
Contents

OBJECTIVE OF THE DOCUMENT...................................................................................................................5


SCOPE OF THE DOCUMENT.........................................................................................................................5
TARGET AUDIENCE......................................................................................................................................5
SAP Authorization Concept..........................................................................................................................6
Why Is Security Necessary?.....................................................................................................................6
Types of user administration..................................................................................................................6
PFCG - ROLE MAINTENANCE........................................................................................................................8
BASIC PROCESS OF ROLE ADMINISTRATION..............................................................................................12
AUTHORIZATION OBJECT SETTINGS..........................................................................................................13
Before working on pfcg,we need to know the authorization objects responsible in PFCG...................14
S_USER_AUT..........................................................................................................................................15
Definition...........................................................................................................................................15
Defined fields.....................................................................................................................................15
Example.............................................................................................................................................16
S_USER_GRP..........................................................................................................................................16
Definition...........................................................................................................................................16
Defined fields.....................................................................................................................................16
Example.............................................................................................................................................17
S_USER_PRO..........................................................................................................................................17
Definition...........................................................................................................................................17
Defined fields.....................................................................................................................................18
Example.............................................................................................................................................18
S_USER_SAS...........................................................................................................................................19
S_USER_TCD..........................................................................................................................................19
Definition..........................................................................................................................................19
Defined Fields..................................................................................................................................19
S_USER_VAL.......................................................................................................................................19
Defined Fields..................................................................................................................................20

Lets discuss every icon/tab in detail..!!.....................................................................................................21
CREATING A ROLE BY COPYING IT..........................................................................................................21
To delete a role:.....................................................................................................................................24
TRANSPORT OF ROLES...........................................................................................................................25
To see which roles use a particular transaction.....................................................................................27
To get the information...........................................................................................................................28
To change the mode to CHANGE :.........................................................................................................29
TYPES OF ROLES.........................................................................................................................................30
VIEWS : It segregates the views of the roles made in the system based on the criterias specified..........33
CREATION OF A SINGLE ROLE.................................................................................................................34
DESCRIPTION.........................................................................................................................................34
MENU TAB.............................................................................................................................................36
Authorizations Tab:...............................................................................................................................41
LEGENDE................................................................................................................................................43
Adding Transactions..........................................................................................................................44
Removing Transactions......................................................................................................................45
Combining Authorizations.................................................................................................................45
USER TAB:..............................................................................................................................................48
MINI APPS..............................................................................................................................................50
Personalization......................................................................................................................................52
TO MAKE A DERIVED ROLE:...................................................................................................................53
To make a composite role........................................................................................................................55
TABS IN THE MENU BAR............................................................................................................................61
ROLE......................................................................................................................................................61
ENVIRONMENT......................................................................................................................................62
SYSTEM..................................................................................................................................................63
UTILITIES................................................................................................................................................64
MASS GENERATION...........................................................................................................................65
ROLE COMPARISON...........................................................................................................................66
FLOWCHART 1 : SETTING UP ACTIVITY CODES.........................................................................................68
FLOWCHART 2:FIND PERMITTED ACTIVITIES IN AN OBJECT......................................................................69

APPENDIX A : SECURITY TABLES...............................................................................................................70
APPENDIX B: Additional information.........................................................................................................73
APPENDIX C: SECURITY SCENARIOS..........................................................................................................75

DATE            AUTHOR          VERSION   CHANGE/REMARKS
April 18, 2011  Shruti Kishore  1.01      First Version
April 20, 2011  Shruti Kishore  1.02      Second Version

REVIEWER        DESIGNATION     BUSINESS UNIT
Puneet Gupta    Consultant      HCL AXON

OBJECTIVE OF THE DOCUMENT

The purpose of this document is to provide an introduction for beginners working in
SAP security and to explain the use of the Profile Generator. It is a brief outline of
what transaction PFCG in SAP does and how it works.

SCOPE OF THE DOCUMENT

This document describes the various functions of PFCG. It covers the screens and tabs of
the transaction, goes through the creation of a role in detail, and discusses the
authorizations needed and the reports that can be run.

TARGET AUDIENCE

- SAP SECURITY ADMINISTRATORS
- SAP BASIS ADMINISTRATORS

SAP Authorization Concept

The SAP authorization concept protects transactions, programs, and services in SAP systems
from unauthorized access. On the basis of the authorization concept, the administrator assigns
authorizations to the users that determine which actions a user can execute in the SAP System,
after he or she has logged on to the system and authenticated himself or herself.

To access business objects or execute SAP transactions, a user requires corresponding
authorizations, as business objects or transactions are protected by authorization objects. The
authorizations represent instances of generic authorization objects and are defined depending on
the activity and responsibilities of the employee. The authorizations are combined in an
authorization profile that is associated with a role. The user administrators then assign the
corresponding roles using the user master record, so that the user can use the appropriate
transactions for his or her tasks.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the
demands on security are also on the rise. When using a distributed system, you need to be sure
that your data and processes support your business needs without allowing unauthorized
access to critical information. User errors, negligence, or attempted manipulation on your
system should not result in loss of information or processing time. These demands on security
apply likewise to the SAP NetWeaver platform. To assist you in securing your SAP NetWeaver
platform and products, we provide this SAP NetWeaver Security Guide.

When a system is set up, the security and authorization concept is applied at various levels,
such as:

- Authorization at R/3 level
- Communication level: between two or more systems
- Database level
- Access protection
- Keeping database backups
- Integrity checks

We are here to discuss the authorization concept and role administration for users in SAP.

Types of user administration:

CLIENT-SPECIFIC USERS: Users are created in each client, giving them a technically,
commercially and organizationally separate working environment and access.

Central User Administration

An SAP system group consists of several R/3 Systems with several clients. The same
users are frequently created and assigned to roles in each client. The central user
administration performs these tasks in a central system and distributes the data to the
systems in the system group.

Global User Manager

From Release 4.6A the system administrator can get an overview of the users, existing
user groups, the systems in the system group and the roles in the Global User
Manager, based on the central user administration. The system administrator can make
changes in the overview using drag and drop. These changes take effect after being
distributed to the dependent systems.

Previously, user data had to be maintained in every client in every system. With the introduction
of central user administration, this can all be maintained in a central system. User groups can be
used to reduce the administration overhead required for maintaining user data, as authorization
data then only has to be maintained once for each user group.

EG: When a person has to make changes in material master data, the SAP concept is applied as
follows:

[Figure omitted: the original page shows a rotated diagram relating the user, the transaction,
the authorization object and the activity (change) for accessing material master data.]

PFCG - ROLE MAINTENANCE

We can use the role maintenance to manage roles and authorization data. The tool for
role maintenance, the Profile Generator automatically creates authorization data based
on selected menu functions. These are then presented for fine-tuning.

We recommend that you use the role maintenance functions and the profile generator
(transaction PFCG) to maintain your roles, authorizations, and profiles. Although you
can continue to create profiles manually, you need detailed knowledge of all SAP
authorization components.

The role maintenance functions support you in performing your task by automating
various processes and allowing you more flexibility in your authorization plan. You can
also use the central user administration functions to centrally maintain the roles
delivered by SAP or your own, new roles, and to assign the roles to any number of
users.

The roles (previously: activity groups), which are based on the organizational plan of
your company, form the structure for the Profile Generator. These roles are the
connection between the user and the corresponding authorizations. The actual
authorizations and profiles are stored in the SAP system as objects.

With the roles, you assign to your users the user menu that is displayed after they log
on to the SAP System. Roles also contain the authorizations with which users can
access the transactions, reports, Web-based applications, and so on that are contained
in the menu.

This is the display screen.

[Figure omitted: PFCG display screen.]

BASIC PROCESS OF ROLE ADMINISTRATION

AUTHORIZATION OBJECT SETTINGS

When we try to access PFCG, the following authorizations are checked:

- Authorization object S_TCODE must have the field TCD set to PFCG.
- Authorization object S_USER_AGR must have the activity field ACTVT set to 01.

Correspondingly, the appropriate activity value must be granted for each tab in PFCG to enable
access to it.
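The following Python script is an added example (not part of the original document) that models the authorization concept described earlier, from user to role to profile to authorization, and replays the two checks listed above for starting PFCG. S_TCODE/TCD/PFCG and S_USER_AGR/ACTVT/01 are the objects and values named on the page; the role, profile and user names are constructed for the example, and values are compared literally (no "*" or interval handling).

```python
# Added example, not from the original document: a small model of the
# authorization concept (user -> roles -> profiles -> authorizations -> objects
# and fields) that replays the two checks the page lists for starting PFCG.
# S_TCODE/TCD/PFCG and S_USER_AGR/ACTVT/01 are from the page; role, profile and
# user names are constructed for this example.
from dataclasses import dataclass, field


@dataclass
class Authorization:
    """One instance of an authorization object: permitted values per field."""
    obj: str                      # e.g. "S_TCODE"
    values: dict                  # field name -> set of permitted literal values


@dataclass
class Profile:
    name: str
    authorizations: list = field(default_factory=list)


@dataclass
class Role:
    name: str
    profiles: list = field(default_factory=list)


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)

    def authorizations(self):
        """Everything the user holds through role -> profile -> authorization."""
        for role in self.roles:
            for profile in role.profiles:
                yield from profile.authorizations


def authority_check(user, obj, **required):
    """Pass if one single authorization for `obj` permits every required field value.

    As in an ABAP AUTHORITY-CHECK, all field values must be satisfied by the same
    authorization instance. Values are compared literally here; '*' and intervals
    (which SAP supports) are deliberately not interpreted in this example.
    """
    for auth in user.authorizations():
        if auth.obj != obj:
            continue
        if all(val in auth.values.get(fld, set()) for fld, val in required.items()):
            return True
    return False


def can_enter_pfcg(user):
    """The two checks the page lists for transaction PFCG."""
    return (authority_check(user, "S_TCODE", TCD="PFCG")
            and authority_check(user, "S_USER_AGR", ACTVT="01"))


def demo():
    # Constructed roles: the first only allows starting PFCG, the second also
    # grants create/change/display (01, 02, 03) on S_USER_AGR.
    start_only = Role("Z_PFCG_START", [Profile("T-00000001", [
        Authorization("S_TCODE", {"TCD": {"PFCG"}}),
    ])])
    role_admin = Role("Z_ROLE_ADMIN", [Profile("T-00000002", [
        Authorization("S_TCODE", {"TCD": {"PFCG", "SU01"}}),
        Authorization("S_USER_AGR", {"ACTVT": {"01", "02", "03"}}),
    ])])
    viewer = User("VIEWER", [start_only])
    admin = User("ADMIN", [role_admin])
    return {"viewer": can_enter_pfcg(viewer), "admin": can_enter_pfcg(admin)}


if __name__ == "__main__":
    print(demo())  # {'viewer': False, 'admin': True}
```

The point to take from the model is that the transaction start (S_TCODE) and the activity on the role object (S_USER_AGR) are two independent checks: a user who can start PFCG but lacks activity 01 on S_USER_AGR is still refused.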

[Figure omitted: overview of the authorization objects checked in PFCG, which are described
in the following sections.]

Before working in PFCG, we need to know the authorization objects that control it.

S_USER_AUT

Definition

Authorization object, which is checked during authorization maintenance.

The check is made in the following authorization maintenance transactions (Tools ->
Administration -> User maintenance):

- SU03 - maintenance of authorizations
- SU02 - allocate authorization to a profile

Defined fields

This object is defined with the following three fields:

- Authorization object: The authorization objects for which the authorization
administrator may maintain, delete, etc., authorizations must be entered here.

- Authorization name: With this field, the authorization administrator can be given a
limited name space for the assignment of authorization names. It makes sense to do this
when there are several administrators, so that the authorizations are not maintained
reciprocally and internal naming conventions are adhered to.

- Activity: This field can be used to limit what the administrator may do with the
authorization.

Possible values:

o 01 = create
o 02 = change
o 03 = display
o 06 = delete
o 07 = activate
o 08 = display change documents
o 22 = assign authorization profiles
o 24 = archive

Example

Field                  Value
Authorization object   S*
Authorization name     *
Activity               01 - 06

With this authorization, the authorization administrator can create, change, delete, and display
authorizations of any name for all objects beginning with S (Basis authorization objects). The
administrator cannot, however, activate the authorizations or display the change documents.

S_USER_GRP

Definition

Authorization object which is checked during user maintenance.

The check is made in the following user maintenance transactions (Tools -> Administration ->
User maintenance):

- SU01 (Maintain users)
- SU10 (Delete/add a profile for all users)
- SU12 (Delete all users)

Defined fields

The object is defined with the following two fields:

- User group: This field can be used to specify that a user administrator maintains one or
more user groups. This makes sense if there is to be more than one user administrator.
It must then be ensured that every user is assigned to a user group in the maintenance.
Users that are not assigned to a group can be maintained by all user administrators.

- Activity: This field can be used to limit what the administrator is allowed to do with the
authorization.

Possible values:

o 01: Create
o 02: Change
o 03: Display
o 05: Lock, unlock
o 06: Delete
o 08: Display change documents
o 24: Archive

Example

Field        Value
User group   SUPER
Activity     01 - 03, 06

This authorization allows the user administrator to create, maintain, delete and display users in
the SUPER group or users not assigned to a group. However, he may not lock/unlock the users
or display change documents.

S_USER_PRO

Definition

Authorization object, which is checked during authorization maintenance.

The check is made in the following profile maintenance transactions (Tools -> Administration
-> User maintenance):

- SU02 (Maintain profiles)
- SU01 (Assign profile to user)
- SU10 (Assign or delete profile for all users)

Defined fields

The object is defined with the following fields:

- Authorization profile: In this field, you must enter the authorization profiles that an
authorization administrator may maintain or that a user administrator may assign to his
users.

- Activity: In this field, you can limit what the administrator is allowed to do with the
profile.

Possible values:

o 01: Create
o 02: Change
o 03: Display
o 06: Delete
o 07: Activate
o 08: Display change documents
o 22: Assign profile to users / Remove assignment
o 24: Archive

Example

Field          Value
Profile name   *
Activity       01 - 06

This authorization allows the authorization administrator to create, maintain, delete and display
profiles at will. However, he may not activate profiles or display change documents.

S_USER_SAS
User master maintenance: System-specific assignments
The authorization object S_USER_SAS is checked in transactions SU01, SU10, PFCG,
and PFUD when you assign roles, profiles, and systems to users. It represents a
development of the authorization objects S_USER_GRP, S_USER_AGR,
S_USER_PRO, and S_USER_SYS, which the system previously checked when users
made assignments. If you do not activate the authorization object S_USER_SAS using
the Customizing switch, the previously-used authorization objects are checked.
To activate authorization object S_USER_SAS, use transaction SM30 to create the
Customizing switch CHECK_S_USER_SAS with the value YES in the table
PRGN_CUST. All authorization checks for the objects S_USER_AGR, S_USER_PRO,
S_USER_GRP, and S_USER_SYS with the activity assign are replaced by
authorization checks for the object S_USER_SAS.

S_USER_TCD

Definition

This authorization object controls the transactions that system administrators can assign to
an activity group (role), as well as the transactions for which they can assign transaction code
authorization (object S_TCODE).

Note that in the Profile Generator you can only maintain intervals of transactions for
authorization object S_TCODE if you have full authorization for S_USER_TCD. Otherwise
you can only maintain individual values for the object S_TCODE.

Defined Fields

TCD

- Transactions that administrators may assign to activity groups and for which they
may assign authorization to start a transaction in the Profile Generator.

S_USER_VAL

Field value authorization for activity groups

This authorization object allows you to restrict the values an administrator is allowed to
add or change for an activity group in the Profile Generator.

The authorization object refers to all field values except the values of the object
S_TCODE.

- The authorization to add transactions to an activity group or change the
transaction start authorization in an activity group is granted using the
authorization object S_USER_TCD.

Defined Fields

OBJECT

- Specification of the authorization object

- Note: If a user wants to maintain organizational levels in an activity group, the user
must have the complete authorization ("*") for this authorization field.

AUTH_FIELD

- Specification of the authorization field to be protected

AUTH_VALUE

- The permitted values for the field in this object. These are the values the user is
allowed to add or change in the activity group.

- Note: If a user is to be allowed to maintain intervals or use generic entries (a value with
"*" at the end), the user must have the full authorization ("*") for this authorization
field.
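The following Python script is an added example (not part of the original document). It interprets the field values used in the S_USER_AUT, S_USER_GRP and S_USER_PRO examples above (single values, intervals such as 01 - 06, generic entries such as S*) and applies the S_USER_VAL note that intervals and generic entries require the full authorization "*". The short field names OBJECT, AUTH, ACTVT, CLASS and PROFILE are the technical names of the fields the page describes in words; the helper functions, the plant values 1000/2000 and the object M_MATE_WRK with field WERKS are assumptions made for this example.

```python
# Added example, not from the original document: how the value specifications in
# the S_USER_AUT, S_USER_GRP and S_USER_PRO examples are interpreted, and the
# S_USER_VAL rule for intervals and generic entries. Field names OBJECT, AUTH,
# ACTVT, CLASS and PROFILE are the objects' technical field names; the helper
# functions and the M_MATE_WRK/WERKS sample data are constructed for this example.
import re

_RANGE = re.compile(r"^(\S+)\s*-\s*(\S+)$")   # "from - to" (single values with '-' are not handled)
_MAX = "\uffff"   # sorts after every real value, so (prefix, prefix + _MAX) covers the prefix


def parse_spec(spec):
    """Turn "01 - 03, 06", "S*" or "*" into a list of (low, high) string intervals."""
    intervals = []
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            intervals.append(("", _MAX))
        elif part.endswith("*"):                 # generic entry: prefix match
            intervals.append((part[:-1], part[:-1] + _MAX))
        elif (m := _RANGE.match(part)):          # interval
            intervals.append((m.group(1), m.group(2)))
        elif part:
            intervals.append((part, part))       # single value
    return intervals


def permits(spec, value):
    return any(lo <= value <= hi for lo, hi in parse_spec(spec))


def check(auth, **requested):
    """All requested field values must be covered by this one authorization."""
    return all(permits(auth.get(f, ""), v) for f, v in requested.items())


# The three worked examples from the text, field values exactly as given there.
S_USER_AUT_EXAMPLE = {"OBJECT": "S*", "AUTH": "*", "ACTVT": "01 - 06"}
S_USER_GRP_EXAMPLE = {"CLASS": "SUPER", "ACTVT": "01 - 03, 06"}
S_USER_PRO_EXAMPLE = {"PROFILE": "*", "ACTVT": "01 - 06"}


def may_maintain_user(grp_auth, user_group, activity):
    """S_USER_GRP: the text states that users without a group can be maintained by
    every user administrator, so an empty group skips the group comparison."""
    if user_group == "":
        return permits(grp_auth.get("ACTVT", ""), activity)
    return check(grp_auth, CLASS=user_group, ACTVT=activity)


def may_enter_value(val_auth, obj, fld, entry):
    """S_USER_VAL: intervals and generic entries in a role need AUTH_VALUE = "*";
    a single value must be covered by AUTH_VALUE."""
    if not check(val_auth, OBJECT=obj, AUTH_FIELD=fld):
        return False
    allowed = val_auth.get("AUTH_VALUE", "").strip()
    generic = entry.endswith("*") or _RANGE.match(entry) is not None
    return allowed == "*" if generic else permits(allowed, entry)


def demo():
    # Constructed S_USER_VAL authorization: the administrator may enter plants 1000 and 2000.
    val_auth = {"OBJECT": "M_MATE_WRK", "AUTH_FIELD": "WERKS", "AUTH_VALUE": "1000, 2000"}
    return {
        "aut_create_s_tcode": check(S_USER_AUT_EXAMPLE, OBJECT="S_TCODE", AUTH="Z_ANY", ACTVT="01"),
        "aut_activate": check(S_USER_AUT_EXAMPLE, OBJECT="S_TCODE", AUTH="Z_ANY", ACTVT="07"),
        "aut_non_basis": check(S_USER_AUT_EXAMPLE, OBJECT="M_MATE_WRK", AUTH="Z_ANY", ACTVT="03"),
        "grp_delete_super": may_maintain_user(S_USER_GRP_EXAMPLE, "SUPER", "06"),
        "grp_lock_super": may_maintain_user(S_USER_GRP_EXAMPLE, "SUPER", "05"),
        "grp_display_ungrouped": may_maintain_user(S_USER_GRP_EXAMPLE, "", "03"),
        "grp_display_other": may_maintain_user(S_USER_GRP_EXAMPLE, "ADMIN", "03"),
        "pro_change": check(S_USER_PRO_EXAMPLE, PROFILE="Z_FIN", ACTVT="02"),
        "pro_assign": check(S_USER_PRO_EXAMPLE, PROFILE="Z_FIN", ACTVT="22"),
        "val_single": may_enter_value(val_auth, "M_MATE_WRK", "WERKS", "1000"),
        "val_generic": may_enter_value(val_auth, "M_MATE_WRK", "WERKS", "10*"),
        "val_interval": may_enter_value(val_auth, "M_MATE_WRK", "WERKS", "1000 - 2000"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Activity intervals compare as strings, which is why 01 - 06 covers 01, 02, 03 and 06 but not 07 (activate) or 22 (assign). The S_USER_VAL part shows the practical consequence of the note above: an administrator restricted to plants 1000 and 2000 can enter either plant, but not the generic entry 10* or the interval 1000 - 2000, even though both lie within the plants he is allowed to enter individually.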

Let's discuss every icon/tab in detail!

CREATING A ROLE BY COPYING IT

You want to send the learning map to a group of users with the same business role, e.g. to all
accountants in your company, or to the purchasing department. You copy existing business
roles in the Solution Manager, or create new ones.

You need authorization for the authorization object PLOG to be able to create roles.

SIGNIFICANCE OF PLOG: Authorization object that is used to check the authorization
for specific fields in the Personnel Management components (Organizational
Management, Personnel Development, Training and Event Management, ...). The fields of
object PLOG are:

- The PLVAR field specifies which plan version(s) the user is authorized to access.
- The OTYPE field specifies which object types the user is authorized to access.
- The INFOTYP field specifies which infotypes the user is authorized to access.
  Infotypes (information types) are pre-defined templates for entering related information
  about an employee or applicant; for example, an address infotype has fields like street and
  house number, city and PIN code. Each infotype is unique and is identified by an infotype
  number, e.g. Address has infotype number 0006. Other infotypes include:

  0000 - Actions (to capture employee movement in the organization)
  0001 - Organizational Assignment (to capture the employee's position in the organization)
  0002 - Personal Data
  0006 - Address
  0007 - Planned Working Time (stores the planned working hours for the employee)
  0008 - Basic Salary
  0009 - Bank Details
  0014 - Recurring Payment
  0015 - Additional Payment
  0016 - Contract Elements
  2006 - Absence Quotas

- The SUBTYP field specifies which subtypes of given infotypes the user is authorized to
  access.
- The ISTAT field specifies the planning status in which the user is authorized to access
  information.
- The PPFCODE field specifies the processing mode for which the user has authorization
  (Display, Change and so on).

Copy all copies the whole role.

Copy selectively copies only the selected objects. It opens the next screen: user assignment or
personalization.

User Assignment: The new role is assigned to the users who are assigned the original role.

Personalization: The objects listed on the Personalization tab are copied into the new role.

To delete a role:

When we delete a role, the corresponding changes are made in every table in which that role is
referenced.

TRANSPORT OF ROLES:

We can transport the roles made in the system. This is known as transport of roles.

For this, RFC must be enabled. The STMS configuration must be set up so that the data files and
cofiles are generated at the same time for the import; otherwise a local transport request (TR)
is generated, and we then have to copy the manually generated data files and cofiles to the
target system for the import.

Steps:

1. Go to PFCG. For a single role, type the role name and click "Execute". To transport more
   than one role:
   a) Go to Utilities -> Mass Transport.
   b) Click the Multiple Selection button, list the role names that you want to transport
      and click "Execute".
2. Click the "Transport" button (truck icon).
3. It will ask for a transport request number; click "Create Request".
4. Give the details of the transport, i.e. ticket number (if any), name of the requester of
   the transport and the date on which you are going to release the transport request, and
   finally click "Continue".
5. A message will now be displayed showing everything that has been added to the transport
   request, i.e. the contents of this transport.
6. Then go to SE10/SE01, select the option "Modifiable" in the section 'Transport requests',
   uncheck the option "Released" and click "Display". This will show the transport request
   that you have just created.
7. Expand the request and it will show you the task under the request. Click on that task
   and press the "Transport" button (truck icon). The status line at the bottom shows the
   status of the task, i.e. whether it is released or not.
8. Then click on the request number and transport it. Your transport request is now released
   and the roles have been transported.

In the case of test systems, transports are automatic (this varies from project to project);
for the production system they are managed by the BASIS team.

In the case of auto-transport, you can log in to the test system and check the time interval at
which the "auto-import" job is triggered (this can be done in SM37). After the request is
released, at the next interval (usually between 15 and 30 minutes) your transport request will
be imported into that system and your roles will be transported there.

Roles can also be transported in bulk: go to UTILITIES > MASS TRANSPORT.

To see which roles use a particular transaction

This shows which transaction is used in which roles.

To get the information:

We get information on how to perform the various tasks within the transaction by pressing the
I (information) icon.

It gives a stepwise description of how to perform the operation.

To change the mode to CHANGE:

To switch to display mode, we click on the spectacles icon next to it. In display mode we cannot
make any changes; we can only view the authorizations.

TYPES OF ROLES

Single Role: The Single Role tab helps to create a single role. We need to enter the name of the
new role we want to make.

Composite Role: Composite roles consist of single roles. Users who are assigned a composite role
are automatically assigned the associated single roles during the compare. Composite roles do not
themselves contain authorization data.

Setting up composite roles is useful, for example, if some of your staff need authorization for
several roles. You can create a composite role and assign it to the users instead of putting each
user in each required single role.

Derived Role: A derived role inherits from a parent role. Once a derived role has been made, we
need to generate it from the parent to give it the proper authorizations.

Composite Role: It combines several roles in one composite role.

Composite roles can simplify user administration.

32
VIEWS : It segregates the views of the roles made in the system based on the criterias
specified.

CREATION OF A SINGLE ROLE

- Enter the name of the delivered standard role in the Role field.
- Copy the standard role by choosing Copy role and enter a name from the customer
  namespace.

Do not change the delivered standard roles (SAP_), but rather only the copies of these
roles (Z_). Otherwise, the standard roles that you have modified will be overwritten by
newly delivered standard roles during a later upgrade or release change.

DESCRIPTION

This has the following information:

Administration information: Here the information about the user who created and changed the
authorizations of that role is shown.

Long text: This enables us to give a detailed description of the role we are working on. We can
also add a local file and save the description as a local file. These files are in .TXT format.

Transaction Inheritance: Here we can derive a role from an existing role.

- This is possible only if we haven't assigned any transactions to the role yet. The parent
  role then imparts all its transactions to the derived role.
- We cannot enter transactions directly into the derived role. It gets its transactions
  solely from the imparting role.
- Inheritance refers only to the menu, not to the authorizations.
- We can reset the definition of the imparting role by deleting the inheritance relationship.
- Authorizations are not passed on immediately. However, they can be copied to the derived
  role. To make changes, choose Authorizations -> Modify Derived on the CHANGE ROLE:
  Authorization screen.

Inheritance Hierarchy

To find which (master) roles have derived roles: in PFCG click on the Inheritance Hierarchy
icon. A list of roles will be displayed. Those roles with a little 'plus' box have roles
derived from them. Click on the 'plus' to expand it, and a list of the roles that have been
derived from this master will be presented.

- We can also find derived roles using the AGR_DEFINE table.

After naming the role, we have to save the new role before making any changes to it. Next
we move to the Menu tab.
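The following Python script is an added example (not part of the original document) that models the behaviour described in TYPES OF ROLES and in the Transaction Inheritance list above: a composite role resolves to its single roles during the user compare, and a derived role takes its menu from the parent while authorizations only arrive when they are copied down with Modify Derived. The role names (Z_MM_...), the transactions used and the object M_MATE_WRK with its organizational-level field WERKS are assumptions constructed for the example.

```python
# Added example, not from the original document: a small model of single,
# composite and derived roles as described in the text. Role names, menus and
# the M_MATE_WRK/WERKS authorization are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class SingleRole:
    name: str
    menu: set = field(default_factory=set)             # transaction codes in the role menu
    authorizations: dict = field(default_factory=dict)  # object -> {field: value}
    parent: "SingleRole | None" = None                  # set only for a derived role

    def effective_menu(self):
        """Inheritance applies to the menu only: a derived role shows exactly the
        transactions of the imparting (parent) role."""
        return set(self.parent.menu) if self.parent else set(self.menu)

    def add_transaction(self, tcode):
        # The text: transactions cannot be entered directly into a derived role.
        if self.parent is not None:
            raise ValueError(f"{self.name} is derived; add transactions to {self.parent.name}")
        self.menu.add(tcode)

    def copy_authorizations_from_parent(self, org_levels=None):
        """Authorizations are not inherited automatically; 'Modify Derived' copies
        them down. The derived role keeps its own organizational-level values
        (org_levels: field -> value, an assumption of this example)."""
        if self.parent is None:
            raise ValueError(f"{self.name} has no parent role")
        self.authorizations = {obj: dict(vals) for obj, vals in self.parent.authorizations.items()}
        for vals in self.authorizations.values():
            for fld, val in (org_levels or {}).items():
                if fld in vals:
                    vals[fld] = val


@dataclass
class CompositeRole:
    name: str
    single_roles: list = field(default_factory=list)


def user_compare(assigned):
    """Return the single roles a user effectively holds: a composite contributes its
    single roles and carries no authorization data of its own."""
    effective = []
    for role in assigned:
        members = role.single_roles if isinstance(role, CompositeRole) else [role]
        for m in members:
            if m not in effective:
                effective.append(m)
    return effective


def demo():
    parent = SingleRole("Z_MM_DISPLAY_ALL", {"MM03", "MM60"},
                        {"M_MATE_WRK": {"ACTVT": "03", "WERKS": "*"}})
    derived = SingleRole("Z_MM_DISPLAY_1000", parent=parent)
    derived_menu_before = derived.effective_menu()
    parent.add_transaction("MMBE")                    # appears in the derived role at once
    auths_before_copy = dict(derived.authorizations)  # still empty: not inherited
    derived.copy_authorizations_from_parent(org_levels={"WERKS": "1000"})
    composite = CompositeRole("Z_MM_CLERK", [parent, derived])
    effective = [r.name for r in user_compare([composite, derived])]
    return {
        "derived_menu_before": sorted(derived_menu_before),
        "derived_menu_after": sorted(derived.effective_menu()),
        "auths_before_copy": auths_before_copy,
        "derived_werks": derived.authorizations["M_MATE_WRK"]["WERKS"],
        "parent_werks": parent.authorizations["M_MATE_WRK"]["WERKS"],
        "effective_single_roles": effective,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two things worth noticing are that adding MMBE to the parent changes the derived role's menu immediately, whereas the derived role has no authorizations at all until they are copied down, and that the copy keeps the derived role's own plant (WERKS 1000) instead of the parent's "*".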

MENU TAB

Here we can add transactions, reports and web addresses to the particular role.

On the top right we have the following buttons:

Delete a node, delete it totally, switch on technical names, print, find, menu stats, and
information regarding the concerned tab.

Menu stats show the hierarchy level, nodes (number of folders, transactions, reports and
transactions of other types) and node texts.

We can also distribute the texts and menu.

We can COPY THE MENUS from:

- SAP MENU
- Other Role: We choose another role and copy the transactions and other elements from it.
- AREA MENU: It can be created with transaction SE43, when you want to create a new area
  menu and assign it to a user or user group as a new menu or submenu.
- IMPORT FROM FILE: The uploaded file must be in the format described in OSS NOTE 3897675.

We can perform additional activities:

Translate a node: Place the cursor on a particular node and then translate that node.

To add a transaction:

To add a report:

Even OTHERS like web addresses, crystal reports, etc. can be added. The various elements that
can be added to a role can be seen in the following snapshot.

Authorizations Tab:

On the Authorizations tab choose Change authorization data.

This is where the activity levels in each of the objects are set.

To see which object under which transaction should be changed, it can be seen as follows:

Generation of a profile from a role.

The generated profile name is a 10-digit name: it begins with T (torso) and the last 2 digits
act as a counter.

LEGENDE: It shows all the color coding and symbols displayed on the SAP GUI.

43
Now when we click on CHANGE AUTHORIZATION DATA:

Adding Transactions

When you include transactions in the role menu, this has the following effect on the authorizations:

 If the authorization default values contain objects for which the role previously had no authorizations, or only authorizations in the status Changed or Manual, the program adds new standard authorizations for these objects.

 If authorizations in the status Maintained (active or inactive) or Inactive Standard already existed before the merge, the program compares the values and the maintenance status of all authorization fields to determine whether new standard authorizations must be added. A new standard authorization is not added if the fields with the status Standard contain identical values in both authorizations, and the fields that were maintained in the old authorization are empty in the new standard authorization.

 If both criteria are fulfilled, the default values of the old and the new authorization most probably come from the same transaction. It is therefore not necessary to insert a new standard authorization, because the data already exists.

Removing Transactions

When you remove transactions from the role menu, this has the following effect on the authorizations:

 A standard authorization whose associated transaction was removed from the role menu is removed during the merge, unless at least one other transaction that remains in the menu uses the same authorization default value. This applies to active and inactive standard authorizations alike.

 Authorizations with the status Maintained are only deleted once the last transaction with default values for the corresponding object has been removed from the role menu.

 Authorizations in the statuses Changed and Manual are not affected by the merge. They are therefore always retained.
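As an added illustration (not code from this document or from SAP), the following Python model reproduces the merge behaviour described under Adding Transactions and Removing Transactions. The transaction codes, authorization objects, default values and check indicators are constructed stand-ins for USOBX_C/USOBT_C entries; only objects with check indicator CM are proposed, as the check indicator table under ENVIRONMENT states. The model tracks, for each standard authorization, which menu transactions still use its default values, which is what decides whether it survives a removal.

```python
"""Model of the PFCG merge that runs when transactions are added to or
removed from a role menu. Constructed stand-in data, not SAP code."""
from dataclasses import dataclass, field

# Stand-ins for SU24 data. In a real system these come from USOBX_C (check
# indicators) and USOBT_C (default values); all names below are made up.
CHECK_INDICATORS = {                     # (transaction, object) -> indicator
    ("ZSD01", "Z_VBAK_VKO"): "CM",       # checked and proposed by PFCG
    ("ZSD02", "Z_VBAK_VKO"): "CM",
    ("ZSD03", "Z_VBAK_VKO"): "CM",
    ("ZSD01", "Z_BKPF_BUK"): "C",        # checked at runtime, never proposed
    ("ZSD02", "Z_OLD_OBJ"): "N",         # check switched off, never proposed
}
DEFAULT_VALUES = {                       # (transaction, object) -> field -> values
    ("ZSD01", "Z_VBAK_VKO"): {"ACTVT": ("01", "02", "03"), "VKORG": ("$VKORG",)},
    ("ZSD02", "Z_VBAK_VKO"): {"ACTVT": ("02", "03"), "VKORG": ("$VKORG",)},
    ("ZSD03", "Z_VBAK_VKO"): {"ACTVT": ("02", "03"), "VKORG": ("$VKORG",)},
}


@dataclass
class Authorization:
    obj: str
    defaults: dict                        # SU24 values it was created from
    values: dict                          # current field values
    status: str = "Standard"              # Standard | Maintained | Changed | Manual
    active: bool = True
    origin: set = field(default_factory=set)  # menu transactions using these defaults


@dataclass
class Role:
    menu: set = field(default_factory=set)
    auths: list = field(default_factory=list)


def proposed_objects(tcode):
    """PFCG proposes an object only when its check indicator is CM."""
    return [o for (t, o), ind in CHECK_INDICATORS.items() if t == tcode and ind == "CM"]


def add_transaction(role, tcode):
    role.menu.add(tcode)
    for obj in proposed_objects(tcode):
        defaults = DEFAULT_VALUES[(tcode, obj)]
        # A Standard/Maintained authorization built from identical defaults most
        # probably came from the same transaction: reuse it instead of adding one.
        for auth in role.auths:
            if auth.obj == obj and auth.status in ("Standard", "Maintained") and auth.defaults == defaults:
                auth.origin.add(tcode)
                break
        else:  # Changed/Manual authorizations never prevent a new Standard one
            role.auths.append(Authorization(obj, dict(defaults), dict(defaults), origin={tcode}))
    return role


def maintain(auth, fld, values):
    """Fill a field (e.g. an organizational level); the authorization becomes Maintained."""
    auth.values = dict(auth.values, **{fld: values})
    auth.status = "Maintained"
    return auth


def remove_transaction(role, tcode):
    role.menu.discard(tcode)
    kept = []
    for auth in role.auths:
        if auth.status == "Standard":                 # active or inactive alike
            auth.origin.discard(tcode)
            if auth.origin:                           # another menu entry still uses the defaults
                kept.append(auth)
        elif auth.status == "Maintained":
            auth.origin.discard(tcode)
            # dropped only when no remaining transaction has defaults for the object
            if any(auth.obj in proposed_objects(t) for t in role.menu):
                kept.append(auth)
        else:                                         # Changed and Manual are never touched
            kept.append(auth)
    role.auths = kept
    return role


def summary(role):
    """(object, status, sorted origin) per authorization, for inspection."""
    return sorted((a.obj, a.status, tuple(sorted(a.origin))) for a in role.auths)
```

Adding ZSD02 and ZSD03 produces a single standard authorization, because their defaults are identical; removing ZSD01 drops the authorization that only it used, while a maintained authorization survives until the last transaction proposing that object leaves the menu, and a manual authorization is never touched.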

Combining Authorizations

It is not necessary to include a separate standard authorization in the authorization list for each transaction in the menu, since many transactions have identical or at least very similar authorization default values. It is therefore useful to take only the authorizations that are actually required into account, to avoid storing unnecessary data in the role and in the profile generated from it.

For this reason the profile generator contains a compression function that combines authorizations according to the following rules:

 Authorizations must match both in their active status (Active or Inactive) and in their maintenance status (Standard, Maintained, Changed, or Manual).

Exception:

Changed authorizations can be combined with Manual authorizations if the active status is identical.

 Two authorizations that fulfill the prerequisites above are combined if

 one authorization contains the other in all fields (this includes identity as a special case), or

 the values of the two authorizations differ in exactly one field and are identical in all others.

Exception:

Authorizations that contain empty fields are not combined with others, unless the contents of all fields are completely identical.
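Added example, not code from this document or from SAP: a Python model of the combining rules above. Field values are modelled as sets of single values, with '*' standing for full authorization; value intervals are not modelled. The text does not say which maintenance status a Changed/Manual merge receives, so the model keeps the first authorization's status (an assumption, marked in the code). Object, status and field names are constructed.

```python
"""Model of the profile generator's compression of authorizations, following
the combining rules described above. Constructed example data, not SAP code."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Auth:
    obj: str
    status: str      # Standard | Maintained | Changed | Manual
    active: bool
    fields: tuple    # ((field, frozenset(values)), ...) sorted by field name


def make_auth(obj, status, active, **fields):
    """Values are single values or '*' (full authorization); an empty set is an empty field."""
    return Auth(obj, status, active, tuple(sorted((f, frozenset(v)) for f, v in fields.items())))


def compatible(a, b):
    """Same object, same active status and same maintenance status, except that
    Changed and Manual may be combined with each other."""
    if a.obj != b.obj or a.active != b.active:
        return False
    return a.status == b.status or {a.status, b.status} == {"Changed", "Manual"}


def contains(outer, inner):
    """Field-level containment; '*' contains everything. Intervals are not modelled."""
    return "*" in outer or inner <= outer


def try_combine(a, b):
    """Return the combined authorization, or None if the rules forbid combining."""
    if not compatible(a, b):
        return None
    fa, fb = dict(a.fields), dict(b.fields)
    if fa.keys() != fb.keys():
        return None
    if fa == fb:                                   # identity: the special case of containment
        return a
    if any(not v for v in fa.values()) or any(not v for v in fb.values()):
        return None                                # empty fields: only identical ones combine
    if all(contains(fa[f], fb[f]) for f in fa):    # a contains b in every field
        return a
    if all(contains(fb[f], fa[f]) for f in fa):    # b contains a in every field
        return b
    differing = [f for f in fa if fa[f] != fb[f]]
    if len(differing) != 1:                        # must differ in exactly one field
        return None
    merged = dict(fa)
    merged[differing[0]] = fa[differing[0]] | fb[differing[0]]
    # The text does not say which maintenance status a Changed+Manual merge gets;
    # this model keeps the first authorization's status (assumption).
    return Auth(a.obj, a.status, a.active, tuple(sorted(merged.items())))


def compress(auths):
    """Repeatedly combine any pair that the rules allow until none remains."""
    auths = list(auths)
    merged_any = True
    while merged_any:
        merged_any = False
        for i, j in combinations(range(len(auths)), 2):
            merged = try_combine(auths[i], auths[j])
            if merged is not None:
                auths = [x for k, x in enumerate(auths) if k not in (i, j)] + [merged]
                merged_any = True
                break
    return auths


def values_of(auth, fld):
    """Current values of one field, as a plain set."""
    return set(dict(auth.fields)[fld])
```

Two authorizations that differ only in ACTVT collapse into one with the union of activities; one that differs in two fields stays separate; a full ('*') authorization absorbs everything of the same status; an inactive authorization or one with an empty field is left alone.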

To set the activity codes, click the pencil icon.

Activity codes are standardized and are defined in tables TACT and TACTZ.

Organizational levels are authorization fields that occur in many authorizations (a company code, for example). If you enter a value in the dialog box, the corresponding authorization fields of the role are filled automatically. The authorizations proposed automatically for the selected activities of the role are displayed in the following screen. Some authorization fields have default values.

Wherever traffic lights appear in the tree display, you must adjust the authorization values manually. You maintain the values by expanding the object classes and clicking the white fields to the right of the authorization field name.

Once you have maintained the values, the authorizations count as manually modified and are not overwritten when you copy more activities into the role and edit the authorizations again. You can assign full authorization for all non-maintained fields at a hierarchy level by clicking the traffic light at that level.

Wherever there are red traffic lights, there are organizational levels with no values. You enter and change organizational levels with the Org. levels button.

Selection criteria: authorization objects can also be added based on selection criteria. They are displayed as:

Authorization objects can also be added manually with the button next to Selection criteria on the previous page.
USER TAB:

Here we assign the users to whom the role is assigned.

USER COMPARISON:

PFCG performs the user master record comparison.

For example, if you add a transaction code to a role, you must run a user comparison for the change to reach the users. A yellow light indicates that the user master record has not been compared; always make sure the light in PFCG is green. The user comparison reconciles the PROFILES in a user's master record and makes the necessary changes. This matters especially when you have assigned Valid-To dates to the roles of an account: once the Valid-To (expiry) date of a role has passed, the user comparison REMOVES the profile of that role from the account.

As mentioned above, a red button in PFCG means that a user comparison should be executed to reconcile the profiles for the users. You can also see this in SU01 when a specific role has a red button.

SAP recommends scheduling the report PFCG_TIME_DEPENDENCY once a day to perform the user comparison and 'clean up' the user master records of the system.
You can also run it manually with PFUD.

Two ways to start the user comparison:

 Schedule a background job for PFCG_TIME_DEPENDENCY (a report run in SE38; the job itself can be scheduled with SM36), and run it also after each transport import into the system.
 PFUD compares the user master data; run a complete comparison. It also checks that no errors occurred while the background job ran.
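As an added example (not code from this document or from SAP), the following Python model shows what the user comparison reconciles: it derives the profiles each user should hold on a given day from the role assignments, expands composite roles to the single roles that carry profiles, and diffs the result against the profiles currently in the user master. Users, role names, profile names and dates are constructed stand-ins for AGR_USERS, AGR_AGRS, AGR_1016 and UST04; dates are ISO strings so that they compare correctly as text.

```python
"""Model of the user master comparison (PFCG_TIME_DEPENDENCY / PFUD). Constructed
data with made-up users, roles and profile names, not SAP code."""

# Stand-in for AGR_USERS: (user, role, valid from, valid to) as ISO dates.
AGR_USERS = [
    ("JSMITH", "Z_SD_1000", "2024-01-01", "9999-12-31"),
    ("JSMITH", "Z_MM_TRAIN", "2024-01-01", "2024-06-30"),   # expires mid-year
    ("AJONES", "Z_SD_ALL", "2024-03-01", "9999-12-31"),     # composite role
]
# Stand-in for AGR_AGRS: composite role -> single roles it contains.
AGR_AGRS = {"Z_SD_ALL": ["Z_SD_1000", "Z_SD_2000"]}
# Stand-in for AGR_1016: single role -> generated profile (names are made up).
AGR_1016 = {"Z_SD_1000": "T-SD000001", "Z_SD_2000": "T-SD000002", "Z_MM_TRAIN": "T-MM000001"}


def single_roles(role):
    """Expand a composite role to the single roles that carry profiles."""
    return AGR_AGRS.get(role, [role])


def expected_profiles(today):
    """user -> profiles that the role assignments valid on 'today' entitle them to."""
    wanted = {}
    for user, role, valid_from, valid_to in AGR_USERS:
        profiles = wanted.setdefault(user, set())
        if valid_from <= today <= valid_to:           # ISO strings sort chronologically
            for single in single_roles(role):
                if single in AGR_1016:                # roles without a generated profile add nothing
                    profiles.add(AGR_1016[single])
    return wanted


def user_comparison(ust04, today):
    """Compare current user profiles (stand-in for UST04) with what is expected.
    Returns user -> (profiles to add, profiles to remove); two empty sets mean green."""
    wanted = expected_profiles(today)
    result = {}
    for user in set(ust04) | set(wanted):
        have = ust04.get(user, set())
        want = wanted.get(user, set())
        result[user] = (want - have, have - want)
    return result


def apply_comparison(ust04, today):
    """Reconcile the user master as the comparison would, returning the new state."""
    wanted = expected_profiles(today)
    return {user: set(wanted.get(user, set())) for user in set(ust04) | set(wanted)}
```

On a day after the training role has expired, JSMITH loses its profile and AJONES gains both profiles of the composite role; after the reconciliation a second comparison reports nothing to do, which is the green light the text asks for.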

MINI APPS

We can link web links, a calculator or any application that we want to open from the SAP screen.

This shows the various options:

Mini apps

Offline application

Personalization service

Personalization

The purpose of a central repository for personalization data is to provide storage for user-specific and role-specific data without having to create any additional database tables. This data should be taken into consideration whenever users or roles are changed.

Another aim was to integrate existing user-specific tables into the concept using a given interface.

The functionality includes a generic repository for user-specific and role-specific data and central access to this data by user and role maintenance. It also permits existing tables containing user-specific data to be linked to the central access using a fixed interface.

A key must be assigned for personalization data to be stored in the central repository. This can be done with the registration transaction PERSREG.
TO MAKE A DERIVED ROLE:

There are two possible reasons for deriving a role from an existing role:

 The role menus are identical, but the authorizations for the menu actions are different in the derived role.

 The menu and authorizations of the derived role are identical, but the organizational levels are different in the derived role.

To adjust the authorization data of derived roles you need full authorization for the authorization object S_USER_VAL and change authorization for the derived roles.

To copy the authorizations to the derived roles:

1. In role maintenance, change the role from which the authorizations are to be derived. Choose the Authorizations tab and the Change authorization data pushbutton.
2. Choose the menu entry Authorizations -> Adjust derived -> Generate derived roles.

The authorization data is copied to the derived roles; each derived role keeps its own organizational level values.
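Added example, not code from this document or from SAP: a Python model of the two things this section and the Inheritance Hierarchy section describe, namely reading the master/derived relationship from AGR_DEFINE-style rows (field PARENT_AGR) and pushing the master's authorizations down to every derived role while each derived role keeps its own organizational level values. Role names, object names, the org-level placeholder convention and the AGR_1251/AGR_1252 stand-ins are constructed.

```python
"""Model of 'Generate derived roles': push the master role's authorizations down
to every derived role while each derived role keeps its own organizational
levels. Constructed data with made-up role and object names, not SAP code."""

ORG_LEVEL_FIELDS = {"VKORG", "BUKRS"}      # fields treated as organizational levels

# Stand-in for AGR_DEFINE rows (AGR_NAME, PARENT_AGR); '' means no master role.
AGR_DEFINE = [
    ("Z_SD_MASTER", ""),
    ("Z_SD_1000", "Z_SD_MASTER"),
    ("Z_SD_2000", "Z_SD_MASTER"),
    ("Z_SD_NEW", "Z_SD_MASTER"),      # org levels not yet entered
    ("Z_MM_MASTER", ""),
    ("Z_MM_1000", "Z_MM_MASTER"),
]

# Stand-in for AGR_1252: organizational level values per role.
ORG_LEVELS = {
    "Z_SD_1000": {"VKORG": {"1000"}},
    "Z_SD_2000": {"VKORG": {"2000"}},
    "Z_SD_NEW": {},
    "Z_MM_1000": {"BUKRS": {"1000"}},
}

# Authorization data per role (stand-in for AGR_1251): object -> field -> values.
# Org-level fields in a master role hold the placeholder '$<FIELD>'.
AUTHS = {
    "Z_SD_MASTER": {
        "Z_VBAK_VKO": {"ACTVT": {"01", "02", "03"}, "VKORG": {"$VKORG"}},
        "S_TCODE": {"TCD": {"ZSD01", "ZSD02"}},
    },
    "Z_SD_1000": {"Z_VBAK_VKO": {"ACTVT": {"03"}, "VKORG": {"1000"}}},   # stale copy
    "Z_MM_MASTER": {"Z_MARA_BUK": {"ACTVT": {"03"}, "BUKRS": {"$BUKRS"}}},
}


def inheritance_hierarchy(rows):
    """master role -> sorted list of roles derived from it (the PFCG hierarchy view)."""
    tree = {}
    for role, parent in rows:
        if parent:
            tree.setdefault(parent, []).append(role)
    return {master: sorted(derived) for master, derived in tree.items()}


def generate_derived_roles(master, rows=AGR_DEFINE, auths=AUTHS, org_levels=ORG_LEVELS):
    """Copy the master's authorizations to each derived role, substituting that
    role's own org-level values. Returns the derived roles whose org levels are
    still missing (these keep the placeholder and would show a red traffic light)."""
    incomplete = []
    for derived in inheritance_hierarchy(rows).get(master, []):
        levels = org_levels.get(derived, {})
        new_auths = {}
        for obj, fields in auths[master].items():
            new_fields = {}
            for fld, values in fields.items():
                if fld in ORG_LEVEL_FIELDS:
                    if fld not in levels:
                        incomplete.append(derived)
                    new_fields[fld] = set(levels.get(fld, values))   # placeholder stays if missing
                else:
                    new_fields[fld] = set(values)                    # non-org values copied as-is
            new_auths[obj] = new_fields
        auths[derived] = new_auths           # overwrites any stale authorization data
    return sorted(set(incomplete))
```

After generation, Z_SD_1000 and Z_SD_2000 carry the master's activities with their own VKORG, the stale copy in Z_SD_1000 is overwritten, Z_SD_NEW is reported because it has no org-level value yet, and roles under a different master are untouched.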

To make a composite role

The definition is the same as for single role creation.

Here we add the roles that we want in the one composite role.

A child role has the role menu of its parent role only. If we change the menu, it becomes a standalone role and is no longer in a parent-child relationship.

Here we name the users to whom this role is to be assigned.

A user comparison is done to update their user master records with the changed roles and authorizations.

The personalizations provided by the SAP standard are shown here. This is basically the user's choice of how he wants to view the roles.

These are the various areas from which a person can get help: Glossary, release notes, Marketplace.

TABS IN THE MENU BAR
ROLE

Apart from the other options, which are self-explanatory, we discuss the READ FROM OTHER SYSTEM option. A typical question: "I created a single role in a child system and cannot find it in the CUA system; what is the process to push this role from the child system to CUA?"

Perform an RFC read of the role from the CUA system:
PFCG -> Role -> Read from other system by RFC -> select the child system -> enter the role name and read the role. The role can now be found in the CUA system.

ENVIRONMENT

Text comparison for CUA CENTRAL SYSTEM: the Text Comparison in PFCG is the same as the Text Comparison from Child System button on the Roles tab in SU01. This function pulls in the lists of all roles available in the specified child systems, so that the role dropdown can be used when assigning roles to users in the central CUA system.

Check indicators show the type of authorization object check:

  U   Unmaintained     Check indicator is not set; PFCG does not propose the object for maintenance
  N   No check         No active check; PFCG does not propose the object for maintenance
  C   Check            Check is performed; PFCG does not propose the object for maintenance
  CM  Check/Maintain   Check is performed; PFCG proposes the object for maintenance

SYSTEM

The System menu also offers services. They include:

Services, QuickViewer, table maintenance (maintaining various tables in SAP), batch input (entering bulk input at one time).
UTILITIES

MASS GENERATION

Mass generation generates multiple profiles at one time.

Mass changes in user administration

Most changes that can be made for one user in user management can also be made for a set of users.

Logon data, constants, parameters, roles and profiles can be changed for a set of users.

You select the users in the user administration information system. Users can be selected, for example, by address data or authorization data.

ROLE COMPARISON

Role comparison transaction: ROLE_CMP

You can compare and adjust roles between:

 two roles in a system
 two roles in different systems
 a role and its template
 a newly delivered role and its previous customer version

An RFC destination must be maintained for comparisons across systems.

To read more on this, go to

http://help.sap.com/saphelp_banking463/helpdata/en/5c/deaa7dd3d411d3970a0000e82de14a/content.htm
USER ASSIGNMENT OF ROLES

FLOWCHARTS

FLOWCHART 1 : SETTING UP ACTIVITY CODES

FLOWCHART 2 : FIND PERMITTED ACTIVITIES IN AN OBJECT
APPENDIX

APPENDIX A : SECURITY TABLES

USR02        Logon data
USR04        User master authorization (one row per user)
UST04        User profiles (multiple rows per user)
USR10        Authorization profiles (e.g. &_SAP_ALL)
UST10C       Composite profiles (i.e. profile has sub-profiles)
USR11        Text for authorization profiles
USR12        Authorization values
USR13        Short text for authorization
USR40        Table of illegal passwords
USGRP        User groups
USGRPT       Text table for USGRP
USH02        Change history for logon data
USR01        User master (runtime data)
USER_ADDR    Address data for users
AGR_1016     Name of the activity group profile
AGR_1016B    Name of the activity group profile
AGR_1250     Authorization data for the activity group
AGR_1251     Authorization data for the activity group
AGR_1252     Organizational elements for authorizations
AGR_AGRS     Roles in composite roles
AGR_DEFINE   Role definition
AGR_HIER2    Menu structure information - customer version
AGR_HIERT    Role menu texts
AGR_OBJ      Assignment of menu nodes to role
AGR_PROF     Profile name for role
AGR_TCDTXT   Assignment of roles to transaction codes
AGR_TEXTS    File structure for hierarchical menu - customer
AGR_TIME     Time stamp for role, including profile
AGR_USERS    Assignment of roles to users
USOBT        Relation transaction to authorization object (SAP)
USOBT_C      Relation transaction to authorization object (customer)
USOBX        Check table for table USOBT
USOBXFLAGS   Temporary table for storing USOBX/T* changes
USOBX_C      Check table for table USOBT_C

APPENDIX B: Additional information

1. TROUBLESHOOTING

If we run into problems, we can take help from the SAP R/3 frontend notes:

 Quickly solve our problem

 Directly send the problem for first-level customer processing

 For this, contact your system administrator

2. Transaction SM01 can be used to lock transactions; one or many transactions can be locked at a time in the system.

When a user starts a transaction, the system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.

Dynamic Authorization
It is used to maintain single roles and profiles for different end users. For more details and the step-by-step process, see:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0f9f33c-0f17-2d10-d3a2-ae52ccd00780?QuickLink=index&overridelayout=true

When upgrading a system, some objects may become obsolete in the newer version. To see the permitted activity levels of an object, we have two options:

 Go to transaction SU21, select the class and the required authorization object, and double-click it. The details of the authorization object are displayed, including the permitted activities that can be set for it.

 Go to SE16 and view table TACTZ. Search for the required object to get the activity levels that are allowed for it.
APPENDIX C: SECURITY SCENARIOS
 Problem discussion while updating values in SU24:

http://www.sapfans.com/forums/viewtopic.php?f=24&t=203249

Scenario 1:

Problem 1:

We have roles and users created in QA for training; now we want to move the roles from QA to Production with the user assignment.

The users that were created in QA for training have also been created in Production. Is it possible to move the roles from QA to Production with the user assignment?

Solution:

When you create the transport from PFCG, there is a "Choose objects" pop-up. There are check boxes for "User assignment" and "Personalization". Tick the user assignment check box to include the user assignment in the transport, which will move it into the target system.

Prior to that, check the Customizing table PRGN_CUST for an entry USER_REL_IMPORT with the value NO; if it exists, you need to remove it using transaction SM30 in order to transport the user assignment along with the roles.

But make sure that all users assigned to the role in your QA are present in Production as well; any additional user in Production having this role would lose the assignment once your transport moves in.

Problem 2: When he saw that there were no such values in the table, he created a transport request (MASS TRANSPORT REQUEST).

A local TR was generated. Even manually copying the data files and cofiles to the target system did not work.

Solution: A TR is created as a local change request only when you do not specify a target system/group. All you need to do is specify the "Target" while creating the TR in PFCG (the screen after you hit Create request) and release your TR via SE10. Once released, the TR is added to the import queue of Production. You or your Basis team can import it manually via STMS_IMPORT (Extras -> Other requests -> Add TR, and Ctrl+F11 to import). If there are any errors, have the Basis team review the transport logs.

Result: Finally the roles were downloaded from QA and uploaded to Production, and the user assignment was done manually in the Production system.
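As an added example (not code from this document, the forum thread, or SAP), the following Python pre-check covers the two things the solution above tells you to verify before releasing a role transport that carries user assignments: that PRGN_CUST in the target does not carry USER_REL_IMPORT = NO, and which Production users would lose the role because the transported assignment replaces the existing one. The table contents, users and role name are constructed stand-ins for PRGN_CUST, AGR_USERS and USR02.

```python
"""Pre-transport check for a role transport with user assignment (Scenario 1).
Constructed stand-in data, not SAP code."""

# Stand-in for PRGN_CUST (NAME -> VALUE) in the target system.
PRGN_CUST_PRD = {"USER_REL_IMPORT": "NO"}

# Stand-in for AGR_USERS in source and target: role -> set of assigned users.
AGR_USERS_QA = {"Z_SD_TRAIN": {"JSMITH", "AJONES", "TRAIN01"}}
AGR_USERS_PRD = {"Z_SD_TRAIN": {"JSMITH", "AJONES", "PKUMAR"}}
USR02_PRD = {"JSMITH", "AJONES", "PKUMAR"}      # users that exist in Production


def user_assignment_import_allowed(prgn_cust):
    """User assignments are only imported when USER_REL_IMPORT is not set to NO."""
    return prgn_cust.get("USER_REL_IMPORT", "").upper() != "NO"


def transport_preview(role, source, target, target_users):
    """What the role's user assignment looks like after import.
    Returns (users gaining the role, users losing it, assigned users missing in target)."""
    src = source.get(role, set())
    tgt = target.get(role, set())
    return (
        sorted(src - tgt),                 # will be assigned after import
        sorted(tgt - src),                 # assignment replaced, so they lose the role
        sorted(src - target_users),        # do not exist in target, cannot be assigned
    )


def precheck(role, prgn_cust=PRGN_CUST_PRD, source=AGR_USERS_QA,
             target=AGR_USERS_PRD, target_users=USR02_PRD):
    """Findings to clear before releasing the transport; an empty list means go."""
    findings = []
    if not user_assignment_import_allowed(prgn_cust):
        findings.append("PRGN_CUST USER_REL_IMPORT = NO in target: user assignment would be skipped")
    _gain, lose, missing = transport_preview(role, source, target, target_users)
    for user in lose:
        findings.append(f"{user} holds {role} in target but not in source: assignment would be lost")
    for user in missing:
        findings.append(f"{user} is assigned {role} in source but does not exist in target")
    return findings
```

With the constructed data the check reports the blocking PRGN_CUST entry, the Production-only user PKUMAR who would lose the role, and the training user TRAIN01 who does not exist in Production; once those are cleared it returns no findings.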

Scenario 2:

EXAMPLE OF ROLE MAINTENANCE:

You are using the SD and MM applications but not HR or HR-ORG.

You are not using warehouse management within materials management.

Your company has five plants and you want to create material master data for them. A separate employee is responsible for each plant, and must not be able to change the data for other plants.

http://help.sap.com/saphelp_sm32/helpdata/en/52/671571439b11d1896f0000e8322d00/content.htm
REFERENCES
 Book: Authorization Made Easy, Release 4.6A/B
 Website: http://help.sap.com/
 Website: www.saptechies.com
 Forums on the internet for SAP fans: http://forums.sdn.sap.com
 http://help.sap.com/saphelp_nw04/helpdata/en/f9/558f40f3b19920e10000000a1550b0/content.htm
 http://www.scribd.com/doc/27882203/SAP-Authorization-Concept