Unit 3

Solution 4
Maintain and Evaluate User Data

Business Example
Almost all companies use PCs and software programs to support their employees in their
daily work. However, to work with this technology, the users require access and
authorizations to call the programs. A control method in an SAP system is the user master
record and its roles and profiles.

Task 1: Create a user group

Create a new user group ZGR## with a description of your choice.

1. Start transaction Maintain User Groups (SUGR).

a) SAP Menu: → Tools → Administration → User Maintenance → User Groups,
(transaction code SUGR).

b) Enter ZGR## in the User group field.

c) Choose Create user group (F8).

d) Enter a description in theText field and choose Save (Ctrl+S).

Task 2: Create a User Master Record

Create a user master record for a dialog user GR##-ADM.

1. Start transaction User Maintenance (SU01).

a) Choose SAP Menu: → Tools → Administration → User Maintenance → Users,
(transaction code SU01).

b) Enter GR##-ADM in the User field and choose Create (F8).

c) Select the Address tab page.

Enter Admuser## in the Last name field.
Enter your choice of data in the other fields.

d) Select the Documentation tab page.

Enter User for Group ## in the Description field.
Enter ADM940-## in the Person Responsible field.

2. Enter an initial password of your choice and assign the user to user group ZGR##.
Initial password: Init1234
a) Select the Logon Data tab page.
Enter Init1234 in the New Password and the Repeat Password field.
Enter ZGR## in the User group field.

3. Assign the log-on language that you have used yourself for logging on.

© Copyright. All rights reserved. 27

Unit 3: User Settings

a) Select the Defaults tab page.

Enter the log-on language of your choice in the Logon Language field.

4. Save your user master record.

a) Choose Save (Ctrl+S).

b) Go back to the SAP Easy Access menu.

Task 3: Assign a Predefined Work Center Example to Your New User Master Record
Assign a predefined work center example ADM940_BC_ADMIN to your new user master
record by choosing the Other Menu button on the SAP Easy Access initial screen.

1. Choosing the Other Menu button on the SAP Easy Access initial screen (on the application
toolbar: [Shift+F5]).
a) In the SAP Easy Access menu, press the button Other Menu (Shift+F5).

b) Enter ADM940_* in the Single Role field.

c) Choose Start Search.

d) Select role ADM940_BC_ADMIN and choose Copy.

The role ADM940_BC_ADMIN is shown in the SAP Easy Access initial screen

2. Assign your new user GR##-ADM to the role ADM940_BC_ADMIN.

a) Choose the Assign users button on the SAP Easy Access initial screen.

b) Enter your user ID: GR##-ADM.

c) Choose Add Users.

Task 4: Check the User Master Record

Switch from the Other menu display back to the SAP menu display.
Check the user master record of your user GR##-ADM.

1. Switch from the Other menu display back to the SAP menu display.
a) Choose SAP Menu (Ctrl+F11).

2. Check whether a role is assigned to your user GR##-ADM.

Assigned role:
____________________
a) Start transaction User Maintainance (SU01)
SAP Menu: → Tools → Administration → User Maintenance → Users, (transaction
code SU01).

b) Enter GR##-ADM in the User field and choose Change (Shift + F6).

c) Select theRoles tab page.

Answer: YES. A role is assigned on the Roles tab page: ADM940_BC_ADMIN.

3. Link your user with another role. Choose the role ADM940_PLUS.
a) On the Roles tab, enter ADM940_PLUS in the Role column and press Enter.

If you are in “display mode”, then change to “change mode” (Shift+F7).

4. Are authorization profiles assigned to your user?

© Copyright. All rights reserved. 28

 Solution 4: Maintain and Evaluate User Data

Which authorization profile(s)?

___________________;
___________________.
a) Select the Profiles tab page.
Assigned authorization profiles:
- Profile for role ADM940_BC_ADMIN
- Profile for role ADM940_PLUS.

5. Save your user master record.

a) Choose Save (Ctrl+S).

6. Go back to the SAP Easy Access menu.

Task 5: Display the Change Documents for a User

Display the change documents for your user GR##-ADM by calling up the information system
for users and authorizations and selecting the report For Users under Change Documents for
users and authorizations.

1. Display the change documents for your user GR##-ADM by calling up the information
system for users and authorizations and selecting the report For Users under Change
Documents for users and authorizations.
a) SAP Menu: → Tools → Administration → User Maintenance → Information
System → Change Documents → Users
Select the report: For Users.

b) Enter GR##-ADM in the User field.

c) Choose Select All on the User Attributes tab page in the Selection Criteria area.

d) Choose Select All on the Roles/Profiles tab page in the Selection Criteria area.

e) Choose Execute (F8).

2. Does the list tell you that creating the user master record and assigning the user to roles
were separate steps?
______________________________________________
a) Analyze the values in the Time column.
Yes. The different time stamps and the numbering tell you that the changes were
made in different steps/lines and one after another.

Task 6: Log On to the System with the Credentials of the Created User
Try to log on to the system as user GR##-ADM without Language information.

1. Start SAP Logon and log on to the system as user GR##-ADM.

a) Start SAP Logon.

b) Select system T41 and choose Log On.

c) Enter GR##-ADM in the User field.

d) Enter the initial password Init1234 in the Password field.

e) Leave the Language field empty.

© Copyright. All rights reserved. 29

Unit 3: User Settings

f) Choose Enter.

g) Enter a password of your choice, for example Welcome1 in the New Password and the
Repeat Password fields.

h) Choose Transfer (Enter).

i) Choose Continue (Enter).

2. Do you need to enter a log-on language?

____________________
a) No, the log-on language is set in the user master record.

3. Check the user menu (Ctrl+F10):

If you want to see the transaction codes in the user menu, select on the top menu
Extras → Settings and select Display Technical Name.
Which functions does it contain? List some examples.
______________________________________________
______________________________________________
a) The user menu contains transaction codes for:
- Users (SU01)
- Display users (SU01D)
- User mass maintenance (SU10)
- Maintain user groups (SUGR)
- Analyze user buffers (SU53) and
- Analyze user buffers (SU56) and
- Analyze user buffers (SUIM) and
- An additional submenu Information System with other entries.

4. Check the user buffer by calling the Analyze User Buffer transaction.
How many authorizations exist?
____________________
For which authorization objects? List some examples.
______________________________________________
______________________________________________
a) Start transaction SU56 in your user menu or in the SAP menu.
SAP Menu: → Tools → Administration → Monitor → User Buffer, (transaction code
SU56).

b) The number of authorization objects is shown in the Number of Authorizations field.

Number of Authorizations: 20

c) List of authorization objects:

- S_RFC
- S_TCODE (twice)

© Copyright. All rights reserved. 30

 Solution 4: Maintain and Evaluate User Data

- S_SECPOL
- S_TABU_DIS
- S_USER_AGR (three times)
- S_USER_AUT (twice)
- S_USER_GRP (three times)
- S_USER_PRO (twice)
- S_USER_SAS
- S_DEVELOP (twice)
- S_OC_SEND
- PLOG

5. Log off as user GR##-ADM and log on again as user ADM940-##.

a) In the session for user GR##-ADM, choose System → Log Off in the menu.

b) Start/Choose SAP Logon.

c) Select system T41 and choose Log On.

d) Log on with user ADM940-##.

Task 7: Create Users Using the User Mass Maintenance Transaction

Create additional user master records using the User Mass Maintenance transaction.

1. Start the User Mass Maintenance transaction.

a) SAP Menu:
→ Tools → Administration → User Maintenance → User Mass Maintenance,
(transaction code SU10).

2. Create the following six user names.

User Name

GR##-FI1
GR##-FI2
GR##-SD1
GR##-SD2
GR##-MM1
GR##-MM2

a) In the User column, enter the user names listed in the table and choose the Create (F8)
icon.

3. Assign the user group ZGR## to all users.

a) Select the Logon Data tab page.
Enter ZGR## in the User group field.

4. Assign the log-on language that you have used yourself for logging on.

© Copyright. All rights reserved. 31

Unit 3: User Settings

a) Select the Defaults tab page.

Enter the log-on language of your choice in the Logon Language field.

5. Save your user master record.

a) Choose Save (Ctrl+S) to save your result and to create the users.

6. Check the result in the change log for a given user entry.
You can copy the generated initial passwords into the tables in the exercise section.

Hint:
Passwords of 40 characters in length are automatically generated. If you
want, you can copy the generated passwords from the log to the following
table, or change them directly for future tasks in transaction SU01 when
required, using the Change Password button (Shift+F8).

User name Generated Password

GR##-FI1
GR##-FI2
GR##-SD1
GR##-SD2
GR##-MM1
GR##-MM2

a) The result including the generated password is shown in the Mass User Changes
protocol.

Hint:
Another option is to copy the log information to the SAP Business
Workplace area using the Export/Office function, from where it can be
called again at any time (SBWP), into “Private Folders” with a free Title.

7. You can copy the generated initial passwords into the tables in the exercise section.

© Copyright. All rights reserved. 32

 Unit 4
Exercise 5
Maintain Role and Standard Roles

Business Example
This role maintenance exercise deals with “basic maintenance” using Role Maintenance
(Goto / Settings in the menu). The following tasks should familiarize you with the basic role
maintenance functions and the automatic generation of SAP Easy Access user menus for
various work centers and the associated authorizations, profiles, and user assignments. If you
are attending SAP course ADM940, the next two lessons deal with special role types and the
subtleties of authorization maintenance.
Prerequisites

Note:
In the prerequisites of this exercise, you familiarize yourself with the authorization
concept that you implement in this and the following exercises. You do not create
all the roles at once. This is done in the course for the individual subtasks.

When you see “Use the transactions in accordance with the example authorization concept”,
you need to refer to the following tables: distribution of roles for transaction codes and
distribution of job roles for roles.

Name of the Role Transactions for this Role

GR##_MM_MAT_ANZ MM03, MM04, MM19

GR##_FI_ACCREC_MAINT FD01, FD02, FD03
GR##_SD_CUST_MAINT VD01, VD02, VD03
GR##_SD_SALES VA21, VA22, VA23, VA25, VA01, VA02, VA03, V.01
GR##_MM_IM_POST MB1C, MB90, VL21
GR##_FI_IP_POST F-18, F-26, F-28

Role/Transaction Distribution (Table 1: Example Authorization Concept)

Business area>>> FI SD SD MM
Work Place Description>>> AccRec SDClerk SDMan Whouse
SAP R/3 Links: Scope Scope Scope Scope
T Code

MM01
MM02
MM03 x x x x

© Copyright. All rights reserved. 33

Unit 4: Working with the Role Maintenance

Business area>>> FI SD SD MM
Work Place Description>>> AccRec SDClerk SDMan Whouse
SAP R/3 Links: Scope Scope Scope Scope
T Code

MM19 x x x x
MM04 x x x x

FD01 x x
FD02 x x
FD03 x x
VD01 x x
VD02 x x
VD03 x x

VA21 x x
VA22 x x
VA23 x x
VA25 x x

VA01 x x
VA02 x x
VA03 x x
V.01 x x

MB1C x
MB90 x
VL21 x

F-18 x
F-26 x
F-28 x

Job Role/Roles (Table 2: Example Authorization Concept)

Task 1: Create a Role to Display a Material Master

Create a role GR##_MM_MAT_ANZ to display a material master.

1. Start the Role Maintenance transaction and create the predefined role. Enter a short
description, and save.

2. Add the corresponding transactions in accordance with the sample authorization concept
(Roles for Transaction Codes table from the prerequisites of this exercise).

© Copyright. All rights reserved. 34

 Exercise 5: Maintain Role and Standard Roles

A brief extract from the table in the prerequisites is provided here to make the task more
comprehensible.

Name of the Role Transactions for this Role

GR##_MM_MAT_ANZ MM03, MM04, MM19

3. Create a folder with the name WWW Links and add a Web address with the name SAP and
the URL http://www.sap.com to this folder.

4. Maintain Authorizations - Maintain authorization values for the organizational levels.

5. Maintain Authorizations - Check the traffic light symbol status.

For which authorization object class are all authorization field contents maintained?
Authorization object class:
_________________________________________________
For which authorization objects of the object class MM_G do you have to supply
authorization values?
Authorization Objects:
_________________________________________________
_________________________________________________
_________________________________________________
_________________________________________________

6. Maintain Authorizations - Set the authorization for the maintenance status in the
authorization object M_MATE_STA to full authorization.
What is the status of the authorization after your change?
_________________________________________________

7. Maintain Authorizations - Set all open authorization values to full authorization.

Set all open authorization values to full authorization (top set of traffic lights).
What happens to the traffic light symbol for object class MM_G after you have assigned
values to all open fields?
_________________________________________________

8. Maintain Authorizations - Generate the authorization profile for your role.

9. Check the status of your authorization profile in the information section of the
Authorizations tab and complete the maintenance of this role and return to the initial
screen of transaction PFCG.
What is the status of your authorization profile?
_________________________________________________

Task 2: Create a Role with Authorizations for a Warehouse Supervisor

Create a role GR##_MM_IM_POST with authorizations for a warehouse supervisor.

1. Start the role maintenance transaction and create the predefined role. Enter a short
description, and save.

© Copyright. All rights reserved. 35

Unit 4: Working with the Role Maintenance

2. Add the corresponding transactions in accordance with the sample authorization concept
(Roles for Transaction Codes table from the prerequisites of this exercise).

3. Maintain Authorizations - Maintain authorization values for the organizational levels.

4. Maintain Authorizations - Add the authorization values 561 and 562 to the authorization
values for the Movement Type field of the authorization object M_MSEG_BWA.

5. Maintain Authorizations - Set all open authorization values to full authorization.

6. Maintain Authorizations - Generate the authorization profile for your role.

7. Complete the maintenance of this role and return to the initial screen of transaction PFCG.

Task 3: Copy a Role

The following exercise is optional.
Use the role GR##_MM_IM_POST as a template to create the role GR##_MM_IM_POST1020.
To do this, choose the Copy Role icon and copy all settings from the template.

1. Create the role GR##_MM_IM_POST1020 as a copy of the role GR##_MM_IM_POST.

2. Maintain Authorizations - Check the status of the authorization profile.

Check the status of the authorization profile in the information section of the tab page.
What is the status of the authorization profile?
_________________________________________________

3. Maintain Authorizations - Check the authorization values of the authorization profile.

Did the system copy the authorizations of the copy template?
_________________________________________________

4. Maintain Authorizations - Assign only the value 1200 to the organizational level Plant.

5. Maintain Authorizations - Generate the authorization profile for your role and check the
status of the authorization profile.
What is the status of the authorization profile?
_________________________________________________

6. Complete the maintenance of this role and return to the initial screen of transaction PFCG.

Task 4: Create a Role and Assign it to All Users

Create a role GR##_BC_PORTALS. The content of the role should be copied by choosing
From Other Role on the "Menu" tab page. This role should then be assigned to all “GR##*”
users and contain functions of general interest.

1. Start the role maintenance transaction and create the predefined role. Enter a short
description, and save.

2. Go to the Menu tab page and copy the menu from the predefined role
SAP_BC_SRV_USER by selecting all transactions.

3. Maintain Authorizations - Set all open authorization values to full authorization.

4. Maintain Authorizations - Generate the authorization profile for your role.

5. Assign the role to all users.

What is the status of the User tab page?

© Copyright. All rights reserved. 36