Assigning Profiles Procedure

Assigning Profiles Procedure

Choose Profiles to assign authorization profiles to a user.

You can assign a large number of authorization profiles to a user (about 150).

Profiles issue users with various authorizations.

You should maintain your profile using the Profile Generator unless you have to edit profiles that were created manually.

You can manually maintain profiles by choosing Tools ® Administration, User maintenance ® Profiles (see Creating and Maintaining Authorizations and Profiles Manually). You can also enter composite profiles (a combination of several profiles) in the user master records when manually maintaining profiles.

If you choose automatic maintenance, the Profile Generator generates an authorization profile on the basis of an activity group.

From the user maintenance, you can select Environment ® Maintain act. group to branch into the functions for maintaining activity groups and generating profiles. Further details on this topic are contained in: Generating Authorization Profiles Automatically with the Profile Generator

You assign activity groups to a user by choosing Activity groups. This simultaneously assigns the appropriate authorization profiles to the user. For further details, see Assigning Activity Groups and Comparing Profiles in the User Master Record with Activity Groups.

Never insert profiles that you generated using the Profile Generator directly into the user master record. The profiles are automatically transferred to your user master record after a user comparison in the Profile Generator.

The R/3 System contains predefined profiles:

SAP_ALL: You assign this profile to users who are to have all R/3 authorizations, including superuser authorization.

SAP_NEW: You assign this profile to users who are to have access to all currently unprotected components.

The SAP_NEW profile is a composite profile that contains a single profile, SAP_NEW_<Release> with new authorizations for each new Release or upgrade level, such as SAP_NEW_45A. SAP_NEW is included in every SAP delivery.

The SAP_NEW profile grants unrestricted access to all existing functions for which additional authorization checks have been introduced. Users can therefore continue to work uninterrupted with functions which are subject to new authorization checks which were not previously executed. This ensures upwards compatibility.

For this reason you should assign SAP_NEW to all user master records.

As system administrator, you decide which users should receive the new authorizations following a Release upgrade.

You need to add the new authorizations to manually generated profiles
Following a Release or upgrade you need to regenerate all authorization profiles which have been generated using the Profile Generator. In the activity group maintenance (Transaction SU25), choose Environment ® Installation/Upgrade.

If you have skipped releases or upgrades, when you execute this operation you need to take into account all authorizations which have come into the system in the meantime.

Once you have carried out these tasks, delete the single SAP_NEW_<release> profiles from the SAP_NEW profile.