Authorization Management

In this section, you determine which functions users can execute in the SAP System using the SAP authorization concept.

To do so, you must define authorizations and assign these profiles to individual users viaProfiles.

Authorizations are made for objects, which are predefined by SAP. You can group authorizations belonging to a specific area into a profile, and can also group these profiles together into composite profiles.

For the users who work with the SAP System, you must

create user master records

create authorizations for authorization objects

group the authorizations for the authorization objects together into authorization profiles

assign one or more profiles to the user master records for individual employees

For this you need to decide

who is responsible for creating the user master records in your company

who defines and manages the authorizations for the authorization objects

who assigns authorizations to profiles and assigns these profiles to the users

which authorizations the users should receive for other SAP components

Requirements

To maintain users, you must have the authorization for the following authorization objects:

S_USER_AGR (Maintain Activity Groups)

This authorization object controls the access to activity groups and activities.

You need authorization for this object if you want to create or change a user in the R/3 System.

S_USER_TCD (Assign Transactions to Activity Groups)

This authorization object controls the access to a transaction code.

You need authorization for this object if you want to assign a transaction to an activity group.

S_USER_GRP (Maintain user master data: User Groups)

This authorization object controls the access to authorization groups and activities.

You need authorization for this object if you want to create or edit users in the R/3 system.

S_USER_PRO (Maintain user master data: authorization profile)

This authorization object controls the access to authorization profiles and activities.

You need authorization for this object if you want to edit profiles or assign profiles to users.

S_USER_AUT (Maintain user master data: authorizations)

This authorization object controls the access to authorization object, authorization name and activity.

You need authorization for this object if you want to maintain authorizations or group authorizations in profiles.

Authorization Objects

The individual functions of the authorization objects listed below are defined in the standard. When a function is called up, the associated authorization object is tested.

Functions for...	authorization object

Responsibility area		K_PCA
Delete transaction data		K_PCAB_DEL
Transfer actual data		K_PCAI_UEB
Transfer FI data		K_PCAF_UEB
Transfer MM data		K_PCAM_UEB
Transfer SD data		K_PCAS_UEB
Generate ledger		K_PCAL_GEN
Maintain planning hierarchy		K_PCAP_SET
Transfer plan data		K_PCAP_UEB
Standard reports		K_PCAR_SRP
Summary and line-item reports		K_PCAR_REP
Profit center maintenance		K_PCAS_PRC
Assessment/distribution in actual/plan
K_PCAD_UM
Transfer prices		K_TP_VALU Transfer prices

Standard settings

Authorizations are predefined for all authorization objects in applications delivered as standard in the R/3 system.

Both maintenance and display authorizations can be defined.

The authorizations provided apply for all organizational units.

Further notes

By choosing Utilities -> Documentation you can obtain further information on authorization objects (such as definition, defined fields).

Authorization profiles

Aprofile contains authorization objects for a restricted task area.

A composite profile contains several profiles.

By using profiles and composite profiles, you can structure and manage authorizations simply.

By entering a profile or a composite profile in the user master data, a user receives all authorizations contained in them.

Standard settings

Two standard profiles have been created for Profit Center Accounting:

Profile K_PCA_ALL (entered as a composite profile in SAP_ALL) contains the following profiles

G_BASE_ALL (all general ledger basic authorizations)

Rollup and database transactions GB01, GB11, GD13/23/33/43, GP12, GP22/13/23 and GL15

G_PLAN_ALL

GPxx - Transactions

G_RW_ALL (all authorizations in the Report Writer)

Report, parallel report, library, standard layout and report group

G_SETS_ALL (all authorizations for sets)

Set and Variable

G_SUBST_ALL

(Speciale ledgers - Substitution: All authorizations)

K_PCA_AL1 (see below)

Profile K_PCA_AL1, the actual profit center profile for own profit center transactions. The profile contains the ALL authorizations for the following authorization objects:

EC-PCA: Delete transaction data

EC-PCA: Actual data transfer

EC-PCA: FI data transfer

EC-PCA: MM data transfer

EC-PCA: Generate and activate ledger

EC-PCA: Planning hierarchy

EC-PCA: Plan data transfer

EC-PCA: Standard reports and datasets

EC-PCA: Profit center

EC-PCA: Summary and line-item reports

EC-PCA: Assessment/distribution

Number range maintenance

Table maintenance (for example, using transaction "SM31")

Archiving

These objects are used in the following functions:

EC-PCA: Profit Center

Fields: Controlling area, Activity

Create/change profit center master data (KE51 - 54)

Activity: 01, 02, 03, 04

Copy cost centers (2KEV)

Activity: 01

Create dummy profit center (1KE2 and KE59)

Activity: 01

PrCtr/Customizing - delete master data

Activity: 06

Time-dependent fields (0KE7)

Activity: 02

Master data index (KE5X)

Activity: 03

Transport of customizing settings (0KEP-0KEV)

Activity: 21

Conversion of reports, line item and summary record files 2.x -> 3.0 (OKEW, OKEX, OKEY, OKEZ)

Activity: 42

EC-PCA: Summary and line item reports

Fields: Company code, profit center, cost type, activity

This object, in addition to the object "EC-PCA: Profit Center", is checked during master data maintenance. In this way, master data maintenance can be restricted to individual profit centers.

Activity: 01, 02, 03, 06

Protection of reporting: Report writer reports and the display of line items (KE5Y, KE5Z) and summary records (2KEE) can be restricted to individual profit centers and cost elements.

Actual postings: The entry of profit center documents and statistical key figures can be restricted to individual profit centers and company codes.

Activity: 76

EC-PCA: Planning hierarchy

Fields: Controlling area, activity

Maintain profit center hierarchies

Activity: 02, 03

Copy cost center groups

Activity: 01

Add, change, display and delete planning sets used via object G_800S_GSE

Activity: 01, 02, 03, 34

EC-PCA: Standard reports and datasets

Fields: Ledger (not currently taken account of in the authorization check), activity

Multiple selection (02), generation (07), issuing and selection of standard reports (16), conversion (42), import (60) and export (61) of reports and datasets. Used with KE5A-KE5L, KE6A-KE6L, 0KEC-0KEF, OKEA, OKEB.

Aktivity: 02, 07, 16, 42, 60, 61

The customer can assign the sets 8A-ALL-PRCTR, 8A-SAP-GKR, 8A-KOKRS001 to an authorization group. In this way, only users who have entered an authorization for the object G_800S_GSE, activity 03 in their user master data can user the standard hierarchy.

When actual and plan line item displays are called up, the system checks that authorization exists for the object G_GLIP with the fields ACTIVI 03, GLRLDNR (ledger), GLRRCTY (record type) and GLAVERS (version of line item).

EC-PCA: Actual data transfer

Field: Controlling area

Data transfer program for PrCtr invoice actual data (1KEA)

Data transfer program for statistical key figures (1KED, 1KEE)

EC-PCA: FI data transfer

Field: Company code

FI data transfer to Profit Center Accounting (1KE8)

EC-PCA: MM data transfer

Field: Activity

Data transfer from MM to Profit Center Accounting (1KEC)

Activity: 90

EC-PCA: SD data transfer

Field: Activity

Data transfer from SD to Profit Center Accounting (1KE9)

Activity: 90

EC-PCA: Plan data transfer

Fields: Controlling area, version and business year.

Plan data transfer to Profit Center Accounting. During data transfer, data which has already been posted will be deleted, via the program RGUDEL00, object S_ADMI_FCD FIELD 'RSET', system administrator function.

EC-PCA: Delete transaction data

Field: Ledger

Customizing PrCtr delete transaction data (0KE1)

EC-PCA: Generate and activate ledger

Fields: Controlling area, activity

Analysis of settings (1KE1)

Activity: 03

Activate profit center ledger

Activity: 63

Regenerate ledger

Activity: 64

EC-PCA: Assessment/distribution

Fields: Activity, record type

Actual assessment/distribution (3KE1 - 6, 4KE1 - 6)

Record type: 2

Activity: 01, 02, 03, 06, 16

Plan assessment/disribution

Record type: 3

Activity: 01, 02, 03, 06, 16

Number range maintenance

The profile K_PCA_AL1 contains the authorization COPCA_ALL. This authorization has been created for the number range objects NR_NKPRIN and COPCA_PHNR.

Table maintenance (for example, using the transaction 'SM31')

The profile K_PCA_AL1 contains the authorization K_PCA_ALL. This authorization has been created for the table authorization groups GC, KCS, KE1C and KKB1 (authorization to maintain all EC-PCA tables and views.

Archiving

Fields: Application class, archiving object, activity

Create, delete, restore and manage archive (KE71 - KE74)

Archiving object: PCA_Object

Activity: 01

Further notes

The following are frequently used activity codes:

01 Add or create

02 Change

03 Display

06 Delete

07 Activate, generate

10 Post

16 Execute

17 Maintain number range object

21 Transport

42 Convert to database

60 Import

61 Export

62 Create ledger

63 Activate

64 Generate

90 Transfer