ADM940
SAP Authorization Concept
Appendix: Development of Authorization Elements

SAP Región Sur (Argentina, Bolivia, Chile, Paraguay, Uruguay)
SAP R/3 Enterprise 4.7 / SAP Web Application Server 6.20
SAP AG 2003

Appendix Content:
Authorization Elements Overview. Authorization Fields. Authorization Object. Organizational Level for Profile Generator. Authority Checks. Authorization Profile. Access to Individual Tables and Views. User Administrators. Glossary.

Contents

Appendix Content
Authorization Elements Overview
  Important Authorization Element Relationships
Authorization Fields
  Authorization Fields: Initial Screen
  Authorization Fields: Create
Authorization Object
  Authorization Object: Authorization Object Class
  Authorization Object: Initial Screen of List of Objects
  Authorization Object: Create
  Authorization Object: Create Documentation Object
  Authorization Object: Defining Permitted Activities
Organizational Level for Profile Generator
  Organizational Level Fields
  Before Maintenance
  After Maintenance
  Maintain: Transactions SUPO_PREPARE and SUPO
  Maintain: Program PFCG_ORGFIELD_CREATE
Authority Checks
  Authority Check: Overview
  Authority Check: Assign Objects to Transactions
  Authority Check: The ABAP Statement
Authorization Profile
  Authorization Profiles: Superuser
  Authorization Profiles: End Users
Access to Individual Tables and Views
  Parameter Transaction (using SM30)
  Necessary Authorizations to Access
  Parameter Transaction (using SE16)
  Necessary Authorizations to Access
User Administrators
  User Groups
  Auxiliary User for User Group SUPER
Glossary


Important Authorization Element Relationships

(Figure: relationship diagram of the authorization elements. Recoverable content: each element with the transaction used to maintain it and the way it is linked to the other elements. Solid arrows in the original denote direct relationships, dashed arrows indirect ones.)

• Domain: SE11 (Domain). Supplies the type and value range of the data element.
• Data Element: SE11 (Data type). Assigned to an authorization field.
• Authorization Field: SU20. Built on a data element.
• Authorization Object Class: SU21 (List of object classes).
• Authorization Object: SU21 (List of Objects). Assigned to an object class; made up of authorization fields.
• Authorization: PFCG (Authorization). Proposed automatically from tables USOBX_C and USOBT_C, or inserted manually.
• Organizational Level Field: report PFCG_ORGFIELD_CREATE. Used by PFCG (Authorization).
• Authorization Profile: generated by PFCG (Authorization); assigned to users with SU01 (Profiles) or SU10 (Profiles).
• Role: PFCG. Derived roles (Description tab) and composite roles (Roles tab); users assigned with PFCG (User), SU01 (Roles) or SU10 (Roles).
• User: SU01, SU10.
• Transaction: SE93 (report transaction; parameter transaction with START_REPORT; parameter transaction with SE16 or SM30). Placed in role menus with PFCG (Menu) or in area menus with SE43.
• Menu Area: SE43; PFCG (Menu).
• ABAP Program (Report): SE38. Started through a report transaction (SE93) or a parameter transaction with START_REPORT; entered directly in PFCG (Menu, Report).
• Database Table: SE11 (Database table). Reached through a parameter transaction with SE16 or SM30.
• View: SE11 (View). Reached through a parameter transaction with SM30.

• IMPORTANT TRANSACTIONS (for additional information, see transactions SU*, PF*, SM*):
  PFCG        Role maintenance (in older releases: Profile Generator or Activity Group Maintenance)
  PFUD        User Master Data Reconciliation (schedule report PFCG_TIME_DEPENDENCY)
  RZ10        Maintenance of Profile Parameters
  SA38        ABAP Reporting
  SE11        ABAP/4 Dictionary Maintenance
  SE12        ABAP/4 Dictionary Display
  SE13        Technical Settings
  SE16        Data Display/Maintenance (Data Browser)
  SE38        ABAP Editor
  SE43        Maintain Area Menu
  SE54        Maintenance View
  SE84        R/3 Repository Information System
  SE93        Maintain Transaction Codes
  SM30        Call View Maintenance (table/view maintenance)
  ST01        System Trace
  SU01        User Maintenance
  SU01D       User Display
  SU02        Maintain Authorization Profiles
  SU03        Maintain Authorizations
  SU10, SU12  User Mass Maintenance
  SU20        Maintain Authorization Fields
  SU21        Maintain Authorization Objects
  SU53        Display Check Values
  SU56        Analyze User Buffer
  SUGR        Maintain User Groups
  SUIM        User Information System

• IMPORTANT TABLES (for additional information, use transaction SE11):
  TACT     Activities
  TACTZ    Valid activities for each authorization object
  TBRG     Authorization groups (for tables and views)
  TDDAT    Maintenance areas for tables
  TPGP     ABAP/4 authorization groups
  USOBT_C  Relation transaction / authorization object (customer)
  USOBX_C  Check table for table USOBT_C
  USR40    Table of illegal passwords

• IMPORTANT REPORTS (for additional information about the SAP authorization concept, use transaction SE38; see reports RSUSR* and PFCG*):
  PFCG_ORGFIELD_CREATE  Create organizational level field for Profile Generator
  PFCG_TIME_DEPENDENCY  User master data reconciliation
  RSPARAM               Profile parameter overview


Authorization Field: Initial Screen

• In authorization objects, authorization fields represent the values that are tested during authorization checks.
• Authorization fields are stored in the transparent table AUTHX. This table is cross-client, so an authorization field name must be unique in the whole system.
• To maintain authorization fields, choose Tools -> ABAP Workbench -> Development -> Other Tools -> Authorization Objects -> Fields, or execute transaction SU20. The initial screen shows a toolbar with the following buttons:
  Create: adds a new authorization field to table AUTHX.
  Display: displays the data of an existing authorization field.
  Find: searches for an authorization field in the list Authorization check fields.
  Change: changes the data of an existing authorization field.
  Delete: deletes an existing authorization field. An authorization field that is used in an authorization object cannot be deleted.
• The list Authorization check fields displays all authorization fields in the system, always in alphabetical order.


Authorization Field: Create

• To create an authorization field, press Create on the initial screen. On the screen that appears:
  Enter the field name (Field name). Field names must be unique; SAP recommends that customer field names begin with Y or Z.
  Assign a data element from the ABAP Dictionary (Data element). The data element gives the authorization field its display description and its domain; for this reason SAP recommends creating a dedicated data element for each new authorization field. After you press Enter, the domain linked to the data element is displayed.
  Optionally, enter a check table, value table or search help for the possible entries (field Table Name in the section Maintenance Dialog for Authorization Values). This connection supplies the possible values of the field when authorizations are maintained. Value ranges can also be defined through the domain the field is associated with.
  Press Save, then Back to exit.
• On the initial screen, the new authorization field can be located with Find.


Authorization Object: Authorization Object Class

• For documentation purposes, authorization objects are classified into authorization object classes (object classes). Each authorization object must be assigned to an object class when it is created.
• To maintain object classes and authorization objects, choose Tools -> ABAP Workbench -> Development -> Other Tools -> Authorization Objects -> Objects, or use transaction SU21. The system displays the list of existing object classes (the background screen above). Object classes are organized by system component. Before you can create a new authorization object, you must define the object class for the component you are working in; choose class names that begin with Y or Z to avoid conflicts with SAP names. Object classes are cross-client.
• To create an object class, press Create. In the window that appears (the foreground screen above), enter an object class ID (Object class) and a description (Text), then press Save.
• To display the authorization objects of an object class, select the class in the List of Object Classes screen (or double-click it).
Authorization Object: Initial Screen of List of Objects

• For each object class, a list of its authorization objects is displayed, with the following buttons:
  Create: creates a new authorization object.
  Change: changes an existing authorization object.
  Delete: deletes an existing authorization object.
  Display: displays the data of an existing authorization object.
  Where-used list: shows where an existing authorization object is used.
  Documentation: maintains the documentation object of an existing authorization object.
  Regenerate SAP_ALL: regenerates the standard profile SAP_ALL.
• In the example screen above, the list is empty because ZUSR is a newly created object class.

Authorization Object: Create

• CREATING AND CHANGING AUTHORIZATION OBJECTS:
  To create an authorization object, press Create on the previous screen. The modal window Create authorization object appears, and the following must be entered:
  Object: the authorization object ID (technical name). Authorization objects are cross-client, so the name must be unique in the whole system.
  Text: a description of the object. SAP recommends including the technical name somewhere in this description, because some tools (for example transaction SU02 for manual profile maintenance) display only the description and not the technical name.
  Authorization fields: the fields of the new object. These can be fields created with transaction SU20 or standard authorization fields.
• Plan the structure of an authorization object exactly before creating it, because changing the structure afterwards is very complicated. To remove fields from an object, the whole object must be deleted and recreated; fields can be added only while the object is not yet in use. Only then can the corresponding fields accept data.

Authorization Object: Create Documentation Object

• Detailed documentation can be created for an authorization object. On the previous screen, press Create object documentation; the screen above appears. In it you can:
  Describe where the authorization object is used and what it means.
  Describe each authorization field.
  Describe the permitted values of every authorization field.
  Document the permitted activities if the object uses the authorization field ACTVT.
  Add a reference to the authorization object in your application documentation.
• To activate the new documentation, press Activate, then Back to exit.
• The authorization fields of an object can be changed only after all authorizations that use the object and all AUTHORITY-CHECK calls for it have been deleted.

Authorization Object: Defining Permitted Activities

• Permitted activities button: if the Activity field (ACTVT) is added to the object, the Permitted activities button appears. Here you specify which activities are permitted for ACTVT in this authorization object; only these are offered as possible entries when authorizations are created. Press Permitted activities and mark the activities in the window Define Values. In our example, the values 01 (Create or generate), 02 (Change), 03 (Display) and 06 (Delete) are permitted.
• Automatic conversion checkbox: if automatic conversion is set for the object, authorization data that matches the conversion attributes of the corresponding field is converted when the authorization is saved. For example, 3 can be entered instead of 0003 and is stored as 0003 on saving. This matters because the statement AUTHORITY-CHECK compares the stored value 0003 literally, so an unconverted 3 would never match. The setting applies to any alphanumeric authorization field, not only to ACTVT (Activity).
• To save, press Save.

Note on transaction SU21: on some systems the modal window Create authorization object remains in the foreground after saving. Press Cancel to close it. The new authorization object (ZUSERNAME in our example) is then still missing from the object list of its class, because SU21 does not refresh automatically. Restart SU21 and select object class ZUSR again; ZUSERNAME now appears in the list, as in the screen above.

Organizational Level Fields

• The current maintenance status of the authorizations at the various levels of the role's authorization tree is shown by traffic lights:
  Green: all fields below this level have been supplied with values. Check whether the values are appropriate.
  Yellow: below this level there is at least one field (but not an organizational level) for which no value has been entered.
  Red: below this level there is at least one organizational level for which no value has been maintained.
• Sometimes it is necessary to convert ordinary authorization fields into organizational fields, called organizational level fields, so that the Profile Generator asks for their values once per role and fills them into every authorization that contains the field.

Before Maintenance
(Screen only in the original: the role's authorization tree before the organizational level field is maintained.)

After Maintenance
(Screen only in the original: the same tree after maintenance.)

Maintain: Transactions SUPO_PREPARE and SUPO
(Screen only in the original.)

Maintain: Program PFCG_ORGFIELD_CREATE
(Screen only in the original: selection screen of report PFCG_ORGFIELD_CREATE.)

Authority Check: Overview

(Figure: flowchart of the checks the system makes at runtime when a transaction is started. Recoverable content, in order:)
1. Is the transaction code valid? (check of table TSTC) If not: ERROR.
2. Is the transaction locked by the system administrator? (check of table TSTC) If yes: ERROR.
3. Is the user authorized to start the transaction? (authorization object S_TCODE) If not: ERROR.
4. Is an authorization object assigned to the transaction code? (check of table TSTCA) If yes: does the user have the necessary authorization for it? (any authorization object can be used here) If not: ERROR. If no object is assigned, continue.
5. The R/3 transaction starts and calls its ABAP program, which performs further checks with the ABAP statement AUTHORITY-CHECK (any authorization object). If a check fails, the program reacts as its author decided, for example with a warning or an error.

• When a transaction is started, a system program executes several checks to ensure that the user has the required authorizations (the authorization checks among them use the ABAP statement AUTHORITY-CHECK internally):
  Is the transaction code valid? The system checks table TSTC; if the code does not exist, the check fails.
  Is the transaction locked by the system administrator? The system checks table TSTC; if it is locked, the check fails. (Transactions are locked and unlocked system-wide with transaction SM01.)
  Is the user authorized to start the transaction? Authorization object S_TCODE (Transaction start) contains the field TCD (Transaction code); the user must have an authorization whose TCD value covers the transaction code, otherwise the check fails.
  Is an authorization object assigned to the transaction code (table TSTCA)? If so, does the user have an authorization for that object with the assigned field values? If not, the check fails.
• If any of these checks fails, the transaction is not started and the system displays an error message.
• If all of them succeed, the transaction is started and usually calls an ABAP program that makes further authorization checks with the statement AUTHORITY-CHECK. For each check, the programmer specifies the authorization object used, the required value for each of its authorization fields, and how the program reacts when the user lacks the authorization.

Authority Check: Assign Objects to Transactions

• To assign an authorization object to a transaction, use transaction SE93 or choose Tools -> ABAP Workbench -> Development -> Other Tools -> Transactions. If you are creating a new transaction, enter the transaction name, press Create, enter the required information in the window Create Transaction and press Continue (Enter); the maintenance screen above then appears. On it:
  Enter the object ID in the field Authorization object.
  Press Values: the window Values of Check Object appears, in which one value can be defined for each authorization field of the object.
  Press Save.
• In this example, a user may start transaction ZUSERNAME only if the user master record contains an authorization for object ZUSERNAME with field USERNAME equal to USERNAME and field Activity (ACTVT) equal to 03 (Display).

Authority Check: The ABAP Statement

• To maintain an ABAP program, use transaction SE38 or choose Tools -> ABAP Workbench -> Development -> User Interface -> ABAP Editor. If you are creating a new program, enter the program name, press Create, enter the required information in the window ABAP Program Attributes and press Save (Enter); the editor screen above then appears.
• The report ZUSERNAME shown above can display one of two messages:
  You are not authorized to display your USERNAME: the user does not have the authorization demanded by the AUTHORITY-CHECK statement, that is, no authorization that lets him display his own user name.
  Your USERNAME is MASTER: the user MASTER has an authorization to display his own user name.

• The statement AUTHORITY-CHECK checks whether the user has the required authorization. To do this, it searches the authorization profiles in the user master record for an authorization for the authorization object named in the statement.
• If such an authorization is found and it contains the required values, the check is successful and sy-subrc is 0; otherwise sy-subrc is not 0 and the program must decide how to react.
• In this program, a user is authorized to display his own user name only if the user master record contains an authorization for object ZUSERNAME with field USERNAME equal to his own user name (the value of sy-uname) and field Activity (ACTVT) equal to 03 (Display).
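The following report is an added example written for this appendix; it is not the course's own listing of ZUSERNAME. It assumes the customer authorization object ZUSERNAME (object class ZUSR) with the fields USERNAME and ACTVT, created in SU21 as on the previous pages, and shows the AUTHORITY-CHECK for the current user together with the sy-subrc values a practitioner should distinguish: 4 (the user has authorizations for the object, but none whose values cover this check) versus 12 (the user has no authorization for the object at all, which is exactly the situation of a user whose SAP_ALL was generated before ZUSERNAME existed).

```abap
*&---------------------------------------------------------------------*
*& Report ZUSERNAME (added example, not the course's own program)
*& Assumption: object ZUSERNAME with fields USERNAME and ACTVT exists.
*&---------------------------------------------------------------------*
REPORT zusername.

" List every field of the object. A field that must not be checked would
" be given as ID 'name' DUMMY; here both fields are checked explicitly.
" The value '03' must match the stored value literally: AUTHORITY-CHECK
" does no conversion, which is why automatic conversion on the object
" matters when administrators type '3' instead of '03'.
AUTHORITY-CHECK OBJECT 'ZUSERNAME'
  ID 'USERNAME' FIELD sy-uname
  ID 'ACTVT'    FIELD '03'.

CASE sy-subrc.
  WHEN 0.
    " An authorization with matching USERNAME and ACTVT values was found.
    WRITE: / 'Your USERNAME is', sy-uname.
  WHEN 4.
    " Authorizations for ZUSERNAME exist in the user's profiles, but none
    " of them covers this user name with activity 03.
    MESSAGE 'You are not authorized to display your USERNAME' TYPE 'E'.
  WHEN 12.
    " No authorization for object ZUSERNAME at all, for example SAP_ALL
    " not regenerated after the object was created (see the next page).
    MESSAGE 'You are not authorized to display your USERNAME' TYPE 'E'.
  WHEN OTHERS.
    " Any other value means the statement itself is wrong (for instance a
    " field name that does not belong to the object), not a missing
    " authorization. Treat it as a program error, never as "authorized".
    MESSAGE 'AUTHORITY-CHECK for ZUSERNAME is coded incorrectly' TYPE 'E'.
ENDCASE.
```

The design point is the WHEN OTHERS branch: a return code that is neither 0 nor a recognised refusal must still end in an error message, because a check that silently falls through to the WRITE statement would grant access precisely when the check is broken.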


Authorization Profile: Superuser

• The SAP system contains predefined profiles for superusers:
  SAP_NEW: assigned to users who are to have access to all components that are currently unprotected. SAP_NEW ensures upward compatibility of authorizations: when a release or upgrade introduces new authorization checks for functions that were previously unprotected, users with SAP_NEW are not inconvenienced. Because it grants these new checks wholesale, it is meant as a temporary aid after an upgrade, not as a permanent assignment.
  SAP_ALL: assigned to users who are to have all SAP authorizations, including superuser authorization. After creating an authorization object, or after upgrading the system, regenerate SAP_ALL so that it again contains full authorization for every authorization object in the system.

• A user who has only the SAP_ALL profile may still receive an error (such as Authorization Failed) when executing transaction ZUSERNAME. The reason is that SAP_ALL is a generated profile: it contains full authorization only for the objects that existed when it was last generated, so a customer object such as ZUSERNAME created afterwards is not covered (see the ZUSERNAME transaction on the previous page). To fix this, regenerate SAP_ALL.
• To regenerate SAP_ALL, press Regenerate SAP_ALL on the initial screen of transaction SU21 or in the List of Objects screen of any object class (as in the screen above), then confirm with Yes in the window Generate SAP_ALL profile.
• After regeneration, a full authorization for object ZUSERNAME has been added to profile SAP_ALL.

Authorization Profile: End Users

• An end user should not have a profile like SAP_ALL or SAP_NEW. SAP recommends creating specific profiles for the activities assigned to each user, and creating them with the Profile Generator: execute transaction PFCG, or choose Tools -> Administration -> User Maintenance -> Role Administration -> Roles.
• The screen above shows the definition of an authorization profile with its two authorizations, each for a specific authorization object. (To display this screen, enter the role name on the initial screen of the Profile Generator, select the Authorizations tab and press Expert mode for profile generation. It is assumed that transaction ZUSERNAME calls ABAP program ZUSERNAME, as on the previous pages.)
  S_TCODE: this authorization permits any user who holds it to start transaction ZUSERNAME.
  ZUSERNAME: this authorization can be read as two independent authorizations:
    With the value USERNAME in field User name and 03 in field Activity: permits an end user to start transaction ZUSERNAME, because the object with these values is assigned to the transaction in SE93. It also permits a user whose user name is USERNAME (if such a user exists) to see his own user name through ABAP program ZUSERNAME.
    With the value JUNIOR in field User name and 03 in field Activity: permits the user JUNIOR to see his own user name through ABAP program ZUSERNAME.


Parameter Transactions (using SM30)
(Screen only in the original.)

Necessary Authorizations to Access
(Screen only in the original.)

Parameter Transactions (using SE16)
(Screen only in the original.)

Necessary Authorizations to Access
(Screen only in the original.)

User Groups

(Figure: user groups and their members. Recoverable content:)
  SUPER: SAP*, DDIC, VHYA2HWR (auxiliary user)
  ADM: ADMGR1, ADMGR2, ..., ADMGRx
  GR1: FI_01, FI_02, ..., FI_##
  GRx: HR_01, HR_02, ..., HR_##
  ...

• User group SUPER for superusers and special users:
  superusers (profile SAP_ALL) and system administrators;
  communication users (for example SAPCPIC, or the users for CUA or TMS);
  any other critical user (for example the auxiliary user for user group SUPER).
• User group ADM for administrators:
  authorization administrators;
  user administrators, who may maintain only end users (not users in group SUPER or ADM);
  role/profile administrators, who may display or maintain only roles/profiles that do not grant user administration, and may assign only non-administration roles/profiles, and only to end users.
• Other user groups for non-critical users.

Auxiliary User for User Group SUPER

• Anyone can lock a superuser such as SAP* or DDIC. Why? Because these user names are well known. How? Simply by attempting to log on with them until the failed-logon limit locks the user.
• Solution: create an auxiliary user whose only purpose is to unlock them. For this user:
  User ID: an unknown, cryptic name, for example VHYA2HWR.
  Profile: permits starting only transactions SU10 and SU01 (authorization object S_TCODE), and only locking, unlocking and changing the initial password of superusers (activity 05 and user group SUPER in authorization object S_USER_GRP).


Glossary

Glossary content: terms commonly used in the context of this course. Further information: in your SAP system, choose Help > Glossary.

• ABAP
Advanced Business Application Programming. Programming language of the R/3 System.

• ABAP Dictionary
Central storage facility containing metadata (data about data) for all objects in the R/3 System. The ABAP Dictionary describes the logical structure of application development objects and their representation in the structures of the underlying relational database. All runtime environment components such as application programs or the database interface get information about these objects from the ABAP Dictionary. The ABAP Dictionary is an active data dictionary and is fully integrated into the ABAP Workbench.

• ABAP Workbench
SAP's integrated graphical programming environment. The ABAP Workbench supports the development of and changes to R/3 client/server applications written in ABAP. You can use the tools of the ABAP Workbench to write ABAP code, design screens, create user interfaces, use predefined functions, get access to database information, control access to development objects, test applications for efficiency, and debug applications.

• Activation
Process that makes a runtime object available. The effect of activation is to generate runtime objects, which are accessed by application programs and screen templates.

• Activity Group
Role.

• Authorization
Authority to execute a particular action in the SAP System. Each authorization references one authorization object and defines one or more permissible values for each authorization field listed in the authorization object. Authorizations are combined in profiles, which are entered in a user's master record.

• Authorization Fields
In authorization objects, authorization fields represent values for individual system elements which are supposed to undergo authorization checking to verify a user's authorization.

• Authorization Objects
Structures of the SAP Repository that protect actions and access to data in the SAP system. The authorization objects are delivered by SAP and are present in SAP systems. To provide a better overview, authorization objects are divided into various object classes. Authorization objects allow complex checks that involve multiple conditions that allow a user to perform an action. The conditions are specified in authorization fields for the authorization objects and are AND-linked for the check. An authorization object can include up to 10 authorization fields. Authorization objects and their fields have descriptive and technical names.

• Authorization Profile
An authorization profile gives users access to the system. A profile contains individual authorizations, which are identified by the authorization name and one or more authorization objects. If a profile is specified in a user master record, the user has all the authorizations defined in this profile.

• Client
From a commercial law, organizational, and technical viewpoint, a closed unit within an R/3 System with separate master records within a table.

• Client-Dependent
Specific only to one client. Settings in client-dependent tables relate only to the client that was accessed during the logon process. Such tables contain the client number in the table's primary key. Client-dependent is a formerly used synonym for client-specific.

• Cross-Client
Relevant for all clients in an R/3 System. Cross-client is synonymous with the formerly used term client-independent.

• CUA
Central User Administration.

• Customer Development
Additions to the standard, delivered SAP software using the ABAP Workbench. Customer developments involve creating customer-specific objects using the customer's name range and namespace.

• Customizing
Adjusting the R/3 System to specific customer requirements by selecting variants, parameter settings, etc.

• DEV
Development System. System in a system landscape where development and Customizing work is performed. DEV contains the SAP standard clients, a development and Customizing client (CUST), a sandbox client (SAND), and a test client (TEST). Since the test client usually does not contain realistic application data, only unit tests can be conducted in this client.

• Development Class
A grouping of R/3 Repository objects belonging to a common area. Unlike the objects in a change request, the grouping is logical rather than temporal. The development class is assigned a transport layer to ensure that all objects have the same consolidation route.

• Local Change Request
Change request that cannot be transported to other R/3 Systems.

• Local Object
A Repository object assigned to a local development class such as the development class $TMP. Local objects are local to the R/3 System on which they are created and cannot be transported.

• Master Data
Master data is a type of application data that changes infrequently, but is required for the completion of most business transactions. Examples of master data include lists of customers, vendors, and materials, and even the company's chart of accounts.

• Namespace
Set of all names that satisfy the specific properties of the namespace. A namespace is defined by a prefix SAP provides to the customer or complementary software partner.

• Nametab
A Nametab is the runtime object of a table. The runtime object contains all the information stored in the ABAP Dictionary in a format that is optimized for the application programs.

• PRD
Production System. System that contains an enterprise's active business processes. This is where live production data is entered. PRD usually contains only the Production Client (PROD) and the SAP standard clients.

• Profile Generator
Automatically generates an authorization profile based on the activities in an activity group. Use transaction code PFCG.

• QAS
Quality Assurance System. System in which final testing is carried out. Tested, stable development objects and Customizing settings are transported into the quality assurance system from the development system at times defined for final testing. After verification and sign-off, development objects and Customizing settings are delivered to the production system. QAS includes a Test Client (QTST) and a Training Client (TRNG).

• R/3
Real-time, Version Three. Consists of a central instance offering the services DVEBMGS (Dialog, Update, Enqueue, Background Processing, Message, Gateway, Spool), a database instance, optional dialog instances offering the service D (Dialog), and optional PC front ends.

• R/3 Repository
Central storage facility for all development objects in the ABAP Workbench. These development objects include ABAP programs, screens, and documentation.

• R/3 Runtime Environment
Set of programs that must be available for execution at runtime. The ABAP interpreters in the runtime environment do not use the original of an ABAP program. Rather, they use a copy generated once only during runtime (early binding). Runtime objects, such as programs and screens, are automatically regenerated (late binding) when a time stamp comparison between the object and the ABAP Dictionary detects a difference.

• Release
The process by which the owner of a change request or task indicates that the contents of the change request or task have been unit tested. Release of a change request of either type Transportable or Customizing initiates the export process.

• Return Code
Value that indicates whether a tool (either within R/3 or on the operating system level) ran successfully, with warnings, or with errors.

• Role
Collection of activities that cover a specific work area. For example, the activity group "accounts payable accounting" contains all the transactions and reports that accountants need to perform their daily tasks. You can create a user menu for an activity group (role). You assign transactions, reports, and Internet/intranet links to the user menu. This menu is displayed when users assigned the activity group log on to the system. Authorizations are automatically granted for the activities included in the activity group. These authorizations can be changed.

• SAP AS
SAP Application Server.

• SAP BW
SAP Business Information Warehouse.

• SAP CRM
Customer Relationship Management.

• SAP EP
SAP Enterprise Portal. SAP EP is the component that brings all of these various components together. Via the portal, the end user has access to the backend systems using a single user interface, the Portal Client.

• SAP ITS
SAP Internet Transaction Server. Gateway between the R/3 System and the World Wide Web.

• SAP Web AS
SAP Web Application Server. The SAP Web AS is a normal application server that has been extended with a protocol handler called the Internet Communication Manager that processes the HTTP requests.

• System Landscape
The R/3 Systems and clients required for a company's implementation and maintenance of R/3. For example, a common system landscape consists of a development system, a quality assurance system, and a production system.

• Transaction Code
Succession of alphanumeric characters used to name a transaction, that is, a particular ABAP program in the R/3 System. For example, Transaction VA01 (create customer order).

• User Master Data
Logon and authorization information for R/3 users. Only users who have a user master record can log on to a client in an R/3 System and use specific transactions.

• View
Virtual table simultaneously displaying data from several real tables in the ABAP Dictionary. When you create a table, you assign a key to it. However, the fields in the key may be inadequate for solving some problems, so you can generate a view from several tables or parts of tables.

• Workbench Change Request
Change request for recording and transporting R/3 Repository objects and changed system settings from cross-client tables (Client-Independent Customizing).
