Authorisation Concept in SAP
Authorization Concept
The authorizations for users are created using roles and profiles. The administrator creates the roles, and the system supports him or her in creating the associated authorizations.
Fig 1.1 Authorization Concepts
Authorization objects allow complex checks in which several conditions must be met before a user may perform an action. An authorization is always associated with exactly one authorization object and contains the values for the fields of that authorization object.
An authorization is a permission to perform a certain action in the SAP System. The action is defined on the basis of the values for the individual fields of an authorization object. When a user logs on to a client of an SAP system, his or her authorizations are loaded in the user context. The user context is in the user buffer (in the main memory) of the application server.
When the user calls a transaction, the system checks whether the user has an authorization in the user context that allows him/her to call the selected transaction. Authorization checks use the authorizations in the user context.
All the authorizations are permissions. There are no authorizations for prohibiting. Everything that is not explicitly allowed is forbidden.
The user gets the necessary authorization through Roles. The role also contains the authorizations users need to access the transactions, reports, web-based applications and so on, contained in the menu.
The details of user administration are specified in my other BOK “User Administration in SAP R3 System”.
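[Fig 1.1: Object class: Basis Admin. Authorization object: User Master Maintenance: User Groups, with the fields Activity and User Group. Authorization A: Activity = Create, Change, Display; User Group = SUPER. Authorization B: Activity = Display; User Group = Finance.]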
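The check semantics described above, as an added Python illustration (a simplified model, not SAP code and not part of the original transcript), using authorizations A and B from Fig 1.1. The role names Z_USER_ADMIN and Z_FINANCE_DISPLAY, the "*" wildcard handling and all function names are assumptions.

```python
# Simplified model of the authorization check (added illustration, not SAP code).
from dataclasses import dataclass

WILDCARD = "*"  # assumption: "*" in a field means "all values"

@dataclass
class Authorization:
    name: str      # label from Fig 1.1 ("A", "B")
    obj: str       # the one authorization object this authorization belongs to
    values: dict   # field name -> set of permitted values

    def permits(self, obj, requested):
        """True only if this single authorization covers every requested field."""
        if obj != self.obj:
            return False
        for field, value in requested.items():
            allowed = self.values.get(field, set())
            if WILDCARD not in allowed and value not in allowed:
                return False
        return True

def build_user_context(roles, assigned_roles):
    """At logon, load the authorizations of all assigned roles into one list."""
    return [auth for role in assigned_roles for auth in roles[role]]

def authority_check(user_context, obj, requested):
    """Return the name of the granting authorization, or None (default deny)."""
    for auth in user_context:
        if auth.permits(obj, requested):
            return auth.name
    return None  # no authorization allows it, so it is forbidden

OBJ = "User Master Maintenance: User Groups"
AUTH_A = Authorization("A", OBJ, {"Activity": {"Create", "Change", "Display"},
                                  "User Group": {"SUPER"}})
AUTH_B = Authorization("B", OBJ, {"Activity": {"Display"},
                                  "User Group": {"Finance"}})
# Hypothetical role names (Z_ prefix = user-defined role).
ROLES = {"Z_USER_ADMIN": [AUTH_A], "Z_FINANCE_DISPLAY": [AUTH_B]}

def demo():
    ctx = build_user_context(ROLES, ["Z_USER_ADMIN", "Z_FINANCE_DISPLAY"])
    cases = [("Change", "SUPER"), ("Display", "Finance"),
             ("Change", "Finance"),   # A has Change, B has Finance: no single match
             ("Display", "Sales")]    # no authorization names this group
    return {c: authority_check(ctx, OBJ, {"Activity": c[0], "User Group": c[1]})
            for c in cases}

if __name__ == "__main__":
    for case, granted_by in demo().items():
        print(case, "->", granted_by or "DENIED")
```

In this model the ("Change", "Finance") request is denied even though the user holds Change in A and Finance in B, because all field values must be satisfied within one authorization.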
How to Create a new Role
There are two ways to create a new role:
Copy an existing role (SAP pre-defined role).
Create a new role, based on the business requirements.
Copy an existing role
You can use the user role examples just as they are delivered with the SAP System.
Prerequisites
Check the suitability of the roles delivered by SAP before you create your own roles. If you want to modify them, all you need to do is copy the SAP template (roles provided by SAP) and modify the newly created copy.
Procedure
Copying an existing role is described below.
Use the Copy Role icon.
To create a single role:
1. Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP Easy Access. You go to the role maintenance.
2. Choose the pushbutton Copy role.
3. Now select the appropriate role delivered by SAP as the source role and specify the user-defined role as the target role.
4. Now choose the pushbutton “copy all/ copy selectively.”
5. The new role has now been created successfully. We can edit the new role by pressing the pushbutton “change role”.
6. Based on the requirements, deselect/remove unnecessary authorizations from that SAP.
7. Now we can assign this new role to the user.
This reduces the risk of giving all the authorizations to a user.
For example, consider a business scenario where we want to create a role for a particular user who works in the sales department.
Creating a new role
Based on the business requirements, we have to create roles which are not provided by SAP.
Here in the above scenario, we have to assign only that particular role with which he will be able to create, change and view the Sales Order.
Procedure
The creation of a single role is described below.
To create a single role:
1. Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP Easy Access. You go to the role maintenance.
2. Specify a name for the role.
The roles delivered by SAP have the prefix 'SAP_'. Do not use the SAP namespace for your user roles.
3. To distinguish between the names of User defined roles and SAP predefined roles, we will prefix the role with ‘Z_’ or ‘Y_’.
4. Choose Create Role.
5. Enter a meaningful role description text. You can describe the activities in the role in detail. And save the role.
You may use an existing role as a reference.
Assign transactions, programs and/or web addresses to the role in the Menu tab.
6. The user menu which you create here is called automatically when the user to whom this role is assigned logs on to the SAP System.
7. You can create the authorizations for the transactions in the role menu structure in the authorizations tab.
To get the profile name for this particular role, press the pushbutton “propose profile names”. SAP will supply a profile name.
And press the pushbutton ‘Change Authorization Data’ for maintaining authorization data and generating profiles.
Profile generator
Specify the company code, division, sales organization, distribution channel etc., then press the Save button.
If we don’t specify any organization code, we will see a red dot against each Authorization Object. To avoid this, it’s better to specify the company code and the rest.
For each role, there will be some Authorization objects, User group, Activity and Tasks, which I had specified in fig 1.1.
However, all the authorization values must be manually checked and adjusted if required in accordance with the actual requirements and authorities.
[Figure: Profile generator, with the labels Authorization object, Activity, User group and Tasks]
Once we see that all the authorization objects are green, we can generate the profile for this particular role by pressing the ‘generate’ pushbutton.
With this we have successfully created a role.
Advanced Concepts
If you want to call the transactions in a role in another system, enter the RFC destination of the other system in the Target system field.
You should only use RFC destinations which were created using the Trusted System concept to guarantee that the same user is used in the target system. This is only necessary if you want to navigate via the Easy Access Menu in the SAPgui.
If you use the Workplace Web Browser, you can use any destination containing a logical system with the same name.
If the Target system field is empty, the transactions are called in the system in which the user is logged on.
You can also specify a variable which refers to an RFC destination. Variables are assigned to the RFC destinations in the transaction SM30_SSM_RFC.
To distribute the role into a particular target system, specify the target system (its Release must be 4.6C) and choose Distribute. This function is most useful when you use the Workplace.
You can create the user menu:
o from the SAP menu
You can copy complete menu branches from the SAP menu by clicking on the cross in front of it in the user menu. Expand the menu branch if you want to put lower-level nodes or individual transactions/programs in the user menu.
o from a role
This function copies a defined role menu structure in the same system into the current role. You can also copy the menu structure of a role delivered by SAP. Click on the menu branches and copy them.
o from an area menu
You can copy area menus (SAP Standard and your own) into a role menu. Choose an area menu from the list of menus and copy the transactions you want.
o Import from file
o Transaction
You can put a transaction code in the user menu directly.
o Program
This function puts programs, transaction variants or queries in the user menu. They need not be given a transaction code.
ABAP Report
Choose a report and a variant. You can skip the selection screen.
o Others
By choosing the Others button, you can add Internet addresses, links or files. When integrating files, you must use the storage paths instead of URLs. You can also specify BW Web Reports, and links to external mail systems and Knowledge Warehouse.
7. Save your entries.
Result
You have created a role. Role maintenance automatically creates the authorizations that are associated with the transactions specified in the menu tree. However, all the authorization values must be manually checked and adjusted if required in accordance with the actual requirements and authorities.