Monday, May 26, 2008

Authorizations

Authorization Concepts
Access control in SAP is composed of several concepts:

Program code that calls an authorization check using the authority-check statement. This will look something like:
authority-check object '<object>' id '<field>' field <value>.

Authorization fields (corresponding to the field named in the above code) that define a scope of possible values. Examples of authorization fields would be:

ACTIVITY: defines the type of activity the user is doing with the data. Possible values are 'DISPLAY', 'MODIFY', 'DELETE', etc.

COMPANY_CODE: possible values are any single value, or any range of values, or any combination thereof (such as '0438' and '0600' thru '1100')

Authorization objects that define a group of fields. For example, an authorization object called 'CO_MDATA', containing our above fields ACTIVITY and COMPANY_CODE, might be used to control access to the company master data tables.

Authorizations, each of which belongs to exactly one authorization object, that define authorization values (within the scopes defined by the authorization objects) to be granted to users. Note that an authorization is different from an authorization object!! Extending our previous examples, we might have an authorization, belonging to the authorization object 'CO_MDATA', called 'CO_MDATA_ALL', that grants all access to all company master data. Then 'CO_MDATA_ALL' would have the following values:

FIELD VALUE
ACTIVITY *
COMPANY_CODE *

Profiles, each of which may contain several authorizations or profiles. A simple profile contains a group of authorizations. A composite profile contains a group of profiles (simple or composite). [Profiles can be conceptualized as forming the structure of a tree, in which end nodes (leaves) are authorizations, and all other nodes are profiles. Simple profiles are nodes whose children are all end nodes, and composite profiles are nodes, other than end nodes, who have no end nodes for children.]

Profiles are designed to define a set of one or more functions or positions. For example, a functional profile might define all the authorizations that are required for doing a goods receipt, or for making a payment in the AP module. A position profile, on the other hand, might define all of the authorizations that are granted to an accountant, or to a warehouse supervisor. Often, a position profile is a composite profile consisting of several functional profiles.

Users, to whom profiles are assigned. A user is assigned one or more profiles by the system administrator. These profiles define all of the user's system authorizations. It sounds complicated, but once you start working with authorizations, it's pretty easy.

What authorizations are required?

Administrators who use the Profile Generator require authorization for the following authorization objects:

S_USER_AGR Authorization Check for Activity Groups

S_USER_TCD Transaction Assignment of Transactions to Activity Groups

S_USER_GRP User Master Maintenance: User groups

S_USER_PRO User Master Maintenance: Authorization Profile

S_USER_AUT User Master Maintenance: Authorizations

S_USER_VAL Maintenance of Authorization Values in Activity Groups

Check which authorization objects are checked within a tcode

1. Open two sessions

2. Execute transaction ST01 in one of the sessions

3. Select the authorisation checkbox, note the other traces you can perform (SQL, RFC, Table Buffer etc)

4. Click the ‘Trace On’ button

5. Within your other session, execute the transaction/report you want to trace, or get the user in question to do it

6. Return to the session where you turned the trace on and click on ‘Trace Off’, otherwise it will continue to record all authorisation checks

7. Click on the ‘Analysis’ button

8. Enter appropriate data into selection screen such as Username, type of trace records (i.e. Authorization check)

9. Click on the Execute button.

10. Report displaying trace results will now be displayed


Shortcut to create a role with many tcodes and reports

Once I had a couple of roles which were made just to hold reports. The number of reports was huge. Here is how I did it.
First create a CATT script with a dummy role and add one tcode. Make the role and T-code as variant. Once you have this you can add any number of tcodes to any existing role. I could reuse this to create other roles where I had to insert a lot of T-codes.

How to troubleshoot authorizations in SAP R/3

When you encounter errors during testing of roles, you can use SU53 and ST01 to analyze the error.

  1. Ask the user to run SU53 to display the result of the last failed authorization. It is important that the user runs SU53 immediately after the failed authorization check, as only the last object that failed the authorization check is saved.

Introduction to authorizations
  • Authorization objects enable complex checks of an authorization, which allows a user to carry out an action. An authorization object can group up to 10 authorization fields that are checked in an AND relationship.
  • For an authorization check to be successful, all field values of the authorization object must be maintained accordingly. The fields in an object should not be seen as input fields on a screen. Instead, fields should be regarded as system elements, such as infotypes, which are to be protected.
  • You can define as many system access authorizations as you wish for an object by creating a number of allowed values for the fields in an object. These value sets are called authorizations. The system checks these authorizations in OR relationships.
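
The evaluation rules described above (fields of one authorization checked with AND, a user's authorizations checked with OR, profiles nesting as a tree) can be modelled in a few lines. This is an added example, not code from the original post or from SAP; it extends the post's CO_MDATA example, and the authorizations CO_MDATA_DISP and CO_MDATA_MOD, the profile names and the users are constructed for illustration.

```python
# Added illustration with constructed data; a toy model, not SAP code.
# Authorization name -> (authorization object, {field: granted values}).
# A granted value is "*", a single value, or a (low, high) range.
AUTHORIZATIONS = {
    "CO_MDATA_ALL": ("CO_MDATA", {"ACTIVITY": ["*"], "COMPANY_CODE": ["*"]}),
    "CO_MDATA_DISP": ("CO_MDATA", {"ACTIVITY": ["DISPLAY"],
                                   "COMPANY_CODE": ["0438", ("0600", "1100")]}),
    "CO_MDATA_MOD": ("CO_MDATA", {"ACTIVITY": ["MODIFY"],
                                  "COMPANY_CODE": ["0438"]}),
}
# Profile name -> children (authorizations for a simple profile,
# other profiles for a composite one).
PROFILES = {
    "P_DISPLAY": ["CO_MDATA_DISP"],
    "P_MODIFY": ["CO_MDATA_MOD"],
    "P_ACCOUNTANT": ["P_DISPLAY", "P_MODIFY"],
    "P_ADMIN": ["CO_MDATA_ALL"],
}
USERS = {"alice": ["P_ACCOUNTANT"], "admin": ["P_ADMIN"]}


def leaves(profile, seen=None):
    """Walk the profile tree and return the authorization names at its leaves."""
    seen = set() if seen is None else seen
    if profile in seen:  # guard: a composite profile that contains itself
        return []
    seen.add(profile)
    found = []
    for child in PROFILES[profile]:
        found += leaves(child, seen) if child in PROFILES else [child]
    return found


def covers(granted, value):
    """True if one granted entry (wildcard, single value or range) matches."""
    return any(g == "*" or g == value or
               (isinstance(g, tuple) and g[0] <= value <= g[1])
               for g in granted)


def authority_check(user, obj, **fields):
    """OR over the user's authorizations; AND over the fields of each one."""
    for profile in USERS[user]:
        for name in leaves(profile):
            auth_obj, granted = AUTHORIZATIONS[name]
            if auth_obj == obj and all(covers(granted.get(f, []), v)
                                       for f, v in fields.items()):
                return True
    return False
```

In this model alice may DISPLAY company code 0700 and MODIFY 0438, yet MODIFY on 0700 fails: every field must be satisfied by the same authorization, and values are never combined across two of them.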

Creating a new user with authorizations

I want to create a new user for an SAP module. I am having user id as sap* (someone has said that this is the super user id); when I log in with this id and go to IMG for configurations, a message is displayed that I am not authorised to change the details with the sap* user.

What is the procedure for creating a new user which has all the features defined under the SAP* user and which could allow me to make the configurations?

Creating new user with superuser authorizations.

1. Go to SU01 --
username : sapuser
|-->Create.

2. In default settings, give
:Mr
first name : sap
lastname : user

3. Go to next tab,
give initial password :1234
repeat password : 1234

4. Go to profiles.
type- sap_all (say enter)
sap_new (say enter)
Then save....
See the message in status bar, (user created successfully)

5. Log in with the new user. Change the password. Now this user contains all superuser authorizations.
