Training: User & Authorization
USER Concept(1)
One of the basic parts of R/3 security is the user concept.
After installation of R/3 and client creation, one of the first steps is to
create users in the new client.
Note that users are client dependent:
A user in one client is not a user of another client.
Users are valid only for the client in which they were created or to which they were assigned.
User name and user attributes make up the User Master Record.
By default SAP comes with two super users:
SAP*
DDIC
These two super users are available in every client of the R/3 system when a new
client is created, but the nature of the two super users is slightly different.
SAP* has all authorizations.
DDIC is authorized to administer the R/3 repository.
A user can be assigned to many activity groups, and an activity group
can be assigned to many users.
Password Restriction(1)
The password cannot be the word ‘sap’ or ‘pass’.
The password cannot begin with 3 identical characters, e.g. aaamy or bbbt.
When a user changes his password, he may not use any of the last
five passwords.
Password Restriction(2)
The minimum password length can be set with the parameter
login/min_password_lng (value 3).
The administrator can set the password expiration date with the parameter
login/password_expiration_time (number of days).
The number of incorrect logons allowed for a user master record until
the logon procedure is terminated can be set with the parameter
login/fails_to_session_end (value 3).
The number of incorrect logons allowed for a user master record until
logon is rejected for this user can be set with login/fails_to_user_lock
(value 3). The lock is released at midnight.
if the user does not use SAPGUI for the defined time. If set to 0, the user is never
logged out automatically.
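The password rules from the two slides above, written out as a checker. This is an added example, not SAP code; the function names, the case-insensitive comparison and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

FORBIDDEN_WORDS = {"sap", "pass"}   # words the slides list as not allowed
HISTORY_DEPTH = 5                   # "any of the last five passwords"


def _digest(password: str, salt: bytes) -> bytes:
    # The history keeps salted hashes, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.lower().encode(), salt, 10_000)


def remember(history: list, password: str) -> None:
    """Append a password to the history and keep only the last five."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))
    del history[:-HISTORY_DEPTH]


def violations(password: str, history: list, min_len: int = 3) -> list:
    """Return the slide rules that `password` breaks (empty list = accepted).

    min_len models login/min_password_lng; comparisons ignore case (assumption).
    """
    found = []
    if len(password) < min_len:
        found.append("shorter than login/min_password_lng")
    if password.lower() in FORBIDDEN_WORDS:
        found.append("forbidden word")
    if len(password) >= 3 and len(set(password[:3].lower())) == 1:
        found.append("begins with 3 identical characters")
    if any(hmac.compare_digest(_digest(password, s), d) for s, d in history):
        found.append("one of the last five passwords")
    return found


# Constructed sample data: six earlier passwords, oldest first.
sample_history = []
for old in ["Walldorf1", "Basis4u", "Kernel46C", "Client800", "Mandt000", "Su01Admin"]:
    remember(sample_history, old)

if __name__ == "__main__":
    for candidate in ["pass", "aaamy", "ab", "basis4u", "Walldorf1", "Tr4nsp0rt"]:
        print(candidate, "->", violations(candidate, sample_history) or "accepted")
```

The oldest of the six sample passwords has dropped out of the five-entry history, so it is accepted again.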
User sap* & DDIC (1)
The default installation of the SAP R/3 system includes two super users,
‘DDIC’ & ‘SAP*’.
User sap* is created with the password ‘06071992’.
User DDIC is created with the password ‘19920706’.
User EARLYWATCH is created with the password ‘SUPPORT’.
In a new client, sap* is created with the default password ‘pass’ and unlimited
access rights.
Sap* is the only super user that does not require a user master
record, because its authorization is given by system code. DDIC, in contrast,
has a user master record.
It is better to deactivate the user sap* (not delete it): because sap* needs no
user master record, deleting its record does not remove the user.
User DDIC (for data dictionary) is the maintenance user for certain
installation & setup tasks.
•EARLYWATCH user is used by SAP's EARLYWATCH experts.
User sap* & DDIC(2)
Default users coming after new installation
Choose this button to create a new user
Create User Step 2
Enter User Info
Create User Step 3
Enter these important data
Create User Step 4
Choose Role from the menu
Create User Step 5
Corresponding profile will come automatically
Create User Step 6
User can set USER-Parameters
USER Assignment
Users can be assigned to a single activity group or to composite activity
groups, which mostly represent job roles.
Users that are assigned to an activity group may execute the transactions,
reports, or any other task in the activity group with the corresponding
authorizations.
Create Role Step 1
Use Transaction code PFCG to maintain role/activity group
Choose the option Create
Create Role Step 2
Now to create the role choose menu
1. Enter the Description
2. Choose the option MENU
Created user name will display
Create Role Step 3
We can choose any one or all options at a time.
To create ROLE choose any one
Create Role Step 4
We choose according to our requirement from ‘SAP MENU’.
We choose three from the menu.
Create Role Step 5
Our three selected menus appeared on the Role menu.
1. Our chosen three will come on role menu
2. Again we choose Transaction
Create Role Step 6
Assign the transaction codes using the button Assign Transaction
Create Role Step 7
Then chosen transaction code appeared on Role Menu
Create Role Step 8
1. Choose Authorizations from TAB
2. Choose the button ‘Change authorization data’
Create Role Step 9
1. Choose Range of values or Full Authorization
Create Role Step 10
These authorizations will come on the ROLE
Create Role Step 11
Change the authorizations & save
Color have changed
Save the profile, give the name of the profile
Create Role Step 12
Get the message ‘Profiles created’
Create Role Step 13
Choose the option ‘USER COMPARE’
Assign the ‘USER’ to whom this role has to be assigned
Choose the option ‘Complete compare’
Create Role Step 14
Open the user to whom the role has to be assigned
Create Role Step 15
Assigned profile appeared on the user Profile list
Create Role Step 16
Again create role from other created role using PFCG
Choose the option ‘From Other role’
Create Role Step 17
Choose one role from ‘Before created or sap defined role’
Create Role Step 18
Choose the options from the list
Create Role Step 19
Again create role from area menu using PFCG
1. Chosen menu comes to the role menu
2. Now choose ‘From Area Menu’
Create Role Step 20
Choose one PC14
Create Role Step 21
Choose the option ‘Payroll’
Create Role Step 22
Chosen option ‘Payroll’ will come
Choose GOTO → Project Management
Choose to create new project
All created project will show. Choose
Give new name
CREATE ROLE USING SPRO –Step 3
Enter the DATE here
CREATE ROLE USING SPRO –Step 4
Specify the scope of the project
Select the modules which are required
Choose the button
CREATE ROLE USING SPRO –Step 5
1. Select the option Generate Project IMG
2. Choose this option
3. Project creation start in background.
CREATE ROLE USING SPRO –Step 6
Project PROJ_TEST created in background
CREATE ROLE USING SPRO –Step 7
Use the transaction code PFCG to assign the
authorizations related to a particular project.
Choose create option for new role
CREATE ROLE USING SPRO –Step 8
1. Choose the navigation Utilities → Customizing Auth
2. This screen will appear
3. Choose ‘Add’
4. This screen appears
Choose ‘IMG PROJECT’
CREATE ROLE USING SPRO –Step 9
Choose one project from the list
e.g. PROJ_TEST
CREATE ROLE USING SPRO –Step 10
All transaction codes related to the project PROJ_TEST will appear
This message will come if the user has no authorization for the TC
Use the transaction code SU53(2)
Using the transaction code SU53 we can find which
authorization is needed to perform the task.
These are the missing authorizations
These are the available authorizations
Authorization structure(1)
[Diagram: User Master Record; Authorization Profile / Composite Profile; Authorizations; Authorization Object; Authorization Fields]
Authorization(1)
The authorization system of the SAP R/3 system is the general term that
groups all the technical & management elements for granting access
privileges to users to enforce R/3 system security.
FIELD                      VALUE
Customer type (CUSTTYPE)   *
Activity (ACTVT)           02
Authorization fields represent values for individual system elements which are
supposed to undergo authorization checking to verify a user's authorization.
The activity field in an authorization object defines the possible actions which could
be performed on a particular application object.
An authorization field can be, for example, a user group, a company code, a
purchasing group, a development class, an application area or an activity.
For example, activity 03 always means Display. If an authorization contains two fields such
as COMPANY CODE & ACTVT, and the value in company code is * & the value in ACTVT
is 03, then a user holding this authorization can only display all company codes.
Not all authorization objects have the ACTVT authorization field.
Authorization Object(1)
An authorization object can contain a maximum of 10 authorization
fields.
Users are permitted to perform a system function only after passing the
test for every field in the authorization object.
Authorization objects are grouped in object classes belonging to
different application areas, which are used to limit the search for
objects, thus making it faster to navigate among the many R/3 system
objects.
SAP predefined authorization objects should not be modified or
deleted, except if instructed by the SAP support personnel.
Deleting or changing standard authorization objects can cause severe
errors in the programs that check those objects.
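A simplified model of the field-by-field test described above, added here as an illustration; it is not SAP's implementation. The object names Z_CUSTOMER and Z_COMPANY, the field name BUKRS (standing in for the company code) and the sample values are assumptions; CUSTTYPE, ACTVT 02 and ACTVT 03 (Display) come from the slides.

```python
# Simplified model of an authorization check; not SAP's implementation.
# An authorization holds values for every field of one authorization object.
# A value is "*" (full authorization), a single value, or a (low, high) range.

def value_allows(allowed, requested: str) -> bool:
    if allowed == "*":
        return True
    if isinstance(allowed, tuple):            # range of values, inclusive
        low, high = allowed
        return low <= requested <= high
    return allowed == requested


def failing_fields(authorization: dict, request: dict) -> list:
    """Fields of `request` that this one authorization does not cover."""
    return [field for field, wanted in request.items()
            if not any(value_allows(v, wanted) for v in authorization.get(field, []))]


def authority_check(user_auths: list, obj: str, request: dict):
    """Return (passed, closest_miss).

    The user passes only if a single authorization for `obj` covers every
    field; values are not combined across authorizations (model assumption).
    closest_miss lists the failing fields of the best attempt, similar to the
    missing-authorization view the slides show for SU53.
    """
    best = sorted(request)                    # no authorization at all: every field fails
    for auth_obj, fields in user_auths:
        if auth_obj != obj:
            continue
        missing = failing_fields(fields, request)
        if not missing:
            return True, []
        if len(missing) < len(best):
            best = missing
    return False, best


# Constructed sample user: three authorizations on two hypothetical objects.
USER_AUTHS = [
    ("Z_CUSTOMER", {"CUSTTYPE": ["*"], "ACTVT": ["02"]}),
    ("Z_COMPANY", {"BUKRS": ["*"], "ACTVT": ["03"]}),
    ("Z_COMPANY", {"BUKRS": [("1000", "1999")], "ACTVT": ["01", "02"]}),
]
```

With this sample user, changing company code 3000 fails even though one authorization grants all company codes and another grants activity 02, because no single authorization covers both fields.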
For example, the user cannot use these strings as a password
Role assigned to Which Users(1)
Use Transaction code: SE38 Program: RSUSR070
Navigation Path
Tools → Administration → User Maintenance → Information System → Roles → By Role Name
Role assigned to Which Users(2)
After entering the role we get the following screen
Double click on the Authorization object to get the details.
Available authorizations of the logon user(2)
Authorization fields corresponding to the Authorization Object.
Double click on the ‘permitted values’ to get the details.
Available authorizations of the logon user(3)
Double click on the Authorizations to get the details.
To get the details of an Authorization Object(1)
Use Transaction Code SE38, then use program: RSUSR040
Consider an Authorization object S_DEVELOP
To get the details of an Authorization Object(2)
Authorization Object & corresponding Object Class.
To get the details of an Authorization Object(3)
Authorization Fields associated with the Authorization object
Double click on Permitted Activities
To get the details of an Authorization Object(4)
Use Transaction Code SU03
Double click on object class BC_C
Important Authorization profiles
SAP recommends not using sap*; create one super user instead.
•SAP_ALL is the only profile defining that a user can create one super user,
with the authorization for creation of a new object.
•SAP_NEW is the profile which gives the permission to create a new
object.
Profile Generator