topic Re: SAP User authorization in Application Development and Automation Discussions

SAP User authorization

Former Member — Tue, 10 Apr 2007 08:28:17 GMT

Hi,

I have a little problem with user authorization. I've been asked to limit the access over business partners for some users of the same client, as it follows: some users will be allowed only for view of bp (FPP3) and others will have full access (+FPP1, FPP2).

Now, I have approximately 8 month experience and i really have no clue from where to start and what to do. Can anyone guide me a little on how to make this authorization process. (this must work also for future users that will be created).

Thank you for your replies.

Message was edited by:

Daniel BALTA

Re: SAP User authorization

Former Member — Tue, 10 Apr 2007 08:35:19 GMT

Daneil,

look at the below SAP Helo link, this will explain you clearly about the creation of the user and the other stuff also

http://help.sap.com/saphelp_nw04s/helpdata/en/4a/e06f429c789041e10000000a1550b0/frameset.htm

****************************

Try this..

GO to the transaction..PFCG

Give a role name..

Press create..

In the role menu add..VA01..VA02..VA03..

Generate the role...

Go to SU01..

Give the role name that you created in the role tab..

Save the user..

****************************

check below...

SU01 User Maintenance

SU01D User Display

SU02 Maintain Authorization Profiles

SU03 Maintain Authorizations

SU05 Maintain Internet Users

SU1 Maintain Own User Address

SU10 User Mass Maintenance

SU12 Mass Changes to User Master Records

SU2 Maintain Own User Parameters

SU20 Maintain Authorization Fields

SU21 Maintain Authorization Objects

SU22 Auth. Object Usage in Transactions

SU24 Auth. Obj. Check Under Transactions

SU25 Upgrade Tool for Profile Generator

SU26 Upgrade Tool for Profile Generator

SU3 Maintain Users Own Data

SU50 Maintain Own Fixed User Values

SU51 Maintain Own User Address

SU52 Maintain Own User Parameters

Don't forget to reward if useful

Re: SAP User authorization

Former Member — Tue, 10 Apr 2007 08:35:45 GMT

Put this question in Basis Era..

any way for creating the authorization objectes we will use SU24 transaction.

reward points i it is useful..

regards

raghu

Re: SAP User authorization

Former Member — Tue, 10 Apr 2007 08:36:30 GMT

Hi,

This Authorization concept is somewhat linked with BASIS people.

As a developer you may not have access to access SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.

Take the help of the basis Guy and create and use.

In general different users will be given different authorizations based on their role in the orgn.

We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.

USe SUIM and SU21 T codes for this.

Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.

If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.

This means you have to allocate an authorization object in the definition of the transaction.

For example:

program an AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT <authorization object>

ID <authority field 1> FIELD <field value 1>.

ID <authority field 2> FIELD <field value 2>.

...

ID <authority-field n> FIELD <field value n>.

The OBJECT parameter specifies the authorization object.

The ID parameter specifies an authorization field (in the authorization object).

The FIELD parameter specifies a value for the authorization field.

The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.

http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm

To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

You program the authorization check using the ABAP statement AUTHORITY-CHECK.

AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'

ID 'ACTVT' FIELD '02'

ID 'CUSTTYPE' FIELD 'B'.

IF SY-SUBRC <> 0.

MESSAGE E...

ENDIF.

'S_TRVL_BKS' is a auth. object

ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.

The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.

Reward if useful

regards,

Anji

Message was edited by:

Anji Reddy Vangala

Re: SAP User authorization

Former Member — Tue, 10 Apr 2007 11:56:56 GMT

Unfortunately is not that easy. Since this transaction is already allowed by other standard/custom roles and modifications are not allowed on those, there's got to be another (ABAP/user-exits) way. If I create a role that restricts the access on one transaction, but another role already has allowed it, unfortunately, the condition is tested with "OR", not with "AND".

null

Re: SAP User authorization

Former Member — Tue, 10 Apr 2007 12:02:36 GMT

have u got the Objects ? if same objects in any other roles u have to deactivate that roles in this case no need of Customer Code.

Regards

Prabhu

Re: SAP User authorization

Former Member — Fri, 13 Apr 2007 23:31:25 GMT

Hello all,

If you have any material on user, role, autorization concept and how to test when put into use, plese send me.

Thank you,

Nanda

nandap@intelligroup.com