identity management v1


Upload: consistenttrading

Post on 24-Mar-2015


Page 1: Identity Management V1

ABAP – USR relationships (diagram)

Entities shown: Client; User; Types of users: Dialog, Service, Reference, Background, Communication; Group (a user can belong to a group); Administrator (a user who manages a group of users); Single Role; Composite Roles; Authorization profile; Object Class; Auth. object; Auth. field; Transactions.

Cardinalities marked on the diagram: M:N, 1:1, 1:n, 1:10, n:m. Note on the diagram: "This applies only when using SAP predefined profiles".

Transaction legend:
- PFCG – Role
- SUGR – User Group
- SU01 – User
- SU10 – User Mass Maintenance
- SUIM – User Information System
- SPRO – Implementation Guide
- SE93 – Copy transaction, create transaction
- SU24 – Authorization maintenance
- SU25
- PFUD – User Master comparison
- SUPC – Mass generation of profiles

Page 2: Identity Management V1

SAP user creation (flow)

Role creation (PFCG):
1) Assign Transaction (Menu tab)
2) Change Auth Data (Auth tab): auto-generated Auth. Profile name, Set Org. Values, Set Auth values
3) Generate
4) Assign User(s) (User tab)
5) User Comparison

User Creation (SU01)

Auth values by: 1) Choice list 2) SPRO 3) F1 4) SU03 5) help.sap.com, sdn.sap.com, service.sap.com 6) Google 7) Business User

Legend: SU01 – User creation; PFCG – Role creation; SU03 – Maintain Auth profiles – said to be replaced by PFCG

SU24 can be used to preset what auth object should be checked and what values go in the default auth object field values. Not used much in client locations.

Page 3: Identity Management V1

Typical USR creation at customer location

Role creation (PFCG): Copy SAP* role to Z/Y role and edit the copy
1) Change Auth Data (Auth tab): auto-generated Auth. Profile name, Set Org. Values, Set Auth values
2) Generate
3) Assign User(s) (User tab)
4) User Comparison

User Creation (SU01)

Auth values by: 1) Choice list 2) SPRO 3) F1 4) SU03 5) help.sap.com, sdn.sap.com, service.sap.com 6) Google 7) Business User

Legend: SU01 – User creation; PFCG – Role creation; SU03 – Maintain Auth profiles – said to be replaced by PFCG

SU24 can be used to preset what auth object should be checked and what values go in the default auth object field values. Not used much in client locations.

SUPC is for mass generation of authorization profiles. This was used in older versions predating PFCG.

Page 4: Identity Management V1

Authorization using HR Organization structure

At the start of PFCG make the following setting to be able to see the "Org. Mgt" button.

Role creation (PFCG): Copy SAP* role to Z/Y role and edit the copy
1) Change Auth Data (Auth tab): auto-generated Auth. Profile name, Set Org. Values, Set Auth values
2) Generate
3) Click Org. Mgmt. (User tab)
4) Click on create assignment
5) Select Org. level entity (e.g. Position, Job)
6) Click on indirect assignment
7) User comparison ….

The user assigned to the position/job in HR will be assigned the current role.

Legend: SU01 – User creation; PFCG – Role creation; SU03 – Maintain Auth profiles – said to be replaced by PFCG; SU24 – Authorization management; SUPC – Mass generation of authorization profile; SU53 – The last authorization error; ST01 – Trace authorization check

Page 5: Identity Management V1

PFCG – Assigning users by reference using Organizational Management

- Position exists; person assigned to position: NO; Infotype/subtype (105/0001); SAP User Id

- Position exists; Person assigned to position; 105/0001 defined (using PA30); SAP User Id: NO

- Position exists; Person assigned to position; 105/0001 defined (using PA30); SAP User Id defined (SU01)

Page 6: Identity Management V1

Disabling the authorization 'check' for HR and Basis transactions is not allowed when using SU24, but changing the auth field values is allowed. Duplicate Auth Objects cannot be added this way; to do this, manual entry in PFCG has to be used.

Screenshot: using SU24 to uncheck the auth object check (S_TRANSL) for PA30.

Page 7: Identity Management V1

Structural Authorization – to manage a person's infotypes

Review Org. Struct (PPOME)

Requirement: A user to maintain infotypes (PA30, PPOME?) for employees in her organization 'x' levels below and/or 'y' levels above

OOAC -> OOAW -> OOSP -> OOSB

1) Set "Struct Auth. Check" to 1 (OOAC)
2) Review Evaluation Paths (OOAW)
3) Create struct. Auth profile (OOSP)
4) Look up the SAP user id (105/0001) (PA30); create 105/0001 if non-existent (PA30)
5) Create/validate the SAP user defined in PA30 (105/0001) (SU01)
6) Associate user to Auth profile (OOSB)
7) Create profile for user, add PA30 and SU53 (PFCG)
8) Login as the new user and test PA30
9) Run PA30 with ST01 trace on and check for required authorization objects
10) Set the required Auth Objects using PFCG in the new profile
11) Run SU53, apply required authorization, run PA30, SU53 …. until no auth errors occur
12) Assign user by assigning role to the Org. Unit of the user
13) Exclude user from modifying own HR data (P_PERNR Auth. object); should not have any other P_PERNR other than the one above

<Dummy> in SU53 = *

SAP Library on Structured auth.

Page 8: Identity Management V1
Page 9: Identity Management V1

Structural Authorization – Additional Info: PPOME

OOAC – Structural Authorization Check setting: if you want authorization to be refused by default, set the main switch to 1 or 2, otherwise to 3 or 4. The following combinations are possible:
- Evaluate organizational unit / Reject authorization as default: 1
- Evaluate organizational unit / Grant authorization as default: 3
- Never evaluate organizational unit / Reject authorization as default: 2
- Never evaluate organizational unit / Grant authorization as default: 4

Screenshot (OOAC): click here and check 'id' to be displayed.

Page 10: Identity Management V1

Status codes are 1) Active 2) Planned 3) Submitted 4) Approved 5) Rejected

Periods are D – Key Date, M – Current month, Y – Current year, P – Past, F – Future

Flag for Excluded Structural Profiles:
- If not set: NCERTO can view org unit 50004515 and 3 levels lower in the hierarchy. The list shown when 'i' is pressed, and personnel not assigned to any org unit, will be displayed in PA30. NCERTO will be included in the list.
- If set: the list shown when 'i' is pressed will be excluded when using PA30, and personnel not assigned to any org unit. NCERTO will be included.

Clicking on 'i' should bring a finite/small list. If 'All' is in the auth profile column, the user does not have infotype 105/0001 defined, or the SAP user has not been created (SU01).

Screenshots: OOSP, OOSB

Structural Authorization – Additional Info OOSP, OOSB

OOSP fields:
- Additional filtering of the result set can be controlled by a custom function (ABAP, Java)
- Sequence number: there can be more than one row for the Auth profile
- Evaluation path: defined in transaction OOAW
- Object Type: defines the number entered in 'Object ID'
- Sign: if '+', the depth value applies below the object type; if '-', it applies above. Default is '+'
- Make sure the start date and end date are as required
- Depth of 3 covers only the department employees. Need to understand this better: the number given does not correspond to Org. Levels, in testing.

Page 11: Identity Management V1

Structural Authorization – Additional Info PA30 and SU53

Screenshot: the auth. check for PA30 failed.

The green tick should show for authorization checks. The HR struct check can show failure to reflect the personnel excluded by the structural auth defined in OOSP and OOSB (the exclude flag).

Page 12: Identity Management V1

The key transactions and programs to keep handy when working with structural profiles are:
- OOAC – activate structural authorization checks (this is configuration and transportable)
- OOSP – create structural profiles (also transportable)
- OOAW – create evaluation paths, which are used by structural profiles
- PO13 – position maintenance, where you assign profiles to positions (done in each system)
- RHPROFL0 – report, not a tcode: evaluates all the profile-to-position assignments, the holders of those positions, and the usernames associated with those holders, ultimately assigning profiles to the user; it will also create new users in batch for you
- OOSB – checks which users have which profiles (but not recommended as a way of directly assigning them)
- OOVK – creates relationships, which are used in evaluation paths
- RHBAUS02 and RHBAUS00 – create indexes for users with large structural authorizations, for performance reasons
- RHSTRU00 – display structures via evaluation path, for testing and development purposes

Transaction OOSP – Definition of Authorization Profiles (Table T77PR): Create the structural authorizations that you then assign to the administrator users in transaction OOSB. See: Definition of Structural Authorizations.

Transaction OOSB – Assignment of Profile to Users (T77UA): Assign the authorization profiles from transaction OOSP to the administrator users. See: Assignment of Structural Authorizations.

Page 13: Identity Management V1

Structural Authorization – Filters in the process (diagram)

AC_AW_SP_SB -> OOAC, OOAW, OOSP, OOSB

Master list – all personnel in client

Filter 1: filter down to the list defined in OOSP/OOSB (the 'A' list, shown when 'i' is clicked)

Filter 2: in OOSB, is the 'exclude' check box checked? Not checked – 'A' list included; checked – 'A' list excluded

Filter 3: Auth Object 'P_PERNR' field value ' ' – user of PA30 included / user of PA30 excluded ??????

Default addition: add all personnel not associated to an org. unit

Allow editing based on the check made in OOSP
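As an added illustration (not from these slides and not SAP code), the Python below models the filter chain described on pages 7, 10 and 13: an OOSP row walks the org tree from an object along an evaluation path with a sign ('+' below, '-' above) and a depth, OOSB unions a user's rows (the exclude flag subtracts instead), personnel with no org assignment are added by default, and P_PERNR keeps the user's own record out of the PA30 list. The org tree, profile rows and personnel numbers are constructed sample data, and reading depth as levels of the evaluation path is an assumption.

```python
# Added model of SAP HR structural authorization (OOAC/OOAW/OOSP/OOSB), not SAP code.
# Constructed org/staffing tree along one assumed evaluation path (what OOAW defines):
# org unit O -> subordinate O or position S -> person P.
ORG_TREE = {
    "O:50004515": ["O:50004520", "S:30000001"],
    "O:50004520": ["O:50004530", "S:30000002"],
    "O:50004530": ["S:30000003"],
    "S:30000001": ["P:1001"],
    "S:30000002": ["P:1002"],
    "S:30000003": ["P:1003"],
}
PARENT = {child: parent for parent, kids in ORG_TREE.items() for child in kids}

def oosp_row(root, sign="+", depth=0):
    """One OOSP row: objects reachable from root along the path. Sign '+' walks
    below the root, '-' above it (default '+'); depth 0 = unlimited, n = at most
    n levels (reading depth as path levels is an assumption)."""
    reached, frontier, level = {root}, [root], 0
    while frontier and (depth == 0 or level < depth):
        nxt = []
        for node in frontier:
            if sign == "+":
                nxt.extend(ORG_TREE.get(node, []))
            elif node in PARENT:
                nxt.append(PARENT[node])
        reached.update(nxt)
        frontier, level = nxt, level + 1
    return reached

def pa30_person_list(user, oosb_rows, all_persons, own_pernr=None):
    """OOSB rows (root, sign, depth, excluded): normal rows are unioned, rows with
    the exclude flag are subtracted. Persons with no org assignment are added by
    default; P_PERNR (modelled as 'not own personnel number') drops the user's own."""
    allowed, excluded = set(), set()
    for root, sign, depth, is_excluded in oosb_rows.get(user, []):
        (excluded if is_excluded else allowed).update(oosp_row(root, sign, depth))
    unassigned = {p for p in all_persons if p not in PARENT}
    visible = {p for p in all_persons if p in allowed or p in unassigned}
    visible -= excluded
    visible.discard(own_pernr)
    return visible

# Constructed sample: ADMIN1 sees org unit 50004515 and three levels below it;
# ADMIN2 sees the whole tree except the subtree under 50004520. P:1004 holds no position.
PERSONS = ["P:1001", "P:1002", "P:1003", "P:1004"]
OOSB = {
    "ADMIN1": [("O:50004515", "+", 3, False)],
    "ADMIN2": [("O:50004515", "+", 0, False), ("O:50004520", "+", 0, True)],
}
```

Calling pa30_person_list("ADMIN1", OOSB, PERSONS, own_pernr="P:1001") returns the two records that survive all three filters plus the default addition; with the exclude row, ADMIN2 loses the whole 50004520 subtree.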

Page 14: Identity Management V1
Page 15: Identity Management V1

HR – Entity relations (diagram)

Entities shown: Client; Company; Legal Person; Company Code; Business Area; Cost Center; Profit Centers; Credit Control Area; Line of business; Functional Areas; Personnel Area; Personnel Sub-Area; Employee Group; Employee Sub-Group; Organizational Unit; Position (VP of..); Job (VP); Person/Employee; Org. Key; Work Center; Infotype (105 – Communication); Sub-infotype (0001 – user id).

Relationship labels on the diagram: "holds", "is a", "does"; cardinalities 1, n and m.

Object types and keys: Org. Units O; Jobs C; Positions S; Cost centers K; Persons P

Legend: SPRO – Implementation guide; PA30 – Maintain HR Master; PPOME – Change Org. and staffing

Page 16: Identity Management V1

Position – another perspective

Page 17: Identity Management V1

User Creation (SU01)

Super User creation

Page 18: Identity Management V1

Out of the box clients and users

Client 000 – User SAP* – Is used during install, but its password is not 'pass' subsequently. If the user SAP* is deleted, we can log in again with SAP* and password "pass". To deactivate the special properties of SAP*, set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero (NEED TO CHECK THIS OUT ONCE MORE). If the parameter is set, then SAP* has no special default properties. If there is no SAP* user master record, then SAP* cannot be used to log on.

Client 001 – User DDIC – Maintainer of the data dictionary and software logistics. Do not delete. Manage the password.

Client 066 – User EarlyWatch – Used in EarlyWatch functions (performance and monitoring). Do not delete. Manage the password.

Page 19: Identity Management V1

ABAP User Types

Type – Purpose
Dialog – Individual, interactive system access.
System – Background processing and communication within a system (such as RFC users for ALE, Workflow, TMS, and CUA).
Communication – Dialog-free communication for external RFC calls.
Service – Dialog user available to a larger, anonymous group of users.
Reference – General, non-person related user that allows the assignment of additional identical authorizations, such as for Internet users created with transaction SU01. No logon is possible.

http://help.sap.com/saphelp_nw04/helpdata/EN/52/67119e439b11d1896f0000e8322d00/frameset.htm

Page 20: Identity Management V1

Central User Administration

Central system

Child system

ALE – Application Link Enabling

Application Link Enabling (ALE) is a technology to create and run distributed applications.

The IDoc interface exchanges business data with an external system. The IDoc interface consists of the definition of a data structure, along with processing logic for this data structure.

You need the IDoc interface in the following scenarios:
- Electronic data exchange (EDI)
- Connecting other business application systems (e.g. PC applications, external Workflow tools) by IDoc
- Application Link Enabling (ALE)

Central User Administration (CUA) system. With active Central User Administration, you can only delete or create child system users in the central system. You can change users that already exist in the child system, if the settings that you choose for the distribution of the data (transaction SCUM) allow this.

Page 21: Identity Management V1

User Management Engine – Java

Page 22: Identity Management V1

UME

Page 23: Identity Management V1

SAP Solutions (diagram)

- SAP ERP: Accounting (Financial accounting, Controlling), Logistics, HR
- CRM, SRM, SCM, PLM
- IS (industry solutions): SAP for Banking, SAP for Retail, SAP for Automotive, SAP for Chemical, SAP for Health care
- BI, BW
- Solution Manager – IT management

Page 24: Identity Management V1

PA30 – Creating infotype 105, subtype 0001 (user id)

Screenshot callouts: "This is the user id"; "This is a warning message. Press 'Enter' to ignore the warning".

Page 25: Identity Management V1