Creating Authorizations
Start the authorization maintenance by choosing
. Alternatively, you can maintain the authorizations on the profiles maintenance screen.Select an authorization object using its class and description.
Add a new authorization, or select one of the existing authorizations.
A new authorization name only needs to be unique among the authoriizations for the same authorization object. You cannot maintain generated authorizations manually.
Entering Values
Define or change individual values or ranges of values for all fields of the object.
A user with these values can perform the corresponding action. The system automatically displays the fields for which you need to define values, and the descriptions of the fields.
To display the documentation or the input options for a field, place the cursor on the relevant field and choose Enter Values or Field Documenation.
If you enter values, a dialog box appears. The input help shopws which values you can enter here.
Rules for Entering Values
Enter single values only in From fields. Do not enter any values in the To field.
Use the following formats to specify ranges:
From |
To |
Authorization |
---|---|---|
1 |
3 |
The values 1, 2, and 3 |
S_USER* |
Not applicable |
All character strings that start with S_USER |
AB |
C* |
All values that start with AB, AC..., or B or C |
0 |
9* |
Any numeric value |
To exclude a value, specify multiple range values that do not contain the value. For example, the following areas allow access to all values except for values that start with the character string S_U for S_USER_ (user maintenance).
From |
To |
Authorization |
---|---|---|
A |
S_T* |
Values with start letters from A to S_T |
S_V |
Z* |
Values with start letters S_V to Z |
You can allow a user to leave a field empty. To do this, enter the following: ' ' (a space in quotation marks, or in shorter fields ', or simply ').
For many fields, you can display the permissible values using the input help button.
System-independent value ranges: If your system has a heterogeneous environment, you should specify numbers and letters as two separate ranges. For example: A to Z and 0 to 9. This is necessary, since the values are sorted differently, depending on the character set used. For example, to include all numbers and letters in one value range, you need to define differnt ranges in ASCII and EBCDIC systems:
For ASCII systems, the value range 0 to Z* includes all numbers and letters and some other displayable characters.
For EBCDIC systems, the value range A to 9* includes all numbers and letters.
The object shown below controls actions that the users that belong to a user group can perform.
Object |
Field |
Value |
---|---|---|
User groups |
User master maintenance: user group |
S* |
Not applicable |
Action |
03 (Display) |
The authorization for the object users groups permits a user to display all user master records that start with the letter S.
Activating Authorizations
For new or changed authorizations to become available in the system, you need to activate these authorizations. During the activation, the maintenance version of an authorization is copied to the active version. An activated authorization takes effect immediately in all active profiles that contain it. The authorization even affects users that are logged on to the system at the time of the activation.
To activate an authorization, choose
.If an active version exists, the system displays the active and maintenance versions, so that you can check the changes that have been made. If you discover errors when checking the changes, you can cancel the activation.
Naming Conventions for SAP Authorizations
You can use the user and authorization information system to display the authorizations delivered with the SAP system. Otherwise, the description for the use of profiles available in Predefined Profiles: Naming Convention also applies for predefined authorizations.
We recommend in any case that you no longer manually maintain profiles and authorizations, but rather that you create them with the Profile Generator (transaction PFCG).