User Authorization
DESCRIPTION
SAP user authorization
TRANSCRIPT
SAP R/3 BASIS Training: User & Authorization
USER Concept (1)
The user concept is one of the basic parts of R/3 security.
After installing R/3 and creating a client, one of the first steps is to
create users in the new client.
Note that users are client-dependent:
a user in one client is not a user in another client.
Users are valid only in the client in which they were created or assigned.
The user name and the user attributes make up the user master record.
By default SAP comes with two super users:
SAP*
DDIC
These two super users are present in a newly installed R/3 system, but their nature differs slightly:
SAP* has all authorizations.
DDIC is authorized to administer the R/3 repository.
Transaction code for user maintenance: SU01. Navigation on the menu: Tools --> Administration --> User Maintenance --> Users
User Master Record (1)
A user master record consists of the following information:
User Name
Assigned Client
Password (Changeable in future)
Company Address
User Type
Start Menu
Logon Language
Personal Printer Setting
Time Zone
Activity Groups
Authorizations
Expiration Date
Default Parameter Setting
User master records are maintained through transaction code SU01.
A user can be assigned to many activity groups, and an activity group can be assigned to many users.
Password Restriction (1)
The password cannot be the word 'sap' or 'pass'.
The password cannot begin with any sequence of three characters
contained in the user ID. For example, user FREDSMITH cannot set a password
that starts with FRE, RED, EDS or SMI.
The password cannot begin with three identical characters, e.g. aaamy or bbbt.
When a user changes the password, none of the last five passwords may be reused.
Password Restriction (2)
The minimum password length is set by the parameter
login/min_password_lng (example value: 3).
The administrator sets the password expiration period with the parameter
login/password_expiration_time (number of days).
The number of incorrect logon attempts allowed for a user master record until
the logon procedure is terminated is set by the parameter
login/fails_to_session_end (example value: 3).
The number of incorrect logon attempts allowed for a user master record until
logon is rejected (the user is locked) is set by login/fails_to_user_lock
(example value: 3). The lock is released automatically at midnight.
The parameter rdisp/gui_auto_logout (in seconds) logs a user off automatically
if the SAPGUI session has been idle for the defined time. A value of 0 means
no automatic logout.
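The rules and parameters above, modelled as a small checker. This is an added example written for this page, not SAP code: the rule names, the PARAMS values (the page quotes 3 for the length and the two counters; the expiration value is assumed), the LogonCounter class and the assumption that classic R/3 compared passwords case-insensitively are all this example's own.

```python
"""Password-rule checker modelling the R/3 restrictions and parameters listed above.
Added example, not SAP code; the rule names, PARAMS values and LogonCounter are
assumptions made for this example."""

# Profile parameters named on the page (length and counters use the page's values)
PARAMS = {
    "login/min_password_lng": 3,
    "login/password_expiration_time": 90,   # days; assumed value
    "login/fails_to_session_end": 3,
    "login/fails_to_user_lock": 3,
}

FORBIDDEN_WORDS = {"SAP", "PASS"}  # the two words the page names


def password_violations(password, user_id, history=(), params=PARAMS):
    """Return the names of the rules a candidate password breaks (empty list = accepted).
    Classic R/3 treated passwords case-insensitively, so both inputs are uppercased
    first (assumption, see lead-in)."""
    pw, uid = password.upper(), user_id.upper()
    problems = []
    if len(pw) < params["login/min_password_lng"]:
        problems.append("too_short")
    if pw in FORBIDDEN_WORDS:
        problems.append("forbidden_word")
    # no 3-character sequence of the user ID may start the password
    # (FRE, RED, EDS, ... for FREDSMITH)
    triples = {uid[i:i + 3] for i in range(len(uid) - 2)}
    if pw[:3] in triples:
        problems.append("starts_with_userid_fragment")
    if len(pw) >= 3 and pw[0] == pw[1] == pw[2]:
        problems.append("three_identical_leading_chars")
    if pw in {h.upper() for h in history[-5:]}:
        problems.append("reuse_of_last_five")
    return problems


class LogonCounter:
    """Failed-logon bookkeeping for one user master record, per the two parameters."""

    def __init__(self, params=PARAMS):
        self.session_limit = params["login/fails_to_session_end"]
        self.lock_limit = params["login/fails_to_user_lock"]
        self.fails = 0
        self.locked = False

    def failed_attempt(self):
        """Returns 'locked', 'session_end' (logon dialog terminated, user may retry) or 'retry'."""
        self.fails += 1
        if self.fails >= self.lock_limit:
            self.locked = True
            return "locked"
        if self.fails % self.session_limit == 0:
            return "session_end"
        return "retry"

    def successful_logon(self):
        """A successful logon resets the failure count (assumption: classic behaviour)."""
        if self.locked:
            return False
        self.fails = 0
        return True

    def midnight(self):
        """The page: the lock is released at midnight."""
        self.fails = 0
        self.locked = False
```

Note that the user-ID rule only looks at the first three characters of the password; a user ID fragment later in the password is allowed by the rule as the page states it, which is why the check uses pw[:3] rather than a substring search.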
User sap* & DDIC (1)
The default installation of an SAP R/3 system includes two super users,
'DDIC' and 'SAP*'.
SAP* is created with the password '06071992'.
DDIC is created with the password '19920706'.
EARLYWATCH is created with the password 'SUPPORT'.
These default passwords are public knowledge and must be changed immediately after installation.
In a new client, SAP* exists with the default password 'pass' and unlimited access rights. SAP* is the only super user that does not require a user master
record, because its authorization is given by the system code. DDIC, in contrast,
has a user master record.
It is better to deactivate (lock) the user SAP* than to delete it: if the user master record of SAP* is deleted, the system falls back to the hard-coded SAP* with password 'pass' and full authorization.
User DDIC (for data dictionary) is the maintenance user for certain
installation and setup tasks.
•EARLYWATCH is used by SAP's EarlyWatch experts.
User sap* & DDIC (2)
Default users present after a new installation:
User        Clients
SAP*        000, 001, 066
DDIC        000, 001
EARLYWATCH  066
Create User Step 1
Use transaction code SU01 for user maintenance.
Choose the Create button to create a new user.
Create User Step 2
Enter the user information.
Create User Step 3
Enter the important data on this screen.
Create User Step 4
Choose a role from the menu.
Create User Step 5
The corresponding profile is added automatically.
Create User Step 6
User parameters can be set.
After entering all data, choose the Save button.
Create User Step 7
The user is created and 'Last changed by' is updated.
USER CREATION IS NOW COMPLETE.
Activity Group (1) or ROLE
•A role (activity group) is a collection of R/3 transactions, authorizations and additional objects.
•The administrator can create, display, change, copy and transport a role.
•Transaction code PFCG is used to maintain roles.
Composite Activity Group or Role
•Composite activity groups are made up of a collection of activity groups.
•Users assigned to a composite activity group are automatically added to the
contained activity groups during a user comparison.
•Composite activity groups themselves do not contain any authorization
data; the authorizations come from the single activity groups they contain.
USER Assignment
Users can be assigned to single activity groups or to composite activity
groups, which mostly represent job roles.
Users assigned to an activity group may execute the transactions,
reports or any other tasks in the activity group with the corresponding
authorizations.
Create Role Step 1
Use transaction code PFCG to maintain a role (activity group).
Choose the option Create.
Create Role Step 2
1. Enter the description.
2. Choose the option Menu.
Now, to create the role, choose Menu. The name of the user who created the role is displayed.
Create Role Step 3
To create the role, choose any one of the menu sources. One option or all options can be chosen at a time.
Create Role Step 4
We choose three entries from the SAP Menu according to our requirement.
Create Role Step 5
1. Our three selected entries appear on the role menu.
2. Next we choose Transaction.
Create Role Step 6
Assign the transaction codes using the button Assign Transaction.
Create Role Step 7
The chosen transaction codes appear on the role menu.
Create Role Step 8
1. Choose the Authorizations tab.
2. Choose the button 'Change authorization data'.
Create Role Step 9
1. Choose Range of values or Full Authorization.
Create Role Step 10
These authorizations are added to the role.
Create Role Step 11
Change the authorizations and save; the status colour changes.
Save the profile and give the name of the profile.
Create Role Step 12
The message 'Profiles created' is displayed.
Create Role Step 13
Assign the user to whom this role has to be assigned.
Choose the option 'User compare'.
Choose the option 'Complete compare'.
Create Role Step 14
Open the user to whom the role has been assigned.
Create Role Step 15
The assigned profile appears in the user's profile list.
Create Role Step 16
Again, create a role from another created role using PFCG: choose the option 'From other role'.
Create Role Step 17
Choose one role from the previously created or SAP-defined roles.
Create Role Step 18
Choose the options from the list.
Create Role Step 19
1. The chosen menu is copied to the role menu.
2. Now choose 'From area menu'.
Again, create a role from an area menu using PFCG.
Create Role Step 20
Choose one area menu, e.g. PC14.
Create Role Step 21
Choose the option 'Payroll'.
Create Role Step 22
The chosen option 'Payroll' is copied to the role menu.
Now perform Step 8 onwards (authorizations, profile generation, user assignment and user compare).
CREATE ROLE USING SPRO – Step 1
Use transaction code SPRO to create a new project.
Choose Goto --> Project Management.
CREATE ROLE USING SPRO – Step 2
All created projects are shown.
Choose Create to create a new project and give it a new name.
CREATE ROLE USING SPRO – Step 3
Enter the date here.
CREATE ROLE USING SPRO – Step 4
Specify the scope of the project: select the modules that are required, then choose the button to continue.
CREATE ROLE USING SPRO – Step 5
1. Select the option Generate Project IMG.
2. Choose this option.
3. Project creation starts in the background.
CREATE ROLE USING SPRO – Step 6
Project PROJ_TEST is created in the background.
CREATE ROLE USING SPRO – Step 7
Use transaction code PFCG to assign the authorizations related to a particular project.
Choose the Create option for a new role.
CREATE ROLE USING SPRO – Step 8
1. Choose the navigation Utilities --> Customizing Auth.
2. This screen appears.
3. Choose 'Add'.
4. On the screen that appears, choose 'IMG Project'.
CREATE ROLE USING SPRO – Step 9
Choose one project from the list, e.g. PROJ_TEST.
CREATE ROLE USING SPRO – Step 10
All transaction codes related to the project PROJ_TEST appear.
Now follow the method of role creation described above. After that, the role Z_NEW_AG_SPRO is created.
Use the transaction code SU53 (1)
A user tries to work with transaction code IL08 but is not authorized to do that job.
This message appears if the user has no authorization for the transaction code.
Use the transaction code SU53 (2)
Using transaction code SU53, we can find out which authorization is needed to perform the task. SU53 shows the last failed authority check of the user:
the missing authorization (the object, fields and values the check required), and
the available authorizations the user holds for that object.
Authorization structure (1)
[Figure: authorization hierarchy]
User Master Record
  |-- Profile / Composite Profile
        |-- Composite Profile (contains other profiles)
        |-- Authorization Profile
              |-- Authorizations (instances of an Authorization Object)
                    |-- Authorization Object
                          |-- Authorization Fields
Authorization (1)
The authorization system of SAP R/3 is the general term for all the technical and management elements used to grant access privileges to users and so enforce R/3 system security.
By assigning authorization profiles to a user, the administrator gives the user access to particular SAP objects.
Authorization profiles are groups of authorizations. Instead of giving each authorization to a user individually, the administrator assigns authorization profiles to the user.
Authorization profiles can be simple or composite; composite profiles contain other profiles.
Authorization profiles use an activation method: when authorizations or profiles are created or modified, they must be activated to become effective.
Profiles are assigned to users in the user master record.
Authorization (2)
Authorizations determine which activities a user can perform.
The system administrator cannot decide which business authorizations a user needs; it is up to the user department to decide which permissions the user should be given to carry out business tasks. The user department decides which authorizations the user needs, and the system administrator assigns them as requested.
Each authorization is based on an authorization object.
An authorization object consists of authorization fields and their possible values.
Because of the size of the R/3 system and its functional range, authorization objects are further divided into areas called object classes.
An authorization allows an R/3 task to be carried out based on a set of field values in an authorization object.
Authorizations specify single values or value ranges for each field.
ACTVT is an authorization field that is present in almost all authorization objects. Its standard values:
Activity : Meaning
01 : Create or generate
02 : Change
03 : Display
05 : Lock
06 : Delete
07 : Activate, generate
08 : Display change documents
11 : Change number range status
12 : Maintain and generate change documents
13 : Initialize number levels
16 : Execute
17 : Maintain number range object
21 : Transport
22 : Enter, include, assign
23 : Maintain
24 : Archive
33 : Read
34 : Write
36 : Extended maintenance
37 : Accept
40 : Create in DB
41 : Delete in DB
42 : Convert to DB
43 : Release
50 : Move
51 : MM: Initialize pe
59 : Distribute
60 : Import
64 : Generate
65 : Reorganize
68 : Model
70 : Administer
71 : Analyze
75 : Remove
78 : Assign
90 : Copy
A6 : Read with filter
A7 : Write with filter
A8 : Process mass data
DL : Download
UL : Upload
P0 : Accept CCMS CSM data
P1 : Edit CCMS CSM data
P2 : Maintain CCMS CSM methods
* : All possible values
Authorization (3)
We assign authorization values to these fields. The values of the fields decide which data can be accessed by the user to whom the authorization on this object is assigned.
FIELD                    VALUE
Customer type (CUSTTYPE) *
Activity (ACTVT)         02
* = all possible values; 02 = change (03 would be display only)
Authorization profile (1)
An authorization profile consists of a group of authorizations (instances of authorization objects), i.e. a group of access privileges.
Authorizations are not assigned directly to user master records. Instead they are assigned as authorization profiles.
Changing the contents of the authorizations inside a profile affects all users to whom that profile is assigned, once the change is activated.
A user's authorizations are loaded into the user buffer only at logon.
Changes therefore affect all users to whom the profile is assigned, but take effect for each user only at the next logon; a user who stays logged on keeps the old buffer. Remember this when removing authorizations in an emergency.
The number of profiles generated depends on the number of authorizations in each activity group.
A maximum of 150 authorizations fit into a profile. If there are more than
150 authorizations, an additional profile is generated.
Generated authorization profiles begin with T, e.g. T-SM-NEW1. When more than one profile is generated, the names are T-SM-NEW1_1, T-SM-NEW1_2, and so on.
Composite profile (1)
Composite profiles are sets of authorization profiles, both simple and composite.
A composite profile can contain an unlimited number of profiles.
Composite profiles are suitable for users who have different responsibilities or job tasks in the system.
Modifying any of the profiles in the list of a composite profile directly affects the access privileges of all users who have that composite profile in their user master record.
Authorization Object field (1)
Authorization fields represent values for individual system elements that are subject to authorization checking when a user's authorization is verified.
The activity field in an authorization object defines the possible actions that can be performed on a particular application object.
An authorization field can be, for example, a user group, a company code, a purchasing group, a development class, an application area or an activity.
For example, activity 03 always means Display. If an authorization contains two fields such as company code and ACTVT, with the value * for company code and 03 for ACTVT, a user holding this authorization can display, but only display, data for all company codes.
Not all authorization objects have the ACTVT authorization field.
Authorization Object (1)
An authorization object can contain a maximum of 10 authorization fields.
A user is permitted to perform a system function only after passing the check for every field of the authorization object, and all field values must be covered by the same authorization (values from two different authorizations are not combined).
Authorization objects are grouped into object classes belonging to different application areas. The classes limit the search for objects, making it faster to navigate among the many R/3 system objects.
SAP predefined authorization objects should not be modified or deleted, except when instructed by SAP support personnel.
Deleting or changing standard authorization objects can cause severe errors in the programs that check those objects.
For example:
MM_E is the object class Materials Management - Purchasing.
It contains the authorization object M_BEST_EKG for purchase orders (purchasing group in purchase order).
M_BEST_EKG consists of 2 authorization fields:
1. ACTVT, defining the user activity, with values '02' and '03'
2. EKGRP, defining the purchasing group, with values 'xyz' and 'abc'
With ACTVT 02 (change) and 03 (display), the user can change and display purchase orders only for purchasing groups 'xyz' and 'abc'. Since 01 is not among the values, the user cannot create purchase orders at all, and cannot touch orders of any other purchasing group.
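The check described in the last few sections, as an added example that is not SAP code: it models authorization objects with their fields, authorizations with single values, the '*' wildcard and ranges, simple and composite profiles, the user buffer filled at logon, and the AUTHORITY-CHECK rule that every requested field must be covered by one and the same authorization. The class names, the profile names Z_PURCH, Z_ALL_JOBS and Z_SPLIT and the user IDs are this example's own; M_BEST_EKG and its two fields are the page's example.

```python
"""Model of the R/3 authorization check described above: an authorization object
with up to 10 fields, authorizations (field values, '*' wildcard, ranges), simple
and composite profiles, and the user master record with its logon-time buffer.
Added example, not SAP code; class, profile and user names are assumptions."""
from dataclasses import dataclass, field

MAX_FIELDS = 10  # page: an authorization object contains at most 10 fields


@dataclass(frozen=True)
class AuthObject:
    """Authorization object: a name and its field names (e.g. ACTVT, EKGRP)."""
    name: str
    fields: tuple

    def __post_init__(self):
        if len(self.fields) > MAX_FIELDS:
            raise ValueError(f"{self.name}: more than {MAX_FIELDS} fields")


@dataclass
class Authorization:
    """One instance of an object with permitted values per field.
    A value is a literal, '*' (all values) or a (low, high) range tuple."""
    obj: AuthObject
    values: dict

    def permits(self, field_name, value):
        for v in self.values.get(field_name, ()):
            if v == "*":
                return True
            if isinstance(v, tuple) and v[0] <= value <= v[1]:
                return True
            if v == value:
                return True
        return False


@dataclass
class Profile:
    """Simple profile (list of authorizations) or composite profile (list of profiles)."""
    name: str
    authorizations: list = field(default_factory=list)
    profiles: list = field(default_factory=list)


def flatten(profiles):
    """Yield every authorization reachable through simple and nested composite profiles."""
    for p in profiles:
        yield from p.authorizations
        yield from flatten(p.profiles)


@dataclass
class UserMaster:
    """User master record; the user buffer (what SU56 shows) is filled only at logon."""
    user_id: str
    profiles: list = field(default_factory=list)
    buffer: list = field(default=None, repr=False)

    def logon(self):
        self.buffer = list(flatten(self.profiles))

    def authority_check(self, obj, **requested):
        """AUTHORITY-CHECK semantics: success if ONE authorization for the object
        permits EVERY requested field value. On failure, return the fields the
        closest authorization did not cover (the SU53-style missing authorization)."""
        if self.buffer is None:
            raise RuntimeError(f"{self.user_id} is not logged on; user buffer is empty")
        best_missing = None
        for auth in self.buffer:
            if auth.obj != obj:
                continue
            missing = {f: v for f, v in requested.items() if not auth.permits(f, v)}
            if not missing:
                return True, {}
            if best_missing is None or len(missing) < len(best_missing):
                best_missing = missing
        return False, dict(requested) if best_missing is None else best_missing


# The page's example: object M_BEST_EKG (class MM_E) with fields ACTVT and EKGRP
M_BEST_EKG = AuthObject("M_BEST_EKG", ("ACTVT", "EKGRP"))
po_maintain = Authorization(M_BEST_EKG, {"ACTVT": ["02", "03"], "EKGRP": ["xyz", "abc"]})
purchasing = Profile("Z_PURCH", authorizations=[po_maintain])   # simple profile
all_jobs = Profile("Z_ALL_JOBS", profiles=[purchasing])          # composite profile
buyer = UserMaster("FREDSMITH", profiles=[all_jobs])
buyer.logon()


def split_authorizations_do_not_combine():
    """Two authorizations (02 on xyz) and (03 on abc) do NOT add up to 02 on abc."""
    a1 = Authorization(M_BEST_EKG, {"ACTVT": ["02"], "EKGRP": ["xyz"]})
    a2 = Authorization(M_BEST_EKG, {"ACTVT": ["03"], "EKGRP": ["abc"]})
    clerk = UserMaster("CLERK", profiles=[Profile("Z_SPLIT", authorizations=[a1, a2])])
    clerk.logon()
    return clerk.authority_check(M_BEST_EKG, ACTVT="02", EKGRP="abc")[0]


if __name__ == "__main__":
    print(buyer.authority_check(M_BEST_EKG, ACTVT="02", EKGRP="xyz"))  # (True, {})
    print(buyer.authority_check(M_BEST_EKG, ACTVT="01", EKGRP="xyz"))  # (False, {'ACTVT': '01'})
    print(split_authorizations_do_not_combine())  # False
```

The split_authorizations_do_not_combine function is the point practitioners most often get wrong: granting change on one purchasing group and display on another in two separate authorizations does not grant change on the second group, and conversely putting both activities and both groups into a single authorization (as po_maintain does) grants every combination of them.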
FIND USERS BY ADDRESS DATA
Use transaction code S_BCE_68001393.
Navigation path: Tools --> Administration --> User Maintenance --> Information System --> Users --> By Address Data
Restricting Password Strings
Use transaction code SM30 to maintain table USR40, where '*' stands for a group of characters and '?' for a single character.
This prevents the use of passwords that start with, or otherwise match, common words.
Users cannot use a string matching one of these entries as a password.
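The USR40 wildcard matching above, as an added example that is not SAP code. The entries in the USR40 list are constructed for this example, and the uppercase normalisation (classic R/3 compared passwords case-insensitively) is an assumption; the '*' and '?' semantics are those the page gives.

```python
"""USR40-style forbidden-password patterns: '*' stands for any run of characters
and '?' for exactly one. Added example, not SAP code; the pattern list below is
constructed for this example and the uppercase normalisation is an assumption."""
import re

# Constructed sample entries; a real table holds whatever the administrator enters in SM30
USR40 = ["SAP*", "PASS*", "*123", "?BC?", "WELCOME"]


def usr40_to_regex(pattern):
    """Translate one USR40 entry into an anchored regular expression.
    Every character other than the two wildcards is escaped, so '.' or '+'
    in an entry stay literal."""
    out = []
    for ch in pattern.upper():
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def matching_entry(password, table=USR40):
    """Return the first USR40 entry the candidate password matches, or None if it is allowed."""
    pw = password.upper()
    for entry in table:
        if usr40_to_regex(entry).match(pw):
            return entry
    return None
```

The match is against the whole password, not a substring: the entry WELCOME blocks exactly that word, while blocking it anywhere inside a password needs the entry *WELCOME*. That is why the page's own "SAP" and "PASS" examples are usually entered as SAP* and PASS* rather than as bare words.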
Role assigned to Which Users (1)
Use transaction code SE38, program RSUSR070.
Navigation path: Tools --> Administration --> User Maintenance --> Information System --> Roles --> By Role Name
Role assigned to Which Users (2)
After entering the role, we get the following screen:
the user assignments, profile assignments and transaction code list assigned to the role.
Role assigned to Which Users (3)
List of users assigned to the particular role.
Role assigned to Which Users (4)
List of profiles assigned to the particular role.
Role assigned to Which Users (5)
List of transaction codes assigned to the particular role.
Maintaining the Object Class
Using transaction code SU03, the object classes and their authorization objects can be maintained.
Available authorizations of the logon user (1)
Using transaction code SU56, we see the authorizations and authorization objects in the user buffer of the logged-on user.
Double-click on an authorization object to get the details.
Available authorizations of the logon user (2)
Double-click on 'Permitted values' to get the details:
the authorization fields corresponding to the authorization object.
Available authorizations of the logon user (3)
Double-click on an authorization to get the details.
To get the details of an Authorization Object (1)
Use transaction code SE38 and run program RSUSR040. Consider the authorization object S_DEVELOP.
To get the details of an Authorization Object (2)
The authorization object and its corresponding object class are displayed.
To get the details of an Authorization Object (3)
The authorization fields associated with the authorization object are displayed.
Double-click on Permitted Activities.
To get the details of an Authorization Object (4)
Use transaction code SU03.
Double-click on object class BC_C.
Important Authorization profiles
SAP_ALL       All authorizations in the R/3 system
SAP_NEW       Authorizations for checks newly introduced by a release upgrade, so that existing users keep working until their roles are adjusted; it is not a "create new objects" profile and should be withdrawn again once the roles are updated
S_A.CUSTOMIZ  Customizing (all system setting activities)
S_A.DEVELOP   Developers, with all authorizations to work in the ABAP Workbench
S_A.SHOW      Basis: display authorization only
S_A.USER      System administrator
S_ABAP_ALL    All authorizations for ABAP
S_ADMI_SPO_A  Spool: all administration authorizations
S_ADMI_SPO_D  Spool: device administration
S_ADMI_SPO_E  Spool: extended administration
S_ADMI_SPO_J  Spool: job administration for all clients
S_ADMI_SPO_T  Spool: device type administration
SOME IMPORTANT TABLES
USR01  Runtime data of the user master records
USR02  Logon data, including the password hash
USR03  Users' address information
USR04  Users' authorizations (profile assignments)
USR05  Users' parameter IDs
USR09  User menus
USR10  User authorization profiles
USR11  Descriptive texts for profiles
USR12  User master authorization values
USR13  Descriptive short texts for authorizations
USR14  Logon language versions per user
USR30  Additional information for user menus
TOBJ   Authorization objects, with the authorization fields of each
TACT   List of standard activities in the system
TACTZ  Relationship between authorization objects and the activities valid for objects that contain the activity field
TSTC   Transaction code table, where an authorization object and values can be defined for a transaction
Create a super user (1)
SAP recommends not using SAP*; instead, create a separate, named super user.
•SAP_ALL is the profile that gives a user every authorization in the system; assigning it to a named user creates a super user.
•SAP_NEW is the profile that bridges the authorization checks added by a new release until the roles have been adjusted; it is assigned together with SAP_ALL only temporarily after an upgrade.
Profile Generator
•The Profile Generator (PG) is the tool that helps the authorization administrator create, generate and assign authorization profiles.
•It is available from SAP R/3 release 3.1G.
•Before using the Profile Generator for the first time, check with transaction RZ11 that the parameter auth/no_check_in_some_cases is set to Y.