The development system
When the development system is first installed, the users are mainly the project team members, including developers and system administrators. Most users of a newly-installed SAP system initially have the authorization profile SAP_ALL in their user master record, which allows them to perform all tasks in the system. As the project progresses it is necessary to restrict user access. Development system users usually have greater access rights than quality assurance or production system users.
Authorization administrators should familiarize themselves with the SAP authorization concept in this phase. We recommend that you use SAP_ALL as a template and first define the role or profile <company>_ALL without the superuser authorizations. To do this, proceed as follows:
Here you find the authorizations which are generally regarded as critical.
You can assign the role that you have just created to the relevant users in user maintenance. See Assigning roles.
This control ensures the integrity and stability of the system.
The Basis authorization objects are documented in the transaction AUTH_DISPLAY_OBJECTS. The authorization objects in the object class Basis - Administration are called S_USER_*. Place the cursor on an authorization object and choose Information.
For more information about Basis system and SAP work area authorizations, see Tools → AcceleratedSAP → Customizing → Edit project and choose the SAP Reference IMG button. Search for the entries User or Authorization to call the authorization sections.
The authorization administrator creates the roles for end users in the development system. These roles are transported to the final test in the quality assurance system before being put in the production system. The user master records are usually created in the production system shortly before it goes live. The roles are assigned to the end users in the production system together with the transported authorization data, as required.
The authorization administrator must know which clients are to be created in the customer systems. Roles are not automatically copied when new clients are created. As users, roles, authorization profiles, and authorizations are client-specific, the client copy administrator must also know which user master records are to be copied.
The quality assurance system
The authorization administrator can start to transport the roles from the development system into the quality assurance system once it has been set up.
For example, a member of the FI project team can use a model user ID to check the following for accounts payable accounting:
Whether the user has access to the transactions in the roles assigned to him or her
Whether these transactions correspond to the role defined by the company for accounts payable accounting
Whether the model user ID has access authorization for transactions that are not allowed
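The second and third checks above can also be run offline against role data before anyone logs on. The following is an added example, not SAP code and not part of the original page; the role names, the transaction lists, and the layout of the role data (S_TCODE values for field TCD as low/high pairs) are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample data: S_TCODE values (field TCD) per hypothetical role,
# as (low, high) pairs. An empty high means a single value, optionally with "*".
ROLE_TCODES = {
    "Z_FI_AP_CLERK": [("FB60", ""), ("FK01", "FK03"), ("FBL1N", "")],
    "Z_FI_AP_DISPLAY": [("F*", "")],  # deliberately too broad
}
# Transactions the company's role definition for accounts payable allows.
COMPANY_DEFINITION = {"FB60", "FK01", "FK02", "FK03", "FBL1N"}
# Transactions the model user must not reach (constructed list).
DISALLOWED = {"F110", "SU01", "SE38"}
# Transaction codes to test against (constructed subset of a system's codes).
CATALOG = COMPANY_DEFINITION | DISALLOWED | {"FB01", "FK05"}


def value_matches(tcode, low, high):
    """True if one authorization value covers the transaction code."""
    if high:  # interval, compared character by character (assumption)
        return low <= tcode <= high
    return fnmatchcase(tcode, low)  # single value, "*" acts as wildcard


def reachable(roles):
    """Transactions from CATALOG that the given roles authorize."""
    values = [v for role in roles for v in ROLE_TCODES[role]]
    return {t for t in CATALOG
            if any(value_matches(t, lo, hi) for lo, hi in values)}


def review_model_user(roles):
    """Compare what the model user's roles grant with the company definition."""
    granted = reachable(roles)
    return {
        # Second check: do the transactions correspond to the definition?
        "missing": sorted(COMPANY_DEFINITION - granted),
        "beyond_definition": sorted(granted - COMPANY_DEFINITION),
        # Third check: access that is not allowed.
        "disallowed": sorted(granted & DISALLOWED),
    }


if __name__ == "__main__":
    for roles in (["Z_FI_AP_CLERK"], ["Z_FI_AP_CLERK", "Z_FI_AP_DISPLAY"]):
        print(roles, review_model_user(roles))
```

The wildcard role is the case worth noticing: a single `F*` value passes a spot check of the defined transactions while also granting F110, FB01 and FK05.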
The end users can log on to a test environment and simulate production processing to test the user authorizations.
A training client is usually created in the quality assurance system because it contains the newest configuration. Larger installations have a separate training system.
The production system
When the roles and authorization profiles have been completely tested in the quality assurance system and approved by the end users or project team, the roles can be transported into the production system. The user IDs can then be created.
You should never make changes to a production SAP system. You should therefore not assign the following authorizations to users in a production system: