Solution 1: Create and Implement an Authorization Concept

____________________
a) “VA01”,
“VA02”,
“VA03”,
“V.01”.

Task 4: Define the Roles for the Enterprise Areas

In the following steps (step 1- 5), define the roles for the enterprise areas:
● Financial Accounting (FI)
● Sales and Distribution (SD)
● Materials Management (MM)

Then, assign transactions to these roles. If you are not experienced in the areas in question,
and you are not sure which transactions to use, use the solution as a guideline.
The following table contains the solutions to steps 1- 5:

Table 1: Sample Authorization Concept

Business area>>> FI SD SD MM
Work Place Description>>> AccRec SDClerk SDMan Whouse
SAP R/3 Links: Scope Scope Scope Scope
T Code

MM01
MM02
MM03 x x x x
MM19 x x x x
MM04 x x x x

FD01 x x
FD02 x x
FD03 x x
VD01 x x
VD02 x x
VD03 x x

VA21 x x
VA22 x x
VA23 x x
VA25 x x

VA01 x x

© Copyright. All rights reserved. 7

Unit 1: Authorizations in General

Business area>>> FI SD SD MM
Work Place Description>>> AccRec SDClerk SDMan Whouse
SAP R/3 Links: Scope Scope Scope Scope
T Code

VA02 x x
VA03 x x
V.01 x x

MB1C x
MB90 x
VL21 x

F-18 x
F-26 x
F-28 x

1. Create the FI Enterprise Area.

Create the job role for an Accounts Receivable Accountant (AccRec, FI).
a) Enter FI in the column header for Business area and AccRec as a job role name on the
Work Place Description worksheet.

b) Assign all transactions of the Manual Incoming Payments business process to the
accounts receivable accountant by placing an “x” for these transactions in the AccRec
column. The accounts receivable accountant should also be able to maintain the
accounting views of the accounts receivable master.

2. Create the SD Enterprise Area.

Define a job role for a Sales and Distribution clerk (SDClerk, SD).
a) Enter SD in the column header for Business area and SDClerk as a job role name on
the Work Place Description worksheet.

b) Assign all transactions of the Sales Order Processing (Standard) business process as
well as transactions for overall maintenance of the SD views of the accounts receivable
master records to this role.

3. Create the SD Enterprise Area.

Define a job role for the Sales and Distribution manager (SDMan, SD).
a) Enter SD in the column header for Business area and SDMan as a job role name on the
Work Place Description worksheet.

b) Assign all transactions of the Sales Order Processing (Standard) business process as
well as transactions for overall maintenance of all (accounting and sales and
distribution) views of the accounts receivable master to this role.

4. Create the MM Enterprise Area.

Define a job role for a Warehouse Supervisor (Whouse, MM) for the MM enterprise area.

© Copyright. All rights reserved. 8

 Solution 1: Create and Implement an Authorization Concept

a) Enter MM in the column header for Business area and Whouse as a job role name on the
Work Place Description worksheet.

b) Assign the transactions of the Goods Receipt Processing business process to this role.

5. Add transactions MM03, MM04, and MM19 for displaying material master data for all job
roles.
a) Place an “x” for these transactions in the respective columns of all job roles.

Task 5: Generate an Overview of the Transactions and Roles

Switch to the Microsoft Excel list on the second worksheet T Codes for each Role. Generate an
overview of the transactions and roles by pressing the appropriate button. Do you remember
them?

1. How many transactions were chosen for the individual roles:

AccRec: ____________ Transactions
SDClerk ____________ Transactions
SDMan ____________ Transactions
Whouse ____________ Transactions

a) Switch to the Microsoft Excel list on the second worksheet T Codes for each Role.

b) Choose Generate to generate an overview of the transactions and roles.

AccRec: 9 Transactions
SDClerk 14 Transactions
SDMan 17 Transactions
Whouse 6 Transactions

Task 6: Combine the Transactions into Meaningful Roles

Now combine these transactions into meaningful roles to ensure that these single roles can
be reused in several composite roles.

Hint:
There are several ways to do this.
Do not worry if your solution is not the same as your neighbor's. The solutions
will vary from group to group.

Go back to the first worksheet “Roles Design - scope”.

1. Combine several transactions into roles in such a way that these single roles can be
reused in several composite roles. To do this, you can color code the roles or draw a
border around them.
a) There are several solutions to this task.
Model solution as a sample authorization concept.

© Copyright. All rights reserved. 9

Unit 1: Authorizations in General

2. Give the roles meaningful names and enter the associated transactions in the following
table. Compare the names that you have given the roles with the suggestions in the
solution. Which naming convention do you use in your company?
Name of the Role Transactions for this Role

a) The following table shows the role names in accordance with the example
authorization concept, which you will use in later exercises. The example authorization
concept is then shown graphically.
Name of the Role Transactions for this Role

GR##_MM_MAT_ANZ MM03, MM04, MM19

GR##_FI_ACCREC_MAINT FD01, FD02, FD03
GR##_SD_CUST_MAINT VD01, VD02, VD03
GR##_SD_SALES VA21, VA22, VA23, VA25, VA01, VA02, VA03,
V.01
GR##_MM_IM_POST MB1C, MB90, VL21
GR##_FI_IP_POST F-18, F-26, F-28

Sample Authorization Concept (role distribution)

© Copyright. All rights reserved. 10

 Unit 2
Exercise 2
Display Authorization Information of the
Authorization Concept (ABAP)

Business Example

Task 1: Display the Master Record of User ADM940-##.

Display the master record of user ADM940-##.

1. Are roles assigned to the user? If yes, which ones?

______________________ ,
______________________ ,
______________________ ,
______________________ .

2. Is an authorization profile assigned to the user? If yes, which one/s?

______________________ ,
______________________ ,
______________________ ,

Task 2: Display the Details for an Authorization Profile

1. Display the details for the authorization profile for role ADM940_PLUS.

Hint:
Double-click the profile name to go to the detail screen of the authorization
profile.

Expand the tree structure of the authorization profile.

Do you have authorizations for the following authorization objects?
- F_BKPF_BUK? _____
- PLOG? _____
- S_TCODE? _____
- S_USER_GRP? _____
From the detail screen of the authorization profile, go back to the display of the user
master record.
Exit the transaction.

2. Which authorization fields does the object S_USER_GRP consist of?

____________________________________

© Copyright. All rights reserved. 11

Unit 2: Basic Terminology of Authorizations

____________________________________

3. Which authorization values do you have for the authorization object S_USER_GRP?
Authorization combination 1:
Field 1) ___________________ Field 2) ___________________
Authorization combination 2:
Field 1) ___________________ Field 2) ___________________

Task 3: Analyze Authorization Objects Using the User Information System

Display various authorization information in the User Information System.

1. Navigate to the User Information System in the SAP Menu.

2. Select the authorization object S_USER_GRP.

3. To which authorization object class is the authorization object S_USER_GRP assigned?

4. Display the documentation for this authorization object and find out in which transactions
the authorization object is checked, and what activities are possible.
In which transactions is the authorization object checked?
_______________________; _______________________; _______________________;
_______________________; _______________________; _______________________;
What activities are possible?
___________; ___________; ___________; ___________; ___________; ___________;
___________; ___________; ___________; ___________;

5. Search for authorization whose names begin with S_USER?

6. How many authorization objects have a name that begins with S_USER?
____________________

7. Find out about the authorization object S_USER_TCD by displaying the documentation.
What is controlled with this authorization object?
_________________________________________________________
_________________________________________________________
_________________________________________________________
Which authorization field(s) does the object consist of?
____________________

Task 4: Analyze the Role ADM940_SD_SALES Using the User Information System

1. Navigate to the User Information System in the SAP Menu.

2. Use Report Roles by Complex Selection Criteria node → By Role Name with the role
ADM940_SD_SALES.

3. Display the transaction assignment for the role.

Do these roles allow you to start transactions that start with “X”?
____________________
Does this role provide authorization to call transaction VA03?

© Copyright. All rights reserved. 12

 Exercise 2: Display Authorization Information of the Authorization Concept (ABAP)

____________________
Does this role provide authorization to call transaction MM03?
_____________________

© Copyright. All rights reserved. 13

 Unit 2
Solution 2
Display Authorization Information of the
Authorization Concept (ABAP)

Business Example

Task 1: Display the Master Record of User ADM940-##.

Display the master record of user ADM940-##.

1. Are roles assigned to the user? If yes, which ones?

______________________ ,
______________________ ,
______________________ ,
______________________ .
a) SAP Menu: Tools → Administration → User Maintenance → Users, “SU01”.
Enter ADM940-## and choose Display (F7).

b) Select the Roles tab page.

Yes:
ADM940_DEMO_MENU
ADM940_DISPLAY
ADM940_PLUS
ADM940_USER

2. Is an authorization profile assigned to the user? If yes, which one/s?

______________________ ,
______________________ ,
______________________ ,
a) Choose the Profiles tab page.
Yes:
Profile for role ADM940_DISPLAY (many)
Profile for role ADM94_PLUS
Profile for role ADM94_USER

Task 2: Display the Details for an Authorization Profile

1. Display the details for the authorization profile for role ADM940_PLUS.

© Copyright. All rights reserved. 14

 Solution 2: Display Authorization Information of the Authorization Concept (ABAP)

Hint:
Double-click the profile name to go to the detail screen of the authorization
profile.

Expand the tree structure of the authorization profile.

Do you have authorizations for the following authorization objects?
- F_BKPF_BUK? _____
- PLOG? _____
- S_TCODE? _____
- S_USER_GRP? _____
From the detail screen of the authorization profile, go back to the display of the user
master record.
Exit the transaction.
a) Double-click the profile name to go to the detail screen of the authorization profile.
Expand the tree structure of the authorization profile.
Authorization for authorization object:
- F_BKPF_BUK? No.
- PLOG? No.
- S_TCODE? Yes.
- S_USER_GRP? Yes.

2. Which authorization fields does the object S_USER_GRP consist of?

____________________________________
____________________________________
a) Authorization fields for the authorization object S_USER_GRP:
ACTVT Activity
CLASS User group in user master maintenance

3. Which authorization values do you have for the authorization object S_USER_GRP?
Authorization combination 1:
Field 1) ___________________ Field 2) ___________________
Authorization combination 2:
Field 1) ___________________ Field 2) ___________________
a) Authorization values for the authorization object S_USER_GRP:
Authorization combination 1) :
Field 1: ACTVT: 05, Field 2: CLASS: Z*.
Authorization combination 2) :
Field 1: ACTVT: 03, 08, Field 2: CLASS: *.

© Copyright. All rights reserved. 15

Unit 2: Basic Terminology of Authorizations

b) From the detail screen of the authorization profile, go back to the display of the user
master record.

c) Exit the transaction.

Task 3: Analyze Authorization Objects Using the User Information System

Display various authorization information in the User Information System.

1. Navigate to the User Information System in the SAP Menu.

a) SAP Menu: → Tools → Administration → User Maintenance → Information System
folder.

2. Select the authorization object S_USER_GRP.

a) Expand the structure for the Authorization Objects node, and select the report
Authorization Objects - By Object Name, Text by double-clicking it.

b) Enter S_USER_GRP in the Authorization Object field.

c) Choose Execute (F8).

d) Double click Object S_USER_GRP.

3. To which authorization object class is the authorization object S_USER_GRP assigned?

a) You are in the pop up: Display Authorization Object. Which content has the field Class?
The Authorization object class for authorization object S_USER_GRP is: BC_A, Basis
Administration.

4. Display the documentation for this authorization object and find out in which transactions
the authorization object is checked, and what activities are possible.
In which transactions is the authorization object checked?
_______________________; _______________________; _______________________;
_______________________; _______________________; _______________________;
What activities are possible?
___________; ___________; ___________; ___________; ___________; ___________;
___________; ___________; ___________; ___________;
a) Select the authorization object and choose the Display Object Documentation button.

b) Transactions with integrated check of S_USER_GRP:

“SU01”, “SU10”, “SU12”, “PFCG”, “SUUM”, “SUUMD”.

c) Possible values for the Activity field:

01: Create
02: Change
03: Display
05: Lock, Unlock
06: Delete
08: Display Change Documents
22: Add Users to Roles
24: Archive

© Copyright. All rights reserved. 16