Prerequisites
You are using the SD and MM applications but not HR or HR-ORG.
You are not using warehouse management within materials management.
Your company has five plants and you want to create material master data for them. A separate employee is responsible for each plant, who must not be able to change the data for other plants.
In order to understand this scenario and to be able to adapt it for your own purposes, you will need a basic knowledge of the SAP authorization concept, authorization objects, authorizations and authorization profiles.
The following assumes that none of the predefined user roles satisfies your requirements.
Procedure
Preparation
Activate the Profile Generator and permit authorization checks to be suppressed
The system parameter auth/no_check_in_some_cases must be set to the value 'Y'. This is the case for new installations. Check the setting in your system using report RSPARAM.
Copy SAP default settings for check indicators and authorization field values
Copy the SAP default check indicator settings for the authorization objects in transactions and the authorization field values for the Profile Generator using Transaction SU25.
You can then edit the default check indicators using Transaction SU24.
For more information, see Preparatory Steps.
Creating and Maintaining an Authorization Profile for a User
Create a user-specific menu with appropriate authorizations.
The user needs to be able to:
The user needs a range of authorizations to be able to do this. These are grouped together in an authorization profile.
To create an authorization profile for a user, do the following:
These steps are described in detail below.
1. Create a role and generate an authorization profile
You use roles to define the functions (transactions) for which a user receives authorizations.
Corresponding to our scenario, you would need to enter the following values (each time in the From field):
– Company code: 0001
– Warehouse number / complex: (no entry, since there is no warehouse management)
– Sales organization: * (all)
– Distribution channel: * (all)
– Plant: 0001
Choose Enter.
Expand a few levels of the hierarchy. By choosing Color legend, you can display an explanation of the colors used in the authorization component hierarchy.
At the lowest level, for example, are the authorization field values: most fields have default values, either from SAP or from your organizational level values.
The traffic lights indicate whether there are fields whose values you have not yet maintained.
Red: You have not maintained the organizational levels.
Yellow: You have not assigned values to fields (not organizational levels).
There are now no more red traffic lights, since no active authorizations with unmaintained organizational levels remain.
You can display help as follows:
By double-clicking the text of an authorization object
By double-clicking the text of an authorization field
To assign full authorization (*), click on the star symbol next to an authorization field.
You can assign full authorization for all unmaintained (empty, open) fields in an organizational level by clicking on the traffic light. Once you have confirmed the operation, full authorization (*) is assigned for all empty fields in the subordinate levels of the hierarchy. Note how the traffic light reacts.
You can display detailed information on the individual icons by choosing Color legend.
2. Assign roles and authorization profiles to a user
Assign role MATST_0001 to users by entering names in the lists displayed under the Users tab. These users have the proper authorizations to execute the role transactions. See the online documentation for more information on assigning users in Users.
The generated profile is not entered in the user master record until the user master records have been compared. To do this, choose Compare users.
You can also assign a role to a user in the user maintenance transaction (SU01) in Roles. For more information, see
Log on to the system again with the user name that you have entered. The user should now have all of the authorizations necessary to maintain material masters in plant 0001 / company code 0001. It should also be possible to display data for all plants. This does not yet work.
3. Change the role (optional)
You change a role as follows:
Some new authorizations have been added to the group because new functions have been added. These are marked as New. Some of these will already contain values, others will need to be maintained manually (yellow traffic light). The warehouse management authorization is still inactive. New authorizations (for the period closing program, for example) may already be filled if they only affect organizational levels that already contain values.
If you also want to assign authorization to display data for all plants, proceed as follows:
Note that when you change an organizational level by choosing Org. Levels, this affects all fields in the organizational level. The exception is fields whose status has changed.
If, on the other hand, you maintain an organizational level by choosing the maintain field icon, the changes only apply to the field. The field then has the status Changed.
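The scenario's requirement (change only in plant 0001, display in all plants) can be checked against a simplified Python model of how an authorization check evaluates a user's authorizations. This is an added example, not part of the original documentation. The object name M_MATE_WRK, its fields ACTVT and WERKS, and the role data are assumptions constructed for illustration; value ranges are not modelled.

```python
# Simplified model of an authorization check (not SAP code).
# Assumption: plant access to material masters is checked on object
# M_MATE_WRK with fields ACTVT (01 create, 02 change, 03 display) and WERKS.
OBJ = "M_MATE_WRK"
PLANTS = ("0001", "0002", "0003", "0004", "0005")  # the scenario's five plants


def field_ok(allowed, value):
    """A field passes if it holds full authorization (*) or the value."""
    return "*" in allowed or value in allowed


def authority_check(auths, obj, **wanted):
    """Pass only if ONE authorization of obj satisfies ALL requested fields.

    Values are never combined across two authorizations of the same object.
    """
    return any(
        a["object"] == obj
        and all(field_ok(a["fields"].get(f, ()), v) for f, v in wanted.items())
        for a in auths
    )


# Constructed role data. SEPARATE adds display for all plants as a second
# authorization; WIDENED sets the plant field of the existing one to *.
SEPARATE = [
    {"object": OBJ, "fields": {"ACTVT": {"01", "02", "03"}, "WERKS": {"0001"}}},
    {"object": OBJ, "fields": {"ACTVT": {"03"}, "WERKS": {"*"}}},
]
WIDENED = [
    {"object": OBJ, "fields": {"ACTVT": {"01", "02", "03"}, "WERKS": {"*"}}},
]


def foreign_plants_changeable(auths, own_plant="0001"):
    """Plants other than own_plant where create or change would pass."""
    return [
        p for p in PLANTS
        if p != own_plant
        and any(authority_check(auths, OBJ, ACTVT=a, WERKS=p) for a in ("01", "02"))
    ]


if __name__ == "__main__":
    for name, auths in (("SEPARATE", SEPARATE), ("WIDENED", WIDENED)):
        print(name, "change outside plant 0001:", foreign_plants_changeable(auths))
        print(name, "display plant 0003:",
              authority_check(auths, OBJ, ACTVT="03", WERKS="0003"))
```

Both variants allow display in every plant, but only the variant with a separate display authorization keeps create and change confined to plant 0001.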
4. Change the check indicator defaults (optional)
You will have noticed that you need to maintain the warehouse management data in order to set the red and yellow traffic lights to green. You can avoid this by changing the transaction defaults.
Select all transactions, set the check indicator in the top line to P and choose Save. All transactions are set to P. Save the data.
It makes sense to change the defaults whenever several roles are affected, whether these roles already exist (and must then be compared) or will be created in the future.
5. Copy the general authorizations from SAP defaults (optional)
Notice that the generated profile does not give users general authorizations such as those required for printing. It does not make sense to copy general authorizations to each transaction with the check indicator CM.
Instead, you can do either of the following:
Then compare the user master records.
In the authorization data maintenance, choose Edit
If you want to create your own templates, choose Edit templates in Transaction SU24. You need the authorization User master maintenance: User groups, S_USER_GRP. You can create your own templates or you can copy the SAP templates and edit them. Unlike changes to defaults, changes to templates are not passed on when you compare roles. Your own templates must not begin with S.
6. Regenerate the Authorization Profile Following Changes
Regenerate the authorization profile so that your changes take effect in the system.
7. Check the authorization profile
Test your generated authorization profile.
If any authorizations are missing or superfluous, you have two options:
If an authorization check fails during a transaction, you can see which authorization is missing by choosing System
Test this example until you are happy with the result and the user can perform exactly the correct action in the plant/company code 0001. Change the organizational level to plant 0002 and company code 0002 and generate the authorization profile. You can then assign this role to the users who are to execute material master maintenance for plant 0002.
Installing a new module
Suppose you later want to install warehouse management. You need to undo all the changes you have made that affect authorization object M_MATE_LGN.
You should then check whether the functions in your role are still correct. Is the menu selection still current, for example? Always compare your authorization data.