SAP R/3 BASIS Training User & Authorization

Upload: rajesh-mp

Post on 31-Dec-2015

Page 1: USER Authorization

SAP R/3 BASIS Training: User & Authorization

Page 2: USER Authorization

USER Concept(1)

One of the basic parts of R/3 security is the user concept.

After installing R/3 and creating a client, one of the first steps is to create users in the new client.

Note that users are client dependent: a user in one client is not a user of another client. They are valid only for the client in which they were created or assigned.

The user name and the user attributes together make up the user master record.

By default SAP comes with two super users:

SAP*

DDIC

These two super users are available in every client of an R/3 system when a new client is created, but their nature differs slightly:

SAP* has all authorizations.

DDIC is authorized to administer the R/3 repository.

Transaction code for user maintenance: SU01. Navigation on menu: Tools --> Administration --> User Maintenance --> Users

Page 3: USER Authorization

User Master Record(1)

A User Master Record consists of following information:

User Name

Assigned Client

Password (Changeable in future)

Company Address

User Type

Start Menu

Logon Language

Personal Printer Setting

Time Zone

Activity Groups

Authorizations

Expiration Date

Default Parameter Setting

User master records are maintained through transaction code SU01.

A user can be assigned to many activity groups, and an activity group can be assigned to many users.

Page 4: USER Authorization

Password Restriction(1)

A password cannot be the word ‘sap’ or ‘pass’.

A password cannot begin with any sequence of three characters contained in the user ID. For example, user FREDSMITH cannot set a password that starts with FRE, RED, EDS or SMI.

A password cannot begin with three identical characters, e.g. aaamy or bbbt.

When a user changes his password, he may not reuse any of his last five passwords.

Page 5: USER Authorization

Password Restriction(2)

The minimum password length is set by the parameter login/min_password_lng (value 3).

The administrator sets the password expiration by the parameter login/password_expiration_time (number of days).

The number of incorrect logons allowed for a user master record before the logon procedure is terminated is set by the parameter login/fails_to_session_end (value 3).

The number of incorrect logons allowed for a user master record before logon is rejected for this user is set by login/fails_to_user_lock (value 3). The lock is released at midnight.

The parameter rdisp/gui_auto_logout (in seconds) logs the user out automatically if the SAPGUI is not used for the defined time. If it is set to 0, the user is never logged out automatically.
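As an added illustration (not code from the slides or from SAP), the following Python models the password rules from Page 4 together with the login/fails_to_session_end and login/fails_to_user_lock counters described on this page. The function and class names, the constructed user ID FREDSMITH and the timestamps are this example's own; the parameter defaults are the values quoted on the slides, and the case-insensitive comparison is an assumption.

```python
from datetime import datetime, timedelta


def password_violations(user_id, new_password, previous_passwords, min_password_lng=3):
    """Return the list of rules a candidate password breaks (empty list = accepted).

    Rules from Page 4 plus login/min_password_lng from Page 5. Comparison is
    done case-insensitively here (an assumption of this example).
    """
    pw = new_password.lower()
    uid = user_id.lower()
    violations = []
    if len(pw) < min_password_lng:
        violations.append(f"shorter than login/min_password_lng={min_password_lng}")
    if pw in ("sap", "pass"):
        violations.append("password is the word 'sap' or 'pass'")
    # every 3-character window of the user ID (FRE, RED, EDS, ...) is a forbidden prefix
    forbidden_prefixes = {uid[i:i + 3] for i in range(len(uid) - 2)}
    if pw[:3] in forbidden_prefixes:
        violations.append(f"begins with '{pw[:3]}', a 3-character sequence from the user ID")
    if len(pw) >= 3 and pw[0] == pw[1] == pw[2]:
        violations.append("begins with three identical characters")
    if pw in (p.lower() for p in previous_passwords[-5:]):
        violations.append("matches one of the last five passwords")
    return violations


def _as_datetime(moment):
    """Accept either a datetime or an ISO 8601 string such as '2015-12-31T10:00:00'."""
    return moment if isinstance(moment, datetime) else datetime.fromisoformat(moment)


class LogonGuard:
    """Counts wrong passwords per user, both within one logon dialog and in total.

    login/fails_to_session_end: failures that end the current logon procedure.
    login/fails_to_user_lock:   failures that lock the user master record; the
                                lock is released at midnight (Page 5).
    """

    def __init__(self, fails_to_session_end=3, fails_to_user_lock=3):
        self.fails_to_session_end = fails_to_session_end
        self.fails_to_user_lock = fails_to_user_lock
        self.failed_in_session = {}   # user -> failures in the current logon dialog
        self.failed_total = {}        # user -> failures since the last success or unlock
        self.locked_until = {}        # user -> datetime at which the lock is released

    def is_locked(self, user, now):
        now = _as_datetime(now)
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # midnight has passed: release the lock and start counting afresh
        del self.locked_until[user]
        self.failed_total[user] = 0
        return False

    def record_failure(self, user, now):
        """Register one wrong password; returns 'retry', 'session_end' or 'locked'."""
        now = _as_datetime(now)
        if self.is_locked(user, now):
            return "locked"
        self.failed_in_session[user] = self.failed_in_session.get(user, 0) + 1
        self.failed_total[user] = self.failed_total.get(user, 0) + 1
        if self.failed_total[user] >= self.fails_to_user_lock:
            next_midnight = datetime.combine(now.date() + timedelta(days=1), datetime.min.time())
            self.locked_until[user] = next_midnight
            self.failed_in_session[user] = 0
            return "locked"
        if self.failed_in_session[user] >= self.fails_to_session_end:
            self.failed_in_session[user] = 0   # the dialog ends; the total keeps counting
            return "session_end"
        return "retry"

    def record_success(self, user):
        """A correct password resets both counters."""
        self.failed_in_session[user] = 0
        self.failed_total[user] = 0
```

The two counters are deliberately separate: ending the logon dialog does not reset the total, so a user who keeps reopening SAPGUI still hits login/fails_to_user_lock, and the lock expires at the next midnight rather than after a fixed interval.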

Page 6: USER Authorization

User SAP* & DDIC (1)

The SAP R/3 default installation includes two super users, ‘DDIC’ and ‘SAP*’.

The SAP* user is created with the password ‘06071992’.

The DDIC user is created with the password ‘19920706’.

The EARLYWATCH user is created with the password ‘SUPPORT’.

In a new client SAP* is created with the default password ‘pass’ and unlimited access rights. SAP* is the only super user that does not require a user master record, because its authorization is given by the system code. DDIC, by contrast, does have a user master record.

It is better to deactivate the user SAP* (not delete it).

User DDIC (for data dictionary) is the maintenance user for certain installation and setup tasks.

•The EARLYWATCH user is used by SAP's EarlyWatch experts.

Page 7: USER Authorization

User SAP* & DDIC(2)

Default users present after a new installation:

User         Clients
SAP*         000, 001, 066
DDIC         000, 001
EARLYWATCH   066

Page 8: USER Authorization

Create User Step 1

Use the transaction code SU01 for user maintenance.

Choose the button for creating a new user.

Page 9: USER Authorization

Create User Step 2

Enter the user information.

Page 10: USER Authorization

Create User Step 3

Enter these important data.

Page 11: USER Authorization

Create User Step 4

Choose the role from the menu.

Page 12: USER Authorization

Create User Step 5

The corresponding profile is filled in automatically.

Page 13: USER Authorization

Create User Step 6

The user can set user parameters.

After entering all data, choose the Save button.

Page 14: USER Authorization

Create User Step 7

The user is created, and ‘Last changed by’ is also updated.

USER CREATION IS NOW COMPLETE.

Page 15: USER Authorization

Activity Group(1) or ROLE

•A role or activity group is a collection of R/3 transactions, authorizations and additional objects.

•The administrator can create, display, change, copy and transport a role.

•Transaction code PFCG is used to maintain roles.

Composite Activity Group or Role

•Composite activity groups are made up of a collection of activity groups.

•Users assigned to a composite activity group are automatically added to its activity groups during a user comparison.

•Composite activity groups themselves do not contain any authorization data.

USER Assignment

Users can be assigned to single activity groups or to composite activity groups, which mostly represent job roles.

Users assigned to an activity group may execute the transactions, reports or any other tasks in the activity group with the corresponding authorizations.

Page 16: USER Authorization

Create Role Step 1

Use transaction code PFCG to maintain roles / activity groups.

Choose the option Create.

Page 17: USER Authorization

Create Role Step 2

1. Enter the description.

2. Choose the option MENU.

Now, to create the role, choose the menu.

The name of the user who created the role is displayed.

Page 18: USER Authorization

Create Role Step 3

To create the role, choose any one of the menu options.

We can choose any one option or all options at a time.

Page 19: USER Authorization

Create Role Step 4

We choose three from the menu.

We choose according to our requirement from the ‘SAP MENU’.

Page 20: USER Authorization

Create Role Step 5

Our three selected menus appear on the role menu.

1. Our chosen three appear on the role menu.

2. Next we choose Transaction.

Page 21: USER Authorization

Create Role Step 6

Assign the transaction codes using the button Assign Transaction.

Page 22: USER Authorization

Create Role Step 7

The chosen transaction codes then appear on the role menu.

Page 23: USER Authorization

Create Role Step 8

1. Choose Authorizations from the tab.

2. Choose the button ‘Change authorization data’.

Page 24: USER Authorization

Create Role Step 9

1. Choose Range of values or Full Authorization.

Page 25: USER Authorization

Create Role Step 10

These authorizations appear on the role.

Page 26: USER Authorization

Create Role Step 11

Change the authorizations and save; the status colour has changed.

Save the profile and give the name of the profile.

Page 27: USER Authorization

Create Role Step 12

The message ‘Profiles created’ appears.

Page 28: USER Authorization

Create Role Step 13

Assign the ‘USER’ to whom this role has to be assigned.

Choose the option ‘USER COMPARE’.

Choose the option ‘Complete compare’.

Page 29: USER Authorization

Create Role Step 14

Open the user to whom the role has been assigned.

Page 30: USER Authorization

Create Role Step 15

The assigned profile appears in the user's profile list.

Page 31: USER Authorization

Create Role Step 16

Again, create a role from another existing role using PFCG.

Choose the option ‘From Other role’.

Page 32: USER Authorization

Create Role Step 17

Choose one role from the previously created or SAP-defined roles.

Page 33: USER Authorization

Create Role Step 18

Choose the options from the list.

Page 34: USER Authorization

Create Role Step 19

1. The chosen menu comes to the role menu.

2. Now choose ‘From Area Menu’.

Again, create a role from an area menu using PFCG.

Page 35: USER Authorization

Create Role Step 20

Choose one area menu, e.g. PC14.

Page 36: USER Authorization

Create Role Step 21

Choose the option ‘Payroll’.

Page 37: USER Authorization

Create Role Step 22

The chosen option ‘Payroll’ appears.

Now perform step 8.

Page 38: USER Authorization

CREATE ROLE USING SPRO – Step 1

Use transaction code SPRO to create a new project.

Choose GOTO --> Project Management.

Page 39: USER Authorization

CREATE ROLE USING SPRO – Step 2

All created projects are shown.

Choose the option to create a new project.

Give a new name.

Page 40: USER Authorization

CREATE ROLE USING SPRO – Step 3

Enter the date here.

Page 41: USER Authorization

CREATE ROLE USING SPRO – Step 4

Specify the scope of the project.

Select the modules which are required.

Choose the button.

Page 42: USER Authorization

CREATE ROLE USING SPRO – Step 5

1. Select the option Generate Project IMG.

2. Choose this option.

3. Project creation starts in the background.

Page 43: USER Authorization

CREATE ROLE USING SPRO – Step 6

Project PROJ_TEST is created in the background.

Page 44: USER Authorization

CREATE ROLE USING SPRO – Step 7

Use transaction code PFCG to assign the authorizations related to a particular project.

Choose the create option for a new role.

Page 45: USER Authorization

CREATE ROLE USING SPRO – Step 8

1. Choose the navigation Utilities --> Customizing Auth.

2. This screen appears.

3. Choose ‘Add’.

4. This screen appears; choose ‘IMG PROJECT’.

Page 46: USER Authorization

CREATE ROLE USING SPRO – Step 9

Choose one project from the list, e.g. PROJ_TEST.

Page 47: USER Authorization

CREATE ROLE USING SPRO – Step 10

All transaction codes related to the project PROJ_TEST appear.

Now follow the method of role creation. After that, the role Z_NEW_AG_SPRO is created.

Page 48: USER Authorization

Use the transaction code SU53(1)

A user trying to work with transaction code IL08 is not authorized to do that job.

This message appears if the user has no authorization for the transaction code.

Page 49: USER Authorization

Use the transaction code SU53(2)

Using transaction code SU53 we can find which authorization is needed to perform the task.

These are the missing authorizations.

These are the available authorizations.

Page 50: USER Authorization

Authorization structure(1)

The elements of the authorization structure, from the user down to the field level:

User Master Record
  Profile / Composite Profile
    Composite Profile (contains other profiles)
      Authorization Profile
        Authorization Object
          Authorizations
            Authorization Fields

Page 51: USER Authorization

Authorization(1)

The authorization system of SAP R/3 is the general term for all the technical and management elements for granting access privileges to users in order to enforce R/3 system security.

By entering an authorization profile in a user's master record, the administrator gives the user access to particular SAP objects.

Authorization profiles are groups of authorizations. Instead of giving each authorization to a user individually, the administrator gives the user an authorization profile.

Authorization profiles can be simple or composite; composite profiles contain other profiles.

Authorization profiles use an activation method: when authorizations or profiles are created or modified, they must be activated to become effective.

Profiles are assigned to users in the user master record.

Page 52: USER Authorization

Authorization(2)

Authorizations determine which activities a user can perform.

The system administrator cannot decide which business authorizations a user needs; it is up to the user department to decide the permissions the user should be given to carry out his business tasks. The user department decides which authorizations the user needs, and the system administrator assigns them as requested by the user department.

Each authorization is based on an authorization object.

An authorization object consists of authorization fields and their possible values.

Because of the vastness of the R/3 system and its functional range, authorization objects are further divided into areas called object classes.

An authorization allows an R/3 task to be carried out based on a set of field values in an authorization object.

Authorizations determine the specific values or value ranges permitted for a field.

ACTVT is an authorization field which is present in almost all authorization objects.

Page 53: USER Authorization

Activities : Meaning

01 : Create or Generate
02 : Change
03 : Display
05 : Lock
06 : Delete
07 : Activate, Generate
08 : Display change documents
11 : Change number range status
12 : Maintain & generate change documents
13 : Initialize number levels
16 : Execute
17 : Maintain number range object
21 : Transport
22 : Enter, Include, Assign
23 : Maintain
24 : Archive
33 : Read
34 : Write
36 : Extended maintenance
37 : Accept
40 : Create in DB
41 : Delete in DB
42 : Convert to DB
43 : Release
50 : Move
51 : MM : Initialize pe
59 : Distribute
60 : Import
64 : Generate
65 : Reorganize
68 : Model
70 : Administer
71 : Analyze
75 : Remove
78 : Assign
90 : Copy
A6 : Read with filter
A7 : Write with filter
A8 : Process mass data
DL : Download
UL : Upload
P0 : Accept CCMS CSM data
P1 : Edit CCMS CSM data
P2 : Maintain CCMS CSM methods
*  : all possible values

Page 54: USER Authorization

Authorization(3)

We can assign authorization values to these fields. The values of the fields decide which data can be accessed by the user to whom this object is assigned.

FIELD                      VALUE
Customer type (CUSTTYPE)   *
Activity (ACTVT)           02

* = all possible values; 02 = display only

Page 55: USER Authorization

Authorization profile(1)

An authorization profile consists of a group of authorization objects, i.e. a group of access privileges.

User authorizations are not assigned directly to user master records; instead they are assigned in the form of authorization profiles.

Changing the contents of the authorizations inside a profile affects all users that are given that profile once the change is activated.

A user's authorizations are loaded into the user buffer only at logon.

Changes therefore affect all users to whom the profile is assigned, and take effect only when the user next logs on.

The number of profiles generated depends on the number of authorizations in each activity group.

A maximum of 150 authorizations fit into one profile. If there are more than 150 authorizations, an additional profile is generated.

Generated authorization profiles begin with a T, like T-SM-NEW1. When more than one profile is created, the names are T-SM-NEW1_1, T-SM-NEW1_2, and so on.
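As an added illustration covering both the activity group / composite role passage (Page 15) and the profile-generation rules on this page, the following Python models roles, composite roles, the complete user comparison and the 150-authorizations-per-profile split with the T-SM-NEW1 / T-SM-NEW1_1 naming. It is not SAP's own implementation; the role names Z_BUYER, Z_BIG and Z_PURCHASING_JOB, the profile base names and the sample authorizations are constructed for the example.

```python
from dataclasses import dataclass, field

MAX_AUTHS_PER_PROFILE = 150   # Page 55: a maximum of 150 authorizations fit into one profile


@dataclass
class Role:
    """A single activity group: transactions plus authorizations.

    Each authorization is modelled as (authorization object, {field: set of values}).
    profile_base is the name the profile generator uses for the role's profile
    (the slide's example is T-SM-NEW1)."""
    name: str
    profile_base: str
    transactions: set = field(default_factory=set)
    authorizations: list = field(default_factory=list)


@dataclass
class CompositeRole:
    """A composite activity group: it lists other roles and deliberately has
    no authorizations attribute, because it holds no authorization data."""
    name: str
    roles: list = field(default_factory=list)


def generated_profile_names(base, n_authorizations):
    """Names the generator assigns to a role's profiles (Page 55 rule):
    one profile named `base` for up to 150 authorizations; beyond that the
    authorizations are spread over base_1, base_2, ... (150 each)."""
    if n_authorizations == 0:
        return []                       # nothing to generate for an empty role
    if n_authorizations <= MAX_AUTHS_PER_PROFILE:
        return [base]
    n_profiles = -(-n_authorizations // MAX_AUTHS_PER_PROFILE)   # ceiling division
    return [f"{base}_{i}" for i in range(1, n_profiles + 1)]


def generate_profiles(role):
    """Return {profile name: list of authorizations} for one role, splitting
    the role's authorizations into chunks of at most 150."""
    names = generated_profile_names(role.profile_base, len(role.authorizations))
    chunks = [role.authorizations[i:i + MAX_AUTHS_PER_PROFILE]
              for i in range(0, len(role.authorizations), MAX_AUTHS_PER_PROFILE)]
    return dict(zip(names, chunks))


def user_compare(assigned):
    """Resolve a user's role assignment the way a complete user comparison
    does: composite roles expand into their member roles, duplicates collapse,
    and each single role contributes its generated profiles and transactions."""
    single_roles, seen = [], set()

    def visit(r):
        if isinstance(r, CompositeRole):
            for child in r.roles:
                visit(child)
        elif r.name not in seen:
            seen.add(r.name)
            single_roles.append(r)

    for r in assigned:
        visit(r)
    profiles, transactions = [], set()
    for r in single_roles:
        profiles.extend(generate_profiles(r))   # iterating the dict yields profile names
        transactions |= r.transactions
    return {"roles": [r.name for r in single_roles],
            "profiles": profiles,
            "transactions": transactions}


def demo():
    """Constructed assignment: a composite job role containing a small buyer
    role and a role with 151 authorizations, plus the buyer role assigned
    directly as well (so the comparison must de-duplicate it)."""
    buyer = Role("Z_BUYER", "T-SM-NEW1", {"ME21N"},
                 [("M_BEST_EKG", {"ACTVT": {"02", "03"}, "EKGR": {"xyz", "abc"}})])
    big = Role("Z_BIG", "T-SM-BIG1", {"SU01"},
               [("S_TCODE", {"TCD": {f"T{i}"}}) for i in range(151)])
    job = CompositeRole("Z_PURCHASING_JOB", [buyer, big])
    return user_compare([job, buyer])


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, demo() shows the buyer role yielding a single profile T-SM-NEW1 while the 151-authorization role spills into T-SM-BIG1_1 and T-SM-BIG1_2; the composite role appears nowhere in the profile list because it carries no authorization data of its own.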

Page 56: USER Authorization

Composite profile(1)

Composite profiles are sets of authorization profiles, both simple and composite.

A composite profile can contain an unlimited number of profiles.

Composite profiles are suitable for users who have different responsibilities or job tasks in the system.

Modifying any of the profiles in the list of a composite profile directly affects the access privileges of all users who have that composite profile in their user master record.

Page 57: USER Authorization

Authorization Object field(1)

Authorization fields represent values for individual system elements which undergo authorization checking to verify a user's authorization.

The activity field in an authorization object defines the possible actions which can be performed on a particular application object.

An authorization field can be, for example, a user group, a company code, a purchasing group, a development class, an application area or an activity.

For example, activity 03 always means Display. If an authorization contains two fields such as COMPANY CODE and ACTVT, and the value in company code is * while the value in ACTVT is 03, then a user holding this authorization can only display all company codes.

Not all authorization objects have the ACTVT authorization field.

Page 58: USER Authorization

Authorization Object(1)

An authorization object can contain a maximum of 10 authorization fields.

Users are permitted to perform a system function only after passing the test for every field in the authorization object.

Authorization objects are grouped into object classes belonging to different application areas; the classes are used to limit the search for objects, making it faster to navigate among the many R/3 system objects.

SAP predefined authorization objects should not be modified or deleted, except if instructed by SAP support personnel.

Deleting or changing standard authorization objects can cause severe errors in the programs that check those objects.

For example,

MM_E stands for the object class Materials Management - Purchasing.

There is an authorization object M_BEST_EKG for ordering.

The M_BEST_EKG object consists of 2 authorization fields:

1. ACTVT, to define the user activity, with values ’02’, ’03’

2. EKGR, to define the purchasing group, with values ‘xyz’, ’abc’.

If ACTVT has the values 02 (change) and 03 (display), the user can maintain only the purchasing groups ‘xyz’ and ‘abc’ and cannot create a new purchasing group.
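As an added illustration (not SAP's AUTHORITY-CHECK implementation and not code from the slides), the following Python models the check described on Pages 52, 54, 57 and 58: an authorization passes only when every requested field of the object is covered, with ‘*’ meaning all values and a (low, high) tuple standing for the ‘Range of values’ option of Page 24. The user buffer is constructed from the M_BEST_EKG example above and the company-code example of Page 57; the object name Z_CC_DEMO is a placeholder, since the slide does not name the object that carries the company code field.

```python
FULL = "*"   # Page 54: '*' in a field stands for all possible values


def field_value_allowed(permitted, value):
    """One field passes when the requested value is covered by any permitted
    entry: '*' (Full Authorization), a single value, or a (low, high) tuple
    standing for the 'Range of values' option in PFCG."""
    for entry in permitted:
        if entry == FULL:
            return True
        if isinstance(entry, tuple):
            low, high = entry
            if low <= value <= high:
                return True
        elif entry == value:
            return True
    return False


def authority_check(user_buffer, auth_object, **requested):
    """Return True only if one authorization for `auth_object` in the user's
    buffer passes the test for every requested field (Page 58). Fields are
    never satisfied by mixing two different authorizations of the same object.

    user_buffer: list of (authorization object, {field: [permitted entries]}),
    i.e. what is loaded into the user buffer at logon (Page 55).
    """
    for obj, fields in user_buffer:
        if obj != auth_object:
            continue
        if all(field_value_allowed(fields.get(name, []), value)
               for name, value in requested.items()):
            return True
    return False   # no authorization for the object, or a field test failed


def sample_user_buffer():
    """Constructed user buffer for the example: the M_BEST_EKG authorization
    from Page 58 (change/display for purchasing groups xyz and abc) and the
    company-code authorization from Page 57 (all company codes, display only).
    Z_CC_DEMO is a placeholder object name, not a real SAP object."""
    return [
        ("M_BEST_EKG", {"ACTVT": ["02", "03"], "EKGR": ["xyz", "abc"]}),
        ("Z_CC_DEMO", {"BUKRS": [FULL], "ACTVT": ["03"]}),
    ]


if __name__ == "__main__":
    buf = sample_user_buffer()
    for actvt, ekgr in (("02", "xyz"), ("01", "xyz"), ("02", "new")):
        print("M_BEST_EKG", actvt, ekgr, authority_check(buf, "M_BEST_EKG", ACTVT=actvt, EKGR=ekgr))
```

The two negative cases mirror the slide's wording: ACTVT 01 (create) is not among the permitted activities, and a purchasing group outside xyz/abc fails the EKGR test even though ACTVT would pass, so the whole check fails.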

Page 59: USER Authorization

FIND USERS BY ADDRESS DATA

Use transaction code S_BCE_68001393.

Navigation path: Tools --> Administration --> User Maintenance --> Information System --> Users By Address Data

Page 60: USER Authorization

Restricting Password String

Use transaction code SM30 to maintain table USR40, where ‘*’ substitutes for a group of characters and ‘?’ for a single character.

This avoids the use of passwords which start with similar words.

Users cannot use these strings as a password.
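As an added illustration (not SAP code), the following Python applies the USR40 wildcard convention just described: each table entry is translated into a regular expression in which ‘*’ stands for a group of characters and ‘?’ for exactly one, and a candidate password is rejected if it matches any entry. The SAMPLE_USR40 contents are constructed for the example, and matching is done case-insensitively here, which is an assumption.

```python
import re


def usr40_pattern_to_regex(pattern):
    """Translate one USR40 entry into a compiled, anchored regular expression.

    '*' stands for a group of characters (here: zero or more), '?' for a
    single character; everything else is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # anchor both ends so 'SAP*' forbids passwords starting with SAP, not
    # every password containing it; case-insensitive by assumption
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_forbidden(password, usr40_entries):
    """Return the first USR40 entry the password matches, or None if accepted."""
    for entry in usr40_entries:
        if usr40_pattern_to_regex(entry).match(password):
            return entry
    return None


# constructed table contents for the example (not taken from the slides)
SAMPLE_USR40 = ["SAP*", "PASS*", "*123", "WELCOME?", "?SAP"]


if __name__ == "__main__":
    for candidate in ("sap123", "Welcome1", "abc123", "xsap", "Quartz7"):
        print(candidate, "->", is_forbidden(candidate, SAMPLE_USR40))
```

Returning the matching entry rather than a bare boolean makes the rejection explainable to an administrator reviewing the table, and the anchored regex shows why ‘WELCOME?’ blocks Welcome1 but not Welcome12.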

Page 61: USER Authorization

Role assigned to Which Users(1)

Use transaction code SE38, program RSUSR070.

Navigation path: Tools --> Administration --> User Maintenance --> Information System --> Roles --> By Role Name

Page 62: USER Authorization

Role assigned to Which Users(2)

After entering the role we get the following screen.

We get the USER ASSIGNMENT, PROFILE ASSIGNMENT and TRANSACTION CODE lists assigned to the role.

Page 63: USER Authorization

Role assigned to Which Users(3)

List of users assigned to the particular role.

Page 64: USER Authorization

Role assigned to Which Users(4)

List of profiles assigned to the particular role.

Page 65: USER Authorization

Role assigned to Which Users(5)

List of transaction codes assigned to the particular role.

Page 66: USER Authorization

Maintaining the Object Class

Using transaction code SU03 the user can maintain the object class.

Page 67: USER Authorization

Available authorizations of the logon user(1)

Using transaction code SU56 we get the ‘authorizations’ and ‘authorization objects’ assigned to a user.

Double click on the authorization object to get the details.

Page 68: USER Authorization

Available authorizations of the logon user(2)

Double click on the ‘permitted values’ to get the details.

The authorization fields corresponding to the authorization object are shown.

Page 69: USER Authorization

Available authorizations of the logon user(3)

Double click on the authorizations to get the details.

Page 70: USER Authorization

To get the details of an Authorization Object(1)

Use transaction code SE38, then use program RSUSR040.

Consider the authorization object S_DEVELOP.

Page 71: USER Authorization

To get the details of an Authorization Object(2)

The authorization object and its corresponding object class are shown.

Page 72: USER Authorization

To get the details of an Authorization Object(3)

The authorization fields associated with the authorization object are shown.

Double click on Permitted Activities.

Page 73: USER Authorization

To get the details of an Authorization Object(4)

Use transaction code SU03.

Double click on object class BC_C.

Page 74: USER Authorization

To get the details of an Authorization Object(4)

Use transaction code SU03.

Page 75: USER Authorization

Important Authorization profiles

SAP_ALL         All authorizations in the R/3 system
SAP_NEW         To create new objects
S_A.CUSTOMIZ    Customizing (for all system setting activities)
S_A.DEVELOP     Developers with all authorizations to work in the ABAP Workbench
S_A.SHOW        Basis: display authorization only
S_A.USER        System administrator
S_ABAP_ALL      All authorizations for ABAP
S_ADMI_SPO_A    Spool: all administration authorizations
S_ADMI_SPO_D    Spool: device administration
S_ADMI_SPO_E    Spool: extended administration
S_ADMI_SPO_J    Spool: job administration for all clients
S_ADMI_SPO_T    Spool: device type administration

Page 76: USER Authorization

SOME IMPORTANT TABLES

USR01   Contains the runtime data of the user master records
USR02   Contains logon information such as the password
USR03   Includes the users' address information
USR04   Contains users' authorizations
USR05   The users' parameter ID table
USR09   Contains user menus
USR10   The table for user authorization profiles
USR11   Contains the descriptive texts for profiles
USR12   The user master authorization values table
USR13   Contains the descriptive short texts for authorizations
USR14   Contains the logon language versions per user
USR30   Includes additional information for user menus
TOBJ    Authorization objects table, containing the authorization fields for each object
TACT    Contains the list of standard activities in the system
TACTZ   Defines the relationship between authorization objects and the activities in those objects that contain the Activity authorization field
TSTC    The transaction code table, where authorization objects and values can be defined

Page 77: USER Authorization

Create a super user(1)

SAP recommends not using SAP*; instead, create one super user.

•SAP_ALL is the only profile that lets a user create a super user, together with the authorization to create new objects.

•SAP_NEW is the profile which gives permission to create new objects.

Page 78: USER Authorization

Profile Generator

•The Profile Generator (PG) tool helps the authorization administrator create, generate and assign authorization profiles.

•It is available from SAP R/3 version 3.1G.

•Check the parameter auth/no_check_in_some_cases = Y using transaction RZ11; this must be set before the Profile Generator is used for the first time.