
ABAP user relationships

- Client: contains the users. A user can belong to a user group (SUGR); the group manages its users.
- User types: Dialog, System (formerly called "Background"), Communication, Service, Reference. An administrator is a dialog user.
- User : Composite role = M:N. Composite role : Single role = 1:n.
- Single role : Transactions = 1:n (Menu tab).
- Role : Authorization profile = 1:n; the notes say this applies only when using SAP predefined profiles (a generated role normally has one profile).
- Authorization profile : Object class = 1:n. Object class : Authorization object = 1:n.
- Authorization object : Authorization field = 1:10 (an authorization object holds at most ten fields).

Key transactions:
PFCG  Role maintenance
SUGR  User group maintenance
SU01  User maintenance
SU10  User mass maintenance
SUIM  User information system
SPRO  Implementation Guide
SE93  Transaction maintenance (copy or create a transaction code)
SU24  Authorization default (check indicator) maintenance
SU25  Upgrade tool for the profile generator
PFUD  User master comparison
SUPC  Mass generation of profiles

SAP user creation

1) User creation (SU01).
2) Role creation (PFCG).
3) Assign transactions (Menu tab).
4) Change authorization data (Authorizations tab): the profile name is generated automatically; set the organizational values; set the authorization values; generate the profile. SU24 can be used to preset which authorization objects are checked and which default field values are proposed; in the author's experience it is not used much at customer sites.
5) Assign user(s) (User tab).
6) User comparison.

Sources for authorization values: the field's choice list (F4), SPRO, F1 help, SU03, help.sap.com, sdn.sap.com, service.sap.com, web search, and the business user.

Related transactions: SU01 user creation; PFCG role creation; SU03 manual authorization maintenance (legacy, superseded by PFCG).

Typical user creation at a customer location

Same flow as above, with these differences:
- Role creation (PFCG): copy the SAP-delivered SAP_* role to a Z or Y role and edit the copy rather than changing the original.
- SU24: can preset which authorization objects are checked and their default field values; not used much at customer sites.
- SUPC: mass (re)generation of authorization profiles for many roles at once, e.g., after SU25 or a transport.

Authorization using the HR organization structure (indirect assignment)

1) Role creation (PFCG): copy the SAP-delivered SAP_* role to a Z/Y role and edit the copy. On the Authorizations tab the profile name is generated automatically; change authorization data; set organizational values; set authorization values; generate.
2) On the User tab, click "Org. Management". To see this button, make the corresponding PFCG setting (Utilities > Settings) before you start.
3) Click "Create assignment" and select the organizational object to assign the role to (e.g., position or job). This is an indirect assignment.
4) User comparison. Every user holding the selected position or job in HR then receives the role.

Useful transactions: SU01 user creation; PFCG role creation; SU03 manual authorization maintenance (legacy, superseded by PFCG); SU24 authorization default maintenance; SUPC mass generation of authorization profiles; SU53 display the last failed authorization check; ST01 system trace (authorization checks).

PFCG: assigning users by reference through Organizational Management

Whether an indirect assignment reaches an SAP user depends on three things being in place:

- Position exists, person assigned to the position, but no infotype 0105 subtype 0001 record: no SAP user ID can be derived.
- Position exists, person assigned, 0105/0001 maintained (PA30), but the named user does not exist in SU01: no SAP user ID can be derived.
- Position exists, person assigned, 0105/0001 maintained (PA30), and the user exists (SU01): the role is assigned to that user at the next user comparison.
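The resolution chain above (position, holder, infotype 0105/0001, SU01 user) and the user comparison that follows it, as an added Python model for illustration. This is not SAP code; the persons, positions, role and user names are constructed, and the three persons reproduce the three cases just listed.

```python
"""Model of how PFCG resolves an indirect (Organizational Management) role
assignment to SAP users, and what the user comparison (PFUD) then changes.

Added example, not SAP code. Keys follow the page (S position, P person); the
chain is position -> holder -> infotype 0105 subtype 0001 -> SU01 user. All
persons, positions, roles and user names are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Person:
    pernr: str
    position: Optional[str]            # position the person holds
    it0105_0001: Optional[str] = None  # system user name maintained in PA30, IT0105/0001


# Constructed SU01 user master (which user IDs exist at all)
SU01_USERS = {"JSMITH", "NCERTO"}

# Constructed PFCG indirect assignments: role -> org objects it is assigned to
INDIRECT = {"Z_HR_ADMIN": {"S1001", "S1002", "S1003"}}

PERSONS = [
    Person("00000010", "S1001"),                        # case 1: no IT0105/0001
    Person("00000011", "S1002", it0105_0001="GHOST"),   # case 2: 0105 names a user SU01 lacks
    Person("00000012", "S1003", it0105_0001="JSMITH"),  # case 3: fully resolvable
]


def resolve_user(person, su01_users):
    """Return (user_id, reason); reason is 'ok' only when a user can be reached."""
    if not person.position:
        return None, "no position"
    if not person.it0105_0001:
        return None, "no IT0105/0001"
    if person.it0105_0001 not in su01_users:
        return None, "user missing in SU01"
    return person.it0105_0001, "ok"


def target_assignments(persons, indirect, su01_users):
    """User -> roles derived from the positions they currently hold."""
    target = {}
    for p in persons:
        user, reason = resolve_user(p, su01_users)
        if reason != "ok":
            continue                     # cases 1 and 2 never reach a user
        for role, objects in indirect.items():
            if p.position in objects:
                target.setdefault(user, set()).add(role)
    return target


def user_comparison(current, target):
    """PFUD-style diff: user -> (roles to add, roles to remove)."""
    changes = {}
    for user in set(current) | set(target):
        add = target.get(user, set()) - current.get(user, set())
        remove = current.get(user, set()) - target.get(user, set())
        if add or remove:
            changes[user] = (add, remove)
    return changes


def demo():
    """Resolve the three cases, then move person 00000012 to a position without the role."""
    reasons = {p.pernr: resolve_user(p, SU01_USERS)[1] for p in PERSONS}
    before = target_assignments(PERSONS, INDIRECT, SU01_USERS)
    moved = [Person(p.pernr, "S2000" if p.pernr == "00000012" else p.position, p.it0105_0001)
             for p in PERSONS]
    after = target_assignments(moved, INDIRECT, SU01_USERS)
    # The comparison is what actually removes Z_HR_ADMIN from JSMITH after the HR change.
    return reasons, before, user_comparison(before, after)


if __name__ == "__main__":
    print(demo())
```

The point of the `demo()` step is the one that bites in practice: an HR move changes the position holder, but nothing changes in the user master until a user comparison (PFUD or the PFCG button) runs, so schedule it.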

SU24 restrictions: the check indicator of HR and Basis authorization objects cannot be set to "do not check" in SU24, but their proposed field values can be changed. The same authorization object cannot be added twice in SU24; to get a second instance, add it manually in PFCG. Example from the notes: attempting to set S_TRANSL to "do not check" for PA30 in SU24.

Structural authorization to manage persons' infotypes

Transaction sequence: OOAC -> OOAW -> OOSP -> OOSB.

1) Review the organizational structure (PPOME) and look up the person's SAP user ID (infotype 0105 subtype 0001, PA30).
2) Create 0105/0001 if it does not exist (PA30).
3) Create or validate the SAP user named in 0105/0001 (SU01).
4) Create a role for the user containing PA30 and SU53 (PFCG).
5) Run PA30 with an ST01 trace switched on and note the authorization objects that are checked.
6) Maintain the required authorization objects in the new role (PFCG).
7) Assign the user by assigning the role to the user's organizational unit (indirect assignment) and run the user comparison.
8) Log in as the new user and test PA30.
9) Run SU53, add the missing authorization, rerun PA30 and SU53, until no authorization errors remain. A field shown as <Dummy> in SU53 means no specific value was checked, i.e. it is equivalent to "*".
10) Set the structural authorization check (main switch AUTSW ORGPD) to 1 in OOAC.
11) Review the evaluation paths (OOAW).
12) Create the structural authorization profile (OOSP).
13) Assign the user to the structural profile (OOSB).
14) Exclude the user from changing their own HR data with authorization object P_PERNR (PSIGN = E for the relevant infotypes). The user should not hold any other P_PERNR authorization than this one.

See also the SAP Library on structural authorizations.

Structural authorization, additional info: PPOME

(Screenshots: PPOME with the object ID column switched on so that IDs are displayed; OOAC showing the main switch and its help text listing the possible combinations, evaluate / never evaluate. The help text itself did not survive extraction.)

Structural authorization, additional info: OOSP, OOSB

OOSP (table T77PR), one row per profile entry:
- The evaluation path is defined in OOAW.
- Depth: in the author's testing, a depth of 3 covered only the department's own employees, and the number did not correspond one-to-one to org levels; this still needs to be understood better. Sign: with +, the depth applies to objects below the root object; with -, above it. Default is +.
- Sequence number: a profile can have more than one row.
- Object type determines what is entered in Object ID (e.g., O means an org unit ID).
- Status codes: 1 active, 2 planned, 3 submitted, 4 approved, 5 rejected.
- Period: D key date, M current month, Y current year, P past, F future.
- Additional filtering of the result set can be done by a custom ABAP function module named in the Function Module column (the standard example is RH_GET_MANAGER_ASSIGNMENT).
- Make sure the start and end dates are as required.

OOSB (table T77UA):
- Flag "Excluded" (excluded structural profiles). Not set: user NCERTO can view org unit 50004515 and 3 levels below it; the list shown when the "i" (information) button is pressed is what PA30 lets NCERTO select, personnel not assigned to any org unit are added to it, and NCERTO's own record is included. Set: that same list is excluded in PA30 instead, personnel not assigned to any org unit are still shown, and NCERTO's own record is included.
- Clicking "i" should produce a small, finite list. If the authorization profile column shows ALL, the user has no infotype 0105/0001, or the SAP user has not been created (SU01), so the default entry applies.

Structural authorization, additional info: PA30 and SU53

When the authorization check for PA30 fails, SU53 should show a green tick for the general authorization checks; the HR structural check can still show a failure, reflecting the persons excluded by the structural authorization defined in OOSP and OOSB (the exclude flag).

The key transactions and programs to keep handy when working with structural profiles:
- OOAC: activate structural authorization checks (configuration, transportable).
- OOSP: create structural profiles (also transportable).
- OOAW: create evaluation paths, which are used by structural profiles.
- PO13: position maintenance, where profiles are assigned to positions (done in each system).
- RHPROFL0 (report, not a transaction): evaluates all profile-to-position assignments, the holders of those positions and the user names associated with those holders, ultimately assigning profiles to users; it can also create new users in batch.
- OOSB: checks which users have which profiles (not recommended as a way of assigning them directly).
- OOVK: creates relationships, which are used in evaluation paths.
- RHBAUS02 and RHBAUS00: create indexes for users with large structural authorizations, for performance reasons.
- RHSTRU00: display structures via evaluation path, for testing and development.

Transaction OOSP, Definition of Authorization Profiles (table T77PR): create the structural authorizations that are then assigned to the administrator users in OOSB. Transaction OOSB, Assignment of Profile to Users (table T77UA): assign the profiles from OOSP to the administrator users. See the SAP Library sections "Definition of Structural Authorizations" and "Assignment of Structural Authorizations".

Structural authorization: filters in the process

Starting set: the master list of all personnel in the client.

Filter 1 (OOAC, OOAW, OOSP, OOSB): the structural profile reduces the master list to the set returned by the evaluation path (the "A list", shown when "i" is clicked in OOSB).

Filter 2 (exclude check box in OOSB):
- not checked: the A list is included (the user sees exactly it);
- checked: the A list is excluded (the user sees the rest).
Default addition in both cases: all personnel not associated with any org unit are added.

Filter 3 (authorization object P_PERNR, field PSIGN; the notes mark this step as not fully verified):
- I: the PA30 user's own record is included;
- E: the PA30 user's own record is excluded.
Whether the remaining records can be edited is governed by the maintenance flag checked in OOSP.
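The three filters as an added Python model, written for this page and not SAP code. It uses the page's example (user NCERTO, org unit 50004515, depth 3) with a constructed org structure; "depth" is modelled as the number of relationship hops along the evaluation path, which is a simplifying assumption rather than SAP's exact definition, and only the default sign + (below the root) is modelled.

```python
"""Model of the three structural-authorization filters: Filter 1 (OOAC/OOAW/OOSP/OOSB),
Filter 2 (OOSB exclude flag plus the default addition of persons without an OM
assignment), Filter 3 (P_PERNR). Added example, not SAP code; all objects, persons,
profile rows and users are constructed.
"""
from collections import deque
from dataclasses import dataclass

# Constructed OM relationships (source, relationship, target). IDs carry a type
# prefix: O org unit, S position, P person. P900 has no OM assignment at all.
RELATIONS = [
    ("O50004515", "O-S", "S1"), ("S1", "S-P", "P100"),
    ("O50004515", "O-O", "O50004520"),
    ("O50004520", "O-S", "S2"), ("S2", "S-P", "P200"),
    ("O50004520", "O-O", "O50004530"),
    ("O50004530", "O-S", "S3"), ("S3", "S-P", "P300"),
    ("O60000000", "O-S", "S4"), ("S4", "S-P", "P400"),
]
ALL_PERSONS = {"P100", "P200", "P300", "P400", "P900"}
EVAL_PATH = {"O-O", "O-S", "S-P"}          # relationships the OOAW path may follow
IT0105_0001 = {"NCERTO": "P100"}           # user -> own personnel number (PA30)


@dataclass
class ProfileRow:                          # one T77PR row maintained in OOSP
    root: str
    depth: int = 0                         # 0 = unlimited (assumption: depth = hops)
    sign: str = "+"                        # only downward (+) evaluation is modelled


PROFILES = {"ZHR_DEPT": [ProfileRow("O50004515", depth=3)]}
T77UA = {"NCERTO": ("ZHR_DEPT", False)}    # user -> (profile, exclude flag), OOSB


def structural_result(row, relations=RELATIONS, eval_path=EVAL_PATH):
    """Filter 1: persons reachable from the root within `depth` hops (the A list)."""
    if row.sign != "+":
        raise NotImplementedError("only + (below the root) is modelled")
    adjacent = {}
    for src, rel, dst in relations:
        if rel in eval_path:
            adjacent.setdefault(src, []).append(dst)
    seen, queue, persons = {row.root}, deque([(row.root, 0)]), set()
    while queue:
        obj, hops = queue.popleft()
        if obj.startswith("P"):
            persons.add(obj)
        if row.depth and hops >= row.depth:
            continue                       # depth reached: do not expand further
        for nxt in adjacent.get(obj, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return persons


def unassigned_persons(all_persons=ALL_PERSONS, relations=RELATIONS):
    """Persons holding no position, i.e. not in the org structure."""
    return all_persons - {dst for _, rel, dst in relations if rel == "S-P"}


def visible_persons(a_list, exclude_flag, all_persons=ALL_PERSONS, relations=RELATIONS):
    """Filter 2: apply the OOSB exclude flag, then the default addition."""
    base = (all_persons - a_list) if exclude_flag else set(a_list)
    return base | unassigned_persons(all_persons, relations)


def apply_p_pernr(visible, own_pernr, psign):
    """Filter 3: PSIGN E removes the user's own record; I keeps it if structurally visible."""
    if psign not in ("I", "E"):
        raise ValueError("PSIGN must be I or E")
    return visible - {own_pernr} if psign == "E" else set(visible)


def pa30_selectable(user, psign="E"):
    """Records the user can pick in PA30 after all three filters."""
    profile, exclude = T77UA[user]
    a_list = set().union(*(structural_result(r) for r in PROFILES[profile]))
    return apply_p_pernr(visible_persons(a_list, exclude), IT0105_0001[user], psign)


if __name__ == "__main__":
    print(sorted(structural_result(ProfileRow("O50004515", depth=3))))  # depth 3 stops before P300
    print(sorted(structural_result(ProfileRow("O50004515"))))           # unlimited depth reaches P300
    print(sorted(pa30_selectable("NCERTO")))
```

Two things the model makes visible that the screenshots do not: the default addition means a profile never hides persons who are missing from the org structure, whichever way the exclude flag is set, and the P_PERNR exclusion is the only filter that keeps the administrator away from their own record.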

HR entity relations

Enterprise structure (the diagram's entities, with the cardinalities that can be recovered):
- Client 1:n Company Code; a Company has n Company Codes.
- Company Code relates to Functional Areas, Work Centers, Profit Centers, Credit Control Area, Cost Centers, Line of Business / Org. Key, Business Area.
- Company Code 1:n Personnel Area; Personnel Area 1:n Personnel Sub-Area.
- Employee Group 1:n Employee Sub-Group.

Organizational Management:
- Organizational Unit contains Positions.
- Position (e.g., "VP of ...") is a Job (e.g., "VP"); n positions describe one job.
- Person / Employee holds a Position and does the Job it describes.
- Person has Infotypes (e.g., 0105 Communication), each with Subtypes (0001 = system user name).

Object type keys: O org unit, C job, S position, K cost center, P person.

Transactions: SPRO Implementation Guide; PA30 Maintain HR master data; PPOME Change organization and staffing.

(A second diagram, "Position, another perspective", did not survive extraction.)

Super user creation: user creation (SU01).

Out-of-the-box clients and users

Client     User        Description
000, 001   SAP*        Used during installation. Its password is not "pass" afterwards, but if the SAP* user master record is deleted, you can log on again as SAP* with password "pass". To deactivate the special properties of SAP*, set the profile parameter login/no_automatic_user_sapstar to a value greater than zero; SAP* then has no special default properties, and if there is no SAP* user master record, SAP* cannot be used to log on.
000, 001   DDIC        Maintainer of the data dictionary and software logistics. Do not delete. Manage the password.
066        EARLYWATCH  Used for EarlyWatch functions (performance and monitoring). Do not delete. Manage the password.

ABAP user types

Type               Purpose
Dialog (A)         Individual, interactive system access.
System (B)         Background processing and communication within a system (such as RFC users for ALE, Workflow, TMS, and CUA).
Communication (C)  Dialog-free communication for external RFC calls.
Service (S)        Dialog user available to a larger, anonymous group of users.
Reference (L)      General, non-person-related user that allows the assignment of additional identical authorizations, such as for Internet users created with transaction SU01. No logon is possible.

http://help.sap.com/saphelp_nw04/helpdata/EN/52/67119e439b11d1896f0000e8322d00/frameset.htm

Central User Administration

Central system: the Central User Administration (CUA) system. With active CUA you can only create or delete child-system users in the central system. You can change users that already exist in a child system if the distribution settings for the data (transaction SCUM) allow it.

Child system: receives its user data from the central system over ALE (Application Link Enabling).

ALE and IDocs: the IDoc interface exchanges business data with an external system; it consists of the definition of a data structure plus the processing logic for that structure. ALE is a technology for creating and running distributed applications. The IDoc interface is needed for electronic data interchange (EDI), for connecting other business application systems (e.g., PC applications, external workflow tools) by IDoc, and for ALE.

User Management Engine (UME): user management for the Java stack.

SAP solutions (as listed in the notes): SAP ERP (Accounting: Financial Accounting, Controlling; Logistics; HR); CRM; SCM; SRM; PLM; Industry Solutions (IS): SAP for Banking, SAP for Retail, SAP for Automotive, SAP for Chemicals, SAP for Healthcare; BI/BW; Solution Manager (IT management).

PA30: creating infotype 0105, subtype 0001 (system user name)

(Screenshot callouts: the field holding the user ID; a warning message that can be ignored by pressing Enter.)
