ADM940 SAP Authorization Concept

Appendix: Development of Authorization Elements

© SAP Región Sur
SAP R/3 Enterprise 4.7 • SAP Web Application Server 6.20

SAP Región Sur
Argentina • Bolivia • Chile • Paraguay • Uruguay



Appendix: Development of Authorization Elements

Appendix Content:
- Authorization Elements Overview
- Authorization Fields
- Authorization Object
- Organization Level for Profile Generator
- Authority Checks
- Authorization Profile
- Access to Individual Tables and Views
- User Administrators
- Glossary

 SAP AG 2003

Development of Authorization Elements

Appendix Content  3
Authorization Elements Overview  5
  Important Authorization Element Relationships  6
Authorization Fields  8
  Authorization Fields: Initial Screen  9
  Authorization Fields: Create  11
Authorization Object  12
  Authorization Object: Authorization Object Class  13
  Authorization Object: Initial Screen of List of Objects  14
  Authorization Object: Create  15
  Authorization Object: Create Documentation Object  16
  Authorization Object: Defining Permitted Activities  17
Organizational Level for Profile Generator  18
  Organization Level Fields  19
  Before Maintain  20
  After Maintain  21
  Maintain: Transactions SUPO_PREPARE and SUPO  22
  Maintain: Program PFCG_ORGFIELD_CREATE  23
Authority Checks  24
  Authority Check: Overview  25
  Authority Check: Assign Objects to Transactions  27
  Authority Check: The ABAP Statement  28
Authorization Profile  30
  Authorization Profiles: Superuser  31
  Authorization Profiles: End Users  33
Access to Individual Tables and Views  35
  Parameter Transaction (using SM30)  36
  Necessary Authorizations to Access  37
  Parameter Transaction (using SE16)  38
  Necessary Authorizations to Access  39
User Administrators  40
  User Groups  41
  Auxiliary User for User Group SUPER  42
Glossary  43

Important Authorization Element Relationships

[Figure: relationships between the authorization elements (direct and indirect relationships) and the transactions used to maintain each of them]
- User: SU01, SU10 (Roles, Profiles); PFCG (User)
- Role: PFCG; SU01, SU10 (Roles); PFCG (Description for Derived Role; Roles for Composite Role)
- Menu / Area Menu: SE43, PFCG (Menu)
- Transaction: SE93; PFCG (Menu); SE43
- View: SE11 (View); PFCG (Menu) and SE93, using a parameter transaction with SE16 or SM30
- ABAP Program / Report: SE38; PFCG (Menu), SE43 and SE93, using a parameter transaction with START_REPORT
- Database Table: SE11 (Database table)
- Authorization Profile: PFCG (Authorization); SU01, SU10 (Profiles)
- Authorization: PFCG (Authorization)
- Organizational Level Field: PFCG_ORGFIELD_CREATE
- Authorization Object: SU21 (List of Objects); PFCG (Authorization, for automatic use of tables USOBX_C and USOBT_C and for manual insertion)
- Authorization Object Class: SU21 (List of object classes)
- Authorization Field: SU20
- Data Element: SE11 (Data type)
- Domain: SE11 (Domain)

- IMPORTANT TRANSACTIONS:
For additional information, see transactions SU*, PF*, SM*.
PFCG Role maintenance [1]
PFUD User Master Data Reconciliation: Schedule PFCG_TIME_DEPENDENCY
RZ10 Maintenance of Profile Parameters
SA38 ABAP Reporting
SE11 ABAP/4 Dictionary Maintenance
SE12 ABAP/4 Dictionary Display
SE13 Technical Settings
SE16 Data Display/Maintenance (Data Browser)
SE38 ABAP Editor
SE43 Maintain Area Menu
SE54 Maintenance View
SE84 R/3 Repository Information System
SE93 Maintain Transaction Codes
SM30 Enhanced Data Display
ST01 System Trace
SU01 User Maintenance
SU01D User Display
SU02 Maintain Authorization Profiles
SU03 Maintain Authorizations
SU10, SU12 User Mass Maintenance
SU20 Maintain Authorization Fields
SU21 Maintain Authorization Objects
SU53 Display Check Values
SU56 Analyze User Buffer
SUGR Maintain User Groups
SUIM User Information System

[1] In older releases, this description is Profile Generator or Activity Group Maintenance.

- IMPORTANT TABLES:
For additional information, use transaction SE11.
TACT Activities
TACTZ Valid activities for each authorization object
TBRG Authorization groups (for tables and views)
TDDAT Maintenance areas for tables
TPGP ABAP/4 authorization groups
USOBT_C Relation transaction / authorization object (customer)
USOBX_C Check table for table USOBT_C
USR40 Table of illegal passwords

- IMPORTANT REPORTS:
For additional information about the SAP Authorization Concept, use transaction SE38 (see reports RSUSR*, PFCG*).
PFCG_ORGFIELD_CREATE Create Organizational Level Field for Profile Generator
PFCG_TIME_DEPENDENCY User Master Data Reconciliation
RSPARAM Profile Parameter Overview

Authorization Field: Initial Screen

- In authorization objects, authorization fields represent the values to be tested during authorization checks.
- Authorization fields are stored in the cross-client transparent table AUTHX. Because the table is cross-client, an authorization field name must be unique in the whole system.
- To maintain authorization fields, choose Tools → ABAP Workbench → Development → Other Tools → Authorization Objects → Fields, or execute transaction SU20. The initial screen shows:
  • A toolbar with the following buttons for maintaining authorization fields:
    - Create: adds a new authorization field to table AUTHX.
    - Display: displays the data of an existing authorization field.
    - Find: searches for an authorization field in the list Authorization check fields.
    - Change: changes the data of an existing authorization field.
    - Delete: deletes an existing authorization field. You cannot delete an authorization field that is used in an authorization object.
  • The list Authorization check fields: this list displays all authorization fields in the system, always in alphabetical order.

Authorization Field: Create

- To create an authorization field, press the Create button on the previous screen. Then, on the screen above:
  • Enter the name of the field (Field name): field names must be unique. SAP recommends that the name begin with the letter Y or Z.
  • Assign a data element from the ABAP Dictionary to the field (Data element): the data element gives the authorization field a display description and a domain. For this reason, SAP recommends creating a dedicated data element for each new authorization field. After you press Enter, the domain linked to the entered data element is displayed.
  • If desired, enter a check table, value table or search help for the possible entries (field Table Name in the section Maintenance Dialog for Authorization Values). This connection provides the possible field values. Value ranges can also be defined through the domain with which the field is associated.
  • Finally, press the Save button and leave with the Back button.
- On the initial screen, you can locate the new authorization field using the Find button.

Authorization Object: Authorization Object Class

- For documentation purposes, authorization objects are classified into authorization object classes (or simply object classes). Each authorization object must be assigned to an object class when it is created.
- To maintain object classes and authorization objects, choose Tools → ABAP Workbench → Development → Other Tools → Authorization Objects → Objects, or use transaction SU21. The system then displays a list of the existing object classes (see the background screen above).
  • Object classes are organized according to the components of the system. Before you can create a new authorization object, you must define the object class for the component in which you are working. If you do so, select class names that begin with Y or Z to avoid conflicts with SAP names.
  • The authorization class is cross-client.
  • To create a new authorization class, press the Create button. The front window above appears. Here you must define:
    - An authorization class ID (Object class);
    - A description (Text).
  • To save, press the Save button.
  • To display the list of authorization objects of a specific authorization class, select that class on the List of Object Classes screen (or double-click it).

Authorization Object: Initial Screen of List of Objects

- For each authorization class, a list of authorization objects is displayed [2]:
  • To create a new authorization object, press the Create button;
  • To change an existing authorization object, press the Change button;
  • To delete an existing authorization object, press the Delete button;
  • To display the data of an existing authorization object, press the Display button;
  • To see the where-used list of an existing authorization object, press the Where-used list button;
  • To maintain the documentation object of an existing authorization object, press the Documentation button;
  • Moreover, to regenerate the standard profile SAP_ALL, press the Regenerate SAP_ALL button.

[2] In our example (screen above), this list is empty because ZUSR is a new authorization class.

Authorization Object: Create

- CREATING AND CHANGING AUTHORIZATION OBJECTS:
To create an authorization object, press the Create button on the previous screen. A new modal window, Create authorization object, appears. The following information must be entered:
  • Object: this is the authorization object ID (or technical name). An authorization object is cross-client; thus, the name must be unique in the whole system.
  • Text: this is simply a description of the object [3].
  • Authorization fields: here you must specify the fields of the new object. These fields can be created using transaction SU20, or you can use standard authorization fields. Note that when creating authorization objects, the structure of the object must be planned exactly. Changes to the structure are very complicated [4].

[3] In some cases, SAP recommends including the technical name somewhere in this description, because some reports (such as transaction SU02 for manual authorization profile management) only display this description and not the technical name.
[4] If you want to remove fields from the object, the whole authorization object must be deleted and recreated; you can add authorization fields to the object if the object is no longer used. Only then can the corresponding fields accept data.
Authorization Object: Create Documentation Object

- You can create detailed documentation for the authorization object. On the previous screen, press the Create object documentation button and the screen above appears.
  • On this screen you can:
    - Describe where the authorization object is used and its meaning.
    - Describe each authorization field.
    - Describe the permitted values for every authorization field.
    - Document the permitted activities if you are using the authorization field ACTVT.
    - Add a reference to the authorization object in your application documentation.
  • To activate the new documentation, press the Activate button, and then the Back button to exit.

Note: if you want to change the authorization fields of an object, this is only possible after all authorizations that use the object and all calls of the AUTHORITY-CHECK statement for it have been deleted.

Authorization Object: Defining Permitted Activities

- Permitted activities button: if you add the Activity authorization field (ACTVT), the Permitted activities button appears. In this step, you specify which activities are permitted for the ACTVT field in the authorization object. These activities are then offered as possible entries when authorizations are created. To maintain permitted activities, press the Permitted activities button and mark the activities on the new front screen Define Values. In our example, the values "01" (Create or generate), "02" (Change), "03" (Display) and "06" (Delete) are permitted.
- Automatic conversion checkbox: if the authorization object includes a setting permitting automatic conversion, the conversion is executed when authorization data is entered that matches the conversion attributes of the corresponding authorization field. This means that when creating authorizations, a number can be entered directly (for example, instead of "0003" you can just enter "3"). When the authorizations are saved, the number is automatically converted to "0003". This is necessary, as the AUTHORITY-CHECK statement checks the value "0003" [5].
- To save, press the Save button [6].

[5] This property applies to any alphanumeric authorization field, not only to the ACTVT (Activity) authorization field.

[6] In some systems, the modal window Create authorization object may remain in the foreground. Press the Cancel button and the window disappears. However, the new authorization object (ZUSERNAME in our example) is not yet displayed in the List of Objects of the authorization class, because transaction SU21 has no automatic refresh. Restart transaction SU21 and select the ZUSR object class again; now ZUSERNAME appears in the list, as on the screen above.

Organization Level Fields

- The current maintenance status of the authorizations at the various levels is shown by traffic lights:
  • Green: all fields below this level have been supplied with values. Check whether the values given are appropriate.
  • Yellow: below this level, there is at least one field (but not an organizational level) for which no data has been entered.
  • Red: below this level, there is at least one field for which no organizational level has been maintained.
- Sometimes it is necessary to convert common authorization fields into organizational fields, called organizational level fields.

Before Maintain

After Maintain

Maintain: Transactions SUPO_PREPARE and SUPO

Maintain: Program PFCG_ORGFIELD_CREATE

Authority Check: Overview

[Figure: flowchart of the checks executed at system runtime when a transaction is started]
1. Is the transaction code valid? (check of table TSTC) No → ERROR
2. Is the transaction locked by the system administrator? (check of table TSTC) Yes → ERROR
3. Is the user authorized to start the transaction? (authorization object S_TCODE is used here) No → ERROR
4. Is an authorization object assigned to the transaction code? (check of table TSTCA) Yes → Does the user have the necessary authorization? (any authorization object can be used here) No → ERROR; Yes → the R/3 transaction starts
5. In the ABAP program: Does the user have the corresponding authorization? (the ABAP statement AUTHORITY-CHECK is used here with any authorization object) No → Warning; Yes → Continue

- When a transaction is started, a system program executes various checks to ensure the user has the correct authorizations [7]:
  • Is the transaction code valid? The system checks table TSTC: if the answer is negative, the check fails.
  • Is the transaction locked by the system administrator [8]? The system checks table TSTC: if the answer is positive, the check fails.
  • Is the user authorized to start the transaction? The authorization object S_TCODE (Transaction start) contains the field TCD (Transaction code). The user must have an authorization containing a value for the transaction code: if not, the check fails.
  • Is an authorization object assigned to the transaction code? If yes, is the user authorized? If the user has no authorization for the corresponding authorization object, the check fails.

[7] All checks are executed internally with the ABAP statement AUTHORITY-CHECK.
[8] To lock or unlock transactions in the entire system, use transaction SM01.

- If one of the above checks fails, the transaction is not started, and the system displays an error message.
- If none of the above checks fails, the transaction is started, and an ABAP program is usually called by the transaction to make further authorization checks, triggered by the statement AUTHORITY-CHECK. In the program, for each authority check, the programmer can specify the following:
  • The authorization object used and the required values for each authorization field;
  • The reaction of the program if it detects an authorization failure.

Authority Check: Assign Objects to Transactions

- To assign an authorization object to a transaction, use transaction SE93 or choose Tools → ABAP Workbench → Development → Other Tools → Transactions [9]. On the screen above:
  • You must enter the object ID in the Authorization object field.
  • Pressing the Values button opens the modal window Values of Check Object: here you can define a single value for each authorization field [10].
  • To save, press the Save button.

[9] If you are creating a new transaction, enter the transaction name and press the Create button; in the window Create Transaction that appears, enter the required information and press Continue (Enter). Then the window above will appear.
[10] In this example, a user will be authorized to start the transaction ZUSERNAME only if his user master record has an authorization using the object ZUSERNAME with the field USERNAME set to "USERNAME" and the field Activity (ACTVT) equal to "03" (Display).

Authority Check: The ABAP Statement

- To maintain an ABAP program, use transaction SE38 or choose Tools → ABAP Workbench → Development → User interface → ABAP Editor [11].
- On the screen above, the report ZUSERNAME can show two possible messages:
  • "You are not authorized to display your USERNAME": if the user does not have the necessary authorization to display his own username, that is, if he does not have an authorization as demanded by the AUTHORITY-CHECK statement.
  • "Your USERNAME is MASTER": if the user MASTER has an authorization to display his own username.

[11] If you are creating a new ABAP program, enter the program name and press the Create button; in the window ABAP Program attributes that appears, enter the required information and press Save (Enter). Then the window above will appear.

- The statement AUTHORITY-CHECK checks whether a user has the appropriate authorization. To do this, it searches the authorization profiles in the user master record to see whether the user has an authorization for the authorization object specified in the statement.
- If the authorization is found and it contains the correct values, the check is successful [12].

[12] In this program, a user is authorized to display his own username only if his user master record contains an authorization based on the object ZUSERNAME with the field USERNAME set to his own username (that is, the sy-uname value) and the field Activity (ACTVT) equal to "03" (Display).
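The check that the slide's report performs, written out as an added example (this is not the course's own listing, which appears only as a screenshot): it assumes the customer authorization object ZUSERNAME with the fields USERNAME and ACTVT, created in SU21 as on the previous pages.

```abap
REPORT zusername.

" Added example: the user may display his own user name only if his user
" master record holds an authorization for object ZUSERNAME with
" USERNAME = sy-uname (the logon name of the current user) and
" ACTVT = '03' (Display). The field values are compared against the
" authorizations in the user buffer, not against the SE93 start values.
AUTHORITY-CHECK OBJECT 'ZUSERNAME'
         ID 'USERNAME' FIELD sy-uname
         ID 'ACTVT'    FIELD '03'.

IF sy-subrc = 0.
  " Check successful, for user MASTER this prints "Your USERNAME is MASTER".
  WRITE: / 'Your USERNAME is', sy-uname.
ELSE.
  " sy-subrc 4: no authorization with matching values;
  " sy-subrc 12: no authorization for object ZUSERNAME at all.
  " A type E message ends the report without displaying the name.
  MESSAGE 'You are not authorized to display your USERNAME' TYPE 'E'.
ENDIF.
```

A user whose only ZUSERNAME authorization carries the SE93 start value USERNAME = "USERNAME" passes the transaction start check but fails this statement, which is the case behind the slide's first message.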

Authorization Profile: Superuser

- The SAP System contains predefined profiles for superusers:
  • SAP_NEW: you assign this profile to users who are to have access to all currently unprotected components. The SAP_NEW profile assures upward compatibility of authorizations. It ensures that users are not inconvenienced when a release or update introduces new authorization checks for functions that were previously unprotected.
  • SAP_ALL: you assign this profile to users who are to have all SAP authorizations, including superuser authorization. After setting up an authorization object, or after updating your system, you can regenerate profile SAP_ALL so that it again has full authorization for all authorization objects in the entire system.
- If a user only has the SAP_ALL profile, executing transaction ZUSERNAME may produce an error message (such as "Authorization Failed"). This happens because SAP_ALL only has full authorization for each standard authorization object of the system, and not for customer authorization objects such as ZUSERNAME (see the ZUSERNAME transaction on the previous page). To repair this, you must regenerate SAP_ALL.
- To regenerate SAP_ALL, on the initial screen of transaction SU21, or on the List of Objects screen of an object class (as in the screen above), press the button Regenerate SAP_ALL, and then press the Yes button in the next window, Generate SAP_ALL profile.
- After regeneration, a new full authorization for the object ZUSERNAME has been added to the SAP_ALL profile.

Authorization Profile: End Users

- It is not recommended that an end user has a profile like SAP_ALL or SAP_NEW. SAP recommends creating a specific profile for each activity assigned to the user and, to create a new profile, using the Profile Generator. To use this tool, execute transaction PFCG or choose Tools → Administration → User Maintenance → Role Administration → Roles.
- On the screen above [13], the definition of an authorization profile is shown with its two authorizations, each one for a specific authorization object [14]:
  • S_TCODE: this authorization permits any user to start the transaction ZUSERNAME.
  • ZUSERNAME: this authorization can be read as two independent authorizations:
    - With the value "USERNAME" in the field User name and "03" in the field Activity: permits any end user to start the transaction ZUSERNAME, because this object is assigned to that transaction. It also permits the user with username USERNAME (if it exists) to see his own username through the ABAP program ZUSERNAME.
    - With the value "JUNIOR" in the field User Name and the value "03" in the field Activity: grants the user JUNIOR the right to see his own username using the ABAP program ZUSERNAME.

[13] To display the window above, on the initial screen of the Profile Generator enter the role name; in the window that appears, select the Authorizations tab and press the Expert mode for profile generation button.
[14] Assume that the transaction ZUSERNAME calls the ABAP program ZUSERNAME, as on the previous pages.

Parameter Transactions (using SM30)

Necessary Authorizations to Access

Parameter Transactions (using SE16)

Necessary Authorizations to Access

User Groups

[Figure: user groups. Group SUPER contains the super users SAP* and DDIC and the auxiliary user VHYA2HWR; group ADM contains the administrator users ADMGR1, ADMGR2 ... ADMGRx; the end-user groups GR1 ... GRx contain users such as FI_01, FI_02 ... FI_## and HR_01, HR_02 ... HR_##.]

- User group SUPER for super users or special users:
  • Only super users (profile SAP_ALL);
  • System administrators;
  • Communication users (for example SAPCPIC, or the users for CUA or TMS);
  • Any critical user (for example, the auxiliary user for user group SUPER).
- User group ADM for administrator users:
  • Authorization administrators;
  • User administrators: can only maintain end users (not users in group SUPER or ADM);
  • Role/profile administrators:
    - Can only display or maintain non-administrator profiles/roles;
    - Can only assign non-administration profiles/roles, and only to end users.
- Other user groups for non-critical users.

Auxiliary User for User Group SUPER


• Anyone can lock a super user such as SAP* or DDIC.
  - Why? Because these are well-known user names.
  - How? Simply by attempting to log on as these users.
• Solution: create an auxiliary user for unlocking purposes. For this user:
  - User ID: any obscure, cryptic name. Example: VHYA2HWR.
  - Profile:
    - Permit starting transaction SU10 or SU01 only (using authorization object S_TCODE).
    - Permit Lock, Unlock, and Change Initial Password only for super users (activity 05 and user group SUPER in authorization object S_USER_GRP).
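The least-privilege profile of the auxiliary user, checked with an added example that is not SAP code and not part of the course material: a small Python model of the AND-linked AUTHORITY-CHECK semantics, run against the two authorizations the slide prescribes. The field names TCD (S_TCODE) and CLASS/ACTVT (S_USER_GRP) are the real ones; the profile contents, the helper names and the simplified '*' wildcard handling are assumptions of this example.

```python
# Added example (not SAP code): a minimal model of SAP's AUTHORITY-CHECK
# semantics, used to verify the least-privilege profile of the auxiliary
# "unlock" user from the slide. Field names TCD (S_TCODE) and CLASS/ACTVT
# (S_USER_GRP) are real; profile contents and wildcard handling are assumed.

def value_matches(allowed, actual):
    """One permitted field value matches the checked value if it is equal,
    '*' (everything) or a trailing-'*' pattern (simplified SAP semantics)."""
    if allowed == '*':
        return True
    if allowed.endswith('*'):
        return actual.startswith(allowed[:-1])
    return allowed == actual

def authority_check(profile, obj, **fields):
    """Return True if at least one authorization for `obj` in `profile`
    satisfies ALL checked fields: fields inside one authorization are
    AND-linked, several authorizations for the same object are OR-linked."""
    for auth_obj, auth_fields in profile:
        if auth_obj != obj:
            continue
        if all(any(value_matches(v, fields[f]) for v in auth_fields.get(f, []))
               for f in fields):
            return True
    return False

# The slide's design: only SU01/SU10 may be started, and only activity 05
# (lock, unlock, initial password) on users of group SUPER is permitted.
AUX_PROFILE = [
    ('S_TCODE', {'TCD': ['SU01', 'SU10']}),
    ('S_USER_GRP', {'CLASS': ['SUPER'], 'ACTVT': ['05']}),
]

def can_unlock_super_user(profile=AUX_PROFILE):
    """Intended use: start SU01 and unlock e.g. SAP* (group SUPER)."""
    return (authority_check(profile, 'S_TCODE', TCD='SU01')
            and authority_check(profile, 'S_USER_GRP', CLASS='SUPER', ACTVT='05'))

def can_change_super_user(profile=AUX_PROFILE):
    """Activity 02 (change) was never granted, so this must be refused."""
    return authority_check(profile, 'S_USER_GRP', CLASS='SUPER', ACTVT='02')

def can_unlock_end_user(profile=AUX_PROFILE):
    """Group FI_01 is not SUPER: the AND-linked CLASS field rejects it."""
    return authority_check(profile, 'S_USER_GRP', CLASS='FI_01', ACTVT='05')

def can_start_other_transaction(profile=AUX_PROFILE, tcode='SE16'):
    """Anything beyond SU01/SU10 is outside the S_TCODE authorization."""
    return authority_check(profile, 'S_TCODE', TCD=tcode)
```

The four checks show why the design works: the auxiliary user can reach exactly the lock/unlock function for group SUPER and nothing else, so even if its name became known, the damage it could do is limited to what an unlock user needs.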
Glossary

Glossary Content:
Commonly used terms in the context of this course.
Further information: in your SAP system, choose Help → Glossary.

• ABAP: Advanced Business Application Programming. Programming language of the R/3 System.
• ABAP Dictionary: Central storage facility containing metadata (data about data) for all objects in the R/3 System. The ABAP Dictionary describes the logical structure of application development objects and their representation in the structures of the underlying relational database. All runtime environment components, such as application programs or the database interface, get information about these objects from the ABAP Dictionary. The ABAP Dictionary is an active data dictionary and is fully integrated into the ABAP Workbench.
• ABAP Workbench: SAP's integrated graphical programming environment. The ABAP Workbench supports the development of and changes to R/3 client/server applications written in ABAP. You can use the tools of the ABAP Workbench to write ABAP code, design screens, create user interfaces, use predefined functions, get access to database information, control access to development objects, test applications for efficiency, and debug applications.
• Activation: Process that makes a runtime object available. The effect of activation is to generate runtime objects, which are accessed by application programs and screen templates.
• Activity Group: Role (the older term for a role).
• Authorization: Authority to execute a particular action in the SAP System. Each authorization references one authorization object and defines one or more permissible values for each authorization field listed in the authorization object. Authorizations are combined in profiles, which are entered in a user's master record.
• Authorization Fields: In authorization objects, authorization fields represent values for individual system elements that are to undergo authorization checking to verify a user's authorization.
• Authorization Objects: Structures of the SAP Repository that protect actions and access to data in the SAP system. Authorization objects are delivered by SAP and are present in SAP systems. To provide a better overview, authorization objects are divided into various object classes. Authorization objects allow complex checks that involve multiple conditions that must be met for a user to perform an action. The conditions are specified in the authorization fields of the authorization object and are AND-linked for the check. An authorization object can include up to 10 authorization fields. Authorization objects and their fields have descriptive and technical names.
• Authorization Profile: An authorization profile gives users access to the system. A profile contains individual authorizations, which are identified by the authorization name and one or more authorization objects. If a profile is specified in a user master record, the user has all the authorizations defined in this profile.
• Client: From a commercial law, organizational, and technical viewpoint, a closed unit within an R/3 System with separate master records within a table.
• Client-Dependent: Specific to one client only. Settings in client-dependent tables relate only to the client that was accessed during the logon process. Such tables contain the client number in the table's primary key. Client-dependent is a formerly used synonym for client-specific.
• Cross-Client: Relevant for all clients in an R/3 System. Cross-client is synonymous with the formerly used term client-independent.
• CUA: Central User Administration.
• Customer Development: Additions to the standard, delivered SAP software using the ABAP Workbench. Customer developments involve creating customer-specific objects using the customer's name range and namespace.
• Customizing: Adjusting the R/3 System to specific customer requirements by selecting variants, parameter settings, etc.
• DEV: Development System. System in a system landscape where development and Customizing work is performed. DEV contains the SAP standard clients, a development and Customizing client (CUST), a sandbox client (SAND), and a test client (TEST). Since the test client usually does not contain realistic application data, only unit tests can be conducted in this client.
• Development Class: A grouping of R/3 Repository objects belonging to a common area. Unlike the objects in a change request, the grouping is logical rather than temporal. The development class is assigned a transport layer to ensure that all objects have the same consolidation route.
• Local Change Request: Change request that cannot be transported to other R/3 Systems.
• Local Object: A Repository object assigned to a local development class such as the development class $TMP. Local objects are local to the R/3 System on which they are created and cannot be transported.
• Master Data: Master data is a type of application data that changes infrequently but is required for the completion of most business transactions. Examples of master data include lists of customers, vendors, and materials, and even the company's chart of accounts.
• Namespace: Set of all names that satisfy the specific properties of the namespace. A namespace is defined by a prefix that SAP provides to the customer or complementary software partner.
• Nametab: A nametab is the runtime object of a table. The runtime object contains all the information stored in the ABAP Dictionary in a format that is optimized for the application programs.
• PRD: Production System. System that contains an enterprise's active business processes. This is where "live" production data is entered. PRD usually contains only the Production Client (PROD) and the SAP standard clients.
• Profile Generator: Automatically generates an authorization profile based on the activities in an activity group. Use transaction code PFCG.
• QAS: Quality Assurance System. System in which final testing is carried out. Tested, stable development objects and Customizing settings are transported into the quality assurance system from the development system at times defined for final testing. After verification and sign-off, development objects and Customizing settings are delivered to the production system. QAS includes a test client (QTST) and a training client (TRNG).
• R/3: Real-time, Version Three. Consists of a central instance offering the services DVEBMGS (Dialog, Update, Enqueue, Background Processing, Message, Gateway, Spool), a database instance, optional dialog instances offering the service D (Dialog), and optional PC front ends.
• R/3 Repository: Central storage facility for all development objects in the ABAP Workbench. These development objects include ABAP programs, screens, and documentation.
• R/3 Runtime Environment: Set of programs that must be available for execution at runtime. The ABAP interpreters in the runtime environment do not use the original of an ABAP program. Rather, they use a copy generated once only during runtime (early binding). Runtime objects, such as programs and screens, are automatically regenerated (late binding) when a time stamp comparison between the object and the ABAP Dictionary detects a difference.
• Release: The process by which the owner of a change request or task indicates that the contents of the change request or task have been unit tested. Release of a change request of either type, Transportable or Customizing, initiates the export process.
• Return Code: Value that indicates whether a tool (either within R/3 or at the operating system level) ran successfully, with warnings, or with errors.
• Role: Collection of activities that cover a specific work area. For example, the activity group "accounts payable accounting" contains all the transactions and reports that accountants need to perform their daily tasks. You can create a user menu for an activity group (role). You assign transactions, reports, and Internet/intranet links to the user menu. This menu is displayed when users assigned the activity group log on to the system. Authorizations are automatically granted for the activities included in the activity group. These authorizations can be changed.
• SAP AS: SAP Application Server.
• SAP BW: SAP Business Information Warehouse.
• SAP CRM: SAP Customer Relationship Management.
• SAP EP: SAP Enterprise Portal. SAP EP is the component that brings all of these various components together. Via the portal, the end user has access to the backend systems using a single user interface, the Portal Client.
• SAP ITS: SAP Internet Transaction Server. Gateway between the R/3 System and the World Wide Web.
• SAP Web AS: SAP Web Application Server. The SAP Web AS is a "normal" application server that has been extended with a protocol handler called the Internet Communication Manager, which processes the HTTP requests.
• System Landscape: The R/3 Systems and clients required for a company's implementation and maintenance of R/3. For example, a common system landscape consists of a development system, a quality assurance system, and a production system.
• Transaction Code: Succession of alphanumeric characters used to name a transaction, that is, a particular ABAP program in the R/3 System. For example, transaction VA01 (create customer order).
• User Master Data: Logon and authorization information for R/3 users. Only users who have a user master record can log on to a client in an R/3 System and use specific transactions.
• View: Virtual table simultaneously displaying data from several real tables in the ABAP Dictionary. When you create a table, you assign a key to it. However, the fields in the key may be inadequate for solving some problems, so you can generate a view from several tables or parts of tables.
• Workbench Change Request: Change request for recording and transporting R/3 Repository objects and changed system settings from cross-client tables (client-independent Customizing).