First Installation Procedure  

To create authorizations for your SAP System:

Procedure (an X below a step marks that step as optional)

  1. Get an overview of the various tasks of your staff.

If your company uses various applications, you must liaise with the various departments to decide which workplaces to define in each department, and which authorizations the staff is to be given. Each workplace should be defined (in writing). The authorization managers need to know which employees can access which data, call which transactions and programs, etc.

 
  2. Install the Central User Administration. (This step is optional and depends on how many clients and system users must be maintained. You should use the Central User Administration if more than one system with several users is used.)

See Installing Central User Administration.

   X

  3. Organize the management tasks.

Set up the system administrator for authorization maintenance.

See Organizing User and Authorization Maintenance. See also Security in system networks.

 
  4. Reduce the extent of authorization checks if possible, before using the profile generator.

If the profile generator is active, an authorization check is only executed if it is in the source code of a transaction and is not explicitly excluded from the check.

SAP supplies proposals for check indicator and authorization field values, which you must copy. You can then edit these copied defaults.

Copy the SAP check indicator and field values in step 1 in the transaction SU25.

Then change the check indicator if necessary. You also use check indicators to control which objects are not to be checked, which appear in the Profile Generator and which field values are displayed there for editing before the authorization profiles are generated automatically.

You can also globally deactivate authorization objects in the transaction SU25 (item 5).

See Reduce extent of authorization checks.

   X

  5. Create roles in the development system (of the child systems).

See Create roles.

 
  6. Define test users and assign roles to them according to their job descriptions. Test the defined jobs in the quality assurance system with the help of the departments concerned (in the child systems). Make any corrections which may be necessary during the test.

See Create and maintain user master records.

 
  7. Create the users in the production or central system and assign them their roles. If you use the central user management, compare the systems or migrate first in the Global User Manager.

See Create and maintain user master records or Global User Manager functions.

 
  8. Update the validity of the profiles in the user master record.

This is only necessary if you make indirect assignments of users to roles in Organization management (HR-Org) or time-dependent assignments of roles to users.

You cannot restrict the validity of authorization profiles in a user master record by time.

But you can assign roles to a user master record for a time period.

You must periodically compare these profiles with the corresponding roles in the user master record to ensure that they are up-to-date. Use the program PFCG_TIME_DEPENDENCY.

As administrator, you should regularly check the job log of the program PFCG_TIME_DEPENDENCY for background job errors.

Resolve such errors manually.
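The comparison described in this step can be cross-checked offline. The following is an added example, not SAP code and not how PFCG_TIME_DEPENDENCY is implemented: it flags profiles that remain in a user master after the role's validity period has ended, and profiles that are missing for a role that is currently valid. The input is constructed sample data shaped like exports of the tables AGR_USERS, AGR_1016 and UST04; all user, role and profile names are made up.

```python
from datetime import date

# Constructed sample data (assumption: exported from the tables named below).
# AGR_USERS: role assignments with validity period (user, role, from, to)
ROLE_ASSIGNMENTS = [
    ("JDOE", "Z_FI_CLERK", date(2023, 1, 1), date(2023, 12, 31)),
    ("JDOE", "Z_MM_BUYER", date(2024, 1, 1), date(9999, 12, 31)),
    ("ASMITH", "Z_FI_CLERK", date(2024, 6, 1), date(9999, 12, 31)),
]
# AGR_1016: role -> generated authorization profile
ROLE_PROFILES = {"Z_FI_CLERK": "T-FI000001", "Z_MM_BUYER": "T-MM000002"}
# UST04: profiles currently entered in each user master record
USER_PROFILES = {"JDOE": {"T-FI000001"}, "ASMITH": set()}


def expected_profiles(user, today):
    """Profiles the user should hold today, derived from valid role assignments."""
    return {
        ROLE_PROFILES[role]
        for name, role, valid_from, valid_to in ROLE_ASSIGNMENTS
        if name == user and valid_from <= today <= valid_to
    }


def compare_user_master(today):
    """Return {user: {"stale": [...], "missing": [...]}} for users out of sync."""
    generated = set(ROLE_PROFILES.values())
    users = set(USER_PROFILES) | {a[0] for a in ROLE_ASSIGNMENTS}
    findings = {}
    for user in sorted(users):
        # Only role-generated profiles are compared; manual profiles are ignored.
        current = USER_PROFILES.get(user, set()) & generated
        expected = expected_profiles(user, today)
        stale = sorted(current - expected)      # still effective after role expiry
        missing = sorted(expected - current)    # role valid, profile not entered
        if stale or missing:
            findings[user] = {"stale": stale, "missing": missing}
    return findings


if __name__ == "__main__":
    for user, result in compare_user_master(date(2024, 7, 1)).items():
        print(user, result)
```

A "stale" finding is the security-relevant one: the user keeps the authorizations of an expired role until the comparison has run successfully.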

 
  9. Assign table maintenance authorizations.

You can specify which table types can be maintained by which employees.

Choose Edit → Assign Authorizations → Manual entry and enter the object "S_TABU_DIS" in the Profile generator authorization maintenance (transaction PFCG, Authorization tab, "Change authorization data").

The selected object is inserted in the authorization maintenance hierarchy display with its authorizations and fields (activity and authorization group).

Each table or view can be assigned to an authorization group.

SAP delivers authorization groups and assignments of tables/views to groups.

You can also assign row-oriented authorizations for tables. See Row-oriented authorizations.

 
  10. Define not-allowed passwords.

You can prevent users from choosing passwords that you do not want to allow. To prohibit the use of a password, enter it in table USR40.

See Specifying Impermissible Passwords.

   X

See Security in system networks.