Scribd
Upload
25 views10 pages

Main Doc - User - Profile - Role - Auth - Concept

The document provides an overview of user management and authorization in SAP, detailing profiles, roles, and types of users. It explains how to create roles and users, as well as mass user maintenance processes. Key transaction codes (Tcodes) for various functions are also listed to facilitate user administration in SAP.

Uploaded by

Androhat
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
25 views10 pages

Main Doc - User - Profile - Role - Auth - Concept

The document provides an overview of user management and authorization in SAP, detailing profiles, roles, and types of users. It explains how to create roles and users, as well as mass user maintenance processes. Key transaction codes (Tcodes) for various functions are also listed to facilitate user administration in SAP.

Uploaded by

Androhat
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 10

Content

s
Profiles..............................................................................................................................................2
Definitions.........................................................................................................................................3
Authorization.................................................................................................................................3
Authorization Objects....................................................................................................................3
Organization Level.........................................................................................................................3
Field and field values.....................................................................................................................3
Roles..................................................................................................................................................3
How to Create Role in PFCG:.........................................................................................................4
Useful Tcodes:...............................................................................................................................4
Users In SAP......................................................................................................................................5
Dialog User....................................................................................................................................5
System User...................................................................................................................................5
Communication User:....................................................................................................................5
Service User:..................................................................................................................................5
Reference User:.............................................................................................................................5
DDIC and SAP*...............................................................................................................................5
How to Create a User Type in SAP.................................................................................................6
Useful Tcodes:...............................................................................................................................6
Mass User Maintenance:..................................................................................................................7
Mass Change..................................................................................................................................7
Mass User Lock..............................................................................................................................8
Mass unlock the users...................................................................................................................9
Delete Users..................................................................................................................................9
Profiles
Profile
In SAP, a profile is an object that stores authorization data.

Profiles are of 2 types:


1) Standard Profile: which comes along with the installation.
2) Generated Profile: Through roles.

 Standard profiles can be assigned to user directly.


 Generated profiles cannot be assigned to user directly.

SAP recommends NEVER ASSIGN STANDARD PROFILES to user directly. As they give extra
access to user.
Hence, we have to assign roles to user which in turn assign the generated profiles to user.

Generated profiles start with letter T.


Definitions
Authorization
An entry in the user master record as part of an authorization profile.

Authorization consists of full or generic values for the authorization fields in an


authorization object. The combination determines which activities a user can use to access
certain data.

Authorization Objects
Combinations of authorization fields, which represent data and activities, are used to grant
and check authorizations. Authorization objects are grouped together in authorization
object classes.

Organization Level
This defines actually the organizational elements in SAP for example Plant (SWERK, IWERK,
WERKS, BWKEY), Cost Center (KOSTL), Profit Centre (PRCTR), Purchasing Group (EKGRP),
Distribution Channel (VTVEG), Company Code (BUKRS, VKORG).

Field and field values


In order to restrict the access one can, control the values in the respective Authorization
Objects. (For example, Authorization object F_BKPF_BUK: Accounting Document:
Authorization for Company Codes, contains the relation between fields: BUKRS = Company
Code and ACTVT = Activity).

Roles
Roles: Roles are the means of assigning authorizations to the user.
Which contains group of T-codes and its related authorizations.
Type of roles in SAP
1) Single Role
2) Composite Role
3) Derived Role
4) Business Role
 SAP Single Role – A single role is a data container for a group of
transaction codes. SAP users are assigned the single roles for them to be
able to execute the transaction codes. The different approaches of
assigning access are referred to as the role methodology.

 Derived – A derived / parent role methodology is where the parent role


acts as a master role containing the transaction codes and is derived out
to cater for the various organisational levels (Company Code, Plant etc).

 SAP Composite Role – An SAP Composite role is a container for a group


of single roles. The Composite role can then be assigned to the users
who then inherit the access (transaction codes) contained in the single
roles.

 SAP Business Role – The Business Role is similar to an SAP Composite


Role but only exist in the IDM or Access Control solution, a virtual role
that can be managed through an SAP Access Risk tool. Business roles
have the added benefit of being a data container for SAP single roles
from multiple SAP systems, simplifying provisioning significantly.

How to Create Role in PFCG:


1. Enter Tcode PFCG
2. Enter the role name you want to create in the Role text box. Click on
Single Role to create single role. Execute the Transaction.
3. A Menu tab will appear(red). By clicking on add transaction(+ sign) we
can assign required tcode to user. After adding tcode it will turn red to
green.
4. Next click on Authorization tab and then change auth data and then org
levels.
5. Provide relevant org units/levels and save it and then generate the
profile.(auth tab turns red to green)
6. Click on User tab and you can assign user ids to these roles.

Refer: Blog
Useful Tcodes:
SU21 – See all the authorization objects.
SU24 – See authorization objects for Tcodes.
PFCG – Role Creation.

Users In SAP
There are five main types of users in SAP, including:
Dialog User
 Used for all types of logons.
 This user is used to logon using SAP GUI.
 User can change his/her password upon expiry.
 These users are used to carrying out standard transactions.
 Multiple logins are permitted(6).

System User
 These are non-interactive users and dialog logon not possible.
 They are used for background processing and internal communication in the system.
(RFC, CUA)
 End user cannot change their password only admin can change it.
 Multiple logins are permitted.

Communication User:
 Used for dialog-free communication and dialog logon not possible.
 End user can change their password.

Service User:
 Service users are designed for larger, anonymous group of users.
 Only admin can change their password.
 Highly restricted auth’s are given to this type of users.

Reference User:
 Dialogue logon is not possible.
 Reference user is used to only assign additional authorization.

DDIC and SAP*


DDIC is the maintenance user for the ABAP Dictionary and software logistics. DDIC is the
only user that is allowed to log on to the SAP System during an upgrade. To secure DDIC
against unauthorized use, you must change the initial password for the user in clients 000
and 001 in your R/3 System.
The SAP System superuser, SAP* has by default the password PASS, to secure SAP* against
misuse, you should at least change its password from the standard PASS. For security
reasons, SAP recommends that you deactivate SAP* and define your own superuser.

How to Create a User Type in SAP


 Select transaction code SU01.
 Enter the username you want to create and select the ‘Create’ icon.
 Navigate to the ‘Address’ tab and enter user details like first name, last name, email
ID, etc.
 Once directed to the ‘Logon Data’ tab, users will select the SAP system user type
from the drop-down list, including System, Service, Communication, Reference, and
Dialog users.
 Click ‘New Password’ and re-type the password in the ‘Repeat Password’ box to
create a new password.
 Once the password has been created and users are directed to the ‘Roles’ tab,
administrators can assign specific roles to each user.
 Navigate to the ‘Profiles’ tab and assign profiles to each user.
 Click ‘Save’ to confirm the user type has been created and roles and profiles have
been assigned.

Useful Tcodes:
SU01: Create Users, assign roles, Reset Password.
SU10: Mass User Maintenance and Creation, View locked Users.
Mass User Maintenance:
Tcode SU10
Mass Change
If you want to modify the details of the user, you can modify them all at once. On the user
field, update all the users that you want to mass change.

Now you modify the details of users, for example, let’s change decimal notation and date
format.
Mark the change option and change the decimal notation, date format, and time format.
Click on the save button to save the data, you get the notification about the mass change.
Press yes to continue.

Mass User Lock


Users can be locked by selecting the lock button (Ctrl+F5). Select all users and click on lock
option.
Below is the screenshot preview that users have been locked.

Mass unlock the users


Users can unlock it by selecting unlock button. Select the users and click on unlock option
(Ctrl+F4).
Similarly, you can change user address details and Authorization details like a user group,
role, Authorization object, and so on.

Delete Users
Bulk users can be deleted by selecting the delete button, after deleting the user no more
user id exists in SAP.
So mass user maintenance helps you to maintain the details of bulk users at a time.

You might also like