Show TOC

 Role Administration: Tips and TricksLocate this document in the navigation structure

Limiting Activities by Time

Even if you are not using organizational management, you can still take advantage of the option to assign roles to users for a limited period of time. This is useful, for example, for your end of year procedure, where inventory activities should only be permitted for a limited time.

Choose Tools → Administration → User maintenance → Roles.

On the User tab page, you can set the validity period for the assignment.

Note

To put a time-limited assignment of a role profile to a user master record into effect, you must first execute a comparison.

The authorization profile is only entered in or deleted from the user master record automatically if you have scheduled the relevant report for the comparison to run periodically as a background job.

Job scheduling is also important for ensuring role consistency after an import.

We recommend that you schedule background program PFCG_TIME_DEPENDENCY for these cases.

User Assignment

Never insert generated profiles directly into the user master record (Transaction SU01). Assign the role to the user in the Roles tab in transaction SU01 or choose the User tab page in role administration (PFCG) and enter the user to whom you want to assign the role or profile.

If you then compare the user master records, the system inserts the generated profile in the user master record.

Do not assign any authorizations for modules you have not yet installed

If you intend to gradually add modules to your system, do not assign any authorizations for those modules you have not yet installed. This ensures that you cannot accidentally change data in your production system you may need at a later stage.

Leave the corresponding authorizations or organizational levels open. Do not set the Check Indicator in Transaction SU24 to No check.

Initial authorization assignment

You want to create a user in your test system with authorization to do 'almost anything'. Normally, users with this level of authorization may not create user master records or change authorization profiles.

The fastest way to set up this user is as follows:

  1. Create a role.
  2. On the Authorizations tab page, choose Change authorization dataand then Edit →Insert →Full authorization.
  3. Expand theBasis administration object class. This contains the authorization objects generally regarded as critical.
  4. Deactivate all authorizations which begin with user master maintenance and any others which you regard as critical. Note the authorizations required for transaction SU24 (see Preparatory Steps).
  5. Generate the profile and assign the authorizations to a user on the User tab page.
  6. In user administration, assign the role you have just created to users entering them on the Role tab page.