choose between the new and the old transaction codes.

You can create completely new roles if required. In most cases, however, it is easier to use the roles delivered by SAP as a template, to copy them, and then change them to meet your own requirements. You can choose the copy icon on the initial screen of transaction PFCG.

You have two options when copying:

1. Copy selectively

You decide what is copied.

2. Copy all

Personalization and user assignment are also automatically copied.

Use your own words to describe to the participants the sources from which a role menu can be built up.

The transactions are specified here. Take these from various sources (templates, direct entry, and so on). Other options for editing: subsequently deleting entries, changing the order, and so on.


Figure 55: Process Step: Structuring the Role Menus

Figure 56: Creating and Structuring Menus

Changing the functions:

You can adjust the transactions listed in the menu tree of a role to meet your individual requirements:

• You can delete transactions that you do not need and add new ones (by choosing the "Transaction" button or by copying transactions "from other roles" or from other "menus").

• You can add reports (by choosing the "Report" button). The Profile Generator generates a transaction code (which is either created automatically or which you define yourself) that can be used to start the report from the menu. You can also include queries, BW reports, and transactions with variants in this way.

• You can add Internet sites (by choosing the "Other" button). Similarly, you can add links to documents (such as Microsoft Excel files). You add links to documents in the same way as you add links to Internet pages. Instead of the URL, you then enter the path of the required file.

Hint:
When defining Web addresses or file paths, you can specify variables, which are defined in transaction SM30_SSM_VAR. You should then enter the variables in upper case letters in angle brackets in the Web address, such as "<VARIABLE_NAME>". When the Web address is started, the variable is automatically replaced by the associated value.

Changing the menus:

You can create, delete, move or rename directories. The operation is similar to that of graphical file managers.

To distribute the role to a particular target system, choose Distribute. Note that the authorization data for the role is not distributed together with the role. You must therefore add the authorization data for distributed roles in the target system. There are other settings that you need to take into account for this distribution. For more information, see the F1 help.

As of SAP R/3 4.6C, you can also use transaction ROLE_COMP to compare and adjust role menus across systems.

For a good starting point for the following figures, ask the participants:

Where does the authorization data come from?

Can you still change the values that you see here?


Who decides which values appear here?

Hint:
Authorization data is generated based on previously selected activities. The organizational level fields (such as the company code) are a special feature here. These are defined in table USVAR (transaction SM30). The customer can create authorization fields for organizational level fields (see SAP Note 323817).

Figure 57: Process Step: Maintain authorization data


Figure 58: Maintain authorization data

Creating the authorizations and authorization profiles:

The Profile Generator automatically generates authorizations based on the menu functions that you have chosen before. The Profile Generator cannot, however, propose "default value" authorizations that are suitable for everyone in the company. Therefore, the authorization administrator must normally postprocess the authorizations manually in cooperation with the user departments and the audit division. By choosing "Organizational Levels", you can simultaneously maintain a large number of authorization fields. This greatly simplifies the manual postprocessing work.

In the example, the transaction SO01 (SAP Office) was added to the role MY_ROLE (which was created by copying the SAP template). As a result, the yellow traffic lights appear in the menu tree in the above example. The authorization for file access is a good example to show why manual postprocessing is necessary: the Profile Generator cannot know if the users should have only read access or also write access to the files.
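The organizational-level step and the traffic lights described above can be modelled in a few lines. The following Python is an added example written for this page, not SAP code: it takes constructed authorization proposals for the two material-management roles of Exercise 5, fills the organizational-level fields (WERKS, BUKRS and the other fields named in the exercise) in one step, and derives the per-class traffic-light status. The object classes AAAB, MM_G and MM_B, the object M_MATE_WRK and all default values are assumptions made for the illustration; they are not SU24 defaults from a real system.

```python
from dataclasses import dataclass

# Fields that the Profile Generator treats as organizational levels
# (maintained in table USVAR in a real system). Constructed subset.
ORG_LEVEL_FIELDS = {"BUKRS", "WERKS", "VKORG", "VTWEG", "LGNUM"}


@dataclass
class Authorization:
    """One authorization proposed for a role: object class, object and
    field values. An empty value list means the field is still open."""
    obj_class: str
    obj: str
    fields: dict

    def open_fields(self):
        return sorted(f for f, vals in self.fields.items() if not vals)

    def status(self):
        # yellow: at least one field still needs a value; green: maintained
        return "yellow" if self.open_fields() else "green"


def apply_org_levels(auths, org_levels):
    """The 'Organizational Levels' dialog: fill every open org-level field
    of every authorization from one set of values. Fields that are not
    org levels (ACTVT, STATM, BWART) stay open for manual maintenance."""
    for auth in auths:
        for name, vals in auth.fields.items():
            if name in ORG_LEVEL_FIELDS and not vals:
                auth.fields[name] = list(org_levels.get(name, []))
    return auths


def class_status(auths):
    """Traffic light per object class, as shown in the PFCG tree:
    yellow if any authorization of that class has an open field."""
    result = {}
    for auth in auths:
        if auth.status() == "yellow":
            result[auth.obj_class] = "yellow"
        else:
            result.setdefault(auth.obj_class, "green")
    return result


def set_full_authorization(auth, field_name):
    """Entering '*' for one field (the 'full authorization' choice)."""
    auth.fields[field_name] = ["*"]


def add_values(auth, field_name, values):
    """Add values to a field that already has proposals (Exercise 5, task 2)."""
    for v in values:
        if v not in auth.fields[field_name]:
            auth.fields[field_name].append(v)


def sample_mat_anz():
    """Constructed proposals for GR##_MM_MAT_ANZ (menu MM03, MM04, MM19).
    Object classes and M_MATE_WRK are assumed for the example."""
    return [
        Authorization("AAAB", "S_TCODE", {"TCD": ["MM03", "MM04", "MM19"]}),
        Authorization("MM_G", "M_MATE_STA", {"ACTVT": ["03"], "STATM": []}),
        Authorization("MM_G", "M_MATE_WRK", {"ACTVT": ["03"], "WERKS": []}),
    ]


def sample_im_post():
    """Constructed proposals for GR##_MM_IM_POST (menu MB1C, MB90, VL21).
    The movement types 101 and 102 are assumed default proposals."""
    return [
        Authorization("AAAB", "S_TCODE", {"TCD": ["MB1C", "MB90", "VL21"]}),
        Authorization("MM_B", "M_MSEG_BWA",
                      {"ACTVT": ["01"], "BWART": ["101", "102"], "WERKS": []}),
    ]


if __name__ == "__main__":
    auths = sample_mat_anz()
    print("before org levels:", class_status(auths))
    apply_org_levels(auths, {"BUKRS": ["1000"], "WERKS": ["1000", "1100", "1200"],
                             "VKORG": ["1000"], "VTWEG": ["*"], "LGNUM": ["*"]})
    print("after org levels: ", class_status(auths))
    for a in auths:
        if a.open_fields():
            print("still open:", a.obj, a.open_fields())
```

Running it answers the questions of task 1 in Exercise 5 for these constructed proposals: the class AAAB is green from the start because S_TCODE is filled from the menu, MM_G stays yellow after the org-level step because the maintenance status STATM is not an organizational level, and only entering a value for it (here "*") turns the class green.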


The next figure is about extending the authorization objects proposed by the Profile Generator with manual entries (objects).

Hint:
Discuss with the participants the different sources using which the manual objects can be selected. Ensure that you ask the question: "Why do you want to enter an authorization object manually?"

You will receive various reasons. It is usually, however, objects that are not offered through the Profile Generator, but which are required due to a transaction in the menu. Reasons for this could be:

• SAP checks this object but has forgotten to propose it
• It is a customer development
• A field exit with an additional check is being used
• It is an object that is required by every user of this role using the jump through the menu

You can see that there are many reasons. However, this should not mean that objects are entered manually. Have the Profile Generator propose them instead; the solution for this is SU24.

Figure 59: Manual Insertion of Authorizations


Although the Profile Generator automatically generates the authorizations, you can also add authorizations manually to an existing profile, which might be desirable in some cases. To do this, choose the "Change Authorization Data" button on the "Authorizations" tab page, and then Edit → Insert Authorizations. The following options are available:

� Selection criteria:

Here you can find authorizations for objects grouped by object class.

� Manual input:

If you know the name of the authorization object for which you wantto manually add authorizations, you can enter it here directly.

� Full authorization:

This option fills all authorizations with the value "*".

� From profile...:

Here you can use authorizations from individual profiles.

� From template...:

If you want to create a user with "almost all" authorizations, you can use the SAP authorization templates designed for this purpose.

Question?

Is it sensible to insert an object manually? Why not have the ProfileGenerator propose this object?

For more information, see transaction SU24 (Maintain Assignment of Authorization Objects to Transactions).

There is not now much to do before the role is complete and the settings can be used by users.

Point out to the participants that new queries have now been programmed for the exit from authorization maintenance; they can be displayed if required:

• Status of the profile
• Status of the data


A profile can have the following statuses: unchanged, saved, changed,or generated.

Hint: Explain about naming. 10 characters; the system proposes a name, which can be overwritten if necessary.

Figure 60: Process Step: Generate authorization profile

Figure 61: Generate authorization profile


Having maintained the authorizations in accordance with the policies of your company, you can generate the authorization profile. It is only then that the authorizations contained take effect.

During the generation, the Profile Generator collects all entered values and assigns them to a profile. However, one profile can only contain a certain number of authorizations. It is therefore possible that one role has several profiles. You can recognize these profiles from the fact that their names are identical for the first 10 characters, with an appended number from 1 to 99 (SAP Note 16466). These are known as sequential profiles.

This division is performed automatically and is decided by the Profile Generator. It depends on the fields used and on the number of entries.

Describe the options for user assignment to the participants.

Hint:
The assignment does not yet mean that a comparison with the user's master record is performed. This is mandatory; otherwise the user receives no authorizations. Explain this in connection with the report PFCG_TIME_DEPENDENCY and transaction PFUD.

Figure 62: Process Step: Assign users


Figure 63: Assigning Users to Roles

Assigning users:

So that users are provided with the menu tree for their role when they log on to the system, you must assign roles to them.

You assign roles to users by adding the corresponding names to the list on the User tab page of the Profile Generator. Users can be assigned to more than one role. It makes sense to define roles for specific cross-role activities. An example is the activity "Print". Regardless of their function, all users (who are authorized to print) can be assigned to a role with the activity "Print". This eliminates the need to add the "Print" transaction to a large number of roles, which is a cumbersome task.

It is also possible to assign roles to users for a limited period of time only. This makes sense, for example, for the year-end closing. Physical inventory activities should only be allowed for a limited time. So that a time-dependent assignment of an activity profile to a user master record becomes effective, you must perform a comparison (see the figure Compare User Master Record).


There are two ways to do this:

1. As a background job: Report PFCG_TIME_DEPENDENCY is run before the start of the business day, but after midnight, meaning that the authorization profiles in the user master record always have the most up-to-date status in the morning.

2. Alternatively, using transaction PFUD (User Master Data Reconciliation).

As an administrator, you should regularly execute this transaction as a check. In this way, you can manually process errors that may have occurred and been reported during the background job. Choose the Complete Reconciliation radio button to compare all roles.

After the comparison is processed, a log is displayed, in which actions with errors are reported (background processing log for the background job).

The last step to be performed is the user master comparison from transaction PFCG.

Explain to the participants that the next step means that the assigned authorization profiles of the roles are entered in the user master record. Demonstrate the behavior of the icons.

Figure 64: Process Step: User master record comparison


Figure 65: User master record comparison

Comparing the user master:

So that users are allowed to execute the transactions contained in the menu tree of their roles, their user master record must contain the profile for the corresponding roles.

You can start the user compare process from within the Profile Generator ("User" tab page and "User Comparison" button). As a result of the comparison, the profile generated by the Profile Generator is entered into the user master record.

Hint:
The condition for this, however, is that the validity period of the role includes the current date. If this is not the case, the role is assigned and entered into the master record, but the profile is not.

If you assign roles to users for a limited period of time only, you must perform a comparison at the beginning and at the end of the validity period. We recommend that you schedule the background job PFCG_TIME_DEPENDENCY in such cases.

Caution:
Never enter generated profiles directly into the user master record (SU01). During a user comparison, for example automatically with report PFCG_TIME_DEPENDENCY, generated profiles are removed from the user masters if they do not belong to the roles that are assigned to the user.
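The hint and the caution above describe rules that are easy to get wrong in day-to-day administration. The following Python is an added example written for this page, not SAP code: it models one user master record, its role assignments with validity periods, and the user master comparison as PFCG, PFUD and PFCG_TIME_DEPENDENCY perform it, so that you can see why an assignment alone grants nothing, why a limited assignment needs a comparison at both ends, and why a generated profile typed into SU01 disappears. The user, role and profile names (GR##-MM1, GR##_FI_01, Z_MANUAL and so on) and the validity dates are constructed for the illustration; a real comparison reads the role and profile tables instead of the dictionaries used here.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

UNLIMITED = date(9999, 12, 31)   # "valid to" of an unlimited assignment


@dataclass
class Role:
    name: str
    profiles: list               # generated profiles; empty if not generated yet


@dataclass
class Assignment:
    role: str
    valid_from: date
    valid_to: date = UNLIMITED

    def active_on(self, day):
        return self.valid_from <= day <= self.valid_to


@dataclass
class UserMaster:
    name: str
    assignments: list = field(default_factory=list)
    profiles: set = field(default_factory=set)   # the profile list shown in SU01


def user_master_comparison(user, roles, today):
    """Rebuild the profile list of one user from its role assignments.

    Rules from the lesson:
    - profiles of roles whose validity period includes today are entered;
    - an assignment that is not yet valid or already expired keeps the role
      in the master record, but not its profiles;
    - a generated profile that is not justified by a currently valid
      assignment is removed, even if it was typed into SU01 by hand;
    - profiles that no role generated (manually created ones) are kept.
    Returns (added, removed) as the comparison log would report them.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    generated = {p for r in roles.values() for p in r.profiles}
    wanted = set()
    for a in user.assignments:
        if a.active_on(today) and a.role in roles:
            wanted.update(roles[a.role].profiles)
    manual = user.profiles - generated
    new = manual | wanted
    added, removed = sorted(new - user.profiles), sorted(user.profiles - new)
    user.profiles = new
    return added, removed


def has_profile(user, profile):
    """What an authorization check sees: the profile list, not the assignment."""
    return profile in user.profiles


def comparison_dates(user):
    """Days on which the profile set can change and a comparison must run:
    every validity start and the day after every validity end. A nightly
    PFCG_TIME_DEPENDENCY job covers all of them."""
    days = set()
    for a in user.assignments:
        days.add(a.valid_from)
        if a.valid_to < UNLIMITED:
            days.add(a.valid_to + timedelta(days=1))
    return [d.isoformat() for d in sorted(days)]


def sample_scenario():
    """Constructed: a warehouse user with a permanent display role, a
    year-end posting role limited to two weeks, one manually created
    profile, and one generated profile that was entered directly in SU01."""
    roles = {
        "GR##_MM_MAT_ANZ": Role("GR##_MM_MAT_ANZ", ["GR##_MM_01"]),
        "GR##_FI_IP_POST": Role("GR##_FI_IP_POST", ["GR##_FI_01"]),
    }
    user = UserMaster(
        "GR##-MM1",
        assignments=[
            Assignment("GR##_MM_MAT_ANZ", date(2003, 12, 1)),
            Assignment("GR##_FI_IP_POST", date(2003, 12, 29), date(2004, 1, 9)),
        ],
        profiles={"Z_MANUAL", "GR##_FI_01"},
    )
    return user, roles


if __name__ == "__main__":
    user, roles = sample_scenario()
    for day in ["2003-12-12", "2003-12-29", "2004-01-10"]:
        added, removed = user_master_comparison(user, roles, day)
        print(day, "added", added, "removed", removed, "->", sorted(user.profiles))
    print("comparison needed on:", comparison_dates(user))
```

The first run shows the caution in action: GR##_FI_01 was entered in SU01 by hand, but on 12 December the role that generates it is not yet valid, so the comparison removes it; the manual profile Z_MANUAL is left alone. The later runs show why a limited assignment needs a comparison on both its first day and the day after its last day.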


Discuss, with your own words, the purpose of the next participant exercise.It should familiarize them with the basic functions of PFCG.

The next two lessons (in the case of SAP course ADM940) discuss specialtypes of role and subtleties when creating roles.


Exercise 5: Profile Generator and Standard Roles
Exercise Duration: 40 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Create roles with the Profile Generator and determine their activities
• Check and maintain authorizations that were generated automatically
• Copy roles
• Assign users and perform a user comparison

Business Example
This role maintenance exercise deals with simple maintenance using the Profile Generator. The following tasks should familiarize you with the basic role maintenance functions and the automatic generation of SAP Easy Access user menus for various work centers and the associated authorizations, profiles, and user assignments. If you are attending SAP course ADM940, the next two lessons deal with special role types and the subtleties of authorization maintenance.

System Data
System: These SAP systems change weekly. Training administration will provide you with the exact ID of your SAP R/3 Enterprise system.
Client: The training courses are held in the 8xx clients; training administration will provide you with the exact numbers. One of the clients is set up as the central system.
User ID: The user IDs for SAP courses should have a uniform structure. The IDs contain the course ID and a two-digit group number. For example, for the ADM940 course: User ID "ADM940-##". At the start of the course, the instructor creates the users using transaction "ZUSR" and the template "ADM940-MODEL". The participants receive the required roles and authorizations for the exercises through the template.
Password: The instructor can set a uniform password for the users when creating them (such as "ADM940"). Training administration will inform you of the instructor password for access to the system.


Set-up instructions:

1. This training material was developed in a new documentation environment. This technology is called "XML". With this technology, individual lessons are created. These are complete entities. These entities can then be combined into units as required and reused in various courses. However, this can also mean that results from exercises that were created in other lessons are the prerequisite for performing other lessons. To ensure that you are able to solve the tasks, note the following. This exercise refers repeatedly to content from the "sample authorization concept". This was created in SAP course ADM940 in the lesson Creating and Implementing an Authorization Concept. If this is not SAP course ADM940, you can read the information required for the tasks in the two tables below, and distribute this information to the participants.

2. All of the users, roles, and profiles (specifications) that the participants are to call have already been set up by the weekly system copy. If data is missing, contact the system administrators or the course author. The content to be created by the participants has been created in the system with the ID "...##" for the participant group numbers, and the instructor number "00" for comparison.

SAP R/3 Links (scope per job role)

Enterprise area:  FI        SD         SD        MM
Job role:         AccRec    SD-Clerk   SD-Man    Whouse

T Code   Scope
MM01
MM02
MM03     x x x x
MM19     x x x x
MM04     x x x x
FD01     x x
FD02     x x
FD03     x x
VD01     x x
VD02     x x
VD03     x x
VA21     x x
VA22     x x
VA23     x x
VA25     x x
VA01     x x
VA02     x x
VA03     x x
V.01     x x
MB1C     x
MB90     x
VL21     x
F-18     x
F-26     x
F-28     x

Sample Authorization Concept (job role)

Name of the Role          Transactions for this Role
GR##_MM_MAT_ANZ           MM03, MM04, MM19
GR##_FI_AC-CREC_MAINT     FD01, FD02, FD03
GR##_SD_CUST_MAINT        VD01, VD02, VD03
GR##_SD_SALES             VA21, VA22, VA23, VA25, VA01, VA02, VA03, V.01
GR##_MM_IM_POST           MB1C, MB90, VL21
GR##_FI_IP_POST           F-18, F-26, F-28


Sample Authorization Concept (role distribution)

Task 1:
Create a role GR##_MM_MAT_ANZ to display a material master.

Enter a short description, and save your role.

1. Go to the Menu tab page and select the transactions that are listed in the sample authorization concept.

Create a folder with the name WWW Links.

Add a Web address with the name SAP and the URL http://www.sap.com to this folder.

Check the functionality of this Web address by double-clicking it.

Create another Web address with a link to the homepage of your company.

Save your role.

2. Go to the Authorizations tab page. Select the normal mode (Change authorization data).

Define the organizational levels:

- Company code: 1000

- Warehouse number/complex: *

- Sales organization: 1000

- Distribution Channel: *

- Plant: 1000, 1100, 1200

Display the technical names for the authorizations (Utilities menu).

3. Check the traffic light symbol status:

For which authorization object class are all authorization field contents maintained?

Authorization object class:

_________________________________________________

For which authorization objects of the object class MM_G do you have to supply authorization values?

Authorization Objects:

_________________________________________________

_________________________________________________


_________________________________________________

_________________________________________________

4. Set the authorization for the maintenance status in the authorizationobject M_MATE_STA to full authorization.

What is the status of the authorization after your change?

_________________________________________________

Set all open authorization values to full authorization (top set of traffic lights).

What happens to the traffic light symbol for object class MM_G after you have assigned values to all open fields?

_________________________________________________

5. Generate the authorization profile for your role. Assign the following profile name:

GR##_MM_01

6. Exit the authorization maintenance screen and check the status of your authorization profile in the information section of the Authorizations tab.

What is the status of your authorization profile?

_________________________________________________

Complete the maintenance of this role and return to the initial screen of transaction PFCG.

Task 2: Create a role GR##_MM_IM_POST with authorizations for a warehouse supervisor.

Enter a short description, and save your role.

1. Go to the Menu tab and select the transactions that are listed in the sample authorization concept.

Create a folder and use Drag&Drop to move all transactions to this folder. Save your role.

2. Go to the Authorizations tab page. Select the normal mode (Change authorization data).

Define the organizational levels:

- Plant: 1000, 1100, 1200


Display the technical names for the authorizations (Utilities menu).

3. Make the following adjustments:

Add the authorization values 561 and 562 to the authorization values for the Movement Type field of the authorization object M_MSEG_BWA.

Set full authorization for all open authorization values.

4. Generate the authorization profile for your role. Accept the proposed profile name. Exit the maintenance of this role.

Task 3: The following exercise is optional.

Use the role GR##_MM_IM_POST as a template to create the role GR##_MM_IM_POST1200. Choose the Copy icon and copy all settings from the template.

1. In transaction PFCG, enter the role GR##_MM_IM_POST, and choose the option Copy. Confirm the query that appears by choosing Copy All.

Go to the Menu tab page.

Are you allowed to select additional activities or delete existing activities?

_________________________________________________

2. Go to the Authorizations tab page.

Check the status of the authorization profile in the information section of the tab page.

What is the status of the authorization profile?

_________________________________________________

Select the normal mode (Change authorization data).

Did the system copy the authorizations of the copy template?

_________________________________________________

Assign the value 1200 to the organizational level Plant.

Generate the authorization profile for your role and accept the proposed profile name.

Exit the authorization maintenance screen and check the status of your authorization profile in the information section of the Authorizations tab.


What is the status of your authorization profile?

_________________________________________________

Task 4: Create a role GR##_BC_PORTALS by copying a role menu. This role is to be assigned to all GR## users and contain functions of general interest.

1. Enter a short description, and save your role.

Go to the Menu tab page and copy the menu of the predefined role SAP_BC_SRV_USER by selecting all transactions.

Save the menu.

2. Go to the Authorizations tab page.

Set full authorization for all open authorization field values.

Generate the profile and accept the proposed profile name.

3. Go to the User tab page.

What is the traffic light symbol status of the tab?

_________________________________________________

Assign your role to all users that you have created with the user name GR## (the users GR##-FI1, GR##-FI2, GR##-SD1, GR##-SD2, GR##-MM1, GR##-MM2 should exist with the user group ZGR##, from another lesson of the SAP course ADM940).

Check the settings for the user comparison (menu: Utilities → Settings). Ensure that a user comparison is automatically performed when you save.

4. What happens to the traffic light symbol status of the User tab after you have saved the data?

__________________________________________________________

What happens during the user compare process?

_________________________________________________

_________________________________________________

_________________________________________________

5. Assign the role ADM940_PLUS to the users from task 4-3.


Save your user assignment.

Hint: With this exercise, it is possible that participants lock each other when saving the settings. If this happens, please wait a moment and try again.

6. Display the user master record of user GR##-MM1.

Is the user linked to roles? If yes, to which ones?

________________________________

________________________________

Are authorization profiles assigned to the user?

________________________________


Solution 5: Profile Generator and Standard Roles

Task 1: Create a role GR##_MM_MAT_ANZ to display a material master.

Enter a short description, and save your role.

1. Go to the Menu tab page and select the transactions that are listed in the sample authorization concept.

Create a folder with the name WWW Links.

Add a Web address with the name SAP and the URL http://www.sap.com to this folder.

Check the functionality of this Web address by double-clicking it.

Create another Web address with a link to the homepage of your company.

Save your role.

a) Menu:

→ Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Choose the Basic Maintenance view, create a short description, and save your role.

b) Use the Transaction button to select the following transactions:

MM03

MM04

MM19

To create a folder, choose the Create folder icon.

To create a Web address, choose the Add Other button, enter a description in the Text field and a URL in the field Web address or file in the format: http://www.sap.com

Save your role.

2. Go to the Authorizations tab page. Select the normal mode (Change authorization data).

Define the organizational levels:

- Company code: 1000


- Warehouse number/complex: *

- Sales organization: 1000

- Distribution Channel: *

- Plant: 1000, 1100, 1200

Display the technical names for the authorizations (Utilities menu).

a) You can enter multiple plants by choosing the More Values button.

Display the technical names for the authorizations.

Menu: → Utilities → Technical Names On

3. Check the traffic light symbol status:

For which authorization object class are all authorization field contents maintained?

Authorization object class:

_________________________________________________

For which authorization objects of the object class MM_G do you have to supply authorization values?

Authorization Objects:

_________________________________________________

_________________________________________________

_________________________________________________

_________________________________________________

a) Cross-application authorization objects: AAAB

b) Authorization objects whose authorization field values are not completely maintained are flagged with a yellow traffic light.

The following authorization objects are not completely maintained:

M_MATE_MAR

M_MATE_MAT

M_MATE_STA

M_MATE_WGR

4. Set the authorization for the maintenance status in the authorization object M_MATE_STA to full authorization.

What is the status of the authorization after your change?


_________________________________________________

Set all open authorization values to full authorization (top set of traffic lights).

What happens to the traffic light symbol for object class MM_G after you have assigned values to all open fields?

_________________________________________________

a) To do this, choose the asterisk before the open field value.

Status: Maintained

b) To do this, click the traffic light symbol at the top hierarchy level with the left mouse button, and confirm the assignment of full authorization.

The traffic light symbol turns to Green.

5. Generate the authorization profile for your role. Assign the following profile name:

GR##_MM_01

a) Choose the Generate icon.

6. Exit the authorization maintenance screen and check the status of your authorization profile in the information section of the Authorizations tab.

What is the status of your authorization profile?

_________________________________________________

Complete the maintenance of this role and return to the initial screen of transaction PFCG.

a) Status: Authorization profile is generated

Task 2: Create a role GR##_MM_IM_POST with authorizations for a warehouse supervisor.

Enter a short description, and save your role.

1. Go to the Menu tab and select the transactions that are listed in the sample authorization concept.


Create a folder and use Drag&Drop to move all transactions to this folder. Save your role.

a) Menu:

→ Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Choose the Basic Maintenance view, create role GR##_MM_IM_POST and a short description. Save your role.

b) Select the following transactions with From SAP Menu or Transaction:

MB1C

MB90

VL21

2. Go to the Authorizations tab page. Select the normal mode (Change authorization data).

Define the organizational levels:

- Plant: 1000, 1100, 1200

Display the technical names for the authorizations (Utilities menu).

a) When assigning the organizational levels, you can specify multiple values for a field by choosing the More Values button.

Menu: → Utilities → Technical Names On

3. Make the following adjustments:

Add the authorization values 561 and 562 to the authorization values for the Movement Type field of the authorization object M_MSEG_BWA.

Set full authorization for all open authorization values.

a) You can enter the field values for the authorization object M_MSEG_BWA by clicking the pencil. You can find this authorization object in the object class MM_B.

Assigning full authorization: To do this, click the traffic light symbol at the top hierarchy level, and confirm the assignment of full authorization.

4. Generate the authorization profile for your role. Accept the proposed profile name. Exit the maintenance of this role.

a) Choose the Generate icon.


Task 3: The following exercise is optional.

Use the role GR##_MM_IM_POST as a template to create the role GR##_MM_IM_POST1200. Choose the Copy icon and copy all settings from the template.

1. In transaction PFCG, enter the role GR##_MM_IM_POST, and choose the option Copy. Confirm the query that appears by choosing Copy All.

Go to the Menu tab page.

Are you allowed to select additional activities or delete existing activities?

_________________________________________________

a) Copy the role GR##_MM_IM_POST to the new role GR##_MM_IM_POST1200 by choosing the Copy Role icon.

Choose Change.

b) Yes. The copied role behaves like a newly created role.

2. Go to the Authorizations tab page.

Check the status of the authorization profile in the information section of the tab page.

What is the status of the authorization profile?

_________________________________________________

Select the normal mode (Change authorization data).

Did the system copy the authorizations of the copy template?

_________________________________________________

Assign the value 1200 to the organizational level Plant.

Generate the authorization profile for your role and accept the proposed profile name.

Exit the authorization maintenance screen and check the status of your authorization profile in the information section of the Authorizations tab.

What is the status of your authorization profile?


_________________________________________________

a) Status: Current version not generated

b) Did the system copy the authorizations of the copy template?

Yes, they were copied too.

Choose Organizational levels. Plants 1000, 1100, and 1200 have been copied. Delete the entries for plants 1000 and 1100.

Status: Authorization profile is generated
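To make the results of Tasks 2 and 3 concrete, here is an added worked example (it is not part of the course material and not SAP code): a Python model of the AUTHORITY-CHECK rules against which a generated profile is evaluated. It assumes that M_MSEG_BWA carries the fields ACTVT, BWART (movement type) and WERKS (plant), as in the standard object definition, uses group number 01 for GR##, and models only the field values the exercise names.

```python
"""Model of an SAP authority check against generated profile data.

Added illustration, not SAP code. It reproduces the rules the exercise
relies on:
  * an authorization is a set of field/value pairs for ONE object; a
    check succeeds only if EVERY tested field matches (AND),
  * a user may hold several authorizations for the same object (from
    several roles); any ONE matching authorization suffices (OR),
  * '*' is full authorization for a field, a trailing '*' is a prefix
    pattern, and a (low, high) tuple is an inclusive range (PFCG From/To).
Assumption: M_MSEG_BWA carries the fields ACTVT, BWART and WERKS.
"""
from dataclasses import dataclass


@dataclass
class Authorization:
    obj: str        # authorization object, e.g. M_MSEG_BWA
    fields: dict    # field name -> set of allowed values / patterns


def value_allowed(allowed, value):
    """Does one field value match any of the maintained values?"""
    for pattern in allowed:
        if isinstance(pattern, tuple):           # closed range, e.g. ("1000", "1200")
            low, high = pattern
            if low <= value <= high:
                return True
        elif pattern == "*":                     # full authorization
            return True
        elif pattern.endswith("*"):              # prefix pattern, e.g. "1*"
            if value.startswith(pattern[:-1]):
                return True
        elif pattern == value:
            return True
    return False


def authority_check(profile, obj, **tested):
    """AUTHORITY-CHECK semantics: fields not named in `tested` are not
    checked; every named field must be allowed by the SAME authorization."""
    for auth in profile:
        if auth.obj != obj:
            continue
        if all(value_allowed(auth.fields.get(name, set()), val)
               for name, val in tested.items()):
            return True
    return False


# Generated profile of GR01_MM_IM_POST (Task 2): plants 1000, 1100 and 1200,
# movement types 561 and 562 added, all other open fields set to full ('*').
# The SU24 proposals PFCG pulls in for MB1C/MB90/VL21 are left out.
PROFILE_MM_IM_POST = (
    Authorization("M_MSEG_BWA", {"ACTVT": {"*"},
                                 "BWART": {"561", "562"},
                                 "WERKS": {"1000", "1100", "1200"}}),
)

# Profile of the copy GR01_MM_IM_POST1200 (Task 3): identical, except that the
# organizational level Plant was cut down to 1200.
PROFILE_MM_IM_POST1200 = (
    Authorization("M_MSEG_BWA", {"ACTVT": {"*"},
                                 "BWART": {"561", "562"},
                                 "WERKS": {"1200"}}),
)


def can_post_goods_movement(profile, movement_type, plant):
    """What a posting transaction such as MB1C asks before it writes."""
    return authority_check(profile, "M_MSEG_BWA",
                           ACTVT="01", BWART=movement_type, WERKS=plant)


if __name__ == "__main__":
    for name, prof in (("GR01_MM_IM_POST", PROFILE_MM_IM_POST),
                       ("GR01_MM_IM_POST1200", PROFILE_MM_IM_POST1200)):
        for bwart, werks in (("561", "1100"), ("561", "1200"),
                             ("101", "1200"), ("562", "2000")):
            print(name, bwart, werks, can_post_goods_movement(prof, bwart, werks))
```

Running it shows that the copy restricted to plant 1200 denies a posting in plant 1000 while the original allows it, and that a user master holding both profiles is allowed again: authorizations for the same object are combined with OR, so narrowing one role never restricts a user who also holds a wider one.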

Task 4: Create a role GR##_BC_PORTALS by copying a role menu. This role is to be assigned to all GR## users and contain functions of general interest.

1. Enter a short description, and save your role.

Go to the Menu tab page and copy the menu of the predefined role SAP_BC_SRV_USER by selecting all transactions.

Save the menu.

a) Menu:

→ Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Choose the Basic Maintenance view, create a short description, and save your role.

b) Go to the Menu tab page and copy the menu of the predefined role SAP_BC_SRV_USER by selecting all transactions. To do this, choose the From other role button under Copy Menus.

2. Go to the Authorizations tab page.

Set full authorization for all open authorization field values.

Generate the profile and accept the proposed profile name.

a) Assigning full authorization: To do this, click the traffic light symbol at the top hierarchy level, and confirm the assignment of full authorization.

Choose the Generate icon.

3. Go to the User tab page.

What is the traffic light symbol status of the tab?

_________________________________________________


Assign your role to all users that you have created with the user name GR## (the users GR##-FI1, GR##-FI2, GR##-SD1, GR##-SD2, GR##-MM1, GR##-MM2 should exist with the user group ZGR##, from another lesson of the SAP course ADM940).

Check the settings for the user comparison (menu: Utilities → Settings). Ensure that a user comparison is automatically performed when you save.

a) The traffic light is red, that is, no users have yet been assigned to this role.

Assign the following users by entering the names into the User ID column.

User Name:

GR##-FI1

GR##-FI2

GR##-SD1

GR##-SD2

GR##-MM1

GR##-MM2

4. What happens to the traffic light symbol status of the User tab after you have saved the data?

__________________________________________________________

What happens during the user compare process?

_________________________________________________

_________________________________________________

_________________________________________________

a) The status display is green (it may be yellow if you have not set Automatic User Adjustment when Saving Role by choosing → Utilities → Settings and checking the appropriate checkbox).

b) During the user comparison, the generated profiles for a role are entered into the user master record.

5. Assign the role ADM940_PLUS to the users from task 4-3.


Save your user assignment.

Hint: With this exercise, it is possible that participants lock each other when saving the settings. If this happens, please wait a moment and try again.

a) Menu:

→ Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Choose the Basic Maintenance view for the ADM940_PLUS role and choose Change.

Go to the User tab page and assign the following users by entering their names in the User ID column. Remember to save your user assignment.

User Name:

GR##-FI1

GR##-FI2

GR##-SD1

GR##-SD2

GR##-MM1

GR##-MM2

6. Display the user master record of user GR##-MM1.

Is the user linked to roles? If yes, to which ones?

________________________________

________________________________

Are authorization profiles assigned to the user?


________________________________

a) Menu:

→ Tools → Administration → User Maintenance → Users (transaction code SU01).

a) Yes, to:

ADM940_PLUS

GR##_BC_PORTALS

b) Yes. Authorization profiles are assigned to the user.


Lesson Summary

You should now be able to:

- Describe and explain the basic steps for assigning authorizations with the Profile Generator
- Create new roles, change and copy roles, and specify their activities
- Display and maintain authorizations that were generated automatically
- Compare user master records directly in role maintenance (PFCG) or through user maintenance (SU01)
- Describe how to perform a mass comparison and state which report you can schedule for an automatic comparison

Lesson: Special PFCG Roles

Lesson Duration: 95 Minutes

Lesson Overview

This is the second lesson on the topic of role maintenance, and describes advanced maintenance of role types, which extend standard roles in a useful way with special properties. A typical requirement in a company is, for example, to create a role that has as clear a menu as possible, but which also describes a complete work center or position. These attributes are realized in the composite role.

Reference, derived, and Customizing roles round off the requirements. You can create these advanced types of role with the Profile Generator.

Lesson Objectives

After completing this lesson, you will be able to:

- Describe the use of Customizing roles
- Explain the advantages and disadvantages of composite roles
- Define the relationship between reference roles and derived roles
- Bundle frequently used transactions and map them with different instances using derived roles
- Describe how to perform a mass comparison and state which report you can schedule for an automatic comparison

In this lesson, you will describe advanced role maintenance to the participants.

This includes the possibilities for using Customizing, composite, reference, and derived roles. The advantages and disadvantages are listed, and all processes for creating these roles in the system are demonstrated and discussed. The concluding exercise allows the participants to consolidate their new knowledge using practical examples.

Business Example

The different requirements in companies often require nesting of roles and the possibility to set up dependencies. Composite, reference, and derived roles exist for this purpose. However, before the end user roles are created, the system is customized for customer requirements. Customizing roles are used for this purpose.


Customizing role

Describe the use of the Customizing role and highlight the following advantage:

Hint: If you only want to allow project team members to work on the project for a limited time (for example, in the case of consultants), you can implement this with a time restriction of the role assignment. In this way, you could also create a display role for the project team (ACTVT := 03 in every authorization).

You can assign projects or project views of the Implementation Guide (IMG) to a Customizing role. The purpose of such an assignment is to generate the authorization for specific IMG activities and assign it to users.

If you are on the Menu tab page in the role maintenance transaction, you can assign projects or views from the Implementation Guide (IMG) by choosing Utilities → Customizing Auth. When the profile is generated, the system creates the authorization which is necessary to perform all activities of the IMG projects/project views assigned.

Figure 66: Customizing Roles

Caution: If a project or project view has been assigned to a role, it is no longer possible to manually assign transactions to this role. This means that the role can only be used for generating and assigning Customizing authorizations. In the same way, a role to which transactions have been manually assigned cannot be used for Customizing authorizations.

The transactions of the project or project view are not displayed in the Session Manager and the SAP Easy Access menu. If the Enterprise IMG or Project IMG is changed, the authorization data of this role must be regenerated.

Hint: Since Customizing activities are performed on a project-related basis and for a limited period, you should maintain the end date for the assigned users. This ensures that the users assigned to the role lose the authorization for the projects/project views assigned upon completion of the project. This only applies, of course, if the user comparison is regularly performed.

Composite Roles

Familiarize yourself with the participant text. Describe the composite role and the possibilities for using it in daily work.

A composite role is a combination of multiple single roles. These can be:

- Single roles
- Derived roles (explained at the end of this lesson)

Create a composite role by choosing the Create Comp. Role button.

Hint: Composite roles cannot be included in composite roles.

It is often necessary to describe a work center using more than one single role and the information stored within it about menu structure, authorization data, and user assignments. To simplify maintenance and improve reusability, it is also possible to modularize a work center using several roles, which are then combined in a composite role. This possibility simplifies user administration and makes it easier for the company's HR team or Support department to assign authorizations.


Advantages of composite roles:

- One work center
- One composite role
- One assignment
- One central menu

Figure 67: Composite Roles and User Assignment

This container can contain any content. For reasons of clarity, it does not make sense and is therefore not possible to add composite roles to composite roles.

Hint: The SAP system does not use different names for single and composite roles. When creating or naming your roles, you should consider a naming concept that supports the differentiation of single and composite roles.

Disadvantages of composite roles


Since composite roles are only a shell for combined roles, they do not have any authorization data themselves.

Hint: If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.

Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign it to the users of that group.

The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during the comparison. The contents of the composite roles are automatically resolved and the single roles contained in them are entered.

In the master record, the assigned composite roles are displayed as usual, but the associated single roles are displayed with blue text on a gray background. These fields cannot be changed. The user assignment can only be changed through the composite role.
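What the user comparison does for single and composite roles, as an added example that is not part of the course material and not SAP code: a Python model in which a comparison recomputes the profiles in a user master record from the role assignments valid on a given day, resolves composite roles into their single roles, and drops the profiles of assignments whose end date has passed (the point of the hint on Customizing roles above; in a real system this is the job of transaction PFUD or the scheduled report PFCG_TIME_DEPENDENCY). All role, profile and user names are constructed; GR01 stands in for GR##.

```python
"""Model of the user master comparison for single and composite roles.

Added illustration, not SAP code. What it reproduces from the lesson:
  * a composite role is only a shell: it has no profile of its own and is
    resolved into its single roles during the comparison,
  * composite roles cannot be nested,
  * the comparison enters the generated profiles of the single roles into
    the user master and removes profiles whose role assignment is no
    longer valid, which is why it has to run regularly.
Role, profile and user names are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Role:
    name: str
    profile: str = ""              # generated profile name; "" = not generated yet
    single_roles: tuple = ()       # non-empty only for a composite role


@dataclass
class Assignment:
    role: str
    valid_from: date
    valid_to: date


@dataclass
class UserMaster:
    user: str
    assignments: list = field(default_factory=list)
    profiles: set = field(default_factory=set)   # written ONLY by the comparison


def resolve_single_roles(role_name, roles):
    """Expand a composite role into the single roles it contains."""
    role = roles[role_name]
    if not role.single_roles:
        return [role]
    members = [roles[n] for n in role.single_roles]
    for m in members:
        if m.single_roles:
            raise ValueError(f"{role_name}: composite roles cannot contain composite roles")
    return members


def user_compare(master, roles, today):
    """Recompute the profiles in the user master from the assignments valid
    on `today` (a date or ISO string). Returns (added, removed) so that a
    scheduled run can be audited."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    wanted = set()
    for a in master.assignments:
        if not (a.valid_from <= today <= a.valid_to):
            continue                                  # expired or not yet valid
        for single in resolve_single_roles(a.role, roles):
            if single.profile:                        # a role without a generated
                wanted.add(single.profile)            # profile grants nothing
    added, removed = wanted - master.profiles, master.profiles - wanted
    master.profiles = wanted
    return added, removed


# Constructed roles: two single roles from the exercises, a composite role
# bundling them, and a time-limited Customizing role for a project.
ROLES = {
    "GR01_MM_MAT_ANZ":   Role("GR01_MM_MAT_ANZ", profile="GR01_MM_01"),
    "GR01_MM_IM_POST":   Role("GR01_MM_IM_POST", profile="T-GR01MM02"),
    "GR01_MM_WAREHOUSE": Role("GR01_MM_WAREHOUSE",
                              single_roles=("GR01_MM_MAT_ANZ", "GR01_MM_IM_POST")),
    "GR01_BC_CUST_PROJ": Role("GR01_BC_CUST_PROJ", profile="T-GR01BC01"),
}


def make_user():
    """User GR01-MM1 with the composite role and a project role that ends 2003-12-31."""
    return UserMaster("GR01-MM1", assignments=[
        Assignment("GR01_MM_WAREHOUSE", date(2003, 1, 1), date(9999, 12, 31)),
        Assignment("GR01_BC_CUST_PROJ", date(2003, 10, 1), date(2003, 12, 31)),
    ])


if __name__ == "__main__":
    u = make_user()
    print(user_compare(u, ROLES, "2003-12-12"), sorted(u.profiles))
    print(user_compare(u, ROLES, "2004-01-02"), sorted(u.profiles))
```

The second run removes the project profile from the user master only because a comparison happened after the end date; until then the expired assignment still grants the authorization, which is exactly the caveat the Customizing role hint makes.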

Use the next slide to compare the advantages and disadvantages of a composite role:

For:

- Combination of a large number of single roles into a composite role reduces the effort required for user assignment
- Menus can be mixed as required (reduced)
- Transactions can be deleted from the menu (hidden) and the authorizations are retained

Against:

- Changes to the authorizations can only be made using the included roles
- A composite role has no authorizations itself
- Changes to the included roles are not immediately visible in the menu of the composite role. A renewed import is required.


Figure 68: Menus of Composite Roles

If you assign multiple single roles to a user, multiple listings of individual menu entries can occur, for example, if a transaction or a path is contained both in role 1 and in role 2. The user menu then contains more than one entry for such menu nodes, which frequently confuses end users.

The menu tree of a composite role is, in the simplest case, a combination of the menus of the roles contained. When you create a new composite role, the initial menu tree is empty at first. You can build the menu tree with the menus of the integrated roles by choosing Read menu (Menu tab page).


Caution: Menus for composite roles usually do not reflect the authorizations that the user has through the authorizations of the single roles. There can be two reasons for this:

1. Menu displays more than the composite role authorizes

If the set of roles contained in the composite role is reduced after the menu has been read, this of course has consequences for the existing menu tree. In such a case, the Profile Generator allows you to completely rebuild the menu tree or process only the changes. If you choose the latter option, the Profile Generator removes all items from the entire menu which are no longer contained in any of the roles referenced.

2. Menu displays less than the composite role authorizes

If the contents of the assigned roles are extended (menu or authorizations change), these are not automatically visible in the composite role menu.

If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.

Note: A comparison is required in both cases.

On the Roles tab page, enter the roles of which the composite role should consist (use the possible entries help by choosing F4).

On the Menu tab page, you can then create the menus of the roles contained in the composite role by choosing Read menu, and restructure it as you wish.

Hint: You can remove transactions in the composite role menu. You can only add entries using the assigned single roles.

There are two possibilities in role maintenance for the structure of the menu:

1. If the composite role menu has never yet been built, when you choose Read menu, every menu of the single roles that have been assigned is immediately imported.

2. However, if it is a Refresh, an additional query appears (see the next presentation slide).


Demonstrate in the system how a comparison of menus of this type is performed. Explain the special features of a refresh.

You can make additional global settings for the menu using data records in table SSM_CUST. A few data records:

- COLL_READ_LEVEL_1 (see the note after the next figure)
- DELETE_DOUBLE_TCODES
- SSM_MENU_SORT_ACTIVE
- CONDENSE_MENU

If you are interested in this topic and want to present it to the participants,see the online help.

Figure 69: Building Composite Role Menus

You can now choose between Merge and Reimport. If you want to discard your settings and restructure the menu, choose Reimport. Merge, on the other hand, creates a delta between the actual situation and the situation as it ought to be. This delta describes the change set.

- Reduction: In this case, the transactions that no longer appear in the roles are removed from the menu of the composite role. Empty folders may be created. These are displayed in red, and you can delete them manually or by choosing Delete Empty Folders.
- Extension: Those transactions which now additionally appear in the roles are added. You can find these transactions in a separate folder with the description New menu options. You can then distribute these to the menu manually. Single roles that have been newly added to the composite role are added with their hierarchy, while transactions from single roles already contained in the composite role are included with no hierarchy.

Hint: Since SAP R/3 4.6D, when a composite role menu is restructured, the system creates a new folder for each single role contained in the composite role at the top hierarchy level. This folder initially contains the corresponding menu. You can decide whether the text for each folder consists of the technical name or the short text of the role. You can deactivate this function by setting the Customizing switch COLL_READ_LEVEL_1 to OFF in the Customizing table SSM_CUST.
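The Reimport and Merge behaviour described above, as an added example that is not part of the course material and not SAP code: a Python model that computes the delta between the composite role menu as it is and as it ought to be. Menus are simplified to one level of folders, the role and folder names are constructed (GR01 stands in for GR##), and the `level1_folders` switch stands for the SSM_CUST entry COLL_READ_LEVEL_1 from the hint above.

```python
"""Model of building a composite role menu: Reimport versus Merge.

Added illustration, not SAP code. A menu is simplified to one level of
folders (folder name -> list of transaction codes); the composite role
remembers which single roles it has already read. Names are constructed.
"""

NEW_OPTIONS = "New menu options"


def reimport(single_menus, level1_folders=True):
    """'Reimport': discard the composite menu and rebuild it from scratch.
    With COLL_READ_LEVEL_1 active (default since 4.6D) each single role gets
    its own top-level folder; switched OFF, the role menus are merged by
    folder name and duplicate transaction codes are dropped."""
    menu = {}
    for role, folders in single_menus.items():
        for folder, tcodes in folders.items():
            key = f"{role}/{folder}" if level1_folders else folder
            target = menu.setdefault(key, [])
            for t in tcodes:
                if t not in target:
                    target.append(t)
    return menu


def merge(composite_menu, read_roles, single_menus):
    """'Merge': keep the administrator's restructured menu and apply only the
    delta between 'actual' (composite_menu) and 'ought' (single_menus).
    Returns (new_menu, empty_folders, read_roles_after)."""
    new_menu = {folder: list(tcodes) for folder, tcodes in composite_menu.items()}
    ought = {t for folders in single_menus.values() for ts in folders.values() for t in ts}

    # Reduction: drop transactions no longer contained in any single role.
    # Folders that become empty are only flagged (shown red in PFCG); the
    # administrator deletes them by hand or with 'Delete Empty Folders'.
    for folder in new_menu:
        new_menu[folder] = [t for t in new_menu[folder] if t in ought]
    empty_folders = {f for f, ts in new_menu.items() if not ts}

    # Extension: transactions that are new compared with the current menu.
    present = {t for ts in new_menu.values() for t in ts}
    for role, folders in single_menus.items():
        for folder, tcodes in folders.items():
            fresh = [t for t in tcodes if t not in present]
            if not fresh:
                continue
            if role in read_roles:
                # role was already part of the composite role: no hierarchy,
                # the new entries land flat in 'New menu options'
                target = new_menu.setdefault(NEW_OPTIONS, [])
            else:
                # newly added single role: taken over with its own hierarchy
                target = new_menu.setdefault(f"{role}/{folder}", [])
            target.extend(fresh)
            present.update(fresh)
    return new_menu, empty_folders, set(read_roles) | set(single_menus)


# Constructed starting point: the composite role has read two single roles
# and the administrator has restructured the result into two folders.
COMPOSITE_MENU = {
    "Goods movements":  ["MB1C", "MB90", "VL21"],
    "Material display": ["MM03", "MM04", "MM19"],
}
READ_ROLES = {"GR01_MM_IM_POST", "GR01_MM_MAT_ANZ"}

# Situation as it ought to be now: MM19 was removed from and MM60 added to
# the display role, and a third single role was added to the composite role.
SINGLE_MENUS_NOW = {
    "GR01_MM_IM_POST": {"Inventory": ["MB1C", "MB90", "VL21"]},
    "GR01_MM_MAT_ANZ": {"Material master": ["MM03", "MM04", "MM60"]},
    "GR01_SD_SALES":   {"Sales orders": ["VA01", "VA02", "VA03"]},
}


if __name__ == "__main__":
    menu, empty, read = merge(COMPOSITE_MENU, READ_ROLES, SINGLE_MENUS_NOW)
    for folder, tcodes in menu.items():
        print(f"{folder:30} {tcodes}")
    print("empty folders:", empty, "| read roles:", sorted(read))
    print(reimport(SINGLE_MENUS_NOW))
```

Merge keeps the two hand-made folders, removes MM19, puts MM60 flat into New menu options and adds the new sales role with its own folder; Reimport throws the hand-made structure away and produces one folder per single role.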

Reference (Root) Roles and Derived Roles

In practice, there are a number of requirements to create roles whose content differs only in the authorizations and not in the transactions. For example: two sales and distribution employees with the same work center description, but different plants (1000, 2000). Here are two useful examples for the use of derived roles.

1. The menu of the roles is to be identical, but the authorizations for the actions contained in the menu are reassigned in the derived role.

2. The menu and the authorizations of the derived role are to be identical, but the organizational units are reassigned in the derived role.

The relationships are described in detail on the following pages, and you can see that these roles can be created and maintained very elegantly.

Discuss the following slides with the participants and reinforce the relationships with a system demonstration.

- Create a template.
- Define this, and derive the contents.

Use this example to show how the contents are affected when changes are made. Use an example similar to the exercises.


Figure 70: Derived Roles

Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the referenced role.

However, the user assignments are not inherited.

Hint: Enter the name of the role from which all transactions including the menu structure are to be copied in the Derive from Role field on the Description tab page. In this way, any existing role can serve as the reference role.

There are two ways to perform the comparison between the roles:


1.) Comparison from the imparting role

- Generate Derived Roles button

This action usually copies the normal fields (not the organizational levels) to all derived roles and generates the profiles.

Hint: The data for the organizational levels is only transferred when the authorization data for the derived roles is first modified. If organizational levels have already been maintained in the derived role(s), this is not overwritten (see SAP Note 314513).

For more information, see SAP Note � 314513 �. This SAP Notecontains an additional description of how data is compared betweenthe roles and overwritten.

2.) Comparison from the derived role

� � Transfer Data � button

This button is usually used for the � initial fill � of the authorizations.This call always copies all general authorization values from thetemplate. If an organizational level in the derived role is not filled, itis also set to the value from the reference role.

Hint:Previously, using this button also meant that the completesettings for the organizational levels were also copied 1:1. Thiswas done regardless of whether it was empty or filled in thereference role. If you now want to copy organizational leveldefinitions from the reference role, note that you must firstdelete this field in the derived role.

To modify authorization data of derived roles, you require fullauthorization for the authorization object S_USER_VAL and changeauthorization for the derived roles.
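The two comparison directions above, modeled as an added Python example that is not part of the course material: the role names and the plants 1000, 1100 and 1200 come from the exercise in this lesson, while the data structures, the org-level field list and all function names are assumptions, not PFCG's own implementation.

```python
"""Constructed model of the two comparison directions described above:
"Generate Derived Roles" (from the imparting role) and "Transfer Data"
(from the derived role), plus an authority check of the kind SU53 reports
when a plant is not granted. The role and plant names are those of the
exercise; the data structures and function names are assumptions, not
PFCG's own implementation."""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Fields PFCG maintains centrally as organizational levels (assumption:
# only the fields needed for this example are listed).
ORG_LEVEL_FIELDS = {"WERKS", "BUKRS"}


@dataclass
class Role:
    name: str
    derive_from: Optional[str] = None
    # object -> field -> allowed values, for non-org-level fields
    general: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    # org-level field -> values, kept apart because the two comparison
    # rules treat org levels differently from normal fields
    org_levels: Dict[str, Set[str]] = field(default_factory=dict)
    # True once the role's authorization data has been maintained
    auth_maintained: bool = False


def transfer_data(reference: Role, derived: Role) -> Role:
    """Comparison from the derived role ("Transfer Data" button): general
    values are always copied; an org level is taken from the reference
    only if it is still empty in the derived role."""
    derived.general = deepcopy(reference.general)
    for org_field, values in reference.org_levels.items():
        if not derived.org_levels.get(org_field):
            derived.org_levels[org_field] = set(values)
    derived.auth_maintained = True
    return derived


def generate_derived_roles(reference: Role, derived: List[Role]) -> List[Role]:
    """Comparison from the imparting role ("Generate Derived Roles"):
    normal fields go to every derived role; org levels are transferred
    only to roles whose authorization data was never maintained, so
    already maintained org levels are not overwritten."""
    for role in derived:
        role.general = deepcopy(reference.general)
        if not role.auth_maintained:
            role.org_levels = deepcopy(reference.org_levels)
            role.auth_maintained = True
    return derived


def allowed_values(role: Role, obj: str, fld: str) -> Set[str]:
    """Values the role grants for one field of one authorization object."""
    if fld in ORG_LEVEL_FIELDS:
        return role.org_levels.get(fld, set())
    return role.general.get(obj, {}).get(fld, set())


def authority_check(role: Role, obj: str, **required: str) -> Tuple[bool, List[str]]:
    """Return (ok, missing); missing lists the field=value pairs the role
    does not grant, which is what SU53 shows for a failed check."""
    missing = []
    for fld, value in required.items():
        granted = allowed_values(role, obj, fld)
        if value not in granted and "*" not in granted:
            missing.append(f"{fld}={value}")
    return (not missing, missing)


def build_exercise_roles() -> Tuple[Role, Role]:
    """Reference role with the three plants named in the solution, and a
    derived role whose plant was set to 1000 before Transfer Data
    (constructed authorization values)."""
    ref = Role("GR##_MM_IM_POST",
               general={"M_MATE_WRK": {"ACTVT": {"01", "02", "03"}}},
               org_levels={"WERKS": {"1000", "1100", "1200"}})
    derived = Role("GR##_MM_IM_POST1000", derive_from=ref.name,
                   org_levels={"WERKS": {"1000"}})
    transfer_data(ref, derived)
    return ref, derived


if __name__ == "__main__":
    ref, derived = build_exercise_roles()
    print(derived.org_levels)                 # plant 1000 was not overwritten
    print(authority_check(derived, "M_MATE_WRK", ACTVT="03", WERKS="1000"))
    print(authority_check(derived, "M_MATE_WRK", ACTVT="03", WERKS="3000"))
```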


Figure 71: Menus of Derived Roles

Unlike composite roles, the derived role has the complete filled menu of the template immediately after the referencing role is entered and the role is saved. The inherited menus cannot be changed in the derived roles.

Hint: Menu maintenance takes place exclusively in the imparting role. Any changes immediately affect all inheriting roles.

The inheritance relationship can be canceled, but the previously inheriting role is then handled like a normal role. The cancellation of the relationship cannot be undone.

Demonstrate all of the steps for the various roles in the system for the participants. You can do this directly after each role type, or perform a complete demonstration at the end of this presentation. Try to use an example that resembles the participant exercises.


Exercise 6: Special PFCG Roles
Exercise Duration: 45 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
- Work with composite roles and predefined work center examples
- Structure user menus
- Create derived roles with the Profile Generator and determine their activities
- Check and maintain authorizations that were generated automatically
- Explain the difference between derived and copied roles
- Describe differences between the master record comparison from SU01 and from PFCG

Business Example
This exercise is concerned with advanced role maintenance. The exercises should provide ideas about how composite, reference, and derived roles can simplify your administration work.

System Data
System: These SAP systems change weekly. Training administration will provide you with the exact ID of your SAP R/3 Enterprise system.
Client: The training courses are held in the 8xx clients; training administration will provide you with the exact numbers. One of the clients is set up as the central system.
User ID: The user IDs for SAP courses should have a uniform structure. The IDs contain the course ID and a two-digit group number. For example, for the ADM940 course: User ID "ADM940-##". At the start of the course, the instructor creates the users using transaction "ZUSR" and the template "ADM940-MODEL". The participants receive the required roles and authorizations for the exercises through the template.
Password: The instructor can set a uniform password for the users when creating them (such as "ADM940"). Training administration will inform you of the instructor password for access to the system.


Set up instructions:

1. This training material was developed in a new documentation environment. This technology is called "XML". With this technology, individual lessons are created. These are complete entities. These entities can then be combined into units as required and reused in various courses. However, this can also mean that results from exercises that were created in other lessons are the prerequisite for performing other lessons. However, to ensure that you are able to solve the tasks, note the following. This exercise refers repeatedly to content from the "sample authorization concept". This was created in SAP course ADM940 in the lesson Creating and Implementing an Authorization Concept. If this is not SAP course ADM940, you can read the information required for the tasks in the two tables below, and distribute this information to the participants.

2. All of the users, roles, and profiles (specifications) that the participants are to call have already been set up by the weekly system copy. If data is missing, contact the system administrators or the course author. The content to be created by the participants has been created in the system with the ID "...##" for the participant group numbers, and the instructor number "00" for comparison.

Enterprise area >>>   FI       SD         SD       MM
Job Role >>>          AccRec   SD-Clerk   SD-Man   Whouse
SAP R/3 Links:
T Code                Scope    Scope      Scope    Scope
MM01
MM02
MM03                  x        x          x        x
MM19                  x        x          x        x
MM04                  x        x          x        x
FD01                  x                   x
FD02                  x                   x
FD03                  x                   x
VD01                           x          x
VD02                           x          x
VD03                           x          x
VA21                           x          x
VA22                           x          x
VA23                           x          x
VA25                           x          x
VA01                           x          x
VA02                           x          x
VA03                           x          x
V.01                           x          x
MB1C                                               x
MB90                                               x
VL21                                               x
F-18                  x
F-26                  x
F-28                  x

Sample Authorization Concept (job role)

Name of the Role         Transactions for this Role
GR##_MM_MAT_ANZ          MM03, MM04, MM19
GR##_FI_ACCREC_MAINT     FD01, FD02, FD03
GR##_SD_CUST_MAINT       VD01, VD02, VD03
GR##_SD_SALES            VA21, VA22, VA23, VA25, VA01, VA02, VA03, V.01
GR##_MM_IM_POST          MB1C, MB90, VL21
GR##_FI_IP_POST          F-18, F-26, F-28


Sample Authorization Concept (role distribution)

Task 1: Create the composite role GR##_MM_WHOUSE.

Hint: Ensure that you use the Create Comp. Role button on the initial screen of the Profile Generator.

1. Enter a short description, and save your composite role.

If you look at the tab pages, what do you notice?

___________________________________________________________

2. Go to the Roles tab page.

Your composite role should consist of the roles of the role definition in the sample authorization concept.

In accordance with the sample authorization concept, these are:

- GR##_MM_MAT_ANZ

- GR##_MM_IM_POST

Enter these in the relevant fields.

3. Go to the Menu tab page and read the menus of the inserted roles into your composite role.

Optionally, you can further customize the menu of the composite role.

Save your composite role.

4. Go to the User tab page and assign user GR##-MM1. Save your user assignment.

5. Perform a user master comparison.

Task 2: Describe the options for a user master comparison.

1. Where can you perform a user master comparison? List at least two possibilities.

_______________________________________________

_______________________________________________

2. What does the report pfcg_time_dependency do?

_______________________________________________


_______________________________________________

_______________________________________________

Task 3: Display the user master record of user GR##-MM1.

1. Which roles is the user assigned?

If your user GR##-MM1 does not yet have the role ADM940_PLUS, assign the role and perform a user master comparison.

_______________________________________________

_______________________________________________

_______________________________________________

Display the authorization profiles. How many profiles are assigned?

________________________ authorization profiles

Why are there fewer profiles than roles?

_______________________________________________

_______________________________________________

Task 4: Log on to the system as user GR##-MM1. Use the password automatically generated in the exercise for the user master record or assign a new initial password in user maintenance.

Change the password when you log on: ______________________

Hint: You can show the transaction codes by choosing Extras → Settings ("Display Technical Names").

1. Set up a user-specific favorites list by defining the transactions MM03 and MB1C as favorites and adding any Web address.

2. Try to start some of the transactions, for example, MM03, and display the accounting view of material P-100 in plant 1000.

Can you also display the accounting view of material P-100 in plant 3000?

If not, why not?

_______________________________________________


3. Display the failed authorization check.

Hint: Menu path: System → Utilities → Display Authorization Check (or transaction SU53)

Why were you not able to display material P-100 in plant 3000?

_______________________________________________

_______________________________________________

_______________________________________________

Log off as GR##-MM1.

Task 5: Create a derived role GR##_MM_IM_POST1000 with authorizations for a warehouse supervisor in plant 1000.

1. Enter a short description, and save your role.

Assign the imparting role GR##_MM_IM_POST.

Display the inheritance hierarchy of the roles. (Choose Control+Shift+F3 or the icon)

2. Go to the Menu tab page.

Are you allowed to select additional activities or delete existing activities?

_________________________

3. Go to the Authorizations tab page. Select the normal mode (Change authorization data).

Define the organizational levels:

- Plant: 1000

Did the system copy the authorizations of the imparting role?

_________________________

4. Save the authorizations and accept the proposed profile name.

Copy the authorization data from the imparting role.

Did the system copy settings for organizational levels?

_________________________

Ensure that users assigned to this derived role are only allowed to post data in plant 1000.


5. Generate the authorization profile for your role.

Task 6: The following exercise is optional.

Create a new single role GR##_SD_SALES by copying the predefined work center example ADM940_SD_SALES without user assignment.

1. Use the copy icon in transaction PFCG.

Task 7: Change your copied role GR##_SD_SALES.

1. Change the description to a description specific to your group.

Go to the Menu tab page.

Display the technical names.

Expand all nodes of the menu and delete all transactions and nodes that are not intended for this role in the "sample authorization concept" (see lesson Creating and Implementing an Authorization Concept or the introduction to this exercise).

Save the changed user menu.

2. Go to the Authorizations tab page.

Select the normal mode (Change authorization data).

Restrict the organizational levels as follows:

- Sales organization: 1000

Leave the default authorization values for all other organizational levels.

3. Assign full authorization for all other and open fields ("*").

4. Generate the authorization profile for your role. Accept the proposed profile name.

Task 8: Create the missing three single roles of the sample authorization concept. (See the introduction to the exercise.)

1. Restrict the requested organizational levels with the values specified here. The system never queries all organizational levels for a role. Use the following values for the corresponding fields.


Organizational Level Field    Value
Company code                  1000
Business area                 1000
Account type                  D
Controlling area              1000
Division                      *
Sales organization            1000
Distribution channel          *

Set full authorization for all open authorization fields. Generate the profiles.

Task 9: Create three composite roles, which correspond to the sample authorization concept. Use the names from the following table.

When creating the roles, follow the steps from tasks 1-1 to 1-3 from this lesson.

Ensure that you use the Create Comp. Role button on the initial screen of the Profile Generator.

Composite role     Corresponds to the Role from the Sample Authorization Concept
GR##_FI_ACCREC     Accounts receivable accountant (AccRec)
GR##_SD_SALCLK     Sales clerk (SClerk)
GR##_SD_SALMGR     Sales and Distribution manager (SDMan)

Enter a short description, and save your composite role.

1. Go to the Roles tab page.

Your composite role should consist of the roles of the role definition in the sample authorization concept.

Select the corresponding roles and copy them into your composite role.


Example: The role of the accounts receivable accountant (AccRec), that is, the composite role GR##_FI_ACCREC, must contain the following roles:

- GR##_MM_MAT_ANZ

- GR##_FI_ACCREC_MAINT

- GR##_FI_IP_POST

2. Go to the Menu tab page and read the menus of the inserted roles into your composite role.

Optionally, you can further customize the menu of the composite role.

Save your composite role.

Repeat tasks 1 and 2 of this exercise, until all composite roles have been created.


Solution 6: Special PFCG Roles

Task 1: Create the composite role GR##_MM_WHOUSE.

Hint: Ensure that you use the Create Comp. Role button on the initial screen of the Profile Generator.

1. Enter a short description, and save your composite role.

If you look at the tab pages, what do you notice?

___________________________________________________________

a) Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

b) If you look at the tab pages, what do you notice?

The tab page Roles has been added;

The tab page Authorizations has been removed.

2. Go to the Roles tab page.

Your composite role should consist of the roles of the role definition in the sample authorization concept.

In accordance with the sample authorization concept, these are:

- GR##_MM_MAT_ANZ

- GR##_MM_IM_POST

Enter these in the relevant fields.

a) Enter the roles listed in the exercise text and save your settings. You can select these roles using input help or enter them manually.

3. Go to the Menu tab page and read the menus of the inserted rolesinto your composite role.

Optionally, you can further customize the menu of the composite role.


Save your composite role.

a) Go to the Menu tab page, and choose Read menu.

Optionally, you can further customize the menu of the composite role.

Save your composite role.

4. Go to the User tab page and assign user GR##-MM1. Save your user assignment.

a) Choose the save icon (disk icon) or press Control+S.

5. Perform a user master comparison.

a) Choose the User comparison button to enter the roles in the master record of user GR##-MM1.

Task 2: Describe the options for a user master comparison.

1. Where can you perform a user master comparison? List at least two possibilities.

_______________________________________________

_______________________________________________

a) With additional steps in transactions SU01, PFCG, and PFUD, or with the report pfcg_time_dependency.

2. What does the report pfcg_time_dependency do?

_______________________________________________

_______________________________________________

_______________________________________________

a) You can schedule an automatic user master comparison at regular intervals with this report. This compares all links and relationships between roles, users, and profiles in the master records (in the background).

Task 3: Display the user master record of user GR##-MM1.

1. Which roles is the user assigned?

If your user GR##-MM1 does not yet have the role ADM940_PLUS, assign the role and perform a user master comparison.


_______________________________________________

_______________________________________________

_______________________________________________

Display the authorization profiles. How many profiles are assigned?

________________________ authorization profiles

Why are there fewer profiles than roles?

_______________________________________________

_______________________________________________

a) Menu:

Tools → Administration → User Maintenance → Users (transaction code SU01).

b) Solutions in square brackets are additional results that may have been created by other optional exercise tasks.

- GR##_MM_WHOUSE
  - GR##_MM_MAT_ANZ
  - GR##_MM_IM_POST
- ADM940_PLUS
- [GR##_BC_PORTALS]

- 2 (4) authorization profiles,
- Because the composite role does not have its own profile.


Task 4: Log on to the system as user GR##-MM1. Use the password automatically generated in the exercise for the user master record or assign a new initial password in user maintenance.

Change the password when you log on: ______________________

Hint: You can show the transaction codes by choosing Extras → Settings ("Display Technical Names").

1. Set up a user-specific favorites list by defining the transactions MM03 and MB1C as favorites and adding any Web address.

a) You can fill the favorites list by dragging transactions from the user menu to the favorites list or insert transactions directly using the context menu (right mouse button).

2. Try to start some of the transactions, for example, MM03, and display the accounting view of material P-100 in plant 1000.

Can you also display the accounting view of material P-100 in plant 3000?

If not, why not?

_______________________________________________

a) Choose transaction MM03. Enter the material ID P-100 in the Material field. Choose Select view(s) and choose the Accounting 1 view. Choose Continue.

Can you also display the accounting view of material P-100 in plant 1000?

Yes.

Can you also display the accounting view of material P-100 in plant 3000?

No, because you do not have authorization for plant 3000.

3. Display the failed authorization check.

Hint: Menu path: System → Utilities → Display Authorization Check (or transaction SU53)

Why were you not able to display material P-100 in plant 3000?

_______________________________________________


_______________________________________________

_______________________________________________

Log off as GR##-MM1.

a) The program required activity 03 and plant 3000 for the authorization object M_MATE_WRK.

Although the user master record contains authorization for activities 03 and 08, there is no authorization for plant 3000.

Task 5: Create a derived role GR##_MM_IM_POST1000 with authorizations for a warehouse supervisor in plant 1000.

1. Enter a short description, and save your role.

Assign the imparting role GR##_MM_IM_POST.

Display the inheritance hierarchy of the roles. (Choose Control+Shift+F3 or the icon)

a) Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG). Choose the "Basic Maintenance" view, create a short description, and save your role.

b) Enter GR##_MM_IM_POST into the field Derive from Role.

Display the inheritance hierarchy of the roles.

Menu: → Role → Where-Used List

2. Go to the Menu tab page.

Are you allowed to select additional activities or delete existingactivities?

_________________________

a) Are you allowed to select additional activities or delete existingactivities?

No, since the menu of role GR##_MM_IM_POST is inherited from the role GR##_MM_IM_POST1000.

3. Go to the Authorizations tab page. Select the normal mode (Change authorization data).

Define the organizational levels:


- Plant: 1000

Did the system copy the authorizations of the imparting role?

_________________________

a) No, they must either be maintained here or copied as in the next exercise task.

4. Save the authorizations and accept the proposed profile name.

Copy the authorization data from the imparting role.

Did the system copy settings for organizational levels?

_________________________

Ensure that users assigned to this derived role are only allowed to post data in plant 1000.

a) Copy the authorization data from the imparting role by choosing Transfer Data or by choosing Edit → Transfer Data. The authorizations are then copied from the imparting role (reference role).

Choose Organizational levels. The plants 1000, 1100, and 1200 were not copied from the reference since this is an organizational level which was previously set in the derived role (see step 3 in this task).

Delete the entry for plant 1000 and choose Transfer Data again. What is now displayed, when you call the organizational levels? Reduce the entries to the value 1000.

5. Generate the authorization profile for your role.

a) You do not need to enter a name since the system prompted you for one when you saved the data.


Task 6: The following exercise is optional.

Create a new single role GR##_SD_SALES by copying the predefined work center example ADM940_SD_SALES without user assignment.

1. Use the copy icon in transaction PFCG.

a) Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

b) Copy the role ADM940_SD_SALES to the new role GR##_SD_SALES by choosing the Copy Role icon. Choose Copy selectively and do not set the user assignment checkbox. This ensures that the assigned users are not copied.

Task 7: Change your copied role GR##_SD_SALES.

1. Change the description to a description specific to your group.

Go to the Menu tab page.

Display the technical names.

Expand all nodes of the menu and delete all transactions and nodes that are not intended for this role in the "sample authorization concept" (see lesson Creating and Implementing an Authorization Concept or the introduction to this exercise).

Save the changed user menu.

a) Open the specified role in change mode and go to the Menu tab page.

b) Activate the technical names (transaction codes) by choosing the magnifying glass icon (on the right next to the delete icon).

Delete the nodes:

- Master data

- Outbound delivery

- Billing document

by selecting the node and choosing Delete.

2. Go to the Authorizations tab page.

Select the normal mode (Change authorization data).


Restrict the organizational levels as follows:

- Sales organization: 1000

Leave the default authorization values for all other organizational levels.

a) Overwrite the asterisk for Sales organization with the value 1000. Keep the default values for the other organizational levels (Company code, Controlling area, Division, Distribution channel, and so on).

3. Assign full authorization for all other and open fields ("*").

a) To do this, click the traffic light symbol at the top hierarchy level with the left mouse button, and confirm the assignment of full authorization.

4. Generate the authorization profile for your role. Accept the proposed profile name.

a) Choose the menu path: Authorizations → Generate or the corresponding button.

Task 8: Create the missing three single roles of the sample authorization concept. (See the introduction to the exercise.)

1. Restrict the requested organizational levels with the values specified here. The system never queries all organizational levels for a role. Use the following values for the corresponding fields.

Organizational Level Field    Value
Company code                  1000
Business area                 1000
Account type                  D
Controlling area              1000
Division                      *
Sales organization            1000
Distribution channel          *


Set full authorization for all open authorization fields. Generate the profiles.

a) Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Role                     Transactions
GR##_FI_ACCREC_MAINT     FD01, FD02, FD03
GR##_FI_IP_POST          F-18, F-26, F-28
GR##_SD_CUST_MAINT       VD01, VD02, VD03

Restrict the requested organizational levels with the values specified here:

Role GR##_FI_ACCREC_MAINT

- Company code: 1000

Role GR##_FI_IP_POST

- Company code: 1000

- Business area: 1000

- Account type: D

- Controlling area: 1000

Role GR##_SD_CUST_MAINT

- Company code: 1000

- Division: *

- Sales organization: 1000

- Distribution Channel: *

Set full authorization for all open authorization fields.

Generate the profiles.


Task 9: Create three composite roles, which correspond to the sample authorization concept. Use the names from the following table.

When creating the roles, follow the steps from tasks 1-1 to 1-3 from this lesson.

Ensure that you use the Create Comp. Role button on the initial screen of the Profile Generator.

Composite role     Corresponds to the Role from the Sample Authorization Concept
GR##_FI_ACCREC     Accounts receivable accountant (AccRec)
GR##_SD_SALCLK     Sales clerk (SClerk)
GR##_SD_SALMGR     Sales and Distribution manager (SDMan)

Enter a short description, and save your composite role.

1. Go to the Roles tab page.

Your composite role should consist of the roles of the role definition in the sample authorization concept.

Select the corresponding roles and copy them into your composite role.

Example: The role of the accounts receivable accountant (AccRec), that is, the composite role GR##_FI_ACCREC, must contain the following roles:

- GR##_MM_MAT_ANZ

- GR##_FI_ACCREC_MAINT

- GR##_FI_IP_POST


a) Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Composite role     Contained Roles
GR##_FI_ACCREC     GR##_MM_MAT_ANZ
                   GR##_FI_ACCREC_MAINT
                   GR##_FI_IP_POST
GR##_SD_SALCLK     GR##_MM_MAT_ANZ
                   GR##_SD_CUST_MAINT
                   GR##_SD_SALES
GR##_SD_SALMGR     GR##_MM_MAT_ANZ
                   GR##_FI_ACCREC_MAINT
                   GR##_SD_CUST_MAINT
                   GR##_SD_SALES
GR##_MM_WHOUSE     GR##_MM_MAT_ANZ
                   GR##_MM_IM_POST

b) Enter the roles in accordance with the above table.

2. Go to the Menu tab page and read the menus of the inserted rolesinto your composite role.

Optionally, you can further customize the menu of the composite role.

Save your composite role.

Repeat tasks 1 and 2 of this exercise, until all composite roles have been created.

a) Choose Read menu. You can move and restructure the menus with the mouse. By creating folders with the Create folder button, you can organize your transactions from a functional or process-oriented point of view.

Create the missing roles.


Lesson Summary

You should now be able to:
- Describe the use of Customizing roles
- Explain the advantages and disadvantages of composite roles
- Define the relationship between reference roles and derived roles
- Bundle frequently used transactions and map them with different instances using derived roles
- Describe how to perform a mass comparison and state which report you can schedule for an automatic comparison


Lesson: Subtleties of Authorization Maintenance
Lesson Duration: 75 Minutes

Lesson Overview
This lesson will describe special features in role maintenance (PFCG). These include:

- The red, yellow, and green traffic lights
- The icons in authorization maintenance
- The status texts for authorizations

Lesson Objectives
After completing this lesson, you will be able to:

- Interpret the red, yellow, and green traffic lights for different field contents

- Describe the meaning of the icons in the PFCG authorization maintenance

- Define the hierarchy of status terms, and explain when which term is used

- Distinguish between the expert mode and simple maintenance for authorizations

- List additional functions that are accessible through the menu

In this lesson, you explain all icons and their meaning to the participants. You should also describe all remaining functions that can be accessed through the menu.

Once you have established this knowledge with the participants, you can address a problem which many customers have experienced, but unfortunately do not know the background for the solution. This is the yellow traffic light problem, which requires maintenance of authorization values after menu changes. However, oddly these objects do not seem to have anything to do with the change in the menu. How can that be? Explain the background to the participants in this lesson.

Business Example
The authorization administrator must understand the use of the icons and the meaning of status values for his or her daily work. Depending on the requirements in the company, the administrator may require additional display and control options for this, which are provided through expert mode or the menu.


ADM940 Lesson: Subtleties of Authorization Maintenance

Icons and Additional Information for Authorization Maintenance

For your demonstration for the participants, create a role with any transaction that requires an organizational level, such as VA01. Explain the traffic light colors in the authorization situation and their behavior when values are maintained.

When maintaining and editing authorizations in role maintenance, different terms and icons appear that are perhaps not always correctly interpreted. What task do the traffic lights perform, for example?

Figure 72: Authorization Maintenance: Traffic Light Legend

The traffic lights are among the most important icons for the administration of authorizations. You can use them to obtain an overview very quickly. They display the current maintenance status of the authorizations at various levels. The different icons here are Green, Yellow, and Red.

Green: All fields below this level have been filled with values.

Hint: If the traffic light did not become green due to your entry, this is due to an SAP proposal.


Caution: Regardless of the color, you must always check all entries. A Green traffic light does not mean that you can accept everything without checking it.

Yellow: There is at least one field (but no organizational levels) below this level for which no data has been proposed or entered.

Red: There is at least one organizational level field (also known as org level) below this level for which no value has been maintained.

Caution: Never assign organizational levels directly in the structure. Always use the central button Organizational Levels or the key combination "Control + F8" to assign the values.


Describe the following icons to the participants.

Focus in particular on Merge, Delete, and Active & Inactive.

- Merge

You can merge specifications if the following rule is followed: [(Number of fields for an object) - 1] fields must be specified identically, that is, all fields but one must have the same values. No other combination is considered.

Caution: Never recommend merging authorizations in general using the menu entry (blind). Merging should always be done in the structure, where all values are displayed. It is especially critical if only the status Changed remains (see the participant text below for the topic Changed, after the figure Authorization Maintenance: Status Texts).

- Delete "Field Contents" & "Inactive"

Deleting an authorization is only ever offered for one specification and is therefore uncritical, since the user always sees what is being deleted.

The deletion function Delete Inactive, on the other hand, which is reached using the trash can icon (fourth menu bar from the top) or through the menu path Edit → Delete Inactive, should be used with care. This action causes the often incomprehensible and undesired Yellow traffic lights to appear for maintenance (you should also read the participant text for the topic Changed after the figure Authorization Maintenance: Status Texts here).

- Active & Inactive

This icon is simple to activate, but important in its effect. Read the participant text for the topic Changed after the figure Authorization Maintenance: Status Texts for this.

Prepare an example to explain the issue to the participants.


Figure 73: Authorization Maintenance: Icons Legend

Other icons in the object classes, authorization objects, authorizations, and authorization fields lines are:

Assignment of authorizations: Displays the transactions that use this object.

Full authorization: You can set full authorization by simply clicking the asterisk (*) next to an authorization field name or by using the button in the input window.

Assigning full authorization for all empty fields:

If you require a role with full authorizations or want to assign * to all empty fields for test purposes, follow the procedure below.

Hint: Assigning full authorization for all empty fields

If you click on a Yellow or Red traffic light in the status line, the system queries whether you want to assign the full authorization asterisk (*) for all unmaintained authorizations.

You can use the traffic lights at the level of object classes, objects, or authorizations in the same way to assign full authorization for the structure below that level. This does not maintain the organizational levels, and you should first use the Organizational Levels... button to enter and assign them.

The same procedure also applies for the traffic light in the top line between the Role Name and the Role Text.
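The traffic light rules above (Green, Yellow, Red by level) and the effect of clicking a light to assign full authorization, as an added Python model that is not part of the course material or of SAP's code. Object class names and field lists are constructed sample data; PLOG/PLVAR, S_USER_GRP and S_USER_TCD are the objects the lesson and its exercise mention.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed model of the PFCG authorization tree (not SAP code):
# role -> object class -> authorization (one specification of an object) -> field.

@dataclass
class AuthField:
    name: str
    value: Optional[str] = None   # None = not maintained (PFCG shows "$PLVAR"-style placeholders for org levels)
    org_level: bool = False       # organizational level field

@dataclass
class Authorization:
    object_name: str
    fields: List[AuthField]

@dataclass
class ObjectClass:
    name: str
    authorizations: List[Authorization]

Role = List[ObjectClass]
Node = Union[Role, ObjectClass, Authorization, AuthField]

def fields_below(node: Node) -> List[AuthField]:
    """All authorization fields in the subtree under a node."""
    if isinstance(node, AuthField):
        return [node]
    if isinstance(node, Authorization):
        return list(node.fields)
    if isinstance(node, ObjectClass):
        return [f for a in node.authorizations for f in a.fields]
    return [f for oc in node for a in oc.authorizations for f in a.fields]

def traffic_light(node: Node) -> str:
    """Red: an unmaintained org level below this level; yellow: some other
    empty field below it; green: every field below it has a value."""
    empty = [f for f in fields_below(node) if f.value is None]
    if any(f.org_level for f in empty):
        return "red"
    return "yellow" if empty else "green"

def assign_full_authorization(node: Node) -> int:
    """What clicking a yellow or red light does: put '*' into every unmaintained
    field below the level, but leave organizational levels untouched."""
    changed = 0
    for f in fields_below(node):
        if f.value is None and not f.org_level:
            f.value = "*"
            changed += 1
    return changed

def assign_org_level(role: Role, org_level: str, value: str) -> int:
    """The central Organizational Levels button: one entry fills that org level
    in every authorization of the role instead of editing it in the structure."""
    changed = 0
    for f in fields_below(role):
        if f.org_level and f.name == org_level:
            f.value = value
            changed += 1
    return changed

def build_sample_role() -> Role:
    # constructed sample: PLOG with the open org level PLVAR, S_USER_GRP without
    # defaults, S_USER_TCD with a proposed value
    return [
        ObjectClass("HR", [
            Authorization("PLOG", [
                AuthField("PLVAR", None, org_level=True),
                AuthField("OTYPE", "*"),
            ]),
        ]),
        ObjectClass("BC_A", [
            Authorization("S_USER_GRP", [AuthField("ACTVT"), AuthField("CLASS")]),
            Authorization("S_USER_TCD", [AuthField("TCD", "PFCG")]),
        ]),
    ]

def lights_by_class(role: Role) -> dict:
    return {oc.name: traffic_light(oc) for oc in role}

if __name__ == "__main__":
    role = build_sample_role()
    print(traffic_light(role), lights_by_class(role))   # red {'HR': 'red', 'BC_A': 'yellow'}
    assign_full_authorization(role)                      # fills ACTVT and CLASS, not PLVAR
    print(traffic_light(role), lights_by_class(role))   # red {'HR': 'red', 'BC_A': 'green'}
    assign_org_level(role, "PLVAR", "10")
    print(traffic_light(role), lights_by_class(role))   # green {'HR': 'green', 'BC_A': 'green'}
```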


Field contents: Choose the maintain icon to maintain an authorization field value. Alternatively, you can double-click the authorization field content, or click an empty field. You enter the values in a separate input window.

Copy: If you choose this icon, a complete specification for an authorization object is copied with all fields.

Merge: You can merge identical field contents for authorization fields of an authorization object with this icon or through the Utilities menu.

Caution: Never merge authorizations in general in the background (blind) using the menu path Utilities → Merge Authorizations. This should always be done in the structure when all values are displayed. This is especially critical if only the status Changed remains (see the text for Inactive below).

Delete: Delete a field content, delete an inactive authorization, or delete all inactive authorizations.

Inactive / Reactivate: You can use this icon to technically hide and show specifications for the check in the profile (the entry is retained). Although Delete has the same effect, it is not as simple to return to the default value in that case.

Hint: Inactive

If you click this icon:

- At authorization object level: All subordinate authorizations are marked as inactive.

- At authorization level: This authorization is marked as inactive.

Reactivate: This icon means that the authorization or all subordinate authorizations of an authorization object are reset to active.

Use the next slide to explain the terms listed in the graphic to the participants.

Create a suitable example with which you can explain the yellow traffic light problem. When doing so, take into account the explanations for Maintained and Active/Inactive in the participant text.


Figure 74: Authorization Maintenance: Status Texts

Status Texts for Authorizations

Standard: All field values in the subordinate levels of the hierarchy are unchanged from the SAP defaults.

Hint: This includes both filled and unfilled organizational level fields.

The condition for the filled fields is that the entry was made using the maintenance button Organizational Levels, and for unfilled fields, that the original value $.... is displayed.

Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and has since been filled with a value.

Changed: The proposed value for at least one field in the subordinate levels of the hierarchy has been changed from the SAP default value.

The Yellow Traffic Light Problem

Caution: Yellow traffic light effect. If the status jumps from Standard/Maintained to Changed due to an action in the authorizations, the Profile Generator can no longer connect this object entry with the menu. Therefore, for every action that requires Read old status and merge with new data, the Standard is read again (this can also be forced in expert mode).


This also applies for entries for organizational levels that are not set globally (using the buttons).

Note: This special feature can also lead to entries being copied into the authorizations that cannot be identified by a Yellow traffic light. Red traffic lights (uncritical, since values are missing here) or even Green traffic lights (critical, since all fields are filled in this case) can appear with new entries. Always pay attention to the status New when processing the authorizations.

Here is the solution for this problem, so that it does not occur repeatedly when you are processing the authorizations:

Hint: Before you make a change to authorizations that generates the status Changed, you must first perform the following steps:

1. Copy the relevant specification
2. Set the template to inactive
3. Make the changes to the copy

Only by performing these steps can you avoid the default being read again and again, and ensure that you have no inexplicable values to maintain.

Manual: You maintained at least one authorization in the subordinate hierarchy levels manually (it was not proposed by the Profile Generator).

Status texts after a comparison

Old: The comparison found that all field values in the subordinate levels of the hierarchy are still current and that no new authorizations have been added.

New: The comparison found that at least one new authorization has been added to the subordinate levels of the hierarchy. If you now click New, all new authorizations in the subordinate levels are expanded.
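The yellow traffic light effect and the copy/inactivate workaround, as an added Python model that is not part of the course material and does not reproduce SAP's internal bookkeeping. It assumes a constructed DEFAULTS dictionary standing in for the USOBT_C proposals for PFCG, and replays exercise 7, task 3 (V* overwriting the TCD proposal) with and without the preparation the hint requires.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed, simplified model of the PFCG status texts and of what
# "Read old status and merge with new data" does. Not SAP code.

@dataclass
class Authorization:
    object_name: str
    values: Dict[str, str]          # field -> value, "" = not yet maintained
    status: str = "Standard"        # Standard | Maintained | Changed | Manual | New
    active: bool = True

def propose(defaults, menu_tcodes: List[str]) -> List[Authorization]:
    """Initial proposal: one Standard authorization per object that the menu
    transactions propose."""
    return [Authorization(obj, dict(vals))
            for tcode in menu_tcodes
            for obj, vals in defaults[tcode].items()]

def edit_field(auth: Authorization, name: str, value: str) -> None:
    """Filling an empty field turns Standard into Maintained; overwriting a
    proposed value turns the authorization into Changed."""
    old = auth.values.get(name, "")
    auth.values[name] = value
    if old != "":
        auth.status = "Changed"
    elif auth.status == "Standard":
        auth.status = "Maintained"

def linked_to_menu(auth: Authorization) -> bool:
    # Standard or Maintained keeps the connection to the menu, active or not;
    # a Changed entry can no longer be matched to a menu transaction.
    return auth.status in ("Standard", "Maintained")

def merge_with_defaults(auths, defaults, menu_tcodes) -> List[Authorization]:
    """'Read old status and merge with new data': for every proposed object that
    has no authorization still linked to the menu, the Standard is read again
    and appears with status New."""
    result = list(auths)
    for tcode in menu_tcodes:
        for obj, vals in defaults[tcode].items():
            if not any(a.object_name == obj and linked_to_menu(a) for a in result):
                result.append(Authorization(obj, dict(vals), status="New"))
    return result

def copy_and_inactivate(auths: List[Authorization], template: Authorization) -> Authorization:
    """The recommended preparation: copy the specification, set the template
    inactive, and edit only the copy. The inactive template stays Standard."""
    copy = Authorization(template.object_name, dict(template.values), template.status)
    template.active = False
    auths.append(copy)
    return copy

# Constructed stand-in for USOBT_C: transaction -> object -> field defaults.
DEFAULTS = {
    "PFCG": {
        "S_USER_TCD": {"TCD": "PFCG"},
        "S_USER_GRP": {"ACTVT": "", "CLASS": ""},
    },
}

def without_preparation() -> List[Authorization]:
    """V* is written over the proposed TCD value, the object becomes Changed,
    and the next merge re-reads the Standard as a New (fully filled) entry."""
    auths = propose(DEFAULTS, ["PFCG"])
    tcd = next(a for a in auths if a.object_name == "S_USER_TCD")
    edit_field(tcd, "TCD", "V*")
    return merge_with_defaults(auths, DEFAULTS, ["PFCG"])

def with_preparation() -> List[Authorization]:
    """Copy first, inactivate the template, change the copy: no New entry."""
    auths = propose(DEFAULTS, ["PFCG"])
    tcd = next(a for a in auths if a.object_name == "S_USER_TCD")
    copy = copy_and_inactivate(auths, tcd)
    edit_field(copy, "TCD", "V*")
    return merge_with_defaults(auths, DEFAULTS, ["PFCG"])

def new_entries(auths) -> List[str]:
    return [f"{a.object_name} {a.values}" for a in auths if a.status == "New"]

if __name__ == "__main__":
    print(new_entries(without_preparation()))   # ["S_USER_TCD {'TCD': 'PFCG'}"]
    print(new_entries(with_preparation()))      # []
```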


To complete this lesson, go through all menu entries with the participants and explain their use. This should not be a problem, since all relationships and terms have now been dealt with at least once. Then go over the exercise.


Exercise 7: Subtleties of Authorization Maintenance
Exercise Duration: 20 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
- Explain the traffic light colors
- Differentiate between the use and meaning of the status types
- Find out where objects are used
- Explain the term "inactive"

Business Example
After you have used role maintenance for some time, you usually know all of the functions. However, some occurrences, such as yellow traffic lights that keep appearing and the status inactive, often still cause some misunderstandings. This exercise will reinforce your knowledge of the special features of role maintenance.

System Data
System: These SAP systems change weekly. Training administration will provide you with the exact ID of your SAP R/3 Enterprise system.
Client: The training courses are held in the 8xx clients; training administration will provide you with the exact numbers. One of the clients is set up as the central system.
User ID: The user IDs for SAP courses should have a uniform structure. The IDs contain the course ID and a two-digit group number. For example, for the ADM940 course: User ID "ADM940-##". At the start of the course, the instructor creates the users using transaction "ZUSR" and the template "ADM940-MODEL". The participants receive the required roles and authorizations for the exercises through the template.
Password: The instructor can set a uniform password for the users when creating them (such as "ADM940"). Training administration will inform you of the instructor password for access to the system.
Set up instructions:

1. All of the users, roles, and profiles (specifications) that the participants are to call have already been set up by the weekly system copy. If data is missing, contact the system administrators or the course author. The content to be created by the participants has been created in the system with the ID "...##" for the participant group numbers, and the instructor number "00" for comparison.


Task 1:
Create the role GR##-RGB by copying AMD940-RGB without user assignments and personalization.

1. Enter a short description, and save your role.

Go to the Authorizations tab page. Select the normal mode (Change authorization data).

2. What traffic light colors are displayed for the authorization objects used?

__________________________

__________________________

__________________________

3. What does a red traffic light mean?

_________________________________________________

4. The Profile Generator has written a default value in the field with the field text Plan Version. Use the search function to find the authorization field. Note the field value. Explain the meaning of the first character.

_________________________________________________

5. Use the Organizational Levels button to assign the value 10 for the Plan Version.

Task 2:
Explain the other traffic light colors.

1. What does a Yellow traffic light mean, and which objects (role GR##-RGB) have this status?

_________________________________________________

_________________________________________________

_________________________________________________

_________________________________________________

_________________________________________________

2. What does the last traffic light color mean, and what do you have to take into account here?

_________________________________________________

_________________________________________________


_________________________________________________

This must be taken into account: ____________________________________

_________________________________________________

_________________________________________________

3. In the authorization object S_USER_TCD, assign the value V*, and full authorization for all other fields.

4. Generate the profile and accept the proposed profile name. Exit authorization maintenance and return to the Authorizations tab page.

_________________________________________________

Task 3:
Use the expert mode to merge the existing authorization data with the PG default values again.

1. Which choice must be made when starting the maintenance so that the Profile Generator reads default values again?

_________________________________________________

_________________________________________________

2. Open the authorization values and read the Profile Generator defaults again.

3. Which authorization field has the status New?

_________________________________________________

4. Why does the field S_USER_TCD receive the entry PFCG?

_________________________________________________

_________________________________________________

_________________________________________________

5. What would you have had to do as preparation to avoid this?

_________________________________________________

_________________________________________________

_________________________________________________


Solution 7: Subtleties of Authorization Maintenance
Task 1:
Create the role GR##-RGB by copying AMD940-RGB without user assignments and personalization.

1. Enter a short description, and save your role.

Go to the Authorizations tab page. Select the normal mode (Change authorization data).

a) Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Choose the Basic maintenance view and create the required role. Enter a short description, and save your entry.

Go to the Authorizations tab page. Select the normal mode (Change authorization data).

2. What traffic light colors are displayed for the authorization objects used?

__________________________

__________________________

__________________________

a) Red, Yellow, and Green.

3. What does a red traffic light mean?

_________________________________________________

a) A red traffic light stands for an unfilled organizational level field.

4. The Profile Generator has written a default value in the field with the field text Plan Version. Use the search function to find the authorization field. Note the field value. Explain the meaning of the first character.

_________________________________________________

a) Open the search option by choosing the menu path Edit → Find and enter plan version for the field text. The field for which you are searching has the field name PLVAR (authorization object PLOG) and the default value $PLVAR. A $ character at the beginning of a field value always indicates a plan version.


5. Use the Organizational Levels button to assign the value 10 for the Plan Version.

a) Click the Organizational Levels button with the left mouse button and enter the value 10 for the Plan Version. Save your data by choosing Save (disk icon).

Task 2:
Explain the other traffic light colors.

1. What does a Yellow traffic light mean, and which objects (role GR##-RGB) have this status?

_________________________________________________

_________________________________________________

_________________________________________________

_________________________________________________

_________________________________________________

a) Yellow traffic lights indicate a structure in which at least one field does not yet contain a value.

Open the structure with the node with a Yellow traffic light by clicking the plus sign next to the traffic light. The following objects have not yet received default values from the Profile Generator: S_GUI, S_USER_AUT, S_USER_GRP, S_USER_PRO, and S_USER_VAL.

2. What does the last traffic light color mean, and what do you have to take into account here?

_________________________________________________

_________________________________________________

_________________________________________________

This must be taken into account: ____________________________________

_________________________________________________


_________________________________________________

a) The Green traffic light indicates structures in which all fields are assigned a value. However, it is not possible to identify whether this is:

- A Profile Generator (PG) default
- An organizational level field that received the field value through the maintenance button
- A field for which the PG default was changed
- An organizational level field filled directly in the structure (not using the button)

Hint: Take into account the fact that authorization objects with the status Standard and a Green traffic light are entirely Profile Generator default values. Green does not mean that you do not have to check these default values.

3. In the authorization object S_USER_TCD, assign the value V*, and full authorization for all other fields.

a) Use the search function (see exercise 1-4) to find the field S_USER_TCD. Change the field entry to V* and use the traffic light on the top hierarchy level to assign full authorization.

4. Generate the profile and accept the proposed profile name. Exit authorization maintenance and return to the Authorizations tab page.

_________________________________________________

a) Choose the Generate icon (red and white circle) and accept the profile name. Exit authorization maintenance by choosing F3.

Task 3:
Use the expert mode to merge the existing authorization data with the PG default values again.

1. Which choice must be made when starting the maintenance so that the Profile Generator reads default values again?

_________________________________________________

_________________________________________________

a) The mode Read old status and merge with new data.


2. Open the authorization values and read the Profile Generator defaults again.

a) On the Authorizations tab page, choose the Expert Mode for Profile Generation icon. Select the radio button for the option Read old status and merge with new data and execute the selection.

3. Which authorization field has the status New?

_________________________________________________

a) Search the authorizations for a line with the entry New or use the corresponding button. You will find the object S_USER_TCD with the field TCD and the entry PFCG.

4. Why does the field S_USER_TCD receive the entry PFCG?

_________________________________________________

_________________________________________________

_________________________________________________

a) This is an authorization object for which the Profile Generator proposal was changed (status: Changed).

If the Profile Generator proposal is now read again, the Standard is read again for all authorization objects that have the status Changed. The condition is that the object continues to be proposed through the use of a transaction in the menu.

5. What would you have had to do as preparation to avoid this?

_________________________________________________

_________________________________________________

_________________________________________________

a) Before you process a specification in a way that causes the status Changed to appear, you must copy the specification and set the template to inactive.


Lesson Summary

You should now be able to:
- Interpret the red, yellow, and green traffic lights for different field contents
- Describe the meaning of the icons in the PFCG authorization maintenance
- Define the hierarchy of status terms, and explain when which term is used
- Distinguish between the expert mode and simple maintenance for authorizations
- List additional functions that are accessible through the menu


Unit Summary
You should now be able to:
- Describe and explain the basic steps for assigning authorizations with the Profile Generator
- Create new roles, change and copy roles, and specify their activities
- Display and maintain authorizations that were generated automatically
- Compare user master records directly in role maintenance (PFCG) or through user maintenance (SU01)
- Describe how to perform a mass comparison and state which report you can schedule for an automatic comparison
- Describe the use of Customizing roles
- Explain the advantages and disadvantages of composite roles
- Define the relationship between reference roles and derived roles
- Bundle frequently used transactions and map them with different instances using derived roles
- Interpret the red, yellow, and green traffic lights for different field contents
- Describe the meaning of the icons in the PFCG authorization maintenance
- Define the hierarchy of status terms, and explain when which term is used
- Distinguish between the expert mode and simple maintenance for authorizations
- List additional functions that are accessible through the menu


Unit 5: Basic Settings

In this unit, you introduce the basics for authorizations. These include the steps for installation and upgrade, how to construct user administration (with the most important authorization objects), and how to find the cause of a failed authorization check.

Unit Overview
This unit describes basic settings for the topic of authorizations. Some of these settings should be made before PFCG is used (lesson 1: Installation and Upgrade), while others are made during operation (lesson 2: Concept of User Administration). There are a number of parameters, switches, and objects used for this purpose, which are described here. The final lesson discusses the Information System and the AIS, which provide the administrator with different search options for listing the system settings and requirements in the area of authorization. This also includes the analysis of failed authorization checks, and the system trace.

Unit Objectives
After completing this unit, you will be able to:

- Perform the steps necessary to install the Profile Generator
- Find default values and check indicators in the system
- Modify, delete, or extend the default values of the Profile Generator
- Perform the necessary steps after an upgrade for postprocessing old and new authorization values
- Define password rules and system profile parameters
- Protect special users in the SAP system
- Protect SAP functions with authorization object S_TCODE
- Protect tables and views using authorization groups
- Protect programs with authorization groups
- Describe tasks in user and authorization administration
- List options for separating functions of user and authorization administration
- Describe options for decentralization of user administration
- Create user and authorization administrators with limited rights (using authorization objects)
- Analyze authorization checks in various ways
- Use transaction SU53 to find missing authorizations (also for other users)
- Run the authorization trace (ST01)
- Apply the features of the information system and use them for different tasks
- Understand and apply the functions of the Audit Information System (AIS)

Unit Contents
Lesson: Profile Generator: Installation and Upgrade ........ 221
  Exercise 8: Profile Generator: Installation and Upgrade ........ 237
Lesson: Access Control and User Administration ........ 247
  Exercise 9: Access Control and User Administration ........ 275
Lesson: Troubleshooting and Administration Aids ........ 287
  Exercise 10: Troubleshooting and Administration Aids ........ 299

Lesson: Profile Generator: Installation and Upgrade
Lesson Duration: 60 Minutes

Lesson Overview
This lesson provides an overview of the steps required to install the Profile Generator. The Profile Generator has been delivered activated since SAP R/3 4.6.

The lesson also explains which steps are to be performed after an upgrade, and how you can continue to use profiles that you have already created manually.

Lesson Objectives
After completing this lesson, you will be able to:

- Perform the steps necessary to install the Profile Generator
- Find default values and check indicators in the system
- Modify, delete, or extend the default values of the Profile Generator
- Perform the necessary steps after an upgrade for postprocessing old and new authorization values

In this lesson, you show the participants how the system settings must be set to use the Profile Generator (transaction code PFCG). You also explain where the default values for role maintenance come from and the effects of the different check indicators.

The second part is about upgrading. There is a difference in principle between the two situations: whether or not the Profile Generator was previously used.

Business Example
Before the Profile Generator can be used, you must activate it in the system and link it with default tables for the delivered SAP transaction codes.

If the customer performs an upgrade, various postprocessing is required in connection with the Profile Generator and existing combinations of authorizations. This includes manually created authorization concepts that are to be migrated.

Basic Settings for Using Role Maintenance
Activating the Profile Generator after a new installation requires that:


The Required Steps for Operating the Profile Generator

- The SAP system profile parameter auth/no_check_in_some_cases has the value Y
- The default tables that control the behavior of the Profile Generator when a transaction is selected in a role are filled

Both steps are described in detail in this lesson.

Hint: With new installations (since SAP R/3 4.6), the parameter is already set to Y in the default settings. You only need to create the customer default tables.

Explain that the profile parameter setting auth/no_check_in_some_cases = Y must be made. Profile parameters can be checked with transaction RZ11 or report RSPFPAR. If the profile parameter is set to N, the value must be changed using transaction RZ10, and the system restarted.

Figure 75: Checking Profile Parameter auth/no_check_in_some_cases

As described, with new installations of SAP systems (> SAP R/3 4.5), you only need to check that the profile parameter is set to the correct value.


Call the profile parameter in the system.

- Transaction code RZ11
- Enter auth* and find the entry using the F4 help
- Select auth/no_check_in_some_cases by double-clicking it.

To check this, use transaction RZ11. The figure shows transaction RZ11 after you have entered the parameter name (auth/no_check_in_some_cases). For Current value, Y must be entered.

You can find more details on the currently selected parameter by choosing Documentation.

Alternatively, you can select and check the parameter setting using report RSPFPAR.

Hint: If the parameter has the value N, it must have been set to this value in the default profile or in the instance profiles of the SAP system. Transaction RZ10 is used to maintain and manage these profiles (you can call this transaction by choosing Tools → CCMS → Configuration → Profile Maintenance). You should use this transaction to delete the parameter from both the default and the instance profiles. The parameter is then set to its default value Y.

The next slide describes where the default values for the Profile Generator come from. The default values are in the customer tables USOBX_C and USOBT_C, and must initially be filled from the tables USOBX and USOBT after a new installation. The C stands for customer, although the tables are not created in the customer namespace.

The check indicators can be modified using transaction SU24 if required. You can use SAP Note 368496 to import improved authorization default values for the Profile Generator.


Figure 76: Where do the Default Values Come From?

If an administrator selects a transaction while creating a role, the Profile Generator selects the authorization objects that are checked in this transaction and maintained in the Profile Generator. Four cases can occur:


- For an authorization object against which the check is performed in the selected transaction, the Profile Generator has default values for the authorization content, so that full authorization can be provided. The traffic light beside the authorization is green.

- For an authorization object against which the check is performed in the selected transaction, the Profile Generator does not have default values for the authorization content. In the example on the slide, the SAP Office transaction SO01 has been selected, from which you can access files at operating system level. For security reasons, no specifications are made as to which files can be accessed in read-only or in write mode. The traffic light beside the authorization is yellow.

- For an authorization object against which the check is performed in the selected transaction, the Profile Generator does not have default values for the authorization content, and this field is an organizational level field. The traffic light beside the authorization is therefore red.

- It may be the case that some authorization checks during transaction processing were not maintained in the Profile Generator. The corresponding authorization objects do not appear in the profile overview.

Hint: This should, however, only occur as an exception. It is usually sensible to maintain the missing authorization objects in the tables using transaction SU24.

Tables USOBX_C and USOBT_C control the behavior of the Profile Generator after the transaction has been selected. After a new installation, these tables are empty and must be filled with values before the Profile Generator is used for the first time. The next step, shown on the next slide, is required to do this.

The next slide shows transaction SU25, with which tables USOBX_C and USOBT_C can be created.

Step 1: Initially Fill the Customer Tables


Unit 5: Basic Settings ADM940

Figure 77: Initial Fill of the Default Tables

SAP delivers the tables USOBX and USOBT. These tables are filled with default values and are used for the initial fill of the customer tables USOBX_C and USOBT_C. After the initial fill, you can modify the customer tables, and therefore the behavior of the Profile Generator, if required.

Table USOBX defines which authorization checks are to be performed within a transaction and which not (despite programmed authority-check command). This table also determines which authorization checks are maintained in the Profile Generator.

Table USOBT defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator.

Under menu item 1, Initially Fill the Customer Tables, transaction SU25 copies the SAP defaults from USOBX and USOBT to the customer tables USOBX_C and USOBT_C. You can use the Profile Generator as of this point.

Caution: If you call transaction SU25, and there are already values for date/time and user entered under Point 1, filling the table again would delete the changes that you have made and overwrite them with the SAP values.

For a full description of the functions of SU25, choose the Information about this transaction button.


Show the use of the next slide. Create an example (similar to the exercise, such as transaction code PA30) and use it to explain the check indicators and proposed field values.

Caution: Point out to the participants that a change to the entries affects every new read of authorization values in role maintenance. This is the case regardless of where this transaction was and is used.

Figure 78: Optional: Adjusting Check Indicators

After the tables USOBX_C and USOBT_C have been filled, you can maintain them to adjust the behavior of the Profile Generator and the authorization checks to be performed for each transaction. The tables are maintained in transaction SU24. This transaction displays the check indicators of a transaction. Check indicators determine if an authorization check will run within the transaction or not. The following check indicators are supported:

• N: No check. No check is performed against the corresponding authorization object in this transaction (despite programmed authority-check command). This indicator cannot be set for HR and Basis authorization objects.

• U: Unmaintained. A check is performed against the corresponding authorization object in this transaction.

• C: Check. A check is performed against the corresponding authorization object in this transaction. Maintenance in the Profile Generator is not supported. An example of this check indicator is the authorization object S_SPO_DEV against which a check is run in almost all SAP transactions in connection with "list printing" (printer icon). In the Profile Generator, however, it is cumbersome to handle print authorizations for each transaction anew.

• CM: Check/Maintain. A check is performed against the corresponding authorization object in this transaction. For objects with this check indicator, you can display and change the defaults of the Profile Generator by choosing Edit → Field values → Display. If some SAP default values are missing, security is most often the reason. These missing values cause the administrator to postprocess the authorization profile (yellow and red traffic lights).

Caution: If you change the field values, these are distributed by the Profile Generator as new defaults during role maintenance. This affects all roles for which the transaction is in the menu, and the authorization values are read again (Read old status and merge with new data).

This is the case regardless of whether the change in the role is for this transaction or a different transaction.
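The four traffic-light cases and the check indicators described above can be followed in a small simulation. The following Python block is an added example, not SAP code: USOBX_C and USOBT_C are modelled as constructed dictionaries (the PLOG defaults follow the PA30 values of the exercise; the S_DATASET row for SO01 and the S_GUI row are assumptions), and the block derives which authorizations the Profile Generator proposes and which traffic light each one gets.

```python
"""Added example (not SAP code): simulates how the Profile Generator derives the
proposed authorizations and their traffic lights for one transaction from the
check indicators in USOBX_C and the default field values in USOBT_C. All table
rows are constructed; the PLOG defaults follow the PA30 values of the exercise."""
from dataclasses import dataclass, field

# Constructed USOBX_C rows: (transaction, authorization object) -> check indicator.
USOBX_C = {
    ("PA30", "S_TCODE"): "CM",
    ("PA30", "PLOG"): "CM",
    ("PA30", "S_SPO_DEV"): "C",    # checked at runtime, but not maintained in the PG
    ("PA30", "S_GUI"): "N",        # constructed: no check in this transaction
    ("SO01", "S_TCODE"): "CM",
    ("SO01", "S_DATASET"): "CM",   # assumed object for the OS file access in SO01
}

# Constructed USOBT_C rows: (transaction, object) -> {field: default value}.
# "$NAME" marks an organizational level field; "" means no default is delivered.
USOBT_C = {
    ("PA30", "S_TCODE"): {"TCD": "PA30"},
    ("PA30", "PLOG"): {"INFOTYP": "1001", "ISTAT": "*", "OTYPE": "C, O, P, Q, S",
                       "PLVAR": "$PLVAR", "PPFCODE": "*", "SUBTYP": "*"},
    ("SO01", "S_TCODE"): {"TCD": "SO01"},
    ("SO01", "S_DATASET"): {"ACTVT": "", "FILENAME": "", "PROGRAM": ""},
}

SEVERITY = {"green": 0, "yellow": 1, "red": 2}


@dataclass
class Authorization:
    obj: str
    values: dict                          # field -> proposed value ("" = still open)
    status: str                           # traffic light: green, yellow or red
    reasons: list = field(default_factory=list)


def propose_authorizations(tcode, org_levels=None):
    """Authorizations the PG proposes when TCODE is added to a role menu.

    org_levels holds the values the administrator entered for organizational
    levels, e.g. {"PLVAR": "01"}; they fill every field whose default is "$PLVAR".
    """
    org_levels = org_levels or {}
    proposals = []
    for (t, obj), indicator in sorted(USOBX_C.items()):
        if t != tcode or indicator != "CM":
            # N: no check. U: unmaintained. C: checked, but not maintained by
            # the PG. None of these objects appear in the profile overview.
            continue
        values, reasons, status = {}, [], "green"
        for fld, default in USOBT_C.get((t, obj), {}).items():
            if default.startswith("$"):           # organizational level field
                org = default[1:]
                values[fld] = org_levels.get(org, "")
                if not values[fld]:
                    status = "red"
                    reasons.append(f"{fld}: organizational level {org} not defined")
            elif default == "":                   # no default delivered: stays open
                values[fld] = ""
                status = "yellow" if status != "red" else status
                reasons.append(f"{fld}: no default value in USOBT_C")
            else:
                values[fld] = default
        proposals.append(Authorization(obj, values, status, reasons))
    return proposals


def role_traffic_light(proposals):
    """Top-level traffic light: the worst status among the proposed authorizations."""
    return max((p.status for p in proposals), key=SEVERITY.__getitem__, default="green")


def status_of(proposals, obj):
    """Traffic light of one authorization object, or None if the PG did not propose it."""
    return next((p.status for p in proposals if p.obj == obj), None)


if __name__ == "__main__":
    for tcode, org in (("PA30", {}), ("PA30", {"PLVAR": "01"}), ("SO01", {})):
        props = propose_authorizations(tcode, org)
        print(tcode, org, "->", role_traffic_light(props))
        for p in props:
            print("   ", p.obj, p.status, p.reasons)
```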

Upgrading the Profile Generator

What do you do if you have already used the Profile Generator? You can ask this question of the participants to facilitate the transition to the next slides.


What do you need to do if you perform an upgrade?

• Migration of report trees
• Check of Profile Generator activation
• Upgrade of the roles and default tables (SU25, steps 2A-2D)
• Conversion of manually created profiles to roles if necessary (SU25, step 6)

Different postprocessing steps are required for the authorization data in the system after an upgrade, depending on the source release and whether or not roles that are to be used in the target release were already created with the Profile Generator in the source release.

For a full description of the changes for different releases, see the detailed online documentation.

However, the most important changes are listed here in keywords to give you a brief overview.

New Developments for SAP Web AS 6.20

• The Global User Manager was deactivated (see SAP Note 433941).
• Additional system parameter login/password_change_for_SSO (for logon with Single Sign-On) specifies whether the user must change his or her password.

New Developments for SAP Web AS 6.10

• Additional system parameters for logon
• Generation and deactivation of passwords
• Synchronization of the SAP database with an LDAP directory

Source release < SAP R/3 4.6B

• You have to migrate customer-defined report trees because the data structure of report trees changed internally (transaction RTTREE_MIGRATION). The report is automatically assigned a transaction code.

• New fields in the user administration:


Regardless of your release status, you will have one of the two following statuses:

1. Source release did not use PFCG

If the Profile Generator was not used in the source release, it might have to be activated. If it is a new installation, the Profile Generator is already activated.

2. Source release used PFCG

If roles were already used in the source release, they must be updated. Transactions that were selected in the menu of existing roles can be protected using additional authorization objects in the target release. This means that tables USOBT_C and USOBX_C have to be updated as well as the existing roles.

Ask the participants:

Who has not yet used the Profile Generator?

Figure 79: Upgrade Considerations (1)

You have only implemented your authorization concept with manually created profiles until now. The following questions apply to you:

How do I continue?

What can I transfer from the old concept?

Can I transfer anything at all?

Describe the options available from your experience.

Mention that even option 1 is not a bad situation. Or do you think that all participants understand the concepts that have been developed over the course of years (by colleagues)?

Demonstrate in transaction SU25 in the system step 6 and convert a profile Identical to Profile and Optimized. During your preparation, select a suitable profile for working through the notes for the next slide with the participants.


Upgrade Scenario: Source Release Did Not Use PG

• Option 1

  • Re-evaluate your authorization concept and rebuild authorizations using the profile generator.

• Option 2

  • Convert manually created profiles and authorizations into roles. Use Transaction SU25 (step 6) to do this.

Option 1 (create everything again):

• Advantages:

  • Authorizations are restructured based on the new authorization concept. You can fully utilize configuration tables USOBX_C and USOBT_C.

  • Possible to use user-friendly user menus

  • Creation of clear, structured, transparent authorization concept with consistent naming convention and reorganization of the authorization administration possible

• Disadvantages:

  • Can be time-consuming (re-implementation of security features)

You can also convert manually created profiles to roles.


Option 2 (transfer parts of the existing concept):

• Advantages:

  • Allows administrator to assign all existing, well tested, profiles to corresponding roles.

  • If the profiles contain authorizations for authorization object S_TCODE, the corresponding user menu can be created automatically.

• Disadvantages:

  • An authorization profile in a role does not necessarily have complete relation to the menu entries. In this case, the administrator can only partially use the configuration tables USOBX_C and USOBT_C.

Hint: The menu can only be automatically created if authorizations for S_TCODE are included in the profile and the transactions are listed as single values. Areas cannot be resolved, such as VA*.

Regardless of the situation: The roles contained must still be postprocessed.

Ask the participants:

Who is in this situation and has already used the Profile Generator?

Figure 80: Upgrade Considerations (2)


Upgrade Scenario: Previous System (>SAP R/3 3.1G) Uses PG

• 2A: Execute the Profile Generator comparison program.

  • Compares the new USOBT and USOBX tables with USOBT_C and USOBX_C

• 2B: Add any new transactions/updates to tables USOBX_C and USOBT_C using transaction SU25.

• 2C: Update the existing roles and flag all roles with new authorization objects.

• 2D: Display all roles for which there are changed transaction codes.

The authorization checks added in the target release require that tables USOBT_C and USOBX_C as well as the roles created in the source release be updated to the latest version. Transaction SU25 can be used to do this.

Caution: When executing Transaction SU25 you should keep in mind that the customer might have changed tables USOBT_C and USOBX_C in the source release. Step 1 in transaction SU25 may not be executed for this reason as it would completely overwrite the tables.

Rather, a comparison procedure is required, which is performed using steps 2A to 2D.

Step 2A

This compares the Profile Generator data from the previous release with the data for the current release. New default values are written in the customer tables for the Profile Generator. You only need to perform a manual adjustment later (in step 2B) for transactions in which you changed the settings for check indicators and field values. You can also display a list of the roles to be checked (step 2C).

Step 2B


If you have made changes to the check indicators or field values in transaction SU24, you can compare these with the new SAP defaults. You can see the values delivered by SAP and the values that you changed next to each other, and can make an adjustment, if desired. You can assign the check indicators and field values by double-clicking the relevant line.

Hint: Steps 2A and 2B make changes to the customer tables of the Profile Generator. If you want to transport these changes, choose step 3 in transaction SU25.

Step 2C

This step guides you through all the roles that are affected by newly added authorization checks and that have to be changed to correspond. You can jump directly to role maintenance.

Caution: These changes are not recorded in step 3 (transport) and must therefore be transported separately.

Step 2D

Occasionally, transactions in the SAP system are replaced by one or more other transactions. In step 2D, you create a list of all roles that contain transactions that were replaced by other transactions. The old and new transaction codes are listed. If necessary, you can replace the transactions in the roles. It is also possible to jump directly to role maintenance in this step.
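As an added illustration of steps 2A to 2D (not SAP's own logic), the following Python block models the comparison between the source-release SAP defaults, the customer tables and the target-release SAP defaults, then lists the roles to be checked and the replaced transactions. All tables, roles and the replaced transaction pair XOLD1 → XNEW1 are constructed placeholders.

```python
"""Added example (not SAP code): a model of the comparison that SU25 steps 2A to
2D perform after an upgrade. The SAP default tables of the source and target
release, the customer tables, the roles and the list of replaced transactions are
all constructed; the transaction codes XOLD1/XNEW1 are placeholders."""
from copy import deepcopy


def entry(ind, **fields):
    """One Profile Generator default: check indicator plus field default values."""
    return {"ind": ind, "fields": fields}


# SAP defaults (USOBX/USOBT) as delivered with the source release.
SAP_OLD = {
    ("PA30", "S_TCODE"): entry("CM", TCD="PA30"),
    ("PA30", "PLOG"): entry("CM", PLVAR="$PLVAR", INFOTYP="*"),
    ("XOLD1", "S_TCODE"): entry("CM", TCD="XOLD1"),
}
# Customer tables (USOBX_C/USOBT_C): the customer narrowed INFOTYP for PA30/PLOG.
CUSTOMER = {
    ("PA30", "S_TCODE"): entry("CM", TCD="PA30"),
    ("PA30", "PLOG"): entry("CM", PLVAR="$PLVAR", INFOTYP="1001"),
    ("XOLD1", "S_TCODE"): entry("CM", TCD="XOLD1"),
}
# SAP defaults delivered with the target release: PLOG gained a default for
# ISTAT, PA30 gained a new check on P_PCLX, and XOLD1 was replaced by XNEW1.
SAP_NEW = {
    ("PA30", "S_TCODE"): entry("CM", TCD="PA30"),
    ("PA30", "PLOG"): entry("CM", PLVAR="$PLVAR", INFOTYP="*", ISTAT="*"),
    ("PA30", "P_PCLX"): entry("CM", RELID="*", AUTHC="*"),
    ("XNEW1", "S_TCODE"): entry("CM", TCD="XNEW1"),
}
REPLACED_TCODES = {"XOLD1": "XNEW1"}    # constructed old -> new transaction mapping

ROLES = {                               # role name -> transactions in its menu
    "GR00_HR_PA30": ["PA30"],
    "Z_OLD_ADMIN": ["XOLD1", "SU01"],
    "Z_UNRELATED": ["SU01"],
}


def step_2a(customer, sap_old, sap_new):
    """Write the new SAP defaults into the customer tables.

    Returns the updated customer tables, the keys that need a manual decision in
    step 2B (the customer changed them in the source release) and the set of
    transactions that received new authorization objects (input for step 2C).
    """
    updated = deepcopy(customer)
    manual, new_checks = [], set()
    for key, new_default in sap_new.items():
        if key not in customer:
            updated[key] = deepcopy(new_default)   # new check: taken over as is
            new_checks.add(key[0])
        elif customer[key] == sap_old.get(key):
            updated[key] = deepcopy(new_default)   # untouched by the customer
        elif customer[key] != new_default:
            manual.append(key)                     # customer value kept for 2B
    return updated, manual, new_checks


def step_2b_view(customer, sap_new, key):
    """The side-by-side display of step 2B: customer value next to SAP value."""
    return {"customer": customer[key], "sap": sap_new[key]}


def step_2c(roles, new_checks):
    """Roles whose menu contains a transaction with newly added checks."""
    return sorted(role for role, menu in roles.items() if set(menu) & new_checks)


def step_2d(roles, replaced):
    """Roles that still contain replaced transactions, with old/new code pairs."""
    hits = {}
    for role, menu in roles.items():
        pairs = [(tcode, replaced[tcode]) for tcode in menu if tcode in replaced]
        if pairs:
            hits[role] = pairs
    return hits


if __name__ == "__main__":
    updated, manual, new_checks = step_2a(CUSTOMER, SAP_OLD, SAP_NEW)
    print("2B manual adjustment:", [step_2b_view(updated, SAP_NEW, k) for k in manual])
    print("2C roles to check:", step_2c(ROLES, new_checks))
    print("2D replaced transactions:", step_2d(ROLES, REPLACED_TCODES))
```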

If you are performing an upgrade from a release status older than SAP R/3 4.6, there are a number of helpful SAP Notes, such as SAP Notes 156250 or 156196.

Use the next slide, which is still missing, to show the participants how they can perform an upgrade with large role concepts, although they have not finished revising the roles. Ensure that you also point out the dangers that could arise here.

Hint: A figure that refers to the SAP_NEW profile is still to be inserted here.

Figure: SAP_NEW and How You Can Call it in the System.


Figure 81: Upgrade Profile: SAP_NEW

If you use a very large number of roles, it can be useful for reasons of time to do without the postprocessing initially, and to assign the SAP_NEW profile to the users manually.

The profile SAP_NEW is delivered with every new release and contains authorizations for all new checks in existing transactions. You should only leave the subprofiles in the SAP_NEW profile that are relevant for your employees.

The SAP_NEW profile guarantees backward compatibility of the authorizations if a new release or an update of authorization checks introduces checks for previously unprotected functions.

SAP_NEW: Composite profile to bridge the differences in releases in the case of new or changed authorization checks for existing functions, so that your users can continue to work as normal.

Caution: This composite profile contains very extensive authorizations, since, for example, organizational levels are assigned with the full authorization asterisk ("*").


Either temporarily assign the previously adjusted composite profile SAP_NEW or the relevant single profiles contained in it, SAP_NEW_<Release>. You require all single profiles between the old release and the new release.

Hint: If you are upgrading, for example, from SAP R/3 4.5B to SAP R/3 4.6C, you require the following SAP_NEW profiles: SAP_NEW_4.6A, SAP_NEW_4.6B, and SAP_NEW_4.6C. The simplest solution is to delete all other single profiles from SAP_NEW and to assign SAP_NEW.

Once you have included the new authorization checks in your authorization concept, delete the SAP_NEW profile to avoid users having authorizations that are too extensive.

Before the participants begin the exercises, you should have performed a system demonstration for the topics dealt with. Ensure that all participants are familiar with the behavior of transaction SU24 if changes are made to default values (compare old status with new).


Exercise 8: Profile Generator: Installation and Upgrade
Exercise Duration: 15 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
• Explain the meaning of the authorization check indicators and know their difference
• Describe how authorization checks and default values for authorization fields are determined

Business Example
This exercise will reinforce the topics of Profile Generator default values, check indicators, and steps after an upgrade.

System Data
System: These SAP systems change weekly. Training administration will provide you with the exact ID of your SAP R/3 Enterprise system.
Client: The training courses are held in the 8xx clients; training administration will provide you with the exact numbers. One of the clients is set up as the central system.
User ID: The user IDs for SAP courses should have a uniform structure. The IDs contain the course ID and a two-digit group number. For example, for the ADM940 course: User ID "ADM940-##". At the start of the course, the instructor creates the users using transaction "ZUSR" and the template "ADM940-MODEL". The participants receive the required roles and authorizations for the exercises through the template.
Password: The instructor can set a uniform password for the users when creating them (such as "ADM940"). Training administration will inform you of the instructor password for access to the system.
Set up instructions:

1. All of the users, roles, and profiles (specifications) that the participants are to call have already been set up by the weekly system copy. If data is missing, contact the system administrators or the course author. The content to be created by the participants has been created in the system with the ID "...##" for the participant group numbers, and the instructor number "00" for comparison.


Task 1:
Display the check indicators for transaction PA30.

1. In Customizing for the SAP Web Application Server, choose Work on SAP Check Indicators and Field Values and then Change Check Indicators (transaction SU24).

Choose Maintain check indicators for transaction codes and enter transaction PA30.

2. Display the check indicators for the authorization objects of this transaction and check the following:

Do authorization objects with check indicator U or N exist?

____________________

To which authorization objects is the check indicator CM assigned?

__________________________________________________________

3. Go to the field value display.

Which default values are assigned to which authorization fields of the authorization object PLOG?

Fill in the following table.

Object   Field   Value (Interval)
PLOG

Task 2:
Create a role and compare the automatically entered authorizations with the check indicators and the default values from the previous task.

1. Create a role GR##_HR_PA30.

Enter a short description, and save your role.

2. Go to the Menu tab and select the following activities:

- PA30 - Maintain HR Master Data

Save the activities of your role.

3. Go to the Authorizations tab page. Select the normal mode (Change authorization data).

Define the organizational levels:

- Plan version: 01

Why do you have to enter an authorization value for the plan version?

__________________________________________________________

__________________________________________________________

__________________________________________________________

For which authorization objects did the system automatically generate authorizations?

______________________________________

______________________________________

______________________________________

______________________________________

______________________________________

Why is the status of the authorization objects PLOG and P_PCLX set to Standard and why is the traffic light symbol status set to green?

__________________________________________________________

__________________________________________________________

__________________________________________________________

4. Set full authorization for all open authorization values. Generate the profile, accept the proposed profile name, and exit role maintenance.

Task 3:
Convert the profile A_ANZEIGE.

1. Where can you convert profiles?

__________________________________________________________

__________________________________________________________

2. Which type of profiles can be used for this, and which types of conversion are available?

__________________________________________________________


Types:

a)_________________________________________________________

b)_________________________________________________________

3. Convert the specified profile so that a menu may be automatically created. View the result. Could a menu be created?

______________________________________

4. Could all transactions from the profile be included in the menu?

______________________________________


Solution 8: Profile Generator: Installation and Upgrade
Task 1:
Display the check indicators for transaction PA30.

1. In Customizing for the SAP Web Application Server, choose Work on SAP Check Indicators and Field Values and then Change Check Indicators (transaction SU24).

Choose Maintain check indicators for transaction codes and enter transaction PA30.

a) Tools → Customizing → IMG → Edit Project (transaction code: SPRO).

Choose SAP Reference IMG

IMG path: SAP Web Application Server → System Administration → Users and Authorizations → Maintain Authorizations and Profiles Using Profile Generator → Work on SAP Check Indicators and Field Values.

Choose Change Check Indicators

2. Display the check indicators for the authorization objects of this transaction and check the following:

Do authorization objects with check indicator U or N exist?

____________________

To which authorization objects is the check indicator CM assigned?

__________________________________________________________

a) There are only authorization objects with check indicator N.

b) To which authorization objects is the check indicator CM assigned?

PLOG

P_ORGIN

P_PCLX

P_PERNR

3. Go to the field value display.

Which default values are assigned to which authorization fields of the authorization object PLOG?

Fill in the following table.

Object   Field     Value (Interval)
PLOG

a) Go to the field value display.

Object   Field     Value (Interval)
PLOG     INFOTYP   1001
         ISTAT     *
         OTYPE     C, O, P, Q, S
         PLVAR     $PLVAR
         PPFCODE   *
         SUBTYP    *

Task 2:
Create a role and compare the automatically entered authorizations with the check indicators and the default values from the previous task.

1. Create a role GR##_HR_PA30.

Enter a short description, and save your role.

a) Menu: Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Choose the "Basic Maintenance" view, create a short description, and save your role.

2. Go to the Menu tab and select the following activities:

- PA30 - Maintain HR Master Data

Save the activities of your role.

a) Select transaction PA30 in the Menu tab page using the "Transaction" button or the "Select from the SAP Menu" button.

3. Go to the Authorizations tab page. Select the normal mode (Change authorization data).

Define the organizational levels:

- Plan version: 01

Why do you have to enter an authorization value for the plan version?

__________________________________________________________

__________________________________________________________

__________________________________________________________

For which authorization objects did the system automatically generate authorizations?

______________________________________

______________________________________

______________________________________

______________________________________

______________________________________

Why is the status of the authorization objects PLOG and P_PCLX set to Standard and why is the traffic light symbol status set to green?

__________________________________________________________

__________________________________________________________

__________________________________________________________

a) Because the plan version is defined as an organizational level in the default values of the Profile Generator (indicated by the dollar sign ($)).

b) S_TCODE

PLOG

P_ORGIN

P_PCLX

P_PERNR

c) Because all fields of these authorization objects could be filled with default values. The organization level filled using the button is interpreted as a PG default value.

4. Set full authorization for all open authorization values. Generate the profile, accept the proposed profile name, and exit role maintenance.

a) To do this, click the traffic light symbol at the top hierarchy level, and confirm the assignment of full authorization. Save your settings and generate the profile. Exit role maintenance.

Task 3:
Convert the profile A_ANZEIGE.

1. Where can you convert profiles?

__________________________________________________________

__________________________________________________________

a) You can convert profiles in transaction SU25, with step 6 or using the Customizing path in the solution for task 1.1.

2. Which type of profiles can be used for this, and which types of conversion are available?

__________________________________________________________

Types:

a)_________________________________________________________

b)_________________________________________________________

a) Only manually created profiles can be converted. Generated profiles are not available for selection.

You can choose between two options:

1. Optimized
2. Identical to profile

3. Convert the specified profile so that a menu may be automatically created. View the result. Could a menu be created?

______________________________________

a) Yes.

4. Could all transactions from the profile be included in the menu?


______________________________________

a) No.

The transactions that describe an area could not be resolved. In the authorization object S_TCODE, field TCD, there is still a specification with the value SU5*. This area could not be resolved and would therefore also not appear in the menu for the role.

Lesson Summary

You should now be able to:
• Perform the steps necessary to install the Profile Generator
• Find default values and check indicators in the system
• Modify, delete, or extend the default values of the Profile Generator
• Perform the necessary steps after an upgrade for postprocessing old and new authorization values

ADM940 Lesson: Access Control and User Administration

Lesson: Access Control and User Administration
Lesson Duration: 85 Minutes

Lesson Overview
This lesson will provide an overview of the password rules and special users, and introduce scenarios for user and authorization administration. The authorization objects that are used in transactions SU01 and PFCG are very important for the principles of dual and treble control. This lesson will describe how these and other frequently used objects are used.

Lesson Objectives
After completing this lesson, you will be able to:

• Define password rules and system profile parameters
• Protect special users in the SAP system
• Protect SAP functions with authorization object S_TCODE
• Protect tables and views using authorization groups
• Protect programs with authorization groups
• Describe tasks in user and authorization administration
• List options for separating functions of user and authorization administration
• Describe options for decentralization of user administration
• Create user and authorization administrators with limited rights (using authorization objects)

In this lesson, you will introduce the participants to the most important elements required for administration in an SAP system. These include:

• Password rules
• System profile parameters that begin with "login"
• Special Users
• Important authorization objects
• Authorization objects for which the principle of dual or treble control is used
• Examples about organizing user and authorization maintenance

To do this, you must be familiar with the transactions RZ10 and RZ11, or with report RSPFPAR.


Business Example
In order to protect your SAP system against unauthorized access, you must define password rules, set the relevant profile parameters and change the initial passwords of the special users.

In addition to these parameters, there are general authorization objects, which must often be specified. These are also introduced in this context.

You must also define areas of responsibility for user and authorization administration. The organizational areas of responsibility must be clearly defined technically using authorizations. The principle of dual or treble control can be created.

Profile Parameters and Password Rules for User Logon
The following slides show you the most important settings, and the profile parameters with which you can control password and logon rules. Control using these values should protect your system against any type of misuse by users.

You explain the predefined password rules in the SAP system.

There are also password checks using system profile parameters (login*). These can be displayed in transaction RZ11 or using report RSPFPAR.

Hint: However, the values can only be changed in transaction RZ10, and take effect only after a restart of the system.


Figure 82: Password Rules

There are two ways in which you can control the choice of user passwords:

• You can use the system profile parameters to assign a minimum length for passwords and define how often the users have to set new passwords.

• Invalid passwords can be entered in the table of reserved passwords, USR40. This table is maintained with transaction SM30. The entries can also be made generically:

  • "?" denotes a single character
  • "*" denotes a character string

Example:

• If you enter "123*" in table USR40, passwords may not begin with the character string "123".

• If you define "*ABC*", passwords cannot contain the character string "ABC" in any position.

There are also a number of predefined password rules, which are shown on the next slide.
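The generic USR40 entries above can be checked mechanically. The following Python block is an added example, not SAP code: it translates constructed USR40 entries into anchored patterns, combines them with a constructed value for login/min_password_lng, and assumes that "*" also matches an empty string and that the comparison is case-insensitive.

```python
"""Added example (not SAP code): checks a candidate password against the reserved
passwords in table USR40 (generic characters "?" and "*") and against
login/min_password_lng. The USR40 rows and the minimum length are constructed;
"*" is treated as zero or more characters and matching is case-insensitive
(both assumptions)."""
import re

USR40 = ["123*", "*ABC*", "PASS?ORD", "SAP*"]   # constructed reserved passwords
MIN_PASSWORD_LNG = 6                            # constructed login/min_password_lng


def usr40_to_regex(pattern):
    """Translate one USR40 entry into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")          # exactly one character
        elif ch == "*":
            parts.append(".*")         # any character string (assumed: may be empty)
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


RESERVED = [(pattern, usr40_to_regex(pattern)) for pattern in USR40]


def check_password(candidate, reserved=RESERVED, min_length=MIN_PASSWORD_LNG):
    """Return the list of rule violations; an empty list means the password is allowed."""
    violations = []
    if len(candidate) < min_length:
        violations.append(f"shorter than login/min_password_lng={min_length}")
    for pattern, rx in reserved:
        if rx.match(candidate):
            violations.append(f"matches reserved pattern {pattern!r} in USR40")
    return violations


if __name__ == "__main__":
    for pw in ("Winter2003", "123456", "xxABCxx", "passWord", "123"):
        print(pw, "->", check_password(pw) or "allowed")
```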


Call transaction RZ11 as a demonstration for the participants, and show the descriptions and use of a few profile parameters that begin with login*.

SAP divides the parameters into topic areas (see also the online documentation):

• Validate password
• Multiple logon
• Incorrect logon attempts
• Initial password: restricted validity
• Deactivation of password logon
• SSO ticket logon
• Other login parameters

Due to the large number of parameters, only a few are presented as examples on the next slide.

Figure 83: Password Checks with System Profile Parameters

There are now around 30 profile parameters in the SAP system that start with "login". Due to the large number of parameters, only a few have been listed here as examples. For more information, see the parameter descriptions (transaction RZ11) or the online documentation.

login/min_password_lng: This parameter defines the minimum length of the logon password. The password must have at least "3" characters, but the administrator can force a longer length.


login/fails_to_session_end: Number of incorrect logon attempts allowedwith a user master record before the logon procedure is terminated.

login/fails_to_user_lock: Number of incorrect logon attempts allowed with a user master record before the user master record is locked. An entry is written in the system log at the same time. The lock is removed at midnight.

login/failed_user_auto_unlock: Controls unlocking of the users locked due to an incorrect logon. If the parameter is set to 1 (default), user locks caused by incorrect logons during previous days are not taken into consideration. If the value is set to 0, the lock is not removed.

login/password_expiration_time: The value 0 means that the user is not forced to change the password. A value > 0 specifies the number of days after which the user must change the logon password.

login/disable_multi_gui_login: If this parameter is set to value 1, the system blocks multiple SAP dialog logons (in the same client and with the same user name). When the system detects a multiple logon, a warning message appears, permitting the user either to "End the existing sessions" or "End this logon". This parameter applies to SAP GUI logons.

login/multi_login_users: This parameter stores a list of the users who may log on to the system more than once.
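The interplay of login/fails_to_session_end, login/fails_to_user_lock and login/failed_user_auto_unlock is easier to see as a small simulation; this is added example code for this page, not SAP kernel code, and the parameter values, user and dates in it are constructed rather than SAP defaults.

```python
"""Simulation of the incorrect-logon handling controlled by the three
profile parameters described above: login/fails_to_session_end,
login/fails_to_user_lock and login/failed_user_auto_unlock.  Example code
written for this page, not SAP kernel code; the parameter values used below
are constructed for the demonstration and are not SAP's defaults."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class LogonParams:
    fails_to_session_end: int     # wrong attempts before the logon screen is closed
    fails_to_user_lock: int       # wrong attempts before the user master record is locked
    failed_user_auto_unlock: int  # 1: locks from previous days are ignored, 0: lock stays


@dataclass
class UserMaster:
    name: str
    password: str                      # plain text only because this is a simulation
    failed_logons: int = 0             # counter kept in the user master record
    locked_on: Optional[date] = None   # day of the lock caused by wrong logons


@dataclass
class LogonSimulator:
    params: LogonParams
    syslog: list = field(default_factory=list)  # stands in for the system log
    session_fails: int = 0                      # wrong attempts in the current logon screen

    def logon(self, user: UserMaster, password: str, today: date) -> str:
        """Process one logon attempt and return what the user would see."""
        if user.locked_on is not None:
            if self.params.failed_user_auto_unlock == 1 and user.locked_on < today:
                # The lock was removed at midnight: locks from previous days do not count.
                user.locked_on, user.failed_logons = None, 0
            else:
                return "LOCKED"
        if password == user.password:
            user.failed_logons = 0
            self.session_fails = 0
            return "OK"
        user.failed_logons += 1
        self.session_fails += 1
        if user.failed_logons >= self.params.fails_to_user_lock:
            user.locked_on = today
            self.syslog.append(f"{today.isoformat()} user {user.name} locked after "
                               f"{user.failed_logons} incorrect logons")
            self.session_fails = 0
            return "USER_LOCKED"
        if self.session_fails >= self.params.fails_to_session_end:
            self.session_fails = 0          # the logon procedure is terminated
            return "SESSION_END"
        return "WRONG_PASSWORD"


def run_scenario(auto_unlock: int) -> dict:
    """Five wrong attempts on day 1, then the correct password on day 1 and day 2."""
    sim = LogonSimulator(LogonParams(fails_to_session_end=3, fails_to_user_lock=5,
                                     failed_user_auto_unlock=auto_unlock))
    user = UserMaster("TEST-01", "correct-pw")   # constructed user
    day1, day2 = date(2003, 12, 12), date(2003, 12, 13)
    results = [sim.logon(user, "wrong", day1) for _ in range(5)]
    same_day = sim.logon(user, "correct-pw", day1)
    next_day = sim.logon(user, "correct-pw", day2)
    return {"day1": results, "same_day": same_day, "next_day": next_day,
            "syslog_entries": len(sim.syslog), "failed_logons": user.failed_logons}


if __name__ == "__main__":
    print(run_scenario(auto_unlock=1))
    print(run_scenario(auto_unlock=0))
```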

The next slide provides the participants with a list of special users. We recommend that customers create a "superuser" in each of the utilized clients, and change the widely-known passwords of the special users as quickly as possible.

Use transaction SA38 to demonstrate report RSUSR003. This report lists the special users for all clients, and also shows whether the password has been reset or is still as delivered.

Hint: Recommend that the participants run this report in their own system when they return to their companies. There must not be any "red" entries.


Figure 84: Special Users

Essentially, there are two types of special users: those created by installing the SAP system and those created when you copy clients.

During the installation of the SAP system, the clients 000 and 066 are created (the client 001 is not always created during an SAP installation; it is also created, for example, during an SAP R/3 installation). Special users are predefined in the clients. Since there are standard names and standard passwords for these users, which are known to other people, you must protect them against unauthorized access.

The SAP system special user, SAP*

SAP* is the only user in the SAP system for which no user master record is required, since it is defined in the system code. SAP* has, by default, the password "PASS", and unrestricted access authorizations for the system.

When you install the SAP system, a user master record is automatically defined for SAP* in client 000 (and in 001 if it exists), with the initial password "06071992". This deactivates the special properties of SAP*, so that only the authorizations and password defined in the user master record now apply.

The DDIC user

This user is responsible for maintaining the ABAP Dictionary and the software logistics.

When you install the SAP system, a user master record is automatically created in client 000 [001] for the user DDIC. The standard password for this user is "19920706". Certain authorizations are predefined in the system code for the DDIC user, meaning that it is, for example, the only user that can log on to the SAP system during the installation of a new release.

Caution: To protect the system against unauthorized access, you must change the initial passwords in client 000 [001]. We recommend that you assign these users to user group SUPER. This user group is only assigned to superusers.

The EarlyWatch user

The EarlyWatch user is delivered in client 066 and is protected with the password "SUPPORT". The EarlyWatch experts at SAP work with this user. This user should not be deleted. Change the password. This user should only be used for EarlyWatch functions (monitoring and performance).

Hint: Special features for the user SAP*

If you copy a client, the user SAP* is always available. This user does not have a user master record, and is programmed into the system code. To protect your system against unauthorized access, you should create a user master record for this special user. Create a "superuser" with full authorization.

If you now delete the user master record SAP*, the initial password "PASS" with the following properties becomes valid again:

• The user has full authorization since no authorization checks are made.

• The standard password "PASS" cannot be changed.

How can you counter this problem to protect the system against misuse?

• You can deactivate the special properties of SAP*. To do this, you must set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero. If the parameter is active, SAP* no longer has any special properties. If the user master record SAP* is deleted, the logon with PASS no longer works.

• If you want to reinstate the old behavior of SAP*, you must first reset the parameter and restart the system.


Hint: You can also make this setting for the SAP* special user for all instances of the SAP system.

To do this, set this parameter in the global system profile DEFAULT.PFL, so that it takes effect in all instances of the SAP system. Even if you set the parameter, ensure that there is a user master record for SAP*, as otherwise, as soon as the parameter is reset to 0, it will be possible to log on with SAP*, the password PASS, and unrestricted authorizations again.

Special Authorization Objects

In the area of authorizations, there are a few objects that occur regularly, and are used and specified for daily queries. To clarify their use, some of these objects are described on the following pages.

This section, "Special Authorization Objects", lists important authorization objects that an administrator requires during or for his or her daily work. Many of these objects will be familiar to the participants.

Ask the participants again what is so special about the object S_TCODE.

254 © 2003 SAP AG. All rights reserved. 12-12-2003

Page 265: Adm940

ADM940 Lesson: Access Control and User Administration

Figure 85: Authorization Check for Transaction Start

Hint: Each time a transaction is started, the kernel always automatically checks the transaction code (TCD) as a value against the authorization object S_TCODE. This also applies for customer-developed transaction codes.

Example:

• Authorization 1:

The user calls transaction PFCG (Profile Generator). He or she can only call the Profile Generator if he or she has authorization for this transaction code.

• Authorization 2:

The user calls the report "Display users with incorrect logons" from the area menu. Transaction code S_BCE_68001402 is assigned to this report. He or she can only execute this report if he or she has authorization for this transaction code.


All the objects of an area menu are checked with authorization object S_TCODE since a transaction code is assigned to each executable menu entry (reports, transactions). This was implemented during the migration of report trees to area menus.

Hint: However, there is no rule without exception. Some users/participants know about a back door with which this kernel check can be avoided.

If a transaction is called indirectly, that is, from another transaction, no authorization check is performed. This means, for example, that authorizations are not checked if a transaction calls another with the statement CALL TRANSACTION.

To ensure that the called transactions are also subjected to an authorization check, you must use transaction SE97 to set the check indicator in table TCDCOUPLES for the entry of the pair of calling and called transactions (see SAP Note 358122).
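The difference between the kernel's S_TCODE check at transaction start and the unchecked CALL TRANSACTION path, with the TCDCOUPLES check indicator closing the gap, modelled in Python; this is added example code for this page, not SAP code, and the user, the Z transaction and the TCDCOUPLES contents are constructed.

```python
"""Model of the kernel check against S_TCODE at transaction start and of the
gap the hint above describes: a transaction reached via CALL TRANSACTION is
only checked when the calling/called pair has the check indicator set in
TCDCOUPLES (transaction SE97).  Example code written for this page, not SAP
code; the user, the transaction code ZCALLER and the table contents below
are constructed."""


def tcode_authorized(s_tcode_values: set, tcode: str) -> bool:
    """Kernel check: does one S_TCODE value cover this transaction code?

    Authorization values may end in '*' (e.g. 'S_BCE*'); '*' alone covers all.
    """
    for value in s_tcode_values:
        if value.endswith("*"):
            if tcode.startswith(value[:-1]):
                return True
        elif value == tcode:
            return True
    return False


def start_transaction(s_tcode_values: set, tcode: str) -> bool:
    """Direct start (command field, menu, area menu): always checked."""
    return tcode_authorized(s_tcode_values, tcode)


def call_transaction(s_tcode_values: set, caller: str, called: str,
                     tcdcouples: dict) -> bool:
    """CALL TRANSACTION from `caller` to `called`.

    Only when the pair is entered in TCDCOUPLES with check indicator 'X'
    (maintained with SE97) is S_TCODE checked for the called transaction;
    otherwise the call goes through without any S_TCODE check.  (Simplified:
    the model knows only 'X' and "no entry".)
    """
    if tcdcouples.get((caller, called)) == "X":
        return tcode_authorized(s_tcode_values, called)
    return True


def unprotected_couples(tcdcouples: dict, all_couples: set) -> list:
    """Review helper: caller/called pairs that exist in the code but have no
    check indicator, i.e. the places where S_TCODE is silently skipped."""
    return sorted(pair for pair in all_couples if tcdcouples.get(pair) != "X")


# Constructed authorization data: this user may start PFCG and the S_BCE* reports.
USER_S_TCODE = {"PFCG", "S_BCE*"}

# Constructed: ZCALLER is a customer transaction whose program executes
# CALL TRANSACTION 'SU01' and CALL TRANSACTION 'PFCG'.
CODE_COUPLES = {("ZCALLER", "SU01"), ("ZCALLER", "PFCG")}
TCDCOUPLES_BEFORE = {}                                # nothing maintained in SE97
TCDCOUPLES_AFTER = {("ZCALLER", "SU01"): "X", ("ZCALLER", "PFCG"): "X"}

if __name__ == "__main__":
    print(start_transaction(USER_S_TCODE, "S_BCE_68001402"))                   # True
    print(start_transaction(USER_S_TCODE, "SU01"))                             # False
    print(call_transaction(USER_S_TCODE, "ZCALLER", "SU01", TCDCOUPLES_BEFORE))  # True: gap
    print(call_transaction(USER_S_TCODE, "ZCALLER", "SU01", TCDCOUPLES_AFTER))   # False
    print(unprotected_couples(TCDCOUPLES_BEFORE, CODE_COUPLES))
```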

The following three authorization objects are required if you use SE16, SM30, and SM31.

Figure 86: Table Maintenance Authorization


You can use the row-oriented authorizations introduced with SAP R/3 4.6C to restrict access to tables with business organizational units. Previously, only the authorization objects S_TABU_DIS and S_TABU_CLI were available.

Authorization object S_TABU_DIS defines which table contents may be maintained by which employees.

The authorization object S_TABU_DIS controls only complete accesses, which are made using standard table maintenance (SM31), advanced table maintenance (SM30) or the Data Browser (SE16). The assignment of tables to authorization groups is defined in table TDDAT.

The object consists of the following fields:

• DICBERCLS: Authorization group for ABAP Dictionary objects (description - max. 4 characters)

• ACTVT: Activity (02, 03)

Example:

• Authorization 1:

In this case, table entries may be added, changed or deleted (ACTVT=02), but only tables/views assigned to authorization group "V*" (DICBERCLS=V*) may be maintained.

Show the participants the use of authorization groups with a short system demonstration. Use the examples from the exercise.

Hint: SAP standard tables are assigned to authorization groups. These assignments can be changed.

Important tables:

• V_DDAT: Assignment of tables/views to authorization groups (SM30)

• V_BRG: Definition of authorization groups (SM30)


Figure 87: Table Maintenance Authorization (Cross-Client)

Authorization object S_TABU_CLI: Grants authorization to maintain cross-client tables with the standard table maintenance transaction (SM31), extended table maintenance transaction (SM30) and the Data Browser, and also in the Customizing system. It also acts as an additional security measure for cross-client tables and enhances the general table maintenance authorization S_TABU_DIS.

The object has the following field:

• CLIIDMAINT: If identifier "X" or "*" is set, cross-client tables can be maintained.

The next authorization object (S_TABU_LIN) is not as well-known. It extends the objects S_TABU_DIS and S_TABU_CLI.


Figure 88: Row-Oriented Authorizations for Tables

New developments for the topic of row-oriented authorizations.

Up to now, you could only use the authorization objects S_TABU_DIS and S_TABU_CLI to allow or forbid access to complete tables (row-oriented authorizations are available as of SAP R/3 4.6C).

Through the introduction of organizational criteria, it is possible to restrict a user's access rights to specific parts of a table. A possible use for S_TABU_LIN would be to display and to change content for only a certain work area, such as a country or a plant.

As you can see in the graphic, the object consists of the following fields.

Activity:

• 02: Add, change, or delete table entries
• 03: Only display table contents

Organizational criterion:

• Table key fields/row authorization, such as organizational criteria (defined in Customizing)

Attribute for organizational criterion:

• 1 to 8 attributes for the organizational criterion, each attribute for a certain table key field.
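How the three table-maintenance objects stack up in one access decision (S_TABU_DIS on the authorization group, S_TABU_CLI for cross-client maintenance, S_TABU_LIN on an organizational criterion), as added example code for this page rather than SAP code; the table names, authorization groups, organizational criterion and user authorizations are constructed.

```python
"""Model of the three table-maintenance authorization objects described on
these pages: S_TABU_DIS (authorization group + activity), S_TABU_CLI
(cross-client tables) and S_TABU_LIN (row-oriented, organizational
criterion).  Example code written for this page, not SAP code.  Table
names, authorization groups, the organizational criterion and all user
authorizations below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TableInfo:
    auth_group: str            # DICBERCLS from TDDAT (maintained via view V_DDAT)
    cross_client: bool         # client-independent table?
    org_field: str = ""        # key field an organizational criterion is defined on


@dataclass
class UserAuths:
    s_tabu_dis: list            # [(DICBERCLS value, ACTVT)]
    s_tabu_cli: str = ""        # CLIIDMAINT: 'X' or '*' allows cross-client maintenance
    s_tabu_lin: dict = field(default_factory=dict)  # {org criterion: {ACTVT: {allowed values}}}


def value_covers(auth_value: str, actual: str) -> bool:
    """SAP-style generic authorization value: a trailing '*' matches a prefix."""
    if auth_value.endswith("*"):
        return actual.startswith(auth_value[:-1])
    return auth_value == actual


def check_table_access(user: UserAuths, tddat: dict, table: str, activity: str,
                       row: Optional[dict] = None, org_criterion: str = "") -> tuple:
    """Decide whether `activity` ('02' maintain, '03' display) on `table` is allowed.

    Returns (allowed, reason).  `row` is the key of the record being accessed,
    used only when an organizational criterion applies to the table.
    """
    info = tddat.get(table)
    if info is None:   # simplification: a table without TDDAT entry is refused here
        return False, f"{table} has no authorization group in TDDAT"
    # 1. S_TABU_DIS: the table's authorization group and the activity must be covered.
    if not any(value_covers(grp, info.auth_group) and act == activity
               for grp, act in user.s_tabu_dis):
        return False, f"S_TABU_DIS: no authorization for group {info.auth_group} / ACTVT {activity}"
    # 2. S_TABU_CLI: maintaining a cross-client table additionally needs CLIIDMAINT.
    if info.cross_client and activity == "02" and user.s_tabu_cli not in ("X", "*"):
        return False, "S_TABU_CLI: cross-client table, CLIIDMAINT not X or *"
    # 3. S_TABU_LIN: with an organizational criterion, the row's key value must be allowed.
    if org_criterion and info.org_field:
        allowed = user.s_tabu_lin.get(org_criterion, {}).get(activity, set())
        key_value = (row or {}).get(info.org_field)
        if not any(value_covers(v, str(key_value)) for v in allowed):
            return False, f"S_TABU_LIN: {info.org_field}={key_value} not allowed for ACTVT {activity}"
    return True, "allowed"


# Constructed table directory (groups, ZPLANT, ZGLOBAL and the criterion are invented).
TDDAT = {
    "V_T001": TableInfo(auth_group="VC01", cross_client=False),
    "ZPLANT": TableInfo(auth_group="VC02", cross_client=False, org_field="WERKS"),
    "ZGLOBAL": TableInfo(auth_group="VC03", cross_client=True),
}

# Constructed user: S_TABU_DIS for group V* (display and change), no S_TABU_CLI,
# row authorization for plant 1000 only.
CLERK = UserAuths(s_tabu_dis=[("V*", "03"), ("V*", "02")],
                  s_tabu_lin={"ZORG_PLANT": {"03": {"1000"}, "02": {"1000"}}})

if __name__ == "__main__":
    print(check_table_access(CLERK, TDDAT, "V_T001", "03"))
    print(check_table_access(CLERK, TDDAT, "ZGLOBAL", "02"))
    print(check_table_access(CLERK, TDDAT, "ZPLANT", "02", {"WERKS": "2000"}, "ZORG_PLANT"))
```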


Figure 89: ABAP: Program Flow Checks

As is familiar from previous releases, it is possible to check programs using the authorization object S_PROGRAM.

The programs (reports) are combined into program authorization groups and can be protected against unauthorized access using the groups. The authorization group is stored in the properties of the programs.

You can also store your own authorization groups in SAP programs (without making modifications).

You can assign authorizations for the following activities by program groups:

• Starting a program (SUBMIT)
• Scheduling a program as a background job (BTCSUBMIT)
• Variant maintenance (VARIANT)


If a participant asks how it is possible to store their own authorization groups, you can provide the solution with the following description:

Start the program RSCSAUTH.

• It creates a list of reports (type 1) ("Program" column), the authorization group delivered by SAP ("SAP" column), and the authorization group maintained by the customer ("Customer" column). The "Customer" column accepts input. Customers can enter their own authorization groups here. When the customer chooses "Save", the customer's own authorization groups for all SELECTED reports are transferred to the table TRDIR. This is equivalent to a change of the authorization group in the program attributes, and the existing SAP authorization groups are overwritten. The authorization group for each report is also entered in the table SREPOATH, meaning that the customer's own authorization groups can be restored by restarting RSCSAUTH after an upgrade.

Start the program RSABAUTH. The new authorization groups are written to the table TPGP.

User and Authorization Administration

In today's system landscapes, an administrator has many tasks to perform to structure and maintain user master records and roles. These activities should also be subjected to an authorization check and should not all be available to one administrator. You can use the objects presented on the following pages to flexibly create a principle of dual or treble control.

Daily Tasks and Activities of an Administrator

• Create, maintain, lock and unlock users, and change passwords
• Create and maintain roles
• Maintain transaction selections and authorization data in roles
• Generate authorization profiles
• Assign roles and profiles
• Transport roles
• Monitor using the Information System
• Archive change documents

The administrator uses the transactions SU01 and PFCG for the activities listed above. When these transaction codes are used, the following objects are checked in the program code.


The following authorization objects are used later to control the principle of dual or treble control.

Figure 90: Authorization Objects: User

The object User Master Record Maintenance: User Groups (S_USER_GRP) defines the user groups for which an administrator has authorization and the activities that are allowed.

The object S_USER_GRP can be used to grant administration rights for only a certain user group in decentralized administration.

The object User Master Record Maintenance: System for Central User Maintenance (S_USER_SYS) defines which system a user administrator can access from the central user administration and the activities that are allowed.

The object S_USER_SYS can be used in decentralized administration to grant administration rights for only the users in a certain system from the central user administration.


Figure 91: Authorization Objects: Roles

The object Authorization: Check for Roles (S_USER_AGR) defines the role names for which an administrator is authorized and the activities that are allowed.

The object S_USER_AGR can be used in decentralized administration to grant an administrator authorization to access only certain roles (such as for a module or an organizational unit).

The object Authorization: Transactions in Roles (S_USER_TCD) defines the transactions that an administrator may include in a role.

The object S_USER_TCD can be used to grant an administrator authorization to include only certain transactions in roles and thus prevent critical transactions from being included in roles.

The object Authorization: Field Values for Roles (S_USER_VAL) defines which field values an administrator may enter in roles for which authorization object and which fields.

The object S_USER_VAL can be used to grant an administrator authorization to assign only certain authorizations in roles and thus prevent critical authorizations from being included in roles.


Figure 92: Authorization Objects: Profiles & Authorizations

The object User Master Record Maintenance: Authorization Profile (S_USER_PRO) defines the profile names for which an administrator has authorization and the activities that are allowed.

The object S_USER_PRO can be used to grant an administrator authorization to assign only certain profiles in a decentralized administration (such as for a module or an organizational unit).

The object User Master Record Maintenance: Authorizations (S_USER_AUT) defines the authorization object name and the authorization name for which an administrator has authorization and the activities that are allowed.

The object S_USER_AUT can be used to grant an administrator authorization to create only certain authorizations in roles and thus prevent critical authorizations from being created in roles.

S_OC_ROLE

Authorization object definition: This defines whether the user is an SAPoffice administrator or not.

Defined fields: The value that must be assigned to the authorization object S_OC_ROLE for administrator authorization is "ADMINISTRATOR".

S_ADDRESS1

Authorization to create, change, display, or delete (non-person-related) addresses (organization, company) in Business Address Services. The authorization object S_ADDRESS1 is used for the authorization check when Business Address Services is called through the parameter transaction SADR. If an address is maintained directly from an SAP application object, no separate authorization check is performed by the Business Address Services.

Defined fields:

• ADGRP: Names of the permitted address groups. Parameters are provided to the parameter transaction SADR by specifying the address group.
• ACTVT: Activity. The following specifications are possible:

• "01" Create addresses
• "02" Change addresses
• "03" Display addresses
• "06" Delete addresses

Options for Decentralization of User Administration

There are various security requirements due to laws and business agreements or customer requirements. These are often required by an auditor. Use the next slides to explain to the participants the general requirements for user and authorization administration.

• An administrator may not

  • Administer users and
  • Maintain authorizations and
  • Generate authorization profiles

• Solution by separating functions

Principle of dual control

• User administration
• Authorization maintenance and generation

Principle of treble control

• User administration
• Authorization maintenance
• Authorization generation


The authorization system can be used to flexibly organize maintenance of the user master records, profiles and authorizations.

• If your company is small and is organized centrally, all the tasks connected with maintaining the user master records and the authorization components can be handled by a single user called the superuser.

• If you want to ensure that your system maintains a higher level of security, you can share the responsibility for maintaining the user master records and the authorizations amongst a user administrator and an authorization administrator, each having limited responsibility (principle of dual control).

• For a maximum in system security you can share the responsibility for maintaining the user master records and the authorizations amongst a user administrator, an authorization data administrator and an authorization profile administrator, each having limited responsibility (principle of treble control).

• Since you can assign specific authorizations for the user and administrator maintenance, the administrators need not be privileged users in your IT department. Normal users can be responsible for maintaining the user master records and authorizations.

Present the activities of user and authorization maintenance. Central question: How should the tasks be divided? This topic is very relevant to practice, and the participants will be glad that it is addressed. Explain the principles of dual and treble control.


Figure 93: Separation of Functions

Sharing the administrative tasks amongst three administrators is called the principle of treble control.

The superuser sets up all the user master records, profiles and authorizations for the administrators.

The authorization data administrator creates the roles, selects transactions and maintains the authorization data. He or she simply saves the data in the Profile Generator since he or she does not have the necessary authorization for generating the profile. He or she accepts the proposed profile name "T-...". The authorization data administrator may not change users, nor generate profiles.

The authorization profile administrator starts transaction SUPC and chooses All Roles. He or she then restricts the selection, for example by entering the ID of the role to be edited. On the next screen, he or she chooses Display Profile to check the data. If all the data is correct, he or she generates the authorization profile. The authorization profile administrator may not change users, change the data for roles, nor generate profiles containing authorization objects beginning with S_USER*.


The user administrator then assigns this role to a user (from the user maintenance transaction SU01). The profile is entered for the user. The user administrator may not change data for roles, nor change or generate profiles.

The principle of dual control combines the tasks and authorizations of the authorization data administrator and those of the authorization profile administrator.

Use the next slide to present a planned division in a company.

Figure 94: Decentralized User Administration

With decentralized user administration, there are several user administrators, each responsible for administration of a certain group of users.


The administration tasks in decentralized user administration can be shared according to different criteria:

• Application area / module

The users are assigned to decentralized user administrators, each of whom is responsible for a business application or an SAP module.

• Locations

The users are assigned to decentralized user administrators, each of whom is responsible for all users at that location.

• Departments

The users are assigned to decentralized user administrators, each of whom is responsible for all the users in the department.

Technically, decentralization is implemented by grouping users to form user groups. Each decentralized user administrator may only administer the users assigned to the user group for which he or she is responsible. Accordingly, each decentralized user administrator may only assign the roles needed for his or her application module, location or department.

Use the following three scenarios to discuss the division between multiple administrators.

Example 1: The principle of dual control

Discuss the table entries with the participants. Pay particular attention to the objects S_USER_GRP and S_USER_AGR. With these objects, you can easily explain the division in each of the scenarios presented here in a comprehensible way.

Scenario 1, Principle of Dual Control

• Central user administration
  • One user administrator for all users
  • Unlimited authorizations for all user administration tasks of the user administrator
• Central maintenance of roles and profiles
  One administrator performs both roles:
  • Authorization data administrator
  • Authorization profile administrator
  All authorizations for maintaining the roles and profiles


Figure 95: Authorization Administration: Scenario 1

In this scenario there is one central user administrator for the development system and one for the production system.

The development system also has a central administrator responsible for authorization data administration and authorization profile administration.

Example 2: The principle of treble control

Discuss the settings for the objects S_USER_GRP and S_USER_AGR.


Scenario 2, Principle of Treble Control

• Decentralized user administration (production system)
  One user administrator for each application area (FI, MM)
  • Authorized to maintain a certain user group
  • Authorized to assign a certain number of roles and profiles
  • No other restrictions in the specific user administration tasks
• Central maintenance of roles and profiles
  Separation of responsibilities
  • One authorization data administrator
  • One authorization profile administrator
  No other restrictions with regard to specific roles or profiles for both administrators

Figure 96: Authorization Administration: Scenario 2

This scenario has two user groups, each of which is administered by its own user administrator in the production system.

• The group of FI users (FI_USER) is administered by the FI user administrator.

• The group of MM users (MM_USER) is administered by the MM user administrator.


The decentralized user administrators must be restricted as follows:

• Administration of the user group for which they are responsible (S_USER_GRP)

• Assignment of the relevant roles and profiles for the user group (S_USER_AGR, S_USER_PRO)

The users must be assigned to the appropriate groups (FI_USER, MM_USER).

Caution: Users not belonging to any group can be administered by both user administrators.

Example 3: The principle of treble control

This is the last scenario and completes the authorization administration section. The difference here in comparison to example 2 is for the central user administrator in the production system. This administrator has been assigned the object S_USER_GRP with the value "01".

Scenario 3, Principle of Treble Control, Decentralized User Administration in PRD

• Central creation and deletion for all users (production system)
• Decentralized user administration (production system)
  One user administrator for each application area (FI, MM)
  • Authorized to maintain a certain user group
  • Authorized to assign a certain number of roles and profiles
  • Authorized for only certain user administration tasks (change, lock/unlock, reset password)
• Central maintenance of roles and profiles
  Separation of responsibilities
  • One authorization data administrator
  • One authorization profile administrator
  No other restrictions with regard to specific roles or profiles for both administrators


Figure 97: Authorization Administration: Scenario 3

This scenario has two user groups, each of which is administered by its own user administrator in the production system.

• The group of FI users (FI_USER) is administered by the FI user administrator.

• The group of MM users (MM_USER) is administered by the MM user administrator.

In contrast to scenario 2, the user administrators may only perform the following activities for users in their group:

• Lock / unlock users
• Change passwords
• Assign roles and profiles

A central user administrator creates and deletes the users.

The decentralized user administrators must be restricted as follows:

• Administration of the user group for which they are responsible (S_USER_GRP)
• Activities in user administration (S_USER_GRP)
• Assignment of the relevant roles and profiles for the user group (S_USER_AGR, S_USER_PRO)

The users must be assigned to the appropriate groups (FI_USER, MM_USER).
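The S_USER_GRP split of scenario 3 (central create/delete, decentralized FI and MM administrators for their own group only), together with the caution from scenario 2 that users in no group can be administered by every user administrator, as added example code for this page rather than SAP code. Activities are written out as names because the page gives only ACTVT 01 (create); the administrators, users and the user IDs are constructed.

```python
"""Model of decentralized user administration with S_USER_GRP as laid out
in scenarios 2 and 3 above, including the caution that users who belong
to no user group can be administered by every user administrator.  Example
code written for this page, not SAP code.  Activities are written out as
names; the page gives only ACTVT 01 = create, so no other ACTVT codes are
used here.  Administrators, users and user IDs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserGrpAuth:
    user_group: str        # CLASS field: a user group name or '*'
    activities: frozenset  # allowed activities for users in that group


def may_administer(admin: list, target_group: str, activity: str) -> bool:
    """S_USER_GRP check for one user administration activity on a user in `target_group`.

    An empty `target_group` models a user that belongs to no user group: as the
    caution above says, such a user can be administered by any user
    administrator, so the group value is not restricted in that case.
    """
    for auth in admin:
        if activity not in auth.activities:
            continue
        if target_group == "" or auth.user_group == "*" or auth.user_group == target_group:
            return True
    return False


def users_without_group(users: dict) -> list:
    """Review helper: user IDs whose user group is empty and therefore fall
    outside the decentralized split (they should be assigned to FI_USER, MM_USER, ...)."""
    return sorted(uid for uid, grp in users.items() if grp == "")


# Scenario 3, constructed: the central administrator creates/deletes in all groups,
# the decentralized FI and MM administrators handle their own group only.
DECENTRAL_TASKS = frozenset({"change", "lock/unlock", "reset password",
                             "assign roles and profiles"})
CENTRAL_ADMIN = [UserGrpAuth("*", frozenset({"create", "delete"}))]  # ACTVT 01 = create
FI_ADMIN = [UserGrpAuth("FI_USER", DECENTRAL_TASKS)]
MM_ADMIN = [UserGrpAuth("MM_USER", DECENTRAL_TASKS)]

# Constructed user master data: user ID -> user group ('' = no group assigned)
USERS = {"FI-CLERK-1": "FI_USER", "MM-BUYER-1": "MM_USER", "TEMP-42": ""}

if __name__ == "__main__":
    print(may_administer(FI_ADMIN, USERS["FI-CLERK-1"], "lock/unlock"))  # True
    print(may_administer(FI_ADMIN, USERS["MM-BUYER-1"], "lock/unlock"))  # False
    print(may_administer(FI_ADMIN, USERS["FI-CLERK-1"], "create"))       # False: central only
    print(may_administer(FI_ADMIN, USERS["TEMP-42"], "lock/unlock"))     # True: the caution
    print(users_without_group(USERS))                                   # ['TEMP-42']
```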


Exercise 9: Access Control and User Administration

Exercise Duration: 25 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

• Create a role to grant authorizations for user maintenance within your user group
• Test the settings you made
• Determine authorization groups for protecting tables
• Restrict table accesses

Business Example

During his or her daily work, a user can receive the message: You are not authorized to.... This system behavior is to be recreated here using an example, and then analyzed.

System Data

System: These SAP systems change weekly. Training administration will provide you with the exact ID of your SAP R/3 Enterprise system.

Client: The training courses are held in the 8xx clients; training administration will provide you with the exact numbers. One of the clients is set up as the central system.

User ID: The user IDs for SAP courses should have a uniform structure. The IDs contain the course ID and a two-digit group number. For example, for the ADM940 course: User ID "ADM940-##". At the start of the course, the instructor creates the users using transaction "ZUSR" and the template "ADM940-MODEL". The participants receive the required roles and authorizations for the exercises through the template.

Password: The instructor can set a uniform password for the users when creating them (such as "ADM940"). Training administration will inform you of the instructor password for access to the system.

Set up instructions:

1. All of the users, roles, and profiles (specifications) that the participants are to call have already been set up by the weekly system copy. If data is missing, contact the system administrators or the course author. The content to be created by the participants has been created in the system with the ID "...##" for the participant group numbers, and the instructor number "00" for comparison.


Task 1: Create a role for user administration activities.

1. Create the role GR##_BC_USR_ADM by selectively copying (without user assignments) the role ADM940_BC_ADMIN.

2. Change the description for your group and save the role.

3. Change to the Authorizations tab page and choose Change authorization data.

Restrict the authorization values so that a user who is assigned at a later time may only assign roles and profiles beginning with GR## or ADM940.

Ensure that only user group ZGR## may be assigned and maintained. If there are other unmaintained fields, assign full authorization for them.

4. Generate the profile. Accept the proposed profile name.

5. What is the status of the User tab and why?

__________________________________________________________

6. Exit the transaction and change the user master record of user administrator GR##-ADM.

Remove the role ADM940_BC_ADMIN.

Add the role that you have just created, GR##_BC_USR_ADM, to the user master record.

Save the user master record and go to the maintenance transaction for the roles.

Task 2: Log on to the system with user GR##-ADM.

1. Create a test user GR##-TEST and try to assign this user your neighbor's user group. Can you save the user master record?

________________________________

If not, why does the assignment fail?

_______________________________________________________

2. What can be implemented by assigning user groups?

_______________________________________________________

_______________________________________________________


ADM940 Lesson: Access Control and User Administration

_______________________________________________________

3. Assign the role ADM940_PLUS to the test user GR##-TEST.

Can you assign a role delivered by SAP?

(Such as SAP_HR_...)

________________________________

If not, why does the assignment fail?

_______________________________________________________

Task 3: Create authorizations so that a user can view specific tables in transaction SM30. The user must be able to display two tables: the company code table and the business area table. In SM30 these are addressed through the maintenance views V_T001 (company code) and V_TGSB (business area).

1. Find out about authorization object S_TABU_DIS.

Display the documentation for the authorization object S_TABU_DIS.

What is the main function of this authorization object?

___________________________________________________

___________________________________________________

2. Which activities are allowed?

___________________________________________________

___________________________________________________

3. What is stored in table V_DDAT?

__________________________________________________

4. What is stored in table V_BRG?

___________________________________________________

Task 4:Find the authorization group assigned to tables V_T001 or V_TGSB.

1. The authorization group for table V_T001 is:

_________________________________

2. The authorization group for table V_TGSB is:

_________________________________


Task 5: Create a role for reading tables V_T001 and V_TGSB.

1. Create the role GR##_FI_TAB_ANZ and write a short description.

2. Assign authorizations for transaction SM30 (Extended Table Maintenance) in the menu, and use the authorization objects to allow only read access to the above tables.

Generate the profile and accept the proposed name.

3. Assign the role to your user GR##-FI1. Perform a user master comparison and exit role maintenance.

Task 6: Log on as GR##-FI1. Call transaction SM30, and answer the following questions:

1. Can you display table V_T001? Why?

___________________________________________________

___________________________________________________

2. Can you change table V_T001? Why?

___________________________________________________

3. Can you display table V_TGSB? Why?

___________________________________________________

___________________________________________________

4. Can you display table V_TVKO? Why?

___________________________________________________

___________________________________________________


Solution 9: Access Control and User Administration

Task 1: Create a role for user administration activities.

1. Create the role GR##_BC_USR_ADM by selectively copying (without user assignments) the role ADM940_BC_ADMIN.

a) Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Copy with the relevant icon. In the dialog box, choose Copy selectively (without user assignment).

2. Change the description for your group and save the role.

a) Enter a description for your role.

3. Change to the Authorizations tab page and choose Change authorization data.

Restrict the authorization values so that a user who is assigned at a later time may only assign roles and profiles beginning with GR## or ADM940.

Ensure that only user group ZGR## may be assigned and maintained. If there are other unmaintained fields, assign full authorization for them.

a) The field values have to be changed for the following authorization objects (by clicking on the pencil icon):

Object        Field        Value (Interval)
S_USER_PRO    ACTVT        same values
              PROFILE      change GR* to GR##* (leave the ADM940* value unchanged)
S_USER_GRP    ACTVT        same values
              CLASS        change Z* to ZGR##*
S_USER_AGR    ACTVT        same values
              ACT_GROUP    change GR* to GR##* (leave the ADM940* value unchanged)

Note that the user group is checked in field CLASS of S_USER_GRP; the PROFILE field belongs to S_USER_PRO, and ACT_GROUP to S_USER_AGR. The three objects are checked independently, so a gap in any one of them (for example a remaining Z* in CLASS) would let the administrator maintain users outside the group even though roles and profiles are correctly restricted.


4. Generate the profile. Accept the proposed profile name.

a) Use the Generate button or choose the menu path Authorizations → Generate.

5. What is the status of the User tab and why?

__________________________________________________________

a) The status display is red, since the user assignment was notcopied with the selective copy.

6. Exit the transaction and change the user master record of user administrator GR##-ADM.

Remove the role ADM940_BC_ADMIN.

Add the role that you have just created, GR##_BC_USR_ADM, to the user master record.

Save the user master record and go to the maintenance transaction for the roles.

a) Menu Path:

Tools → Administration → User Maintenance → Users (transaction code SU01).

Save the user master record and go to the maintenance transaction for the roles.

Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Task 2: Log onto the system with user GR##-ADM.

1. Create a test user GR##-TEST and try to assign this user your neighbor's user group. Can you save the user master record?

________________________________

If not, why does the assignment fail?


_______________________________________________________

a) Menu Path:

Tools → Administration → User Maintenance → Users (transaction code SU01).

a) No, the user master record cannot be saved.

b) The authorization for object S_USER_GRP in role GR##_BC_USR_ADM was restricted to your own user group (CLASS = ZGR##*). The check for your neighbor's group therefore fails, and SU01 refuses to save the assignment.

2. What can be implemented by assigning user groups?

_______________________________________________________

_______________________________________________________

_______________________________________________________

a) A decentralized user administration, since each administrator may only maintain the users of his or her "own" user group.

3. Assign the role ADM940_PLUS to the test user GR##-TEST.

Can you assign a role delivered by SAP?

(Such as SAP_HR_...)

________________________________

If not, why does the assignment fail?

_______________________________________________________

a) No.

b) You are not authorized for entries that begin with "SAP..." (authorization object S_USER_AGR, field ACT_GROUP, which was restricted to GR##* and ADM940*).

Task 3: Create authorizations so that a user can view specific tables in transaction SM30. The user must be able to display two tables: the company code table and the business area table. In SM30 these are addressed through the maintenance views V_T001 (company code) and V_TGSB (business area).

1. Find out about authorization object S_TABU_DIS.

Display the documentation for the authorization object S_TABU_DIS.

What is the main function of this authorization object?

___________________________________________________


___________________________________________________

a) Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Environment → Authorization Objects → Display

Choose the Find icon and enter the authorization object S_TABU_DIS. The result is the object class BC_A (Basis - Administration). Find the authorization object S_TABU_DIS in the object class BC_A. To display the documentation, choose the i button next to the technical name of the authorization object.

What is the main function of this authorization object?

S_TABU_DIS:

Authorizations for displaying or maintaining table contents. The check is made against the authorization group of the table or view (field DICBERCLS), not against the table name, so one value in the role covers every table assigned to that group.

2. Which activities are allowed?

___________________________________________________

___________________________________________________

a) S_TABU_DIS, field ACTVT:

- 02: Add, change, or delete table entries

- 03: Display table contents only

3. What is stored in table V_DDAT?

__________________________________________________

a) Assignment of tables/views to authorization groups.

4. What is stored in table V_BRG?

___________________________________________________

a) Definition of authorization groups.

Task 4: Find the authorization group assigned to tables V_T001 or V_TGSB.

1. The authorization group for table V_T001 is:


_________________________________

a) Menu:

System → Services → Table Maintenance → Extended Table Maintenance (transaction code SM30).

Enter table V_DDAT and choose Display.

Use the Position... button to search for table V_T001. Note the authorization group.

FCOR

2. The authorization group for table V_TGSB is:

_________________________________

a) Use the same search option as in the previous task for table V_TGSB. Note the authorization group.

FCOR

Task 5: Create a role for reading tables V_T001 and V_TGSB.

1. Create the role GR##_FI_TAB_ANZ and write a short description.

a) Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Create the role GR##_FI_TAB_ANZ and enter a short description (Description tab page).

2. Assign authorizations for transaction SM30 (Extended Table Maintenance) in the menu, and use the authorization objects to allow only read access to the above tables.


Generate the profile and accept the proposed name.

a) Go to the Menu tab page and use the Transaction button to add transaction SM30.

Go to the Authorizations tab and choose Change authorization data.

Enter the value FCOR in the open authorization group field (DICBERCLS) of authorization object S_TABU_DIS and change the Activity field (ACTVT) to 03. Do not enter "*" here: a full wildcard in DICBERCLS would grant display access to every table in the system, including those in groups that protect sensitive data. Set the authorization object S_TRANSLAT to inactive.

Choose the menu path Authorizations → Generate or the corresponding button.

3. Assign the role to your user GR##-FI1. Perform a user master comparison and exit role maintenance.

a) On the User tab page, enter the user GR##-FI1 and perform a user master comparison (User comparison button). Close role maintenance and exit the transaction.

Task 6: Log on as GR##-FI1. Call transaction SM30, and answer the following questions:

1. Can you display table V_T001? Why?

___________________________________________________

___________________________________________________

a) Yes. When this view is displayed, S_TABU_DIS is checked with authorization group FCOR and activity 03, and exactly this authorization is in the user master record.

2. Can you change table V_T001? Why?

___________________________________________________

a) No, because the authorization to change (ACTVT = 02) was not assigned; the role only contains ACTVT = 03 for group FCOR.

3. Can you display table V_TGSB? Why?

___________________________________________________

___________________________________________________

a) Yes. The same authorization group (FCOR) is checked as for table V_T001, and that authorization is in the user master record.

4. Can you display table V_TVKO? Why?


___________________________________________________

___________________________________________________

a) No. V_TVKO belongs to authorization group VCOR, and the user has no S_TABU_DIS authorization for that group.
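The results of Tasks 2 and 6 can be reproduced outside the system, which is a useful way to reason about a restriction before generating a profile. The following Python model is an added example written for this edition of the text; it is not SAP code and not part of the course material. It implements the standard AUTHORITY-CHECK rules (one object per check, all checked fields must be matched by a single authorization, trailing-"*" patterns and FROM-TO intervals as field values). The authorization values for group 01, the role names GR01_BC_USR_ADM and GR01_FI_TAB_ANZ and the V_DDAT excerpt are taken from the solutions above; the placeholder role name SAP_HR_EXAMPLE and the extra authorization group ZTST are constructed for illustration. The last entry goes one step beyond the exercise: it shows that field values from two different authorizations are never combined in one check.

```python
"""
Added example (not SAP code, not part of the ADM940 material): a small model of
how an AUTHORITY-CHECK evaluates the authorizations in a user's buffer, used to
reproduce the results of Solution 9, Tasks 2 and 6.

Rules implemented:
  * a check names one authorization object and a value for every checked field;
  * it succeeds if at least ONE authorization for that object matches ALL checked
    fields (values of different authorizations are never combined);
  * an authorization field holds single values, trailing-'*' patterns
    (GR01* matches GR01_FI_TAB_ANZ), the full wildcard '*', or FROM-TO intervals.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

ValueSpec = Union[str, Tuple[str, str]]        # "03", "GR01*", "*" or ("0001", "0999")


@dataclass
class Authorization:
    obj: str                                   # e.g. "S_TABU_DIS"
    fields: Dict[str, Tuple[ValueSpec, ...]]   # field name -> allowed value specs


def _spec_matches(spec: ValueSpec, value: str) -> bool:
    if isinstance(spec, tuple):                # FROM-TO interval, inclusive
        lo, hi = spec
        return lo <= value <= hi
    if spec == "*":                            # full authorization
        return True
    if spec.endswith("*"):                     # generic value: only a trailing '*' is a pattern
        return value.startswith(spec[:-1])
    return spec == value                       # single value


def authority_check(auths: List[Authorization], obj: str, **wanted: str) -> bool:
    """True if a single authorization for `obj` satisfies every field in `wanted`."""
    for a in auths:
        if a.obj != obj:
            continue
        if all(any(_spec_matches(s, v) for s in a.fields.get(f, ()))
               for f, v in wanted.items()):
            return True
    return False


# Role GR01_BC_USR_ADM after Solution 9, Task 1 (constructed from the solution table).
GR01_ADM = [
    Authorization("S_USER_GRP", {"ACTVT": ("*",), "CLASS": ("ZGR01*",)}),
    Authorization("S_USER_AGR", {"ACTVT": ("*",), "ACT_GROUP": ("GR01*", "ADM940*")}),
    Authorization("S_USER_PRO", {"ACTVT": ("*",), "PROFILE": ("GR01*", "ADM940*")}),
]

# Role GR01_FI_TAB_ANZ from Solution 9, Task 5 (constructed).
GR01_FI1 = [
    Authorization("S_TCODE", {"TCD": ("SM30",)}),
    Authorization("S_TABU_DIS", {"ACTVT": ("03",), "DICBERCLS": ("FCOR",)}),
]

# Constructed excerpt of V_DDAT (table/view -> authorization group), from Task 4.
TABLE_GROUPS = {"V_T001": "FCOR", "V_TGSB": "FCOR", "V_TVKO": "VCOR"}
DEFAULT_GROUP = "&NC&"                         # group SAP checks for tables without a TDDAT entry


def table_access(auths: List[Authorization], table: str, activity: str) -> bool:
    """SM30 access model: start SM30 (S_TCODE), then S_TABU_DIS on the table's group."""
    if not authority_check(auths, "S_TCODE", TCD="SM30"):
        return False
    group = TABLE_GROUPS.get(table, DEFAULT_GROUP)
    return authority_check(auths, "S_TABU_DIS", ACTVT=activity, DICBERCLS=group)


def exercise_results() -> Dict[str, bool]:
    """The questions of Tasks 2 and 6, answered by the model."""
    # Extra authorization with ACTVT=02 for an unrelated group ZTST (constructed):
    # it does NOT lend its activity to the FCOR authorization of the same user.
    fi1_plus = GR01_FI1 + [Authorization("S_TABU_DIS", {"ACTVT": ("02",), "DICBERCLS": ("ZTST",)})]
    return {
        "ADM assigns own group ZGR01":         authority_check(GR01_ADM, "S_USER_GRP", ACTVT="02", CLASS="ZGR01"),
        "ADM assigns neighbour's group ZGR02": authority_check(GR01_ADM, "S_USER_GRP", ACTVT="02", CLASS="ZGR02"),
        "ADM assigns role ADM940_PLUS":        authority_check(GR01_ADM, "S_USER_AGR", ACTVT="22", ACT_GROUP="ADM940_PLUS"),
        "ADM assigns role SAP_HR_...":         authority_check(GR01_ADM, "S_USER_AGR", ACTVT="22", ACT_GROUP="SAP_HR_EXAMPLE"),
        "FI1 displays V_T001":                 table_access(GR01_FI1, "V_T001", "03"),
        "FI1 changes V_T001":                  table_access(GR01_FI1, "V_T001", "02"),
        "FI1 displays V_TGSB":                 table_access(GR01_FI1, "V_TGSB", "03"),
        "FI1 displays V_TVKO":                 table_access(GR01_FI1, "V_TVKO", "03"),
        "FI1 changes V_T001 with extra ZTST/02": table_access(fi1_plus, "V_T001", "02"),
    }


if __name__ == "__main__":
    for question, allowed in exercise_results().items():
        print(f"{question:42s} {'yes' if allowed else 'no'}")
```

Run it as a script and compare the printed answers with the solutions above. The model is also a convenient place to try the effect of a sloppy value before it reaches the system: replacing ("FCOR",) with ("*",) in GR01_FI1 makes V_TVKO readable as well, which is exactly the over-authorization the exercise is meant to avoid.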


Lesson Summary

You should now be able to:

• Define password rules and system profile parameters
• Protect special users in the SAP system
• Protect SAP functions with authorization object S_TCODE
• Protect tables and views using authorization groups
• Protect programs with authorization groups
• Describe tasks in user and authorization administration
• List options for separating functions of user and authorization administration
• Describe options for decentralization of user administration
• Create user and authorization administrators with limited rights (using authorization objects)

Lesson: Troubleshooting and Administration Aids

Lesson Duration: 70 Minutes

Lesson Overview

In this lesson, you will obtain an overview of the options for analyzing authorization checks. The lesson will also discuss the information system for user maintenance and the Audit Information System.

Lesson Objectives

After completing this lesson, you will be able to:

• Analyze authorization checks in various ways
• Use transaction SU53 to find missing authorizations (also for other users)
• Run the authorization trace (ST01)
• Apply the features of the information system and use them for different tasks
• Understand and apply the functions of the Audit Information System (AIS)

Explain what should be done if authorization checks fail. There are two options.

1. A user can call the authorization error analysis with transaction code SU53. The missing authorizations are usually reported to the user administrator. What now? Explain the display and the contents of the transaction.

2. The administrator starts the authorization trace. Generate a result list for your user (for example, for creating a user). Describe the result and explain the return code (see also the participant text). Return code 0 means that the authorization check was successful. A return code greater than zero means that authorizations are missing.

Consider the notes in the text and demonstrate the transactions described by the individual slides in the system. If you do not have examples of your own available, use the exercise descriptions to perform demonstrations.

Business Example

Missing authorizations can be found with the analysis functions. The results established in this way are usually combined into new combinations of authorizations. However, if you reuse existing authorizations that fulfill the requirements, you improve the clarity of the authorization concept. The information system and its various evaluation functions exist for this purpose.

Error Analysis for Authorization Problems

If you cannot find documentation about the authorizations for a transaction, or if a failed authorization check is always reported when you execute a transaction, there are two ways in which you can determine the required authorizations:

1. With the authorization error analysis, transaction code SU53
2. With the authorization trace, transaction code ST01

Discuss the options for error analysis with the participants and give a system demonstration to show the results in the system. You can use the examples from the exercise for this.

Base your demonstrations of the content of the lesson on the contents of the participant documentation.

Figure 98: Analyzing Authorization Checks

In the next example, a transaction from the FI area was executed and terminated due to a missing authorization. The system message is: "You are not authorized for this function".

To analyze this error, choose the menu path System → Utilities → Display Authorization Check or enter the transaction code SU53 in the command field.


Use the next slide to explain to the participants what the result of transaction SU53 is like. Generate a failed authorization check and show the result in the system.

Important points when discussing this transaction are:

• It displays only the last failed authorization check
• The first call can only be started by the user himself or herself
• The display is reset if the user logs on again
• The display is not refreshed if a new error occurs, but only updated if transaction SU53 is called again

Use the text below the figure to point out the special features.

Figure 99: SU53 Authorization Error Analysis

You can now analyze the last error in your system that occurred due to a missing authorization. You can call transaction SU53 in any session, not just in the session in which the error occurred.

Example: In the figure above, user BLITZ calls transaction FD02 (Change Customer). The message "You are not authorized for transaction FD02" appears. User BLITZ then enters transaction code /NSU53 in the command field and the system displays the authorization object that caused the last failed authorization check. The system displays the value of the object that the program required (at the top of the display) and the value that the user BLITZ has in his or her user master record (below the required value).

In this case the authorization object F_KNA1_APP exists in the user master record, but instead of the required activity "02" (Change), user BLITZ is only authorized for activity "03" (Display).

The user can also use transaction SU56 to view which authorizations are currently in his or her buffer.

Caution: The display called with transaction SU53 always shows the last failed authorization check for the user. This can be a long time ago. If, for example, the current problem did not occur due to a missing authorization, but SU53 still displays something, the display could describe a problem which the user generated when calling a transaction hours earlier. The values shown are then often wrongly attributed to the new problem, and the wrong authorization gets added to a role.

Hint: If a participant asks a question about the system profile parameter auth/check_value_write_on, you can say that it is no longer used. It was previously used to deactivate the call for the user (value 0). For more information about this, see SAP Note 18529.

This incorrect interpretation can be avoided with a few simple steps.

If the user logs off and then logs on again, all entries that can be called using transaction SU53 are reset. If the user now starts the authorization error analysis, the display is empty.

Hint: If the user was prevented from executing an action, and the authorization error analysis shows "All authorization checks have so far been successful", the problem is not an authorization problem. The problem has another cause.

What to do if transaction SU53 does not provide a satisfactory result: there is also the trace (ST01).


Pass the following information about the trace on to the participants:

• Do not run the trace unnecessarily, only when it is required
• Always remember to deactivate the trace
• Set filters so that your result is smaller and easier to read
• The trace can also be executed by the administrator for other users
• Always test the trace result again separately with the newly created role

Figure 100: Authorization Trace ST01


You can analyze authorizations as follows:

1. Choose Tools → Administration → Monitor → Traces → System Trace or transaction ST01.
2. Choose the Authorization Check trace component.
3. To restrict the trace function to your own sessions, choose Edit → Filter → Shared. Enter your user ID in the Trace for user only field in the displayed dialog box.
4. Start the trace by choosing the Trace on button. The trace is automatically written to the hard disk.
5. Execute the relevant system actions.
6. Once you have completed the analysis, choose Trace off.
7. To display the results of the analysis, choose Goto → Analysis or the Analysis button. Select the desired file and choose Start Reporting.

The results of the authorization check are displayed in the following format (see also the last figure):

<authorization object><return code>:::<field>=<tested value>

The return code shows whether or not the authorization check was successful.

Hint: The return code "0" means that the check at this point was successful. Any other result means that an error occurred, which may have various causes, depending on the programming (see SAP Note 209899).
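When a trace covers a longer sequence of actions, the administrator has to turn many lines of this format into a short list of what is actually missing, and has to remember that SU53 would have shown only the last of these failures. The following Python script is an added example for this edition of the text, not SAP code and not part of the course material. It parses lines in the format given above; the space between object and return code, the ";" between several field=value pairs and the sample trace itself are assumptions made for the example, not the exact ST01 output. The sample uses the non-zero codes 4 and 12, but the logic only relies on the zero/non-zero distinction the text describes.

```python
"""
Added example (not SAP code, not part of the ADM940 material): parse
authorization-trace lines of the form
    <authorization object> <return code>:::<field>=<tested value>;<field>=<tested value>
and produce the two views a troubleshooter gets of them: what SU53 would show
(only the last failed check) and what the ST01 analysis shows (every failed check).
The field separator ';' and the single space between object and return code are
assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FieldValues = Tuple[Tuple[str, str], ...]          # ((field, tested value), ...)

_LINE = re.compile(r"^\s*(?P<obj>\S+)\s+(?:RC=)?(?P<rc>\d+):::(?P<fields>.*)$")


@dataclass
class TraceEntry:
    obj: str
    rc: int                     # 0 = check passed; any other value = check failed
    fields: FieldValues         # tested values in trace order

    @property
    def failed(self) -> bool:
        return self.rc != 0


def parse_trace(text: str) -> List[TraceEntry]:
    """Parse trace text; lines that do not match the expected format are skipped."""
    entries: List[TraceEntry] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        pairs = []
        for part in m.group("fields").split(";"):
            if "=" in part:
                f, v = part.split("=", 1)
                pairs.append((f.strip(), v.strip()))
        entries.append(TraceEntry(m.group("obj"), int(m.group("rc")), tuple(pairs)))
    return entries


def su53_view(entries: List[TraceEntry]) -> Optional[TraceEntry]:
    """SU53 shows only the LAST failed check; every earlier failure is invisible there."""
    failed = [e for e in entries if e.failed]
    return failed[-1] if failed else None


def st01_summary(entries: List[TraceEntry]) -> Dict[str, List[FieldValues]]:
    """Every failed check, grouped per object, duplicates removed, first-seen order kept.
    This list is what you compare against EXISTING roles before creating new ones."""
    missing: Dict[str, List[FieldValues]] = {}
    for e in entries:
        if e.failed and e.fields not in missing.setdefault(e.obj, []):
            missing[e.obj].append(e.fields)
    return missing


# Constructed sample trace: an administrator of group 01 maintains a user, assigns
# roles and then opens SM30. Return codes 4 and 12 stand for "failed" here.
SAMPLE_TRACE = """\
S_TCODE 0:::TCD=SU01
S_USER_GRP 4:::ACTVT=01;CLASS=ZGR02
S_USER_GRP 0:::ACTVT=01;CLASS=ZGR01
S_USER_AGR 4:::ACTVT=22;ACT_GROUP=SAP_HR_EXAMPLE
S_USER_AGR 0:::ACTVT=22;ACT_GROUP=ADM940_PLUS
S_TCODE 0:::TCD=SM30
S_TABU_DIS 12:::ACTVT=02;DICBERCLS=FCOR
this line is not a trace record and is ignored
"""


if __name__ == "__main__":
    entries = parse_trace(SAMPLE_TRACE)
    last = su53_view(entries)
    print("SU53 would show only:", last.obj, dict(last.fields))
    print("ST01 analysis shows every failed check:")
    for obj, combos in st01_summary(entries).items():
        for combo in combos:
            print(f"  {obj:12s} {dict(combo)}")
```

The point of the two functions is the difference in coverage: on the sample, SU53 would report only the S_TABU_DIS failure, while the trace summary also contains the S_USER_GRP and S_USER_AGR checks that failed earlier, two of which are deliberate restrictions from Exercise 9 and must not be "fixed" by widening the role. Filter the trace to one user (step 3 above) so that the summary is not polluted by other sessions.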

Information Systems for Administrators and Audit

You should not immediately implement a result of a trace or of transaction SU53 as new roles or profiles. First analyze the system for existing settings. The Information System and the Audit Information System (which is used by auditors) are available to the administrator for this purpose.

At this point it is important to ensure that the participants understandthe following points.

1. First search to find out whether the required authorizations have already been created and can be reused (possibly speak to the user department).

This provides a good transition to the next slide.

2. Only if this is not the case, create new roles or profiles.


You can use the User Information System to obtain an overview of the authorizations and users in your SAP system at any time using search criteria that you specify. In particular, you can display lists of users to which authorizations classified as critical are assigned. You can also use the User Information System to:

Examples from the User Information System

• Compare roles and users
• Display change documents for the authorization profile of a user
• Display the transactions contained in a role
• Create where-used lists

Show a few examples from the Information System in the system. Use examples from the exercises for this, or use areas that you know are of interest. Show the menu path through the SAP Easy Access menu.

Figure 101: Information System

You can start the Information System through the SAP Menu by choosing Tools → Administration → User Maintenance → Information System. You can also branch to the authorizations Information System from the User Maintenance transaction (SU01) by choosing the menu path Information → Information System.

You can find elements of the authorization system using different selection criteria.


The Information System (RSUSR998) and parts of the Information System can be called as executable reports using transaction SA38. Here are a few examples:

• RSUSR002: Users by complex selection criteria
• RSUSR008: Critical combinations of authorizations at transaction start
• RSUSR005: List of users with critical authorizations
• RSUSR020: Profiles by complex selection criteria
• RSUSR030: Authorizations by complex selection criteria
• RSUSR040: Authorization objects by complex selection criteria
• RSUSR070: Roles by complex selection criteria
• RSUSR100: Change documents for users
• RSUSR101: Change documents for profiles
• ...

More detailed analyses can also be started using reports:

• RSUSR003: Check the passwords of users SAP* and DDIC in all clients
• RSUSR200: List of users by logon data and password change
• ...

Another way to read information from the system is the Audit Information System.

Show how an external audit places a system under the magnifying glass. Discuss only the area "System Audit/Authorizations" here. Show how to start the AIS in the system.


Figure 102: Audit Information System

The Audit Information System (AIS) is a checking tool for

• External auditing
• Internal auditing
• System checks
• Data protection

AIS improves the flow and quality of the check. It consists of the Audit area menu and collects and structures SAP standard programs as well as defining initial values for them. You can call AIS by choosing the menu path Information Systems → Audit Information System or transaction SECR.

Hint: AIS is part of the SAP delivery as of SAP R/3 3.1I and SAP R/3 4.6A. For prior maintenance levels from SAP R/3 3.0D, you can import AIS in accordance with the instructions in SAP Note 100609.

The Audit area menu is structured according to the flow of the check. There are analysis programs with preset control data for each check field.

AIS is an integrated component of the SAP system. The internal auditor works at his or her screen in his or her production environment. This user requires a user master record with full display authorization.


Figure 103: Audit Information System Reporting Tree

To display a list of reports on any object, expand the node.

The reporting tree has two components:

1. System auditing functions
2. Business auditing functions

Reports that are executed may be saved to the reporting tree for evaluation at a later time, without having to rerun time-consuming reports. As with any report, the output can be saved locally, sent as an SAP office mail attachment, or saved to a shared or private folder.

SAP has developed the AIS at the request of and in partnership with members of the SAP working group REVISION. The individual topics are dealt with in working groups. The results of these groups directly affect the AIS. In this way, the members of the working groups make their experiences available. The partnership continues. For information about the Revision working group, see http://www.sap.com/germany/discsap/revis/index.htm.


Finally, note again the following: As an administrator, remain focused on your authorization concept every time you receive a new request from the user departments.

• Avoid an unnecessarily large number of roles or profiles
• Not every error that is displayed is connected to authorizations
• When you receive requests, first search for authorizations to see if they have already been created
• Clarify whether these can be reused
• Only create something new in response to a request if nothing suitable already exists

Briefly summarize this lesson and emphasize to the participants that they should keep a focus on their authorization concept when they receive requests from user departments.

1. Do not create an unnecessarily large number of roles/profiles
2. Not every error that is displayed is connected to authorizations
3. First search to see if requested authorizations have already been created, and clarify whether these can be reused
4. Only if this is not the case, create new roles or profiles.

Demonstrate interesting places in the information system and the AIS. You may wish to use examples from the exercises for your system demonstrations.


Exercise 10: Troubleshooting and Administration Aids

Exercise Duration: 25 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

• Use the Audit Information System (AIS)
• Use reports in the authorization information system
• Analyze the created authorization concept
• Answer practical questions

Business Example

During your daily work as an administrator, you will regularly search for special settings, authorization values, roles, and other important things. You can find these in the system through the corresponding links, which are available in the AIS and in the information system.

System Data and set up instructions: identical to those given for Exercise 9 above (same systems, 8xx clients, user IDs ADM940-##, template ADM940-MODEL and weekly system copy).


Task 1: You are the data protection officer and want to check the SAP system's assignment of authorizations and security.

1. Display all the users with incorrect logons (AIS).

How often did your users (GR##... or ADM940-##) log on incorrectly?

__________________________________________________

2. Check the passwords of the special users in AIS.

Are there unprotected special users? If yes, name two cases.

__________________________________________________

__________________________________________________

3. Check the logon rules in the AIS.

How many characters are set for the minimum password length?

_____________________________________

After how many incorrect logons is the user locked?

_____________________________________

Is the user automatically unlocked? If yes, when?

_____________________________________

Exit the Audit Information System (AIS).

Task 2: You are authorization administrator and are in the consolidation phase after the start of production.

1. Compare the settings of the authorizations between your user GR##-ADM and user GR??-ADM of your neighbor.

Are there differences? If yes, which?

__________________________________________________________

2. Find out which users may execute transaction MB1C.

If user GR??-MM1 of your neighbor is displayed, find out the date and time when it was created.

_________________________________________________________

3. Display all the users assigned to the role GR##_MM_MAT_ANZ.

List three of these users.

__________________________________________


__________________________________________

__________________________________________

4. Display an overview of all the users you created (GR##...) with their assigned roles.

Which users still do not have module-specific roles?

_________________________________________________________

Task 3: You have an additional task as the authorization administrator, in the consolidation phase after production operation begins.

1. The sales manager with user ID GR##-SD1 calls you. He tells you that he cannot run any SD transactions (the composite role GR##_SD_SALMGR is missing). His SAP Easy Access menu only contains general transactions.

Look at this problem. Then make a small test and tell the sales manager his new initial password, which you set up after the test.

2. You get a mail from the production manager immediately thereafter. He has employed a new senior store person who should only be able to post in plant 1000 (role GR##_MM_IM_POST1000).

Look at this problem. Then make a small test and tell the new senior store person his or her new initial password, which you set up after the test.

Hint: Use existing master data to solve this problem.


Solution 10: Troubleshooting and Administration Aids

Task 1: You are the data protection officer and want to check the SAP system's assignment of authorizations and security.

1. Display all the users with incorrect logons (AIS).

How often did your users (GR##... or ADM940-##) log on incorrectly?

__________________________________________________

a) Menu: Information Systems → Audit Information System (transaction code SECR).

Select the Complete Audit radio button and choose Start Audit.

Path:

System Audit → User Administration → Information System Users and Authorizations → Users → With Unsuccessful Logons

The number of incorrect logons is displayed in the last column.

2. Check the passwords of the special users in AIS.

Are there unprotected special users? If yes, name two cases.

__________________________________________________

__________________________________________________

a) Menu: Information Systems → Audit Information System

Choose Complete Audit and Start Audit.

Path:

System Audit → User Administration → Authentication → Special User → Check Passwords of Special Users

Unprotected special users are selected in red.

3. Check the logon rules in the AIS.

How many characters are set for the minimum password length?

_____________________________________

After how many incorrect logons is the user locked?

_____________________________________

Is the user automatically unlocked? If yes, when?

_____________________________________

Exit the Audit Information System (AIS).

a) Menu: Information Systems → Audit Information System

Choose Complete Audit and Start Audit.

Path:

System Audit → User Administration → Authentication → Logon Rule Parameters

How many characters are set for the minimum password length?

System parameter: login/min_password_lng := 3

b) After how many incorrect logons is the user locked?

System parameter: login/fails_to_user_lock := 12

c) Is the user automatically unlocked? If yes, when?

System parameter: login/failed_user_auto_unlock := at midnight

Double-click the system parameter, and the parameter is displayed: "The user is automatically unlocked at midnight".
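The AIS answers the three logon-rule questions by reading system profile parameters. The following Python script is an added example and not part of the ADM940 course material or of any SAP tool: it parses the "name = value" lines of a profile file (a constructed sample using the values from the solution above), reports the three logon rules, and flags them against a baseline. The baseline thresholds, the defaults used for absent parameters, and the 0/1 encoding of login/failed_user_auto_unlock (1 = unlocked at midnight) are assumptions made for the example.

```python
"""Audit SAP logon-rule profile parameters against an example baseline.

Added example, not part of the ADM940 course.  The profile text, the
assumed defaults and the baseline thresholds are constructed for the
example; they are not values taken from the course or from SAP.
"""
import re

# Constructed sample profile (not a real system's DEFAULT.PFL).  It uses the
# values shown in the course solution: minimum length 3, lock after 12
# failed logons, automatic unlock at midnight (encoded as 1, assumed).
SAMPLE_PROFILE = """\
# DEFAULT.PFL - constructed sample
SAPSYSTEMNAME = DEV
login/min_password_lng = 3
login/fails_to_user_lock = 12
login/failed_user_auto_unlock = 1
"""

# Values assumed when a parameter is not set in the profile (assumption for
# the example; the course does not list kernel defaults).
ASSUMED_DEFAULTS = {
    "login/min_password_lng": 3,
    "login/fails_to_user_lock": 12,
    "login/failed_user_auto_unlock": 1,
}

# Example baseline the data protection officer compares against.  These
# thresholds are assumptions for the example, not SAP recommendations.
BASELINE = {
    "login/min_password_lng": ("min", 8),        # at least 8 characters
    "login/fails_to_user_lock": ("max", 5),      # lock after at most 5 failures
    "login/failed_user_auto_unlock": ("max", 0), # 0 = stay locked (assumed encoding)
}

_PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value string} from profile text, skipping comments."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _PARAM_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def logon_rules(params):
    """Return the three logon rules as integers, applying the assumed defaults."""
    rules = {}
    for name, default in ASSUMED_DEFAULTS.items():
        raw = params.get(name)
        rules[name] = int(raw) if raw is not None and raw.isdigit() else default
    return rules


def describe_auto_unlock(value):
    """Text the AIS shows for login/failed_user_auto_unlock (assumed mapping)."""
    if value == 1:
        return "The user is automatically unlocked at midnight"
    return "The user stays locked until an administrator unlocks it"


def audit(params):
    """Return (parameter, actual, expected) for every rule weaker than the baseline."""
    rules = logon_rules(params)
    findings = []
    for name, (kind, limit) in BASELINE.items():
        actual = rules[name]
        if (kind == "min" and actual < limit) or (kind == "max" and actual > limit):
            expected = (">= " if kind == "min" else "<= ") + str(limit)
            findings.append((name, actual, expected))
    return findings


if __name__ == "__main__":
    params = parse_profile(SAMPLE_PROFILE)
    for name, value in logon_rules(params).items():
        print(f"{name} = {value}")
    print(describe_auto_unlock(logon_rules(params)["login/failed_user_auto_unlock"]))
    for name, actual, expected in audit(params):
        print(f"WEAK: {name} = {actual} (baseline {expected})")
```

With the course values all three rules are reported as weaker than the example baseline; a profile with a minimum length of 8, a lock threshold of 5 and no automatic unlock produces no findings.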

Task 2: You are the authorization administrator and are in the consolidation phase after the start of production.

1. Compare the settings of the authorizations between your user GR##-ADM and user GR??-ADM of your neighbor.


Are there differences? If yes, which?

__________________________________________________________

a) Menu:

Tools → Administration → User Maintenance → Information System → Comparisons → From Users

Enter your user GR##-ADM and the user of your neighbor GR??-ADM and choose Execute.

Authorization values that are not the same are marked in bright red. Navigate in the detail view by double-clicking and look at the different authorization values.

Are there differences? If yes, which?

Object       Field      Value (Interval)
S_USER_PRO   ACTVT      same values
S_USER_PRO   PROFILE    different values (GR##* <> GR??*)
S_USER_GRP   ACTVT      same values
S_USER_GRP   PROFILE    different values (ZGR##* <> ZGR??*)
S_USER_AGR   ACTVT      same values
S_USER_AGR   ACT_GROUP  different values (GR##* <> GR??*)

2. Find out which users may execute transaction MB1C.


If user GR??-MM1 of your neighbor is displayed, find out the date and time when it was created.

_________________________________________________________

a) Menu:

Tools → Administration → User Maintenance → Information System → Where-Used Lists → Authorization Values → In Users

Enter the authorization object S_TCODE and choose Enter Values.

Enter transaction code MB1C (in uppercase) and choose Execute.

If user GR??-MM1 of your neighbor is displayed, find out the date and time when it was created.

Select user GR??-MM1 and choose Change documents.

You can find the date of creation at the top of the right column.

3. Display all the users assigned to the role GR##_MM_MAT_ANZ.

List three of these users.

__________________________________________

__________________________________________

__________________________________________

a) Menu:

Tools → Administration → User Maintenance → Information System → User → Users by Complex Selection Criteria → By Role

Enter the role GR##_MM_MAT_ANZ and choose Execute.

4. Display an overview of all the users you created (GR##...) with their assigned roles.


Which users still do not have module-specific roles?

_________________________________________________________

a) Menu:

Tools → Administration → User Maintenance → Information System → User → Users by Complex Selection Criteria → By User ID

Enter "GR##*" and execute the report.

Choose the Roles or Activity Groups button.

Which users still do not have module-specific roles?

GR##-FI1 GR##-FI2

GR##-SD1 GR##-SD2

The users could vary depending on whether you have performed the optional tasks.
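The four queries of Task 2 (who may start a transaction, where two administrators' authorizations differ, who holds a role, who still has no module-specific role) are all questions about the user master data. The following Python script is an added example and not part of the ADM940 course or of any SAP API: it builds a small in-memory model of users, roles and authorization values (constructed sample data following the course's GR##-... and GR##_... naming) and answers the same questions programmatically, including the '*' patterns that S_TCODE values may contain. The convention that a module-specific role is named GR##_<module>_... and the object M_MSEG_WWA with its field WERKS are assumptions for the example.

```python
"""Offline model of the user information system queries from Task 2.

Added example, not part of the ADM940 course.  Users, roles and
authorization values below are constructed sample data.
"""
from datetime import datetime
from fnmatch import fnmatchcase

# Role -> authorization object -> field -> set of values ('*' patterns allowed,
# as in SAP authorization values).  Constructed sample data.
ROLES = {
    "GR00_BC_USER_ADM": {
        "S_USER_PRO": {"ACTVT": {"01", "02", "03"}, "PROFILE": {"GR00*"}},
        "S_USER_AGR": {"ACTVT": {"01", "02", "03"}, "ACT_GROUP": {"GR00*"}},
    },
    "GR01_BC_USER_ADM": {
        "S_USER_PRO": {"ACTVT": {"01", "02", "03"}, "PROFILE": {"GR01*"}},
        "S_USER_AGR": {"ACTVT": {"01", "02", "03"}, "ACT_GROUP": {"GR01*"}},
    },
    "GR00_MM_MAT_ANZ": {"S_TCODE": {"TCD": {"MM03"}}},
    "GR00_MM_IM_POST1000": {
        "S_TCODE": {"TCD": {"MB1C"}},
        "M_MSEG_WWA": {"ACTVT": {"01"}, "WERKS": {"1000"}},  # plant check (assumed object)
    },
    "GR01_MM_IM_POST1000": {
        "S_TCODE": {"TCD": {"MB*"}},  # pattern value: matches MB1C as well
        "M_MSEG_WWA": {"ACTVT": {"01"}, "WERKS": {"1000"}},
    },
    "GR00_BASIS_GENERAL": {"S_TCODE": {"TCD": {"SU53", "SBWP"}}},
}

# User -> (assigned roles, creation timestamp from the change documents).
USERS = {
    "GR00-ADM": (["GR00_BC_USER_ADM"], datetime(2003, 12, 1, 9, 15)),
    "GR01-ADM": (["GR01_BC_USER_ADM"], datetime(2003, 12, 1, 9, 20)),
    "GR00-MM1": (["GR00_BASIS_GENERAL", "GR00_MM_MAT_ANZ", "GR00_MM_IM_POST1000"],
                 datetime(2003, 12, 2, 10, 0)),
    "GR01-MM1": (["GR01_MM_IM_POST1000"], datetime(2003, 12, 2, 10, 5)),
    "GR00-FI1": (["GR00_BASIS_GENERAL"], datetime(2003, 12, 2, 11, 0)),
    "GR00-SD1": (["GR00_BASIS_GENERAL"], datetime(2003, 12, 2, 11, 5)),
}

# Assumed convention: module-specific roles are named GR##_<module>_...
MODULES = ("BC", "FI", "MM", "SD")


def effective_values(user):
    """Merge the authorization values of all roles of a user: object -> field -> set."""
    merged = {}
    for role in USERS[user][0]:
        for obj, fields in ROLES[role].items():
            for field, values in fields.items():
                merged.setdefault(obj, {}).setdefault(field, set()).update(values)
    return merged


def users_with_tcode(tcode):
    """Where-used list 'Authorization Values -> In Users' for S_TCODE, field TCD."""
    hits = []
    for user in USERS:
        patterns = effective_values(user).get("S_TCODE", {}).get("TCD", set())
        if any(fnmatchcase(tcode, pattern) for pattern in patterns):
            hits.append(user)
    return sorted(hits)


def created_on(user):
    """Creation timestamp recorded in the user's change documents."""
    return USERS[user][1]


def compare_users(a, b):
    """Like Comparisons -> From Users: rows (object, field, status, values_a, values_b)."""
    va, vb = effective_values(a), effective_values(b)
    rows = []
    for obj in sorted(set(va) | set(vb)):
        for field in sorted(set(va.get(obj, {})) | set(vb.get(obj, {}))):
            x = va.get(obj, {}).get(field, set())
            y = vb.get(obj, {}).get(field, set())
            rows.append((obj, field, "same" if x == y else "different", sorted(x), sorted(y)))
    return rows


def users_by_role(role):
    """Users by Complex Selection Criteria -> By Role."""
    return sorted(user for user, (roles, _) in USERS.items() if role in roles)


def users_without_module_roles(group="GR00"):
    """Users of one group whose roles include no GR##_<module>_... role."""
    result = []
    for user, (roles, _) in USERS.items():
        if user.startswith(group) and not any(
                r.split("_")[1] in MODULES for r in roles if r.count("_") >= 2):
            result.append(user)
    return sorted(result)


if __name__ == "__main__":
    print("may start MB1C:", users_with_tcode("MB1C"))
    print("GR01-MM1 created:", created_on("GR01-MM1"))
    for row in compare_users("GR00-ADM", "GR01-ADM"):
        print(row)
    print("holders of GR00_MM_MAT_ANZ:", users_by_role("GR00_MM_MAT_ANZ"))
    print("no module role yet:", users_without_module_roles())
```

The comparison reproduces the pattern of the table above: ACTVT values agree, while PROFILE and ACT_GROUP differ by group number. Note that the where-used list must evaluate pattern values, otherwise GR01-MM1 with TCD = MB* would be missed.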

Task 3: You have an additional task as the authorization administrator, in the consolidation phase after production operation begins.

1. The sales manager with user ID GR##-SD1 calls you. He tells you that he cannot run any SD transactions (the composite role GR##_SD_SALMGR is missing). His SAP Easy Access Menu only contains general transactions.


Look at this problem. Then make a small test and tell the sales manager his new initial password, which you set up after the test.

a) Menu:

Tools → Administration → User Maintenance → Users (SU01)

Display the user master record of user GR##-SD1 and check the assigned roles. The roles for the menu entries requested by the sales manager are missing.

Assign the composite role GR##_SD_SALMGR to the user GR##-SD1 (on the Roles tab page) and save the user master record.

Log on with the user to test the user and check that the user menu contains the desired functions.

Then set a new initial password, such as ADM940, and mail it to the sales manager in the Business Workplace (transaction code SBWP).

2. You get a mail from the production manager immediately thereafter. He has employed a new senior store person who should only be able to post in plant 1000 (role GR##_MM_IM_POST1000).


Look at this problem. Then make a small test and tell the new senior store person his or her new initial password, which you set up after the test.

Hint: Use existing master data to solve this problem.

a) In the exercise Working with the Profile Generator Part 1 you created a role GR##_MM_IM_POST1000 that exactly corresponds to the requirements.

Path:

Tools → Administration → User Maintenance → User (transaction code SU01).

Create a new user master record (GR##-MM3) and assign the role GR##_MM_IM_POST1000 to it. You should also assign the role GR##_MM_MAT_ANZ to it. Log on and test transaction MB1C (Enter Other Goods Receipts).

To test the transaction, try to make a posting both in plant 1000 and in plant 1200. If you have set everything correctly, the system will only allow you to post in plant 1000.

Use the following data to test transaction MB1C:

Movement type: 561
Plant: 1000 or 1200
Storage Location: 0001

Choose Enter.

Material: P-100
Quantity: 10

Choose Post (Save).

Then set a new initial password, such as ADM940, and mail it to the new senior store person in the Business Workplace (transaction code SBWP).


Lesson Summary

You should now be able to:

• Analyze authorization checks in various ways
• Use transaction SU53 to find missing authorizations (also for other users)
• Run the authorization trace (ST01)
• Apply the features of the information system and use them for different tasks
• Understand and apply the functions of the Audit Information System (AIS)


Unit Summary

You should now be able to:

• Perform the steps necessary to install the Profile Generator
• Find default values and check indicators in the system
• Modify, delete, or extend the default values of the Profile Generator
• Perform the necessary steps after an upgrade for postprocessing old and new authorization values
• Define password rules and system profile parameters
• Protect special users in the SAP system
• Protect SAP functions with authorization object S_TCODE
• Protect tables and views using authorization groups
• Protect programs with authorization groups
• Describe tasks in user and authorization administration
• List options for separating functions of user and authorization administration
• Describe options for decentralization of user administration
• Create user and authorization administrators with limited rights (using authorization objects)
• Analyze authorization checks in various ways
• Use transaction SU53 to find missing authorizations (also for other users)
• Run the authorization trace (ST01)
• Apply the features of the information system and use them for different tasks
• Understand and apply the functions of the Audit Information System (AIS)


Unit 6: Transporting Authorizations

This unit has only one lesson and describes the transport functions for authorization data. Describe what is transported and explain the possibilities for changing system behavior (parameters).

Unit Overview

This unit describes the transport of authorization data, starting with user master records, through roles, up to check indicators and customer default values for the Profile Generator.

Unit Objectives

After completing this unit, you will be able to:

• Copy user master records to other clients
• Transport roles and describe the behavior in the system: with and without profile information, with and without user assignments, in a CUA landscape or without CUA
• Transport check indicators using transaction SU25
• Describe the transport behavior of composite, reference, and derived roles
• List other transport options

Unit Contents

Lesson: Transporting Authorization Components
Exercise 11: Transporting Authorization Components


Lesson: Transporting Authorization Components

Lesson Duration: 40 Minutes

Lesson Overview

This lesson provides an overview of how to transport user master records, roles, and check indicators.

Lesson Objectives

After completing this lesson, you will be able to:

• Copy user master records to other clients
• Transport roles and describe the behavior in the system: with and without profile information, with and without user assignments, in a CUA landscape or without CUA
• Transport check indicators using transaction SU25
• Describe the transport behavior of composite, reference, and derived roles
• List other transport options

In this lesson, you will provide an overview of the different transport options for user data, roles, and check indicators. After this lesson, the participants should be able to distinguish between the transport types and to perform the required actions in the system.

Business Example

Authorization components such as roles should be created and tested in development systems, and not in production systems. At the end of the test phase they are transported from the development systems to the production system. The transport behavior varies depending on various profile parameters. It is also important whether or not CUA is implemented in the system landscape.

Options for Transporting Authorization Components

User data and authorization data must be exchanged in system landscapes with multiple SAP systems. The data is either exchanged between different clients of an SAP system or between clients of different SAP systems.

In principle, the SAP authorization concept differentiates between the following transport contents.


Which Authorization Components Can Be Transported?

• User master records
• Roles
• Authorization profiles
• Check indicators

Authorization profiles can be transported together with their roles. Working with authorization profiles without an assigned role should remain the exception. The transport connection of transaction SU02 for maintaining authorization profiles is only mentioned here for completeness and is not further discussed.

Remind the participants that it is only possible to transport all user master records when performing a client copy. It is not possible to select individual user master records.

Figure 104: Transporting User Master Records

User master records can be maintained centrally in one client of a system. If a new client is built, it can initially be filled with the user master records of the maintenance client. Client management transactions can be found under the menu path Tools → Administration → Administration → Client management → ....

Local Client Copy

If a new client is filled with data from another client of the same SAP system, this copy process is called a local client copy. Since the data of both clients is stored in the same database, it is not necessary to transport the data using the network or the operating system. The local client copy is started with transaction SCCL or in the client management with ... → Client copy → Local copy.

Hint: Schedule the transport as a background job during the night. This helps to avoid data inconsistencies.

Client Copy Between Systems

If a new client is filled with data from another SAP system, it can be copied with a client transport (1) or as a remote client copy (2).

1. The client transport exchanges its data with a data export at operating system level. Transaction SCC8 can be started in the client management by choosing ... → Client transport → Client export.

2. In a remote client copy, the data is copied over the network and not as a file. Transaction SCC9 can be found in the client management under ... → Client copy → Remote copy.

Caution: Prior to each client copy, the data areas to be copied are deleted in the target client.

Only the complete user master, and not individual users, can be copied.Roles are also copied when you copy Customizing data.

Hint: User master records can also be distributed using Central User Administration. In this case, it is possible to distribute individual users.

Roles Without Central User Administration

SAP roles are available in all systems and are not transported. If roles that you developed yourself are to be transported between clients or SAP systems, you must differentiate between situations where Central User Administration is implemented, and those in which it is not.

Summarize the participant text for the next slide in your own words and describe the special features when transporting roles without CUA to the participants.


Figure 105: Transporting Roles Without Central User Administration

If you are not using Central User Administration, roles can be transported with user assignments. The transport is started with a Customizing request, which you can create in the Profile Generator by choosing Utilities → Mass transport. The transport request is either imported into another SAP system with the Transport Management System or into another client of the same SAP system using transaction SCC1. The user master records of the target client must be compared after the import. You can do this manually from the Profile Generator by choosing Utilities → Mass comparison or periodically in the background (PFCG_TIME_DEPENDENCY). You can also create the background job there.

By default, authorization profiles are transported with roles (since SAP R/3 4.6C). If this is not desired, you must prevent the data export in the source system with the control entry (PROFILE_TRANSPORT := NO) in table PRGN_CUST. The table entry can be made using maintenance transaction SM30.

Caution: If the Customizing entry NO is set, you must generate the profiles in the target system using a mass generation before performing a user master comparison (transaction code SUPC).

You can start the mass generation in the Profile Generator by choosing Utilities → Mass generation.

Transporting Roles with User Assignment


If you do not want to transport the user assignments to roles, you can protect the target system with an import lock. To do this, the control table PRGN_CUST must contain the entry (USER_REL_IMPORT := NO).

Caution: If you transport user assignments, the entire user assignment for the role in the target system is replaced. Existing connections to this role are removed.

You must also perform a user master comparison for all affected roles in the target system after the import.

Roles with Central User Administration

Describe the transport of roles with CUA in the same way as you did for the previous slide. Show the participants the corresponding icons and actions in the system for both descriptions. Take the user exercises into account.

Figure 106: Transporting Roles With Central User Administration

Roles must also exist in the systems in which they are assigned to users within the Central User Administration. If systems are assigned to a Central User Administration, roles must be transported without user assignment since these assignments are made in and distributed from the central system. If user assignments were transported, there would be a temporary inconsistency between the actual state of the system and its subsystems. The imported assignments are deleted without being copied to the central system the next time there is a distribution. For security reasons, the import lock for user assignments therefore should be set for systems within the Central User Administration (SM30, PRGN_CUST, USER_REL_IMPORT := NO).

A Customizing request for roles is created analogously to the scenario without Central User Administration. The authorization profiles are also transported in the same way.
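The behavior described for role transports without and with CUA depends on two PRGN_CUST entries. The following Python script is an added example and not part of the ADM940 course or of SAP's transport tools: it models a role transport import into a target client and shows what happens to the existing user assignments when the request carries assignments and no import lock is set (the whole assignment list is replaced), when USER_REL_IMPORT = NO is set (the imported assignments are ignored), and when PROFILE_TRANSPORT = NO was set in the source (the role must be regenerated with SUPC before the user master comparison). The role, user names and transport request contents are constructed sample data; the request number only follows the <DEV>K900376 pattern shown later in the exercise solution.

```python
"""Simulate role transport imports under the PRGN_CUST control entries.

Added example, not part of the ADM940 course.  All roles, users and
requests below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class TransportRequest:
    """Customizing request as created with Utilities -> Mass transport (model)."""
    number: str
    roles: dict                       # role -> list of users ([] = no assignments)
    profiles_included: bool = True    # False if PROFILE_TRANSPORT = NO in the source


@dataclass
class TargetClient:
    """State of the importing client (model)."""
    assignments: dict = field(default_factory=dict)        # role -> set of users
    generated_profiles: set = field(default_factory=set)   # roles with generated profile
    prgn_cust: dict = field(default_factory=dict)          # PRGN_CUST control entries
    in_cua: bool = False                                   # attached to a central system


def import_lock_active(target):
    """True if the target has the entry USER_REL_IMPORT = NO in PRGN_CUST."""
    return target.prgn_cust.get("USER_REL_IMPORT", "").upper() == "NO"


def import_request(target, request):
    """Apply the request to the target and return a per-role report."""
    report = {}
    for role, users in request.roles.items():
        before = set(target.assignments.get(role, set()))
        if users and not import_lock_active(target):
            # No lock: the transported list replaces the whole assignment.
            target.assignments[role] = set(users)
            removed = before - set(users)
            action = "assignments replaced"
        else:
            removed = set()
            action = "assignments kept (import lock or none transported)"
        if request.profiles_included:
            target.generated_profiles.add(role)
            follow_up = "user master comparison (Utilities -> Mass comparison or PFCG_TIME_DEPENDENCY)"
        else:
            # Profiles were not exported: regenerate before comparing users.
            target.generated_profiles.discard(role)
            follow_up = "mass generation (SUPC) first, then user master comparison"
        warnings = []
        if removed:
            warnings.append(f"existing assignments removed: {sorted(removed)}")
        if target.in_cua and users and not import_lock_active(target):
            warnings.append("CUA client accepted user assignments; they are deleted "
                            "at the next distribution from the central system")
        report[role] = {"action": action, "removed": sorted(removed),
                        "follow_up": follow_up, "warnings": warnings}
    return report


def demo(lock, in_cua=False):
    """Constructed scenario: target already has two users assigned to the role."""
    target = TargetClient(
        assignments={"GR00_SD_SALMGR": {"GR00-SD1", "GR00-SD2"}},
        generated_profiles={"GR00_SD_SALMGR"},
        prgn_cust={"USER_REL_IMPORT": "NO"} if lock else {},
        in_cua=in_cua,
    )
    # Constructed request: carries an assignment list that lacks GR00-SD2.
    request = TransportRequest("DEVK900376", {"GR00_SD_SALMGR": ["GR00-SD1", "GR00-SD3"]})
    return target, import_request(target, request)


if __name__ == "__main__":
    for lock in (False, True):
        target, report = demo(lock)
        print(f"import lock set: {lock}")
        print("  result:", sorted(target.assignments["GR00_SD_SALMGR"]))
        print("  report:", report["GR00_SD_SALMGR"])
```

Without the lock, GR00-SD2 loses the role although nobody in the target intended that; with the lock the target keeps GR00-SD1 and GR00-SD2 and only the role content is updated, which is the state the lesson requires for systems inside a CUA landscape.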

Uploading and Downloading Roles

Normally it is only possible to exchange data with transport requests between SAP systems with the same release status. For example, if roles have to be exchanged within the Central User Administration across releases, this can be done by downloading or uploading roles, if necessary.

Hint: When you download the data, it is all stored in a local file, with the exception of the generated authorization profiles and the user assignments.

After an upload, the role might have to be edited and generated. You can choose to upload or download in the Profile Generator by choosing Role → Upload/Download. Since SAP R/3 4.6C, you can save multiple roles in a local file at the same time by choosing Utilities → Mass download.

Transporting the Customer Check Indicators

Figure 107: Transporting Check Indicators


The customer tables USOBX_C and USOBT_C, which control the behavior of the Profile Generator, must be filled in each system in which the Profile Generator is used.

If these tables are adjusted to the customer's needs, they can then be transported as a whole. This means that you transport all the settings for the authorization checks, check indicators, and the corresponding field values.

1. The transport link can be found under step 3 of transaction SU25, which must be executed when you activate the Profile Generator.

2. You can use transaction SU24 to change individual check indicators. In this case, the system automatically and immediately creates a transport request.

In both cases, a transport request is transported and distributed to other SAP systems in the context of the Transport Management System.

Caution: During the transport, all of the check indicators and field values in the target system are replaced, and steps 2a-2d cannot be used.
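Because the import replaces the target's USOBX_C and USOBT_C entries as a whole, the change set an SU25 step 3 transport applies is exactly the difference between the source and target tables, and it is worth previewing that difference before the import, in particular where a check indicator becomes less strict. The following Python script is an added example and not part of the ADM940 course or of SU25: it compares constructed source and target copies of the two tables and lists the added, dropped, changed and loosened entries. The table layout, the simplified check indicator codes (CM = Check/Maintain, C = Check, N = Do not check, U = Unmaintained), their strictness ordering and the sample transactions and objects are assumptions for the example.

```python
"""Preview what an SU25 step 3 transport of USOBX_C/USOBT_C changes in the target.

Added example, not part of the ADM940 course.  The table contents and the
check indicator encoding below are constructed for the example.
"""

# Assumed ordering used to decide whether a change loosens a check.
STRICTNESS = {"N": 0, "U": 1, "C": 2, "CM": 3}

# USOBX_C model: (transaction, authorization object) -> check indicator.
SOURCE_USOBX_C = {
    ("MB1C", "M_MSEG_WWA"): "CM",
    ("MB1C", "M_MSEG_BWA"): "CM",
    ("MM03", "M_MATE_WRK"): "C",
    ("SU01", "S_USER_GRP"): "CM",
}
TARGET_USOBX_C = {
    ("MB1C", "M_MSEG_WWA"): "CM",
    ("MB1C", "M_MSEG_BWA"): "N",     # tightened to CM by the import
    ("MM03", "M_MATE_WRK"): "CM",    # loosened to C by the import
    ("MM03", "M_MATE_MAR"): "C",     # absent in the source: dropped by the import
}

# USOBT_C model: (transaction, object, field) -> set of proposed field values.
SOURCE_USOBT_C = {
    ("MB1C", "M_MSEG_WWA", "ACTVT"): {"01"},
    ("MB1C", "M_MSEG_WWA", "WERKS"): {"1000"},
}
TARGET_USOBT_C = {
    ("MB1C", "M_MSEG_WWA", "ACTVT"): {"01"},
    ("MB1C", "M_MSEG_WWA", "WERKS"): {"*"},   # full plant access proposed today
}


def preview_usobx_import(source, target):
    """Describe the replacement of the target's check indicators by the source's."""
    added = sorted(key for key in source if key not in target)
    removed = sorted(key for key in target if key not in source)
    changed = sorted((key, target[key], source[key])
                     for key in source if key in target and source[key] != target[key])
    # A change loosens the check when the new indicator is less strict.
    loosened = [(key, old, new) for key, old, new in changed
                if STRICTNESS[new] < STRICTNESS[old]]
    return {"added": added, "removed": removed, "changed": changed, "loosened": loosened}


def preview_usobt_import(source, target):
    """Proposed field values that differ: key -> (target values, source values)."""
    keys = set(source) | set(target)
    return {key: (sorted(target.get(key, ())), sorted(source.get(key, ())))
            for key in sorted(keys) if source.get(key) != target.get(key)}


def report_lines(source_x, target_x, source_t, target_t):
    """Human-readable preview, as the administrator would read it before importing."""
    lines = []
    x = preview_usobx_import(source_x, target_x)
    for key in x["added"]:
        lines.append(f"ADD     {key[0]} {key[1]}: {source_x[key]}")
    for key in x["removed"]:
        lines.append(f"DROP    {key[0]} {key[1]}: was {target_x[key]}")
    for key, old, new in x["changed"]:
        tag = "LOOSEN " if (key, old, new) in x["loosened"] else "CHANGE "
        lines.append(f"{tag} {key[0]} {key[1]}: {old} -> {new}")
    for key, (old, new) in preview_usobt_import(source_t, target_t).items():
        lines.append(f"VALUES  {key[0]} {key[1]} {key[2]}: {old} -> {new}")
    return lines


if __name__ == "__main__":
    for line in report_lines(SOURCE_USOBX_C, TARGET_USOBX_C, SOURCE_USOBT_C, TARGET_USOBT_C):
        print(line)
```

In the constructed data the import tightens the movement-type check for MB1C, loosens the plant check for MM03 from Check/Maintain to Check, drops an object the target had maintained locally, and narrows the proposed WERKS value from * to 1000; the LOOSEN and DROP lines are the ones to review with the application owner before importing.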

Show the participants how to call the functions discussed in the system. In this context, you should also discuss all of the menu options provided on the initial screen of transaction PFCG with the participants.


Exercise 11: Transporting Authorization Components

Exercise Duration: 15 Minutes

Exercise Objectives

After completing this exercise, you will be able to:

• Set an import lock for user assignments when transporting roles
• Create a transport request for a role
• Transport the contents of USOBX_C and USOBT_C

Business Example

On a daily basis, authorizations are created or changed or Profile Generator default values are adjusted. These settings must be transported. This exercise addresses and runs through a few examples on the topic of transport.

System Data

System: These SAP systems change weekly. Training administration will provide you with the exact ID of your SAP R/3 Enterprise system.

Client: The training courses are held in the 8xx clients; training administration will provide you with the exact numbers. One of the clients is set up as the central system.

User ID: The user IDs for SAP courses should have a uniform structure. The IDs contain the course ID and a two-digit group number. For example, for the ADM940 course: User ID "ADM940-##". At the start of the course, the instructor creates the users using transaction "ZUSR" and the template "ADM940-MODEL". The participants receive the required roles and authorizations for the exercises through the template.

Password: The instructor can set a uniform password for the users when creating them (such as "ADM940"). Training administration will inform you of the instructor password for access to the system.

Set up instructions:

1. All of the users, roles, and profiles (specifications) that the participants are to call have already been set up by the weekly system copy. If data is missing, contact the system administrators or the course author. The content to be created by the participants has been created in the system with the ID "...##" for the participant group numbers, and the instructor number "00" for comparison.


Task 1: You want to ensure that any user assignment that exists is never evaluated in your system by a transport request for a role.

1. Where must you set the import lock?

______________________________________________________

2. What would happen if the transport request had user assignmentsand no import lock had been set up?

______________________________________________________

______________________________________________________

______________________________________________________

______________________________________________________

______________________________________________________

Task 2: Open transaction PFCG and enter ADM940_SD_SALES.

1. Create a transport request for the specified role (without user assignment). To do this, use the "Own Requests" button and choose the request to which your user is assigned.

Note the transport request number:

______________________________________________________

2. Which objects can be transported with the role during the transport?

______________________________________________________

______________________________________________________

Task 3: Transport tables USOBX_C and USOBT_C.

1. Which transaction and which step is used to do this?

______________________________________________________

2. Which changes are included in this transport request? For more information, read the help, which appears after you choose the Transport icon (the truck). After reading the help, terminate the process and do not create a transport request.

______________________________________________________

______________________________________________________

______________________________________________________

______________________________________________________

______________________________________________________


Solution 11: Transporting Authorization Components

Task 1: You want to ensure that any user assignment that exists is never evaluated in your system by a transport request for a role.

1. Where must you set the import lock?

______________________________________________________

a) You must use transaction SM30 to set the lock in table PRGN_CUST with the entry USER_REL_IMPORT := NO.

2. What would happen if the transport request had user assignmentsand no import lock had been set up?

______________________________________________________

______________________________________________________

______________________________________________________

______________________________________________________

______________________________________________________

a) If you transport the user assignments with the roles, the user assignments for the roles in the target system are completely replaced by those from the transport request.

Caution: As part of this, existing connections to users that are not contained in the transport request are also deleted.

Task 2: Open transaction PFCG and enter ADM940_SD_SALES.

1. Create a transport request for the specified role (without user assignment). To do this, use the "Own Requests" button and choose the request to which your user is assigned.

Note the transport request number:


______________________________________________________

a) Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (or transaction code PFCG).

Enter the specified name for the role. Confirm your entry with Enter. Open the dialog for the transport request by choosing Role → Transport or the transport role icon.

Transport request number (Example: <DEV>K900376)

2. Which objects can be transported with the role during the transport?

______________________________________________________

______________________________________________________

a) After confirming that a transport request is to be created, another selection screen appears. In this dialog box, you can decide which objects are to be included in the transport. You can select the following here:

• User assignment
• Personalization objects

Task 3: Transport tables USOBX_C and USOBT_C.

1. Which transaction and which step is used to do this?

______________________________________________________

a) Use transaction SU25 for this action. Enter this directly in the command field, or choose the menu path Environment → Installation/Upgrade in transaction PFCG.

You can write the tables to a transport request with step 3.

2. Which changes are included in this transport request? For more information, read the help, which appears after you choose the Transport icon (the truck). After reading the help, terminate the process and do not create a transport request.

______________________________________________________

______________________________________________________

______________________________________________________

______________________________________________________


______________________________________________________

a) The following content is included in this transport:

You use this to transport the Profile Generator customer tables. This records all changes that you made in steps 1, 2a, and 2b in a transport request. Changes that you made to check indicators in transaction SU24 are also recorded.


Lesson Summary

You should now be able to:

• Copy user master records to other clients
• Transport roles and describe the behavior in the system: with and without profile information, with and without user assignments, in a CUA landscape or without CUA
• Transport check indicators using transaction SU25
• Describe the transport behavior of composite, reference, and derived roles
• List other transport options


Unit Summary

You should now be able to:

• Copy user master records to other clients
• Transport roles and describe the behavior in the system: with and without profile information, with and without user assignments, in a CUA landscape or without CUA
• Transport check indicators using transaction SU25
• Describe the transport behavior of composite, reference, and derived roles
• List other transport options


Unit 7: Integration into the Company Landscape

Many participants will already work with an authorization concept and be familiar with the problems of the daily work. Part of the daily work is the assignment of authorizations for end users. Many processes are repeated here. They are usually linked to certain rules, and are often time-consuming. Use the two lessons to describe other options for controlling users and assigning authorizations. Address the advantages and disadvantages.

Unit Overview

Some of the daily work for an administrator is the assignment of authorizations to end users. These are often connected to certain rules and processes that always follow the same schema. Two additional methods for user maintenance and authorization assignment are introduced here to help you optimize this regular process and the time spent. These are Central User Administration and the Integration into Organizational Management.

Unit Objectives

After completing this unit, you will be able to:

• Create organizational units in HR Organizational Management
• Link roles with the organizational plan objects
• Link users with the organizational plan objects
• Perform a comparison of the indirect role and user assignments
• Compare user master records
• Assign roles for a specific period of time
• Explain how the central user administration functions
• Specify the most important steps for setting up the central user administration
• Define distribution rules for user data
• Create, maintain and distribute users centrally
• Perform system comparisons for users that are not yet maintained centrally

Unit Contents
Lesson: Integration into Organizational Management ........ 329
    Exercise 12: Integration into Organizational Management ........ 347
Lesson: Central User Administration (CUA) ........ 355
    Exercise 13: Working with Central User Administration ........ 371


Page 339: Adm940

ADM940 Lesson: Integration into Organizational Management

Lesson: Integration into Organizational Management
Lesson Duration: 60 Minutes

Lesson Overview
This lesson will give you an impression of the advantages and possibilities that Organizational Management offers for assigning authorizations to users in a company.

Lesson Objectives
After completing this lesson, you will be able to:

- Create organizational units in HR Organizational Management
- Link roles with the organizational plan objects
- Link users with the organizational plan objects
- Perform a comparison of the indirect role and user assignments
- Compare user master records
- Assign roles for a specific period of time

The employees or users require corresponding authorizations to perform their tasks. The authorization administrator usually assigns the required roles (single and/or composite roles) directly using transactions SU01, SU10, and PFCG.

If the employee now changes his or her position in the company, allexisting direct links between the user and the roles must now be checked.New authorizations are added for new functions, and authorizations thatare no longer required are deleted (which is often forgotten). This meansan increased maintenance effort for the administration team.

Suppose instead that there were an organizational model of the company (HR-Org) with fixed links between the authorizations/roles and the objects of the organizational plan (organizational unit, work center, position, job). If an employee then changed position, only the assignment of the person to the position would have to be changed, since the authorizations are attached to the position rather than to the user and therefore do not move with him or her. This type of assignment is called indirect role assignment using an HR Organizational Model.

Present this additional possibility for assigning authorizations in thislesson.




Business Example
If employees in your company often change position within the company, authorization administration can be significantly simplified through a link to organizational units from HR Organizational Management.

Basic Concept of "Indirect Role Assignment"
Requirements for daily administration

Explain that a significant amount of administration work is created if anemployee changes department, since the role assignment must be changedfor the employee. It is also possible that people might forget to removeauthorizations from the employee after a change of position within theorganization. Explain this with the following example.

Imagine that you must set up and assign authorizations for a trainee.During his or her training, this trainee works with various departments(procurement, controlling, HR department, and so on).

Over time, the trainee "collects" authorizations, and after some time has been assigned various roles. He or she has successively received ever more authorizations, because the administration team has forgotten to remove the authorizations that are no longer relevant for the trainee after he or she changes department.

- Managing role assignments directly for users can become cumbersome in large implementations.
- As users move or change jobs in your organization, their authorizations must be reviewed.

Solution to reduce the administration effort required:

If the roles are now assigned to the objects of the organizational plan, suchas positions, the employees, who are indirectly assigned to these positionsthrough the organizational plan, can inherit the roles.




Advantage: As soon as an employee changes position, he or she also loses the corresponding authorizations (since these depend not on the user, but on the position).

- Create roles based on organizational objects, such as positions in your organization. For example: sales manager, accountant, and secretary.
- Assign the roles to your organizational plan. Users then inherit the authorizations (indirectly) in accordance with their position in the organizational plan.

Advantages:

Substitution and Transfers

- If roles were assigned directly to specific employees, then each time the user's responsibilities change, the corresponding assignment of roles would have to be changed.
- If, however, the assignments are based on the notion of positions, then no adjustments will have to be made within the agent assignments of roles.

Time-Dependent Planning in Reorganization Processes

- SAP Organizational Management allows both the validity of organizational objects and their assignments to be planned and activated time-dependently. You must schedule the user master record update program (report PFCG_TIME_DEPENDENCY) as a periodic job so that profiles are added to or removed from the user master records as the organizational plan changes.

Structure of an SAP Organizational Management
An organizational plan is a set of information that dynamically describes the structural and personal environment of your company. Using the tools provided by the Organizational Management component, you can create an organizational plan.

Use the next slide to clarify what an organizational plan is. Discuss theconcepts of organizational units and positions.




Figure 108: Organizational Plans

Normally, organizational plans are built by linking objects of the following types with each other:

- Organizational Unit: Can be, for example, a functional unit in the company (such as Sales and Distribution).
- Position: Represents a position in the staff assignments of an organizational unit that is to be occupied by a person (employee), such as Sales Manager Europe.
- Job: While positions represent the concrete posts in a company that are to be occupied by holders (such as Sales Manager Europe), jobs are general classifications of functions in a company (such as sales manager) that are to be further specified by assigning properties. Jobs provide job descriptions that are applicable to multiple positions with similar tasks and properties.
- Task: Description of an activity that is to be performed within organizational units.

The maintenance interface available since SAP R/3 4.5 is introduced on the next slide. However, you should use "Simple Maintenance" for the demonstration (see the next instructor note).




Figure 109: Organization Plan User Interface

By choosing the menu path SAP Menu → Human Resources → Organizational Management → Organizational Plan → Organization and Staffing, you have three options for editing organizational plans:

- Create, transaction code PPOCE
- Change, transaction code PPOME
- Display, transaction code PPOSE

Hint: You can, however, still use the simple maintenance mode to edit organizational plans (as in previous releases). To switch from the new maintenance interface to the simple maintenance mode, choose the following menu path: Settings → Maintenance Interface.




The new user interface consists of several screen areas:

- In the search area, you can find one or more objects that you want to display or edit (for example, a complete organizational structure, or all objects of a specific object type, such as all positions).
- The selection area lists the objects found. You can select one of these objects
  - by double-clicking it to display the object and its environment in the overview area and its properties in the detail area, or
  - by clicking it once to assign it to another object through Drag&Drop, for example, a position to an organizational unit.
- The overview area displays the selected object and its environment.

Use the �simple maintenance� for your demonstration in this lesson, sinceit requires significant effort (Customizing settings) to link roles to objectsin the organizational plan.

Hint: If a participant asks why the "simple maintenance" is used on the next slides, you should argue that the new interface could also be used, but that its additional functions are not relevant to the authorization concept.

On the other hand, authorization administrators are often not HR experts and can therefore learn to use "simple maintenance" significantly faster.

Figure 110: Simple Maintenance of an Organizational Plan




In the simple maintenance mode, you can edit organizational plans either in the Overall view or in the Human Resources view. The Overall view provides specific functions for users of the authorization system and SAP Business Workflow. In this view you can, for example, work with roles. The Human Resources view provides specific functions for HR users.

The simple maintenance method uses a tree structure which allows you torapidly put together a basic framework for organizational plans. You useoptimized procedures to do this.

You work in three main windows. Each window covers specific maintenance activities:

- The Organizational Structure window allows you to build up and maintain the organizational structure for your organizational plan.
- The Staff Assignments window allows you to identify the fundamental staffing details required for an organizational plan.
- The Task Profile window allows you to assign roles to jobs, positions, organizational units, and holders of positions (users). Workflow tasks are also assigned at this level; however, these are not related to authorizations.

The next slide shows the "six steps" for maintaining an organizational plan. Provide an overview of these. These steps are then described in detail in the following slides.




Figure 111: Creating an Organizational Plan in Simple Maintenance

The above figure illustrates that the first step in Simple Maintenance is tocreate a root organizational unit. All other organizational units are thendefined in the organizational structure.

You can define organizational units and jobs in any order you like.However, they should be defined before you define the relevant positions.

Positions are created after the appropriate job(s) are created in the jobindex.

Holders are assigned to positions, not to jobs.

Having set up the organizational plan, you can assign roles toorganizational units, jobs, positions, and holders of positions (users).

Explain the definition of a root organizational unit. It is assigned anabbreviation and the validity period can be restricted.




Figure 112: Step 1: Defining the Root Organization

When you want to build a new organizational plan, you must first createa root organizational unit. The root organizational unit is the top-levelunit of an organizational structure, for example, the executive board.The root organizational unit is also your starting-point for enhancing theorganizational structure by adding lower-level units.

The date specified on the initial screen is used as the default for the validityperiods of all objects and relationships to be defined.

Additional subordinate organizational units are then defined. Workthrough an example of a company structure with the participants(production, sales and distribution, human resources, finance department,and so on).




Figure 113: Step 2: Creating Additional Organizational Units

Using the root organizational unit as your starting-point, you createadditional lower-level organizational units. In the above example, theBoard constitutes the higher-level object, while the organizational unitsProduction, Sales, HR and Accounting are lower-level objects.

To create organizational units in simple maintenance, you select theorganizational unit under which you want to add new organizationalunits. The relevant relationship records (A/B 002) between the lower-leveland the higher-level organizational unit are automatically created by thesystem.

Ask the participants what is then attached to an organizational unit of this type: the "jobs" and "positions".

Extend the figure with jobs (general classification of functions in acompany, such as secretary), and positions (concrete positions to be filledby people, such as secretary to the sales and distribution department).These are added by choosing the Staff Assignments button.




Figure 114: Step 2: Editing the Organizational Structure

To change the hierarchical position of an organizational unit in theorganizational structure, you can reassign the relevant unit. If you reassigna unit, the relationships between the organizational units are changed. Thismeans that the current relationship records are automatically delimitedand new relationship records are created based on the reassignmentprocess.

To change the short or long text, use the Rename function.

Other functions include:

- Deleting objects and relationships
- Delimiting objects and relationships
- Determining the order of the organizational units

If required, you can show or hide other information, for example, theabbreviation, the object period, and the object key.




Figure 115: Step 3: Create jobs

To create jobs, go to the Staff Assignments screen and choose Edit → Create → Jobs there.

Figure 116: Step 4: Create Positions

To create a position in simple maintenance, you select the organizationalunit in the staff assignments under which you want to add the newposition. The relevant relationship record (A/B 003) between the positionand the higher-level organizational unit is automatically created by thesystem.




As part of the basic concept, you should link each position with a job. As aresult, the position automatically inherits the tasks and properties assignedto the describing job, considerably reducing the maintenance effort.

When you create a position in simple maintenance, you can choose adescribing job from the job index or directly create a new one. The relevantrelationship record (A/B 007) between the describing job and the positionis automatically created by the system. By default, the job descriptionis used as the position description.

You can create several positions simultaneously.

Use the next slide to discuss the possibilities for assigning tasks in the form of roles to the various organizational levels (processing view: overall view; button: task profile).

- You can assign roles (single or composite roles) to an organizational unit (such as European Sales). This means that all employees that belong to European Sales inherit the corresponding authorizations (since they are linked with European Sales through positions).
- However, it is not possible to inherit authorizations across organizational units.
- Roles can also be assigned to jobs and positions.

Figure 117: Step 5: Assign Tasks

A position (such as Sales Manager Europe) can be assigned directly to arole. You can also assign roles using the job (such as sales manager) and/orthe organizational unit (such as European Sales). The user assigned to thisposition then inherits all authorization profiles of these roles.




The user assigned inherits the authorization profiles related to the following:

- Role SALESMANAGER_EUROPE, through the relationship: Position → Holder of position
- Role SALESMANAGER, through the relationship: Job → Position → Holder of position
- Role SALES_EUROPE, through the relationship: Organizational Unit → Position → Holder of position

You can also assign roles directly to a user. However, we recommend thatyou do not do this since you lose the benefits of an assignment using anorganizational plan.

Hint: Roles cannot be inherited across organizational units.Positions belonging to an organizational unit cannot inherit theroles assigned to a higher-level organizational unit.

Explain step 6: the holder assignment. Explain at this point that this does not yet mean that the user has received the authorizations. Various comparisons must first be performed (the reconciliation of the indirect user assignments in the role, and the user master comparison).

Figure 118: Step 6: Assign Holder




Positions can be held either by persons or by users.

- Information on the Person object type is maintained in the HR master data. Persons are employees of the company.
- Users, on the other hand, are not necessarily employees. Users have authorizations to access the SAP system. They can occupy positions without being registered as an employee. This assignment is of importance in the context of the Workflow.

The next slide explains the steps required for the holder to receive theassigned authorization profiles in his or her user master record. Describethe steps and demonstrate the process in the system. You can use theexample from the exercise for the demonstration.

In the complete view in the Profile Generator, there is an "Organizational Mgmt" button on the User tab page. Using this, the indirect user assignments are reconciled; that is, a comparison is performed between positions and assigned users (see the next two slides).

Figure 119: Agent Assignment View (Role)

In order to assign roles to users, you can also use the role maintenance transaction. You can access this through the menu path SAP Menu → Tools → Administration → User Maintenance → Roles, or with transaction code PFCG.




To be able to assign components of your organizational plan, you must select the "Complete View" when entering the role maintenance transaction (PFCG).

By choosing the Organizational Mgmt button, you jump to the screen Role: Change Agent Assignment. The "Indirect User Assignments" that have already been maintained are displayed here.

Here you can use positions to assign users to a role (such as SALESMANAGER).

By choosing Create assignment, you can also define the following relationships:

- Role / Organizational unit
- Role / Position
- Role / User

Figure 120: Indirect User Assignment Reconciliation

If you choose the "Indirect user assignment reconciliation" button, the system reconciles the positions and the users assigned to them. Newly added users are entered, and user assignments that are no longer current are deleted.

During the reconciliation process, the users assigned on the basis ofpositions are entered as indirect user assignments for the role.




Since assignments in Organizational Management are time-dependent,you must take this restricted validity into account when you assignusers. During the reconciliation process, the relationship period fromOrganizational Management is copied for the indirect user assignments.

If you perform a user master comparison (see next figure), the indirect userassignment is automatically reconciled. The same applies when runningthe report PFCG_TIME_DEPENDENCY.

Show the user master comparison with the last figure. Finally, emphasizethe following to the participants:

Hint: If you perform a user master comparison, the indirect role assignments are always also reconciled. This means that the following question is always asked: Is the assignment of holder to position still valid?

The same also applies if the comparison is performed using transaction PFUD or report PFCG_TIME_DEPENDENCY.

Figure 121: User master record comparison

If you change the users assigned to the role or generate an authorizationprofile, you must compare the user masters (User Comparison button). Thesystem compares the authorization profiles with the user master records.This means that profiles that are no longer current are removed fromthe user master records, and the current profiles are entered in the usermaster records.
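The three inheritance paths listed above (Position → Holder, Job → Position → Holder, Organizational Unit → Position → Holder), the rule that roles are not inherited across organizational units, and the time-dependent reconciliation followed by the user master comparison, as an added example in Python. This is not course material and not SAP code; it keeps the relationship records in memory and simulates what the reconciliation and the comparison change. The object keys ("O:", "C:", "S:", "US:"), relationship numbers, role names, composite role contents and generated profile names are constructed assumptions.

```python
"""Indirect role assignment through an HR organizational plan: an in-memory model.

Added example, not part of the ADM940 course material and not SAP code. Object
keys, relationship numbers, role and profile names are constructed stand-ins.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rel:
    """One relationship record between two objects, valid from start to end."""
    a: str       # higher-level / describing object, e.g. "O:SALES_EU"
    b: str       # lower-level / described object, e.g. "S:SALESMGR_EU"
    kind: str    # "002" OU->OU, "003" OU->position, "007" job->position,
                 # "008" position->holder, "ROLE" object->role name (assumed codes)
    start: date
    end: date


# Single role -> generated authorization profile (constructed names).
ROLE_PROFILES = {
    "SALESMANAGER":  "T-SM000001",
    "SALES_EUROPE":  "T-SE000001",
    "SALES_ORDERS":  "T-SO000001",
    "SALES_REPORTS": "T-SR000001",
    "BOARD_REPORTS": "T-BR000001",
}
# Composite role -> the single roles it contains (constructed).
COMPOSITES = {"SALESMANAGER_EUROPE": ["SALES_ORDERS", "SALES_REPORTS"]}

D0, D1, FAR = date(2003, 1, 1), date(2003, 12, 31), date(9999, 12, 31)
# Constructed plan: Board -> Sales Europe -> position "Sales Manager Europe",
# described by job "Sales Manager", held by user SMITH during 2003 only.
PLAN = [
    Rel("O:BOARD", "O:SALES_EU", "002", D0, FAR),
    Rel("O:SALES_EU", "S:SALESMGR_EU", "003", D0, FAR),
    Rel("C:SALESMGR", "S:SALESMGR_EU", "007", D0, FAR),
    Rel("S:SALESMGR_EU", "US:SMITH", "008", D0, D1),
    Rel("O:BOARD", "BOARD_REPORTS", "ROLE", D0, FAR),
    Rel("O:SALES_EU", "SALES_EUROPE", "ROLE", D0, FAR),
    Rel("C:SALESMGR", "SALESMANAGER", "ROLE", D0, FAR),
    Rel("S:SALESMGR_EU", "SALESMANAGER_EUROPE", "ROLE", D0, FAR),
]


def sources(plan, obj, kind, on):
    """Objects on the 'a' side of a relationship of this kind to obj, valid on the date."""
    return [r.a for r in plan if r.kind == kind and r.b == obj and r.start <= on <= r.end]


def roles_of(plan, obj, on):
    """Roles linked directly to one organizational object, valid on the date."""
    return {r.b for r in plan if r.kind == "ROLE" and r.a == obj and r.start <= on <= r.end}


def effective_roles(plan, user, on):
    """Roles a user inherits indirectly on a date via the three paths:
    position -> holder, job -> position -> holder, org unit -> position -> holder.
    Roles of a higher-level org unit (002 relationship) are deliberately not
    followed: there is no inheritance across organizational units."""
    roles = set()
    for pos in sources(plan, user, "008", on):
        roles |= roles_of(plan, pos, on)
        for job in sources(plan, pos, "007", on):
            roles |= roles_of(plan, job, on)
        for ou in sources(plan, pos, "003", on):
            roles |= roles_of(plan, ou, on)
    return roles


def expand(roles):
    """A composite role is resolved to its single roles; all of them stay in the user master."""
    out = set(roles)
    for r in roles:
        out.update(COMPOSITES.get(r, []))
    return out


def user_compare(plan, user, current_profiles, on):
    """Simulate the user master comparison (PFUD / PFCG_TIME_DEPENDENCY): reconcile
    the indirect assignments for the date, then add profiles that are now due and
    remove profiles that are no longer current. Direct role assignments are not modeled."""
    roles = expand(effective_roles(plan, user, on))
    wanted = {ROLE_PROFILES[r] for r in roles if r in ROLE_PROFILES}
    return {
        "roles": roles,
        "profiles": wanted,
        "add": sorted(wanted - set(current_profiles)),
        "remove": sorted(set(current_profiles) - wanted),
    }


if __name__ == "__main__":
    mid = user_compare(PLAN, "US:SMITH", set(), date(2003, 6, 1))
    print("2003-06-01 roles:", sorted(mid["roles"]), "add:", mid["add"])
    after = user_compare(PLAN, "US:SMITH", mid["profiles"], date(2004, 1, 1))
    print("2004-01-01 roles:", sorted(after["roles"]), "remove:", after["remove"])
```

Running the script shows SMITH receiving the three inherited roles (five once the composite is expanded) and four generated profiles on 2003-06-01, and losing all of them on 2004-01-01 once the position-holder relationship has expired, which is exactly what a scheduled PFCG_TIME_DEPENDENCY run removes. BOARD_REPORTS never appears, because a position does not inherit the roles of the organizational unit above its own.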


Exercise 12: Integration into Organizational Management
Exercise Duration: Minutes

Exercise Objectives
After completing this exercise, you will be able to:

- Display organizational units in HR Organizational Management
- Link roles and users with HR organizational units
- Reconcile the relationships

Business Example
This exercise runs through the assignment of authorizations through the integration of Organizational Management. Only the last stages of the indirect user and role reconciliation are performed; the system settings required for this integration are not part of this exercise.

System Data
System: These SAP systems change weekly. Training administration will provide you with the exact ID of your SAP R/3 Enterprise system.
Client: The training courses are held in the 8xx clients; training administration will provide you with the exact numbers. One of the clients is set up as the central system.
User ID: The user IDs for SAP courses should have a uniform structure. The IDs contain the course ID and a two-digit group number. For example, for the ADM940 course: User ID "ADM940-##". At the start of the course, the instructor creates the users using transaction "ZUSR" and the template "ADM940-MODEL". The participants receive the required roles and authorizations for the exercises through the template.
Password: The instructor can set a uniform password for the users when creating them (such as "ADM940"). Training administration will inform you of the instructor password for access to the system.
Set up instructions:

1. All of the users, roles, and profiles (specifications) that the participants are to call have already been set up by the weekly system copy. If data is missing, contact the system administrators or the course author. The content to be created by the participants has been created in the system with the ID "...##" for the participant group numbers, and the instructor number "00" for comparison.




Task 1:
A composite role and a user are to be assigned to the previously created organizational plan ADM940. The indirect relationships are then to be displayed and reconciled, so that the user receives the appropriate authorizations.

1. Navigate in the SAP menu to Organizational Management and there, in expert mode, to the "simple maintenance". Display the organizational plan ADM940.

Hint: Menu Path: Human Resources → Organizational Management → Expert Mode → Simple Maintenance → Change

2. Go to the Staff assignments window. Select the root node and display the structural graphics.

3. Expand everything under the Materials Management node. Place the cursor on the group ## position, and assign the holder GR##-MM2 of type US to the position.

4. Select the group ## position and choose Task Profile. Link the position with the composite role GR##_MM_WHOUSE (from the exercise in the lesson Working with the Profile Generator Part 2).

Task 2:
Perform a direct reconciliation.

1. Change your composite role GR##_MM_WHOUSE.

Hint: Caution: Choose Complete View on the initial screenof the function.

2. Go to the User tab page.

Is the user from exercise 1-3 assigned to your role?

__________________________________________________

3. Go to Organizational Management by choosing the Organizational Management entry in the Goto menu (or by clicking the appropriate button).

Reconcile the indirect user assignments of the role.

4. Go back.

Is the user from exercise 1-3 assigned to your role?





______________________

What is the traffic light status of the Organizational Managementarea?

______________________

Display the user master record of user GR##-MM2.

Go to the Roles tab page.

How many roles are there?

______________________

How many profiles are entered?

______________________

5. Change your composite role GR##_MM_WHOUSE.

Perform a complete user compare.

Display the user master record of user GR##-MM2 again.

How many roles are there now?

______________________

And how many profiles?

______________________




Solution 12: Integration into Organizational Management

Task 1:
A composite role and a user are to be assigned to the previously created organizational plan ADM940. The indirect relationships are then to be displayed and reconciled, so that the user receives the appropriate authorizations.

1. Navigate in the SAP menu to Organizational Management and there, in expert mode, to the "simple maintenance". Display the organizational plan ADM940.

Hint: Menu Path: Human Resources → Organizational Management → Expert Mode → Simple Maintenance → Change

a) Hint: This menu path leads to the old simple maintenance, transaction code PPOM_OLD. The lesson also described why this old maintenance transaction is used, and not the new transaction. Short repetition: since this lesson deals only with the possibilities for assigning authorizations using Organizational Management, we have forgone the new maintenance interface. With this interface, a few more steps would be required than with the simple maintenance, and these would go beyond the scope of the exercise, which deals only with the possibility of assigning authorizations.

2. Go to the Staff assignments window. Select the root node and displaythe structural graphics.

a) Go to the staff assignments window by choosing the appropriatebutton.

Select the root node and display the structural graphics bychoosing the relevant button.


3. Expand everything under the Materials Management node. Place the cursor on the group ## position, and assign the holder GR##-MM2 of type US to the position.

a) Expand everything under the Materials Management node. Place the cursor on the group ## position (this is under the Warehouse) and assign the holder GR##-MM2 of type US to the position (choose the Assign holder button).

4. Select the group ## position and choose Task Profile. Link the position with the composite role GR##_MM_WHOUSE (from the exercise in the lesson Working with the Profile Generator Part 2).

a) Select the group ## position and choose the Task Profile button. Link the position with the composite role GR##_MM_WHOUSE (from the exercise for the lesson Working with the Profile Generator Part 2), by placing the cursor on the group ## position and choosing the Role button.

Task 2:
Perform a direct reconciliation.

1. Change your composite role GR##_MM_WHOUSE.

Hint: Caution: Choose Complete View on the initial screenof the function.

a) Menu: Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

2. Go to the User tab page.

Is the user from exercise 1-3 assigned to your role?

__________________________________________________

a) No.

3. Go to Organizational Management by choosing the Organizational Management entry in the Goto menu (or by clicking the appropriate button).


Reconcile the indirect user assignments of the role.

a) Go to Organizational Management by choosing theOrganizational Management entry in the Gotomenu (or by clickingthe appropriate button).

Reconcile the indirect user assignments of the role by choosingthe icon Indirect user assignment reconciliation. The status iconthen changes from Red to Green.

4. Go back.

Is the user from exercise 1-3 assigned to your role?

______________________

What is the traffic light status of the Organizational Managementarea?

______________________

Display the user master record of user GR##-MM2.

Go to the Roles tab page.

How many roles are there?

______________________

How many profiles are entered?

______________________

a) Yes.

b) Green.

c) Menu: Tools → Administration → User Maintenance → Users (transaction code SU01).

1 (3) roles (*)

d) 0 (2) profile(s) (*)

5. Change your composite role GR##_MM_WHOUSE.

Perform a complete user compare.

Display the user master record of user GR##-MM2 again.

How many roles are there now?

______________________

And how many profiles?


______________________

a) Hint: (*) Numbers in parentheses: the roles GR##_BC_PORTALS and ADM940_PLUS may have been created and assigned in an optional task in another lesson of the SAP course ADM940.

Menu: Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

Menu: Tools → Administration → User Maintenance → Users (transaction code SU01).

3 (5) roles (*)

b) 2 (4) profile(s) (*)




Lesson Summary

You should now be able to:

- Create organizational units in HR Organizational Management
- Link roles with the organizational plan objects
- Link users with the organizational plan objects
- Perform a comparison of the indirect role and user assignments
- Compare user master records
- Assign roles for a specific period of time



ADM940 Lesson: Central User Administration (CUA)

Lesson: Central User Administration (CUA)
Lesson Duration: 60 Minutes

Lesson Overview
This lesson will provide you with information about the principles of Central User Administration, to help you decide whether to implement Central User Administration.

Lesson Objectives
After completing this lesson, you will be able to:

- Explain how the central user administration functions
- Specify the most important steps for setting up the central user administration
- Define distribution rules for user data
- Create, maintain and distribute users centrally
- Perform system comparisons for users that are not yet maintained centrally

The concept of Central User Administration is presented in this lesson.Under certain circumstances, using Central User Administration simplifiesuser administration.

To motivate the use of CUA, the trainer should clearly understand theusefulness of CUA. As part of your preparation, you should alreadyhave set up the CUA a number of times, and be familiar with the onlinedocumentation and relevant SAP Notes.

Before you can show CUA in the context of a demonstration, you must setit up. You should set up and test CUA immediately before this lesson.

What must be set up? For SAP course ADM940, there are three 8xx clientsavailable. These may even be distributed across three different trainingsystems. It is up to you which of these clients you use as the central systemand which as the child systems.

Logical system names are used by default in the training system, and are already assigned to the clients. You can view the logical system name using transaction SCC4 or using the detailed view for the data records of table T000. These names are important for the subsequent setting up of RFC connections, since each RFC connection must have exactly the same name as the logical system name of its target client.

You must next set up the required RFC connections between the 8xx training clients. You must set up a connection from the central system to each of the child systems, and a connection from each child system to the central system (child systems in the same SAP system as the central system use the loop back connection for this). It is important that you also create an RFC connection to the central system in the SAP system with the central system. This is known as the loop back connection. The communication users CUA_CENTRAL and CUA_CLIENT, which already exist, are used for the automatic logon in the relevant target clients. For technical details, such as about the communication users and their authorizations, see the other instructor notes in this lesson.

Caution: You cannot set up the CUA and RFC connections withthe normal ADM940 users that the participants use. You shoulduse your own login to do this.

Finally, the CUA is activated. To do this, call transaction SCUA. Youspecify a distribution model, such as ADM940_CUA, and assign thedesired child systems to this model. Then save. When you save, the CUAmodel is activated.

Hint: You do not necessarily have to show setting up the CUA as a demonstration, but should certainly show the creation of users and the assignment of roles. The above short description of setting up the CUA is intended for trainers who are experienced with the CUA and only need a reminder of the details, because they already know the individual steps. If you are new to the CUA topic, you should read the step-by-step installation of a CUA in course ADM102. You can order the corresponding ADM102 Instructor Guide through B2B.

Business Example
In complex system landscapes, users in multiple systems must be managed locally. These users work in different systems with different authorizations. With Central User Administration, the required management functions can be carried out centrally in one system.

Introduction to Central User Administration
In complex system landscapes with multiple systems and clients, the administration effort required to compare and update the user master records is very high. Employees join the company, leave, or change jobs within the company. Individual users usually need to access various systems and clients to perform their work, and therefore require multiple user master records.


Figure 122: Decentralized User Administration

Explain that user master records are client-dependent. Consistentmaintenance of users in complex landscapes with a large number of clientsrequires a great deal of effort. Therefore, you should implement CentralUser Administration in cases like this.

Since user master records are client-specific, they must be administered ineach client of each and every system. For example, if you want to createa new user, you must create it manually in all the clients of all the SAPsystems in which it should be valid.

User master records can be managed centrally in one client of a system. If a new client is built as a copy of another client, the new client can initially be filled with the user master records of that client. During this copy, the roles of the original client are copied together with the user master records. However, you cannot copy individual users selectively, and the user master records are not kept synchronized automatically after the copy.


Figure 123: Central User Administration

Point out that the term "central system" means a central client.

The essential feature of the Central User Administration is the definitionof a central client in a selected system. It can be used to manage the usermaster records for all the clients of the system landscape. For example,you can define which roles should be assigned to which users in whichsystems. This greatly reduces the administrative cost for authorizationadministration.

Hint: You can decide individually for each user which systems that user should be able to log on to.

Caution: Central User Administration does not mean that every user must exist in each system of the system landscape. In particular, users of the child systems do not necessarily need to exist in the central system.


You can define individually which user master record data is administered centrally and which only locally. Local administration, by the user himself or herself or by an administrator, can be useful for certain data of the user master record.

The user data is exchanged based on the ALE concept. ALE means Application Link Enabling and permits you to build and operate distributed SAP applications. It includes a business-controlled message exchange between loosely linked SAP systems. The applications are integrated by means of asynchronous communication.

Hint: In the rest of this lesson the central client will be referred to as the "central system". A "child system" is a client of an SAP system included in the Central User Administration.

Figure 124: What Can be Distributed?

A client is chosen as the central system. The user master records for otherclients are administered from this central system. The figure shows twochild systems, client 810 and client 820, which are assigned to the centralsystem client 800.


The following data can be distributed with the Central UserAdministration:

� User master record data, such as the address, logon data, userdefaults and user parameters.

� The assignment of the user to roles or profiles for each child system.The advantage of administering assignments centrally is that you nolonger need to log onto each system in order to make system-specificassignments of roles and profiles; it is all managed at one location inthe central system.

� The initial password: When you create a new user, the initial password is distributed to the child systems as a default. The passwords are distributed in encrypted form, not as plain text.

� The lock status of a user. In addition to the locks caused by incorrect logon that already existed in previous releases, or those set manually by the local administrator, there is now also a new "global lock". This applies to all of the child systems in which the user is defined and can be canceled in the central system or locally if required.

Participants often ask at this stage whether you can also administer the passwords of SAP users with Central User Administration. With the exception of the initial passwords, this is not possible. For cross-system password administration, we recommend the use of the Single Sign-On (SSO) procedure or an SAP Enterprise Portal with SSO. Customers may require encryption software from third party vendors to install SSO.

Hint: Although roles and authorization profiles can be transported, they are normally administered in the child systems and not centrally. Different Customizing settings and releases in the child systems normally make it necessary to adjust the roles individually. Therefore, Central User Administration transfers only the assignment of users to roles and profiles, but not the authorization values that are contained in the authorization profiles.


Setting Up CUA

Figure 125: ALE Setup

The following technical settings must be made to be able to use CUA:Logical ALE systems, assignment of logical systems to clients, RFCconnections with corresponding communication users and an ALEdistribution model.

Communication partners are addressed in the ALE scenario with aliases, which are called logical systems. Logical systems are defined by name in transaction SALE; menu path ALE → Sending and Receiving Systems → Logical Systems → Define Logical System. In the central system, all child systems and the central system itself are defined; in each child system, the child system itself and the central system are defined. The logical system names are assigned to the client definitions in the corresponding systems in transaction SCC4. Each logical system therefore identifies a certain client of an SAP system.

Note that the central system itself must be specified in the central system.A consequence of this is that when setting up RFC connections, a loop backRFC to the central system must be explicitly set up, which the participantsoften forget or do not understand.


Communication between the central system and the child systems at network level is performed using RFC (Remote Function Call). The technical definition of the connection is maintained in transaction SM59. All the connections to all child systems must be created in the central system, and the connection to the central system must be maintained in the child systems. The RFC connection names must be the same as the names of the logical systems. The communication must be performed using communication users with certain RFC authorizations for CUA in the relevant system.

The communication user CUA_CENTRAL in the central system is assigned the following roles: SAP_BC_USR_CUA_CENTRAL, SAP_BC_USR_CUA_CENTRAL_BDIST, and SAP_BC_USR_CUA_SETUP_CENTRAL, all assigned as copies in the customer namespace "Z*". In the child system, the communication user CUA_CLIENT is assigned the following roles (also as role copies in the namespace "Z*"): SAP_BC_USR_CUA_CLIENT and SAP_BC_USR_CUA_SETUP_CLIENT.

Hint: The communication users CUA_CENTRAL and CUA_CLIENT have both been created in the training clients. This ensures that a client can be used either as a child or as the central system. These users are required for the automatic logon in the target client; in both cases, the password is "CUA". In the case of RFC connections to the child system, user CUA_CLIENT is entered for the logon data; the CUA_CENTRAL user is used for RFC connections to the central system. A shared, trivial password is acceptable only in this isolated training landscape: in a productive landscape each communication user needs its own strong password and no roles beyond the CUA roles listed above, because these roles carry user administration authorizations.

What data is sent from where to where is defined in the ALE distribution model. User and company data is exchanged within the Central User Administration. The distribution model is created and generated in, and distributed from, transaction BD64 in the central system; in the child systems it only needs to be generated.

Central User Administration is then activated centrally in transaction SCUA.

The activation occurs when you save in transaction SCUA.
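To make the dependency between the logical system names (SCC4), the RFC destinations (SM59) and the loop back connection concrete, here is an added example in Python that is not part of the course material or of SAP's software: it models a landscape as a set of clients with their logical system names and SM59 destinations, derives which destinations each client must hold, and reports what is missing before SCUA is activated. The class and function names (SapClient, required_destinations, check_topology) and the sample landscape I20CLNT800/810/820 are constructed for the illustration.

```python
# Added illustration (not SAP code): consistency check for a CUA/ALE landscape.
# The clients, logical system names and destinations below are constructed
# sample data modelled on the ADM940 training landscape (client 800 central,
# clients 810 and 820 as child systems).
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SapClient:
    """One client of one SAP system as seen in SCC4 and SM59 (simplified model)."""
    sid: str                                   # system ID, e.g. "I20"
    client: str                                # client number, e.g. "800"
    logical_system: Optional[str]              # name assigned in SCC4, None if unassigned
    rfc_destinations: set = field(default_factory=set)  # SM59 destinations in this client


def required_destinations(central: SapClient, children: list) -> dict:
    """RFC destinations each client must hold, keyed by logical system name.

    The central client needs one destination per child plus the loop back to
    itself; each child needs exactly one destination back to the central client.
    Destination names must equal the logical system name of the target client,
    so the logical system name is used directly as the destination name."""
    req = {central.logical_system: {central.logical_system} | {c.logical_system for c in children}}
    for child in children:
        req[child.logical_system] = {central.logical_system}
    return req


def check_topology(central: SapClient, children: list) -> list:
    """Return human-readable findings; an empty list means the landscape is consistent."""
    findings = []
    members = [central] + children
    # every participating client must carry a logical system name (SCC4 / table T000)
    unassigned = [f"{c.sid}/{c.client}" for c in members if not c.logical_system]
    findings += [f"{name}: no logical system assigned in SCC4" for name in unassigned]
    names = [c.logical_system for c in members if c.logical_system]
    if len(set(names)) != len(names):
        findings.append("logical system names must be unique across the landscape")
    if findings:
        return findings  # destination names cannot be evaluated without unique logical system names
    actual = {c.logical_system: c.rfc_destinations for c in members}
    for ls, needed in required_destinations(central, children).items():
        for missing in sorted(needed - actual[ls]):
            kind = "loop back" if missing == ls else "RFC"
            findings.append(f"{ls}: missing {kind} destination {missing}")
    return findings


# Constructed landscape: the loop back in 800 and the back link from 820 were forgotten.
CENTRAL = SapClient("I20", "800", "I20CLNT800", {"I20CLNT810", "I20CLNT820"})
CHILDREN = [
    SapClient("I20", "810", "I20CLNT810", {"I20CLNT800"}),
    SapClient("I20", "820", "I20CLNT820", set()),
]

if __name__ == "__main__":
    for line in check_topology(CENTRAL, CHILDREN) or ["landscape consistent"]:
        print(line)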


You can find a detailed description of Central User Administration in Units 10 and 11 of Authorizations Made Easy 4.6 in the SAP online documentation. SAP course ADM102, "SAP Web AS Administration II", deals with the technical implementation.

Figure 126: Setup of the Central User Administration

Explain the individual distribution attributes.

"Global" simply means administration in the central system, "local" means administration in the relevant local child system.

A special note about the attribute "Everywhere". "Everywhere" does not really mean everywhere, but rather global+local, that is, administration is possible both centrally and locally.

Hint: "Everywhere" is only used for user locks. After activating CUA, there are additional buttons in transaction SU01 for global locking and unlocking of users, and for locking and unlocking users locally.


You can define whether each individual component of a user master record should be administered in the central system or locally in the child systems. This is defined within transaction SCUM in the central system. A field attribute can be defined for each input field of user maintenance transaction SU01.

� If a field of the user maintenance transaction has field attribute global, data for this field can only be maintained in the central system. The data is automatically distributed to the child systems when it is saved. Such fields are in display mode in the user maintenance transaction of the child systems, that is, you cannot change these fields.

� If you use field attribute default, a default value that is automatically distributed to the child systems when it is saved can be maintained when you create a user in the central system. After distribution, the data is only maintained locally in the child systems and is not returned to the central system.

� If you use field attribute redistribution, the data can be maintained in both the central system and the child systems. If a change is made in a child system, the data is returned to the central system and passed on from there to the other child systems.

� The field attribute local means that the data for the corresponding field can only be administered locally in the child systems. When fields of this type are changed in the central system, this data is not distributed to the child systems.

� The field attribute everywhere is used if you want to be able to change data both locally and globally. In the case of local maintenance, however, no redistribution takes place.

Caution: The attribute everywhere is only used for user locks, not for other settings in transaction SU01.
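The following added example (Python, not code from the course or from SAP) encodes the five attributes as one decision function, so that the differences, in particular between default, redistribution and everywhere, can be checked for any combination of origin system and target systems, and the list of fields that still accept input in a child system can be derived from a SCUM setting. The propagate and child_editable_fields functions and the SCUM_SAMPLE field table are assumptions for the illustration; a real SCUM setting is maintained per customer and is not reproduced here.

```python
# Added illustration (not SAP code): where does a changed SU01 field travel
# under each SCUM distribution attribute? The attribute semantics follow the
# course text; the field table is a constructed sample.
from __future__ import annotations

CENTRAL = "CENTRAL"   # stands for the central client; child systems use their logical system name


def propagate(attribute: str, origin: str, user_systems: set, creating: bool = False) -> tuple:
    """Return (allowed, receivers).

    allowed   -- whether the field may be changed in `origin` at all
    receivers -- the systems that receive the new value after saving
    user_systems is the set of systems in which the user exists (CENTRAL plus child systems)."""
    children = set(user_systems) - {CENTRAL}
    at_central = origin == CENTRAL
    if attribute == "global":
        # maintainable only centrally; child SU01 shows the field in display mode
        return (True, children) if at_central else (False, set())
    if attribute == "default":
        # distributed once as a proposal when the user is created; afterwards local only,
        # and local changes are not returned to the central system
        if at_central:
            return True, (children if creating else set())
        return True, set()
    if attribute == "redistribution":
        # maintainable on both sides; a child change goes back to central and on to the other children
        if at_central:
            return True, children
        return True, {CENTRAL} | (children - {origin})
    if attribute == "local":
        # child systems only; a central change is stored centrally but never distributed
        return True, set()
    if attribute == "everywhere":
        # central and local changes allowed (used for user locks); local changes are not redistributed
        return (True, children) if at_central else (True, set())
    raise ValueError(f"unknown SCUM attribute {attribute!r}")


# Constructed SCUM setting: SU01 field -> attribute (not an export of a real system).
SCUM_SAMPLE = {
    "address.last_name": "global",
    "logon_data.user_type": "global",
    "logon_data.user_group": "global",
    "defaults.output_device": "default",
    "defaults.logon_language": "redistribution",
    "parameters": "local",
    "lock": "everywhere",
}


def child_editable_fields(scum: dict) -> list:
    """Fields that accept input in the child systems: everything not set to 'global'."""
    return sorted(f for f, attr in scum.items() if attr != "global")


def describe_change(scum: dict, field: str, origin: str, user_systems: set, creating: bool = False) -> str:
    """One log line per change, useful when explaining a distribution log to participants."""
    allowed, receivers = propagate(scum[field], origin, user_systems, creating)
    if not allowed:
        return f"{field}: change rejected in {origin} (attribute {scum[field]}, display only)"
    return f"{field}: changed in {origin}, distributed to {sorted(receivers) or 'no other system'}"


if __name__ == "__main__":
    systems = {CENTRAL, "I20CLNT810", "I20CLNT820"}
    for field_name in SCUM_SAMPLE:
        print(describe_change(SCUM_SAMPLE, field_name, CENTRAL, systems))
        print(describe_change(SCUM_SAMPLE, field_name, "I20CLNT810", systems))
    print("editable in child systems:", child_editable_fields(SCUM_SAMPLE))
```

The one case that surprises most administrators is default: the value leaves the central system only at creation time, so a later central change is silently kept central, which the function makes visible by returning an empty receiver set.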


Integration of Existing Systems

Figure 127: Integration of Existing Systems

Discuss the two scenarios: a) If CUA is set up during the installation of the SAP systems, all users are created through the CUA from the start. b) The CUA is set up in an existing landscape. In this case, the existing users must be taken over, and possibly compared and adjusted.

How existing systems are integrated into the central user administration depends on whether the system infrastructure is a complete new installation (or the user master records are built completely anew in all existing systems), or whether the central user administration is set up at a time at which there are already users in the relevant systems that must be migrated to the central user administration.

For a new installation, all the users are newly created in the central systemand distributed by the Central User Administration. Distribution ensuresthat the user data is consistent in all systems.

If the Central User Administration is installed at a later time, the existingusers of the system infrastructure must be copied to the central system.This procedure is called migration. The user identifications copied fromthe child systems must be compared and adjusted in the central system.


Roles that were already developed and assigned to users in the old systemsmust be identified by name in the central system. Only then can the usersbe assigned centrally to roles. The old assignment between users and rolescan be copied if required.

Hint: The authorization-specific contents of the roles remain in the old systems and are still maintained there.

Figure 128: Copying User Master Records

Existing user master records are migrated to the central system with transaction SCUG in the central system. This procedure can only be performed once for each child system. "User identification" is the SAP logon name to which a combination of the first and last names is assigned.

If the user identification to be copied is not yet contained in the Central User Administration, it is entered as a new user. New users including their user master records can be copied to the central system and then maintained there.

If the user identification to be copied is already in the Central User Administration with the identical first and last names, it is entered as an identical user. Identical users can be copied to the central system. The system assignment, including the role and profile assignments valid in that child system, is recorded there.


If the user identification to be copied is already in the Central UserAdministration with a different first or last name, it is entered as a differentuser. If the name given in the central system is correct, the user can becopied.

Copying means that the settings in the central system overwrite those inthe child system. This statement applies to the following SU01 tab pages:Address, logon data, defaults, and parameters. Existing entries on othertab pages are retained, especially those under Roles and Profiles.

If the name given in the child system is correct, the first or last name must be corrected in the central system using transaction SU01. If, on the other hand, there are two different people with identical user IDs, you create a new user ID for the user in the child system, delete the old user ID in the child system, and copy the user to the central system.

The conflict of identical user IDs for different people can also be solved as follows: You create a new user ID for the user in the central system, delete the old ID in the central system and copy the user from the child system. Ultimately, both strategies have the same result. However, we assume that only important users exist in the central system and rename the user in the child system.

Transaction SCUG shows the copied users under Already central users.
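As an added illustration (Python, not code from the course or from SAP), the following models the three SCUG categories and the copy rules described above, including the recommended resolution for two different people sharing one user ID, namely renaming the user in the child system before the copy. ChildUser, CentralUser, classify and migrate are hypothetical names, and the user records are constructed sample data.

```python
# Added illustration (not SAP code): classification and copy rules of SCUG for
# one child system. Records are constructed samples; class and function names
# are assumptions for this example only.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ChildUser:
    user_id: str
    first_name: str
    last_name: str
    address: str            # stands in for the SU01 address/logon/defaults/parameters data
    roles: frozenset        # roles assigned to the user in that child system


@dataclass
class CentralUser:
    user_id: str
    first_name: str
    last_name: str
    address: str
    roles_by_system: dict = field(default_factory=dict)   # logical system -> roles valid there


def classify(central: dict, rec: ChildUser) -> str:
    """SCUG category of one child user: 'new', 'identical' or 'different'.
    The user identification is the logon name plus first and last name."""
    existing = central.get(rec.user_id)
    if existing is None:
        return "new"
    if (existing.first_name, existing.last_name) == (rec.first_name, rec.last_name):
        return "identical"
    return "different"


def migrate(central: dict, child_system: str, child_users: list, renamed_in_child: dict = None) -> dict:
    """Copy the users of one child system into the central system (SCUG runs once per child).

    central          -- central user master, user ID -> CentralUser, modified in place
    renamed_in_child -- conflicting child user ID -> new ID given to that person in the
                        child system (the resolution recommended above); such users
                        then arrive as new users
    'different' users that were not renamed are left untouched and reported so that
    the name can be corrected manually in the central system with SU01."""
    renamed_in_child = renamed_in_child or {}
    report = {"new": [], "identical": [], "different": []}
    for rec in child_users:
        if rec.user_id in renamed_in_child:
            rec = ChildUser(renamed_in_child[rec.user_id], rec.first_name, rec.last_name, rec.address, rec.roles)
        category = classify(central, rec)
        report[category].append(rec.user_id)
        if category == "new":
            # new user: the child record, including its master data, becomes the central record
            central[rec.user_id] = CentralUser(rec.user_id, rec.first_name, rec.last_name,
                                               rec.address, {child_system: rec.roles})
        elif category == "identical":
            # identical user: the central address/logon/defaults/parameters win (they overwrite
            # the child's copy on distribution); only the system assignment and the roles
            # valid in that child system are recorded centrally
            central[rec.user_id].roles_by_system[child_system] = rec.roles
    return report


# Constructed sample: central client already knows ZBVDEMO and MUELLER (Anna);
# child 820 holds a second, different person under the ID MUELLER.
CENTRAL_USERS = {
    "ZBVDEMO": CentralUser("ZBVDEMO", "Demo", "Samplename", "central address"),
    "MUELLER": CentralUser("MUELLER", "Anna", "Mueller", "central address"),
}
CHILD_820 = [
    ChildUser("ZBVDEMO", "Demo", "Samplename", "child address", frozenset({"ADM940_ZBV_DEMO"})),
    ChildUser("NEWUSER", "New", "User", "child address", frozenset({"ADM940_USER"})),
    ChildUser("MUELLER", "Bernd", "Mueller", "child address", frozenset({"ADM940_DISPLAY"})),
]

if __name__ == "__main__":
    print(migrate(CENTRAL_USERS, "I20CLNT820", CHILD_820))
    print(migrate({"MUELLER": CentralUser("MUELLER", "Anna", "Mueller", "c")}, "I20CLNT820",
                  CHILD_820, renamed_in_child={"MUELLER": "MUELLER2"}))
```

The first run leaves MUELLER in the "different" bucket and does not touch the central record, which is the safe behaviour: a silent merge here would hand Bernd's child roles to Anna's central identity. The second run shows the recommended fix, where the renamed child user arrives as a new user with its own record.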


Central User Maintenance

Figure 129: Central User Maintenance

After activating Central User Administration, the appearance of user maintenance transaction SU01 changes.

An additional tab Systems, under which the logical systems to which the user is distributed are entered, appears in the central system. The user is only known in these child systems and in the central system. The column Systems also appears on the Roles and Profiles tab pages. You can therefore define the assignment of users to roles and profiles individually for each child system. The data is distributed to the appropriate child systems when you Save.

Existing roles are still maintained and new roles are still built in the child systems. To be able to assign users in the central system the roles and profiles defined in the child system, there is the Text comparison button in the Roles and Profiles tab pages in the central system. The names of the roles and profiles defined in the child systems are stored in the central system together with their short texts. The names of the roles and profiles are available in the central system in the value help (F4 help). Since the information in the child systems might change, you should occasionally repeat the text comparison.

Only the fields of SU01 for which the field attributes were not defined as "global" accept input in the child systems. It is not possible to create or copy users in the child systems.


You can also no longer assign roles to users in the Profile Generator ofthe child system.


Exercise 13: Working with Central User Administration
Exercise Duration: 30 Minutes

Exercise Objectives
After completing this exercise, you will be able to:
- Set up new users
- Check the settings for Central User Administration (CUA)

Business Example
As an administrator, you are to create users with Central User Administration.

System Data
System: These SAP systems change weekly. Training administration will provide you with the exact ID of your SAP R/3 Enterprise system.
Client: The training courses are held in the 8xx clients; training administration will provide you with the exact numbers. One of the clients is set up as the central system.
User ID: The following CUA-specific dialog users are available in the training clients: ADM940, ZBVADMIN, and ZBVDEMO; the initial password in all three cases is init. The course participants set up additional users ZBVADMIN-## and ZBVDEMO-## before they start the exercise. The communication users CUA_CENTRAL and CUA_CLIENT also exist in the training clients.
Password: Newly created users should be assigned the password INIT.


Set up instructions: The following CUA-specific user roles and authorization profiles are required.

1. Role ADM940_BC_ADMIN with profile ADM94_BC_A. The role has a menu.
2. Role ADM940_DEMO_MENU with no generated profile, but with a menu.
3. Role ADM940_DEMO_R3 with the generated profile T-* and a menu.
4. Role ADM940_DISPLAY with the profile ADM94_DISP. No menu.
5. Role ADM940_PLUS with the profile ADM94_PLUS. No menu.
6. Role ADM940_SD_SALES with the profile ADM940_SD_A. This role has a menu.
7. Role ADM940_USER with the profile ADM940_TRAI. No menu.
8. Since the roles and authorizations are too extensive to describe here in detail, see training system I20 and view the roles there.

Task 1: User Administration with the CUA

If the user ADM940-## was created in the central system, you can usethis user to create the DEMO user ZBVDEMO-##. If, on the other hand,the course participants are working in a child client, a ZBVADMIN-## usershould be created in the central system for each participant group.

Use the user ZBVDEMO as a template to create your own userZBVDEMO-##.

1. Create the user ZBVDEMO-## in the child system. Use the last name "Samplename" and the initial password "init". Check the user group; this user must be entered in the group "Training". Assign role ADM940_ZBV_DEMO to your new user and save the settings.

Hint: All systems that you have entered on the Roles tab pageare automatically entered on the Systems tab page. You do notneed to enter them there separately.

2. Use the distribution log to check whether the new user was correctlycreated in the child system.


Task 2: Test the Newly Created User
Check the settings for the new user in the system.

1. Log on to the relevant child system as user ZBVDEMO-##, and edit the relevant user master record with transaction SU01. What do you notice on the initial screen of the transaction?

2. Why can you not edit some fields, although you are in change mode?

Task 3: CUA Settings
Check the CUA settings in the central system.

If the ADM940-## users exist in the child system, another user,ZBVADMIN-## must be set up for the participants for a login to the centralsystem.

1. Check whether the logical systems that your trainer lists are entered.

2. Check whether the logical systems have been assigned to the clientsin the current system.

3. Check the RFC destinations that connect the central and childsystems. What are the names of the RFC destinations?

4. Check the ALE distribution model. Which model is used for the CUA?

5. Check the distribution parameters for the fields. Which fields can bechanged in child systems?


Solution 13: Working with Central User Administration
Task 1: User Administration with the CUA

If the user ADM940-## was created in the central system, you can use this user to create the DEMO user ZBVDEMO-##. If, on the other hand, the course participants are working in a child client, a ZBVADMIN-## user should be created in the central system for each participant group.

Use the user ZBVDEMO as a template to create your own user ZBVDEMO-##.

1. Create the user ZBVDEMO-## in the child system. Use the last name "Samplename" and the initial password "init". Check the user group; this user must be entered in the group "Training". Assign role ADM940_ZBV_DEMO to your new user and save the settings.

Hint: All systems that you have entered on the Roles tab page are automatically entered on the Systems tab page. You do not need to enter them there separately.

a) Choose Tools → Administration → User Maintenance → User or call transaction SU01. Create the user ZBVDEMO-##. On the Address tab page, enter the last name "Samplename"; on the Logon data tab page, enter the initial password "init" and check the user group. On the Roles tab page, perform a Text comparison from child sys. so that the F4 help in the central system is updated. After the text comparison has been successfully completed, first enter the child system on the Roles tab page and then choose role "ADM940_ZBV_DEMO".

2. Use the distribution log to check whether the new user was correctlycreated in the child system.

a) You can call the distribution log in various ways: In transaction SU01, choose Environment → Distribution Log, or choose Tools → Administration → User Maintenance → Central User Administration → Log Display (transaction SCUL). Choose the User button and view the receiving system for user ZBVDEMO-##. The child system should be displayed here. If you select the receiving system, you can then choose the glasses icon to display the relevant user master record directly. If an error occurred during distribution or it was incomplete, choose Resend User.


Task 2: Test the Newly Created User
Check the settings for the new user in the system.

1. Log on to the relevant child system as user ZBVDEMO-##, and edit the relevant user master record with transaction SU01. What do you notice on the initial screen of the transaction?

a) The initial password is "init". On the initial screen of SU01 in the child system, the buttons to Create and Copy users are missing.

2. Why can you not edit some fields, although you are in change mode?

a) The fields that cannot be changed are set in such a way that they can only be maintained in the central system.

Task 3: CUA Settings
Check the CUA settings in the central system.

If the ADM940-## users exist in the child system, another user,ZBVADMIN-## must be set up for the participants for a login to the centralsystem.

1. Check whether the logical systems that your trainer lists are entered.

a) Call transaction SALE. Choose Sending and Receiving Systems → Logical Systems → Define Logical System. Confirm a dialog box with the Continue button.

2. Check whether the logical systems have been assigned to the clients in the current system.

a) Call transaction SALE. Choose Sending and Receiving Systems → Logical Systems → Assign Client to Logical System. Confirm a dialog box with the Continue button. Select the clients in question and show the detailed display (Details button). There should be an entry in the Logical System field.

3. Check the RFC destinations that connect the central and child systems. What are the names of the RFC destinations?

a) Call transaction SALE. Choose Sending and Receiving Systems → Systems in Network → Define Target Systems for RFC Calls or start transaction SM59. View the SAP R/3 connections. The RFC destinations have the same names as the logical systems to which they connect.


4. Check the ALE distribution model. Which model is used for the CUA?

a) Call transaction SALE. Choose Modeling and Implementing Business Processes → Predefined ALE Business Processes → Cross-Application Business Processes → Central User Administration → Select Model View for Central User Administration, or start transaction SCUA. The system displays the model view used.

5. Check the distribution parameters for the fields. Which fields can be changed in child systems?

a) Call transaction SALE. Choose Modeling and Implementing Business Processes → Predefined ALE Business Processes → Cross-Application Business Processes → Central User Administration → Set Distribution Parameters for Fields, or start transaction SCUM. All parameters that are not set to global can be changed in the child system.


Lesson Summary

You should now be able to:
- Explain how the central user administration functions
- Specify the most important steps for setting up the central user administration
- Define distribution rules for user data
- Create, maintain and distribute users centrally
- Perform system comparisons for users that are not yet maintained centrally


Unit Summary
You should now be able to:
- Create organizational units in HR Organizational Management
- Link roles with the organizational plan objects
- Link users with the organizational plan objects
- Perform a comparison of the indirect role and user assignments
- Compare user master records
- Assign roles for a specific period of time
- Explain how the central user administration functions
- Specify the most important steps for setting up the central user administration
- Define distribution rules for user data
- Create, maintain and distribute users centrally
- Perform system comparisons for users that are not yet maintained centrally


Test Your Knowledge

1. What is Central User Administration used for?
Choose the correct answer(s).
□ A To administer passwords for SAP users centrally
□ B To maintain printer landscapes centrally
□ C To administer user master records centrally
□ D To create authorization profiles centrally


320Answers

1. What is Central User Administration used for?

Answer: C

For answer A) There is essentially no central password administration in SAP systems.
For B) Printer landscapes are not maintained with CUA.
For C) CUA is used to administer user master records.
For D) No profiles are created centrally with CUA.

Unit 8: Use of Enterprise Portals

This unit is new in ADM940 and replaces the Workplace unit of the previous course CA940. It provides a short introduction to the mySAP Enterprise Portal solution and a lesson about the security issues in the portal environment.

The issues dealt with are largely independent of the portal release (EP 5.0 or EP 6.0). When this unit was created, EP 6.0 was in its ramp-up process. As far as possible, new developments for EP 6.0 have been included. Use the sources listed below to obtain more up-to-date information.

Unit Overview
More and more SAP solutions work with, or work exclusively in connection with, the SAP Enterprise Portal. The following two lessons should clarify the extent to which the authorization concepts of the SAP system and of the portal environment fit together.

There is first a general introduction to the mySAP Enterprise Portal solution, followed by a lesson focusing on security issues.

Unit Objectives
After completing this unit, you will be able to:

• Specify reasons for implementing enterprise portals
• Cite navigation and personalization options
• Describe the core functions of the mySAP Enterprise Portal solution
• List security functions of the SAP Enterprise Portal
• Describe the options for exchanging roles

Unit Contents
Lesson: Introduction to the mySAP Enterprise Portal Solution ... 382
Lesson: Security Issues for the SAP Enterprise Portal ... 401


Lesson: Introduction to the mySAP Enterprise Portal Solution
Lesson Duration: 20 Minutes

Lesson Overview
The mySAP Enterprise Portal solution gives you access to all relevant data over a service-friendly interface. It also allows you to convert structured and unstructured information into concrete knowledge. mySAP Enterprise Portal brings together information from SAP and non-SAP systems, data warehouses, and desktop documents, as well as Web content and services, on a central, unified platform.

This lesson provides an introduction to enterprise portals, and demonstrates the advantages of the SAP solution.

Lesson Objectives
After completing this lesson, you will be able to:

• Specify reasons for implementing enterprise portals
• Cite navigation and personalization options
• Describe the core functions of the mySAP Enterprise Portal solution

The SAP Enterprise Portal (name of the software component) is an important part of SAP NetWeaver. It contains People Integration as well as Information Integration in the form of Knowledge Management (KM).

Customers can license mySAP Enterprise Portal (name of the solution) individually; typically, however, the portal is used to access information, applications, and services that other solutions (SAP or non-SAP) provide. Examples: Employee Self-Services (ESS) in the context of mySAP Human Resources, or Web-based analysis functions in the context of mySAP Business Intelligence. To put it another way: sooner or later, every SAP customer comes into contact with the SAP Enterprise Portal.

To differentiate between mySAP Enterprise Portal and SAP Enterprise Portal (status: October 2003): mySAP Enterprise Portal is the solution and includes the technology and content. The SAP Enterprise Portal is purely a technology component and is part of SAP NetWeaver. This positioning may change in the future.

Describe the significant functions and unique selling points, without becoming caught up in details. There is no exercise proposed for this lesson, but a short demonstration would be desirable. The user interface really is very intuitive and usually convinces customers more than warm words.


For more information (some of it internal), see:

• Information about the product under the SAPNet Alias /ep
• The documentation under http://help.sap.com/ep
• Information about the development organization under the SAPNet Alias /gbuip
• Information about training under the SAPNet Alias /epf-ep
• SAP course SAPEP (and other advanced courses)

Note: About the history of mySAP Enterprise Portal: The predecessor solution from SAP was the mySAP Workplace. In 2001, SAP bought the Israeli/American company TopTier, which offered its own portal products (Enterprise Information Portal [EIP], Enterprise Unification Portal [EUP]) and with which SAP had been working in the area of unification for some time. Initially, the SAP department (Business Intelligence and Workplace), TopTier, and the German company eSAP were combined to create the SAP subsidiary SAP Portals. In 2002, this was integrated into SAP as the GBU Integration Platform (GBU IP).

Business Example
You are a sales manager who needs access to various SAP and non-SAP systems for your daily work. Some of the information, applications, and services that you need come from external sources outside of your company. This may include customer information or travel information. You also need to collaborate regularly with other sales employees at different locations.

As you often travel for business reasons, you would like an intuitive, serviceable interface that you can use to complete your work effectively from any Internet terminal (with Web browser) using single sign-on.


Motivation Behind Enterprise Portals
In today's e-business world, companies often have extremely complex IT landscapes. This includes information, applications, and services.

• Traditionally, information stored in application systems such as CRM, ERP (SAP R/3 Enterprise) and legacy applications has only been accessible within the context of the system in question. If this data is made available outside of the individual applications, the efficiency of the user is increased.

• An increasing amount of complex information makes it more and more difficult for users to find the data and reports in data warehouses that they need to help them make their decisions.

• The Web has become one of the most important sources of information for employees. One of today's challenges is to replace traditional methods of accessing and using Web information with the intelligent integration of intranets and the Internet into other enterprise systems.

• Managing, maintaining, and searching for texts, e-mails, CAD drawings, and other unstructured data can be extremely time-consuming.

Figure 130: The Challenge: Complex System Landscapes


Users need access to all these things in order to do their work. This is normally realized using special programs on the desktop that involve logging on several times. One of the main aims of an enterprise portal is facilitating and accelerating access to information, applications, and services. The target group does not have to be limited to employees of one particular company. You can use external portals to reach partners, customers, or other interested parties.

Core statement: An enterprise portal does not abolish the system complexity, but rather combines the different interfaces for users at a "single point of access". You must not confuse this topic with system integration at process level (Process Integration, SAP Exchange Infrastructure).

Features of the mySAP Enterprise Portal Solution

Figure 131: The Solution: mySAP Enterprise Portal


SAP has many years of experience as a portal provider. SAP Enterprise Portal is a new-generation enterprise portal. This solution enables the following:

• The integration of all kinds of company data and applications, as well as the opportunity to control heterogeneous IT landscapes
• The optimal use of open standards for securing existing investments
• The conversion of unstructured information into concrete knowledge, and cross-company collaboration
• The provision of enterprise portal content for users according to their particular role within the company

Figure 132: Gains from mySAP Enterprise Portal

The mySAP Enterprise Portal solution includes the software component SAP Enterprise Portal as well as predefined portal content. The first delivery (also known as "ramp-up" start) of SAP Enterprise Portal 5.0 took place in October 2001. SAP Enterprise Portal 6.0 was first delivered in November 2002.

Some technical aspects of the software component SAP Enterprise Portal: The core functions are written in Java; a J2EE runtime environment is required, as provided by SAP with the SAP J2EE Engine. The architecture is completely open. SOAP, UDDI, JCA, JAAS, LDAP, X.509, XML, and ICE are supported. The portal has efficient security functions including the full support of directory services, digital certificates, and the SSL (Secure Sockets Layer) protocol. The portal is highly scalable and can therefore accommodate a large number of users. Mobile devices are also supported by the portal (giving independence of time and place).


Figure 133: SAP Enterprise Portal and SAP NetWeaver

SAP Enterprise Portal is an important component of the integration and application platform SAP NetWeaver. It contains People Integration as well as Information Integration in the form of Knowledge Management (KM).


User Interface: Navigation and Personalization
Users typically access the portal using a Web browser. Users only need to log on once in this case, because single sign-on takes care of logging on to other systems. In the standard delivery (which can easily be modified in line with customer requirements), the browser window is divided into the following three areas:

• The header area is the initial point of entry. It consists of the masthead and top-level navigation bar.

The masthead normally displays the company logo, the name of the current user, and links to functions such as personalization, help, or logging off. The top-level navigation bar consists of tabs that depict the first two levels of the portal hierarchy.

• Users can access deeper levels in the hierarchy in the navigation panel, using detailed navigation. This is similar to the SAP Easy Access Menu in SAP systems.

Depending on the context, other areas may be displayed in the navigation panel, providing Drag&Relate targets or related links.

• When users call up a particular portal hierarchy, the content area (the actual interface for working) changes appropriately. A page with several iViews or a whole-page iView appears.

Technically, an iView is a small program that calls up information from an information source and displays it in the content area of the portal. You can consider the portal to be a "personal toolbox" that contains all necessary tools (in the form of iViews).


Figure 134: User Interface

The portal gives users many opportunities for personalization:

• Administrators can use Portal Administration to define the content assigned to particular roles within a company. Belonging to a role in the portal also decides how this content is displayed on the user's front end, and how the user navigates within it.

• If permitted by the portal administration, users can place role-based content in the portal themselves. This includes setting the layout of individual pages and selecting and assigning iViews.

• When users log on, the portal analyzes the language setting made for the browser being used. However, users can override this value if they wish to do so. The Platform Availability Matrix (PAM) includes a list of supported Web browsers and languages. You can find the PAM for each release of SAP Enterprise Portal in the SAP Service Marketplace using the alias /ep.

• Users can select a portal design that controls properties such as font size, color, and background images. SAP delivers several designs, including one with optimal contrast for display using a projector. Portal administrators can use tools to determine the overall look and feel of the enterprise portal. This includes a user-friendly, role-based navigation structure as well as the use of the corporate identity of the company in question.


This lesson is stored in the "standard folder" in the Knowledge Warehouse and is included in a large number of courses. If a portal is available in the system setup for your course, you should, of course, also demonstrate it.

If not, here is a suggestion: The author of this lesson maintains a document in SAPNet with various SAP-internal and external portals that allow a demo. The path to it (status: October 2003) is through SAPNet, alias /epf-ep, and then Additional Material (on the right under Quick Links) → Demosystems for mySAP Enterprise Portal.

The demonstration portals that the IDES group operates at demo.sap.com (can be called from the SAP intranet or using a SecurID card) are especially important. There are predefined users and scenarios there (with a description; see IDES Demo Database, also available through SAPNet, alias /ides). You should perform at least one demonstration here (perhaps from an application that you know especially well). Theoretically, participants from the course can also log on from the training room; however, due to the shared user, unusual results can occur, for example for personalization.

Caution: The IDES demo portals, in particular, can change at any time, for example due to the import of Support Packages or due to upgrades. You should therefore test the demonstration immediately before performing it for the participants.

Business Packages
While your competitors are busy programming their enterprise portals, you can already be working productively with mySAP Enterprise Portal. This is because mySAP Enterprise Portal uses business packages to deliver predefined portal content that allows you to fulfill task- and industry-specific requirements. Business packages contain numerous iViews that deliver transactions, reports, documents, and so on from the IT systems in your company. Business packages speed up the implementation of your enterprise portal, increase productivity, and lead to a faster return on investment.


Figure 135: Business Packages Deliver Predefined Portal Content

Business packages are divided into the following three groups in order to meet the requirements of users, managers, and specialists as well as possible.

• Business packages for users cover all tasks that all enterprise portal users can carry out regardless of their role in the company. They help beginners to become familiar with the enterprise portal environment as quickly as possible, thereby making users feel at ease with the portal. The content of these business packages includes e-mails, task lists, calendar, travel cost reclamation, managing benefits, employee self-services, e-learning, and searching employee directories.

• Business packages for managers allow decision makers to carry out analyses efficiently in order to gain relevant information. They also provide tools that allow managers to plan and manage their staff and budget. Departmental heads, team managers and project leaders can thereby reduce the amount of time they spend on administrative issues so that they can concentrate on strategic tasks.

• Business packages for specialists target the needs of experts in accounting, sales, marketing, and production. They deliver strategic tools, analytical reports, and timely warnings that allow experts to react quickly and appropriately using the correct information. They allow experts to obtain consistent, precise, and up-to-date information from numerous sources.


Figure 136: www.iViewStudio.com: Portal Content and More

SAP operates the iViewStudio, a central marketplace for portal content, at www.iViewStudio.com. The content catalog contains information on the current choice of portal content. SAP provides this content, sorted into groups aimed at particular users, in the form of business packages. Registered users can download these packages from the iViewStudio and integrate them into SAP Enterprise Portal. Business packages allow you to build portals "out-of-the-box" without needing additional development. They consist of preconfigured portal content geared to certain user profiles: role-based functions and processes, which are available to all users along the entire value creation chain. They cover a large amount of the content needed for a particular task.

One area is aimed at developers of portal content. The Portal Development Kit (PDK) is a tool for creating iViews. SAP provides the following variants as free downloads:

• PDK for Java: Development in Java with the SAP J2EE Engine
• PDK for WebSphere: Development in Java with IBM WebSphere
• PDK for .NET: Development in the Microsoft .NET framework

The PDK contains documentation, examples, and templates, as well as a test environment and wizards for creating iViews. It also provides developers with technical content, an area for FAQs, and a discussion forum.

SAP enables customers and partners to create their own interfaces by using open interfaces and providing tools. Partners can use the iViewStudio to make their content developments available to interested users.


In addition to registration (for which a customer number and portal license are required, unlike for downloading the PDK), the customer must have licensed the associated mySAP solution to use Business Packages productively.

Call www.iViewStudio.com in the Web browser (displaying only does not require registration). Show some business packages in the Content Catalog area. There is a detailed view for each business package (More Information), which provides exact information about system requirements, a list of the iViews contained, links to documentation, and (frequently) example screenshots. A list of all available iViews is also provided as a Microsoft Excel file directly in the Content Catalog.

The PDK for .NET is currently (status: October 2003) still in development, and should be available at the end of 2003.

Knowledge Management
Knowledge Management (KM) is a central component of SAP Enterprise Portal. An open architecture allows unstructured content from various sources to be gathered together and presented to users logically and clearly. The following areas belong to KM:

• Content Management: Supports the entire lifecycle of documents, for example Creation → Approval → Publication → Search for documents → Reading documents → Comments → Archiving documents.

• Retrieval & Classification (TREX): Full-text search and automatic classification of documents (for instance, in the form of a hierarchy such as End User Documentation → Employee Self Service → Vacation Request).


Figure 137: Integrated Knowledge Management

Users access documents using a user-friendly, modifiable user interface. The physical location of documents is not relevant. Content Management uses a range of connectors (repository managers) that are responsible for connecting up the various data sources used. Supported products and protocols include SAP Knowledge Warehouse (SAP KW), SAP CRM (for example, for brochures), file servers, Web servers, WebDAV servers, XML documents, groupware products such as Microsoft Exchange and Lotus Notes, and document management products provided by third parties such as Documentum.

Core statement: With the SAP Enterprise Portal, the customer automatically receives the Knowledge Management component at no extra cost (technically an optional additional installation). The documents stored in different locations remain there physically, but can be accessed through a uniform and customizable interface.


If you cannot imagine KM, simply think about the SAP-internal SAPNet. Although this is not (yet) based on the KM of the portal, the functions (checking in documents, making pages available to certain target groups, notification of changes, feedback to the author, search functions) are certainly comparable.

Note: Other products are available in the SAP environment under the keyword "Knowledge Management". These do not (directly) have anything to do with the portal. For more information, see the SAPNet Alias /km.

Collaboration
Collaboration is more important than ever in the current climate. Companies are more likely to have geographically distributed employees and close integration with partners at all levels. mySAP Enterprise Portal provides a comprehensive and flexible environment that users and teams can access according to their needs.

Figure 138: Tools for Effective Collaboration


The following tools and services belong to the component Collaboration with SAP NetWeaver. This component builds on the Knowledge Management component of the portal.

• You can use Collaboration Room to define virtual work areas for teams, work groups, or communities. Templates help you with this. All members of a project have access to selected content within their "room" regardless of time or location.

• Real-Time Collaboration provides services for interactive online meetings. Portal users can use Application Sharing to share individual iViews, entire applications, or their entire desktop with other portal users at remote locations. This enables remote presentations, software demos, and IT support for users or training.

You can also use the Real-Time Collaboration services Instant Messaging (to exchange brief messages with other portal users) and Chat (to communicate with several other users online).

• Even collaboration products from third parties can be integrated seamlessly into SAP Enterprise Portal, either using groupware services (such as Microsoft Exchange or IBM Lotus Domino), or the Synchronous Collaboration Framework (SCF) (such as WebEx or Lotus Web Conferencing).

• The Collaboration Launch Pad allows users quick access to all Collaboration services. The launch pad can be called up from the portal masthead at any time.

Additional remark: Customers must license the tools combined as "Collaboration with SAP NetWeaver" separately; that is, they are not part of the mySAP Enterprise Portal license. For more details, refer customers to their sales contact.

This component was previously known as "Collaboration for mySAP Enterprise Portal". For more information about its components and the current naming, see the SAPNet alias /collaboration.

Unification
Products tend to be more similar to one another these days. But is this also true for enterprise portals? Not at all, because whilst many enterprise portals simply display applications next to one another in a portal window, mySAP Enterprise Portal overcomes integration barriers and enables a central point of access to different applications.


Figure 139: Drag&Relate Across System Borders

Innovative integration and navigation functions bring users the following advantages:

• The virtual grouping of data and information stored in different systems, applications, and information sources allows activities to be carried out across system borders.

• Tasks can be carried out more quickly because objects are positioned according to "logical relationships". Example: For more information about a customer order that has not yet been delivered, you can click on the customer order number and drag it onto the order component. Result: the sales order is displayed.

This process omits unnecessary steps: If you want to display a delivery status, you no longer have to call up a Web browser, enter the Internet address of the carrier, log on to the Web site, and then enter the customer order data. You can now do all the above in one step.

• Search times are decreased and repetitive steps are eliminated. For example, you do not have to search for the customer order number and enter the sales information again. Unification consists of a competitive, patented technology (Drag&Relate) that realizes the front-end integration of heterogeneous back-end applications.

Core statement: Unification is a unique selling point of the SAP solution.

Additional remark: Customers must license Drag&Relate with non-SAP applications separately; that is, it is not part of the mySAP Enterprise Portal license. For more details, refer customers to their sales contact.


Summary
The mySAP Enterprise Portal solution offers a central point of entry to all applications, Business Intelligence functions, documents, and Web services in a company. Users are central players. They can use information from different sources and collaborate with one another inside and outside the company. Each portal is organized so that an optimal working environment for quickly realizing business opportunities and solving problems is created. This guarantees an extensive provision of predefined content, business packages, a fast implementation, and a higher return on investment than for comparable products. This makes the portal into a user-oriented platform for companies and their business partners.


Facilitated Discussion
The participants should take away from the discussion the fact that no company can avoid the topic of enterprise portals.

Discussion Questions
Use the following questions to engage the participants in the discussion. Feel free to use your own additional questions.

• Who uses an enterprise portal?
• Does anyone already use SAP Enterprise Portal?
• Which customers are planning an implementation?

In almost every (large) company, there is an intranet with information and services for employees, and they often also have information and services for external users. In this way, these companies also operate one or more "portals".


Lesson Summary

You should now be able to:
• Specify reasons for implementing enterprise portals
• Cite navigation and personalization options
• Describe the core functions of the mySAP Enterprise Portal solution

Related Information

• Public information on the mySAP Enterprise Portal solution: http://www.sap.com/ep

• Information for customers and partners on the SAP Service Marketplace: http://service.sap.com/ep

• Documentation in SAP Help Portal (under SAP NetWeaver): http://help.sap.com

• Business packages and content for developers and content partners: http://www.iViewStudio.com

• Training information on the mySAP Enterprise Portal solution: http://www.sap.com/education

The Web pages mentioned provide current information on the entire mySAP Enterprise Portal solution. You need a user in order to access the SAP Service Marketplace (previously called an OSS or SAPNet user). The iViewStudio is available for general use. However, you need to be registered as a user in order to use some functions, such as downloading business packages.


Lesson: Security Issues for the SAP Enterprise Portal
Lesson Duration: 15 Minutes

Lesson Overview
The SAP Enterprise Portal has powerful security functions. This lesson will provide you with an overview of them and pay particular attention to the exchange of roles with SAP systems.

Lesson Objectives
After completing this lesson, you will be able to:

• List security functions of the SAP Enterprise Portal
• Describe the options for exchanging roles

Do not become bogged down in the individual protocols and standards. The core statement is "SAP Enterprise Portal is secure and provides a large number of security functions". Focus on the exchange of roles between the portal and SAP systems.

Caution: This lesson was created during the ramp-up for SAP Enterprise Portal 6.0 and generally relates to this release. Not all of the listed methods apply fully for SAP Enterprise Portal 5.0.

Business Example
As an administrator, you want to allow the employees in your company to access the systems of a mySAP Business Suite landscape using the SAP Enterprise Portal without a renewed logon being required (Single Sign-On). There are roles in the SAP systems that are to be used for the portal.

Overview of the Security Functions
The mySAP Enterprise Portal ensures that important enterprise data is protected, using proven technologies and supporting open standards.


Figure 140: Security Issues in the Portal Environment

User Administration
The user master records for the portal users are stored in a directory, which can be a directory service (Directory Server connected using the LDAP protocol), or (as of SAP Enterprise Portal 6.0) the portal database, or an SAP system (with SAP Web AS 6.20 or higher). This directory (more than one can be operated simultaneously) contains the following information:

• (Portal) users
• (Portal) groups
• Assignment of users to groups
• Assignment of users and/or groups to (portal) roles

Hint: These groups are not the same as the user groups in the SAP system.

For a list of the supported storage locations for the portal user directory, see the SAP Service Marketplace, under the Quick Link /pam60. You can use the Replication Manager to replicate newly created or changed portal users in external systems.


Powerful iViews are available to the administrator for user administration. The administrator can also easily define the rules for the password policy using an iView. Finally, the SAP Enterprise Portal provides logging of security-relevant information, such as a user logon, or the approval of a newly created user (after self-registration).

Figure 141: User Administration

Authentication
The authentication (user logon) with the SAP Enterprise Portal can be performed with a predefined user ("anonymous" users, for example, for public portals), by self-registration, by entering a user and password, or using digital certificates. The digital certificates must meet the X.509v3 standard, and can be issued by the free SAP Trust Center Service (see Quick Link /tcs on the SAP Service Marketplace), by a company-internal Public Key Infrastructure (PKI), or by an external PKI.

Portal logon using technology from third-party vendors is also supported(use of the Microsoft Windows logon, Web Access Management (WAM)products, or using the open JAAS interface). For more informationabout the Java Authentication and Authorization Service (JAAS), seehttp://java.sun.com/products/jaas.

Single Sign-On (SSO)Due to Single Sign-On, a single logon to the enterprise portal is sufficient.You therefore no longer need to identify yourself every time you accessanother application through the portal. This increases user efficiency andsatisfaction.


Once the user has logged on successfully, the SAP Enterprise Portal issues the user with an SAP Logon Ticket. This represents the user's credentials (user-specific, security-related information), and is technically stored as a temporary cookie in the user's Web browser. The logon ticket contains information about:

• User ID
• Logon procedure
• Validity period
• Issuing portal system
• Signature of the portal system

It does not contain any passwords, is signed by the portal server to protect against misuse, and should be protected by the SSL protocol when it is transported.

The logon ticket is used both to access SAP systems (requires a trust relationship with the issuing portal and the user IDs to be identical) and for non-SAP systems (optionally using Web server filters or user-programmed queries).

Note: Different user IDs for the portal and in the SAP or non-SAP system can be implemented in the SAP Enterprise Portal using user mapping. The assignment can be made either by the portal administrator or by the individual users.
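The following is a simplified model of the logon-ticket flow just described, added here as an illustration; it is not SAP's code and not the real ticket format. The portal issues a signed ticket that carries exactly the fields listed above and no password; a receiving system accepts the ticket only if it trusts the issuing portal, the signature verifies, the validity period holds, and the portal user ID either exists locally or is covered by a user mapping. The system IDs, user IDs and the HMAC key are constructed for the example; the real ticket is signed with the portal server's key pair, for which the keyed HMAC stands in so the example runs with the standard library alone.

```python
"""Simplified model of the SAP Logon Ticket flow (illustration, not SAP code)."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed issuer identity and key. In the real product a back-end system
# trusts the portal by importing the portal's certificate; the shared key
# here models that trust relationship.
PORTAL_SYSTEM_ID = "EP6"
PORTAL_KEY = b"constructed-portal-signing-key"


def issue_ticket(user_id: str, logon_procedure: str, validity_seconds: int,
                 now: Optional[float] = None) -> str:
    """Portal side: build the ticket payload and sign it.

    The payload carries only the fields the lesson lists (user ID, logon
    procedure, validity period, issuing system); the password is never part of it.
    """
    now = time.time() if now is None else now
    payload = {
        "user": user_id,
        "logon_procedure": logon_procedure,   # e.g. "password" or "X.509"
        "not_before": int(now),
        "not_after": int(now) + validity_seconds,
        "issuer": PORTAL_SYSTEM_ID,
    }
    body = json.dumps(payload, sort_keys=True).encode()
    signature = hmac.new(PORTAL_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + signature


def ticket_fields(ticket: str) -> dict:
    """Decode the payload without verifying it (for inspection only)."""
    return json.loads(bytes.fromhex(ticket.split(".", 1)[0]))


@dataclass
class BackendSystem:
    """A receiving SAP or non-SAP system that evaluates the ticket."""
    system_id: str
    trusted_issuers: Dict[str, bytes]   # issuer system ID -> verification key
    user_mapping: Dict[str, str]        # portal user ID -> local user ID
    local_users: Set[str]

    def accept_ticket(self, ticket: str, now: Optional[float] = None) -> Optional[str]:
        """Return the local user ID to log on, or None if the ticket is rejected."""
        now = time.time() if now is None else now
        try:
            body_hex, signature = ticket.split(".", 1)
            body = bytes.fromhex(body_hex)
            payload = json.loads(body)
        except (ValueError, UnicodeDecodeError):
            return None                                  # malformed ticket
        key = self.trusted_issuers.get(payload.get("issuer"))
        if key is None:
            return None                                  # no trust relationship with the issuer
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None                                  # altered or forged ticket
        if not payload["not_before"] <= now <= payload["not_after"]:
            return None                                  # outside the validity period
        # Identical user IDs are accepted directly; otherwise user mapping applies.
        local_user = self.user_mapping.get(payload["user"], payload["user"])
        return local_user if local_user in self.local_users else None


if __name__ == "__main__":
    prd = BackendSystem("PRD", {PORTAL_SYSTEM_ID: PORTAL_KEY},
                        {"JONES": "JSMITH"}, {"MILLER", "JSMITH"})
    ticket = issue_ticket("MILLER", "password", 3600)
    print(ticket_fields(ticket))
    print("PRD logs on:", prd.accept_ticket(ticket))
```

The mapping lookup is what makes the "different user IDs" case in the note above work: a portal user JONES logs on to the back end as JSMITH without a second password prompt, while an unmapped, unknown user is refused even with a valid ticket.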

Figure 142: Single Sign-On (SSO)


Communication and Network Security

The SAP Enterprise Portal is scalable (can run on one or more servers) and can therefore be adapted to different workload situations and be embedded in the existing network topology. There are different requirements for a portal that is to be accessible over the Internet than for a portal used purely for an intranet.

Established security protocols for data exchange (such as HTTP, SNC) prevent unauthorized persons from obtaining access to the transferred information.

Figure 143: Network Architecture

Portal Content

The assignment of roles in the portal determines the content that a user can access. As of SAP Enterprise Portal 6.0, delegated administration makes it possible to specify who can process which portal objects (such as iViews or roles). In large companies, you can specify multiple content administrators, each of whom is responsible only for their own area.

All portal objects are stored in a structured way in the portal catalog, and can be processed with a central tool, the Portal Content Studio. Delegated administration makes it possible to give individual content administrators restricted views of the portal catalog. This is controlled using Access Control Lists (ACLs), which may allow only read access to certain objects. SAP delivers a number of portal roles with the portal (for example, for a user administrator). Customers can customize these or extend them with their own roles.

Note: Access to unstructured documents (Knowledge Management area) is also controlled using ACLs.

Caution: Portal roles determine which actions a user may execute in the portal (such as creating an iView or calling a particular transaction in an SAP system). The portal role also determines the navigation in the user's Web browser.

The portal role has no effect on the authorizations in the back-end system (such as SAP R/3).

You should clarify at this point that the portal role specifies which content a user can view and use in the portal: no more, and no less.

Theoretically, a user can "see" more in the portal (referring to navigation and menu paths, not to data) than he or she is permitted to in the SAP system, and vice versa. Ideally, of course, the view in the portal (determined by the portal role) would match the authorizations in the SAP system (specified using authorization profiles, which were created on the basis of an SAP system role). There are tools for comparing portal roles and SAP system roles. These are briefly introduced in the next section.


Figure 144: Delegated Administration of Portal Objects

Exchanging Roles Between the Portal and the SAP System

For the following consideration, it is important to distinguish which type of role is meant: A portal role determines the navigation possibilities (top-level navigation and detailed navigation) of a portal user, and the portal content that he or she can access. In the SAP system, the (classic) (SAP) role acts as a carrier for authorization profiles and (if you are using SAP GUI) for the structure of the role-based SAP Easy Access menu.

The portal uses the authorization procedure of the relevant application in the back-end system and therefore does not need to transfer any authorization profiles to the enterprise portal. This increases security and reduces the effort required for authorization administration. It also ensures that users can only access the data and information that corresponds to their authorization profile. The portal does not implement any central authorization maintenance.

Ideally, the portal role (what does the user see in the Web browser window of the portal?) matches the role in the SAP system (what can the user do in the SAP system?). To avoid duplicating work, it is possible to exchange roles between the portal and an SAP system. However, when this is done, only the menu structure of the role is stored on the portal side, not the associated authorization data from the SAP system.


The basic concept is relatively simple: Role menus can be exchanged between the portal and the SAP system (in both directions), optionally including user assignment. There are, of course, various details and restrictions to take into account. For more information about these, see the excellent portal documentation.

Figure 145: Portal Roles and (SAP) Roles

Migrating SAP Roles to the SAP Enterprise Portal

Many customers have implemented the role concept in their SAP systems. The effort invested in creating roles does not need to be repeated when you implement SAP Enterprise Portal.

The SAP Enterprise Portal provides a tool for this purpose, with which you can migrate SAP roles into the portal. Essentially, the menu of single or composite roles and their descriptions are transferred, optionally also the assigned users (if the user IDs are identical in the portal and the SAP system). Note that no authorization data is migrated.

Typically, a workset is created in the portal for each SAP role migrated in this way. Worksets are reusable modules from which portal roles are created. One portal role (such as personnel manager) can therefore contain the functions of multiple SAP roles (such as HR administrator in SAP R/3 and cost center manager in SAP BW).
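The migration described in the last three paragraphs, and the role comparison mentioned a section earlier, as one added example (not SAP's migration tool or comparison report): a single or composite SAP role is turned into a workset that carries only the menu and the description, user assignments come along only for IDs that also exist in the portal, and the authorization data (here the S_TCODE values of the generated profile) is never copied. Worksets are then assembled into a portal role, and a comparison lists the transactions the user can see in the portal but is not authorized for in the SAP system, and vice versa. Role names, users and the transaction codes are constructed sample data.

```python
"""Role migration SAP system -> portal, and portal/SAP role comparison (illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SapRole:
    """A (classic) SAP role: menu plus generated authorization data."""
    name: str
    description: str
    menu: List[str] = field(default_factory=list)        # transaction codes in the role menu
    s_tcode: Set[str] = field(default_factory=set)       # S_TCODE values in the generated profile
    users: Set[str] = field(default_factory=set)
    components: List[str] = field(default_factory=list)  # non-empty for a composite role


@dataclass
class Workset:
    """Portal-side result of a migration: menu and description only."""
    name: str
    description: str
    menu: List[str]
    users: Set[str]


def migrate_role(role: SapRole, catalog: Dict[str, SapRole],
                 portal_users: Set[str], with_users: bool) -> Workset:
    """Create a workset from a single or composite SAP role.

    A composite role's menu is the union of its component menus. User
    assignments are taken over only for IDs that also exist in the portal.
    No authorization data (s_tcode) is copied.
    """
    menu: List[str] = []
    for name in [role.name] + role.components:
        for tcode in catalog[name].menu:
            if tcode not in menu:
                menu.append(tcode)
    users = (role.users & portal_users) if with_users else set()
    return Workset(role.name, role.description, menu, users)


def build_portal_role(name: str, worksets: List[Workset]) -> Workset:
    """Assemble a portal role (e.g. personnel manager) from several worksets."""
    menu: List[str] = []
    users: Set[str] = set()
    for ws in worksets:
        users |= ws.users
        for tcode in ws.menu:
            if tcode not in menu:
                menu.append(tcode)
    return Workset(name, "portal role " + name, menu, users)


def compare(portal_role: Workset, sap_roles: List[SapRole]) -> Dict[str, Set[str]]:
    """Compare what the portal role shows with what the SAP roles authorize."""
    authorized: Set[str] = set()
    for role in sap_roles:
        authorized |= role.s_tcode
    visible = set(portal_role.menu)
    return {
        "visible_not_authorized": visible - authorized,  # shown in the portal, fails at transaction start
        "authorized_not_visible": authorized - visible,  # allowed in SAP, not reachable via the portal menu
    }


# Constructed sample data (role names, users, transaction codes).
CATALOG: Dict[str, SapRole] = {
    "Z_HR_ADMIN": SapRole("Z_HR_ADMIN", "HR administrator", ["PA30", "PA20"],
                          {"PA30", "PA20", "PA40"}, {"MILLER", "JONES"}),
    "Z_HR_REPORT": SapRole("Z_HR_REPORT", "HR reporting", ["ZHR_RPT"],
                           {"ZHR_RPT"}, {"MILLER"}),
    "Z_HR_ALL": SapRole("Z_HR_ALL", "HR composite", users={"MILLER", "JONES"},
                        components=["Z_HR_ADMIN", "Z_HR_REPORT"]),
    "Z_BW_CC_MGR": SapRole("Z_BW_CC_MGR", "cost center manager (BW)", ["RRMX"],
                           {"RRMX"}, {"MILLER"}),
}
PORTAL_USERS: Set[str] = {"MILLER", "SMITH"}   # JONES has no identical portal ID


if __name__ == "__main__":
    ws_hr = migrate_role(CATALOG["Z_HR_ALL"], CATALOG, PORTAL_USERS, with_users=True)
    ws_bw = migrate_role(CATALOG["Z_BW_CC_MGR"], CATALOG, PORTAL_USERS, with_users=False)
    personnel_manager = build_portal_role("personnel_manager", [ws_hr, ws_bw])
    print(personnel_manager)
    # Z_HR_REPORT's profile is not yet assigned in the SAP system: the portal shows more.
    print(compare(personnel_manager, [CATALOG["Z_HR_ADMIN"], CATALOG["Z_BW_CC_MGR"]]))
```

The second comparison in the `__main__` block is the "sees more in the portal than permitted" case from the Caution note: ZHR_RPT appears in the portal menu, but without the corresponding SAP role the transaction start fails in the back end, which is the right failure mode since the portal role carries no authorizations.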

Hint: The procedure described can also be used by customers who are migrating from SAP Workplace to SAP Enterprise Portal.


Figure 146: Role Migration (SAP System → Portal)

Transferring Portal Roles to SAP Systems

Depending on the company structure and culture, the opposite transfer direction may also be of interest. In this way, a company that is newly implementing SAP can make the SAP Enterprise Portal the leading central system for maintaining roles.

In this case, portal roles (or the underlying worksets) are the starting point. A portal role of this type is created by a content administrator and can contain services (such as transactions, reports, or BSP applications) from different SAP systems.

The transfer requires some basic settings (Which SAP system is responsible for which roles? Where are user assignments maintained?) and is performed in two steps: In a first step, which is initiated from the portal, the matching menu elements of the portal role are transferred to the SAP system. In a second step, you then specify the associated authorizations in the SAP system (transaction WP3R, provided by the SAP Enterprise Portal Plug-In). Depending on the configuration of the system responsibility, there may be a number of "authorization roles" in the SAP system for which authorizations are to be maintained for one portal role.

For clarity: The authorization maintenance in transaction WP3R works in a similar way to the Authorizations tab page in the role maintenance transaction PFCG, only now the menu is assigned by the portal and not in the SAP system using transaction PFCG.


Figure 147: Role Transfer (Portal → SAP System)

The figure clarifies the assignment of roles and user data between the SAP Enterprise Portal and two connected SAP system landscapes. In this case, each SAP system landscape consists of one development system (DEV-A and DEV-B) and one production system (PRD-A and PRD-B). The production system PRD-A is to take on the function of the central system in a Central User Administration with global role assignment. The portal defines roles with services in system landscapes A and B. The associated authorization roles are created and tested in development systems DEV-A and DEV-B and then transported to the relevant production systems downstream. The data for the user assignment is transferred from the portal to each responsible single system (DEV-A, PRD-A, and DEV-B). The system PRD-B has no responsibility for user assignment, but is instead connected as a child system in the Central User Administration of which PRD-A is the central system. The central system PRD-A therefore receives not only the user data for itself, but also for system PRD-B.

Hint: The system described here is a complex example. A landscape consisting of a single system is just as conceivable.


Facilitated Discussion

Consolidate understanding of the relationships between the SAP Enterprise Portal and SAP system.

Discussion Questions

Use the following questions to engage the participants in the discussion. Feel free to use your own additional questions.

Ask the participants for their preferred scenario for role maintenance when using the SAP Enterprise Portal. Two typical cases would be:

• "Decentralized" role and authorization maintenance in the SAP systems and assembly of the user navigation using portal roles

• "Central" role maintenance in the portal, distribution of these roles to the affected SAP systems, and specification of the associated authorizations there

Mixed forms are also conceivable. It is not possible to make a recommendation for all customers, since it depends on parameters such as company size, organizational structure, and distribution of responsibilities.


Lesson Summary

You should now be able to:
• List security functions of the SAP Enterprise Portal
• Describe the options for exchanging roles


Unit Summary

You should now be able to:
• Specify reasons for implementing enterprise portals
• Cite navigation and personalization options
• Describe the core functions of the mySAP Enterprise Portal solution
• List security functions of the SAP Enterprise Portal
• Describe the options for exchanging roles


Course Summary

You should now be able to:

• List the elements and objects of the authorization concept
• Explain the use and purpose of the Profile Generator
• Analyze authorizations
• Describe special objects for administrators

Related Information

Finally, a number of SAP Notes about the topic of authorizations are listed below. You should also use the SAP Internet sites to keep yourself informed, as changes could take place at any time. The following list is only intended to support you in finding out about various topics.

The structure is: <SAP Note number> <Text/description>

Release-Dependent

7642 Authorization protection of ABAP/4 programs

16466 Customer Namespace for SAP Objects

66687 Use of Network Security Products

169469 List of all activity groups with a manual S_TCODE

68048 Deactivating the Automatic User SAP*

82390 Generating Profile SAP_ALL

156250 Responsibilities Replaced as of Release 4.5A

198598 Profiles and References in Roles as of Release 4.6B

156196 Activity Groups Renamed as of Release 4.5A

80210 Profile Generator: Documentation

91721 Problem with org. levels in Profile Generator

323817 Creating organizational level fields for Profile Generator

314513 Org. level in Profile Generator

85234 Missing authorization when using Profile Generator

313587 Mass deletion of Activity Groups

203994 Changed behavior: User menus in 4.6

301344 Performance problems during menu editing in PFCG

167466 IMG authorizations with Profile Generator in 4.5

184906 Renaming users: Activity groups are missing


355364 SU01 Role Assignment.: Changing validity period impossible

203617 High memory consumption with Easy Access Menu

66056 Authorization trace with Transaction ST01

205771 Migration of report trees in area menus

193251 Customer enhancements in area menus

65968 ABAP/4 Debugging authorizations as of Release 3.1G

314843 Authorization object S_TABU_LIN

67766 S_TCODE: Authorization check on transaction start

142724 Prevention of multiple dialog logons

159885 CUA: Collective Note for Central User Administration

171316 PFCG/SU03: F4 Help for Authorization Values

Release Independent

31395 System Parameters: Defined Where? Displayed How? Docu?

39267 Availability of SAP Security Guide

30724 Data protection and Security in R/3

23611 Collective Note: Security in SAP Products

20534 Authorization Check: A Short Introduction

20643 Naming Conventions for Authorizations

28175 Questions Regarding the Authorization Concept

2467 Password Rules and Preventing Unauthorized Logons

12466 Logon Restrictions in R/3

28186 What Does the Profile SAP_NEW Do?

29276 SAPCPIC: At which points are passwords visible?

2383 Documentation: Description of "super user" SAP*

113290 PFCG: Merg. process with authorization data: Explanation

77503 Audit Information System (AIS)

139418 Logging user actions

179145 Authorization checks for numeric values

23342 You are not authorized to ... Analysis

15253 Authorization check during transaction start


303468 Global User Manager: Frequently Asked Questions

93769 Additional Documentation Regarding the Authorization Concept: Documentation on Profile Generator (Authorization Made Easy for Releases 3.0F, 3.1G and 3.1H, 4.0B)


Glossary

ACL
Access Control List: List that specifies which resources (such as portal objects) a user can access with which authorizations

AIS
Audit Information System: An auditing tool aimed at improving the quality of audits. The AIS consists of an audit reporting tree and is a structured, preconfigured collection of standard SAP programs.

ALE
Application Link Enabling

APO
Advanced Planning and Optimization

authorization
Each authorization references an authorization object. It defines one or more permissible values for each authorization field contained in the authorization object. Authorizations are combined in profiles, which are entered in a user's master record.

authorization field
Element of an authorization object. In authorization objects, authorization fields represent values for individual system elements that must undergo authorization checking to verify a user's authorization.

authorization object
Authorization objects allow you to define complex authorizations. An authorization object contains up to 10 authorization fields that are checked in an AND relationship. This determines whether a user is permitted to perform a certain action. To pass an authorization check, the user must satisfy the check for each field contained in the object.

authorization object class
Authorization classes are the organizational grouping of authorization objects.

authorization profile
Grouping of multiple individual authorizations or other authorization profiles. Authorization profiles give users access to the system. They contain authorizations, which are identified using the name of an authorization object and the name of an authorization.
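The glossary entries for authorization, authorization field, authorization object and authorization profile together describe one check procedure. The following added example (not SAP's own AUTHORITY-CHECK implementation) models it in code: an object has at most 10 fields, a check passes only if every field of the object is satisfied (AND), any one of the authorizations the user holds for that object is enough (OR), and authorizations reach the user through single or composite profiles entered in the user master record. The objects S_TCODE and S_TABU_DIS and their fields are real SAP objects that appear elsewhere in this course; the authorization and profile names, the values and the user are constructed, and '*' is used as the wildcard.

```python
"""Model of the authorization check semantics from the glossary (illustration, not SAP code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_FIELDS = 10   # an authorization object holds at most 10 fields


@dataclass
class AuthorizationObject:
    name: str
    fields: List[str]

    def __post_init__(self) -> None:
        if not 1 <= len(self.fields) <= MAX_FIELDS:
            raise ValueError(f"{self.name}: an object has 1..{MAX_FIELDS} fields")


@dataclass
class Authorization:
    """Permissible values (or patterns) for every field of one object."""
    name: str
    obj: str
    values: Dict[str, List[str]]


@dataclass
class Profile:
    """Single profile (authorizations) or composite profile (other profiles)."""
    name: str
    authorizations: List[Authorization] = field(default_factory=list)
    profiles: List["Profile"] = field(default_factory=list)

    def all_authorizations(self) -> List[Authorization]:
        out = list(self.authorizations)
        for sub in self.profiles:
            out.extend(sub.all_authorizations())
        return out


@dataclass
class UserMaster:
    user_id: str
    profiles: List[Profile]   # the profiles entered in the user master record


def value_matches(pattern: str, value: str) -> bool:
    """'*' allows any value; a trailing '*' is a prefix wildcard; otherwise exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(user: UserMaster, objects: Dict[str, AuthorizationObject],
                    obj_name: str, requested: Dict[str, str]) -> bool:
    """Pass if ANY held authorization for the object satisfies ALL of its fields.

    A field the caller does not supply is checked as the empty string, so only
    a '*' value in the authorization covers it.
    """
    obj = objects[obj_name]
    held = [a for p in user.profiles for a in p.all_authorizations() if a.obj == obj_name]
    for auth in held:                                     # OR across authorizations
        if all(any(value_matches(pat, requested.get(f, ""))
                   for pat in auth.values.get(f, []))
               for f in obj.fields):                      # AND across the fields
            return True
    return False


def sample_user() -> Tuple[UserMaster, Dict[str, AuthorizationObject]]:
    """Constructed user master: one composite profile made of two single profiles."""
    objects = {
        "S_TCODE": AuthorizationObject("S_TCODE", ["TCD"]),
        "S_TABU_DIS": AuthorizationObject("S_TABU_DIS", ["DICBERCLS", "ACTVT"]),
    }
    display = Profile("Z_HR_DISPLAY", [
        Authorization("Z_HR_TCD", "S_TCODE", {"TCD": ["PA*", "SU53"]}),
        Authorization("Z_TAB_DISP", "S_TABU_DIS", {"DICBERCLS": ["FC*"], "ACTVT": ["03"]}),
    ])
    change = Profile("Z_FC01_CHANGE", [
        Authorization("Z_TAB_FC01", "S_TABU_DIS", {"DICBERCLS": ["FC01"], "ACTVT": ["02", "03"]}),
    ])
    composite = Profile("Z_HR_ALL", profiles=[display, change])
    return UserMaster("MILLER", [composite]), objects
```

The two S_TABU_DIS authorizations show why the AND/OR split matters when reviewing a user's access: the display authorization covers every FC* table class but only activity 03, while the change authorization adds activity 02 for the single class FC01. Asking for FC02 with activity 02 fails because no single authorization satisfies both fields, even though each value is allowed somewhere.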


business package
Predefined portal content that SAP makes available at the address www.iViewStudio.com

CCMS
Computer Center Management System: Integrated tools for monitoring and administration of SAP R/3 systems and independent SAP business components, with which operations such as resource distribution and the administration of SAP databases can be automated.

content area
Work area of the portal browser window, in which a page with multiple iViews or a whole-page iView is displayed.

Content Management
Allows you to manage unstructured documents; is part of Knowledge Management (in the mySAP Enterprise Portal solution)

CRM
Customer Relationship Management. Supports all processes involving direct customer contact throughout the entire customer relationship life cycle - from market segmentation, sales lead generation and opportunities to post-sales and customer service.

CUA
Central User Administration: Management of users in a central system. A system group consists of several SAP systems with several clients. The same users are often created and the same roles assigned in each client. Central User Administration is designed to perform these tasks in a central system and distribute the data to the systems in the system group.

Drag&Relate
Linking of data from different applications in the portal browser window (for example: dragging an object "customer number" on to the action "display orders" immediately displays all of this customer's orders)

IMG
Implementation Guide. Tool for configuring the SAP system to meet customer requirements. The hierarchical structure of the IMG is based on the application component hierarchy. The main section is IMG activities, where the relevant system settings are made.

ITS
Internet Transaction Server

iView
Program that calls data from any information source and displays it in the content area of the portal.


iViewStudio
Central marketplace for portal content at the address www.iViewStudio.com

mySAP Enterprise Portal
SAP solution for enterprise portals

navigation panel
Area of the portal browser window, which allows you to call deeper hierarchy levels (detailed navigation), target objects for Drag&Relate operations, or links to related objects.

PDK
Portal Development Kit: Developer tool for creating iViews

Profile Generator
Tool for generating authorization profiles in role maintenance. You use the Profile Generator to generate an authorization profile based on the activities in a role.

Retrieval & Classification (TREX)
Powerful tool for searching and classifying documents; is part of Knowledge Management (in the mySAP Enterprise Portal solution)

RFC
Remote Function Call

SAP Easy Access
Menu that contains all functions required by a user, and which is assigned by the system administrator in the user master record using roles. It can be extended individually using favorites.

SAP Enterprise Portal
Software component of the mySAP Enterprise Portal solution

Single Sign-On
A single logon is sufficient to access various systems, such as from the SAP Enterprise Portal

TMS
Transport Management System

unification
Technology for linking information in the portal across application boundaries; basis for navigation using "Drag&Relate"

user buffer
Buffer from which the data of a user master record is loaded when a user logs on.

UTC
Universal Time Coordinated


Index

A
Access Control, 12
ACL, 405
Audit Information System (AIS), 295
auth/no_check_in_some_cases, 223
authorization, 56
authorization checks
  at transaction start, 80
  in programs, 82
authorization concept
  decentralization of user administration, 265
  implementation method, 20
  principle of dual control, 269
  principle of treble control, 270
  step 1: preparation, 23
  step 2: analysis & conception, 26
  step 3: implementation, 33
  step 4: quality assurance & tests, 35
  step 5: cutover, 36
  strategy for user and authorization administration, 37
authorization error analysis, 288
  transaction code: ST01, 292
  transaction code: SU53, 289
authorization field, 56
authorization object, 56
  S_PROGRAM, 260
  S_TABU_CLI, 258
  S_TABU_DIS, 257
  S_TABU_LIN, 259
  S_TCODE, 255
  S_USER_AGR, 263
  S_USER_AUT, 264
  S_USER_GRP, 262
  S_USER_PRO, 264
  S_USER_SYS, 262
  S_USER_TCD, 263
  S_USER_VAL, 263
authorization object class, 56
authorization profile, 56

B
business package, 390

C
Central User Administration (CUA), 356
  central user maintenance (transaction code: SU01), 368
  copying user master records (transaction code: SCUG), 366
  distribution of field attributes (transaction code: SCUM), 364
  graphical model, 358
  integration into existing systems, 365
check indicator
  C, 228
  CM, 228
  N, 228
  U, 228
Collaboration with SAP NetWeaver, 395
composite role, 169
content area, 388
Content Management, 393
Customizing role, 168

D
decentralizing user administration, 265
Derived role, 176
detailed navigation, 388
Drag&Relate, 396

E
error analysis, 288

G
general password rules and profile parameters, 248

I
indirect role assignment, 330
Information System, 293
Information System: AIS, 295
information systems for administrators and audit, 292
iView, 388
iViewStudio, 392

K
Knowledge Management, 393

M
mySAP Enterprise Portal, 386

N
navigation panel, 388

O
organizational management, 330
organizational plan, 330
  assigning jobs, 340
  assigning organizational units, 338
  assigning positions, 340
  assigning tasks, 341
  assigning users/persons, 343
  basic structure, 331
  create root organizational unit, 337
  reconcile indirect user assignment, 344
  user master comparison, 345

P
PDK, 392
pfcg_time_dependency (user master comparison), 145
Portal Content Studio, 405
Principle of dual control, 269
Principle of treble control (example 1), 270
Principle of treble control (example 2), 272
Profile Generator
  basic setting: default values, 224
  basic setting: parameter, 222
  basic settings, 221
  central tool for creating roles [PFCG], 128
  compare user master record, 146
  generate authorization profile, 143
  icon legend, 204
  manual insertion of authorizations, 141
  status texts for authorization maintenance, 206
  the yellow traffic light problem, 206
  traffic light legend, 201
  upgrade, 229
  views (maintenance options for roles), 131
Profile Generator default values
  green, 225
  not maintained, 225
  red, 225
  yellow, 225
Profile Generator tab page
  Authorizations, 139
  Description, 132
  Menu, 134
  User, 144
profile parameters for password and logon rules, 250

R
reference role, 175
Retrieval & Classification (TREX), 393
role types
  composite role, 169
  Customizing role, 168
  reference (root) roles and derived roles, 175
  single role, 132
role-based authorization concept, 12
root role, 175

S
sample authorization concept
  job role, 48
  role distribution, 50
SAP Enterprise Portal, 386
SAP* special user, 253
single role, 132
Single Sign-On, 403
special users in SAP systems, 252
status texts for authorization maintenance
  changed, 206
  inactive/reactivate, 205
  maintained, 206
  new, 207
  old, 207
  standard, 206
System Access Control, 12

T
table usage
  SSM_CUST, 175
  TACT, 59
  TACTZ, 59
  TSTCA, 81
  USOBT, 226
  USOBT_C, 225
  USOBT_C → upgrade, 233
  USOBX, 226
  USOBX_C, 225
  USOBX_C → upgrade, 233
  USR40, 249
top-level navigation, 388
traffic light legend
  green, 201
  red, 202
  yellow, 202
transport of authorization components, 312
  customer check indicators, 318
  roles with CUA, 316
  roles with upload and download, 317
  roles without CUA, 315
  user master records, 313

U
unification, 396
upgrade
  adjust default tables, 233
Upgrade
  convert manually created profiles, 231
  Profile Generator already used, 233
  Profile Generator not yet used, 230
  using the profile: SAP_NEW, 235
user administration
  principle of dual control, 269
  principle of treble control, 270
user and role menu
  display in SAP Easy Access, 64
  structure, 62
user buffer, 84
user data
  change documents, 111
  individual maintenance [SU01], 95
  mass maintenance [SU10], 109
User Information System, 293
user master record tab page
  address, 96
  defaults, 101
  groups, 106
  license data, 107
  logon data, 97
  parameters, 102
  personalization, 106
  profiles, 104
  roles, 104
user type
  communication, 100
  dialog, 100
  reference, 101
  service, 100
  system, 100


Feedback

SAP AG has made every effort in the preparation of this course to ensure the accuracy and completeness of the materials. If you have any corrections or suggestions for improvement, please record them in the appropriate place in the course evaluation.
