Monday, May 26, 2008

PFCG TOOL

Authorization means permission to perform a particular function in the SAP System. It is
achieved by assigning authorization profiles to users.

The various terms used in Authorizations are :

1. Authorization fields
Authorization fields identify the elements of the system that need to be protected.
These fields are associated with the data elements of the ABAP/4 Dictionary. For
example if you consider Sales order creation as an activity for which authorization is
required, the fields associated with this activity are :
VKORG – Sales Organization
VTWEG – Distribution Channel
SPART – Division
These fields are the ones checked by the ABAP/4 statement AUTHORITY-CHECK.


2. Authorization object
Authorization object identifies an activity that needs to be protected in the SAP
system. For example Creation of a Sales Order is an activity. An object is made up of
authorization fields. A user can perform an activity only if they satisfy the
authorization check for each field in the authorization object.
Eg. V_VBAK_VKO is an object for Sales Area comprising of the following fields:
VKORG – Sales Organization
VTWEG – Distribution Channel
SPART – Division
ACTVT – Activity
Authorization objects are grouped into Object class depending up on the application
area.

3. Authorization
Authorization is used to define permitted values for the fields of an authorization
object. For example, to define an authorization for displaying a sales order for
Sales Organization 3000, Distribution Channel 01 and Division 02, the
values assigned to the fields of the object V_VBAK_VKO are:
VKORG – 3000
VTWEG – 01
SPART – 02
ACTVT – 03 (Display)

4. Authorization profiles
As a rule, authorizations are not assigned directly to a user. Instead they are grouped
into an authorization profile, which is then assigned to the user master
record.
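The four concepts above meet in the check itself. The ABAP statement AUTHORITY-CHECK OBJECT 'V_VBAK_VKO' ID 'VKORG' FIELD ... ID 'ACTVT' FIELD '03' sets sy-subrc to 0 only when one of the user's authorizations for that object covers every checked field at the same time; values from two different authorizations are never combined, which is why a user who may display in sales organization 3000 and change in 1000 cannot change in 3000. The Python model below is an added example, not code from this page or from SAP: the Authorization class, the authority_check and format_report functions and the sample user buffer are assumptions made for illustration. It also produces the kind of "required versus present" listing that transaction SU53, mentioned later under "Methods of correcting Profiles", shows after a failed check.

```python
"""Model of SAP authority-check evaluation (added example, not SAP code).

Simplified semantics of AUTHORITY-CHECK against an object such as
V_VBAK_VKO: the check passes only when ONE authorization covers every
checked field at once.  A field value in an authorization may be an exact
value, the full wildcard '*', a generic value with trailing '*' (e.g. '30*')
or an interval 'from-to'.  Fields the check does not name are ignored, as
with DUMMY in the ABAP statement.  Names and sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """One authorization: the permitted values for each field of one object."""
    obj: str
    values: dict[str, tuple[str, ...]]   # field name -> permitted value specs


def value_allowed(spec: str, value: str) -> bool:
    """Does one permitted-value spec from an authorization cover `value`?"""
    if spec == "*":                       # full authorization for the field
        return True
    if spec.endswith("*"):                # generic value, e.g. '30*'
        return value.startswith(spec[:-1])
    if "-" in spec:                       # interval 'from-to', string comparison as in SAP
        low, high = spec.split("-", 1)    # (model only: real values containing '-' not handled)
        return low <= value <= high
    return spec == value                  # single value


def authority_check(user_auths: list[Authorization], obj: str, **required: str):
    """Evaluate a check like AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ...

    Returns (rc, report) where rc mirrors sy-subrc:
      0  one authorization satisfies all checked fields,
      4  the user has authorizations for the object but none covers all fields,
      12 the user has no authorization for the object at all.
    `report` lists, per failing authorization, the fields it does not cover as
    {field: (required value, values present)}: the data SU53 shows after a failure.
    """
    candidates = [a for a in user_auths if a.obj == obj]
    if not candidates:
        return 12, []
    report = []
    for auth in candidates:
        missing = {}
        for fld, val in required.items():
            specs = auth.values.get(fld, ())
            if not any(value_allowed(s, val) for s in specs):
                missing[fld] = (val, specs)
        if not missing:                   # every field covered by this ONE authorization
            return 0, []
        report.append(missing)
    return 4, report


def format_report(rc: int, report: list[dict], obj: str, **required: str) -> str:
    """Render a result in the style of SU53: the requirement first, then what
    each of the user's authorizations for the object actually holds."""
    lines = [f"{obj}: sy-subrc {rc}",
             "required: " + " ".join(f"{k}={v}" for k, v in required.items())]
    for n, missing in enumerate(report, 1):
        for fld, (val, specs) in missing.items():
            lines.append(f"  authorization {n}: {fld} needs {val}, has {list(specs) or 'no value'}")
    return "\n".join(lines)


def run_check(user_auths: list[Authorization], obj: str, **required: str) -> str:
    """Evaluate a check and return the SU53-style text for it."""
    rc, report = authority_check(user_auths, obj, **required)
    return format_report(rc, report, obj, **required)


# Constructed sample user buffer (assumption): two authorizations for V_VBAK_VKO.
SAMPLE_USER_BUFFER = [
    # Display (03) of sales orders in sales org 3000, channel 01, division 02
    Authorization("V_VBAK_VKO", {"VKORG": ("3000",), "VTWEG": ("01",),
                                 "SPART": ("02",), "ACTVT": ("03",)}),
    # Create/change (01, 02) in sales orgs 1000-1999, any channel, any division
    Authorization("V_VBAK_VKO", {"VKORG": ("1000-1999",), "VTWEG": ("*",),
                                 "SPART": ("*",), "ACTVT": ("01", "02")}),
]

if __name__ == "__main__":
    common = dict(VKORG="3000", VTWEG="01", SPART="02")
    print(run_check(SAMPLE_USER_BUFFER, "V_VBAK_VKO", ACTVT="03", **common))  # passes
    print(run_check(SAMPLE_USER_BUFFER, "V_VBAK_VKO", ACTVT="02", **common))  # fails: no single auth
    print(run_check(SAMPLE_USER_BUFFER, "V_VBAK_VKO",
                    VKORG="1500", VTWEG="10", SPART="00", ACTVT="02"))        # passes via interval
    print(run_check(SAMPLE_USER_BUFFER, "V_VBAK_AAT", ACTVT="03"))            # no auth for object
```

The second call is the instructive one: the user holds ACTVT 02 and holds VKORG 3000, but in different authorizations, so the change in 3000 is refused and the report shows one missing field per authorization, exactly the situation in which an administrator reading SU53 has to decide whether to extend an existing authorization or add a new one.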


What is the Profile Generator?

SAP’s Profile Generator allows authorization administrators to automatically generate
and assign authorization profiles. Released with 3.1G, this tool accelerates R/3
implementation by simplifying the task of setting up the authorization environment. The
administrator needs only to configure the customer-specific settings; the Profile
Generator manages all the other tasks, such as selecting the relevant authorization objects
for consideration. The Profile Generator is fully integrated in R/3 and is available on all
R/3-supported platforms. The Profile Generator represents another improvement of
SAP’s tool-based support and a reduction in R/3 implementation time.
The Profile Generator is a new approach to defining the authorization environment. The
administrator no longer uses the authorization objects to define the authorizations for
various user groups; instead, authorization profiles are built around the functions to be
performed in R/3. Based on function selection, the Profile Generator selects the relevant
authorization objects and groups them in a new authorization profile.

Using functions to define authorization profiles:

• Speeds up the process
• Defines authorization profiles more reliably (because only the required authorizations
are granted)
• Simplifies administrator/user communication, allowing both the administrator and
users to use the same R/3 function terminology

To generate an Authorization profile automatically you first need to create an Activity
Group.

What is an Activity Group?

The process of security implementation with the new PG is based on the creation
of activity groups or a collection of linked or associated activities, such as tasks, reports,
and transactions. An activity group is a data container for the PG to generate
authorization profiles and usually represents a job role in your company.
For example, to implement security for a buyer:

1. Create an activity group, Buyer
2. Include all of the business transactions Buyer can access
3. Generate the appropriate authorization profile for Buyer
4. Assign Buyer to a new user or a position in your system
5. Update the user master record for the user

The new user now has all the necessary access rights needed to work as a buyer in your
company.

Activity groups are user-defined and allow you to systematically organize and efficiently
maintain system activities. The SAP Session Manager, SAP Business Workflow, and
Personnel Planning and Development require activity information. Using an activity
group as an information database reduces data entry time. Select the criteria, such as
access rights, and divide the activities into appropriate groups. For example, you could
decide to group activities by subject matter, such as personnel, payroll, or budgeting. Or,
you could group activities by job classes, such as translation activities, computer
programmer activities, or secretarial activities. You could also set up a combination of
subject matter and job-oriented activity groups. Activity groups are created and
maintained in the activity group maintenance transaction, PFCG. After setting up activity
groups, you may assign them to various R/3 objects.

Activity Group Assignments

• R/3 Users
An R/3 user is an individual who is recognized by the R/3 System and is allowed to
logon. For the system to recognize users, their names must be entered in the user
master record of the Basis component.

• Jobs
A job represents a general classification of work duties, such as secretary, computer
programmer, instructor, etc. Many employees in your company may hold the same
job classification. (For example, there might be 20 people whose job is secretary.)
Positions are usually based on jobs. Anyone who holds a job automatically inherits
the infotype settings, attributes, and properties of the job. Be careful when assigning
activity groups to jobs, unless the activity group grants only general access rights
such as those needed to work with SAPoffice.

• Positions
A position represents a unique, individual employee assignment within a company
(for example, marketing secretary, sales manager, etc.) Positions should not be
confused with jobs. You can handle authorization management in an almost
completely position-oriented fashion. All the access rights are then linked to the
position, so it does not matter who fills this position. Once a user changes positions
after the user master record is updated, the authorization profile automatically
changes.

• Organizational units
Organizational units represent any organizational entity that performs a specified set
of functions within a company. For example, organizational units represent
subsidiaries, divisions, departments, groups, special project teams, etc. Identify the
organizational structure at your firm by creating organizational units and identifying
the relationships among the units. Anyone who is assigned to an organizational unit
automatically inherits the infotype settings, attributes, and properties of this
organizational unit.

Steps for Implementing Profile Generator

SETTING UP PROFILE GENERATOR SAP R/3 4.0B

1. Logon to Client = ‘xxx’ with SAP_ALL
2. Enter transaction code RZ10. Set system parameter ‘ auth/no_check_in_some_cases
= Y ’ in the instance profile. This setting is required for proper functioning of the
Automatic Profile Generator. Activate the instance profile.
3. Stop and restart the designated R/3 instance now
4. Logon to the same client as in step 1 with SAP_ALL
5. Make sure the parameter set in step 2 is active by running RSPARAM report using
transaction SA38
6. Go to the Implementation Guide by entering the transaction SPRO. Within the IMG
go to the option Basis components => System Admin => Users and Authorizations
=> Maintain Authorizations and Profiles using profile generator => Execute next to
Activate profile generator.
7. You get the “ Choose Activity ” screen
a) Maintain System Profile Parameter ( Done in steps 2 – 5 )
b) Set active plan version (Transaction OOAP). If the plan version is not set,
set it to 01.
c) Set up PD transport connection (Transaction OOCR). No value in ‘ Value abbr. ’
indicates that the automatic transport connection is active.

8. Enter transaction SPRO => F5 => Basis components => System Admin => Users
and Authorizations => Maintain Authorizations and Profiles using profile generator
=> Execute next to Work on SAP check indicators and field values
9. You get “ Choose Activity ” screen
a) Create development class. (Transaction OY08). Hit enter at ‘ The table is client-
independent ’ message screen. Click New Entries and create new development
class with following details:
Development Class: ZDEV
Description: Development class for security
Transport Layer: ZDEV
Person Responsible: Enter user name
Check the box ‘ Link to Workbench Organizer ’
Save

b) Copy SAP check IDs and field values (Transaction SU25). Click the icon next to
1. Initially fill the customer tables. An information message box appears; press
Enter. The step completes successfully in a few minutes.
Then click the icon next to 3. Transport the customer tables. Press Enter at the
information box. This step also completes successfully in a few minutes.

c) Change check indicators (Transaction SU24). This transaction is used to maintain,
and if necessary deactivate, the authority checks against authorization objects that
a transaction performs. No changes were made during this setup; the defaults were kept.

Note : When running SU25 for the first time on the machine we got an information message saying

“PROFGEN_INFO_TEXT does not exist“
This is probably because it was the first run.


Enter transaction SPRO => F5 => Basis components => System Admin => Users and
Authorizations => Maintain Authorizations and Profiles using profile generator =>
Generate company menu => Execute. Alternatively use transaction SSM1.

10. Make sure that English is present in the choose languages section
11. Click execute for 1.
SAP standard menu generation. Click enter at information box.
Takes few minutes and completes successfully.
12. Click execute next to 2a.
Company menu generation. Click enter at information box.
Takes few minutes and completes successfully.
13. Click Activate next to 2c.
Activate company menu. Click yes at confirmation for
activating the company menu.
14. Create an activity group using transaction PFCG to test the setup of profile generator.

SETUP OF SAMPLE ACTIVITY GROUP

1. Enter transaction code PFCG
2. Screen ‘ Edit Activity Group’ is shown
3. Enter the activity group name. Do not use an underscore (_) as the second character;
that namespace is reserved for SAP.
4. Example activity group name: Z:MKTDIRCT
5. Click create icon
6. At ‘Do you want to allow responsibilities for activity groups’? screen choose NO
7. Activity Group Basic Data: Create screen is shown
8. Enter a descriptive text in the NAME field eg: Activity group for market director
9. Click Menu push button
10. Enter at change request # popup box
11. Menu tree is displayed
12. Find the transaction codes needed by position in question by Edit => find
13. Choose the transactions by clicking in the box next to the red traffic light,
eg: transaction VD02
14. Likewise choose all transactions needed
15. When done save your work by clicking save button
16. Click enter at change request number
17. Go back
18. Click authorizations push button
19. At define organizational levels screen choose select values or put a * in all of them.
Organizational level includes fields like Company code, Sales Organization,
Controlling area etc.
20. Save
21. This will take you to authorization screen
22. Expand the tree by clicking on the + sign
23. Choose all the needed authorizations by clicking besides it
24. When done click save icon
25. Accept the default profile name and enter
26. Accept the change request # and enter
27. Click activate button after saving your work
28. At generate profile screen click generate
29. Click enter at change request #
30. Go back and notice the authorization push button is active
31. Next click agents push button
32. You will get ‘Maintain Agent Assignment’
33. Click user icon
34. Enter user name and click enter
35. Enter at change request number box
36. Click icon update user master data records
37. User master data reconciliation screen is shown
38. Click execute
39. This step completes the assignment of the activity group (authorization profiles to be
precise) to the user master records.

Methods of correcting Profiles

• Through Company Menu : If a user wants to execute a menu function, the
authorization for it can be added using the Menu option of transaction PFCG.
• Manual Method : Authorization objects can be added manually to the profiles
generated by the Profile Generator. If a user gets an authorization failure while
executing a transaction, the object required and the values that need to be
defined for its fields can be obtained with transaction SU53. The object can then be
added to the existing profile by executing PFCG => Authorization => Edit old data => Edit => Insert Auth => Insert
manually. You can also insert existing profiles and templates from the same menu.
Templates are simply sets of authorization objects with blank values in their
respective authorization fields. These templates can be included in the profiles and
the necessary values assigned.

SU53 authorization Check
Question: If there is a message in SU53 saying "T-DV76526201 Exists in user buffer" for the role T-DV76526201, and then below I would find the list of the transaction codes affected, does that mean that there was an error or is it just an informational message?

Are all messages appearing in SU53 just error messages, or are there also informational messages?

Answer:
SU53 records the last authorisation failure for a user. The first block shows the system's authorisation requirement and the list below shows the authorisations present for that object for a particular user.

Answer:
I have seen the message you are talking about. The SU53 actually states something about an authorization existing in the user buffer but it still fails. I have found this is a throwback to pre-4.5 where the user must log off and back on again and it will usually work then. Give it a shot.




S_USER_ALL
Question:
Hi...

I am about to administrate users and roles on a SAP system. Previously I was always given SAP_ALL, but this time I wanted more adequate access rights. I therefore requested the profile S_USER_ALL (All Authorizations for user and authorization maintenance).

But... only to find out that it did not include any value for TDC (transaction code) or the authorization object S_USER_VAL (which gives access to change values in PFCG).

Anybody with experience in this area?

What profiles/roles are you guys using for user/role administration?

Thanks for any reply


Answer:
Requirements will depend on your segregation of duties for user and role/profile administration.

We developed our own and did not depend on the SAP provided Roles.

Assign yourself SAP_ALL in a test client, set up a trace and run through your actions to see what auths and values you need.


S_TRANSPRT VS S_CTS_ADMI
Question: We're trying to restrict rights to release transports (DTRA); one role has most activities for S_TRANSPRT but not 43 (release). However, one user with this role managed to release a transport. The same role has S_CTS_ADMI with activity * (all activities); is this effectively "overriding" the restrictions in S_TRANSPRT ?

Can't find any info on this elsewhere... tried SAP, SDN...

thanx...

Answer:
Look into SU24 and SU21 and from there into the documentation; this will give the requested info.

Answer:
The SAP documentation is (as often is the case) very opaque, to say the least. I think we have a decent idea of the relation between these objects, even though we haven't found a clear, logically structured explanation on exactly what are the limitations and interoperability of the two objects. Probably never will...

Answer:
Tronds,

I guess the generic problem here is that values were granted
for the activity field based on the principle "ALL - except (43)".
I advocate the 'need-to-have'.

Check whether activity 75 is in. This allows you to release
other users' objects.
