Friday, January 20, 2012
These instructions describe the procedure for creating simple roles.
Step 1
Enter a name for the role and choose Create Role.
You should note that the roles supplied by SAP begin with the pr
"SAP_". If you are creating your own user roles, do not use the
namespace.
Step 2
On the next screen, describe the functions that the role is to
include.
Step 3
Assign transactions to the role on the Menu tab page:
- By specifying the transactions directly
- By assigning menu branches from the SAP menu
The menu options selected in this step are displayed in the Session
Manager and on the "SAP Easy Access" logon screen as the User menu
for all users who are assigned to the role.
Step 4
On the Authorizations tab page, choose Change authorizationdata.
Depending on the transactions you have chosen, the system may
display a dialog box that asks you to maintain the organizational
levels. These are authorization fields that occur in several
authorizations at the same time and that can be maintained together,
An example is the company code, which occurs in several
authorization objects. When you assign values to the organizational
levels, you maintain the authorization fields for all authorizations
in the tree display that is displayed at the same time.
The system displays a tree display for all authorizations that are
proposed by SAP for the chosen transactions. The authorizations
already have some values.
- Yellow traffic light icons in the tree display indicate that you
need to manually postprocess authorization values. You enter
these values by clicking a white line next to the name of the
authorization field. Once you have maintained the values, the
authorizations are regarded as having been manually modified.
They are not overwritten if you include additional transactions
and reprocess the authorizations. By clicking the traffic light
icon, you can assign full authorization for the hierarchy level
for all unmaintained fields.
- Red traffic light icons indicate that there are organizational
levels that do not yet have values. You can enter or change
these values by choosing Org. levels....
- If you want additional functions in the tree display, such as to
copy or summarize authorizations, choose Utilities -> Settings
and select the appropriate option.
- Generate an authorization profile for the authorizations by
choosing Generate.
- Enter a name for the authorization profile in the next dialog
box, or use the valid name in the customer namespace that is
proposed.
- Exit the tree display once the profile is generated.
- If you change the menu selection and call up the menu display
for the authorizations again, the system tries to mix the
authorizations for the newly added transactions with the
existing authorizations. This may mean that the traffic light
icons turn yellow, as new incomplete authorizations appear in
the tree display. You need to either manually assign values to
these, or delete them.
- You can delete an authorization by first deactivating it and
then deleting it.
- General authorizations such as spool display and print are not
usually stored with transactions. For this purpose, you can add
authorization templates to the existing data. To do this, choose
Edit -> Insert authorizations -> From template... and choose one
of the templates (for example, SAP_USER_B Basis authorization
for application users or SAP_PRINT Print authorization).
Alternatively, you can create a separate role for these general
authorizations whereby the overview is much clearer.
Step 5
On the Users tab, assign the users to the role.
- The system displays the menu options for the role in the Session
Manager as the user menu for the users assigned.
- Otherwise, the generated authorization profiles are
automatically entered in the user master records when you
perform the User master record comparison . To do this, choose
Compare users on the Users tab page and choose Full comparison.
- If you do not restrict the period of the assignments and use the
default period (current date to 12.31.9999), no further action
is necessary. If you make any other time restrictions, you need
to schedule report PFCG_TIME_DEPENDENCY to run daily. This
report automatically updates the user master records. You must
also schedule this report if you are using Organization
Management.
Caution
Never enter the generated authorization profiles directly in the
user master records, as is the case with authorization profiles that
are created manually. You can only link generated profiles and users
by assigning the corresponding role to the users, and then
performing a user master record comparison. During the comparison of
the user master records, the profiles for the role are entered for
all users of the role.
Step 6
To transport the role to another system, you must enter the role in
a transport request.
- To do this choose Role -> Transport. You can now specify whether
or not the user assignment should also be transported.
- The authorization profiles are transported unless you have
explicitly specified that you do not want to transport the
explicitly specified that you do not want to transport the
profiles.
- After the import into the target system, you have to perform a
complete user master comparison again for hte imported roles.
You can start this comparison manually or use report
PFCG_TIME_DEPENDENCY to execute it automatically, if the report
is scheduled to run periodically in the target system.
0 comments:
Post a Comment
Your useful comments, suggestions are appreciated.Your comments are moderated.