On the Profiles tab page, you assign manually created authorization profiles and therefore authorizations to a user. The generated profiles of the roles assigned to the user are also displayed here.
Never enter the generated profiles directly on the Profiles tab page, as transaction PFUD deletes these assignments if there is no entry for them on the Roles tab page. When you assign a role to a user on the Roles tab page, the profile generated for this role is automatically entered on the Profiles tab page (see Assigning a Role and Comparing Profiles in the User Master Record with Roles).
You can assign 300 authorization profiles to a user (see SAP Note 410993).
You can manually maintain profiles by choosing Tools ® Administration® User Maintenance ® Manual Maintenance ® Edit Profiles Manually (see Creating and Maintaining Authorizations and Profiles Manually); however, we recommend that you use the Profile Generator instead, and generate the profiles automatically. You can enter composite profiles (a combination of several profiles) in the user master records when manually maintaining profiles.
The SAP system contains predefined profiles, the most important of which are explained below:
· SAP_ALL: To assign all authorizations that exist in the SAP system to users, assign the profile SAP_ALL.
· SAP_NEW: Composite profile to bridge the differences in releases in the case of new or changed authorization checks for existing functions, so that your users can continue to work as normal. This composite profile contains very extensive authorizations, as, for example, organizational levels are assigned with the full authorization asterisk (*).
Temporarily assign either the composite profile SAP_NEW, suitably adjusted beforehand, or the relevant single profile SAP_NEW_<Release> contained in the composite profile. You require all single profiles between the old release and the new release. For example, if you are upgrading from SAP R/3 4.5B to SAP R/3 4.6C, you require the following SAP_New profiles: SAP_NEW_4.6A, SAP_NEW_4.6B und SAP_NEW_4.6C. The simplest way to make these assignments is to delete all other single profiles from SAP_NEW and to assign SAP_NEW. Once you have incorporated the new authorization checks in your authorization concept, delete the SAP_NEW profile to avoid assigning authorizations that are too extensive.
You must add the new authorizations to manually generated profiles
· SAP_APP: This profile contains all application authorizations. It is not included in the standard SAP system, however you can generate it with the report REGENERATE_SAP_APP. You can decide when executing this report whether authorizations for the SAP NetWeaver and HR areas should be included.
If you are using Central User Administration with the field distribution setting Global for the Profiles field (transaction SCUM), the Profiles tab page in the central system has the following special features:
· The additional column System that specifies the system in which the manually generated profile is valid
· The additional pushbutton Text Comparison, with which you can make the profile and role names of the child systems known to the central system
· The profiles generated by the assignment of roles are no longer displayed (these profiles are only displayed in the child systems in which they are valid)