• Role types:
o Single role: a single role is the data container for the transactions and the
authorization objects, and is assigned to users according to the functions performed
by the user
o Composite role: a collection of single roles; it should contain at least
one single role. Composite roles do not contain any authorization data. A
composite role cannot be assigned to another composite role
o Derived roles: roles that are derived from an existing role. They inherit all
the transactions and the authorizations from the source role
o User assignment: users can be assigned to a single role or to a composite role
• Organizational levels: the security administrator can specify the levels to which
the users need access (company code, cost center, sales organization etc.)
User comparison: once a user id is assigned, this icon is clicked to update the user
master record (UMR)
Apart from transactions, we can also assign reports, ABAP/4 queries, internet URLs,
links to documents on a shared drive in the company's network etc.
SINGLE ROLE
CREATION
Transaction PFCG
• Enter the role name and click the create button. There are some limitations on
naming a role
o A customer role name should begin with a Z or Y
o The second character should not be an underscore (_)
• When a role is created and saved an entry is made in the AGR_DEFINE table and
can be seen using the transaction SE16
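The role types, the naming rules and the table entries described above, as an added in-memory model (example code written for these notes, not SAP code). The table names mirror the ones the notes mention (AGR_DEFINE, AGR_AGRS, AGR_USERS); the record layouts, the class names and the sample role names are simplified assumptions made for this example.

```python
# Added illustration (not SAP code): an in-memory model of the role types and
# the naming rules described in these notes. The table names mirror the SAP
# tables the notes mention (AGR_DEFINE, AGR_AGRS, AGR_USERS); the record
# layouts, class names and sample role names are simplified assumptions.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


def validate_role_name(name: str) -> None:
    """Customer role names begin with Z or Y, and the second character is not '_'."""
    if not name or name[0] not in "ZY":
        raise ValueError(f"{name!r}: a customer role name must begin with Z or Y")
    if len(name) > 1 and name[1] == "_":
        raise ValueError(f"{name!r}: the second character must not be an underscore")


@dataclass
class Role:
    name: str
    kind: str                                       # "single", "composite" or "derived"
    tcodes: set = field(default_factory=set)        # transactions in the role menu
    auths: dict = field(default_factory=dict)       # authorization object -> field values
    org_levels: dict = field(default_factory=dict)  # e.g. {"BUKRS": "1000"}
    members: list = field(default_factory=list)     # single roles of a composite role
    parent: Optional[str] = None                    # source role of a derived role


class RoleStore:
    """Holds the roles and the (simplified) table entries PFCG would write."""

    def __init__(self) -> None:
        self.roles = {}        # name -> Role
        self.agr_define = []   # one entry per saved role
        self.agr_agrs = []     # (composite role, single role) for each member
        self.agr_users = []    # (role, user) after user comparison
        self.pending = []      # (role, user) entered but not yet compared

    def _save(self, role: Role) -> Role:
        validate_role_name(role.name)
        self.roles[role.name] = role
        self.agr_define.append(role.name)
        return role

    def create_single(self, name, tcodes, auths, org_levels) -> Role:
        return self._save(Role(name, "single", set(tcodes), dict(auths), dict(org_levels)))

    def create_composite(self, name, member_names) -> Role:
        # A composite role holds single roles only: at least one, never another composite.
        if not member_names:
            raise ValueError("a composite role must contain at least one single role")
        for m in member_names:
            if self.roles[m].kind == "composite":
                raise ValueError(f"{m}: a composite role cannot be assigned to a composite role")
        role = self._save(Role(name, "composite", members=list(member_names)))
        self.agr_agrs.extend((name, m) for m in member_names)
        return role

    def derive(self, name, parent_name, org_levels) -> Role:
        # A derived role inherits the transactions and authorizations of its
        # source role; only the organizational levels are set separately.
        src = self.roles[parent_name]
        if src.kind == "composite":
            raise ValueError("derived roles are based on single roles, not composite roles")
        return self._save(Role(name, "derived", set(src.tcodes), dict(src.auths),
                               dict(org_levels), parent=parent_name))

    def assign_user(self, user: str, role_name: str) -> None:
        # Users may be assigned to a single role or to a composite role.
        self.pending.append((role_name, user))

    def user_comparison(self) -> None:
        # Updates the user master record: a composite role is expanded so the
        # user also receives each single role it contains.
        for role_name, user in self.pending:
            self.agr_users.append((role_name, user))
            for m in self.roles[role_name].members:
                self.agr_users.append((m, user))
        self.pending.clear()

    def umr(self, user: str) -> list:
        """Roles the user master record shows for this user after comparison."""
        return sorted({r for r, u in self.agr_users if u == user})


def build_demo_store() -> RoleStore:
    """Constructed sample data: two single roles, one composite, one derived role."""
    store = RoleStore()
    store.create_single("ZFI_AP_CLERK", ["FB60", "FB65"],
                        {"F_BKPF_BUK": {"ACTVT": ["01", "02"]}}, {"BUKRS": "1000"})
    store.create_single("ZFI_AP_DISPLAY", ["FB03"],
                        {"F_BKPF_BUK": {"ACTVT": ["03"]}}, {"BUKRS": "1000"})
    store.create_composite("ZC_FI_AP", ["ZFI_AP_CLERK", "ZFI_AP_DISPLAY"])
    store.derive("ZFI_AP_CLERK_2000", "ZFI_AP_CLERK", {"BUKRS": "2000"})
    store.assign_user("JSMITH", "ZC_FI_AP")
    store.user_comparison()
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print("AGR_DEFINE:", s.agr_define)
    print("AGR_AGRS:", s.agr_agrs)
    print("UMR for JSMITH:", s.umr("JSMITH"))
```

The model enforces the three rules the notes state (customer prefix Z/Y, no underscore in position two, no composite inside a composite) at creation time, and `umr()` shows why the user comparison step matters: until it runs, the user master record does not yet reflect the single roles contained in the assigned composite role.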
Menu tab
• In the menu tab select "from the SAP menu"; a window will open with check boxes. At the
bottom of the screen activate the technical names. These technical names are
nothing but the transaction codes
• In the same screen find the transaction you want using the find button, by
entering the transaction code
• It will take you to the menu path where the transaction code is. Now check the box
corresponding to the t-code you need; it will select the parent nodes as well
• Any other transaction that needs to be found and included can be added in the same way.
Finally select the transfer button
Authorization tab
• This tab is used to maintain the organizational levels and the values for the fields of the
authorization objects associated with the transaction codes
• The list of authorization objects can be found in the table TOBJ
• To maintain the org levels and field values click on "change authorization data"
• Organizational levels defined in the system can be checked using the T-code SPRO
• To see the list of authorization classes - SU02
• Once the authorization tab is done, entries about the profile can be seen in some of the
tables AGR_1250, AGR_1251, AGR_1016, AGR_1016B, AGR_1252
Assigning users to the role
• Enter the user ids and once that is done click user comparison and then click on
complete comparison
• An entry for each user is made in the AGR_USERS table
DELETION
• When a role is deleted, all the assignments associated with the role are also deleted.
This includes all the authorizations generated for the role and the user assignments
• Before deletion create a change request; it should not be released before the
deletion of the role
• If we have multiple roles to be deleted we can enter all the roles in the change
request and delete the roles one by one
• Click on the transport icon before deletion; it will take us to the object screen,
where we deselect the user assignment object, select the personalization object
and hit enter
• Then in the next screen click the create request icon, specify a description for the
role to be deleted and press enter; we will see a message at the bottom saying the data
has been entered in the change request
• Now we can go ahead and delete the role
• The role which is marked for transport can be seen in SE10/SE09. As soon as you
enter this screen make sure that the modifiable box is checked, then select display; we
can see that the roles which we deleted are ready for transport. Select the roles and hit
the transport icon
COMPOSITE ROLE
• Composite roles are a collection of single roles. In a composite role you cannot
assign transactions directly. Transactions are assigned to single roles, and the single roles
are in turn assigned to the composite role
• Composite roles provide an efficient method for administering user access to
complex functionality spanning several functional areas
CREATION
Transaction PFCG
• Enter a role name and click on the composite role button. The naming convention is very
important: the name should be distinguishable from that of a single role
Role tab
• Click on the role tab button and enter the single roles which you want to bring under
this composite role
• At this point an entry is made in the AGR_AGRS table (one for every single role that makes
up the composite role)
Menu tab
• We can see there is no option for us to enter any transaction or report into a
composite role
• If we click on the read menu button, it will display one node for each role that was
included in the roles tab
• We can expand the nodes of the single roles and see the transactions that are
present in each single role
User tab
• Click on the user tab and assign the composite role to the user ids
• Click on the user comparison button, the master record for single roles is adjusted
and the composite role gets assigned to the users
SU01
• If you check the UMR for a user id with a composite role, we can see the composite
role as well as the single roles that belong to the composite role
• Single roles are displayed in blue, and composite roles with a double bullet in
the type column
DELETION
• Select the composite role which you want to delete. If the role still contains single
roles and we try to delete the composite role, it will error out saying that it still contains
single roles
• Go to the roles tab and remove all the single roles from the composite role
• Click on the transport icon before deletion; it will take us to the object screen,
where we deselect the user assignment object, select the personalization object
and hit enter
• Then in the next screen click the create request icon, specify a description for the
role to be deleted and press enter; we will see a message at the bottom saying the data
has been entered in the change request
• Now we can go ahead and delete the role
• The role which is marked for transport can be seen in SE10/SE09. As soon as you
enter this screen make sure that the modifiable box is checked, then select display; we
can see that the roles which we deleted are ready for transport. Select the roles and hit
the transport icon
• Create one transport request for all the roles in the source system (say the
development system) using the mass transport option
• Delete all the roles entered in the transport one by one from the development
system
• Release the change request. SAP flags the transport entry as a delete if it cannot
find the records when you release the transport
• Import the transport into the remaining systems and the roles will be deleted from
those systems
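The four-step mass deletion above, and the "release only after deleting" rule, as an added simulation (example code written for these notes, not SAP code). The three-system landscape, the `System` and `TransportRequest` classes and the simplified contents of AGR_DEFINE, AGR_TCODES and AGR_USERS are constructed assumptions for this example; the behaviour modelled is the one the notes describe: an entry becomes a delete on release when the role can no longer be found in the source system, and user assignments are not transported because that object was deselected.

```python
# Added illustration (not SAP code): simulates the transport-based mass
# deletion described in these notes. The landscape, class names and table
# contents are constructed assumptions for this example.
from __future__ import annotations


class System:
    """One SAP system holding the role tables the notes mention."""

    def __init__(self, sid: str) -> None:
        self.sid = sid
        self.agr_define = set()   # role names
        self.agr_tcodes = {}      # role -> set of transaction codes
        self.agr_users = {}       # role -> set of assigned users

    def create_role(self, name, tcodes, users=()) -> None:
        self.agr_define.add(name)
        self.agr_tcodes[name] = set(tcodes)
        # keep any assignments that already exist in this system
        self.agr_users.setdefault(name, set()).update(users)

    def delete_role(self, name) -> None:
        # Deleting a role removes its definition, authorizations and user assignments.
        self.agr_define.discard(name)
        self.agr_tcodes.pop(name, None)
        self.agr_users.pop(name, None)

    def has_role(self, name) -> bool:
        return name in self.agr_define


class TransportRequest:
    """A change request. On release, every recorded role that can no longer be
    found in the source system is flagged as a delete; the others are exported."""

    def __init__(self, source: System, roles) -> None:
        self.source = source
        self.entries = {r: "export" for r in roles}
        self.payload = {}          # role data captured at release time
        self.released = False

    def release(self) -> None:
        for role in self.entries:
            if self.source.has_role(role):
                self.payload[role] = set(self.source.agr_tcodes[role])
            else:
                self.entries[role] = "delete"
        self.released = True

    def import_into(self, target: System) -> None:
        if not self.released:
            raise RuntimeError("release the request before importing it")
        for role, action in self.entries.items():
            if action == "delete":
                target.delete_role(role)
            else:
                # user assignment object was deselected: no users travel with the role
                target.create_role(role, self.payload[role])


def mass_delete(dev: System, targets, roles) -> TransportRequest:
    """Correct order: record the roles, delete them in DEV, then release and import."""
    request = TransportRequest(dev, roles)
    for role in roles:
        dev.delete_role(role)
    request.release()
    for target in targets:
        request.import_into(target)
    return request


def landscape_in_sync(systems) -> bool:
    """True when every system carries the same set of roles."""
    return len({frozenset(s.agr_define) for s in systems}) == 1


def build_landscape():
    """Constructed sample: DEV, QAS and PRD each holding the same three roles."""
    systems = [System("DEV"), System("QAS"), System("PRD")]
    for s in systems:
        s.create_role("ZOLD_ROLE_A", ["SE16"], ["USER1"])
        s.create_role("ZOLD_ROLE_B", ["SM37"])
        s.create_role("ZKEEP_ROLE", ["FB03"], ["USER2"])
    return systems


if __name__ == "__main__":
    dev, qas, prd = build_landscape()
    req = mass_delete(dev, [qas, prd], ["ZOLD_ROLE_A", "ZOLD_ROLE_B"])
    print(req.entries, sorted(prd.agr_define), landscape_in_sync([dev, qas, prd]))
```

Running `mass_delete` with the request released before the roles are deleted (the order the notes warn against) exports the roles instead of deleting them, so the target systems keep roles that DEV no longer has, which `landscape_in_sync` reports as the out-of-sync landscape the notes give as the first reason not to delete directly in production.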
DERIVED ROLE
• A derived role is a role which is created using some other role as a reference. The
derived role inherits the t-codes and the authorizations of the referenced role
• It is basically a duplication of an existing role
• Derived roles come into the picture where the organization has offices and users across
the world, because there will be positions with similar job responsibilities in every
location. In such a situation only the organizational levels may change while the activities
remain the same
• Duplication of a role can be done in 2 ways:
o Copying an existing role - but it will act as an independent role after that
o Deriving a new role based on the existing role
• Once the derived role is created, if we go to the parent role we can see
a new icon saying generate derived role, near the generate icon
• Drawbacks:
o Authorization objects inserted manually in the parent role are not
reflected in the derived role automatically, as the transactions are
o If you want to bring these objects from the parent role into the derived role we
have to generate the derived role from the parent role
o Changes made in the derived role are not reflected in the parent role
CREATION
IMG Project
• A project IMG can be created using the transaction SPRO_ADMIN or using the path
SPRO - in the IMG screen, GOTO - Project Management
• The authorization object related to this is S_PROJECT
• Once we are done creating the role it is not possible to add any transactions to
the role, but they can be deleted
IMG Role
• After the project IMG is created, we can use it to create the IMG configuration
role
• Execute the transaction PFCG
• Go to the menu tab and follow the menu path Utilities - Customizing
Authorization
• We will get the customizing authorization box; select the add icon. We will be
taken to the insert customizing activities box; select the IMG project button
• Select the project IMG from the list, the one you created, and select the continue icon
• We can see the node with all its sub-nodes in the menu tab screen, and we can no
longer add any transaction codes to this role in the menu tab
• Specify the required values in the authorizations tab and generate the role
To see the values for the org levels go to the IMG through SPRO and in there select
Enterprise structure - Assignment
If authorization object names are not displayed then go to Utilities - Technical names on,
or Utilities - Settings, to display the technical names (authorization class) of the
authorization objects and the field names
Transaction codes are inserted in the authorization object S_TCODE, the start transaction
code object
A field value beginning with "$" in the organizational level screen indicates that it is
a plan version
Technically, yes, we can delete a role directly from the production system, but we should
not, for 2 reasons
o Synchronization (the systems go out of sync)
o Trail (the transport says where the object originated)
The change request should not be released before the deletion of the role
When we delete roles, the related entries in tables such as AGR_DEFINE,
AGR_USERS (if users are assigned to the roles), AGR_TCODES etc. are also deleted
When a role is deleted a flag is set on the role saying that it is deleted; based on that
it is deleted from the remaining systems
We can see a delete button in the menu tab screen; if we delete a role's node there and
refresh, it will appear again, since the menu is read from the single roles
In PFCG, if you want to give access only to the user menu and not the SAP menu, how do
you do that?
Sol: to hide the SAP menu for all users, enter transaction SM30, edit table
SSM_CUST and set SAP_MENU_OFF to YES
To hide the SAP menu for individual users, enter transaction SM30 and maintain table
USERS_SSM
Do not delete any objects; deactivate them instead, because deleted objects pop up
again when you enter the role again (adding or deleting t-codes)
Apart from the 4 object statuses there is another status, "New"; it can be seen when we
enter a created role and make modifications. In most cases we make sure that the old status
remains.
For example: if an object exists twice, with old and new values for the fields, generally we
keep the old object and deactivate the new one
Note: if the newly added object has more authorization values than the old one, then check
what the role is for and deactivate the unnecessary object
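The "deactivate, do not delete" advice and the old/new duplicate rule above, as an added simulation (example code written for these notes, not SAP code). The `Auth` class, the status strings, the value-count comparison and the sample objects are simplified assumptions for this example: `merge_proposals` stands in for re-entering the role after changing its t-codes, and `reconcile` applies the rule the notes give for an object that exists twice.

```python
# Added illustration (not SAP code): models why deleted authorization objects
# come back on re-entry while deactivated ones stay put, and how a duplicate
# object (old status next to New) is handled. All names and samples are
# simplified assumptions for this example.
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Auth:
    obj: str                      # authorization object, e.g. S_TCODE
    values: Dict[str, Set[str]]   # field -> values maintained in the role
    status: str = "Standard"      # Standard, Maintained, Changed, Manual or New
    active: bool = True


def value_count(auth: Auth) -> int:
    """Number of field values the object carries (used to compare old vs New)."""
    return sum(len(v) for v in auth.values.values())


def merge_proposals(auths: List[Auth],
                    proposals: List[Tuple[str, Dict[str, Set[str]]]]) -> List[Auth]:
    """Simulates re-entering the role after adding or removing t-codes: every
    proposed object/value set that is not already present, active or not, comes
    back with status New. A deleted object therefore reappears; a deactivated
    one does not, because it is still in the role."""
    merged = list(auths)
    for obj, values in proposals:
        if not any(a.obj == obj and a.values == values for a in merged):
            merged.append(Auth(obj, {k: set(v) for k, v in values.items()}, status="New"))
    return merged


def reconcile(auths: List[Auth]) -> List[str]:
    """Where an object exists twice (old status and New), keep the old one and
    deactivate the New one, unless the New one carries more values: then both
    stay active and the object name is returned for manual review."""
    review = []
    for new in [a for a in auths if a.status == "New"]:
        olds = [a for a in auths if a.obj == new.obj and a.status != "New"]
        if not olds:
            continue
        if value_count(new) > max(value_count(o) for o in olds):
            review.append(new.obj)
        else:
            new.active = False
    return review


def sample_role() -> List[Auth]:
    """Constructed sample: two changed objects and one deactivated object."""
    return [
        Auth("S_TCODE", {"TCD": {"SE16", "SE17"}}, "Changed"),
        Auth("S_TABU_DIS", {"ACTVT": {"03"}, "DICBERCLS": {"&NC&"}}, "Changed"),
        Auth("S_DATASET", {"ACTVT": {"33"}}, "Standard", active=False),
    ]


def sample_proposals() -> List[Tuple[str, Dict[str, Set[str]]]]:
    """Constructed sample of what the role's transactions propose on re-entry."""
    return [
        ("S_TCODE", {"TCD": {"SE16"}}),
        ("S_TABU_DIS", {"ACTVT": {"02", "03"}, "DICBERCLS": {"*"}}),
        ("S_DATASET", {"ACTVT": {"33"}}),
    ]


if __name__ == "__main__":
    merged = merge_proposals(sample_role(), sample_proposals())
    print("needs review:", reconcile(merged))
    for a in merged:
        print(a.obj, a.status, "active" if a.active else "inactive", a.values)
```

In the sample the deactivated S_DATASET is not duplicated on re-entry, whereas removing it from the role first makes it come back as New; the New S_TCODE has fewer values than the changed one and is deactivated, while the New S_TABU_DIS has more values and is only reported, leaving the decision to whoever knows what the role is for.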
S_BTCH_JOB, S_BTCH_ADM and S_BTCH_NAM are the authorization objects that control the
transaction code SM37