
ABAP USR relationships

[Diagram: entities Client, User, Group, Administrator (a user), Single Role, Composite Roles, Authorization profile, Object Class, Auth. object, Auth. field, Transactions]
Types of users: Dialog, Service, Reference, Background, Communication
Relationship labels: "Manages group of user", "Belong to a", "Can belong to a group"
Cardinality labels: M:N, 1:1, 1:n, 1:10, n, m, 1
Note in the diagram: This applies only when using SAP predefined profiles
PFCG - Role
SUGR - User Group
SU01 - User
SU10 - User Mass Maintenance
SUIM - User Information System
SPRO - Implementation Guide
SE93 - Copy transaction, create transaction
SU24 - Authorization maintenance
SU25
PFUD - User Master comparison
SUPC - Mass generation of profiles
SAP user creation
Role creation (PFCG)
Assign Transaction (Menu tab)
Auth Values by:
1) Choice list
2) SPRO
3) F1
4) SU03
5) help.sap.com, sdn.sap.com, service.sap.com
6) Google
7) Business User
User Creation (SU01)
Change Auth Data
SU01 - User creation
PFCG - Role creation
SU03 - Maintain Auth profiles, said to be replaced by PFCG
Auto gen Auth. Profile name (Auth tab)
Set Org. Values
Set Auth values
Generate
Assign User(s) (User tab)
User Comparison
SU24: Can be used to preset which auth objects should be checked and what values go in the default auth object field values. Not used much at client locations.
Role creation (PFCG)
Copy SAP* role to Z/Y role and edit the copy
Auth Values by:
1) Choice list
2) SPRO
3) F1
4) SU03
5) help.sap.com, sdn.sap.com, service.sap.com
6) Google
7) Business User
User Creation (SU01)
Change Auth Data
SU01 - User creation
PFCG - Role creation
SU03 - Maintain Auth profiles, said to be replaced by PFCG
Auto gen Auth. Profile name (Auth tab)
Set Org. Values
Set Auth values
Generate
Assign User(s) (User tab)
User Comparison
Typical USR creation at customer location
SU24: Can be used to preset which auth objects should be checked and what values go in the default auth object field values. Not used much at client locations.
SUPC: For mass generation of authorization profile. This was used in older versions predating PFCG.
At the start of PFCG, make the following setting to be able to see the Org. Mgt button.
Role creation (PFCG)
Copy SAP* role to Z/Y role and edit the copy
Change Auth Data
SU01 - User creation
PFCG - Role creation
SU03 - Maintain Auth profiles, said to be replaced by PFCG
SU24 - Authorization management
SUPC - Mass generation of authorization profile
SU53 - The last authorization error
ST01 - Trace authorization check
Auto gen Auth. Profile name (Auth tab)
Set Org. Values
Set Auth values
Generate
Click Org. Mgmt. (User tab)
Click on create assignment
Authorization using HR Organization structure
Select Org. level entity (e.g. Position, Job)
Click on indirect assignment
User comparison. The user assigned to the position/job in HR will be assigned the current role.
PFCG Assigning users by reference using Organizational Management
- Position exists,
- person assigned to position
NO
- Infotype/subtype (105/0001)
- SAP User Id
- Position exists,
- Person assigned to position
- 105/0001 defined ( using PA 30 )
NO
- SAP User Id
- Position exists,
- Person assigned to position
- 105/0001 defined ( using PA 30 )
- SAP User Id defined (SU01)
Disabling the auth check for HR & Basis transactions is not allowed when using SU24, but changing auth field values is allowed.
Duplicate auth objects cannot be added. To do this, manual entry in PFCG has to be used.
When using SU24 to uncheck auth object check (S_TRANSL), for PA30.
Structural Authorization to manage persons' info types
Review Org. Struct (PPOME)
OOAC -> OOAW -> OOSP -> OOSB
Set Struct Auth. Check to 1 (OOAC)
Review Evaluation Paths (OOAW)
Create struct. Auth profile (OOSP)
Look up the SAP user id (105/0001) (PA30)
Create 105/0001, if non-existent (PA30)
Create/validate SAP user defined in PA30 (105/0001) (SU01)
Associate user to Auth profile (OOSB)
Create profile for user, add PA30 and SU53 (PFCG)
Login as the new user and test PA30
Run PA30 with ST01 trace on and check for required authorization objects
Set the required Auth Objects using PFCG in the new profile
Run SU53, apply required authorization, run PA30, SU53, until no auth errors occur.
Assign user by assigning role to the Org. Unit of the user
Exclude user from modifying own HR data (P_PERNR Auth. object)
Should not have any other P_PERNR other than the one above
<Dummy> in SU53 = *
SAP Library on Structured auth.
Structural Authorization Additional Info: PPOME
OOAC -
Click here and check id to be displayed
Status codes are:
1) Active
2) Planned
3) Submitted
4) Approved
5) Rejected
Periods are:
D - Key Date
M - Current month
Y - Current year
P - Past
F - Future
Flag for Excluded Structural Profiles
If not set - NCERTO can view org unit 50004515 and 3 levels lower in the hierarchy. The list shown when i is pressed and personnel not assigned to any org unit will be displayed in PA30. NCERTO will be included in the list.
If set - The list shown when i is pressed will be excluded when using PA30, and personnel not assigned to any org unit. NCERTO will be included.
Clicking on i should bring up a finite/small list. If "All" is in the auth profile column, the user does not have infotype 105/0001 defined, or the SAP user has not been created (SU01).
OOSP
OOSB
OOSP
OOSB
Structural Authorization Additional Info: OOSP, OOSB
Additional filtering of the result set can be controlled by a custom function (ABAP, JAVA)
Sequence number. Can have more than one row for the Auth profile.
Evaluation defined in OOAW transaction
Object Type defines the number entered in Object I
Sign: if +, the depth value applies below the object; if -, it applies above. Default is +
Make sure the start date and end date are as required
OOSP
Depth of 3 covers only the department employees. Need to understand this better.
The number given does not correspond to Org. Levels, in testing
The auth. check for PA30 failed
The green tick should show for authorization checks. The HR struct check can show failure to reflect the personnel excluded by the structural auth defined in OOSP and OOSB (the exclude flag)
Structural Authorization Additional Info PA30 and SU53
The key transactions and programs to keep handy when working with structural profiles are OOAC
(activate structural authorization checks -- this is configuration and transportable), OOSP (create
structural profiles -- also transportable), OOAW (create evaluation paths, which are used by
structural profiles), PO13 (position maintenance, where you assign profiles to positions -- done in
each system), RHPROFL0 (report, not tcode -- this evaluates all the profile to position
assignments, the holders of those positions, and the usernames associated with those holders,
ultimately assigning profiles to the user -- it will also create new users in batch for you), OOSB
(checks which users have which profiles -- but not recommended as a way of directly assigning
them), OOVK (creates relationships, which are used in evaluation paths), RHBAUS02 and
RHBAUS00 (create indexes for users with large structural authorizations, for performance
reasons), and RHSTRU00 (display structures via evaluation path, for testing and development
purposes).
Transaction OOSP - Definition of Authorization Profiles (Table T77PR):
Create the structural authorizations that you then assign to the administrator
users in transaction OOSB.
See: Definition of Structural Authorizations
Transaction OOSB - Assignment of Profile to Users (T77UA):
Assign the authorization profiles from transaction OOSP to the administrator
users.
See: Assignment of Structural Authorizations
Add all personnel not associated to an org. unit.
Structural Authorization Filters in the process
Master list - all personnel in client
AC_AW_SP_SB -> OOAC, OOAW, OOSP, OOSB
In OOSB, is the exclude check box checked?
A list included / A list excluded
Filter down to list defined in OOSP/OOSB (A list) (when i is clicked)
Not checked
checked
Auth Object P_PERNR field value
User of PA30 included
User of PA30 excluded
???
???
Allow editing based on the check made in OOSP
Filter 1
Filter 2
Filter 3
Default addition
HR Entity relations
[Diagram: entities Client, Company, Company Code, Legal Person, Business Area, Functional Areas, Profit Centers, Cost Center, Credit Control Area, Line of business, Personnel Area, Sub-Area, Organizational Unit, Org. Key, Work Center, Position (VP of..), Job (VP), Person / Employee, Employee Group, Employee Sub-Group, Info type (105 - Communication), Sub-Info type (0001 - usr id.); cardinality labels 1, n, m]
SPRO - Implementation guide
PA30 - Maintain HR Master
PPOME - Change Org. and staffing
Obj. Type      Key
Org. Units     O
Jobs           C
Positions      S
Cost centers   K
Persons        P
Position, another perspective
[Diagram: relationship labels "Does", "holds", "is a"]
User Creation (SU01)
Super User creation
Out of the box clients and users
Client / User / Description
Client 000, user SAP*: Used during install, but its password is not pass subsequently. If the user SAP* is deleted, we can log in again with SAP* and password pass. To deactivate the special properties of SAP*, set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero (NEED TO CHECK THIS OUT ONCE MORE). If the parameter is set, then SAP* has no special default properties. If there is no SAP* user master record, then SAP* cannot be used to log on.
Client 001, user DDIC: Maintainer of the data dictionary and software logistics. Do not delete. Manage the password.
Client 066, user EARLYWATCH: Used in EarlyWatch functions, performance and monitoring. Do not delete. Manage the password.
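The SAP* behaviour described above can be audited offline. The following is an added example, not part of the original slides: it reads an instance profile for login/no_automatic_user_sapstar and flags clients that have no SAP* master record while the parameter is not greater than zero. The profile text and per-client user lists are constructed sample data, the function names are hypothetical, and treating the last assignment in the file as the effective one and an absent parameter as "needs review" are assumptions.

```python
import re

PARAM = "login/no_automatic_user_sapstar"

def read_param(profile_text, name=PARAM):
    """Return the integer value of a profile parameter, or None if absent.

    Assumption: '#' starts a comment line and the last assignment wins.
    """
    value = None
    for line in profile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(.*)", line)
        if m and m.group(1) == name:
            try:
                value = int(m.group(2).strip())
            except ValueError:
                value = None  # unparsable value: treat as unknown
    return value

def audit_sapstar(profile_text, users_by_client):
    """Flag clients where the built-in SAP* logon would be available."""
    value = read_param(profile_text)
    findings = []
    for client, users in sorted(users_by_client.items()):
        if "SAP*" in {u.upper() for u in users}:
            continue  # a master record exists, so the built-in logon does not apply
        if value is None:
            findings.append((client, "review: parameter not set in profile"))
        elif value <= 0:
            findings.append((client, "exposed: no SAP* record, parameter not > 0"))
    return findings

# Constructed sample data (not from a real system).
WEAK_PROFILE = """# instance profile (constructed)
login/no_automatic_user_sapstar = 0
"""
HARDENED_PROFILE = WEAK_PROFILE.replace("= 0", "= 1")
USERS = {"000": ["SAP*", "DDIC"], "001": ["DDIC"], "066": ["EARLYWATCH"]}

if __name__ == "__main__":
    print(audit_sapstar(WEAK_PROFILE, USERS))      # clients 001 and 066 flagged
    print(audit_sapstar(HARDENED_PROFILE, USERS))  # no findings
```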
ABAP User Types
Type: Purpose
Dialog: Individual, interactive system access.
System: Background processing and communication within a system (such as RFC users for ALE, Workflow, TMS, and CUA).
Communication: Dialog-free communication for external RFC calls.
Service: Dialog user available to a larger, anonymous group of users.
Reference: General, non-person related users that allows the assignment of additional identical authorizations, such as for Internet users created with transaction SU01. No logon is possible.
http://help.sap.com/saphelp_nw04/helpdata/EN/52/67119e439b11d1896f0000e8322d00/frameset.htm
Central User Administration
[Diagram: Central system, Child system]
ALE - Application link enabling
Application Link Enabling (ALE) is a technology to create and run distributed applications.
The IDoc interface exchanges business data with an external system.
The IDoc interface consists of the definition of a data structure, along with processing logic for this data structure.
You need the IDoc interface in the following scenarios:
- Electronic data exchange (EDI)
- Connect other business application systems (e.g. PC applications, external Workflow tools) by IDoc
- Application Link Enabling (ALE).
Central User Administration (CUA) system. With active Central User Administration, you can only delete or create child system users in the central system. You can change users that already exist in the child system, if the settings that you choose for the distribution of the data (transaction SCUM) allow this.
User Management Engine
[Diagram: Java, UME]
SAP Solutions
[Diagram: SAP, ERP, CRM, SRM, SCM, Accounting, Logistics, HR, Financial accounting, Controlling, SAP for Banking, SAP for Retail, SAP for Automotive, SAP for Chemical, SAP for Health care, PLM, IS, BI, BW, Solution Manager IT management]
This is the user id
This is a warning message. Press Enter to ignore the warning
PA30 - Creating info type 105, subtype 0001 (userid)
