Client
Can belong to a group
Group
Manages group of user 1:1
Belong to a
Types of users
User
m n M:N
Administrator (A User)
Composite Roles
Single Role
1:1
1:n
Transactions
1:n This applies only when using SAP predefined profiles
PFCG - Role
SUGR - User Group
SU01 - User
SU10 - User Mass Maintenance
SUIM - User Information System
SPRO - Implementation Guide
SE93 - Copy transaction, create transaction
SU24 - Authorization maintenance
SU25
PFUD - User Master comparison
SUPC - Mass generation of profiles
Authorization profile
1:n
Object Class
1:n
Auth. object
1:10
Auth. field
Assign Transaction (Menu tab)
Auto gen Auth. Profile name (Auth tab)
Set Org. Values
SU24 - Can be used to preset which auth objects should be checked and what values go in the default auth object field values. Not used much in client locations.
Set Auth values
Generate
Auth Values by
1) 2) 3) 4) 5)
SU01 - User creation
PFCG - Role creation
SU03 - Maintain Auth profiles, said to be replaced by PFCG
User Comparison
6) 7)
Choice list Spro F1 SU03 Help.sap.com, sdn.sap.com, service.sap.com Google Business User
Change Auth Data
SU24 - Can be used to preset which auth objects should be checked and what values go in the default auth object field values. Not used much in client locations.
SUPC - For mass generation of authorization profiles. This was used in older versions predating PFCG.
Generate
Set Org. Values
Set Auth values
Click on create assignment
Generate
Select Org. level entity (e.g. position, job)
SU01 - User creation
PFCG - Role creation
SU03 - Maintain Auth profiles, said to be replaced by PFCG
SU24 - Authorization management
SUPC - Mass generation of authorization profile
SU53 - The last authorization error
ST01 - Trace authorization check
Click on indirect assignment
The user assigned to the position/job in HR will be assigned the current role.
User comparison.
Disabling the auth check for HR & Basis transactions is not allowed when using SU24, but changing auth field values is allowed. Duplicate Auth Objects cannot be added. To do this, PFCG manual entry has to be used.
(PA30)
Run PA30 with ST01 trace on and check for required authorization objects
Set the required Auth Objects using PFCG in the new profile
Run SU53, apply the required authorization, run PA30, then SU53 again. Repeat until no auth errors occur.
<Dummy> in SU53 = *
Should not have any other P_PERNR other than the one above
O
OOAC If you w main sw combina are poss Evaluate Evaluate Never ev Never ev
Depth of 3 covers only the department employees. Need to understand this better. The number given does not correspond to Org. Levels, in testing.
Sign: if +, the depth value applies below the object. If the sign is -, it applies above. Default is +.
OOSP
Sequence number. Can have more than one row for the Auth profile.
Periods are:
D - Key date
M - Current month
Y - Current year
P - Past
F - Future
OOSP
Make sure the start date and end date are as required
OOSB
Flag for Excluded Structural Profiles
If not set - NCERTO can view org unit 50004515 and 3 levels lower in the hierarchy. The list shown when I is pressed, and personnel not assigned to any org unit, will be displayed in PA30. NCERTO will be included in the list.
If set - The list shown when I is pressed, and personnel not assigned to any org unit, will be excluded when using PA30. NCERTO will be included.
Clicking on i should bring up a finite/small list. If All is in the auth profile column, the user does not have infotype 105/0001 defined, or the SAP user has not been created (SU01).
The key transactions and programs to keep handy when working with structural profiles are OOAC (activate structural authorization checks -- this is configuration and transportable), OOSP (create structural profiles -- also transportable), OOAW (create evaluation paths, which are used by structural profiles), PO13 (position maintenance, where you assign profiles to positions -- done in each system), RHPROFL0 (report, not tcode -- this evaluates all the profile to position assignments, the holders of those positions, and the usernames associated with those holders, ultimately assigning profiles to the user -- it will also create new users in batch for you), OOSB (checks which users have which profiles -- but not recommended as a way of directly assigning them), OOVK (creates relationships, which are used in evaluation paths), RHBAUS02 and RHBAUS00 (create indexes for users with large structural authorizations, for performance reasons), and RHSTRU00 (display structures via evaluation path, for testing and development purposes).
Transaction OOSP - Definition of Authorization Profiles (Table T77PR): Create the structural authorizations that you then assign to the administrator users in transaction OOSB. See: Definition of Structural Authorizations
Transaction OOSB - Assignment of Profile to Users (T77UA): Assign the authorization profiles from transaction OOSP to the administrator users. See: Assignment of Structural Authorizations
Filter 2
Not checked
checked
A List included
Default addition
A list excluded
???
User of PA 30 excluded
HR Entity relations
n n
Company
n
Company Code
1
Client
m
Profit Centers
Business Area
Personnel Area
n
Organizational Unit
n is a
Legal Person
Sub-Area
Job (VP)
Does
Person / Employee
n
Employee Group
holds
Position (VP of..)
SPRO - Implementation guide
PA30 - Maintain HR Master
PPOME - Change Org. and staffing
Info type
(105 Communication)
n
Employee Sub-Group
Obj. Type - Key
Org. Units - O
Jobs - C
Positions - S
Cost centers - K
Persons - P
Sub-Info type
(0001 - usr id.)
001
Ddic
066
Earlywatch
Purpose
Individual, interactive system access.
Background processing and communication within a system (such as RFC users for ALE, Workflow, TMS, and CUA).
Dialog-free communication for external RFC calls.
Dialog user available to a larger, anonymous group of users.
General, non-person related users that allow the assignment of additional identical authorizations, such as for Internet users created with transaction SU01. No logon is possible.
http://help.sap.com/saphelp_nw04/helpdata/EN/52/67119e439b11d1896f0000e8322d00/frameset.htm
Child system
The IDoc interface exchanges business data with an external system. The IDoc interface consists of the definition of a data structure, along with processing logic for this data structure. Application Link Enabling (ALE) is a technology to create and run distributed applications.
You need the IDoc interface in the following scenarios:
Electronic data exchange (EDI)
Connect other business application systems (e.g. PC applications, external Workflow tools) by IDoc
Application Link Enabling (ALE)
UME
SAP Solutions
SAP ERP
CRM
SCM
SRM
PLM
IS
Accounting
Logistics
HR
Financial accounting
Controlling
BI BW