CA940-Development Authorization Concept

ADM940 SAP Authorization Concept. © SAP Región Sur. SAP R/3 Enterprise 4.7 • SAP Web Application Server 6.20. Appendix: Development of Authorization Elements.


Page 1: CA940-Development Authorization Concept

ADM940 SAP Authorization Concept

© SAP Región Sur SAP R/3 Enterprise 4.7 • SAP Web Application Server 6.20

Appendix: Development of Authorization Elements


SAP Región Sur

Argentina • Bolivia • Chile • Paraguay • Uruguay


SAP AG 2003

Appendix: Development of Authorization Elements

Appendix Content:

Authorization Elements Overview.

Authorization Fields.

Authorization Object.

Organization Level for Profile Generator.

Authority Checks.

Authorization Profile.

Access to Individual Tables and Views.

User Administrators.

Glossary.

Development of Authorization Elements

Appendix Content ..... 3

Authorization Elements Overview ..... 5
  Important Authorization Element Relationships ..... 6

Authorization Fields ..... 8
  Authorization Fields: Initial Screen ..... 9
  Authorization Fields: Create ..... 11

Authorization Object ..... 12
  Authorization Object: Authorization Object Class ..... 13
  Authorization Object: Initial Screen of List of Objects ..... 14
  Authorization Object: Create ..... 15
  Authorization Object: Create Documentation Object ..... 16
  Authorization Object: Defining Permitted Activities ..... 17

Organizational Level for Profile Generator ..... 18
  Organization Level Fields ..... 19
  Before Maintain ..... 20
  After Maintain ..... 21
  Maintain: Transactions SUPO_PREPARE and SUPO ..... 22
  Maintain: Program PFCG_ORGFIELD_CREATE ..... 23

Authority Checks ..... 24
  Authority Check: Overview ..... 25
  Authority Check: Assign Objects to Transactions ..... 27
  Authority Check: The ABAP Statement ..... 28

Authorization Profile ..... 30
  Authorization Profiles: Superuser ..... 31
  Authorization Profiles: End Users ..... 33

Access to Individual Tables and Views ..... 35
  Parameter Transaction (using SM30) ..... 36
  Necessary Authorizations to Access ..... 37
  Parameter Transaction (using SE16) ..... 38
  Necessary Authorizations to Access ..... 39

User Administrators ..... 40
  User Groups ..... 41
  Auxiliary User for User Group SUPER ..... 42

Glossary ..... 43

Authorization Elements Overview


Important Authorization Element Relationships

[Figure: relationship diagram of the authorization elements and the transactions that maintain them. Arrows distinguish direct relationships from indirect relationships. The labels recovered from the diagram are listed below.]

Element: maintained with

Domain: SE11 (Domain)
Data element: SE11 (Data type)
Authorization field: SU20
Authorization object: SU21 (List of Objects)
Authorization object class: SU21 (List of object classes)
Authorization: PFCG (Authorization); proposed automatically from tables USOBX_C and USOBT_C, or inserted manually
Authorization profile: PFCG (Authorization)
Role: PFCG; SU01 (Roles), SU10 (Roles); PFCG (Description for derived role; Roles for composite role)
User: SU01, SU10; PFCG (User)
Menu area: SE43, PFCG (Menu)
ABAP program (report): SE38; reached through SE93 (report transaction), PFCG (Menu), or SE43 (parameter transaction with START_REPORT)
Transaction: SE93, PFCG (Menu → Report)
View: SE11 (View); reached through SE93 (parameter transaction with SE16 or SM30)
Database table: SE11 (Database table); reached through SE93 (parameter transaction with SE16 or SM30)
Organizational level field: PFCG_ORGFIELD_CREATE

IMPORTANT TRANSACTIONS: For additional information, see transactions SU*, PF*, SM*.

PFCG: Role Maintenance (1)
PFUD: User Master Data Reconciliation: schedule PFCG_TIME_DEPENDENCY
RZ10: Maintenance of Profile Parameters
SA38: ABAP Reporting
SE11: ABAP/4 Dictionary Maintenance
SE12: ABAP/4 Dictionary Display
SE13: Technical Settings
SE16: Data Display/Maintenance (Data Browser)
SE38: ABAP Editor
SE43: Maintain Area Menu
SE54: Maintenance View
SE84: R/3 Repository Information System
SE93: Maintain Transaction Codes
SM30: Enhanced Data Display
ST01: System Trace
SU01: User Maintenance
SU01D: User Display
SU02: Maintain Authorization Profiles
SU03: Maintain Authorizations
SU10, SU12: User Mass Maintenance
SU20: Maintain Authorization Fields
SU21: Maintain Authorization Objects
SU53: Display Check Values
SU56: Analyze User Buffer
SUGR: Maintain User Groups
SUIM: User Information System

(1) In older releases, this description is Profile Generator or Activity Group Maintenance.

IMPORTANT TABLES: For additional information, use transaction SE11.

TACT: Activities
TACTZ: Valid activities for each authorization object
TBRG: Authorization groups (for tables and views)
TDDAT: Maintenance areas for tables
TPGP: ABAP/4 authorization groups
USOBT_C: Relation transaction / authorization object (customer)
USOBX_C: Check table for table USOBT_C
USR40: Table of illegal passwords

IMPORTANT REPORTS: For additional information about the SAP authorization concept, use transaction SE38 (see reports RSUSR*, PFCG*).

PFCG_ORGFIELD_CREATE: Create organizational level field for Profile Generator
PFCG_TIME_DEPENDENCY: User master data reconciliation
RSPARAM: Profile parameter overview

Authorization Fields


Authorization Field: Initial Screen

In authorization objects, authorization fields represent the values that are tested during authorization checks.

Authorization fields are stored in the R/3 transparent table AUTHX. This table is cross-client, so an authorization field name must be unique in the whole system, because it must be unique in that table.

To maintain authorization fields, choose Tools → ABAP Workbench → Development → Other Tools → Authorization Objects → Fields, or execute transaction SU20. The initial screen shows:

• A toolbar with the following buttons for maintaining authorization fields:

- Create: adds a new authorization field to table AUTHX.

- Display: displays the data of an existing authorization field.

- Find: searches for an authorization field in the Authorization check fields list.

- Change: changes the data of an existing authorization field.

- Delete: deletes an existing authorization field. An authorization field that is used in an authorization object cannot be deleted.

• The Authorization check fields list: displays all authorization fields in the system, always in alphabetical order.


Authorization Field: Create

To create an authorization field, press the Create button in the previous screen. Then, in the screen above:

• Enter the name of the field (Field name). Field names must be unique; SAP recommends that the name begin with the letter Y or Z.

• Assign a data element from the ABAP Dictionary to the field (Data element). The data element gives the authorization field its display description and its domain; for this reason SAP recommends creating a dedicated data element for a new authorization field. After you press Enter, the domain linked to the entered data element is displayed.

• If desired, enter a check table, value table or search help for the possible entries (field Table Name in the Maintenance Dialog for Authorization Values section). This connection provides the possible field values. Value ranges can also be defined through the domain with which the field is associated.

• Finally, press the Save button and exit with the Back button.

In the initial screen, you can find the new authorization field with the Find button.

Authorization Object


Authorization Object: Authorization Object Class

For documentation purposes, authorization objects are classified into authorization object classes (or simply object classes). Each authorization object must be assigned to an object class when it is created.

To maintain object classes and authorization objects, choose Tools → ABAP Workbench → Development → Other Tools → Authorization Objects → Objects, or use transaction SU21. The system then displays the list of existing object classes (see the background screen above).

• Object classes are organized according to the components of the system. Before you can create a new authorization object, you must define the object class for the component in which you are working. If you do so, select class names that begin with Y or Z to avoid conflicts with SAP names.

• The authorization class is cross-client.

• To create a new authorization class, press the Create button. The front window shown above appears. Here you must define:

- An authorization class ID (Object class);

- A description (Text).

• To save, press the Save button.

• To display the list of authorization objects of a specific authorization class, select that class in the List of Object Classes screen (or double-click it).

Authorization Object: Initial Screen of List of Objects

For each authorization class, a list of authorization objects is displayed (2):

• To create a new authorization object, press the Create button;

• To change an existing authorization object, press the Change button;

• To delete an existing authorization object, press the Delete button;

• To display the data of an existing authorization object, press the Display button;

• To see the where-used list of an existing authorization object, press the Where-used list button;

• To maintain the documentation object of an existing authorization object, press the Documentation button;

• To regenerate the standard profile SAP_ALL, press the Regenerate SAP_ALL button.

(2) In our example (screen above), this list is empty because ZUSR is a new authorization class.


Authorization Object: Create

CREATING AND CHANGING AUTHORIZATION OBJECTS: To create an authorization object, press the Create button in the previous screen. A new modal window appears: Create authorization object. The following information must be entered:

• Object: the authorization object ID (or technical name). An authorization object is cross-client, so the name must be unique in the whole system.

• Text: a description of the object (3).

• Authorization fields: here you specify the fields of the new object. These fields can be created with transaction SU20, or you can use standard authorization fields. Note that when creating authorization objects, the structure of the object must be planned exactly, because changes to the structure are very complicated (4).

(3) In some cases SAP recommends including the technical name somewhere in this description, because some reports (such as transaction SU02 for manual authorization profile management) display only this description and not the technical name.

(4) If you want to remove fields from the object, the whole authorization object must be deleted and recreated; you can add authorization fields to the object if the object is no longer used. Only then can the corresponding fields accept data.


Authorization Object: Create Documentation Object

You can create detailed documentation for the authorization object. In the previous screen, press the Create object documentation button and the screen above appears.

• In this screen you can:

- Describe where the authorization object is used and what it means.

- Describe each authorization field.

- Describe the permitted values for every authorization field.

- Document the permitted activities if you are using the authorization field ACTVT.

- Add a reference to the authorization object in your application documentation.

• To activate the new documentation, press the Activate button, then press the Back button to exit.

If you want to change the authorization fields of an object, this is only possible after all authorizations that use the object and all calls of the AUTHORITY-CHECK statement for it have been deleted.


Authorization Object: Defining Permitted Activities

Permitted activities button: if you add the Activity authorization field (ACTVT), the Permitted activities button appears. In this step you specify which activities are permitted for the ACTVT field in the authorization object. These activities are then offered as possible entries when authorizations are created.

To maintain the permitted activities, press the Permitted activities button and mark the activities in the Define Values screen that appears. In our example, the values "01" (Create or generate), "02" (Change), "03" (Display) and "06" (Delete) are permitted.

Automatic conversion checkbox: if the authorization object includes a setting permitting automatic conversion, the conversion is executed when authorization data is entered that matches the conversion attributes of the corresponding authorization field.

This means that when creating authorizations, a number can be entered directly (for example "3" instead of "0003"). When the authorizations are saved, the number is automatically converted to "0003". This is necessary because the AUTHORITY-CHECK statement checks against the value "0003" (5).

To save, press the Save button (6).

(5) This property applies to any alphanumeric authorization field, not only to the ACTVT (Activity) field.

(6) In some systems the modal window Create authorization object may remain in the foreground. Press the Cancel button and the window disappears. However, the new authorization object (ZUSERNAME in our example) is not yet displayed in the List of Objects of the authorization class, because transaction SU21 does not refresh automatically. Restart transaction SU21 and select the ZUSR object class again; ZUSERNAME now appears in the list, as in the screen above.

Organizational Level for Profile Generator


Organization Level Fields


The current maintenance status of the authorizations at the various levels is shown by traffic lights:

• Green: all fields below this level have been supplied with values. Check whether the values given are appropriate.

• Yellow: below this level there is at least one field (but not an organizational level) for which no data has been entered.

• Red: below this level there is at least one field for which no organizational level has been maintained.

Sometimes it is necessary to convert common authorization fields into organizational fields, called organizational level fields.

Before Maintain

After Maintain

Maintain: Transactions SUPO_PREPARE and SUPO

Maintain: Program PFCG_ORGFIELD_CREATE

Authority Checks


Authority Check: Overview

[Figure: flowchart of the authority checks performed at system runtime when an R/3 transaction is started. Is the transaction code valid? (check of table TSTC) No: ERROR. Is the transaction locked by the system administrator? (check of table TSTC) Yes: ERROR. Is the user authorized to start the transaction? (authorization object S_TCODE is used here) No: ERROR. Is an authorization object assigned to the transaction code? (check of table TSTCA) Yes: Does the user have the necessary authorization? (any authorization object can be used here) No: ERROR. ABAP program: Does the user have the corresponding authorization? (the ABAP statement AUTHORITY-CHECK is used here with any authorization object) Yes: Continue; No: ERROR or Warning.]

When a transaction is started, a system program executes various checks to ensure that the user has the correct authorizations (7):

• Is the transaction code valid? The system checks table TSTC: if the answer is negative, the check fails.

• Is the transaction locked by the system administrator (8)? The system checks table TSTC: if the answer is positive, the check fails.

• Is the user authorized to start the transaction? The authorization object S_TCODE (Transaction start) contains the field TCD (Transaction code). The user must have an authorization containing a value for the transaction code; if not, the check fails.

• Is an authorization object assigned to the transaction code? If yes, is the user authorized? If the user does not have an authorization for the corresponding authorization object, the check fails.

(7) All checks are executed internally with the ABAP statement AUTHORITY-CHECK.

(8) To lock or unlock transactions in the entire system, use transaction SM01.


If one of the above checks fails, the transaction is not started and the system displays an error message.

If none of the above checks fails, the transaction is started, and the ABAP program called by the transaction usually performs further authorization checks, triggered by the AUTHORITY-CHECK statement. For each authority check in the program, the programmer can specify:

• The authorization object used and the required values for each authorization field;

• The reaction of the program if it detects an authorization fault.


Authority Check: Assign Objects to Transactions

To assign an authorization object to a transaction, use transaction SE93 or choose Tools → ABAP Workbench → Development → Other Tools → Transactions (9). In the screen above:

• Enter the object ID in the Authorization object field.

• Press the Values button; the modal window Values of Check Object appears, where you can define a single value for each authorization field (10).

• To save, press the Save button.

(9) If you are creating a new transaction, enter the transaction name and press the Create button; in the Create Transaction window that appears, enter the required information and press Continue (Enter). The window above then appears.

(10) In this example, a user is authorized to start transaction ZUSERNAME only if his user master record has an authorization for object ZUSERNAME with the field USERNAME set to "USERNAME" and the field Activity (ACTVT) equal to "03" (Display).


Authority Check: The ABAP Statement

To maintain an ABAP program, use transaction SE38 or choose Tools → ABAP Workbench → Development → User interface → ABAP Editor (11).

In the screen above, the report ZUSERNAME can show two possible messages:

• "You are not authorized to display your USERNAME": if the user does not have the authorization needed to display his own username, that is, if he has no authorization matching what the AUTHORITY-CHECK statement demands.

• "Your USERNAME is MASTER": if the user MASTER has an authorization to display his own username.

(11) If you are creating a new ABAP program, enter the program name and press the Create button; in the ABAP Program attributes window that appears, enter the required information and press Save (Enter). The window above then appears.


The AUTHORITY-CHECK statement checks whether a user has the appropriate authorization. To do this, it searches the authorization profiles specified in the user master record to see whether the user has an authorization for the authorization object specified in the statement.

If the authorization is found and it contains the correct values, the check is successful (12).

(12) In this program, a user is authorized to display his own username only if his user master record contains an authorization based on object ZUSERNAME with the field USERNAME set to his own username (that is, the sy-uname value) and the field Activity (ACTVT) equal to "03" (Display).
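The report that produces the two messages described on the previous pages, written out here as an added example; it is not the program listing from the course material. The object name ZUSERNAME, its fields USERNAME and ACTVT, the activity value "03" and the two message texts are the ones the appendix uses; the handling of the other return codes is an addition for illustration.

```abap
*&---------------------------------------------------------------------*
*& Report ZUSERNAME (added example, not the course's own listing)
*& Displays the current user's name only if the user master record
*& holds an authorization for object ZUSERNAME with
*& USERNAME = the current user and ACTVT = '03' (Display).
*&---------------------------------------------------------------------*
REPORT zusername.

" Customer authorization object and activity value used in this appendix.
CONSTANTS: gc_object   TYPE xuobject   VALUE 'ZUSERNAME',
           gc_activity TYPE activ_auth VALUE '03'.

START-OF-SELECTION.
  " The statement searches the authorizations in the user's profiles;
  " the field values given here must match what was maintained in PFCG
  " for object ZUSERNAME (USERNAME = sy-uname, ACTVT = '03').
  AUTHORITY-CHECK OBJECT gc_object
    ID 'USERNAME' FIELD sy-uname
    ID 'ACTVT'    FIELD gc_activity.

  CASE sy-subrc.
    WHEN 0.
      " Authorization found with matching values: show the user name.
      WRITE: / 'Your USERNAME is', sy-uname.
    WHEN 4.
      " No matching authorization. Terminating with an error message is
      " the "reaction of the program" that the programmer chooses here.
      MESSAGE 'You are not authorized to display your USERNAME' TYPE 'E'.
    WHEN OTHERS.
      " Other return codes point to a configuration problem rather than a
      " missing authorization, e.g. the object does not exist (12) or a
      " field name does not belong to the object (24). Fail closed.
      MESSAGE 'Authorization check could not be performed' TYPE 'E'.
  ENDCASE.
```

Run as transaction ZUSERNAME, the S_TCODE check and the check of the object assigned in SE93 happen before this program starts; the AUTHORITY-CHECK inside the report then decides only what the report displays. Treating every non-zero sy-subrc as a failure keeps a mis-named field or a missing object from silently granting access.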

Authorization Profile


Authorization Profile: Superuser

The SAP System contains predefined profiles for superusers:

• SAP_NEW: you assign this profile to users who are to have access to all currently unprotected components. The SAP_NEW profile ensures upward compatibility of authorizations: users are not inconvenienced when a release or update introduces new authorization checks for functions that were previously unprotected.

• SAP_ALL: you assign this profile to users who are to have all SAP authorizations, including superuser authorization. After setting up an authorization object, or after updating your system, you can regenerate profile SAP_ALL so that it again has full authorization for all authorization objects in the entire system.


If a user has only the SAP_ALL profile, executing transaction ZUSERNAME may still produce an error message (such as "Authorization Failed"). This happens because the existing SAP_ALL has full authorization only for each standard authorization object of the system, and not for a customer authorization object such as ZUSERNAME (see the ZUSERNAME transaction on the previous page). To correct this, you must regenerate SAP_ALL.

To regenerate SAP_ALL, press the Regenerate SAP_ALL button in the initial screen of transaction SU21 or in the List of Objects screen of an object class (as in the screen above), and then press Yes in the Generate SAP_ALL profile window that follows.

After regeneration, a new full authorization for object ZUSERNAME has been added to the SAP_ALL profile.


Authorization Profile: End Users

It is not recommended that an end user has a profile like SAP_ALL or SAP_NEW. SAP recommends creating specific profiles for each activity assigned to a user, and using the Profile Generator to create new profiles. To use this tool, execute transaction PFCG or choose Tools → Administration → User Maintenance → Role Administration → Roles.

In the screen above (13), the definition of an authorization profile is shown with its two authorizations, each for a specific authorization object (14):

• S_TCODE: this authorization permits any user with the profile to start transaction ZUSERNAME.

• ZUSERNAME: this authorization can be understood as two independent authorizations:

- With the value "USERNAME" in the field User name and "03" in the field Activity: permits any end user with the profile to start transaction ZUSERNAME, because this object is assigned to that transaction. It also permits a user with the username USERNAME (if one exists) to see his own username through the ABAP program ZUSERNAME.

- With the value "JUNIOR" in the field User name and the value "03" in the field Activity: allows the user JUNIOR to see his own username using the ABAP program ZUSERNAME.

(13) To display the window above, enter the role name in the initial screen of the Profile Generator; in the window that appears, select the Authorizations tab and press the Expert mode for profile generation button.

(14) Assume that transaction ZUSERNAME calls the ABAP program ZUSERNAME, as in the previous pages.

Access to Individual Tables and Views

Page 36: CA940-Development Authorization Concept

ADM940 SAP Authorization Concept

36 SAP R/3 Enterprise 4.7 • SAP Web Application Server 6.20

SAP Región Sur

Parameter Transactions (using SM30)


Necessary Authorizations to Access


Parameter Transactions (using SE16)


Necessary Authorizations to Access


User Groups

[Figure: user groups and their members. SUPER: SAP*, DDIC, …, VHYA2HWR. ADM: ADMGR1, ADMGR2, …, ADMGRx. GR1 … GRx: FI_01, FI_02, …, FI_##; HR_01, HR_02, …, HR_##.]

n User group SUPER for super users or special users:

• Only super users (profile SAP_ALL),

• System administrators,

• Communication users (for example SAPCPIC, the user for CUA or TMS),

• Any critical user (for example, the auxiliary user for user group SUPER).

n User group ADM for administrator users:

• Authorization administrators.

• User administrators: can only maintain end users (not users in user group SUPER or ADM).

• Role/profile administrators:

ð Can only display or maintain profiles/roles that are not user administration profiles/roles.

ð Can only assign non-administration profiles/roles, and only to end users.

n Other user groups for non-critical users.


Auxiliary User for User Group SUPER

[Figure: the same user group diagram as above, with the auxiliary user VHYA2HWR in user group SUPER.]

n Anyone can lock a super user such as SAP* or DDIC.

• Why? Because these are well-known names;

• How? Simply by trying to log on with these users.

n Solution: create an auxiliary user for unlocking purposes. For this user:

• User ID: any unknown, cryptic name. Example: VHYA2HWR.

• Profile:

ð Permits starting transactions SU10 or SU01 only (using authorization object S_TCODE),

ð To lock, unlock and change the initial password only for super users (activity 05 and user group SUPER in authorization object S_USER_GRP).
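As an added check (constructed here, not part of the course material), a small Python lint that compares an auxiliary user's profile with the restrictions listed above and reports anything broader. The field names TCD, CLASS and ACTVT are SAP's own; the policy table and the sample profiles are constructed.

```python
from typing import Dict, List, Set, Tuple

# One authorization: (authorization object, {field: set of permitted values}).
Authorization = Tuple[str, Dict[str, Set[str]]]

# What the course allows the auxiliary user: start SU01/SU10 only, and
# activity 05 (lock, unlock, change password) only for user group SUPER.
# TCD, CLASS and ACTVT are SAP's field names; the policy table is constructed.
AUXILIARY_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "S_TCODE": {"TCD": {"SU01", "SU10"}},
    "S_USER_GRP": {"CLASS": {"SUPER"}, "ACTVT": {"05"}},
}


def lint_auxiliary_profile(profile: List[Authorization]) -> List[str]:
    """Return one finding per value that exceeds the policy; an empty list
    means the auxiliary user has exactly what the course describes.
    Wildcard characters are flagged rather than expanded."""
    findings: List[str] = []
    for obj, fields in profile:
        policy = AUXILIARY_POLICY.get(obj)
        if policy is None:
            findings.append(f"{obj}: object not needed by the auxiliary user")
            continue
        for field, values in fields.items():
            permitted = policy.get(field)
            if permitted is None:
                findings.append(f"{obj}/{field}: field not covered by the policy")
                continue
            for value in sorted(values):
                if "*" in value or "+" in value:
                    findings.append(f"{obj}/{field}: wildcard {value!r} instead of a fixed value")
                elif value not in permitted:
                    findings.append(f"{obj}/{field}: {value!r} not in {sorted(permitted)}")
    return findings


# Constructed profiles: the minimal one from the course, and one that has drifted.
MINIMAL: List[Authorization] = [
    ("S_TCODE", {"TCD": {"SU01", "SU10"}}),
    ("S_USER_GRP", {"CLASS": {"SUPER"}, "ACTVT": {"05"}}),
]
DRIFTED: List[Authorization] = [
    ("S_TCODE", {"TCD": {"SU01", "SE16"}}),
    ("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"02", "05"}}),
]

if __name__ == "__main__":
    for name, prof in (("MINIMAL", MINIMAL), ("DRIFTED", DRIFTED)):
        print(name, lint_auxiliary_profile(prof) or ["ok"])
```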


Glossary

Glossary Content:

Terms commonly used in the context of this course.

Further information: in your SAP system, choose Help→ Glossary.

n ABAP Advanced Business Application Programming.

Programming language of the R/3 System.

n ABAP Dictionary Central storage facility containing metadata (data about data) for all objects in the R/3 System.

The ABAP Dictionary describes the logical structure of application development objects and their representation in the structures of the underlying relational database. All runtime environment components such as application programs or the database interface get information about these objects from the ABAP Dictionary.

The ABAP Dictionary is an active data dictionary and is fully integrated into the ABAP Workbench.

n ABAP Workbench SAP’s integrated graphical programming environment.

The ABAP Workbench supports the development of and changes to R/3 client/server applications written in ABAP. You can use the tools of the ABAP Workbench to write ABAP code, design screens, create user interfaces, use predefined functions, get access to database information, control access to development objects, test applications for efficiency, and debug applications.

n Activation Process that makes a runtime object available. The effect of activation is to generate runtime objects, which are accessed by application programs and screen templates.

n Activity Group Role.

n Authorization Authority to execute a particular action in the SAP System.

Each authorization references one authorization object and defines one or more permissible values for each authorization field listed in the authorization object.

Authorizations are combined in profiles, which are entered in a user's master record.

n Authorization Fields In authorization objects, authorization fields represent values for individual system elements which are supposed to undergo authorization checking to verify a user's authorization.

n Authorization Objects Structures of the SAP Repository that protect actions and access to data in the SAP system. The authorization objects are delivered by SAP and are present in SAP systems. To provide a better overview, authorization objects are divided into various object classes.

Authorization objects allow complex checks that involve multiple conditions that must hold for a user to perform an action. The conditions are specified in the authorization fields of the authorization object and are AND-linked for the check. An authorization object can include up to 10 authorization fields. Authorization objects and their fields have descriptive and technical names.

n Authorization Profile An authorization profile gives users access to the system. A profile contains individual authorizations, which are identified by the authorization name and one or more authorization objects.

If a profile is specified in a user master record, the user has all the authorizations defined in this profile.

n Client From a commercial law, organizational, and technical viewpoint, a closed unit within an R/3 System with separate master records within a table.

n Client-Dependent Specific only to one client. Settings in client-dependent tables relate only to the client that was accessed during the logon process. Such tables contain the client number in the table’s primary key. Client-dependent is a formerly used synonym for client-specific.

n Cross-Client Relevant for all clients in an R/3 System. Cross-client is synonymous with the formerly used term client-independent.


n CUA Central User Administration.

n Customer Development Additions to the standard, delivered SAP software using the ABAP Workbench. Customer developments involve creating customer-specific objects using the customer’s name range and namespace.

n Customizing Adjusting the R/3 System to specific customer requirements by selecting variants, parameter settings, etc.

n DEV Development System

System in a system landscape where development and Customizing work is performed.

DEV contains the SAP standard clients, a development and Customizing Client (CUST), a Sandbox Client (SAND), and Test Client (TEST). Since the Test Client usually does not contain realistic application data, only unit tests can be conducted in this client.

n Development Class A grouping of R/3 Repository objects belonging to a common area. Unlike the objects in a change request, the grouping is logical rather than temporal.

The development class is assigned a transport layer to ensure that all objects have the same consolidation route.

n Local Change Request Change request that cannot be transported to other R/3 Systems.

n Local Object A Repository object assigned to a local development class such as the development class $TMP.

Local objects are local to the R/3 System on which they are created and cannot be transported.

n Master Data Master data is a type of application data that changes infrequently, but is required for the completion of most business transactions.

Examples of master data include lists of customers, vendors, and materials, and even the company’s chart of accounts.

n Namespace Set of all names that satisfy the specific properties of the namespace.

A namespace is defined by a prefix SAP provides to the customer or complementary software partner.

n Nametab A Nametab is the runtime object of a table.

The runtime object contains all the information stored in the ABAP Dictionary in a format that is optimized for the application programs.

n PRD Production System.

System that contains an enterprise’s active business processes.

This is where “live” production data is entered.

PRD usually contains only the Production Client (PROD) and the SAP standard clients.

n Profile Generator Automatically generates an authorization profile based on the activities in an activity group. Use transaction code PFCG.

n QAS Quality Assurance System.

System in which final testing is carried out. Tested, stable development objects and Customizing settings are transported into the quality assurance system from the development system at times defined for final testing. After verification and sign-off, development objects and Customizing settings are delivered to the production system.

QAS includes a Test Client (QTST) and a Training Client (TRNG).

n R/3 Real-time, Version Three.

Consists of a central instance offering the services DVEBMGS (Dialog, Update, Enqueue, Background Processing, Message, Gateway, Spool), a database instance, optional dialog instances offering the service D (Dialog), and optional PC front ends.

n R/3 Repository Central storage facility for all development objects in the ABAP Workbench.

These development objects include ABAP programs, screens, and documentation.

n R/3 Runtime Environment Set of programs that must be available for execution at runtime.

The ABAP interpreters in the runtime environment do not use the original of an ABAP program. Rather, they use a copy generated once only during runtime (early binding).

Runtime objects, such as programs and screens, are automatically regenerated (late binding) when a time stamp comparison between the object and the ABAP Dictionary detects a difference.

n Release The process by which the owner of a change request or task indicates that the contents of the change request or task have been unit tested. Release of a change request of either type Transportable or Customizing initiates the export process.

n Return Code Value that indicates whether a tool (either within R/3 or on the operating system level) ran successfully, with warnings, or with errors.

n Role Collection of activities that cover a specific work area. For example, the activity group "accounts payable accounting" contains all the transactions and reports that accountants need to perform their daily tasks.

You can create a user menu for an activity group (role). You assign transactions, reports, and Internet/intranet links to the user menu. This menu is displayed when users assigned the activity group log on to the system.

Authorizations are automatically granted for the activities included in the activity group. These authorizations can be changed.

n SAP AS SAP Application Server.

n SAP BW SAP Business Information Warehouse.

n SAP CRM Customer Relationship Management.

n SAP EP SAP Enterprise Portal.

SAP EP is the component that brings all of these various components together. Via the portal, the end user has access to the backend systems using a single user interface, the Portal Client.

n SAP ITS SAP Internet Transaction Server.

Gateway between the R/3 System and the World Wide Web.

n SAP Web AS SAP Web Application Server.

The SAP Web AS is a “normal” application server that has been extended with a protocol handler called the Internet Communication Manager that processes the HTTP requests.

n System Landscape The R/3 Systems and clients required for a company’s implementation and maintenance of R/3.

For example, a common system landscape consists of a development system, a quality assurance system, and a production system.

n Transaction Code Succession of alphanumeric characters used to name a transaction, that is, a particular ABAP program in the R/3 System.

For example, Transaction VA01 (create customer order).

n User Master Data Logon and authorization information for R/3 users.

Only users who have a user master record can log on to a client in an R/3 System and use specific transactions.

n View Virtual table simultaneously displaying data from several real tables in the ABAP Dictionary.

When you create a table, you assign a key to it. However, the fields in the key may be inadequate for solving some problems, so you can generate a view from several tables or parts of tables.


n Workbench Change Request Change request for recording and transporting R/3 Repository objects and changed system settings from cross-client tables (Client-Independent Customizing).
