To create authorizations for your SAP System:
Procedure |
Optional |
If your company uses various applications, you must liaise with the various departments to decide which workplaces to define in each department, and which authorizations the staff is to be given. Each workplace should be defined (in writing). The authorization managers need to know which employees can access which data, call which transactions and programs, etc. |
|
|
X |
Install the system administrator for authorization maintenance. See Organizing User and Authorization Maintenance. See also Security in system networks. |
|
If the profile generator is active, an authorization check is only executed if it is in the source code of a transaction and is not explicitly excluded from the check. SAP supplies proposals for check indicator and authorization field values, which you must copy. You can then edit these copied defaults. Copy the SAP check indicator and field values in step 1 in the transaction SU25. Then change the check indicator if necessary. You also use check indicators to control which objects are not to be checked, which appear in the Profile Generator and which field values are displayed there for editing before the authorization profiles are generated automatically. You can also globally deactivate authorization objects in the transaction SU25 (item 5). |
X |
See Create roles. |
|
|
|
See Create and maintain user master records or Global User Manager functions. |
|
This is only necessary if you make indirect assignments of users to roles in Organization management (HR-Org) or time-dependent assignments of roles to users. You cannot restrict the validity of authorization profiles in a user master record by time. But you can assign roles to a user master record for a time period. You must periodically compare these profiles with the corresponding roles in the user master record to ensure that they are up-to-date. Use the program PFCG_TIME_DEPENDENCY. As administrator, regularly check the job log of the program PFCG_TIME_DEPENDENCY for background job errors. Resolve such errors manually. |
|
You can specify which table types can be maintained by which employees. Choose Edit → Assign Authorizations → Manual entry and enter the object "S_TABU_DIS" in the Profile generator authorization maintenance (transaction PFCG, Authorization tab, "Change authorization data"). The selected object is inserted in the authorization maintenance hierarchy display with its authorizations and fields (activity and authorization group). Each table or view can be assigned to an authorization group. SAP delivers authorization groups and assignments of tables/views to groups. You can also assign row-oriented authorizations for tables. See Row-oriented authorizations. |
|
You can prevent users from choosing passwords that you do not want to allow. To prohibit the use of a password, enter it in table USR40. |
X |
See Security in system networks.
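
A proposed list of prohibited passwords for table USR40 can be reviewed offline before it is maintained in the system. The following Python sketch is an added example, not SAP code; it assumes that USR40 entries treat `?` as one character and `*` as any character sequence and that comparison ignores case by default, and all entries and candidate passwords in it are constructed.

```python
import re

# Constructed sample entries and candidates (not taken from any SAP system).
SAMPLE_USR40 = ["PASSWORD", "SAP*", "*2024", "INIT??", "*COMPANY*"]
SAMPLE_CANDIDATES = ["password", "Sap12345", "Summer2024", "init01", "init001"]


def usr40_to_regex(entry, case_sensitive=False):
    """Translate one entry; assumed semantics: '?' = one char, '*' = any run."""
    parts = []
    for ch in entry:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))  # everything else is a literal
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    return re.compile("".join(parts), flags)


def blocking_entries(password, entries, case_sensitive=False):
    """Return the entries that match the whole password, in table order."""
    return [e for e in entries
            if usr40_to_regex(e, case_sensitive).fullmatch(password)]


def overbroad_entries(entries, min_literals=3):
    """Flag entries with so few literal characters that they could reject
    most passwords (for example a bare '*'), a lockout risk."""
    return [e for e in entries
            if sum(ch not in "?*" for ch in e) < min_literals]


def review(candidates, entries):
    """Return (hits, unused): per-candidate blocking entries and entries
    that blocked none of the candidates."""
    hits = {c: blocking_entries(c, entries) for c in candidates}
    used = {e for matched in hits.values() for e in matched}
    return hits, [e for e in entries if e not in used]


if __name__ == "__main__":
    hits, unused = review(SAMPLE_CANDIDATES, SAMPLE_USR40)
    for cand, matched in hits.items():
        print(f"{cand!r}: {'blocked by ' + ', '.join(matched) if matched else 'allowed'}")
    print("entries that blocked nothing:", unused)
    print("overbroad:", overbroad_entries(SAMPLE_USR40 + ["*", "??*"]))
```

Entries that block none of the known-weak candidates, and entries flagged as overbroad, are the ones to revisit before the list goes into USR40.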