
SAP R/3 BASIS Training: User & Authorization
USER Concept(1)
The user concept is one of the basic parts of R/3 security.
After R/3 is installed and a client is created, one of the first steps is to
create users in the new client.
Users are client dependent:
a user in one client is not a user of another client.
Users are valid only in the client in which they were created or to which they were assigned.
The user name and the user attributes make up the User Master Record.
By default SAP comes with two super users:
SAP*
DDIC
These two super users are available in every client of the R/3 system when a new
client is created, but the nature of the two is slightly different:
SAP* has all authorizations.
DDIC is authorized to administer the R/3 repository.

Transaction code for user maintenance: SU01

Navigation on menu:

Tools --> Administration --> User Maintenance --> Users


User Master Record(1)
A User Master Record consists of the following information:
User Name
Assigned Client
Password (Changeable in future)
Company Address
User Type
Start Menu
Logon Language
Personal Printer Setting
Time Zone
Activity Groups
Authorizations
Expiration Date
Default Parameter Setting
User master records are maintained through the transaction code SU01.

A user can be assigned to many activity groups, and an activity group
can be assigned to many users.
Password Restriction(1)
The password cannot be the word ‘sap’ or ‘pass’.

The password cannot begin with any sequence of three characters
contained in the user ID. For example, user FREDSMITH cannot set a password
that starts with FRE, RED, EDS or SMI.

The password cannot begin with 3 identical characters, e.g. aaamy or bbbt.

When a user changes his password, he may not use any of the last
five passwords.
Password Restriction(2)
The minimum password length can be set by the parameter
login/min_password_lng (value 3).
The administrator can set the password expiration with the parameter
login/password_expiration_time (number of days).
The number of incorrect logons allowed for a user master record until
the logon procedure is terminated can be set by the parameter
login/fails_to_session_end (value 3).
The number of incorrect logons allowed for a user master record until
logon is rejected for this user can be set by login/fails_to_user_lock
(value 3). The lock is released at midnight.

The parameter rdisp/gui_auto_logout (in seconds) logs the user out automatically
if the user does not use SAPGUI for the defined time. If it is set to 0, the user is never
logged out automatically.
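An added example (not part of the original training material): a short Python audit of the logon parameters listed above, run against an instance-profile excerpt. The profile text is a constructed sample, and the thresholds in POLICY are an assumed site policy, not SAP defaults.

```python
import re

# Assumed site policy (NOT SAP defaults): parameter -> (check, requirement text)
POLICY = {
    "login/min_password_lng": (lambda v: v >= 8, "at least 8 characters"),
    "login/password_expiration_time": (lambda v: 1 <= v <= 90, "between 1 and 90 days"),
    "login/fails_to_session_end": (lambda v: 1 <= v <= 3, "between 1 and 3 attempts"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5, "between 1 and 5 attempts"),
    # the text above notes that 0 means the GUI session is never logged out
    "rdisp/gui_auto_logout": (lambda v: 1 <= v <= 1800, "between 1 and 1800 seconds"),
}

PARAM_LINE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(\S+)")

# Constructed sample profile excerpt, not taken from a real system
SAMPLE_PROFILE = """\
# logon settings
login/min_password_lng = 3
login/password_expiration_time = 60
login/fails_to_session_end = 3
rdisp/gui_auto_logout = 0
"""

def parse_profile(text):
    """Return {parameter: raw value} for every 'name = value' line."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        match = PARAM_LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params

def audit(params):
    """Return (parameter, found value, requirement) for each policy violation."""
    findings = []
    for name, (check, requirement) in POLICY.items():
        raw = params.get(name)
        if raw is None:
            # absent from the profile, so the value in force is not visible here
            findings.append((name, "not set in profile", requirement))
        elif not raw.isdigit() or not check(int(raw)):
            findings.append((name, raw, requirement))
    return findings

if __name__ == "__main__":
    for name, found, requirement in audit(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: found {found!r}, policy requires {requirement}")
```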
User sap* & DDIC (1)
The default installation of the SAP R/3 system includes two super users,
‘DDIC’ & ‘SAP*’.
User SAP* is created with the password ‘06071992’.
User DDIC is created with the password ‘19920706’.
User EARLYWATCH is created with the password ‘SUPPORT’.
In a new client, SAP* is created with the default password ‘pass’ and unlimited
access rights.
SAP* is the only super user that does not require a user master
record, because its authorization is given by system code. DDIC, however,
has a user master record.
It is better to deactivate the user SAP* (not delete it).
User DDIC (for data dictionary) is the maintenance user for certain
installation & setup tasks.
The EARLYWATCH user is used by SAP's EARLYWATCH experts.
User sap* & DDIC(2)
Default users present after a new installation, with their clients:

SAP*: 000, 001, 066
DDIC: 000, 001
EARLYWATCH: 066
Create User Step 1

Use the transaction code SU01 for user maintenance.

Choose this button to create a new user.
Create User Step 2
Enter user info.
Create User Step 3
Enter these important data.
Create User Step 4
Choose a role from the menu.
Create User Step 5
The corresponding profile will come automatically.
Create User Step 6
The user can set USER-Parameters.

After entering all data, choose the save button.

Create User Step 7
The user will be created & ‘Last changed by’ is also modified.

USER CREATION COMPLETE NOW.



Activity Group(1) or ROLE
•A role or activity group is a collection of R/3 transactions,
authorizations and additional objects.
•The administrator can create, display, change, copy & transport a role.

•Transaction code PFCG is used to maintain roles.

Composite Activity Group or Role
•Composite activity groups are made up of a collection of activity groups.
•Users assigned to a composite activity group are automatically added to the
activity groups during a user comparison.
•Composite activity groups themselves do not contain any authorization
data.

USER Assignment
Users can be assigned to single activity groups or to composite activity
groups, which mostly represent job roles.
Users assigned to an activity group may execute the transactions,
reports or any other tasks in the activity group with the corresponding
authorizations.
Create Role Step 1
Use transaction code PFCG to maintain a role / activity group.

Choose the option Create.
Create Role Step 2
Now, to create the role, choose Menu.

1. Enter the description.
2. Choose the option MENU.

The created user name will display.
Create Role Step 3
We can choose any one or all options at a time.

To create the ROLE, choose any one.
Create Role Step 4
We choose according to our requirement from ‘SAP MENU’.
We choose three from the menu.
Create Role Step 5
Our three selected menus appear on the role menu.

1. Our chosen three will come on the role menu.
2. Again we choose Transaction.
Create Role Step 6
Assign the transaction codes using the button Assign Transaction.
Create Role Step 7

Then the chosen transaction code appears on the Role Menu.
Create Role Step 8

1. Choose Authorizations from the tab.

2. Choose the button ‘Change authorization data’.
Create Role Step 9
1. Choose Range of values or Full Authorization.
Create Role Step 10
These authorizations will come on the ROLE.
Create Role Step 11
Change the authorizations & save.
The color has changed.

Save the profile and give the name of the profile.
Create Role Step 12

Get the message ‘Profiles created’.
Create Role Step 13
Choose the option ‘USER COMPARE’.

Assign the ‘USER’ to whom this role has to be assigned.

Choose the option ‘Complete compare’.
Create Role Step 14
Open the user to whom the role has to be assigned.
Create Role Step 15
The assigned profile appears on the user Profile list.
Create Role Step 16
Again create a role, this time from another created role, using PFCG.

Choose the option ‘From Other role’.
Create Role Step 17

Choose one role from ‘Before created or SAP defined role’.
Create Role Step 18

Choose the options from the list.
Create Role Step 19
Again create a role, this time from an area menu, using PFCG.

1. The chosen menu comes to the role menu.
2. Now choose ‘From Area Menu’.
Create Role Step 20

Choose one: PC14.
Create Role Step 21

Choose the option ‘Payroll’.
Create Role Step 22

The chosen option ‘Payroll’ will come.

Now perform step 8.


CREATE ROLE USING SPRO –Step 1

Use transaction code SPRO to create a new project.

Choose GOTO --> Project Management.

CREATE ROLE USING SPRO –Step 2

Choose this to create a new project.

All created projects will show. Give a new name.
CREATE ROLE USING SPRO –Step 3
Enter the DATE here.
CREATE ROLE USING SPRO –Step 4
Specify the scope of the project.

Select the modules which are required.
Choose the button.
CREATE ROLE USING SPRO –Step 5

1. Select the option Generate Project IMG.
2. Choose this option.
3. Project creation starts in background.
CREATE ROLE USING SPRO –Step 6

Project PROJ_TEST created in background.
CREATE ROLE USING SPRO –Step 7
Use the transaction code PFCG to assign the
authorizations related to a particular project.

Choose the create option for a new role.
CREATE ROLE USING SPRO –Step 8

1. Choose the navigation Utilities --> Customizing Auth.

2. This screen will appear.

3. Choose ‘Add’.

4. This screen appears. Choose ‘IMG PROJECT’.
CREATE ROLE USING SPRO –Step 9

Choose one project from the list, e.g. PROJ_TEST.
CREATE ROLE USING SPRO –Step 10

All transaction codes related to the project PROJ_TEST will appear.

Now follow the method of role creation.

After that Z_NEW_AG_SPRO will be created.
Use the transaction code SU53(1)
A user is trying to work in transaction code IL08, but he is
not authorized to do that job.

This message will come if the user has no authorization for the TC.
Use the transaction code SU53(2)
Using the transaction code SU53 we can find which
authorization is needed to perform the task.

These are the missing authorizations.

These are the available authorizations.
Authorization structure(1)
[Diagram of the authorization structure. Box labels: User Master Record; Authorization Profile; Composite Profile; Authorizations; Authorization Object; Authorization Fields.]
Authorization(1)
The authorization system of the SAP R/3 system is the general term which
groups all the technical & management elements for granting access
privileges to users to enforce R/3 system security.

By assigning an authorization profile to a user, the administrator
gives the user access to a particular SAP object.

Authorization profiles are groups of authorizations. Instead of giving
each authorization to a user, the administrator gives an authorization profile to
the user.

Authorization profiles can be simple or composite. Composite profiles
contain other profiles.

Authorization profiles use an activation method. When authorizations or
profiles are created or modified, they must be activated to become
effective.

Profiles are assigned to users in the user master record.



Authorization(2)
Authorizations determine which activities a user can perform.
The system administrator cannot decide which business authorizations a
user needs, because it is up to the user department to decide the kind of
permissions the user should be given to carry out his business tasks. The
user department decides which authorizations the user needs. The system
administrator assigns those authorizations to the user as per the user
department's request.
Each authorization is based on an authorization object.
An authorization object consists of authorization fields and possible
values.
Because of the vastness of the R/3 system and its functional range, the
authorization objects are further divided into areas called object
classes.
An authorization allows a user to carry out an R/3 task based on a set of field
values in an authorization object.
Authorizations allow specific values or
value ranges to be determined for a field.
ACTVT is an authorization field which is present in almost all authorization
objects.
Activity : Meaning
01 : Create or Generate
02 : Change
03 : Display
05 : Lock
06 : Delete
07 : Activate, Generate
08 : Display change documents
11 : Change number range status
12 : Maintain & generate change documents
13 : Initialize number levels
16 : Execute
17 : Maintain number range object
21 : Transport
22 : Enter, Include, Assign
23 : Maintain
24 : Archive
33 : Read
34 : Write
36 : Extended maintenance
37 : Accept
40 : Create in DB
41 : Delete in DB
42 : Convert to DB
43 : Release
50 : Move
51 : MM : Initialize pe
59 : Distribute
60 : Import
64 : Generate
65 : Reorganize
68 : Model
70 : Administer
71 : Analyze
75 : Remove
78 : Assign
90 : Copy
A6 : Read with filter
A7 : Write with filter
A8 : Process mass data
DL : Download
UL : Upload
P0 : Accept CCMS CSM data
P1 : Edit CCMS CSM data
P2 : Maintain CCMS CSM methods
* : all possible values
Authorization(3)
We can assign authorization values to these fields. The values of the
fields decide what data can be accessed by the user to whom this object is
assigned.

FIELD                      VALUE
Customer type (CUSTTYPE)   *
Activity (ACTVT)           02

* : all possible values, 02 : display only


Authorization profile(1)
An authorization profile consists of a group of authorization objects, i.e. a
group of access privileges.
User authorizations are not directly assigned to the user master
records. Instead, these authorizations are assigned as authorization
profiles.
Changing the contents of the authorizations inside a profile affects all
users that are given that profile when this is activated.
A user's authorizations are loaded into the user buffer only when the user
logs on.
Changes affect all users to whom this profile is assigned and take
effect only when the user logs on.
The number of profiles generated depends on the number of
authorizations in each activity group.
A maximum of 150 authorizations fit into a profile. If there are more than
150 authorizations, an additional profile is generated.
Authorization profile names begin with a T, like T-SM-NEW1. When more
than one profile is created, the names will be T-SM-NEW1_1, T-SM-NEW1_2.
Composite profile(1)
Composite profiles are sets of authorization profiles, both simple &
composite.

A composite profile can contain an unlimited number of profiles.

Composite profiles are suitable for users who have different
responsibilities or job tasks in the system.

Making a modification to any of the profiles in the list of a composite
profile directly affects the access privileges of all users having that
composite profile in the user master record.
Authorization Object field(1)

Authorization fields represent values for individual system elements which are
supposed to undergo authorization checking to verify a user's authorization.

The activity field in an authorization object defines the possible actions which could
be performed over a particular application object.

An authorization field can be, for example, a user group, a company code, a
purchasing group, a development class, an application area or an activity.

For example, activity 03 always means Display. If an authorization contains two fields such
as COMPANY CODE & ACTVT, and the value in COMPANY CODE is * & the value in ACTVT
is 03, then a user holding this authorization can only display, for all company codes.
Not all authorization objects have the ACTVT authorization field.
Authorization Object(1)
An authorization object can contain a maximum of 10 authorization
fields.
Users are permitted to perform a system function only after passing the
test for every field in the authorization object.
Authorization objects are grouped in object classes belonging to
different application areas, which are used to limit the search for
objects, thus making it faster to navigate among the many R/3 system
objects.
SAP predefined authorization objects should not be modified or
deleted, except if instructed by SAP support personnel.
Deleting or changing standard authorization objects can cause severe
errors in the programs that check those objects.
For example:

MM_E stands for the object class Materials Management - Purchasing.

There is an authorization object M_BEST_EKG for ordering.

The M_BEST_EKG object consists of 2 authorization fields:

1. ACTVT, to define the user activity, with values ‘02’, ‘03’
2. EKGR, to define the purchasing group, with values ‘xyz’, ‘abc’
If ACTVT has the values 02 for change and 03 for display, the user can maintain
only the purchasing groups ‘xyz’ and ‘abc’ and cannot create a new purchasing group.
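An added example (not SAP code and not part of the original training material): a simplified Python model of the field-by-field test described above, using the M_BEST_EKG values from the text. The class and function names are hypothetical, the second user's authorizations are constructed, and in this model one single authorization has to cover every requested field, so values from different authorizations are not combined.

```python
from dataclasses import dataclass

@dataclass
class Authorization:
    obj: str      # authorization object name, e.g. "M_BEST_EKG"
    fields: dict  # field -> permitted entries: a value, "*", or a (low, high) range

def value_permitted(entries, value):
    """True if one permitted entry covers the requested value."""
    for entry in entries:
        if entry == "*":
            return True
        if isinstance(entry, tuple):
            low, high = entry
            if low <= value <= high:
                return True
        elif entry == value:
            return True
    return False

def authority_check(user_auths, obj, **required):
    """Pass only if a single authorization for obj covers every required field."""
    for auth in user_auths:
        if auth.obj == obj and all(
            value_permitted(auth.fields.get(name, ()), value)
            for name, value in required.items()
        ):
            return True
    return False

# The M_BEST_EKG example from the text: change/display for groups xyz and abc
BUYER = [Authorization("M_BEST_EKG", {"ACTVT": ["02", "03"], "EKGR": ["xyz", "abc"]})]

# Constructed second user: display for all groups, change only for range 100-199
MIXED = [
    Authorization("M_BEST_EKG", {"ACTVT": ["03"], "EKGR": ["*"]}),
    Authorization("M_BEST_EKG", {"ACTVT": ["02"], "EKGR": [("100", "199")]}),
]

if __name__ == "__main__":
    checks = [
        (BUYER, {"ACTVT": "02", "EKGR": "xyz"}),   # change own group
        (BUYER, {"ACTVT": "01", "EKGR": "xyz"}),   # create is not granted
        (MIXED, {"ACTVT": "03", "EKGR": "abc"}),   # display via "*"
        (MIXED, {"ACTVT": "02", "EKGR": "abc"}),   # change outside the range
    ]
    for auths, req in checks:
        print(req, "->", authority_check(auths, "M_BEST_EKG", **req))
```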
FIND USERS BY ADDRESS DATA
Use transaction code: S_BCE_68001393
Navigation Path
Tools --> Administration --> User Maintenance --> Information System --> Users By
Address Data
Restricting Password String
To avoid the use of passwords which start with similar words,
use transaction code SM30 to maintain
table USR40,
where ‘*’ substitutes a group of characters & ‘?’ a single character.

The user cannot use these strings as a password.
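An added example (not SAP code and not part of the original training material): a Python model of the rules from the Password Restriction(1) slide combined with the USR40 wildcard entries described here. The function names and the USR40 entries are constructed, and it assumes comparison ignores case and, to stay short, keeps the password history in plain text.

```python
import re

RESERVED = {"SAP", "PASS"}  # the page: the password cannot be 'sap' or 'pass'

# Constructed USR40 entries for the demonstration
USR40_SAMPLE = ["SUMMER*", "??2024"]

def usr40_to_regex(pattern):
    """Translate a USR40 entry: '*' = group of characters, '?' = one character."""
    parts = []
    for ch in pattern.upper():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def check_password(user_id, new_pw, history=(), usr40=(), min_length=3):
    """Return the rules the new password violates (empty list = accepted)."""
    pw, uid = new_pw.upper(), user_id.upper()  # assumption: case is ignored
    problems = []
    if len(pw) < min_length:
        problems.append("shorter than login/min_password_lng")
    if pw in RESERVED:
        problems.append("reserved word")
    # every 3-character window of the user ID is a forbidden prefix
    windows = {uid[i:i + 3] for i in range(len(uid) - 2)}
    if pw[:3] in windows:
        problems.append("starts with 3 characters from the user ID")
    if len(pw) >= 3 and pw[0] == pw[1] == pw[2]:
        problems.append("starts with 3 identical characters")
    # history is oldest-first; only the last five entries block reuse
    if pw in [old.upper() for old in history[-5:]]:
        problems.append("reuses one of the last five passwords")
    for pattern in usr40:
        if usr40_to_regex(pattern).fullmatch(pw):
            problems.append("matches USR40 entry " + pattern)
    return problems

if __name__ == "__main__":
    for candidate in ["Reds0x!9", "aaamy", "pass", "summer99", "Tr1cky#Pw"]:
        print(candidate, check_password("FREDSMITH", candidate, usr40=USR40_SAMPLE))
```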
Role assigned to Which Users(1)
Use transaction code: SE38 --> Program: RSUSR070
Navigation Path
Tools --> Administration --> User Maintenance --> Information System -->
Roles By Role Name
Role assigned to Which Users(2)
After entering the role we get the following screen.

We get the USER ASSIGNMENT, PROFILE ASSIGNMENT and TRANSACTION CODE
lists which are assigned to the role.
Role assigned to Which Users(3)
List of users assigned to the particular role
Role assigned to Which Users(4)
List of Profiles assigned to the particular Role
Role assigned to Which Users(5)
List of Transaction codes assigned to the particular Role
Maintaining the Object Class
Using the transaction code SU03, the user can maintain the
object class.
Available authorizations of the logon user(1)
Using the transaction code SU56 we get the ‘authorization’
& ‘authorization object’ assigned to a user.

Double click on the authorization object to get the details.
Available authorizations of the logon user(2)

Authorization fields corresponding to the authorization object.

Double click on the ‘permitted values’ to get the details.
Available authorizations of the logon user(3)

Double click on the authorizations to get the details.
To get the details of an Authorization Object(1)
Use transaction code SE38, then use program: RSUSR040
Consider an authorization object: S_DEVELOP
To get the details of an Authorization Object(2)

Authorization object & corresponding object class.
To get the details of an Authorization Object(3)

Authorization fields associated with the authorization object.

Double click on Permitted Activities.
To get the details of an Authorization Object(4)
Use transaction code: SU03

Double click on object class BC_C.
Important Authorization profiles

SAP_ALL: All authorizations in the R/3 system
SAP_NEW: To create new objects
S_A.CUSTOMIZ: Customizing (for all system setting activity)
S_A.DEVELOP: Developers with all authorizations to work in ABAP WB
S_A.SHOW: Basis: display authorization only
S_A.USER: System administrator
S_ABAP_ALL: All authorizations for ABAP
S_ADMI_SPO_A: Spool: all administration authorizations
S_ADMI_SPO_D: Spool: device administration
S_ADMI_SPO_E: Spool: extended administration
S_ADMI_SPO_J: Spool: job administration for all clients
S_ADMI_SPO_T: Spool: device type administration
SOME IMPORTANT TABLES
USR01: Contains the runtime data of the user master records
USR02: The table containing logon information such as the password
USR03: Includes the users' address information
USR04: Contains users' authorizations
USR05: The users' parameter ID table
USR09: Contains user menus
USR10: The table for user authorization profiles
USR11: Contains the descriptive texts for profiles
USR12: The user master authorization values table
USR13: Contains the descriptive short texts for authorizations
USR14: Contains the logon language versions per user
USR30: Includes additional information for user menus
TOBJ: Authorization objects table containing the authorization fields for each object
TACT: Contains the list of standard activities in the system
TACTZ: The table which defines the relationship between the authorization objects and the activities in those objects containing the Activity authorization field
TSTC: Is the transaction code table where authorization objects and values
Create a super user(1)

SAP recommends not using SAP*; create one super user instead.
•SAP_ALL is the only profile that makes a user a super user,
with the authorization to create new objects.
•SAP_NEW is the profile which gives the permission to create a new
object.
Profile Generator

•The Profile Generator (PG) tool helps the authorization administrator
create, generate and assign authorization profiles.
•It is available from SAP R/3 version 3.1G.
•Before using the Profile Generator for the first time, check with the TC
RZ11 that the parameter auth/no_check_in_some_cases = Y is set.
