Editing Authorizations 

Suppose you have created an activity group based on a selection of menu functions.

You can generate authorizations for this activity group automatically. Most of the fields for these authorizations are filled with SAP-assigned default values. However, you can add missing values, change default values and also add additional authorizations from SAP templates or profiles.

Generating Authorization Profiles

To create authorizations for an activity group, choose Authorizations on the activity group maintenance screen.

The Authorizations tab displays creation and change information as well as information on the authorization profile (including the profile name, profile text and status).

There are open as well as default authorizations for the transactions you assign to the activity group. You can change this authorization data by choosing Change authorization data in Authorizations. Finally, you can use the Profile Generator to create an authorization profile based on this data. The authorization profile generated in this way is added to the authorization profiles of the users in the activity group after the user master records are compared.

If you choose Expert mode for profile generation, you can choose the option with which you want to maintain the authorization values. This option is automatically set correctly in normal mode.

The Authorizations tab index displays whether or not the corresponding authorization profile is current. The profile is not current if the display is red or yellow. The profile status text displayed on the tab explains the status of the profile in more detail. This helps you determine why the profile is not current.

Choose Change authorization data and then proceed as follows:

  1. Maintain organizational levels by choosing Org. levels.

    Organization levels can be plants, company codes and business areas, for example. For each field that displays an organizational level, you determine the global values for these activity groups.

    Save these entries.

    The system only displays the dialog box if the selected authorization data contains organizational levels.

  2. Check or change the default authorizations in the hierarchy view displayed.

The following example of a hierarchy view contains the various levels and their processing status:

The legend explains the various hierarchy levels and the symbols used.

Choose Open, Changed or Maintained to display open, changed or maintained authorizations, respectively.

Choose Org. levels to maintain the organizational levels. Organization levels can be plants, company codes and business areas, for example.

The status line displays information on the open organizational levels and fields as well as the status of the authorization profile: Unchanged, Saved, Changed or Generated.

The authorization object classes represent the highest levels of the hierarchy. Underneath are the associated authorization objects, authorizations and authorization fields. Their field contents are largely predefined by the system.

If you expand a hierarchy level, the system displays the subordinate levels. If you then click on the minus sign, the browser view collapses.

You can edit the display elements using icons in the hierarchy level and icons in the toolbar. The traffic lights display the maintenance status of authorizations.

The Status Text for Authorizations displays their maintenance status.

To set any of the following display options, choose Utilities:

· Show or hide icons in the browser view

· Show or hide technical names

· Activate / deactivate confirmation prompts

Editing Authorizations

Edit the default authorization values from the browser view. Use the icons in the hierarchy levels and the toolbar.

The current status of organizational units and authorizations is indicated in the status (header) line and at the various tree levels using red, yellow and green traffic lights.

You should also check the values of the authorization fields marked with a green traffic light.

Maintain the organizational levels before you edit field values.

Missing organizational levels are indicated by a red traffic light. Each authorization field representing an organizational level is filled with a maintained organizational level. Organization levels can be plants, company codes and business areas, for example.

Maintain missing values for organizational levels by choosing Org. levels.

Specify a global value for this activity group for each field representing an organizational level. If, for example, the organizational level PLANTS appears in several authorizations, you only need to maintain the plant values once on the organizational level screen.

You can display a list of all existing organizational levels using Transaction SUPO.

Authorization objects and authorizations have associated texts. As a rule, the authorization text is the same as the object text. Changes to texts may be lost if you delete, recreate or compare them.

If you double-click an authorization object or an authorization field, the system displays a help text.

If you double-click the contents of an authorization field, you can change the authorization text (Edit → Authorization text).

Maintaining Authorization Field Values

You maintain authorization field values by double-clicking the contents of an authorization field, by clicking on an empty field, or by choosing Maintain.

Maintain the values in the dialog box.

To assign full authorization (*), do one of the following:

Check the browser view for errors in the authorization assignment, and correct these. For example, you must enter a context-appropriate value in the Authorization Group field. If you are unsure as to the correct value, assign full authorization (*) for the fields where no value has been entered. You can change this value later.

Adding Authorizations

Add authorizations by choosing Edit → Add authorization. This gives you the option to:

Authorizations from composite profiles cannot be added.

Deactivating Authorization Objects

To deactivate an authorization object, choose:
Deactivated authorization objects are ignored when profiles are generated.

Deactivating and Deleting Authorizations

To deactivate an authorization, choose:
Deactivated authorizations are ignored when profiles are generated.

To delete an authorization, choose:

This deletes the authorization and it is no longer displayed. To enable / disable the confirmation prompt, choose Utilities → Confirmation prompt on / off.

You can reactivate the inactive authorization by double-clicking Inactive.

Summarizing Authorization Field Contents

You can summarize identical authorization field contents of an authorization object by choosing Utilities → Summarize auths.

Reorganizing Technical Names of Authorizations

The technical names of authorizations within each object are made up of the name of the activity profile plus two final digits in the number range 00...99:
T_<Activity_group>nn, example: T_5002995604.

Display the technical names by choosing Utilities → Technical names on.

To avoid problems with number assignment, you should reorganize the numbers nn from time to time.

Choose Utilities → Reorganize.

This restarts number assignment at 00.

Whenever you generate a new authorization profile, the system automatically takes this reorganization into account.
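
The following review script is an added example, not SAP code and not part of the original documentation. It takes authorization data as rows of (object, technical name, field, value), lists fields still holding the full-authorization placeholder (*) or left open, and reports objects whose T_<Activity_group>nn counter is close to 99. The row layout, the sample values and the threshold of 90 are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample rows: (authorization object, technical name, field, value).
# The values are illustrative only; an empty value stands for an open field.
ROWS = [
    ("S_TCODE",    "T_5002995600", "TCD",       "VA01"),
    ("S_TABU_DIS", "T_5002995600", "ACTVT",     "03"),
    ("S_TABU_DIS", "T_5002995600", "DICBERCLS", "*"),
    ("M_BEST_WRK", "T_5002995604", "WERKS",     ""),
    ("M_BEST_WRK", "T_5002995697", "ACTVT",     "*"),
]

# T_<Activity_group>nn: the last two digits are the number nn (00..99).
NAME_RE = re.compile(r"^T_(?P<group>.+)(?P<nn>\d{2})$")

def parse_name(name):
    """Split a generated technical name into (activity group, nn as int)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a generated authorization name: {name!r}")
    return m.group("group"), int(m.group("nn"))

def review(rows, near_limit=90):
    """Collect full-authorization fields, open fields and objects near nn = 99.

    near_limit is an assumed threshold for this example, not an SAP setting.
    """
    full, open_fields, used = [], [], defaultdict(set)
    for obj, name, field, value in rows:
        _, nn = parse_name(name)
        used[obj].add(nn)  # numbers are assigned within each object
        if value.strip() == "*":
            full.append((obj, name, field))
        elif not value.strip():
            open_fields.append((obj, name, field))
    reorganize = {o: max(n) for o, n in used.items() if max(n) >= near_limit}
    return {"full": full, "open": open_fields, "reorganize": reorganize}

if __name__ == "__main__":
    for kind, items in review(ROWS).items():
        print(kind, items)
```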

You should only generate profiles after the users of the activity group you want to edit have logged off the system. If the users are logged on during the profile generation, they will have to log off and log back on to activate the authorization changes.