Identity Management V1

This document discusses user and authorization management in SAP. It describes the relationships between users, groups, roles, and administrators. It gives an overview of the transactions used to create and manage users (SU01), roles (PFCG), maintain authorization defaults (SU24), and generate authorization profiles in bulk (SUPC). Roles can be assigned to users directly or indirectly by linking them to organizational entities such as positions in HR. Typical processes for user creation, assigning authorizations through roles and the organizational structure, and restricting HR data access with structural authorizations (OOAC, OOAW, OOSP, OOSB) are demonstrated.
Copyright
© Attribution Non-Commercial (BY-NC)

ABAP – USR relationships

- Client → user groups (SUGR): a user belongs to one group (1:1); a user administrator (itself a user) manages a group of users.
- Types of users: Dialog, Service, Reference, Background (System), Communication.
- Users ↔ roles: m:n. A composite role contains n single roles; a single role contains 1:n transactions.
- Role → authorization profile is 1:1 (the slide notes this applies only when using SAP-predefined profiles).
- Role → Authorization (1:n) → Object class → Authorization object (1:n) → Authorization field (1:10; an authorization object has at most ten fields).

Transactions referenced:
- PFCG – Role / authorization maintenance (profile generator)
- SUGR – User groups
- SU01 – User maintenance
- SU10 – User mass maintenance
- SUIM – User Information System
- SPRO – Implementation Guide
- SE93 – Transaction maintenance (copy a transaction, create a transaction)
- SU24 – Authorization default maintenance (check indicators and default field values per transaction)
- SU25 – Upgrade / installation of the SU24 defaults for the profile generator
- PFUD – User master comparison
- SUPC – Mass generation of profiles
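The relationship chain on this slide (user → roles → single roles → profile → authorizations → objects → fields) is what an ABAP AUTHORITY-CHECK walks at run time. The following is an added example, not code from the slides or from SAP: the roles, profile names and values are constructed here, and the matching rules modelled are the standard ones (a check passes when at least one authorization for the object satisfies every checked field; `*` matches anything; a trailing `*` is a prefix wildcard; `LOW..HIGH` stands for a from/to range; a field left out of the check behaves like DUMMY). The return codes 0 and 4 mirror sy-subrc after AUTHORITY-CHECK; a 4 is what SU53 would show afterwards.

```python
# Added example (not from the slides, not SAP code): a model of how the
# authorizations generated by PFCG are evaluated by an ABAP AUTHORITY-CHECK.
# All role and profile data below is constructed for this example.

# Single roles: role -> generated profile -> authorizations
# (each authorization is one instance of an authorization object with field values).
SINGLE_ROLES = {
    "Z_HR_DISPLAY": {
        "profile": "T-HR00001",
        "authorizations": [
            {"object": "S_TCODE", "fields": {"TCD": ["PA20", "PA30"]}},
            {"object": "P_ORGIN", "fields": {
                "AUTHC": ["R"], "INFTY": ["0001", "0002", "0105"],
                "PERSA": ["1000..1999"], "PERSG": ["*"], "PERSK": ["*"],
                "SUBTY": ["*"], "VDSK1": ["*"]}},
        ],
    },
    "Z_HR_MAINTAIN": {
        "profile": "T-HR00002",
        "authorizations": [
            {"object": "S_TCODE", "fields": {"TCD": ["PA30"]}},
            {"object": "P_ORGIN", "fields": {
                "AUTHC": ["R", "W"], "INFTY": ["00*"],
                "PERSA": ["1000"], "PERSG": ["*"], "PERSK": ["*"],
                "SUBTY": ["*"], "VDSK1": ["*"]}},
        ],
    },
}
# Composite role -> single roles (the n:1 relation in the slide's diagram).
COMPOSITE_ROLES = {"ZC_HR_ADMIN": ["Z_HR_DISPLAY", "Z_HR_MAINTAIN"]}
# User -> roles (m:n). NCERTO is the user name the deck uses in its screenshots.
USER_ROLES = {"NCERTO": ["ZC_HR_ADMIN"], "JDOE": ["Z_HR_DISPLAY"]}


def expand_roles(roles):
    """Resolve composite roles to the single roles whose profiles carry authorizations."""
    single = []
    for role in roles:
        single.extend(COMPOSITE_ROLES.get(role, [role]))
    return single


def value_matches(auth_value, requested):
    """One maintained field value ('*', 'prefix*', 'LOW..HIGH' or literal) against
    the value being checked."""
    if auth_value == "*":
        return True
    if ".." in auth_value:
        low, high = auth_value.split("..", 1)
        return low <= requested <= high
    if auth_value.endswith("*"):
        return requested.startswith(auth_value[:-1])
    return auth_value == requested


def authorization_satisfies(auth, checked):
    """Every checked field must be covered by this single authorization;
    fields not in `checked` are DUMMY and impose no restriction."""
    return all(
        any(value_matches(v, wanted) for v in auth["fields"].get(field, []))
        for field, wanted in checked.items()
    )


def authority_check(user, obj, **checked):
    """Return 0 (authorized) or 4 (no authorization satisfies all checked fields),
    the two sy-subrc values a failing or passing AUTHORITY-CHECK produces."""
    for role in expand_roles(USER_ROLES.get(user, [])):
        for auth in SINGLE_ROLES[role]["authorizations"]:
            if auth["object"] == obj and authorization_satisfies(auth, checked):
                return 0
    return 4
```

The point the model makes visible: NCERTO is authorized for `P_ORGIN` with AUTHC W in personnel area 1000 through Z_HR_MAINTAIN, but not in 1500, because no single authorization covers both AUTHC W and PERSA 1500; values from two different authorizations are never combined, which is why SU53 output has to be read per authorization and not per field.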
SAP user creation

Flow:
1. User creation (SU01).
2. Role creation (PFCG).
3. Assign transactions (Menu tab).
4. Change authorization data (Auth tab): the authorization profile name is auto-generated; set org. values; set authorization values.
5. Generate the profile.
6. Assign user(s) (User tab).
7. User comparison.

SU24 can be used to preset which authorization objects are checked for a transaction and which default values go into the authorization object fields. Not used much at client locations.

Authorization values can be found by: 1) the choice list, 2) SPRO, 3) F1 help, 4) SU03, 5) help.sap.com, sdn.sap.com, service.sap.com, 6) Google, 7) the business user.

SU01 – User creation; PFCG – Role creation; SU03 – Maintain authorization profiles (said to be replaced by PFCG).
Typical user creation at a customer location

Same flow as above, with these differences:
- Role creation (PFCG): copy the SAP-delivered role (SAP_*) to a Z/Y role and edit the copy, then change authorization data (Auth tab) → auto-generated profile name → set org. values → set authorization values → generate → assign user(s) (User tab) → user comparison.
- SU24: can be used to preset which authorization objects are checked and which default values go into the fields. Not used much at client locations.
- SUPC: mass generation of authorization profiles. The deck describes it as used in older versions predating PFCG; it still exists and is used to regenerate the profiles of many roles at once, e.g. after an SU25 run.

Authorization values can be found by: 1) the choice list, 2) SPRO, 3) F1 help, 4) SU03, 5) help.sap.com, sdn.sap.com, service.sap.com, 6) Google, 7) the business user.

SU01 – User creation; PFCG – Role creation; SU03 – Maintain authorization profiles (said to be replaced by PFCG).
Authorization using HR Organization structure

Role creation (PFCG): copy the SAP-delivered role (SAP_*) to a Z/Y role and edit the copy → auto-generated profile name → change authorization data (Auth tab): set org. values, set authorization values → generate.

At the start of PFCG, make the setting that shows the "Org. Mgmt" button on the User tab. Then, on the User tab:
1. Click Org. Mgmt.
2. Click "Create assignment".
3. Select the org-level entity (e.g. position, job).
4. The user assigned to that position/job in HR will be assigned the current role; the assignment appears as an indirect assignment.

SU01 – User creation
PFCG – Role creation
SU03 – Maintain authorization profiles (said to be replaced by PFCG)
SU24 – Authorization default maintenance
SUPC – Mass generation of authorization profiles
SU53 – Display the last authorization error
User comparison (PFUD or the button in PFCG)
ST01 – Trace authorization checks
PFCG – Assigning users by reference using Organizational Management

Three states the user comparison can find for a position that carries a role:
1. Position exists, person assigned to the position, NO infotype/subtype 0105/0001, no SAP user id → no user is resolved.
2. Position exists, person assigned to the position, 0105/0001 defined (using PA30), but NO SAP user id (not created in SU01) → no user is resolved.
3. Position exists, person assigned to the position, 0105/0001 defined (using PA30), SAP user id defined (SU01) → the role is assigned to the user.
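The three states above are exactly what a user comparison has to walk: position → holder → infotype 0105/0001 → user master record. The following is an added example, not code from the slides or from SAP: it models that resolution with constructed dictionaries (the names `POSITION_ROLES`, `POSITION_HOLDERS`, `IT0105_0001` and `USR02` are stand-ins for the HR relationship, infotype and user master data, not SAP table names, apart from USR02 which is borrowed as a label) and reports, for every break in the chain, which of the slide's three states applies and where to fix it.

```python
# Added example (not from the slides, not SAP code): resolve indirect role
# assignments the way a user comparison (PFUD / "User comparison" in PFCG) does.
# The data below is constructed; object ids reuse SAP's type keys
# (S = position, P = person).

# Role -> position assignment made via the Org. Mgmt button in PFCG.
POSITION_ROLES = {
    "S50001": ["Z_HR_DISPLAY"],
    "S50002": ["Z_HR_MAINTAIN"],
    "S50003": ["Z_HR_DISPLAY"],
    "S50004": ["Z_HR_DISPLAY"],   # vacant position
}
# Position -> persons holding it (HR "holder" relationship).
POSITION_HOLDERS = {
    "S50001": ["P10001"],
    "S50002": ["P10001", "P10002"],
    "S50003": ["P10003"],
}
# Infotype 0105 subtype 0001: person -> SAP user id (maintained in PA30).
IT0105_0001 = {"P10001": "NCERTO", "P10002": "JDOE"}
# User master records that exist (created in SU01).
USR02 = {"NCERTO", "ADMIN"}


def resolve_indirect_assignments():
    """Return (user -> sorted roles, findings).

    Each finding is (position, person or None, reason) and names the break in
    the chain position -> person -> IT0105/0001 -> SU01 user, i.e. which of the
    three states on the slide applies."""
    user_roles = {}
    findings = []
    for position, roles in POSITION_ROLES.items():
        holders = POSITION_HOLDERS.get(position, [])
        if not holders:
            findings.append((position, None, "position has no holder"))
            continue
        for person in holders:
            user = IT0105_0001.get(person)
            if user is None:
                findings.append((position, person,
                                 "no infotype 0105/0001: maintain the SAP user id in PA30"))
                continue
            if user not in USR02:
                findings.append((position, person,
                                 f"user {user} does not exist: create it in SU01"))
                continue
            # state 3: chain complete, the role reaches the user
            user_roles.setdefault(user, set()).update(roles)
    return {u: sorted(r) for u, r in user_roles.items()}, findings


if __name__ == "__main__":
    resolved, problems = resolve_indirect_assignments()
    for user, roles in resolved.items():
        print(user, roles)
    for position, person, reason in problems:
        print(position, person, reason)
```

Note that a person holding two positions (P10001 here) ends up with the union of both positions' roles, which is the behaviour to expect after a comparison: removing a role from one position does not remove it from the user if another of their positions still carries it.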
SU24 notes:
- For HR and Basis authorization objects the check cannot be disabled in SU24 (check indicator "do not check" is not allowed); changing the default field values is allowed.
- Duplicate authorization objects cannot be added in SU24; to do this, use manual entry in PFCG.
- [Screenshot: using SU24 to uncheck the authorization object check (S_TRANSL) for PA30.]
Structural Authorization – to manage a person's info types: OOAC -> OOAW -> OOSP -> OOSB

Process:
1. Review the org. structure (PPOME).
2. Look up the SAP user id of the person (infotype 0105/0001 in PA30); create or validate 0105/0001 if it does not exist (PA30); create the SAP user in SU01 if it is not defined.
3. Create a profile (role) for the user in PFCG: add PA30 and the required authorization objects.
4. Assign the user by assigning the role to the org. unit of the user.
5. Run PA30 with the ST01 trace switched on and check SU53 for the required authorization objects.
6. Set "Structural authorization check" to 1 (OOAC); review the evaluation paths (OOAW).
7. Log in as the new user and test PA30. Run SU53, apply the required authorization, run PA30 and SU53 again until no authorization errors occur. <Dummy> in SU53 means the field was not checked (equivalent to *).
8. Create the structural authorization profile (OOSP); associate the user with the profile (OOSB).
9. Exclude the user from modifying their own HR data (authorization object P_PERNR). The user should not have any other P_PERNR authorization than that one.

See the SAP Library on structural authorizations.
Structural Authorization – Additional Info: PPOME

[Screenshot: click the indicated button and check 'id' so that object ids are displayed.]

OOAC – [screenshot of the switch settings; the explanatory text is cut off in this copy: "If you w…", "main sw…", "combin…", "are pos…", "Evaluat…", "Never e…"]
Depth of 3 covers only the department employees.

Structural Authorization – Additional Info: OOSP, OOSB (need to understand this better)
- In testing, the depth number given does not correspond to org. levels.
- Sign: '+' means the depth value applies below the object type, '-' means it applies above. Default is '+'.
- The evaluation path is defined in transaction OOAW.
OOSP

[Screenshot annotations:]
- Object Type defines what number is entered in 'Object ID'.
- Sequence number: the authorization profile can have more than one row.
- Status codes: 1) Active, 2) Planned, 3) Submitted, 4) Approved, 5) Rejected.
- Periods: D – Key date, M – Current month, Y – Current year, P – Past, F – Future.
- Additional filtering of the result set can be controlled by a custom function (ABAP, Java).
- Make sure the start date and end date are as required.
OOSB

Flag for Excluded Structural Profiles:
- If not set: user NCERTO can view org. unit 50004515 and 3 levels lower in the hierarchy. The list shown when 'i' is pressed, plus personnel not assigned to any org. unit, will be displayed in PA30. NCERTO will be included in the list.
- If set: the list shown when 'i' is pressed, and personnel not assigned to any org. unit, will be excluded when using PA30. NCERTO will be included.

Clicking 'i' should bring up a finite/small list. If 'All' appears in the authorization profile column, the user does not have infotype 0105/0001 defined, or the SAP user has not been created (SU01).
Structural Authorization – Additional Info: PA30 and SU53

[Screenshot: the authorization check for PA30 failed.]

The green tick should show for the authorization checks. The HR structural check can show a failure to reflect the personnel excluded by the structural authorization defined in OOSP and OOSB (the exclude flag).
The key transactions and programs to keep handy when working with structural profiles are OOAC
(activate structural authorization checks -- this is configuration and transportable), OOSP (create
structural profiles -- also transportable), OOAW (create evaluation paths, which are used by
structural profiles), PO13 (position maintenance, where you assign profiles to positions -- done in
each system), RHPROFL0 (report, not tcode -- this evaluates all the profile to position
assignments, the holders of those positions, and the usernames associated with those holders,
ultimately assigning profiles to the user -- it will also create new users in batch for you), OOSB
(checks which users have which profiles -- but not recommended as a way of directly assigning
them), OOVK (creates relationships, which are used in evaluation paths), RHBAUS02 and
RHBAUS00 (create indexes for users with large structural authorizations, for performance
reasons), and RHSTRU00 (display structures via evaluation path, for testing and development
purposes).

Transaction OOSP - Definition of Authorization Profiles (Table T77PR):


Create the structural authorizations that you then assign to the administrator
users in transaction OOSB.
See: Definition of Structural Authorizations
Transaction OOSB – Assignment of Profile to Users (T77UA):
Assign the authorization profiles from transaction OOSP to the administrator
users.
See: Assignment of Structural Authorizations
Structural Authorization – Filters in the process AC_AW_SP_SB -> OOAC, OOAW, OOSP, OOSB

- Master list: all personnel in the client.
- Filter 1: filter down to the list defined in OOSP/OOSB (the 'A' list, shown when 'i' is clicked).
- Filter 2: the 'exclude' checkbox in OOSB.
  - Not checked (default): the 'A' list is included, and in addition all personnel not associated with any org. unit are added.
  - Checked: the 'A' list is excluded.
- Filter 3: authorization object P_PERNR (the slide shows 'P_PERNER' with field value ' ' and question marks, i.e. the exact field values were not confirmed): the user of PA30 is either included or excluded from maintaining their own record. Editing is then allowed based on the check made in OOSP.
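The three filters above, together with the OOSB exclude flag and the P_PERNR own-record rule described on the earlier slides, can be written down as a small model. The following is an added example, not code from the slides or from SAP: the org tree, personnel assignments and profile rows are constructed (they imitate what OOSP/T77PR, OOSB/T77UA, infotype 0105/0001 and P_PERNR express), the evaluation uses a single downward path org unit → sub units → positions → persons with no plan versions or validity periods, depth 0 is treated as unlimited and '+'/'-' as below/above the root, and the handling of personnel without an org. assignment follows the slide's description. The P_PERNR rule is simplified to: PSIGN 'E' denies the given AUTHC on the user's own personnel number, 'I' grants it, no entry means no own-record rule.

```python
# Added example (not from the slides, not SAP code): a model of the filters
# that determine which personnel numbers a PA30 user can see and maintain
# under structural authorizations. All data below is constructed.
from collections import deque

# Org tree as parent -> children. Id prefixes reuse SAP's object type keys:
# O = org unit, S = position, P = person.
ORG_TREE = {
    "O50004515": ["O50004520", "O50004530"],   # department root from the OOSB slide
    "O50004520": ["O50004521"],
    "O50004521": ["S60001"],
    "O50004530": ["S60002", "S60003"],
    "S60001": ["P10001"],                      # position -> holder
    "S60002": ["P10002"],
    "S60003": ["P10003"],
}
PARENT = {child: parent for parent, kids in ORG_TREE.items() for child in kids}
ALL_PERSONS = {"P10001", "P10002", "P10003", "P10009"}   # P10009: no org assignment
IT0105_0001 = {"P10001": "JDOE", "P10002": "NCERTO"}     # person -> SAP user id

# OOSP rows (what T77PR holds): profile -> [(root object, depth, sign)].
# depth 0 = unlimited; '+' evaluates below the root, '-' above it.
T77PR = {
    "Z_HR_DEPT": [("O50004515", 3, "+")],
    "Z_HR_ALL": [("O50004515", 0, "+")],
}
# OOSB rows (T77UA): user -> [(profile, excluded flag)].
T77UA = {
    "NCERTO": [("Z_HR_DEPT", False)],
    "JDOE": [("Z_HR_DEPT", True)],
    "ADMIN": [("Z_HR_ALL", False)],
}
# P_PERNR per user: PSIGN 'E' denies AUTHC on the user's own record, 'I' grants it.
P_PERNR = {"NCERTO": {"AUTHC": "W", "PSIGN": "E"},
           "JDOE": {"AUTHC": "W", "PSIGN": "I"}}


def reachable(root, depth, sign="+"):
    """Objects one OOSP row covers, root included, by breadth-first walk."""
    seen = {root}
    frontier = deque([(root, 0)])
    while frontier:
        node, level = frontier.popleft()
        if depth and level >= depth:
            continue
        nxt = ORG_TREE.get(node, []) if sign == "+" else (
            [PARENT[node]] if node in PARENT else [])
        for obj in nxt:
            if obj not in seen:
                seen.add(obj)
                frontier.append((obj, level + 1))
    return seen


def a_list(profile):
    """Filter 1: personnel reachable through the profile's OOSP rows (the 'A' list)."""
    persons = set()
    for root, depth, sign in T77PR[profile]:
        persons |= {o for o in reachable(root, depth, sign) if o.startswith("P")}
    return persons


def pa30_hit_list(user):
    """Filter 2: apply the OOSB exclude flag as the slide describes it."""
    unassigned = ALL_PERSONS - set(PARENT)          # persons hanging off no position
    visible = set()
    for profile, excluded in T77UA.get(user, []):
        if excluded:
            visible |= ALL_PERSONS - a_list(profile) - unassigned
        else:
            visible |= a_list(profile) | unassigned
    return visible


def may_maintain(user, pernr):
    """Filter 3: structural range plus the P_PERNR own-record rule for write access."""
    if pernr not in pa30_hit_list(user):
        return False
    own = IT0105_0001.get(pernr) == user
    rule = P_PERNR.get(user)
    if own and rule and "W" in rule["AUTHC"]:
        return rule["PSIGN"] == "I"
    return True
```

With depth 3 from O50004515 the profile Z_HR_DEPT reaches P10002 and P10003 but not P10001, which sits four levels down; that is the "depth of 3 covers only the department employees" observation on the earlier slide made concrete. NCERTO can see their own record P10002 but the P_PERNR exclusion stops them from maintaining it, while JDOE, whose OOSB row has the exclude flag set, sees only what the profile does not cover.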
HR – Entity relations

[Diagram; entities shown:]
- Enterprise structure: Client → n Company codes; Company → Functional areas, Line of business, Work center; Profit centers, Controlling area, Credit control area, Business area, Org. key, Cost center.
- Personnel structure: Personnel area → Personnel sub-area; Organizational unit; Legal person; Employee group → Employee subgroup.
- A Job (e.g. VP) describes a Position (e.g. VP of ...); a Person / Employee holds a Position (n positions per person in the diagram).
- The person's infotype 0105 (Communication), subtype 0001, holds the SAP user id.

Object type keys: Org. units – O; Jobs – C; Positions – S; Cost centers – K; Persons – P.

SPRO – Implementation Guide
PA30 – Maintain HR master data
PPOME – Change organization and staffing
Position – another perspective [diagram only]

Super user creation

User creation (SU01)

Out-of-the-box clients and users:

Client 000 – SAP*: used during installation, but its password is not 'pass' afterwards. If the SAP* user master record is deleted, it becomes possible to log on again as SAP* with password 'pass' (the well-known SAP* backdoor). To deactivate the special properties of SAP*, set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero (author's note: to be checked once more); if the parameter is set, SAP* has no special default properties, and if there is no SAP* user master record, SAP* cannot be used to log on. The current value can be checked in RZ11.

Client 001 – DDIC: maintenance user for the ABAP Dictionary and software logistics. Do not delete; manage the password.

Client 066 – EarlyWatch: used by the EarlyWatch functions (performance and monitoring). Do not delete; manage the password.
ABAP User Types

- Dialog: individual, interactive system access.
- System: background processing and communication within a system (such as RFC users for ALE, Workflow, TMS, and CUA).
- Communication: dialog-free communication for external RFC calls.
- Service: dialog user available to a larger, anonymous group of users.
- Reference: general, non-person-related user that allows the assignment of additional identical authorizations, such as for Internet users created with transaction SU01. No logon is possible.

http://help.sap.com/saphelp_nw04/helpdata/EN/52/67119e439b11d1896f0000e8322d00/frameset.htm
Central User Administration

[Diagram: central system ↔ child system.]

With active Central User Administration (CUA), you can only delete or create child-system users in the central system. You can change users that already exist in the child system if the settings you choose for the distribution of the data (transaction SCUM) allow this.

ALE – Application Link Enabling

Application Link Enabling (ALE) is a technology to create and run distributed applications. The IDoc interface exchanges business data with an external system; it consists of the definition of a data structure, along with processing logic for this data structure.

You need the IDoc interface in the following scenarios:
- Electronic data exchange (EDI)
- Connecting other business application systems (e.g. PC applications, external workflow tools) by IDoc
User Management Engine – Java (UME)

SAP Solutions [diagram]:
- SAP ERP: Accounting (Financial accounting, Controlling), Logistics, HR
- CRM, SCM, SRM, PLM
- Industry solutions (IS): SAP for Banking, SAP for Retail, SAP for Automotive, SAP for Chemical, SAP for Health care
- BI / BW
- Solution Manager – IT management
PA30 – Creating infotype 0105, subtype 0001 (user id)

[Screenshot annotations: the highlighted field is the user id. The message shown is a warning; press 'Enter' to continue past it.]