Maintaining Authorizations and Their Values

Creating Authorizations

1. Start the authorization maintenance by choosing  Tools  Administration  User Maintenance  Manual Maintenance  Edit Authorizations Manually . Alternatively, you can maintain the authorizations on the profiles maintenance screen.

2. Select an authorization object using its class and description.

3. Add a new authorization, or select one of the existing authorizations.

   A new authorization name only needs to be unique among the authoriizations for the same authorization object. You cannot maintain generated authorizations manually.

Entering Values

1. Define or change individual values or ranges of values for all fields of the object.

   A user with these values can perform the corresponding action. The system automatically displays the fields for which you need to define values, and the descriptions of the fields.

2. To display the documentation or the input options for a field, place the cursor on the relevant field and choose Enter Values or Field Documenation.

   If you enter values, a dialog box appears. The input help shopws which values you can enter here.

Rules for Entering Values

• Enter single values only in From fields. Do not enter any values in the To field.

• Use the following formats to specify ranges:

  From	To	Authorization
  1	3	The values 1, 2, and 3
  S_USER*	Not applicable	All character strings that start with S_USER
  AB	C*	All values that start with AB, AC..., or B or C
  0	9*	Any numeric value

• To exclude a value, specify multiple range values that do not contain the value. For example, the following areas allow access to all values except for values that start with the character string S_U for S_USER_ (user maintenance).

  From	To	Authorization
  A	S_T*	Values with start letters from A to S_T
  S_V	Z*	Values with start letters S_V to Z

• You can allow a user to leave a field empty. To do this, enter the following: ' ' (a space in quotation marks, or in shorter fields ', or simply ').

• For many fields, you can display the permissible values using the input help button.

  Note

  System-independent value ranges: If your system has a heterogeneous environment, you should specify numbers and letters as two separate ranges. For example: A to Z and 0 to 9. This is necessary, since the values are sorted differently, depending on the character set used. For example, to include all numbers and letters in one value range, you need to define differnt ranges in ASCII and EBCDIC systems:

  • For ASCII systems, the value range 0 to Z* includes all numbers and letters and some other displayable characters.

  • For EBCDIC systems, the value range A to 9* includes all numbers and letters.

The authorization for the object users groups permits a user to display all user master records that start with the letter S.

Activating Authorizations

For new or changed authorizations to become available in the system, you need to activate these authorizations. During the activation, the maintenance version of an authorization is copied to the active version. An activated authorization takes effect immediately in all active profiles that contain it. The authorization even affects users that are logged on to the system at the time of the activation.

To activate an authorization, choose  Authorization  Activate .

If an active version exists, the system displays the active and maintenance versions, so that you can check the changes that have been made. If you discover errors when checking the changes, you can cancel the activation.

Naming Conventions for SAP Authorizations

You can use the user and authorization information system to display the authorizations delivered with the SAP system. Otherwise, the description for the use of profiles available in Predefined Profiles: Naming Convention also applies for predefined authorizations.