creating role in pfcg
DESCRIPTION
role creation in SAP
TRANSCRIPT
1. How to view session manager
2. When will you use authorization templates (spool display and print, and what more)?
3. Purpose of PFCG_TIME_DEPENDENCY report
4. Never enter the generated authorization profiles directly in the user master records. Why?
You can only link generated profiles and users
by assigning the corresponding role to the users, and then
performing a user master record comparison. During the comparison of
the user master records, the profiles for the role are entered for
all users of the role.
5. Difference between automatically generated profile and manually created d
6. Reason to maintain an auth obj in Standard and Maintained and not in Changed and Manually
Changed: When the authorization object values are changed from the proposal values configured in SU24, the object status is "changed". This removes the link between the object and the related transactions. If you remove a menu transaction and the objects configured for it are in "changed" status, those objects will remain in the role. For this reason it is recommended that SU24 is configured correctly to remove the need to have authorization objects in "changed" status.
Manually: Authorization objects can be manually added to roles to provide additional authorization over and above that configured in SU24. As with authorization objects in "changed" status, there is no link to any menu transactions. When used correctly, manually added authorization objects can be very effective in situations where updating SU24 is not desirable. If not documented or managed correctly they can also facilitate authorization creep in a build.
7. Delete a tcode from the menu and generate the profile: what is the effect?
First effect: in the role, S_TCODE still contains that particular deleted tcode, so the S_TCODE auth obj will be in changed status.
Second effect: if the S_TCODE auth obj is in changed status, T-Code deletions made in the menu path DO NOT override the T-Code value in S_TCODE.
The T-Code doesn't exist in the menu, but can be called because it still exists in S_TCODE.
8. When deleting T-Codes from the menu, check to see that S_TCODE is in STANDARD status. If it is in CHANGED status, take these steps to get S_TCODE back into STANDARD status:
How can you delete an auth obj from the role?
Inactivate and delete the S_TCODE object using the trash can.
Use the Expert mode for profile generation button to regenerate the role from the T-Code menu entries:
Check the Read old status and merge with new data button. This will merge the objects with an Old status with new objects pulled in from the current SU24 configuration:
The S_TCODE object should now be in STANDARD status.
Maintain any yellow objects, merge, reorganize, save, and generate.
9. When you change a role, what is the action?
When you change a role, you must regenerate the authorization profile. In this case, the status of the profile generation is displayed red or yellow at the top of the Authorizations tab page.
If the status display is red, you must perform an authorization data comparison, since the menu was changed since the last profile generation or no authorization data exists.
If the display is yellow, the authorization data for the role was changed and saved after the last generation. The generated profile is no longer current. You need to regenerate it.
10. What is the significance of the three options that we get when we choose expert mode?
Choose one of the options to maintain the authorization values (in normal mode, the correct option is automatically set):
1>Delete and recreate profile and authorizations
All authorizations are recreated. Values which had previously been maintained, changed or entered manually are lost. Only the maintained values for organizational levels remain.
2>Edit old status
The last saved authorization data for the role is displayed. This is not useful, if transactions in the role menu have been changed.
3>Read old status and merge with the new data
If you change transactions in the role menu, this option is preconfigured. The profile generator compares the existing authorization data with the authorization default values for the menu transactions. If new authorizations are added during this process, they receive the status New. Authorizations that already existed receive the status Old.
Note the following during the comparison:
Values for organizational levels that are no longer required are deleted, all others are retained. If new organizational levels are added, you need to maintain them.
The standard authorization for the object S_TCODE is always automatically filled with the current transactions from the role menu. It cannot be copied or manually changed, only deactivated.
What is the effect when you add a tcode in s_user_tcd directly? The T-Code will not be visible on the Menu tab even after deleting the S_TCODE auth obj and expert mode profile generation.
Creating role in PFCG
Step 1
Enter a name for the role and choose Create Role.
You should note that the roles supplied by SAP begin with the prefix
"SAP_". If you are creating your own user roles, do not use this
namespace.
Step 2
On the next screen, describe the functions that the role is to
include.
Save the role
Step 3
Assign transactions to the role on the Menu tab page:
- By specifying the transactions directly
- By assigning menu branches from the SAP menu
The menu options selected in this step are displayed in the Session Manager and on the "SAP Easy Access" logon screen as the User menu
for all users who are assigned to the role.
How to view session manager
Step 4
On the Authorizations tab page, choose Change authorization data.
Depending on the transactions you have chosen, the system may
display a dialog box that asks you to maintain the organizational
levels. These are authorization fields that occur in several
authorizations at the same time and that can be maintained together. An example is the company code, which occurs in several
authorization objects. When you assign values to the organizational
levels, you maintain the authorization fields for all authorizations
in the tree display that is displayed at the same time.
Organizational levels are not maintained. Choose Org. levels to maintain the organizational levels.
Specify a global value for this role for each field representing an organizational level. If, for example, the organizational level PLANTS appears in several authorizations, you only need to maintain the plant values once on the Organizational levels screen.
You can display a list of all existing organizational levels using Transaction SUPO.
The system displays a tree display for all authorizations that are
proposed by SAP for the chosen transactions. The authorizations
already have some values.
//kavya
All auth classes will be standard
I updated pfcg in su24 auth obj called s_user_agr values changed but still the auth obj in std but updated
If you click on (traffic lights) status will be maintained
When you assign auth field values white lines (by editing) status will be changed
When you click on manually button to add auth obj manually then the status will be manually
//check it When you redefine values in su24 then status will be?.
//kavya
- Yellow traffic light icons in the tree display indicate that you
need to manually postprocess authorization values. You enter
these values by clicking a white line next to the name of the
authorization field. Once you have maintained the values, the
authorizations are regarded as having been manually modified. They are not overwritten if you include additional transactions
and reprocess the authorizations. By clicking the traffic light
icon, you can assign full authorization for the hierarchy level
for all unmaintained fields.
- Red traffic light icons indicate that there are organizational
levels that do not yet have values. You can enter or change
these values by choosing Org. levels....
- If you want additional functions in the tree display, such as to
copy or summarize authorizations, choose Utilities -> Settings
and select the appropriate option.
- Generate an authorization profile for the authorizations by
choosing Generate.
- Enter a name for the authorization profile in the next dialog
box, or use the valid name in the customer namespace that is
proposed.
- Exit the tree display once the profile is generated.
- If you change the menu selection and call up the menu display
for the authorizations again, the system tries to mix the
authorizations for the newly added transactions with the
existing authorizations. This may mean that the traffic light
icons turn yellow, as new incomplete authorizations appear in
the tree display. You need to either manually assign values to
these, or delete them.
- You can delete an authorization by first deactivating it and
then deleting it.
When will you use authorization templates (spool display and print, and what more)?
- General authorizations such as spool display and print are not
usually stored with transactions. For this purpose, you can add
authorization templates to the existing data. To do this, choose
Edit -> Insert authorizations -> From template... and choose one
of the templates (for example, SAP_USER_B Basis authorization
for application users or SAP_PRINT Print authorization).
Alternatively, you can create a separate role for these general
authorizations whereby the overview is much clearer.
Step 5
On the Users tab, assign the users to the role.
- The system displays the menu options for the role in the Session
Manager as the user menu for the users assigned.
- Otherwise, the generated authorization profiles are
automatically entered in the user master records when you
perform the User master record comparison. To do this, choose
Compare users on the Users tab page and choose Full comparison.
- If you do not restrict the period of the assignments and use the
default period (current date to 12.31.9999), no further action
is necessary.
Purpose of PFCG_TIME_DEPENDENCY report
If you make any other time restrictions, you need
to schedule report PFCG_TIME_DEPENDENCY to run daily. This
report automatically updates the user master records. You must
also schedule this report if you are using Organization
Management.
Caution
Never enter the generated authorization profiles directly in the
user master records, as is the case with authorization profiles that
are created manually. You can only link generated profiles and users
by assigning the corresponding role to the users, and then
performing a user master record comparison. During the comparison of
the user master records, the profiles for the role are entered for
all users of the role.
Step 6
To transport the role to another system, you must enter the role in
a transport request.
- To do this choose Role -> Transport. You can now specify whether
or not the user assignment should also be transported.
- The authorization profiles are transported unless you have
explicitly specified that you do not want to transport the
profiles.
- After the import into the target system, you have to perform a
complete user master comparison again for the imported roles.
You can start this comparison manually or use report
PFCG_TIME_DEPENDENCY to execute it automatically, if the report
is scheduled to run periodically in the target system.
SAP PFCG Create a role
1. Go to Tcode PFCG
2. Enter New Role Name you want to create
3. Click "Role" button
4. Describe the Role in "Description" field
5. Click "Menu" tab
6. Click "Transaction" button to add Tcode
7. Click
8. Click "Authorizations" tab
9. Click "pencil" button to change authorization
When you click on company code, you get the below screen to select a company. I searched inr and selected Indian comp
Assign full auth and save
10. Put "Org element value"
11. Save
12. Fill in the missing authorization
13. If We wish to give full authorization to this role , Hit the "check" button
This is the current BC_A Object class
And this is the whole roles list
14. Save the role.
15. Enter profile name.
(we can get auto generated profile name from system if we leave it blank).
16. Generate for authorization
17. Click "user" tab to assign role to relevant users
18. Click to make comparison of users
SAP Security Check indicators-SU24
Transaction SU24 maintains the USOBT_C and USOBX_C tables. These tables hold the relationships between the particular transaction and its authorization objects. It is possible to add or subtract the checks performed in the transaction by changing the appropriate flag.
The benefit of transaction SU24 occurs when transactions are added to or deleted from Role Groups using the Profile Generator.
When new transactions are added, the Profile Generator will add all authorization values maintained in SU24 for the transaction(s).
When deleting a transaction, the Profile Generator will remove all authorization values that are maintained in SU24 for the transaction.
Activities performed:
Check/Maintain Authorization Values
Addition of Authorization Object to tcode
Deletion of Authorization Object from tcode
Check Ind. | Proposal | Meaning | Explanation
Check | YS | Check/Maintained | The object will be inserted along with the values in the role. The object will be checked along with the values during runtime of the transaction.
Check | NO | Check | This object will not be inserted into the roles. A check on the object along with the values will be done during the runtime of the transaction.
Do not Check | NO | Do Not Check | The object will not be inserted into the roles and there will not be any check performed during runtime of the transaction.
Status Texts for authorizations
Standard: All field values in the subordinate levels of the hierarchy are unchanged from the SAP defaults
Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and has since been filled with a value
Changed: The proposed value for at least one field in the subordinate levels of the hierarchy has been changed from the SAP default value.
Manual: You maintained at least one authorization in the subordinate hierarchy levels manually (it was not proposed by the Profile Generator).
Effect of SU24 changes in Role Groups
Authorization objects are maintained in SU24 for a particular transaction code. When a transaction code is added to a role, only the authorization objects maintained for that tcode with check indicator Check and proposal value Yes are added to the role group.
1) Adding Tcodes to a role
When a new Tcode is added to a role
When a new tcode is added to a role, going in either change authorization data or expert mode provides the same result. All the authorizations maintained for the tcode at SU24 level are added to the role.
The program adds new standard authorizations for objects in the roles if the authorization default values contain objects that previously did not exist or only had authorizations in the status Changed or Manual.
A new standard authorization is not included if the authorization fields contain identical authorizations in the status Standard in both authorizations, and the fields maintained in the old authorizations are empty in the new standard authorization.
If there were already authorizations in the status Maintained (active or inactive) or Inactive Standard before the merge, the program compares the values and the maintenance status of all authorization fields to determine whether new standard authorizations must be extended.
Changing SU24 values for a tcode
If the authorization data is changed for any tcode in SU24 and tcode is already present in the role, then going in the expert mode with option read old data and compare with new data will only reflect the additional changes. Change authorization data will not pull the new data for the tcode maintained at SU24 level.
2) Removing Tcodes from the role
When you remove transactions from the role menu, this has the following effect on the authorizations.
A standard authorization for which the associated transaction was removed from the role menu is removed during the merge, unless at least one other transaction that remains in the menu uses the same authorization default value. This applies both for active and inactive standard authorizations.
Authorizations in the statuses Changed and Manual are not affected by the merge. They are therefore always retained.
In the Authorizations tab of a role are the authorisation objects and their values.
These value sets form the profile authorizations which get loaded into the user buffer. To help monitor and manage the authorization objects in the roles, each authorization object set has an associated status.
Standard: The authorization values in the role are the same as those configured in SU24 for the relevant transaction/s. When the relevant transaction/s is removed from the role menu, the corresponding authorization object/s are removed.
Maintained: Where an object has been maintained for a transaction in SU24, but the values are not fully defined, the object appears in the role with one or more empty fields. When these fields are updated then the object status is "maintained". As with objects in status "standard", removing the relevant transaction/s from the menu will result in the object/s being removed from the authorizations tab.
Changed: When the authorization object values are changed from the proposal values configured in SU24, the object status is "changed". This removes the link between the object and the related transactions. If you remove a menu transaction and the objects configured for it are in "changed" status, those objects will remain in the role. For this reason it is recommended that SU24 is configured correctly to remove the need to have authorization objects in "changed" status.
Manually: Authorization objects can be manually added to roles to provide additional authorization over and above that configured in SU24. As with authorization objects in "changed" status, there is no link to any menu transactions. When used correctly, manually added authorization objects can be very effective in situations where updating SU24 is not desirable. If not documented or managed correctly they can also facilitate authorization creep in a build.
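The removal behaviour described in questions 7 and 8 and in the status texts above (Standard and Maintained authorizations follow the menu, Changed and Manual ones stay, and a Changed S_TCODE keeps deleted transaction codes callable) can be modelled offline to review a role. This Python sketch is an added example, not SAP code and not part of the original notes; the Auth record, the SU24 dictionary and the ZT*/Z_OBJ_* names are constructed assumptions, and the merge is simplified (no wildcards, no organizational levels).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Auth:
    obj: str           # authorization object
    status: str        # Standard | Maintained | Changed | Manual
    values: frozenset  # field values (for S_TCODE: the transaction codes)

# Constructed SU24-style defaults: tcode -> (object, check indicator, proposal, values)
SU24 = {
    "ZT01": [("Z_OBJ_A", "Check", "YS", {"ACTVT=03"}), ("Z_OBJ_B", "Check", "NO", set())],
    "ZT02": [("Z_OBJ_A", "Check", "YS", {"ACTVT=03"}), ("Z_OBJ_C", "Check", "YS", {"ACTVT=02"})],
    "ZT03": [("Z_OBJ_D", "Check", "YS", {"ACTVT=01"})],
}

def proposals(menu):
    """Defaults pulled into a role: only check indicator Check with proposal YS."""
    return {(o, frozenset(v)) for t in menu for o, ind, prop, v in SU24.get(t, [])
            if ind == "Check" and prop == "YS"}

def merge(menu, old):
    """Simplified model of 'Read old status and merge with new data'."""
    prop = proposals(menu)
    prop_objs = {o for o, _ in prop}
    new = [Auth("S_TCODE", "Standard", frozenset(menu))]  # always refilled from the menu
    for a in old:
        if a.status in ("Changed", "Manual"):
            new.append(a)  # no link to the menu, so the merge never removes it
        elif a.obj != "S_TCODE" and ((a.obj, a.values) in prop or
                                     (a.status == "Maintained" and a.obj in prop_objs)):
            new.append(a)  # a transaction still in the menu uses the same default
    linked = {a.obj for a in new if a.status in ("Standard", "Maintained")}
    new += [Auth(o, "Standard", v) for o, v in sorted(prop, key=lambda p: p[0])
            if o not in linked]
    return new

def callable_outside_menu(menu, auths):
    """Transaction codes granted through S_TCODE that are no longer in the role menu."""
    granted = set().union(*(a.values for a in auths if a.obj == "S_TCODE"))
    return sorted(granted - set(menu))

# Constructed role: S_TCODE and Z_OBJ_C were edited away from their SU24 proposals.
OLD = [Auth("S_TCODE", "Changed", frozenset({"ZT01", "ZT02", "ZT03"})),
       Auth("Z_OBJ_A", "Standard", frozenset({"ACTVT=03"})),
       Auth("Z_OBJ_C", "Changed", frozenset({"ACTVT=*"})),
       Auth("Z_OBJ_D", "Standard", frozenset({"ACTVT=01"}))]
MENU = ["ZT01"]  # ZT02 and ZT03 were deleted from the menu
MERGED = merge(MENU, OLD)

if __name__ == "__main__":
    for a in MERGED:
        print(a.obj, a.status, sorted(a.values))
    print("callable but not in menu:", callable_outside_menu(MENU, MERGED))
```

Any transaction code this reports for a real role is the case question 8 addresses: bring S_TCODE back to Standard status and regenerate the profile.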