Sap R/3 Basis Training User & Authorization

1. Run transaction SU53 and select the user to authorize. 2. Search for the transaction code "IL08" and select it. 3. Assign authorizations to the user by selecting authorization objects and values. 4. Save the changes to authorize the user for transaction code IL08.

Uploaded by KumarReddy

SAP R/3 BASIS Training: User & Authorization

USER Concept(1)
One of the basic parts of R/3 security is the user concept.
After installation of R/3 and client creation, one of the first steps is to create users in the new client.
Note that users are client dependent: a user in one client is not a user of another client.
Users are valid only for the client in which they were created or to which they were assigned.
The user name and user attributes make up the user master record.
By default SAP comes with two super users:
SAP*
DDIC
These two super users are available in every client of the R/3 system when a new client is created, but the nature of the two is slightly different.
SAP* has all authorizations.
DDIC is authorized to administer the R/3 repository.

Transaction code for user maintenance: SU01
Menu navigation: Tools --> Administration --> User Maintenance --> Users

User Master Record(1)


A user master record consists of the following information:
User Name
Assigned Client
Password (Changeable in future)
Company Address
User Type
Start Menu
Logon Language
Personal Printer Setting
Time Zone
Activity Groups
Authorizations
Expiration Date
Default Parameter Setting
The user master record is maintained through transaction code SU01.
A user can be assigned to many activity groups, and an activity group can be assigned to many users.

Password Restriction(1)
The password cannot be the word sap or pass.
The password cannot begin with any sequence of three characters contained in the user ID; for example, user FREDSMITH cannot set a password that starts with FRE, RED, EDS or SMI.
The password cannot begin with three identical characters, e.g. aaamy or bbbt.
When a user changes his password, he may not use any of the last five passwords.

Password Restriction(2)
The minimum password length can be set with the parameter login/min_password_lng (value 3).
The administrator can set the password expiration date with the parameter login/password_expiration_time (number of days).
The number of incorrect logons allowed for a user master record until the logon procedure is terminated can be set with the parameter login/fails_to_session_end (value 3).
The number of incorrect logons allowed for a user master record until logon is rejected for this user can be set with login/fails_to_user_lock (value 3). The lock is released at midnight.
The parameter rdisp/gui_auto_logout (in seconds) logs the user off automatically if SAPGUI is not used for the defined time. If it is set to 0, the user is never logged off automatically.

User sap* & DDIC (1)


The default installation of the SAP R/3 system includes two super users, DDIC and SAP*.
User SAP* is created with the password 06071992.
User DDIC is created with the password 19920706.
User EARLYWATCH is created with the password SUPPORT.
In a new client, SAP* is created with the default password pass and unlimited access rights.
SAP* is the only super user that does not require a user master record, because its authorization is given by system code. DDIC, however, has a user master record.
It is better to deactivate the user SAP* (not delete it).
User DDIC (for data dictionary) is the maintenance user for certain installation and setup tasks.
The EARLYWATCH user is used by SAP's EARLYWATCH experts.

User sap* & DDIC(2)


Default users present after a new installation

User          Clients
SAP*          000, 001, 066
DDIC          000, 001
EARLYWATCH    066

Create User Step 1


Use transaction code SU01 for user maintenance.
Choose this button to create a new user.

Create User Step 2
Enter the user info.

Create User Step 3
Enter these important data.

Create User Step 4
Choose Role from the menu.

Create User Step 5
The corresponding profile will come automatically.

Create User Step 6
The user can set USER-Parameters.
After entering all data, choose the save button.

Create User Step 7
The user will be created, and "Last changed by" is also modified.

USER CREATION COMPLETE NOW.

Activity Group(1) or ROLE


A role or activity group is a collection of R/3 transactions, authorizations and additional objects.
The administrator can create, display, change, copy and transport a role.
Transaction code PFCG is used to maintain roles.

Composite Activity Group or Role
Composite activity groups are made up of a collection of activity groups.
Users assigned to a composite activity group are automatically added to the activity groups during a user comparison.
Composite activity groups themselves do not contain any authorization data.

USER Assignment
Users can be assigned to single activity groups or to composite activity groups, which mostly represent job roles.
Users assigned to an activity group may execute the transactions, reports, or any other task in the activity group with the corresponding authorizations.

Create Role Step 1


Use transaction code PFCG to maintain a role / activity group.
Choose the option Create.

Create Role Step 2
Now, to create the role, choose the menu.
1. Enter the description.
2. Choose the option MENU.
The name of the user who created the role will be displayed.

Create Role Step 3
We can choose any one or all of the options at a time.
To create the role, choose any one.

Create Role Step 4
We choose according to our requirement from the SAP MENU.
We choose three from the menu.

Create Role Step 5
Our three selected menus appear on the role menu.
1. Our chosen three will come on the role menu.
2. Again we choose Transaction.

Create Role Step 6
Assign the transaction codes using the button Assign Transaction.

Create Role Step 7
The chosen transaction code then appears on the role menu.

Create Role Step 8
1. Choose Authorizations from the tab.
2. Choose the button Change authorization data.

Create Role Step 9
1. Choose Range of values or Full Authorization.

Create Role Step 10
These authorizations will come on the role.

Create Role Step 11
Change the authorizations and save.
The colors have changed.
Save the profile and give the name of the profile.

Create Role Step 12
Get the message "Profiles created".

Create Role Step 13


Choose the option USER COMPARE.
Assign the user to whom this role has to be assigned.
Choose the option Complete compare.

Create Role Step 14
Open the user to whom the role has to be assigned.

Create Role Step 15
The assigned profile appears on the user's profile list.

Create Role Step 16
Again create a role, this time from another created role, using PFCG.
Choose the option From Other role.

Create Role Step 17
Choose one role from the previously created or SAP-defined roles.

Create Role Step 18
Choose the options from the list.

Create Role Step 19
Again create a role, this time from an area menu, using PFCG.
1. The chosen menu comes to the role menu.
2. Now choose From Area Menu.

Create Role Step 20
Choose one: PC14.

Create Role Step 21
Choose the option Payroll.

Create Role Step 22
The chosen option Payroll will come.
Now perform step 8.

CREATE ROLE USING SPRO Step 1

Use transaction code SPRO to create a new project.
Choose GOTO Project Management.

CREATE ROLE USING SPRO Step 2
Choose to create a new project.
All created projects will be shown.
Give the new name and choose.

CREATE ROLE USING SPRO Step 3
Enter the DATE here.

CREATE ROLE USING SPRO Step 4
Specify the scope of the project.
Select the modules which are required.
Choose the button.

CREATE ROLE USING SPRO Step 5
1. Select the option Generate Project IMG.
2. Choose this option.
3. Project creation starts in the background.

CREATE ROLE USING SPRO Step 6
Project PROJ_TEST is created in the background.

CREATE ROLE USING SPRO Step 7
Use transaction code PFCG to assign the authorizations related to a particular project.
Choose the create option for a new role.

CREATE ROLE USING SPRO Step 8
1. Choose the navigation Utilities --> Customizing Auth.
2. This screen will appear.
3. Choose Add.
4. This screen appears. Choose IMG PROJECT.

CREATE ROLE USING SPRO Step 9
Choose one project from the list, e.g. PROJ_TEST.

CREATE ROLE USING SPRO Step 10
All transaction codes related to the project PROJ_TEST will appear.
Now follow the method of role creation.
After that, Z_NEW_AG_SPRO will be created.

Use the transaction code SU53(1)


A user is trying to work with transaction code IL08, but he is not authorized to do that job.
This message will come if the user has no authorization for the transaction code.

Use the transaction code SU53(2)
Using transaction code SU53 we can find which authorization is needed to perform the task.
These are the missing authorizations.
These are the available authorizations.

Authorization structure(1)
[Diagram: User Master Record, Composite Profile, Profile / Composite Profile, Authorization Profile, Authorizations, Authorization Object, Authorization Fields]

Authorization(1)
The authorization system of the SAP R/3 system is the general term that groups all the technical and management elements for granting access privileges to users in order to enforce R/3 system security.
By assigning an authorization profile to a user, the administrator gives the user access to particular SAP objects.
Authorization profiles are groups of authorizations. Instead of giving each authorization to a user individually, the administrator gives the user an authorization profile.
Authorization profiles can be simple or composite. Composite profiles contain other profiles.
Authorization profiles use an activation method: when authorizations or profiles are created or modified, they must be activated to become effective.
Profiles are assigned to users in the user master record.

Authorization(2)
Authorizations determine which activities a user can perform.
The system administrator cannot decide which business authorizations a user needs, because it is up to the user department to decide the kind of permissions the user should be given to carry out his business tasks. The user department decides which authorizations the user needs, and the system administrator assigns those authorizations to the user as per the user department's request.
Each authorization is based on an authorization object.
An authorization object consists of authorization fields and possible values.
Because of the vastness of the R/3 system and its functional range, the authorization objects are further divided into areas called object classes.
An authorization allows an R/3 task to be carried out based on a set of field values in an authorization object.
Authorizations allow a number of specific values or value ranges to be defined for a field.
ACTVT is an authorization field that is present in almost all authorization objects.

Activities : Meaning
01 : Create or Generate
02 : Change
03 : Display
05 : Lock
06 : Delete
07 : Activate, Generate
08 : Display change documents
11 : Change number range status
12 : Maintain & generate change documents
13 : Initialize number levels
16 : Execute
17 : Maintain number range object
21 : Transport
22 : Enter, Include, Assign
23 : Maintain
24 : Archive
33 : Read
34 : Write
36 : Extended maintenance
37 : Accept
40 : Create in DB
41 : Delete in DB
42 : Convert to DB
43 : Release
50 : Move
51 : MM : Initialize pe
59 : Distribute
60 : Import
64 : Generate
65 : Reorganize
68 : Model
70 : Administer
71 : Analyze
75 : Remove
78 : Assign
90 : Copy
A6 : Read with filter
A7 : Write with filter
A8 : Process mass data
DL : Download
UL : Upload
P0 : Accept CCMS CSM data
P1 : Edit CCMS CSM data
P2 : Maintain CCMS CSM methods
* : all possible values

Authorization(3)
We can assign authorization values to these fields. The values of the field decide what data can be accessed by the user to whom this object is assigned.

FIELD                      VALUE
Customer type (CUSTTYPE)   *
Activity (ACTVT)           02

* all possible values, 02 display only

Authorization profile(1)
An authorization profile consists of a group of authorization objects, i.e. a group of access privileges.
User authorizations are not assigned directly to the user master records. Instead, these authorizations are assigned as authorization profiles.
Changing the contents of the authorizations inside a profile affects all users who have been given that profile once it is activated.
A user's authorizations are loaded into the user buffer only when the user logs on.
Changes affect all users to whom the profile is assigned and take effect only when the user logs on.
The number of profiles generated depends on the number of authorizations in each activity group.
A maximum of 150 authorizations fit into a profile. If there are more than 150 authorizations, an additional profile is generated.
Authorization profile names begin with a T, like T-SM-NEW1. When more than one profile is created, the names will be T-SM-NEW1_1, T-SM-NEW1_2.

Composite profile(1)
Composite profiles are sets of authorization profiles, both simple and composite.
A composite profile can contain an unlimited number of profiles.
Composite profiles are suitable for users who have different responsibilities or job tasks in the system.
Modifying any of the profiles in the list of a composite profile directly affects the access privileges of all users who have that composite profile in their user master record.

Authorization Object field(1)


Authorization fields represent values for individual system elements that undergo authorization checking to verify a user's authorization.
The activity field in an authorization object defines the possible actions that can be performed on a particular application object.
An authorization field can be, for example, a user group, a company code, a purchasing group, a development class, an application area or an activity.
For example, activity 03 always means Display. If an authorization contains two fields such as COMPANY CODE and ACTVT, where the value in company code is * and the value in ACTVT is 03, then a user with this authorization can only display all company codes.
Not all authorization objects have the ACTVT authorization field.

Authorization Object(1)
An authorization object can contain a maximum of 10 authorization fields.
Users are permitted to perform a system function only after passing the test for every field in the authorization object.
Authorization objects are grouped in object classes belonging to different application areas, which are used to limit the search for objects, thus making it faster to navigate among the many R/3 system objects.
SAP predefined authorization objects should not be modified or deleted, except if instructed by SAP support personnel.
Deleting or changing standard authorization objects can cause severe errors in the programs that check those objects.
For example:
MM_E stands for the object class Materials Management-Purchasing.
There is an authorization object M_BEST_EKG for ordering.
The M_BEST_EKG object consists of 2 authorization fields:
1. ACTVT, to define the user activity, with values 02, 03
2. EKGR, to define the purchasing group, with values xyz, abc
If ACTVT has the values 02 for change and 03 for display, the user can maintain only the purchasing groups xyz and abc, and cannot create a new purchasing group.
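
How the field-by-field test described above behaves, as an added example that is not SAP code. It models the user buffer as a constructed list and assumes that one single authorization must satisfy every field; the object Z_DEMO_BUK and all values are hypothetical, apart from M_BEST_EKG, ACTVT and EKGR taken from the slides.

```python
def value_allowed(granted, requested):
    """granted is a list whose entries are '*', a single value, or a (low, high) range."""
    for entry in granted:
        if entry == "*":
            return True
        if isinstance(entry, tuple):
            low, high = entry
            if low <= requested <= high:
                return True
        elif entry == requested:
            return True
    return False


def authority_check(user_buffer, auth_object, **required):
    """True only if ONE authorization for auth_object passes the test for EVERY field."""
    for auth in user_buffer:
        if auth["object"] != auth_object:
            continue
        fields = auth["fields"]
        if all(name in fields and value_allowed(fields[name], value)
               for name, value in required.items()):
            return True
    return False


# Constructed user buffer (sample data, not from a real system).
SAMPLE_USER_BUFFER = [
    # Change/display, restricted to the two purchasing groups from the slide.
    {"object": "M_BEST_EKG", "fields": {"ACTVT": ["02", "03"], "EKGR": ["xyz", "abc"]}},
    # Display only, but for all purchasing groups.
    {"object": "M_BEST_EKG", "fields": {"ACTVT": ["03"], "EKGR": ["*"]}},
    # Hypothetical object: display for a range of company codes (field BUKRS).
    {"object": "Z_DEMO_BUK", "fields": {"ACTVT": ["03"], "BUKRS": [("1000", "1999")]}},
]


if __name__ == "__main__":
    checks = [
        ("M_BEST_EKG", {"ACTVT": "02", "EKGR": "xyz"}),  # change own group
        ("M_BEST_EKG", {"ACTVT": "01", "EKGR": "xyz"}),  # create: never granted
        ("M_BEST_EKG", {"ACTVT": "03", "EKGR": "def"}),  # display any group
        # Fails: 02 comes from the first authorization, 'def' only fits the second,
        # and values are not combined across authorizations.
        ("M_BEST_EKG", {"ACTVT": "02", "EKGR": "def"}),
        ("Z_DEMO_BUK", {"ACTVT": "03", "BUKRS": "1500"}),
    ]
    for obj, fields in checks:
        print(obj, fields, authority_check(SAMPLE_USER_BUFFER, obj, **fields))
```

When reviewing a role, the fourth case is the one to look for: two narrow authorizations for the same object do not add up to the broad one, while a single authorization with * in a field does.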

FIND USERS BY ADDRESS DATA


Use transaction code S_BCE_68001393.
Navigation path: Tools --> Administration --> User Maintenance --> Information System --> Users By Address Data

Restricting Password String


To prevent the use of passwords that start with similar words, use transaction code SM30 to maintain table USR40, where * substitutes a group of characters and ? a single character.
The user cannot use these strings as a password.
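
The rules from the Password Restriction slides and the USR40 wildcard entries above, combined into one checker. This is an added illustration, not SAP code: the function names, the case-insensitive comparison and all sample values are assumptions made for the example.

```python
import re

RESERVED = {"SAP", "PASS"}  # the slides forbid the words "sap" and "pass"


def usr40_regex(entry):
    """Compile a USR40 entry: '*' stands for a group of characters, '?' for one."""
    wildcard = {"*": ".*", "?": "."}
    body = "".join(wildcard.get(c, re.escape(c)) for c in entry.upper())
    return re.compile(body, re.DOTALL)


def password_violations(user_id, new_password, history=(), min_length=3, usr40=()):
    """Return the list of rules from the slides that new_password breaks."""
    pw = new_password.upper()  # assumption: comparison is case-insensitive
    uid = user_id.upper()
    problems = []
    if len(pw) < min_length:
        problems.append("shorter than login/min_password_lng")
    if pw in RESERVED:
        problems.append("reserved word")
    if len(pw) >= 3 and pw[:3] in uid:
        problems.append("starts with three characters contained in the user ID")
    if len(pw) >= 3 and pw[0] == pw[1] == pw[2]:
        problems.append("starts with three identical characters")
    if pw in [old.upper() for old in list(history)[-5:]]:
        problems.append("one of the last five passwords")
    for entry in usr40:
        if usr40_regex(entry).fullmatch(pw):
            problems.append("matches USR40 entry " + entry)
    return problems


if __name__ == "__main__":
    # Constructed sample data. The history is kept in clear text only to keep the
    # example short; a real system compares stored hashes.
    past = ["Winter01", "Winter02", "Winter03", "Winter04", "Winter05", "Winter06"]
    banned = ["SUMMER*", "?ELCOME"]  # constructed USR40 entries
    for candidate in ("redapple1", "aaamy", "pass", "Winter06", "Summer2024",
                      "Welcome", "winter01"):
        print(candidate, password_violations("FREDSMITH", candidate, past, usr40=banned))
```

The last candidate passes because only the five most recent entries of the history are compared, so the sixth-oldest password can be reused.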

Role assigned to Which Users(1)


Use transaction code SE38, program RSUSR070.
Navigation path: Tools --> Administration --> User Maintenance --> Information System --> Roles By Role Name

Role assigned to Which Users(2)
After entering the role we get the following screen.
We get the USER ASSIGNMENT, PROFILE ASSIGNMENT and TRANSACTION CODE lists that are assigned to the role.

Role assigned to Which Users(3)
List of users assigned to the particular role.

Role assigned to Which Users(4)
List of profiles assigned to the particular role.

Role assigned to Which Users(5)
List of transaction codes assigned to the particular role.

Maintaining the Object Class


Using transaction code SU03, the user can maintain the object class.

Available authorizations of the logon user(1)


Using transaction code SU56 we get the authorizations and authorization objects assigned to a user.
Double click on the authorization object to get the details.

Available authorizations of the logon user(2)
Authorization fields corresponding to the authorization object.
Double click on the permitted values to get the details.

Available authorizations of the logon user(3)
Double click on the authorizations to get the details.

To get the details of an Authorization Object(1)


Use transaction code SE38, then use program RSUSR040.
Consider an authorization object S_DEVELOP.

To get the details of an Authorization Object(2)
Authorization object and corresponding object class.

To get the details of an Authorization Object(3)
Authorization fields associated with the authorization object.
Double click on Permitted Activities.

To get the details of an Authorization Object(4)
Use transaction code SU03.
Double click on object class BC_C.

Important Authorization profiles


SAP_ALL        All authorizations in the R/3 system
SAP_NEW        To create new objects
S_A.CUSTOMIZ   Customizing (for all system setting activities)
S_A.DEVELOP    Developers with all authorizations to work in the ABAP WB
S_A.SHOW       Basis: display authorization only
S_A.USER       System administrator
S_ABAP_ALL     All authorizations for ABAP
S_ADMI_SPO_A   Spool: all administration authorizations
S_ADMI_SPO_D   Spool: device administration
S_ADMI_SPO_E   Spool: extended administration
S_ADMI_SPO_J   Spool: job administration for all clients
S_ADMI_SPO_T   Spool: device type administration

SOME IMPORTANT TABLES


USR01   Contains the runtime data of the user master records
USR02   The table containing logon information such as the password
USR03   Includes the users' address information
USR04   Contains users' authorizations
USR05   It is the users' parameter ID table
USR09   Contains user menus
USR10   It is the table for user authorization profiles
USR11   Contains the descriptive texts for profiles
USR12   It is the user master authorization values table
USR13   Contains the descriptive short texts for authorizations
USR14   Contains the logon language versions per user
USR30   Includes additional information for user menus
TOBJ    Authorization objects table containing the authorization fields for each.
TACT    Contains the list of standard activities in the system.
TACTZ   Is the table which defines the relationship between the authorization objects and the activities in those objects containing the Activity authorization field.
TSTC    Is the transaction code table where authorization objects and values

Create a super user(1)


SAP recommends not using SAP*; create a super user instead.
SAP_ALL is the only profile that defines a super user, together with the authorization for creating new objects.
SAP_NEW is the profile that gives the permission to create a new object.

Profile Generator
The Profile Generator (PG) tool helps the authorization administrator create, generate and assign authorization profiles.
It is available from SAP R/3 version 3.1G.
Before using the Profile Generator for the first time, check with transaction code RZ11 that the parameter auth/no_check_in_some_cases = Y is set.

Central User Administration


If a system group consists of different R/3 systems with multiple clients, the same users may have to be created several times, in every client, and assigned to activity groups. Central User Administration is designed to carry out these tasks in a central system and distribute the data to all systems in the system group.
