Monday, May 26, 2008

Creating New Org values


Question: We are creating derived roles, a master role with individual derived roles.
As we know, the only values that don't get pushed down are the org. values.
However, we are controlling on values that are not org levels, so I would like to make them org levels, for instance company code.

I know you can create org levels in SE38 with PFCG_ORGFIELD_CREATE.
However, if you do this, will it make company code an org value in every role in which it exists?

If so do we have to go into every role or will a value be populated automatically from the role itself?

Is it possible to pick and choose which roles you want the new org levels to apply to?

Any help would be greatly appreciated!!!

Thanks!

Answer:
I know you can create org levels in SE38 with PFCG_ORGFIELD_CREATE.
However, if you do this, will it make company code an org value in every role in which it exists?

Yes

If so do we have to go into every role or will a value be populated automatically from the role itself?

IIRC, values in the fields will become populated as org levels without any further action required from you.

Is it possible to pick and choose which roles you want the new org levels to apply to?

No. This is the downside to creating org levels. You can force individual fields in roles to ignore org level behaviour but this is on a role by role basis and not practical to maintain. If you find yourself needing to do this then your design does not suit creating additional org levels.

Answer:
If you create an org level from a field you have already used, you may not get the desired results. If you have mixed values in different authorizations where they need to be discrete for different objects, the creation of the org level will combine ALL the values into all the authorizations. So be careful and analyse the results of the report BEFORE committing the results.
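
To make the merging described in this answer concrete, here is an added example (not SAP's code and not the PFCG_ORGFIELD_CREATE report itself) that models what happens when a field with mixed values, here KOSTL, is turned into an org level: the field's values are collected across the whole role and pushed into every authorization that carries the field, and every authorization whose own values differed from that union is listed as a manual follow-up case. The role, the authorization names T_0001 to T_0004 and the objects Z_CC_A and Z_CC_B are constructed sample data; only S_TCODE, ACTVT and KOSTL are real SAP names.

```python
"""Model of what turning a field into an organizational level does to the
values already present in a role. Added example, not SAP code: the merge
behaviour is modelled on the description in this thread (values collected
across the role, then pushed into every authorization carrying the field)."""

# Constructed sample role, shaped like what PFCG keeps per authorization.
# T_0001 and T_0002 are deliberately discrete: display on cost center 4711,
# change on cost center 4712. Z_CC_A and Z_CC_B are hypothetical objects.
SAMPLE_ROLE = [
    {"auth": "T_0001", "object": "Z_CC_A",  "fields": {"ACTVT": {"03"}, "KOSTL": {"4711"}}},
    {"auth": "T_0002", "object": "Z_CC_A",  "fields": {"ACTVT": {"02"}, "KOSTL": {"4712"}}},
    {"auth": "T_0003", "object": "Z_CC_B",  "fields": {"ACTVT": {"03"}, "KOSTL": {"4711", "4712"}}},
    {"auth": "T_0004", "object": "S_TCODE", "fields": {"TCD": {"KS03"}}},
]


def collect_org_values(role, field):
    """Union of every value `field` carries anywhere in the role.
    A full wildcard swallows the rest, as in the sample report in this thread."""
    values = set()
    for auth in role:
        values |= auth["fields"].get(field, set())
    return {"*"} if "*" in values else values


def make_org_level(role, field):
    """Push the collected values into every authorization that has `field`.
    Returns the rewritten role and the names of the authorizations whose own
    value set differed from the union: the 'manual follow-up' cases, where
    previously discrete values have been widened. The input is not modified."""
    org_values = collect_org_values(role, field)
    new_role, conflicts = [], []
    for auth in role:
        new_auth = {**auth, "fields": dict(auth["fields"])}
        if field in auth["fields"]:
            if auth["fields"][field] != org_values:
                conflicts.append(auth["auth"])
            new_auth["fields"][field] = set(org_values)
        new_role.append(new_auth)
    return new_role, conflicts


def widened_grants(role, new_role):
    """(auth, object, ACTVT, KOSTL) combinations that exist after the merge but
    did not exist before: what to review before committing the report's results."""
    def grants(r):
        out = set()
        for a in r:
            f = a["fields"]
            for act in f.get("ACTVT", {"-"}):
                for kostl in f.get("KOSTL", {"-"}):
                    out.add((a["auth"], a["object"], act, kostl))
        return out
    return grants(new_role) - grants(role)


if __name__ == "__main__":
    merged, conflicts = make_org_level(SAMPLE_ROLE, "KOSTL")
    print("new org level values:", sorted(collect_org_values(SAMPLE_ROLE, "KOSTL")))
    print("manual follow-up needed for:", conflicts)
    for g in sorted(widened_grants(SAMPLE_ROLE, merged)):
        print("new grant after merge:", g)
```

Run stand-alone, the model reports T_0001 and T_0002 as conflicts and shows the two grants that did not exist before the merge (change on 4711, display on 4712), which is exactly the widening the answer warns about.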

Answer:
Test mode

Create org level field KOSTL
Update authorization value proposals (SU24 data)
Conflicts (manual follow-up needed)
Values collected in role: SAP_CA_CL_MAINTAIN
Original values:
Authorization object   Authorization   Values
I_KOSTL                T_P092043200
New org level values:
*

Values collected in role: SAP_ESSUSER
Original values:
Authorization object   Authorization   Values
P_TRAVL                T_8000022406
P_TRAVL                T_8000022407    *
New org level values:
*

Values collected in role: SAP_HR_REPORTING
Original values:
Authorization object   Authorization   Values
P_TRAVL                T_P092020100    *
New org level values:
*
01

Thanks so much for your help!!!

Answer:
Looking at my last reply, I didn't get the entire message in.

What is in the last reply is the report that you get when you run PFCG_ORGFIELD_CREATE, and the results that I got.

My question is why does it say (manual follow up needed) for some of the roles.
All roles affected are at the end of the report. But it lists out conflicts above the list.

Creating new authorization object

Question: Hi all,

Is it possible to create a new authorization object, fields for it and the values? If yes, please guide me regarding the same.
_________________
Regards,

Sailesh K

Answer:
A new authorisation object can be created using transaction SU21, and fields for it can be created in SU20. You need to assign a class to the authorisation object.

Creating customized authorization objects
Question:
Hi

I am new to SAP security; can anybody explain how to create customized authorization objects? I know we can create them through SU21; can anybody explain briefly?

Answer:
Read the documentation in SU21.

Note: First look for an appropriate SAP standard object before you create deviations from the standard.


Creating authorization profile
Question: Hi,
We normally use roles (PFCG) and authorization profiles are generated automatically.
I need to create authorization profiles in 3.1h, both simple and composite.

Can anyone guide me how to do this?
Is it through SU02? What has to be added in Object? And in Authorization?

Thanks.

Answer:
You create and modify authorization roles in SU02. The values assigned to each authorization object must be determined by members of each business unit. Either that, or you assign no values to any of the parameters and let the users test each transaction assigned to the role and determine the different org levels and parameters through testing. It is a long process; however, if the business cannot help you define the roles, it is the only other way to do it.

Answer:
And I assume you will need to create custom authorizations as well. That is done through SU03.


How to create authorization levels
Question: hello,

I found a note that names a report that needs to be run so that I can
change a field and make it an organizational level (done it). But when I look at that field within a certain object in PFCG, it's still yellow like before, and I can't find it under the button "Organizational level"... Do I have to somehow generate my new organizational level field? And in that case how, because SU24 and the others are just for transactions.

grateful for some help
//Vinnie

Answer:
1. Did you run the reports in test mode and not change mode?
2. Are you relying on the text name or the technical value of the field? The program PFCG_ORGFIELD_CREATE uses the technical name, and there are several fields that look the same in text but are not technically; Company code and Company come to mind.

Note that if you create the org level and then decide to remove it, there is a bug in the PFCG_ORGFIELD_DELETE program that corrupts the SU24 entries that the customer adds that are not in the SAP source table. You will have to correct these manually.

Answer:
Hello,

I managed to create an organizational level object by running the report. But normally when you see standard organizational levels they appear red until they are filled in. When I look in the object containing the field I changed, and add it to a role, it's still yellow. That is my problem: it doesn't really change and it does not show under the button Organizational level. So what do I have to do to see it there, and also to see the field red in the object?

thank you in advance
Vincent
_________________
6 years' experience. Prepared to work all over the globe, but so far Sweden and Denmark. Speak English, Swedish, Finnish and Spanish fluently.

Answer:
Was the object added by you in SU24 or was it SAP delivered? Go to SU24 and remove the object from the tcode that is bringing it in, re-add it and see if it corrects itself.

Answer:
the object I used is ygo_sec_op and is not connected to any tcode......I checked that too..............more ideas please......maybe we can solve this:)

//Vincent
_________________
6 years' experience. Prepared to work all over the globe, but so far Sweden and Denmark. Speak English, Swedish, Finnish and Spanish fluently.

Answer:
ygo_sec_op? The "Y" implies a customer-developed object. The report that creates the org level manipulates the customer table in SU24 and then changes AGR_1251, but if your ygo_sec_op was not changed then the code may ignore MANUALLY inserted objects (highly possible; I did not pay attention to this part of the code). So it may be working as designed.

The best practice is to tie all required objects to a tcode and configure it in SU24 with the most restrictive access (usually view, if the tcode has to be shared between change and view), and then you ADD manual authorization to increase access, with the proviso that you have a standard to support its inclusion in the role. If you have a manual (there are some exceptions) without a standard, this would indicate to you that the tcode needing the access has been removed and the MANUAL should also be removed.

Try removing the object from the role, exit PFCG entirely, re-open the role and add it back (exiting entirely may not be needed in all cases).

Answer:
thanks for your input, stupid me playing with y fields.

It works fine for the standard fields, but not for the customized ones, at least it seems so. Just like you said.

thanks for your help

cheers
Vincent

Answer:
Custom fields or objects? You can add the fields in the table and link your custom field to an SAP variable. Table USORG is the link between field and variable in table USVAR. If you add a USVAR then you MUST transport table USVART to get it to work in the other systems (you should take USVAR as well).

Did removing the object and re-adding it help, or is it truly a 'Y' object and new fields?


How to create an authorization object and assign a table
Question: How do I create a new auth group and assign a table to this group in S_TABU_DIS?

Answer:
Tcode SUCU, The "group" does not have to exist but you can create one in SE54

Create Authorization object
Question: Hello,

I need to restrict access for a specific field of a table.

Can you tell me how to find out which authorization object links to this field AND how to create an auth. object?

Thanks.

Answer:
There is no easy way of doing this. The auth objects for standard tables are S_TABU_DIS and S_TABU_CLI. You can use these to restrict access to display only or to client-specific tables. However, if that requirement is mandatory you need to create a custom t.code to display the table while restricting the field.

Answer:
What do you mean by the statement "restrict specific field of a table?"
Can you be a bit more specific in your problem?
_________________
Regards
Vijay

Answer:
One option could be S_TABU_LIN, but I think you are better off with a custom transaction

Answer:
Exact.

We found a solution by creating a specific transaction.

S_Tcode

S_TCODE with * Value

Question: Does anyone know the name of the report, or how to find non-standard values such as ranges or * in the S_TCODE object? I think there is an SAP report but I don't remember what it is.


Answer:
Look at report PFCG_AGRS_WITH_MANUAL_S_TCODE

Also use table AGR_TCODES and look for '*' by setting the selection option to "equals to" rather than blind entry of '*'

S_TCODE
Question: I need to be able to find all roles that have a TCD value of * in S_TCODE.

How can I do that? SUIM's logic seems to give all roles. I need the specific value to be a '*'.

Thanks for your help.

Answer:
Hi bluedevil,
I usually use SE16 on AGR_1251 table to get what you are looking for...

be sure about to use '=' single value selection option,
instead of '[*]' pattern selection option, in the tcode field.

S_TCODE not in change mode
Question:
Hi All

we are working on 4.7x1.10 SR1.

When we tried to add some transactions in authorization object S_TCODE,

it showed only in display mode, whereas it should be in change mode.

Is there any parameter that we need to add in 4.7, or what is the procedure to put S_TCODE into change mode?

pls help me out ........thanks in advance


Answer:
If you are using PFCG then the tcode needs to be added to the MENU not the authorization. If you are in SU02, Profiles created from PFCG cannot be changed in SU02


S_TCODE
Question: Hi Guru's

How do I allow a user to see only the Area Menu and SAP Menu but not the list of transactions assigned to his role? I tried 2 ways:

1. I blocked the User menu, which also blocks the Area menu.
2. Deleted the transaction code list from the Menu of the user's role and generated the profile. So now in the user menu I cannot see any transactions. It worked.
Here the problem is that S_TCODE is in display mode only, so we cannot add any additional transactions in future. I do not want to uncheck transaction codes in SE97.

Apart from these, are there any other ways to solve this?

Thanks in advance

Pranu

Answer:
Pranu

User menu vs SAP menu and restricting views of transactions have been discussed on this forum many times before. Usually in those discussions the question is asked "Why do you not want users to see transactions they are allowed to use? It does not add to security, so what is the purpose of hiding access?"

The display-only status of S_TCODE has been discussed a lot recently too. I'm not going to answer your question here, because the S_TCODE issue and the menu issue could both be answered by you using the search facility.
_________________
Sandi
~~~~

Apparently Father Christmas, the Easter Bunny, the Tooth Fairy and Star Wars aren't real


Answer:
"Why do you not want users to see transactions they are allowed to use? It does not add to security, so what is the purpose of hiding access?"

If you cannot trust your users enough to let them see the transactions they have access to, then your design should be changed to only give them the access that your risk profiling permits.
Security by obscurity is not proper security


Question: With the upgrade to version 4.7, regular transactions do not work the
same way anymore.

Example: in transaction VL10H on the tab ‘General Data’ there is a column
named OriginDoc. When you click on one of these fields, it calls
transaction VA03 (in version 4.6C), but now it calls VA02 (in version
4.7).

Why, and how can I fix that without giving new roles with transactions
they did not have before, which used to run in the background without
requesting any S_TCODE check?

I have many requests for this kind of problem but for different roles
calling different S_TCODEs. If I find a way to fix one, I will know for
all the other roles that call other S_TCODEs.

Someone told me I could use SE97 to skip the S_TCODE check, BUT what if the
transaction really requires another transaction to work? I do not want to
skip it, otherwise we will have another kind of problem. Or am I wrong?

Please help

Nancy

Answer:
Sorry, I did not find the one I posted yesterday and I thought I had not saved it.

Sorry for the duplicate of S_TCODE check after upgrade to 4.7

Nancy

Answer:
Dear Nancy,

In higher releases of SAP they are cleaning up their navigation paths. Upgrading, when your business process used a path which has changed (it became stricter to click on), does not mean that the process is any different.

You can call anything you want. E.g. you can use SE97 to MAINTAIN the check on the CALLED tcode based on which tcode is CALLING it. But if the user can switch their sy-tcode, then the relationship changes. Take a look at table TCDCOUPLES.

SAP also provides other confusing messages though, which might be the case here. SU53 says "no auth tcode"? But this may be caused by your having "BACK"ed (the ESC or OK problem), or the ABAP didn't react sufficiently to the check and met a second auth fail, but gave you a message from either the one or the other and an SU53 from the last check that failed... i.e. the last one before '/nsu53'... not necessarily the one which gave you a "message" or caused your navigation path to change.

The change of the called transaction you mentioned (i.e. from VA03 -> VA02) may also be having an implication based on an application auth object check at tcode start, and not the tcode itself. Check SE93 for VA02.

For this you need to look beyond the tcode and compensate for SAP's max-confusion-strategy. SU53, PFCG, ST01 and the SoD tools loitering around SAP are fully integrated into this strategy.

Kind regards,
Verne

Answer:
The only thing I found in the table TCDCOUPLES is an entry for
TCODE CALLED
VL10H VA03
VL10 VA02

But I am really in VL10H and I keep getting the message
"You are not authorized to use transaction VA02"!!!

I went into SE97 and created a list of called transactions for VL10H:
Do not check VA02
Check Warning VA03
Do I have something else to do after what I did, or when I use the role will everything work without any other configuration?

I really need to know how to configure VL10H to call VA03 instead of VA02. Even with the table TCDCOUPLES or SE97 I am not able to change this setting !!!!

Need help
Nancy

Answer:
You will need to:
1. Call SAP and report the problem, or
2. Search on OSS for a fix, or
3. Debug the code and see if it is configurable in a table (it probably is not, and TCDCOUPLES has nothing to do with what you want; it must be in the code).

Answer:
The last person who called SAP got 335277 - VL10: VA03 instead of VA02 in display of orders

You will need to work together with your developer and application person for the area.

An afterthought: That is also why, when you have outsourced your development work and application consulting, you will need to get yourself a Miles-and-More card and learn at least one exotic foreign language.


S_TCODE

Question: Is there a way to ensure that the values in S_TCODE are only the tcodes assigned to the role through the menu tree? We are trying to prohibit ranges and the value * in the S_TCODE object.

Thanks,

Mark

Answer:
You can have a look through table AGR_TCODES, and look for * values. That's the way I usually do it

Answer:
This would have to be a manual process. Analyze the data under AGR_TCODES vs AGR_1251 S_TCODE,TCD.

Answer:
I believe there is a report in SAP that gives you this; the report is PFCG_AGRS_WITH_MANUAL_S_TCODE. You cannot prevent them from doing it, only detect it after the fact.
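
The after-the-fact detection described in this thread and in the two S_TCODE threads above (find '*', ranges and hand-typed values in S_TCODE, and compare against what the menu put there) can be done offline on table extracts. The following is an added example, not an SAP report: it works on constructed rows shaped like AGR_1251 (object, field, low and high values per role) and AGR_TCODES (the menu transactions per role); the role names and the values in the rows are made up.

```python
"""Offline check for S_TCODE values that did not come from the role menu.
Added example, not an SAP report; the rows below are constructed in the
shape of AGR_1251 (authorization data) and AGR_TCODES (menu transactions)."""
from collections import namedtuple

Finding = namedtuple("Finding", "role kind value")

# Constructed rows: (AGR_NAME, OBJECT, FIELD, LOW, HIGH) as in AGR_1251.
AGR_1251 = [
    ("Z_SD_DISPLAY", "S_TCODE",    "TCD",       "VA03",  ""),
    ("Z_SD_DISPLAY", "S_TCODE",    "TCD",       "VL03N", ""),
    ("Z_SD_DISPLAY", "S_TCODE",    "TCD",       "MM03",  ""),      # typed in by hand
    ("Z_SD_DISPLAY", "S_TABU_DIS", "DICBERCLS", "&NC&",  ""),      # other object, ignored
    ("Z_BASIS_ALL",  "S_TCODE",    "TCD",       "*",     ""),      # full wildcard
    ("Z_FI_RANGE",   "S_TCODE",    "TCD",       "FB01",  "FB99"),  # range
    ("Z_FI_RANGE",   "S_TCODE",    "TCD",       "F*",    ""),      # pattern
]
# Constructed rows: (AGR_NAME, TCODE) as in AGR_TCODES, i.e. what the menu holds.
AGR_TCODES = [
    ("Z_SD_DISPLAY", "VA03"),
    ("Z_SD_DISPLAY", "VL03N"),
    ("Z_BASIS_ALL",  "SU01"),
    ("Z_FI_RANGE",   "FB01"),
]


def manual_s_tcode(agr_1251, agr_tcodes):
    """Findings for every S_TCODE/TCD value that is a wildcard, a range,
    or a single value that the role's menu does not contain."""
    menu = {}
    for role, tcode in agr_tcodes:
        menu.setdefault(role, set()).add(tcode)
    findings = []
    for role, obj, field, low, high in agr_1251:
        if obj != "S_TCODE" or field != "TCD":
            continue
        # Compare the literal string: '*' is a stored value here, not a
        # selection pattern (the '=' single-value option in SE16 does the same).
        if "*" in low:
            findings.append(Finding(role, "wildcard", low))
        elif high:
            findings.append(Finding(role, "range", f"{low}-{high}"))
        elif low not in menu.get(role, set()):
            findings.append(Finding(role, "not_in_menu", low))
    return findings


if __name__ == "__main__":
    for f in manual_s_tcode(AGR_1251, AGR_TCODES):
        print(f"{f.role:14} {f.kind:12} {f.value}")
```

Run against the sample rows it reports the hand-typed MM03, the full '*', the FB01-FB99 range and the F* pattern, and ignores the S_TABU_DIS row. On a real extract the same three checks are what a periodic review of S_TCODE would run.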

PFCG TOOL

Authorization means permission to perform a particular function in the SAP System. It is
achieved by assigning authorization profiles to users.

The various terms used in Authorizations are :

1. Authorization fields
Authorization fields identify the elements of the system that need to be protected.
These fields are associated with the data elements of the ABAP/4 Dictionary. For
example, if you consider sales order creation as an activity for which authorization is
required, the fields associated with this activity are:
VKORG – Sales Organization
VTWEG – Distribution Channel
SPART – Division
These fields form part of the standard ABAP/4 statement AUTHORITY-CHECK.


2. Authorization object
An authorization object identifies an activity that needs to be protected in the SAP
system. For example, creation of a sales order is an activity. An object is made up of
authorization fields. A user can perform an activity only if they satisfy the
authorization check for each field in the authorization object.
E.g. V_VBAK_VKO is an object for Sales Area comprising the following fields:
VKORG – Sales Organization
VTWEG – Distribution Channel
SPART – Division
ACTVT – Activity
Authorization objects are grouped into object classes depending on the application
area.

3. Authorization
An authorization defines permitted values for the fields of an authorization
object. For example, if you want to define an authorization for displaying a sales order
for sales organization 3000, distribution channel 01 and division 02, the
values assigned to the fields of the object V_VBAK_VKO are:
VKORG – 3000
VTWEG – 01
SPART – 02
ACTVT – 03 (Display)

4. Authorization profiles
As a rule, authorizations are not assigned directly to a user. Instead these authorizations
are grouped in an authorization profile, which is then assigned to the user master
record.


What is the Profile Generator?

SAP’s Profile Generator allows authorization administrators to automatically generate
and assign authorization profiles. Released with 3.1G, this tool accelerates R/3
implementation by simplifying the task of setting up the authorization environment. The
administrator needs only to configure the customer-specific settings; the Profile
Generator manages all the other tasks, such as selecting the relevant authorization objects
for consideration. The Profile Generator is fully integrated in R/3 and is available on all
R/3-supported platforms. The Profile Generator represents another improvement of
SAP’s tool-based support and a reduction in R/3 implementation time.
The Profile Generator is a new approach to defining the authorization environment. The
administrator no longer uses the authorization objects to define the authorizations for
various user groups; instead, authorization profiles are built around the functions to be
performed in R/3. Based on function selection, the Profile Generator selects the relevant
authorization objects and groups them in a new authorization profile.

Using functions to define authorization profiles:

• Speeds up the process
• Defines authorization profiles more reliably (because only the required authorizations
are granted)
• Simplifies administrator/user communication, allowing both the administrator and
users to use the same R/3 function terminology

To generate an authorization profile automatically you first need to create an Activity
Group.

What is an Activity Group?

The process of security implementation with the new PG is based on the creation
of activity groups or a collection of linked or associated activities, such as tasks, reports,
and transactions. An activity group is a data container for the PG to generate
authorization profiles and usually represents a job role in your company.
For example, to implement security for a buyer:

1. Create an activity group, Buyer
2. Include all of the business transactions Buyer can access
3. Generate the appropriate authorization profile for Buyer
4. Assign Buyer to a new user or a position in your system
5. Update the user master record for the user

The new user now has all the necessary access rights needed to work as a buyer in your
company.

Activity groups are user-defined and allow you to systematically organize and efficiently
maintain system activities. The SAP Session Manager, SAP Business Workflow, and
Personnel Planning and Development require activity information. Using an activity
group as an information database reduces data entry time. Select the criteria, such as
access rights, and divide the activities into appropriate groups. For example, you could
decide to group activities by subject matter, such as personnel, payroll, or budgeting. Or,
you could group activities by job classes, such as translation activities, computer
programmer activities, or secretarial activities. You could also set up a combination of
subject matter and job-oriented activity groups. Activity groups are created and
maintained in the activity group maintenance transaction, PFCG. After setting up activity
groups, you may assign them to various R/3 objects.

Activity Group Assignments

• R/3 Users
An R/3 user is an individual who is recognized by the R/3 System and is allowed to
logon. For the system to recognize users, their names must be entered in the user
master record of the Basis component.

• Jobs
A job represents a general classification of work duties, such as secretary, computer
programmer, instructor, etc. Many employees in your company may hold the same
job classification. (For example, there might be 20 people whose job is secretary.)
Positions are usually based on jobs. Anyone who holds a job automatically inherits
the infotype settings, attributes, and properties of the job. Unless the activity group
grants general access rights, such as the rights needed to work with SAPoffice, be
careful when assigning activity groups to jobs.

• Positions
A position represents a unique, individual employee assignment within a company
(for example, marketing secretary, sales manager, etc.) Positions should not be
confused with jobs. You can handle authorization management in an almost
completely position-oriented fashion. All the access rights are then linked to the
position, so it does not matter who fills this position. Once a user changes positions
after the user master record is updated, the authorization profile automatically
changes.

• Organizational units
Organizational units represent any organizational entity that performs a specified set
of functions within a company. For example, organizational units represent
subsidiaries, divisions, departments, groups, special project teams, etc. Identify the
organizational structure at your firm by creating organizational units and identifying
the relationships among the units. Anyone who is assigned to an organizational unit
automatically inherits the infotype settings, attributes, and properties of this
organizational unit.

Steps for Implementing Profile Generator

SETTING UP PROFILE GENERATOR SAP R/3 4.0B

1. Log on to client ‘xxx’ with SAP_ALL.
2. Enter transaction code RZ10. Set the system parameter auth/no_check_in_some_cases
= Y in the instance profile. This setting is required for proper functioning of the
Automatic Profile Generator. Activate the instance profile.
3. Stop and restart the designated R/3 instance now.
4. Log on to the same client as in step 1 with SAP_ALL.
5. Make sure the parameter set in step 2 is active by running report RSPARAM using
transaction SA38.
6. Go to the Implementation Guide by entering transaction SPRO. Within the IMG
go to Basis components => System Admin => Users and Authorizations
=> Maintain Authorizations and Profiles using profile generator => Execute next to
Activate profile generator.
7. You get the “Choose Activity” screen:
a) Maintain System Profile Parameter (done in steps 2 – 5).
b) Set active plan version (transaction OOAP). The plan version should be 01; if it is not
set, set it.
c) Set up PD transport connection (transaction OOCR). No value in Value abbr.
indicates that the automatic transport connection is active.

8. Enter transaction SPRO => F5 => Basis components => System Admin => Users
and Authorizations => Maintain Authorizations and Profiles using profile generator
=> Execute next to Work on SAP check indicators and field values
9. You get “ Choose Activity ” screen
a) Create development class (transaction OY08). Hit Enter at the ‘The table is client-
independent’ message screen. Click New Entries and create a new development
class with the following details:
Development Class: ZDEV
Description: Development class for security
Transport Layer: ZDEV
Person Responsible: Enter user name
Check the box ‘Link to Workbench Organizer’
Save

b) Copy SAP check IDs and field values (transaction SU25). Click the icon next to
Initially fill the customer tables. An information message box appears; press Enter. The step
completes successfully in a few minutes.
Click the icon next to 3. Transport the customer tables. Press Enter at the information box.
The step completes successfully in a few minutes.

c) Change check indicator (transaction SU24). This transaction is used to deactivate
the authority check against authorization objects. No changes were made during
this setup; the defaults were kept.

Note: When SU25 was run for the first time on the machine we got an information message saying

“PROFGEN_INFO_TEXT does not exist”
This may be because it was the first run.


Enter transaction SPRO => F5 => Basis components => System Admin => Users and
Authorizations => Maintain Authorizations and Profiles using profile generator =>
Generate company menu => Execute. Alternatively use transaction SSM1.

10. Make sure that English is present in the Choose languages section.
11. Click Execute next to 1. SAP standard menu generation. Click Enter at the information box.
It takes a few minutes and completes successfully.
12. Click Execute next to 2a. Company menu generation. Click Enter at the information box.
It takes a few minutes and completes successfully.
13. Click Activate next to 2c. Activate company menu. Click Yes at the confirmation for
activating the company menu.
14. Create an activity group using transaction PFCG to test the setup of the profile generator.

SETUP OF SAMPLE ACTIVITY GROUP

1. Enter transaction code PFCG
2. Screen ‘ Edit Activity Group’ is shown
3. Enter activity group name. Do not use an _ in the second character. It is reserved for
SAP.
4. Example activity group name: Z:MKTDIRCT
5. Click create icon
6. At ‘Do you want to allow responsibilities for activity groups’? screen choose NO
7. Activity Group Basic Data: Create screen is shown
8. Enter a descriptive text in the NAME field eg: Activity group for market director
9. Click Menu push button
10. Enter at change request # popup box
11. Menu tree is displayed
12. Find the transaction codes needed by the position in question via Edit => Find
13. Choose the transactions by clicking in the box next to the red traffic light, e.g. transaction VD02
14. Likewise choose all transactions needed
15. When done save your work by clicking save button
16. Click enter at change request number
17. Go back
18. Click authorizations push button
19. At define organizational levels screen choose select values or put a * in all of them.
Organizational level includes fields like Company code, Sales Organization,
Controlling area etc.
20. Save
21. This will take you to authorization screen
22. Expand the tree by clicking on the + sign
23. Choose all the needed authorizations by clicking besides it
24. When done click save icon
25. Accept the default profile name and enter
26. Accept the change request # and enter
27. Click activate button after saving your work
28. At generate profile screen click generate
29. Click enter at change request #
30. Go back and notice the authorization push button is active
31. Next click agents push button
32. You will get ‘Maintain Agent Assignment’
33. Click user icon
34. Enter user name and click enter
35. Enter at change request number box
36. Click icon update user master data records
37. User master data reconciliation screen is shown
38. Click execute
39. This step completes the assignment of the activity group (authorization profiles to be
precise) to the user master records.

Methods of correcting Profiles

• Through Company Menu: if a user wants to execute a menu function, the
authorization for this can be added by using the Menu option of transaction PFCG.
• Manual Method: authorization objects can be manually added to the profiles
generated using the Profile Generator. If a user gets an authorization failure while
executing a transaction, the object required and the necessary values that need to be
defined for the fields of the object for executing that transaction can be obtained by
using transaction SU53. This object can be added to the existing profiles by
executing PFCG => Authorization => Edit old data => Edit => Insert Auth => Insert
manually. You can also insert existing profiles and templates using the same menu.
Templates are nothing but a set of authorization objects having blank values in their
respective authorization fields. These templates can be included in the profiles and the
necessary values assigned.

SU53 authorization Check
Question: If there is a message in SU53 saying "T-DV76526201 Exists in user buffer" for the role T-DV76526201, and then below I find the list of the transaction codes affected, does that mean that there was an error or is it just an informational message?

Are all messages appearing in SU53 just error messages, or even informational messages?

Answer:
SU53 records the last authorisation failure for a user. The first block shows the system's authorisation requirement and the list below shows the authorisations present for that object for a particular user.

Answer:
I have seen the message you are talking about. The SU53 actually states something about an authorization existing in the user buffer but it still fails. I have found this is a throwback to pre-4.5 where the user must log off and back on again and it will usually work then. give it a shot.




S_USER_ALL
Question:
Hi...

I am about to administer users and roles on an SAP system. Previously I was always given SAP_ALL, but this time I wanted more adequate access rights. I therefore requested the profile S_USER_ALL (All Authorizations for user and authorization maintenance).

But... only to find out that it did not include any value for TCD (transaction code) or the authorization object S_USER_VAL (which gives access to change values in PFCG).

Anybody with experience in this area?

What profiles/roles are you guys using for user/role administration?

Thanks for any reply


Answer:
Requirements will depend on your segregation of duties for user and role/profile administration.

We developed our own and did not depend on the SAP-provided roles.

Assign yourself SAP_ALL in a test client, set up a trace and run through your actions to see what auths and values you need.


S_TRANSPRT VS S_CTS_ADMI
Question: We're trying to restrict rights to release transports (DTRA); one role has most activities for S_TRANSPRT but not 43 (release). However, one user with this role managed to release a transport. The same role has S_CTS_ADMI with activity * (all activities); is this effectively "overriding" the restrictions in S_TRANSPRT ?

Can't find any info on this elsewhere... tried SAP, SDN...

thanx...

Answer:
Look into SU24 and SU21 and from there into the documentation; this will give the requested info.

Answer:
The SAP documentation is (as often is the case) very opaque, to say the least. I think we have a decent idea of the relation between these objects, even though we haven't found a clear, logically structured explanation on exactly what are the limitations and interoperability of the two objects. Probably never will...

Answer:
Tronds,

I guess the generic problem here is that values were granted for the activity field based on the principle "ALL - except (43)". I advocate the 'need-to-have'.

Check whether activity 75 is in. This allows you to release other users' objects.

How to compare the Roles

How do you compare roles that were created or defined in two different systems?

For a role comparison both roles must be in the same system and in the same client.

Transaction code SUIM -> Comparison -> Roles

If the roles are in different systems, transport the role into one of the systems and do the comparison there. If no transport connection is defined, you can use the upload and download options in PFCG.

Steps for comparing roles:

1. Run the t-code SUIM.

2. Go to Comparison and select the Roles option.

3. Click on the "Across systems" option. Under Remote Comparison it lets you select the system name; enter the SYS ID of the system you want to compare against, put the role name in the compare role section and execute. The result is then displayed.

4. If there is any difference between the t-codes it is shown in red, otherwise in yellow.

Query About tcode PFCG
1. How do I check the names of all users who have been authorised to use a particular transaction? I am trying to find this through SUIM, but failing to find the names or the total number of users of a particular t-code, say SPRO.

2. I know that a particular transaction say SPRO is available in a particular role and I want to remove that t-code from that role. But I am unable to find that node through PFCG. If I am using the search for a t-code inside menu tab after putting the edit mode it is not coming in PFCG, but through SUIM its existence is coming in that role. That particular role contains a lot of t-code and reports, say about 2000.

1. Go to SUIM and select the USER node, then select the USERS BY COMPLEX SELECTION CRITERIA node, then execute the BY TRANSACTION AUTHORIZATION report. Give the transaction code and it will return the number of users having that transaction, with the relevant details.

Follow these steps:

- Go to SUIM.
- Choose Roles --> By Transaction Assignment.
- Enter Transaction: "SPRO".
- Choose Execute.
- Double click on the role from which you want to remove the "SPRO" authorisation.
- Click on the pen mark to switch into change mode.
- Go to the "Authorization" tab.
- Choose Change Authorization Data.
- Choose Utilities --> Technical Names On.
- Expand Cross-Application Authorization Objects.
- Expand the selection for object S_TCODE; under the corresponding profile look at the values maintained for "TCD" and remove the value "SPRO" from the list to eliminate the authorization.
- Don't forget to regenerate the profiles.

2. You should be able to find this via the menu tab; otherwise try it in the Authorization tab --> Change Authorization Data, using the search.

SAP Profile Generator Tables
-----Original Message-----
Subject: Profile Generator tables?
From: Paul Ellis

We maintain profiles in a Development system using Profile Generator, but only transport the authorisation profile and not the activity group to Staging/Production.

We are about to refresh the Development system with a copy of Production. What tables do I need to export from Development prior to the refresh, and later re-import, to ensure that Profile Generator is able to maintain the activity groups created in Development?

Thanks in advance.

Paul Ellis

-----Reply Message-----
Subject: Re: Profile Generator tables? - more
From: Mike O'Carroll

oh, and maybe these tables for profile generator stuff......
(from top include for PFCG)
function-pool rhum.

tables: hrv1220, hrp1001, hrp1000.
tables: pchdy, pphdx, p1000,
pt1220, t77fc, t77fd.
tables: *objec, objec, *p1000.
tables: pdrhum, t77aw, t777o.
tables: xu213.
tables: t777e, usr05, tprprof.

and you may need to do the same with menu tables - I'm not sure which ones

(from top include from SSM1)
function-pool smnu. "MESSAGE-ID ...
*
tables: indx, tstct, dsyax,
smenca_new, smen_obnew, smen_conew,
smenusenew, smenentnew,
smen_dates, ssm_stat, ssm_start, ssm_langu,
smensapt, smencust, smenentt,
smensapnew, smencusnew,
smenselect, t002t,
ssm_rele, smenintnew, smenintt.

--------------------------------------------------------------------------------

Regards,
Mike O'Carroll

-----Reply Message-----
Subject: Re: Profile Generator tables? (Document link: Michael O'Carroll)
From: Michael O'Carroll/UK

user masters: USR01 to 09, UST04,
profiles: USR10, USR11, UST10S, UST10C,
authorisations: USR12, USR13, UST12.
password exceptions USR40.
History tables(may not be applicable but FYI): users: USH02, USH04,
profiles: USH10, auths USH12.

activity groups are stored in table PLOGI along with loads of other object types. the activity groups are object type T.
You could export the table data with a manual transport request via SE01, using R3TR TABU and specify the keys to use for all objects of type T(ie all activity groups). Remember to include all clients in the selection.

OR, if you are using the client copy functions to refresh your DEV from PROD, then you could use RSCCEXCT (see OSS note 70290) to list all these tables and exclude them from the copy, hence the corresponding original DEV tables should not be overwritten in DEV.
I suggest you export a transport request with all these tables from DEV just in case, so you can re-import them again if it goes pear shaped.
In 3.x I don't think the activity group names involve client number or SID, but I've heard some differences in 4.6 - Guy Holchester has sent many notes to the list about it - have a look at the archives, but I think as long as you aren't copying between different versions (eg from Prod 4.6 to Dev 3.x, or vice versa) then it should be OK.

If you choose to re-import the tables from transport requests, you might want to run the sync tool in the target client (DEV) afterwards - ie run function module SUSR_SYNC_USER_TABLES, or run SU30, just to check for any dodgy links or inconsistencies.

Also, if you are re-importing user masters too, run RSSODELT and RSSOUSER to recreate all SAPOffice mailboxes and link them to the new user IDs in the target client.

hope this helps.
cheers,
Mike

-----Reply Message-----
Subject: Re: Profile Generator tables?
From: Kenneth Marquardt

I would use RHMOVE30 and create a transport of your activity groups. To be safe test import the activity groups to QAS prior to refreshing DEV with PRD. Then once you have completed the refresh import the transport you created. For more info on this look at the Authorization is made easy guide available online on page 11-6 release 4.0b.

Remember to run SUPC after you import to regenerate the profiles.

-----End of Reply Message-----

How to check missing authorizations for user
How do you check the missing authorisations for a user who does not have the option to run /nSU53?

You can use the following procedures to determine which authorizations a user requires to carry out a transaction:

You can use the trace function ST01 to record the user's activity; from the log you can see which authorization is missing.

Start an authorization trace using the ST01 transaction and carry out the transaction with a user who has full authorizations. On the basis of the trace, you can see which authorizations were checked.

This procedure generally works well. However, sometimes the result is very surprising because certain programs can and do ignore some authorization checks by using preliminary checks and buffered results. In such cases, these methods are not very effective. You can recognize these cases because certain fields of the corresponding programs are specified with * or DUMMY at some point of the authorization check.

Analyzing authorization problems in an unknown program

The most frequently used method to analyze authorization problems in an unknown program is to set debugger breakpoints on the AUTHORITY-CHECK and MESSAGE statements, then execute the program and analyze its behavior.

Determining all the authorizations a user has for an authorization object

When troubleshooting, it is often helpful to find out all the authorizations a specified user has for a specific authorization object. A simple method of reading these authorizations as raw data from the user master record is to execute the GET_AUTH_VALUES function module in the SUSR function group. Use the SE37 transaction or SE80 in test mode to do so. The result table is not formatted for output, but is very compact and easy to understand for authorization experts.

Analyzing an authorization problem that occurs for only one user

It is often the case that a certain authorization problem occurs for only one specific user. This kind of authorization problem generally affects users with no Debugging authorization. If you want to assign a user Debugging authorization without changing the HR authorizations, you can add the S_A.DEVELOP authorization profile (if available) to the user’s authorization profiles. In production systems, note that changes such as these to authorizations enable users (with relevant knowledge of the development environment) to access any system data easily (especially in other clients).

Authorizations

Authorization Concepts
Access control in SAP is composed of several concepts:

Program code that calls an authorization check using the AUTHORITY-CHECK statement. This will look something like:
authority-check object <object> id <field> field <value>.

Authorization fields (corresponding to <field> in the above code) that define a scope of possible values. Examples of authorization fields would be:

ACTIVITY: defines the type of activity the user is doing with the data. Possible values are
'DISPLAY', 'MODIFY', 'DELETE', etc.

COMPANY_CODE: possible values are any single value, or any range of values, or any combination thereof (such as '0438' and '0600' thru '1100')

Authorization objects that define a group of fields. For example, an authorization object called 'CO_MDATA', containing our above fields ACTIVITY and COMPANY_CODE, might be used to control access to the company master data tables.

Authorizations, each of which belongs to exactly one authorization object, that define authorization values (within the scopes defined by the authorization objects) to be granted to users. Note that an authorization is different from an authorization object! Extending our previous examples, we might have an authorization, belonging to the authorization object 'CO_MDATA', called 'CO_MDATA_ALL', that grants all access to all company master data. Then 'CO_MDATA_ALL' would have the following values:

FIELD          VALUE
ACTIVITY       *
COMPANY_CODE   *

Profiles, each of which may contain several authorizations or profiles. A simple profile contains a group of authorizations. A composite profile contains a group of profiles (simple or composite). [Profiles can be conceptualized as forming the structure of a tree, in which end nodes (leaves) are authorizations, and all other nodes are profiles. Simple profiles are nodes whose children are all end nodes, and composite profiles are nodes, other than end nodes, who have no end nodes for children.]

Profiles are designed to define a set of one or more functions or positions. For example, a functional profile might define all the authorizations that are required for doing a goods receipt, or for making a payment in the AP module. A position profile, on the other hand, might define all of the authorizations that are granted to an accountant, or to a warehouse supervisor. Often, a position profile is a composite profile consisting of several functional profiles.

Users, to whom profiles are assigned. A user is assigned one or more profiles by the system administrator. These profiles define all of the user's system authorizations. It sounds complicated, but once you start working with authorizations, it's pretty easy.

What authorizations are required?

Administrators who use the Profile Generator require authorization for the following authorization objects:

S_USER_AGR Authorization Check for Activity Groups

S_USER_TCD Transaction Assignment of Transactions to Activity Groups

S_USER_GRP User Master Maintenance: User groups

S_USER_PRO User Master Maintenance: Authorization Profile

S_USER_AUT User Master Maintenance: Authorizations

S_USER_VAL Maintenance of Authorization Values in Activity Groups

Check which authorization objects are checked within a tcode

1. Open two sessions

2. Execute transaction ST01 in one of the sessions

3. Select the authorisation checkbox, note the other traces you can perform (SQL, RFC, Table Buffer etc)

4. Click the ‘Trace On’ button

5. Within your other session execute the transaction/report you want to trace, or get the user in question to do it

6. Return to the session where you turned the trace on and click on 'Trace Off', otherwise it will continue to record all authorisation checks

7. Click on the ‘Analysis’ button

8. Enter appropriate data into selection screen such as Username, type of trace records (i.e. Authorization check)

9. Click on the Execute button.

10. The report displaying the trace results is now shown


Shortcut to create a role with many tcodes and reports

Once I had a couple of roles which were made just to hold reports. The number of reports was huge. Here is how I did it.
First create a CATT script with a dummy role and add one tcode. Make the role and T-code a variant. Once you have this you can add any number of tcodes to any existing role. I could reuse this to create other roles where I had to insert a lot of T-codes.

How to troubleshoot authorizations in SAP R/3

When you encounter errors during testing of roles, you can use SU53 and ST01 to analyze the error.

  1. Ask the user to run SU53 to display the result of the last failed authorization check. It is important that the user runs SU53 immediately after the failed authorization check, as only the last object that failed the check is saved.
Introduction to authorizations
  • Authorization objects enable complex checks of an authorization, which allows a user to carry out an action. An authorization object can group up to 10 authorization fields that are checked in an AND relationship.
  • For an authorization check to be successful, all field values of the authorization object must be maintained accordingly. The fields in an object should not be seen as input fields on a screen. Instead, fields should be regarded as system elements, such as infotypes, which are to be protected.
  • You can define as many system access authorizations as you wish for an object by creating a number of allowed values for the fields in an object. These value sets are called authorizations. The system checks these authorizations in OR relationships.
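A toy model of the concepts described above (authorization objects whose fields are checked in an AND relationship, several authorizations for one object checked in an OR relationship, simple and composite profiles forming a tree, users holding profiles) is given below. It is an added Python example for this page, not SAP code; the CO_MDATA object, the authorization names, the Z_* profiles and the users ALICE and ADMIN are constructed sample data following the earlier CO_MDATA/COMPANY_CODE illustration. The user_auths_for helper lists every authorization a user holds for one object, the kind of raw listing the troubleshooting section above attributes to GET_AUTH_VALUES, and the DUMMY value models a field that the check deliberately skips, as mentioned in the ST01 note.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Union

DUMMY = "DUMMY"  # requested value meaning "do not check this field" (ABAP: ID ... DUMMY)


@dataclass(frozen=True)
class Range:
    """A 'thru' interval such as '0600' thru '1100' (inclusive, compared as strings)."""
    low: str
    high: str


FieldValue = Union[str, Range]  # a single value, '*' for everything, or a Range


@dataclass
class AuthObject:
    name: str
    fields: List[str]  # at most 10 fields; all of them are checked in an AND relationship


@dataclass
class Authorization:
    name: str
    obj: AuthObject
    values: Dict[str, List[FieldValue]]  # field name -> allowed value set


@dataclass
class Profile:
    name: str
    auths: List[Authorization] = field(default_factory=list)  # leaves (simple profile)
    profiles: List["Profile"] = field(default_factory=list)   # children (composite profile)


@dataclass
class User:
    name: str
    profiles: List[Profile]


def value_allowed(allowed: List[FieldValue], actual: str) -> bool:
    """One field passes if any entry of the authorization's value set covers the value."""
    for v in allowed:
        if v == "*":
            return True
        if isinstance(v, Range):
            if v.low <= actual <= v.high:
                return True
        elif v == actual:
            return True
    return False


def authorization_passes(auth: Authorization, requested: Dict[str, str]) -> bool:
    """AND relationship: every field of the object must be covered by this one authorization.
    A field requested as DUMMY is skipped. A field not requested at all is compared against
    the empty value, so only '*' covers it (an assumption of this toy model)."""
    for f in auth.obj.fields:
        actual = requested.get(f, "")
        if actual == DUMMY:
            continue
        if not value_allowed(auth.values.get(f, []), actual):
            return False
    return True


def walk(profile: Profile) -> Iterator[Authorization]:
    """Flatten the profile tree: leaves are authorizations, inner nodes are profiles."""
    yield from profile.auths
    for child in profile.profiles:
        yield from walk(child)


def user_auths_for(user: User, obj_name: str) -> List[Authorization]:
    """All authorizations a user holds for one object, in raw form (troubleshooting aid)."""
    return [a for p in user.profiles for a in walk(p) if a.obj.name == obj_name]


def authority_check(user: User, obj_name: str, **requested: str) -> bool:
    """OR relationship: succeeds if at least one authorization for the object covers every
    requested field by itself. Values of two different authorizations are never combined."""
    return any(authorization_passes(a, requested) for a in user_auths_for(user, obj_name))


# ---- constructed sample data following the page's CO_MDATA example (not real SAP objects) ----
CO_MDATA = AuthObject("CO_MDATA", ["ACTIVITY", "COMPANY_CODE"])

CO_MDATA_ALL = Authorization("CO_MDATA_ALL", CO_MDATA,
                             {"ACTIVITY": ["*"], "COMPANY_CODE": ["*"]})
CO_MDATA_DISP = Authorization("CO_MDATA_DISP", CO_MDATA,
                              {"ACTIVITY": ["DISPLAY"],
                               "COMPANY_CODE": ["0438", Range("0600", "1100")]})
CO_MDATA_MOD_0438 = Authorization("CO_MDATA_MOD_0438", CO_MDATA,
                                  {"ACTIVITY": ["MODIFY"], "COMPANY_CODE": ["0438"]})

# functional (simple) profiles grouped into a position (composite) profile
Z_GOODS_RECEIPT = Profile("Z_GOODS_RECEIPT", auths=[CO_MDATA_DISP])
Z_PAYMENTS = Profile("Z_PAYMENTS", auths=[CO_MDATA_MOD_0438])
Z_ACCOUNTANT = Profile("Z_ACCOUNTANT", profiles=[Z_GOODS_RECEIPT, Z_PAYMENTS])
Z_CO_ADMIN = Profile("Z_CO_ADMIN", auths=[CO_MDATA_ALL])

ALICE = User("ALICE", [Z_ACCOUNTANT])
ADMIN = User("ADMIN", [Z_CO_ADMIN])

if __name__ == "__main__":
    for activity, cc in [("DISPLAY", "0700"), ("MODIFY", "0438"), ("MODIFY", "0700")]:
        print(activity, cc, authority_check(ALICE, "CO_MDATA", ACTIVITY=activity, COMPANY_CODE=cc))
```

The instructive case is MODIFY in company code 0700 for ALICE: she may DISPLAY 0700 (through CO_MDATA_DISP) and MODIFY 0438 (through CO_MDATA_MOD_0438), but because each authorization is evaluated on its own and fields inside it are ANDed, MODIFY 0700 is refused. Merging the two value sets into one authorization would silently grant it, which is why the values of separate authorizations should be kept discrete when a role is reworked.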
Creating New user with authorizations.
I want to create a new user for a SAP module. I have the user id sap* (someone has said that this is the super user id); when I log in with this id and go to the IMG for configuration, a message is displayed that I am not authorised to change the details with the sap* user.

What is the procedure for creating a new user which has all the features defined under SAP* and which would allow me to make the configurations?

Creating new user with superuser authorizations.

1. Go to SU01, enter username: sapuser, and choose Create.

2. In the default settings, give
Title: Mr
First name: sap
Last name: user

3. Go to the next tab and give
initial password: 1234
repeat password: 1234

4. Go to Profiles and type
SAP_ALL (press Enter)
SAP_NEW (press Enter)
Then save....
See the message in the status bar (user created successfully).

5. Log in with the new user and change the password. Now this user contains all superuser authorizations.