erdci user authorization

8/18/2019 ERDCI USER Authorization

1/79

SAP R/3 BASIS

TrainingUser &

Authorization


2/79

USER Concept(1)

One of the basic part of R/3 Security is user concept .

After installation of R/3 and client creation, one of the first step is

create users in the new client.

It must be noted that Users are Client dependent

User in one client is not be a user of another client.

They are valid for only the client they were created or assigned.

User Name and user attributes comprises the User aster Records

!y default SA" comes with two super users

SA"#

$$IC

These two super users are available for every client in R/3 system when a new

client is created. But the nature of these two super user are slightly different.

S!" has all the authori#ation

$$%& is authori#ed to administer the R/3 repository.

Transaction coe !or User "aintenance SU#1 $a%igation n 'enu

Tools --> Administration --> User Maintenance --> Users


3/79

User "aster Recor(1)

User Master Record consists of following information'

User Name

ssigned &lient

!assword (&hangeable in future)

&ompany ddress

User Type

Start *enu

+ogon +anguage

!ersonal !rinter Setting

Time ,one

ctivity -roups

uthori#ations

piration $ate

$efault !arameter Setting

User master record maintain throu%h the transaction code SU&'.

An user can be assi%ned to many acti(ity %roups ) an acti(ity %roup

can be assi%n to many users.


4/79

Passor Restriction(1)

"assword can not be word *sap+ or *pass+ .

"assword can not be%in with any seuence of three characterscontained in the user-id lie R0$SI12 user can not set password

starts with R0 ,R0$,0$S ,SI .

"assword can not be%in with 3 identical characters. I.e. aaamy or bbbt.

hen a user chan%es his password ,he may not use any of the lastfi(e passwords.


5/79

Passor Restriction()

inimum password len%th can be set by the by the parameter

lo%in/min4password4ln% 5value 3 6.

Administrator can set the password e7piration date by the parameter

lo%in/password4e7piration4time 5no of days6 .

8umber of incorrect lo%ons allowed for a user master record until

the lo%on procedure is terminated , can be set by the parameter

lo%in/fails4to4session4end 5value 3 6.

8umber of incorrect lo%ons allowed for a user master record untillo%on is re9ected for this user, can be set by lo%in/fails4to4user4loc

5value 3 6. 1he loc is released at midni%ht.

rdisp/%ui4auto4lo%out 5in seconds6 parameter sets automatically lo%out

if user not uses sap%ui defined time.if set & then ne(er automaticallylo%out.


6/79

User sap* & ++IC (1)

SA" R/3 system includes in the default installation two super users

*$$IC+ ) *SA"#+ .

sap# user created with the password *&:&;'


7/79

User sap* & ++IC()

SAP* 000 ,001,066DDIC 000, 001

EARLYWATCH 066

+e!au,t users co'ing a!ter ne insta,,ation


8/79

Create User Step 1

Use The Transaction Code SU01 or !ser "aintenance #

Choose this $!tton

or create ne% !ser

Choose this $!tton

or create ne% !ser


9/79

Create User Step 2

Enter User InoEnter User Ino


10/79

Create User Step 3

Enter these

i"&ortant data

Enter these

i"&ortant data


11/79

Create User Step 4Choose Ro'e ro"

the "en!

Choose Ro'e ro"

the "en!


12/79


13/79

Create User Step 6User can set

USERPara"eters

User can set

USERPara"eters

Ater enterin( a'' data choose sa+e $!tton


14/79


15/79

Acti%it 2roup(1) or R-E

0A role or acti(ity %roup is a collection of R/3 transactions,authori@ations and additional ob9ects .

0Administrator can create ,display ,chan%e ,copy ) transport a Role .01ransaction code "CB used to maintain Role.

Composite Acti(ity Broup or Role

0Composite acti(ity %roups are made up of a collection of acti(ity %roups.

0Users assi%ned to a composite acti(ity are automatically added to the

acti(ity %roups durin% a user comparison.

0Composite acti(ity %roups themsel(es do not contain any authori@ation

data .

US0R Assi%nment

Users can be assi%ned to a sin%le acti(ity %roups or to composite acti(ity

%roups which mostly represent 9ob roles .

Users that assi%n to an acti(ity %roup may e7ecute the transactions,

reports , or any other tas in the acti(ity %roup with the correspondin%

Authori@ations.


16/79

Create Role Step 1

Use Transaction code "CB to maintain role /activity group

Choose theo&tion Create

Choose the

o&tion Create


17/79

Create Role Step 2

1#Enter The

Descri&tion

1#Enter The

Descri&tion

.#Choose the

o&tion "E$U

.#Choose the

o&tion "E$U

/o% to create the ro'e choose 'enu

Created !ser

na"e %i''dis&'a)

Created !ser

na"e %i''

dis&'a)


18/79

Create Role Step 3

To create RLEChoose an) oneTo create RLEChoose an) one

We can choose an) one or a'' o&tion at a ti"e#


19/79

Create Role Step 4

We choose

three ro" the"en! #

We choose

three ro" the"en! #

We choose accordin( o!r Re!ire"ent ro" -SAP "E$U0#


20/79

Create Role Step 5

!r three se'ected "en! a&&eared on Ro'e "en! #

1#!r chosenthree %i'' co"e

on ro'e "en!

1#!r chosenthree %i'' co"e

on ro'e "en!.#A(ain %e

choose

Transaction

.#A(ain %e

choose

Transaction


21/79

Create Role Step 6Assi(n the

transaction coes

!sin( the $!tton

Assign Transaction

Assi(n the

transaction coes

!sin( the $!tton

Assign Transaction


22/79

Create Role Step 7

Then chosen

transaction code

a&&eared on

Ro,e "enu

Then chosen

transaction code

a&&eared on

Ro,e "enu


23/79

Create Role Step 8

1#Choose

Authorizationsro" TA2

1#Choose

Authorizationsro" TA2

.#Choose the $!tton

-Change authorization ata0

.#Choose the $!tton

-Change authorization ata0


24/79

Create Role Step 91#Choose

Range o! %a,ues

r

u,, Authorization

1#Choose

Range o! %a,ues

r

u,, Authorization


25/79

Create Role Step 10These a!thori3ation %i''

co"e on the RLE

These a!thori3ation %i''

co"e on the RLE


26/79

Create Role Step 11Chan(e the

a!thori3ations sa%e

Co,or ha%e change

Chan(e the

a!thori3ations sa%e

Co,or ha%e change

Sa+e the &roi'e (i+e the

na"e o the &roi'e

Sa+e the &roi'e (i+e the

na"e o the &roi'e


27/79

Create Role Step 12

4et the "essa(e

-Pro!i,es create0

4et the "essa(e

-Pro!i,es create0


28/79

Create Role Step 13

Assi(n the -USER5To %ho" this ro'e

ha+e to assi(n

Assi(n the -USER5

To %ho" this ro'eha+e to assi(n

Choose the o&tion

-USER C"PARE0

Choose the o&tion

-USER C"PARE0

Choose the o&tion

-Co'p,ete co'pare0

Choose the o&tion

-Co'p,ete co'pare0


29/79

Create Role Step 14

&en the !ser to

%ho" the ro'e ha+e to

assi(n

&en the !ser to

%ho" the ro'e ha+e to

assi(n


30/79

Create Role Step 15

Assi(ned &roi'e

a&&eared on the !ser

Proi'e 'ist

Assi(ned &roi'e

a&&eared on the !ser

Proi'e 'ist


31/79


32/79

Create Role Step 17

Choose one ro'e ro"

-Be!ore create or sap

e!ine ro,e0

Choose one ro'e ro"

-Be!ore create or sap

e!ine ro,e0


33/79

Create Role Step 18

Choose the

o&tions ro"

the 'ist

Choose the

o&tions ro"

the 'ist


34/79

Create Role Step 19

1#Chosen "en!

Co"es to the

ro'e "en!

1#Chosen "en!

Co"es to the

ro'e "en!

.# /o% choose

-ro' Area "enu0

.# /o% choose

-ro' Area "enu0

gain create role from area menu using "CB

C l S 20


35/79

Create Role Step 20

Choose one PC14Choose one PC14


36/79

Create Role Step 21

Choose the o&tion-Pa)ro''5Choose the o&tion-Pa)ro''5


37/79

Create Role Step 22

Chosen o&tion

-Pa)ro''5 %i'' co"e

Chosen o&tion

-Pa)ro''5 %i'' co"e

$o per!or' the step 5


38/79

CREATE R-E USI$2 SPR 6Step 1

Choose2T

Pro7ect

"anage'ent

Choose2T Pro7ect

"anage'ent

Use Transaction Coe SPR to create a ne pro7ect


39/79

CREATE R-E USI$2 SPR 6Step

A,, create pro7ect i,, sho 8

ChooseTo create ne pro7ect

ChooseTo create ne pro7ect

Choose

2i%e ne na'e

Choose2i%e ne na'e


40/79


Enter the +ATE

here

Enter the +ATE

here


41/79


S&eci) the scope o

the &roect

S&eci) the scope o

the &roect

Se'ect the "od!'es

%hich are re!ired

Se'ect the "od!'es

%hich are re!ired

Choose the $!ttonChoose the $!tton


42/79


1# Se'ect the o&tion4enerate Proect I741# Se'ect the o&tion4enerate Proect I74

.# Choose this o&tion.# Choose this o&tion8#Proect creation start

in $ac9(ro!nd#

8#Proect creation start

in $ac9(ro!nd#


43/79

CREATE R-E USI$2 SPR 6Step :

ProectPR;


44/79

CREATE R-E USI$2 SPR 6Step =

Use the transaction code P:C4 to assi(n the

a!thori3ations re'ated to a &artic!'ar &roect#

Choose create o&tion

or ne% ro'e

Choose create o&tion

or ne% ro'e


45/79


1#Choose the na+i(ation

Uti,ities Custo'izing Auth

1#Choose the na+i(ation

Uti,ities Custo'izing Auth

.# This screen %i'' a&&ear .# This screen %i'' a&&ear

8# Choose >A08# Choose >A0

;# This screen a&&ears

Choose -I"2 PR;ECT0

;# This screen a&&ears

Choose -I"2 PR;ECT0


46/79

CREATE R-E USI$2 SPR 6Step ?

Choose one &roect ro" the 'ist

e#(# PR;


47/79

CREATE R-E USI$2 SPR 6Step 1#

A'' transaction code re'ated to

the &roect PR;


48/79

Use the transaction coe SU93(1)One user ,tring to Work on transation o!e "#08 $%ut &e isnot aut&ori'e! to !oing t&at (o) $

This "essa(e %i''

co"e, I the !ser ha+e

no a!thori3ation or the

TC

This "essa(e %i''

co"e, I the !ser ha+e

no a!thori3ation or theTC


49/79


50/79

Authorization structure(1)

User 7aster

Record

User 7aster

Record

Co"&osite

Proi'e

Co"&osite

Proi'eA!thori3ation

Proi'e

A!thori3ation

Proi'e

A!thori3ation

$ect

A!thori3ation

$ectA!thori3ationsA!thori3ations

A!thori3ation

:ie'ds

A!thori3ation

:ie'ds

Proi'e>

Co"&osite

Proi'e

Proi'e>

Co"&osite

Proi'e

A h i i (1)


51/79

Authorization(1)

Authori@ation system of sap R/3 system is the %eneral term which%roups all the technical ) mana%ement elements for %rantin% accesspri(ile%es to users to enforce the R/3 system security.

!y enterin% some authori@ation profile to a user, mainly administrator%i(e to user some access on sap particular sap ob9ect.

Authori@ation profile are %roup of authori@ations .Instead of %i(in%each authori@ation to a user ,administrator %i(es authori@ation profile to

a user.

Authori@ation profiles can be simple or composite .composite profilescontain other profiles.

Authori@ation profile uses an acti(ation method.hen authori@ation orprofiles are created or modified ,they must be acti(ated to becomeeffecti(e.

"rofiles are assi%ned to users in the user master record.

A th i ti ()


52/79

Authorization()

1he Authori@ations determine which acti(ities a user can perform .

1he system administrator cannot decide which business authori@ation

user needs because it is up to the user department to decide the ind ofpermissions the user should be %i(en to carry out his business tass.1heuser department decide which authori@ation need the user.1he systemadministrator assi%ns that authori@ation to the user as per the userdepartment reuest.

0ach authori@ation is based on authori@ation ob9ect.

Authori@ation ob9ect consists of authori@ation fields and possible(alues.

!ecause of the (astness of the R/3 system and its functional ran%e,the

authori@ation ob9ects are further di(ided into areas called as Ob9ectclass.

An Authori@ation allows to carry out an R/3 tas based on a set of field(alues in an authori@ation ob9ect

Authori@ations allow to determine the number of specific (alues or(alue ran%es for a field.

AC11 is an authori@ation field which present almost all authori@ationob9ect

A ti iti " i


53/79

Acti%ities @ "eaning01 : Create or Generate 42 : Convert to DB02 : Change 43 : Release03 : Display 50 : Move05 : Lock 51 : MM : nitiali!e pe0" : Delete 5# : Distri$%te0& : 'ctivate( Generate "0 : )port0* : Display change +oc%)ents "4 : Generate11 : Change n%)$er range stat%s "5 : Reorgani!e13 : nitiali!e n%)$er levels &0 : '+)inister1" : ,-ec%te &1 : 'naly!e

1& : Maintain n%)$er range o$.ect &5 : Re)ove21 : /ransport &* : 'ssign22 : ,nter( ncl%+e( 'ssign #0 : Copy23 : Maintain '" : Rea+ ith lter24 : 'rchive '& : rite ith lter33 : Rea+ '* : rocess )ass +ata34 : rite DL : Donloa+3" : ,-ten+e+ )aintenance L : ploa+3& : 'ccept 0 : 'ccept CCM CM+ata40 : Create in DB 1 : ,+it CCM CM +ata41 : Delete in DB 2 : Maintain CCM CM)etho+s

12 : Maintain 6 generate change +oc%)ents "* : Mo+el # all possible (alues

A th i ti (3)


54/79

Authorization(3)

e can assi%n authori@ation (alues to these fields .1he (alues of thefield decide what data would access by the user to whom this ob9ectassi%ned.

IE-+ A-UEIE-+ A-UE

Customer type5CUS11?"06 #

Acti(ity5AC116 &=

# all possible (alues , &= display only

A th i ti !i, (1)


55/79

Authorization pro!i,e(1)

An authori@ation profile consists %roup of authori@ation ob9ect .I.e a%roup of access pri(ile%es.

User authori@ations are not directly assi%ned to the user masterrecords.Instead these authori@ations are assi%ned as authori@ationprofiles.

Chan%in% the contents of the authori@ations inside a profile affects allusers that are %i(en that profile when this is acti(ated.

A users authori@ations are loaded into the user buffer only when they

lo%on.Chan%es affect all users to whom this profile is assi%ned and taeeffect only when the user lo%s on.

8umber of profiles %enerated depends on the number ofauthori@ations in each acti(ity %roup .

A ma7imum 'D& authori@ations fit into a profile .If there are more than

'D& authori@ations,an additional profile is %enerated.

Authori@ation profiles be%innin% with a 1 ,lie 1-S-80'.hen morethan profile created then the name will be 1-S-80'4' ,1-S-80'4=

C it !i, (1)


56/79

Co'posite pro!i,e(1)

Composite profiles are sets of authori@ation profiles both simple )composite.

A composite profile can contain an unlimited number of profiles.

Composite profiles are suitable for users who ha(e differentresponsibilities or 9ob tass in the system

ain% modification to any of the profiles in the list of compositeprofiles directly affects the access pri(ile%es of all users ha(in% thatcomposite profile in the user master record.

A th i ti .7 t !i ,(1)


57/79

Authorization .7ect !ie,(1)

authorization fields represent values for individual system elements which are

supposed to undergo authorization checking to verify a user's authorization.

The activity field in an authorization object defines the possible actions which could

be performed over a particular application object.

An authorization field can be for example a user group, a company code,a

purchasing group , a development class or an application area or an activity.

or example activity !" always #isplay . $f an authorization contains two fields such

as %&(A)* %+ A%T-T, again values in company code is values in A%T-T

is !" ,then a user containing this authorization can only display all company codes.

)ot all authorization objects have the A%T-T authorization field.

Authorization .7ect(1)


58/79

Authorization .7ect(1)An authori@ation ob9ect can contain a ma7imum of '& authori@ationfields.

Users are permitted to perform a system function only after passin% thetest for e(ery field in the authori@ation ob9ect.

Authori@ation ob9ects are %rouped in ob9ect classes belon%in% todifferent application areas which are used to limit the search forob9ects,thus main% it faster to na(i%ate amon% the many R/3 systemob9ects.

SA" predefined authori@ation ob9ects should not be modified ordeleted,e7cept if instructed by the SA" support personnel.

$eletin% or chan%in% standard authori@ation ob9ects can cause se(ereerrors in the pro%rams that chec those ob9ects.

or e7ample ,

40 stands for the ob9ect class aterials ana%ement-"urchasin%

1here is an authori@ation ob9ect 4!0S140EB for die orderin% .

4!0S140EB ob9ect consists of = authori@ation fields

'. AC11 to define user acti(ity with (alues +&=+ ,+&3+

=. 0EBR to define purchasin% %roup with (alues *7y@+ ,+abc+ .

If act(t ha(e (alues &= for chan%e ,&3 for display and, user can maintainonly purchasin% %roup *7y@+ ,+abc+ can not create new purchasin% %roup.

I$+ USERS B A++RESS +ATA


59/79

I$+ USERS B A++RESS +ATAUse Transaction coe S


60/79

g g

Use Transaction coe S"3# "aintain Ta.,e USR4#

here >*0 su.stitutes a group o! characters & >0 a sing,e character 8

To a%oi the use o! passors hich start ith si'i,ar ors 8

User can not !se these strin(

as a &ass%ord

User can not !se these strin(

as a &ass%ord

Ro,e assigne to hich Users(1)


61/79


Use Transaction coe? SE35 Progra' @RSUSR#=#$a%igation Path

Too,s A'inistration User "aintenance In!or'ation Sste'

Ro,es B Ro,e $a'e

Ro,e assigne to hich Users()


62/79

Ro,e assigne to hich Users()

Ater Enterin( the Ro'e %e (et the o''o%in( screen

We (et USER ASSI2$"E$T , PRI-E ASSI2$"E$TD TRA$SACTI$ C+E

'ist %hich assi(ned to the Ro,e#



63/79


-ist o! users hich assigne to the Particu,ar Ro,e



64/79


-ist o! Pro!i,es assigne to the particu,ar Ro,e



65/79


-ist o! Transaction coes assigne to the particu,ar Ro,e

"aintaining the .7ect C,ass


66/79

"aintaining the .7ect C,assUsing t&e transation o!e SU03 User an -aintain t&e

o)(et lass

A%ai,a.,e authorizations o! the ,ogon user(1)


67/79

A%ai,a.,e authorizations o! the ,ogon user(1)Using t&e transation o!e SU56 *e get t&e .aut&ori'ation/ .aut&ori'ation o)(et/ assigne! to a user$

Do!$'e C'ic9 on the

Authorization o.7ect

to (et the detai's #

Do!$'e C'ic9 on the

Authorization o.7ect

to (et the detai's #

A%ai,a.,e authorizations o! the ,ogon user()


68/79

g ( )

Do!$'e C'ic9 on the

-per'itte %a,ues0 to

(et the detai's #

Do!$'e C'ic9 on the

-per'itte %a,ues0 to

(et the detai's #

Authorization !ie,s

corres&ondin( to the

A!thori3ation $ect#

Authorization !ie,s

corres&ondin( to theA!thori3ation $ect#



69/79


Do!$'e C'ic9 on the

Authorizations to (et

the detai's #

Do!$'e C'ic9 on the

Authorizations to (et

the detai's #

To get the etai,s o! an Authorization .7ect(1)


70/79


Use Transaction Code SE35 then Use &ro(ra" ? RSUSR#4#

Consider an A!thori3ation o$ect S


71/79

To get the etai,s o! an Authorization .7ect()

Authorization .7ect

& corres&ondin(

.7ect C,ass#

Authorization .7ect

& corres&ondin(

.7ect C,ass#


72/79



73/79


Use Transaction Code SU#3

+ou.,e c,ic on o.7ectc,ass BC


74/79

o get t e eta s o a ut o at o .7ect( )

Use Transaction Code SU#3

I'portant Authorization pro!i,es


75/79

p p

SA"4A>> All authori@ation in R/3 system

SA"480 1o create new ob9ects

S4A.CUS1OIF Customi@in% 5for all system settin% acti(ity6

S4A.$00>O" $e(elopers with all authori@ations to wor in A!A" !.

S4A.S2O !asis G$isplay authori@ation only

S4A.US0R System Administrator

S4A!A"4A>> All authori@ations for A!A"

S4A$I4S"O4A spool Gall administration authori@ation

S4A$I4S"O4$ spool Gde(ice administration

S4A$I4S"O40 spool Ge7tended administration

S4A$I4S"O4H spool G9ob administration for all clients

S4A$I4S"O41 spool G$e(ice type administration

S"E I"PRTA$T TAB-ES


76/79

USR01 Contains t&e runti-e !ata o t&e user -aster

reor!s

USR02 &e ta)le ontaining logon inor-ation su& as t&e

pass*or!

USR03 "nlu!es t&e users a!!ress inor-ation

USR04 Contains users aut&ori'ations

USR05 "t is t&e users para-eter " ta)le

USR09 Contains user -enus

USR10 "t is t&e ta)le or user aut&ori'ation pro+les

USR11 Contains t&e !esriptie tets or pro+les

USR12 "t t&e user -aster aut&ori'ation alues ta)le

USR13 Contains t&e !esriptie s&ort tets or

aut&ori'ations

USR14 Contains t&e logon language ersions per user

USR30 "nlu!es a!!itional inor-ation or user -enus

TB; Authorization o.7ects ta.,e containing the authorization !ie,s !or each8

C Contains t&e list o stan!ar! atiities in t&e sste-$

TACTF

Is the ta.,e hich e!ines the re,ationship .eteen the authorization

o.7ects an the acti%ities in those o.7ects containing the Acti%it

authorization !ie,8

SC "s t&e transation o!e ta)le *&ere aut&ori'ation

o)(ets an! alues

Create a super user(1)


77/79

p ( )

It is sap recommended do not use sap# ,create one super user .

0SA"4A>> is only profile definin% that user can create one super user )with the authori@ation of creation of a new ob9ect.

0SA"480 is the profile which %i(es the permission to create a newob9ect

Pro!i,e 2enerator


78/79

0"rofile %enerator5"B6 tool helps the authori@ation administrator

create,%enerate ,and assi%n authori@ation profiles.0It is a(ailable from SA" r/3 (ersion 3.'B

0Chec the parameter auth/no4chec4in4some4cases ? usin% the 1CRF'' ,settin% before usin% first time profile %enerator .

Centra, User A'inistration


79/79

" a sste- group onsists o !ierent R3 sste-s *it&-ultiple lient t&en t&eSa-e users an )e reate! seeral ti-es in eer lient an!

assigne! to atiitgroups $Central User !-inistration is !esigne! to arr outt&ese tasks in a entral sste- !istri)ute t&e !ata to allsste-s in t&e sste- group $

erdci user authorization

Documents