creating role in pfcg

Upload: hithacheppalli

Post on 13-Oct-2015


DESCRIPTION

role creation in sap

TRANSCRIPT

1. How to view session manager

2. When will you use authorization templates (spool display and print, and what more)?

3. Purpose of PFCG_TIME_DEPENDENCY report

4. Never enter the generated authorization profiles directly in the user master records. Why?

You can only link generated profiles and users by assigning the corresponding role to the users, and then performing a user master record comparison. During the comparison of the user master records, the profiles for the role are entered for all users of the role.

5. Difference between automated generated profile and manually created d

6. Reason to maintain an auth obj in Standard and Maintained and not in Changed and Manually

Changed: When the authorization object values are changed from the proposal values configured in SU24, the object status is "changed". This removes the link between the object and the related transactions. If you remove a menu transaction and the objects configured for it are in "changed" status, those objects will remain in the role. For this reason it is recommended that SU24 is configured correctly to remove the need to have authorization objects in "changed" status.

Manually: Authorization objects can be manually added to roles to provide additional authorization over and above that configured in SU24. As with authorization objects in "changed" status, there is no link to any menu transactions. When used correctly, manually added authorization objects can be very effective in situations where updating SU24 is not desirable. If not documented or managed correctly they can also facilitate authorization creep in a build.

7. Delete a tcode from the menu and generate the profile: what is the effect?

First effect: in the role, S_TCODE still contains that particular deleted tcode, so the S_TCODE auth obj will be in changed status.

Second effect: if the S_TCODE auth obj is in changed status, T-Code deletions made in the menu path DO NOT override the T-Code value in S_TCODE.

The T-Code doesn't exist in the menu, but can be called because it still exists in S_TCODE.

8. How can you delete an auth obj from the role?

When deleting T-Codes from the menu, check to see that S_TCODE is in STANDARD status. If it is in CHANGED status, take these steps to get S_TCODE back into STANDARD status:

Inactivate and delete the S_TCODE object using the trash can.

Use the Expert mode for profile generation button to regenerate the role from the T-Code menu entries.

Check the Read old status and merge with new data button. This will merge the objects with an Old status with new objects pulled in from the current SU24 configuration.

The S_TCODE object should now be in STANDARD status.

Maintain any yellow objects, merge, reorganize, save, and generate.

9. When you change a role, what is the action?

When you change a role, you must regenerate the authorization profile. In this case, the status of the profile generation is displayed red or yellow at the top of the Authorizations tab page.

If the status display is red, you must perform an authorization data comparison, since the menu was changed since the last profile generation or no authorization data exists.

If the display is yellow, the authorization data for the role was changed and saved after the last generation. The generated profile is no longer current. You need to regenerate it.

10. What is the significance of the three options that we get when we choose expert mode?

Choose one of the options to maintain the authorization values (in normal mode, the correct option is automatically set):

1>Delete and recreate profile and authorizations

All authorizations are recreated. Values which had previously been maintained, changed or entered manually are lost. Only the maintained values for organizational levels remain.

2>Edit old status

The last saved authorization data for the role is displayed. This is not useful, if transactions in the role menu have been changed.

3>Read old status and merge with the new data

If you change transactions in the role menu, this option is preconfigured. The profile generator compares the existing authorization data with the authorization default values for the menu transactions. If new authorizations are added during this process, they receive the status New. Authorizations that already existed receive the status Old.

Note the following during the comparison:

Values for organizational levels that are no longer required are deleted, all others are retained. If new organizational levels are added, you need to maintain them.

The standard authorization for the object S_TCODE is always automatically filled with the current transactions from the role menu. It cannot be copied or manually changed, only deactivated.
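The S_TCODE drift described under questions 7 and 8 can be checked offline against a role export. The following Python sketch is an added example, not part of the original document; the role names, the values and the row layout are constructed, and only the status texts are taken from the page.

```python
# Constructed sample data, not from a real system. The layout (menu tcodes per
# role, S_TCODE values per role with the PFCG status text) is an assumption.
ROLE_MENU = {
    "ZFI_AP_CLERK": {"FB60", "FBL1N"},
    "ZMM_BUYER": {"ME21N", "ME22N", "ME23N"},
}
# (role, status of the S_TCODE authorization, low value, high value)
S_TCODE_VALUES = [
    ("ZFI_AP_CLERK", "Changed", "FB60", ""),
    ("ZFI_AP_CLERK", "Changed", "FBL1N", ""),
    ("ZFI_AP_CLERK", "Changed", "F110", ""),    # deleted from the menu earlier
    ("ZMM_BUYER", "Standard", "ME21N", ""),
    ("ZMM_BUYER", "Standard", "ME22N", ""),
    ("ZMM_BUYER", "Standard", "ME23N", ""),
    ("ZMM_BUYER", "Manual", "ME2*", ""),        # pattern wider than the menu
    ("ZMM_BUYER", "Manual", "SE16", "SE17"),    # range outside the menu
]

def audit_s_tcode(menu_by_role, rows):
    """Return sorted (role, finding, detail) tuples for S_TCODE drift."""
    findings = set()
    for role, status, low, high in rows:
        menu = menu_by_role.get(role, set())
        if status != "Standard":
            # Menu deletions will not be carried into this authorization.
            findings.add((role, "STATUS_NOT_STANDARD", status))
        if high or "*" in low:
            # Ranges and patterns admit tcodes the menu never listed.
            detail = f"{low}-{high}" if high else low
            findings.add((role, "WIDER_THAN_MENU", detail))
        elif low not in menu:
            # Callable through S_TCODE although absent from the menu.
            findings.add((role, "NOT_IN_MENU", low))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_s_tcode(ROLE_MENU, S_TCODE_VALUES):
        print(*finding, sep="\t")
```
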

What is the effect when you add a tcode in s_user_tcd directly? The T-Code will not be visible on the Menu tab, even after deleting the S_TCODE auth obj and expert mode profile generation.

Creating role in PFCG

Step 1

Enter a name for the role and choose Create Role.

You should note that the roles supplied by SAP begin with the prefix "SAP_". If you are creating your own user roles, do not use this namespace.

Step 2

On the next screen, describe the functions that the role is to include.

Save the role.

Step 3

Assign transactions to the role on the Menu tab page:

- By specifying the transactions directly

- By assigning menu branches from the SAP menu

The menu options selected in this step are displayed in the Session Manager and on the "SAP Easy Access" logon screen as the User menu for all users who are assigned to the role.

How to view session manager

Step 4

On the Authorizations tab page, choose Change authorization data.

Depending on the transactions you have chosen, the system may display a dialog box that asks you to maintain the organizational levels. These are authorization fields that occur in several authorizations at the same time and that can be maintained together. An example is the company code, which occurs in several authorization objects. When you assign values to the organizational levels, you maintain the authorization fields for all authorizations in the tree display that is displayed at the same time.

Organizational levels are not maintained. Choose Org. levels to maintain the organizational levels.

Specify a global value for this role for each field representing an organizational level. If, for example, the organizational level PLANTS appears in several authorizations, you only need to maintain the plant values once on the Organizational levels screen.

You can display a list of all existing organizational levels using Transaction SUPO.

The system displays a tree display for all authorizations that are proposed by SAP for the chosen transactions. The authorizations already have some values.

//kavya

All auth classes will be standard

I updated PFCG in SU24; the values of the auth obj called S_USER_AGR changed, but the auth obj is still in std, but updated

If you click on the traffic lights, the status will be maintained

When you assign auth field values in the white lines (by editing), the status will be changed

When you click on the Manually button to add an auth obj manually, then the status will be manually //check it

When you redefine values in SU24, then the status will be?

//kavya

- Yellow traffic light icons in the tree display indicate that you need to manually postprocess authorization values. You enter these values by clicking a white line next to the name of the authorization field. Once you have maintained the values, the authorizations are regarded as having been manually modified. They are not overwritten if you include additional transactions and reprocess the authorizations. By clicking the traffic light icon, you can assign full authorization for the hierarchy level for all unmaintained fields.

- Red traffic light icons indicate that there are organizational levels that do not yet have values. You can enter or change these values by choosing Org. levels....

- If you want additional functions in the tree display, such as to copy or summarize authorizations, choose Utilities -> Settings and select the appropriate option.

- Generate an authorization profile for the authorizations by choosing Generate.

- Enter a name for the authorization profile in the next dialog box, or use the valid name in the customer namespace that is proposed.

- Exit the tree display once the profile is generated.

- If you change the menu selection and call up the menu display for the authorizations again, the system tries to mix the authorizations for the newly added transactions with the existing authorizations. This may mean that the traffic light icons turn yellow, as new incomplete authorizations appear in the tree display. You need to either manually assign values to these, or delete them.

- You can delete an authorization by first deactivating it and then deleting it.

When will you use authorization templates (spool display and print, and what more)?

- General authorizations such as spool display and print are not usually stored with transactions. For this purpose, you can add authorization templates to the existing data. To do this, choose Edit -> Insert authorizations -> From template... and choose one of the templates (for example, SAP_USER_B Basis authorization for application users or SAP_PRINT Print authorization). Alternatively, you can create a separate role for these general authorizations whereby the overview is much clearer.

Step 5

On the Users tab, assign the users to the role.

- The system displays the menu options for the role in the Session Manager as the user menu for the users assigned.

- Otherwise, the generated authorization profiles are automatically entered in the user master records when you perform the User master record comparison. To do this, choose Compare users on the Users tab page and choose Full comparison.

Purpose of PFCG_TIME_DEPENDENCY report

- If you do not restrict the period of the assignments and use the default period (current date to 12.31.9999), no further action is necessary. If you make any other time restrictions, you need to schedule report PFCG_TIME_DEPENDENCY to run daily. This report automatically updates the user master records. You must also schedule this report if you are using Organization Management.

Caution

Never enter the generated authorization profiles directly in the user master records, as is the case with authorization profiles that are created manually. You can only link generated profiles and users by assigning the corresponding role to the users, and then performing a user master record comparison. During the comparison of the user master records, the profiles for the role are entered for all users of the role.
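The following Python sketch is an added example, not part of the original document. It models the user master record comparison from Step 5 and the Caution as a reconciliation of generated profiles against currently valid role assignments; the users, roles, profile names and data layout are constructed, and the reconciliation rule is an assumption drawn from the text above.

```python
from datetime import date

# Constructed sample data; the layout is an assumption, not a real table export.
ROLE_PROFILE = {"ZFI_AP_CLERK": "T-FI000101", "ZMM_BUYER": "T-MM000202"}
# (user, role, valid from, valid to)
ASSIGNMENTS = [
    ("ALICE", "ZFI_AP_CLERK", date(2015, 1, 1), date(9999, 12, 31)),
    ("BOB", "ZMM_BUYER", date(2015, 1, 1), date(2015, 9, 30)),      # expired
    ("CAROL", "ZMM_BUYER", date(2015, 11, 1), date(9999, 12, 31)),  # not yet valid
]
# Generated profiles currently present in each user master record
USER_PROFILES = {
    "ALICE": {"T-FI000101"},
    "BOB": {"T-MM000202"},    # left over: no comparison has run since expiry
    "CAROL": set(),
    "DAVE": {"T-FI000101"},   # entered directly, without a role assignment
}

def compare_users(today):
    """Return the (user, action, profile) changes a comparison would make."""
    generated = set(ROLE_PROFILE.values())
    should_have = {user: set() for user in USER_PROFILES}
    for user, role, start, end in ASSIGNMENTS:
        if start <= today <= end:           # only valid assignments count
            should_have.setdefault(user, set()).add(ROLE_PROFILE[role])
    actions = []
    for user in sorted(should_have):
        has = USER_PROFILES.get(user, set()) & generated
        for profile in sorted(should_have[user] - has):
            actions.append((user, "ADD", profile))
        for profile in sorted(has - should_have[user]):
            actions.append((user, "REMOVE", profile))
    return actions

if __name__ == "__main__":
    for action in compare_users(date(2015, 10, 13)):
        print(*action, sep="\t")
```

BOB shows why time-restricted assignments need the daily report, and DAVE shows what a directly entered generated profile looks like to the comparison.
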

Step 6

To transport the role to another system, you must enter the role in a transport request.

- To do this choose Role -> Transport. You can now specify whether or not the user assignment should also be transported.

- The authorization profiles are transported unless you have explicitly specified that you do not want to transport the profiles.

- After the import into the target system, you have to perform a complete user master comparison again for the imported roles. You can start this comparison manually or use report PFCG_TIME_DEPENDENCY to execute it automatically, if the report is scheduled to run periodically in the target system.

SAP PFCG Create a role

1. Go to Tcode PFCG

2. Enter New Role Name you want to create

3. Click "Role" button

4. Describe the Role in "Description" field

5. Click "Menu" tab

6. Click "Transaction" button to add Tcode

7. Click

8. Click "Authorizations" tab

9. Click "pencil" button to change authorization

When you click on company code, you get the below screen to select a company. I searched inr and selected Indian comp

Assign full auth and save

10. Put "Org element value"

11. Save

12. Fill in the missing authorization

13. If we wish to give full authorization to this role, hit the "check" button

This is the current BC_A Object class

And this is the whole roles list

14. Save the role.

15. Enter profile name.

(We can get an auto-generated profile name from the system if we leave it blank.)

16. Generate for authorization

17. Click "user" tab to assign role to relevant users

18. Click to make comparison of users

SAP Security Check indicators-SU24

Transaction SU24 maintains the USOBT_C and USOBX_C tables. These tables hold the relationships between the particular transaction and its authorization objects. It is possible to add or subtract the checks performed in the transaction by changing the appropriate flag.

The benefit of transaction SU24 occurs when transactions are added to or deleted from Role Groups using the Profile Generator.

When new transactions are added, the Profile Generator will add all authorization values maintained in SU24 for the transaction(s).

When deleting a transaction, the Profile Generator will remove all authorization values that are maintained in SU24 for the transaction.

Activities performed:

- Check/Maintain Authorization Values

- Addition of Authorization Object to tcode

- Deletion of Authorization Object from tcode

| Check Ind. | Proposal | Meaning | Explanation |
| --- | --- | --- | --- |
| Check | YS | Check/Maintained | The object will be inserted along with the values in the role. The object will be checked along with the values during runtime of the transaction. |
| Check | NO | Check | This object will not be inserted into the roles. A check on the object along with the values will be done during the runtime of the transaction. |
| Do not Check | NO | Do Not Check | The object will not be inserted into the roles and there will not be any check performed during runtime of the transaction. |

Status Texts for authorizations

Standard: All field values in the subordinate levels of the hierarchy are unchanged from the SAP defaults

Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and has since been filled with a value

Changed: The proposed value for at least one field in the subordinate levels of the hierarchy has been changed from the SAP default value.

Manual: You maintained at least one authorization in the subordinate hierarchy levels manually (it was not proposed by the Profile Generator).

Effect of SU24 changes in Role Groups

Authorization objects are maintained in SU24 for a particular transaction code. When a transaction code is added to a role, only the authorization objects maintained for that tcode with check as check indicator value and yes as proposal value will be added into the role group.

1) Adding Tcodes to a role

When a new tcode is added to a role, going into either change authorization data or expert mode provides the same result. All the authorizations maintained for the tcode at SU24 level are added to the role.

The program adds new standard authorizations for objects in the roles if the authorization default values contain objects that were previously not existing or only had authorizations in the status Changed or Manual.

A new standard authorization is not included if the authorization fields contain identical authorizations in the status Standard in both authorizations, and the fields maintained in the old authorizations are empty in the new standard authorization.

If there were already authorizations in the status Maintained (active or inactive) or Inactive Standard before the merge, the program compares the values and the maintenance status of all authorization fields to determine whether new standard authorizations must be extended.

Changing SU24 values for a tcode

If the authorization data is changed for any tcode in SU24 and the tcode is already present in the role, then going into the expert mode with the option read old data and compare with new data will only reflect the additional changes. Change authorization data will not pull the new data for the tcode maintained at SU24 level.

2) Removing Tcodes from the role

When you remove transactions from the role menu, this has the following effect on the authorizations.

A standard authorization for which the associated transaction was removed from the role menu is removed during the merge, unless at least one other transaction that remains in the menu uses the same authorization default value. This applies both for active and inactive standard authorizations.

Authorizations in the statuses Changed and Manual are not affected by the merge. They are therefore always retained.
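The merge rules above, together with the SU24 check indicator table, can be modelled in a few lines to show where leftover authorizations come from. This Python sketch is an added example, not part of the original document and not the Profile Generator's own logic; the SU24 defaults, the role content and the tuple layout are constructed for illustration.

```python
# Constructed SU24-style defaults (not real SAP proposals):
# tcode -> [(object, check indicator, proposal, default values)]
SU24 = {
    "FB60": [("F_BKPF_BUK", "Check", "YS", "ACTVT=01,02,03;BUKRS=$BUKRS"),
             ("F_BKPF_KOA", "Check", "NO", "")],   # checked, never inserted
    "F110": [("F_REGU_BUK", "Check", "YS", "FBTCH=02,03;BUKRS=$BUKRS"),
             ("F_REGU_KOA", "Check", "YS", "FBTCH=03;KOART=K"),
             ("F_BKPF_BUK", "Check", "YS", "ACTVT=01,02,03;BUKRS=$BUKRS")],
}

def proposals(menu):
    """(object, default) pairs inserted for the menu: Check + YS only."""
    return {(obj, default)
            for tcode in menu
            for obj, ind, prop, default in SU24.get(tcode, [])
            if ind == "Check" and prop == "YS"}

def merge(auths, new_menu):
    """Simplified 'read old status and merge with new data'.
    auths: list of (object, status, default, current values)."""
    wanted = proposals(new_menu)
    kept = []
    for obj, status, default, values in auths:
        if status in ("Changed", "Manual"):
            kept.append((obj, status, default, values))   # never affected
        elif (obj, default) in wanted:
            kept.append((obj, status, default, values))   # still proposed
        # else: Standard/Maintained whose tcode left the menu is removed
    have = {(o, d) for o, s, d, _ in kept if s in ("Standard", "Maintained")}
    for obj, default in sorted(wanted - have):
        kept.append((obj, "Standard", default, default))  # arrives as New
    return kept

def orphans(auths, menu):
    """Changed/Manual authorizations that no remaining menu tcode proposes."""
    proposed = {obj for obj, _ in proposals(menu)}
    return [(obj, status, values) for obj, status, _, values in auths
            if status in ("Changed", "Manual") and obj not in proposed]

# Role built for FB60 + F110; F_REGU_KOA was edited, so its status is Changed.
D_BUK = "ACTVT=01,02,03;BUKRS=$BUKRS"
ROLE = [
    ("F_BKPF_BUK", "Standard", D_BUK, D_BUK),
    ("F_REGU_BUK", "Maintained", "FBTCH=02,03;BUKRS=$BUKRS", "FBTCH=02,03;BUKRS=1000"),
    ("F_REGU_KOA", "Changed", "FBTCH=03;KOART=K", "FBTCH=*;KOART=*"),
]
AFTER = merge(ROLE, {"FB60"})           # F110 removed from the menu

if __name__ == "__main__":
    print(AFTER)
    print(orphans(AFTER, {"FB60"}))
```

F_BKPF_BUK survives because FB60 still proposes the same default, F_REGU_BUK is removed with F110, and the Changed F_REGU_KOA stays behind with its widened values.
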

In the Authorizations tab of a role are the authorisation objects and their values.

These value sets form the profile authorizations which get loaded into the user buffer. To help monitor and manage the authorization objects in the roles, each authorization object set has an associated status.

Standard: The authorization values in the role are the same as those configured in SU24 for the relevant transaction/s. When the relevant transaction/s is removed from the role menu, the corresponding authorization object/s are removed.

Maintained: Where an object has been maintained for a transaction in SU24, but the values are not fully defined, the object appears in the role with one or more empty fields. When these fields are updated then the object status is "maintained". As with objects in status "standard", removing the relevant transaction/s from the menu will result in the object/s being removed from the authorizations tab.

Changed: When the authorization object values are changed from the proposal values configured in SU24, the object status is "changed". This removes the link between the object and the related transactions. If you remove a menu transaction and the objects configured for it are in "changed" status, those objects will remain in the role. For this reason it is recommended that SU24 is configured correctly to remove the need to have authorization objects in "changed" status.

Manually: Authorization objects can be manually added to roles to provide additional authorization over and above that configured in SU24. As with authorization objects in "changed" status, there is no link to any menu transactions. When used correctly, manually added authorization objects can be very effective in situations where updating SU24 is not desirable. If not documented or managed correctly they can also facilitate authorization creep in a build.