This action might not be possible to undo. Are you sure you want to continue?
The authorizations for users are created using roles and profiles. The administrator creates the roles, and the system supports him or her in creating the associated authorizations.
B Object Class
Authorization Object User Master Maintenance: User Groups Activity User Group
Authorization A Create, Change,Display SUPER B Display Finance
Fig 1.1 Authorization Concepts Authorization objects allow complex checks that involve multiple conditions that allow a user to perform an action. An authorization is always associated with exactly one authorization object and contains the value for the fields for the authorization objects. An authorization is a permission to perform a certain action in the SAP System. The action is defined on the basis of the values for the individual fields of an authorization object. When a user logs on to a client of an SAP system, his or her authorizations are loaded in the user context. The user context is in the user buffer( in the main memory) of the application Server. When the user calls a transaction, the system checks whether the use has an authorization in the user context that allows him/her to call the selected transaction. Authorization checks use the authorizations in the user context. All the authorizations are permissions. There are no authorizations for prohibiting. Everything that is not explicitly allowed is forbidden. The user gets the necessary authorization through Roles. The role also contains the authorizations users need to access the transactions, reports, web-based applications and so on, contained in the menu. The details of user administration is specified in my other BOK “User Administration in SAP R3 System”. How to Create a new Role
And modify that newly created one. delivered by SAP in the source role and specify the user defined role as the target role 4. 6. Choose the pushbutton Copy role. Now new role has been created successfully. Now select the appropriate role. for creation of new roles • • Copy an existing role (SAP pre-defined role). If you want to modify them. 2. Using this icon (Copy Role).” 5.There are 2 ways. Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP Easy Access. based up on the business requirements. And based on the requirements deselect/remove unnecessary authorizations from that SAP. Prerequisites Check the suitability of the roles delivered by SAP before you create your own roles. Now we can edit the new role by pressing the pushbutton “change role”. all you need to do is copy the SAP template (Roles provided by SAP). . Procedure The copying a existing role is described below. To create a single role: 1. . Now choose the pushbutton “copy all/ copy selectively. 3. Creating a new role. You go to the role maintenance. Copy an existing role You can use the user role examples just as they are delivered with the SAP System.
7. . Now we can assign this new role to the user. This reduces the risk of giving all the authorizations to a user.
change and view the Sales Order. Creating a new role Based up on the business requirements we have to create roles. Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP Easy Access. Procedure The creation of a single role is described below. . we have to assign only that particular role with which he will be able to create. To create a single role: 1. You go to the role maintenance. consider a business scenario where we want to create a role for a particular user.For example. Here in the above scenario. which are not provided by SAP. who works in sales department.
Choose Create Role. Do not use the SAP namespace for your user roles.2. we will prefix the role with ‘Z_’ or ‘Y_’. You may use an existing role as a reference. 4. Enter a meaningful role description text. And save the role. To distinguish between the names of User defined roles and SAP predefined roles. 5. 3. You can describe the activities in the role in detail. Specify a name for the role. The roles delivered by SAP have the prefix 'SAP_'. .
. programs and/or web addresses to the role in the Menu tab.Assign transactions.
6. . The user menu which you create here is called automatically when the user to whom this role is assigned logs on to the SAP System.
SAP will supply with a profile name. You can create the authorizations for the transactions in the role menu structure in the authorizations tab. To get the profile name for this particular role. Profile generator .7. And press the pushbutton ‘Change Authorization Data’ for maintaining authorization data and generating profiles. press the pushbutton “propose profile names”.
division. its better to specify the company code and the rest. all the authorization values must be manually checked and adjusted if required in accordance with the actual requirements and authorities. Profile generator .1. we will see the red color dot against each Authorization Object. Activity and Tasks. which I had specified in fig 1. User group.Specify the company code. To avoid this. However. If we don’t specify any organization code. press Save button. there will be some Authorization objects. Authorization object Activity User group Tasks For each role. sales organization distribution channel etc.
This is only necessary if you want to navigate via the Easy Access Menu in the SAPgui.Once we see all the authorization object are green. This function is most useful when you use the Workplace. To distribute the role into a particular target system. You should only use RFC destinations which were created using the Trusted System concept to guarantee that the same user is used in the target system.6C) and choose Distribute. If the Target system field is empty. then we can generate the profile for this particular role by pressing that ‘generate’ pushbutton . the transactions are called in the system in which the user is logged on. Advanced Concepts If you want to call the transactions in a role in another system. you can use any destination containing a logical system with the same name. . specify the target system (its Release must be 4. Variables are assigned to the RFC destinations in the transaction SM30_SSM_RFC. enter the RFC destination of the other system in the Target system field. With this we have successfully created a role. You can also specify a variable which refers to an RFC destination. If you use the Workplace Web Browser.
Click on the menu branches and copy them. You can also copy the menu structure of a role delivered by SAP. o from a role this function copies a defined role menu structure in the same system into the current role. o from an area menu You can copy area menus (SAP Standard and your own) into a role menu.You can create the user menu: o from the SAP menu You can copy complete menu branches from the SAP menu by clicking on the cross in front of it in the user menu. Expand the menu branch if you want to put lower-level nodes or individual transactions/programs in the user menu. . Choose an area menu from the list of menus and copy the transactions you want. o o Import from file Transaction You can put a transaction code in the user menu directly.
o Program This function puts programs. Role maintenance automatically creates the authorizations that are associated with the transactions specified in the menu tree. When integrating files. you can add Internet Address or Links or Files. You can skip the selection screen. They need not be given a transaction code. ABAP Report Choose a report and a variant. transaction variants or queries in the user menu. You can also specify BW Web Reports. Save your entries. Result You have created a role. o Others By choosing the other button. all the authorization values . However. you must use the storage paths instead of URLs. 7. and links to external mail systems and Knowledge Warehouse.
must be manually checked and adjusted if required in accordance with the actual requirements and authorities. .
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue listening from where you left off, or restart the preview.