The following areas were extended:

• Role Maintenance

• Flexible user menus
• Composite roles
• Distribution of roles
• Read roles from other systems
• Link a role to Knowledge Warehouse documentation
• Comparison of roles

• User administration

• Central User Administration

• User groups
• Mass changes in user administration
• Alias names for users
• Reference user

The current Release contains more than 1200 single roles from all application areas. You can use the roles as they are delivered by SAP or you can copy and change them and assign them to users.

The delivered roles include:

In role maintenance (transaction PFCG), the administrator can construct the user menu for a role by adding transactions, reports, and Internet/intranet links to the menu. The structure and terminology for the functions contained can be specified as needed.

You can specify transactions to add to the user menus or choose transactions from the SAP menu. The company menu is no longer available as of Release 4.6A.

Along with the user menus, you can display a complete view of all functions delivered by SAP using the SAP menu. This complete view is only displayed if no user menus have been defined.

It is often necessary to define a work center using more than just a role and the menu structure, authorization data and user assignment information it contains. To simplify maintenance and improve the reusability of the information, a work center can also be modularized into several roles and then combined into one composite role.

Users assigned to a composite role are automatically assigned to the roles included in the composite activity group.

You can edit the complete menu structure that is the sum of the individual roles included in the composite role.

You can distribute roles into target systems from Release 4.6C provided that the target system also has Release 4.6C.

You can copy component system roles to the work center server by RFC. You can also read roles from earlier releases (down to Release 3.1H) into the work center, if you have the appropriate plug-in.

You can link a role to a document in the Knowledge Warehouse with Utilities ® Info object ® Assign in the role maintenance Change roles screen.

You can compare and adjust role menus across systems from Release 4.6C with the transaction ROLE_CMP.

You can derive roles from existing roles in the role maintenance. The role menu is copied into the derived roles. You can perform a mass generation of the derived roles in the authorization maintenance of the original role to copy the authorization data as well.

The organization level data is only copied the first time the authorization data is adjusted for the derived role. If organization level data is maintained in the derived role, it is not overwritten by subsequent adjustments.

An SAP system group consists of several R/3 Systems with several clients. The same users are frequently created and assigned to roles in each client. The central user administration performs these tasks in a central system and distributes the data to the systems in the system group.

From Release 4.6A the system administrator can get an overview of the users, existing user groups, the systems in the system group and the roles, in the Global User Manager, based on the central user administration. The system administrator can make changes in the overview using drag and drop. These changes take affect after being distributed to the dependent systems.

Previously, user data had to be maintained in every client in every system. With the introduction of central user administration, this can all be maintained in a central system. User groups can be used to reduce the administration overhead required for maintaining user data, as authorization data then only has to be maintained once for each user group.

From Release 4.6C, simple system landscapes can be setup with transaction SCUA.

If the Workplace server is the origin for the central user administration, the single roles and their profiles are automatically assigned to the component system user when you assign a composite role to a user. The composite role menu is called on the Workplace Server. Authorization checks are made in the component systems.

Previously, user groups were used to distribute user administration among several administrators. As of Release 4.6A, the User group category can be used to improve the distribution of users thus increasing the speed of user administration.

Most changes which can be made for one user in the user management can also be made for a set of users.

Logon data, constants, parameters, roles and profiles can be changed for a set of users.

You select users in the user administration Infosystem. Users can be selected, for example, according to address data or authorization data.

You can assign an alias to a user when you create it. This gives you 40 characters for user names which can be longer and more meaningful. The user can be identified by either the (12-character) user name or the (40-character) alias. The alias also identifies a dialog user in the internet.

A reference user can be assigned to each user when assigning roles. Reference users are an authorization enhancement. They are used to give internet users identical authorizations.