Role creation and authorization objects in sap

Former Member · ‎11-27-2008

Hi

i want to know the full relationship between creation of roles , authorization objects ,authorizations in web as abap

Please explain the process in detail the use of PFCG and all its options and how to create Z roles

jurjen_heeck · ‎11-27-2008

SAP course ADM940 will provide you with all relevant information.

Former Member · ‎11-27-2008

how can i get it ?do you have any documentation for it

jurjen_heeck · ‎11-27-2008

> how can i get it ?

Go to your SAP education website and see when it is scheduled. It's a three day course.

>do you have any documentation for it

Nope. Course materials are copyrighted. Asking for it is already against the forum rules.

Former Member · ‎11-27-2008

Hi

I meant do you have any similar docuemntation on this

jurjen_heeck · ‎11-27-2008

>


> Hi
> I meant do you have any similar docuemntation on this

No, sorry, I'm always glad to help people with specific problems but teaching freshers is something I do not do for free. Please take the course at your nearest SAP training center.

[SAP ADM940 information|http://www.sap.com/services/education/catalog/netweaver/course.epx?context=%5b%5b%7cADM940%7c%7c%7c052%7cG%5d%5d%7c]

Former Member · ‎11-27-2008

Hi

Can anyone help with the full explanation document?

Thanks

Former Member · ‎11-27-2008

Hi Biswajit,

As Jurjen suggested to ask for such an document is against the forum rules. But, I would not want you to feel unhappy, hence I shall give you a brief step by step procedure for creating a single role.

1) Go to PFCG in the role name give any name say Z_BUYER and give a short description, chose create

2) Go to the menu tab, system will prompt you save first, do it.

3) click on transactions button and add the tcodes you wish to assign, say ME21N in this case

4) Go to authorizations tab, system will again ask you to save, do it.

5) Click on change button (pencil)

6) system will pop up the org levels window, you can enter the org levels here

7) If step 6 is done you will have auth objects which are either green or yellow else, you may also have red traffic lights for missing org level objects

😎 expand objects in each class and fill in the required values

9) once all objects are green you can save, system will prompt you to name a profile and may also suggest a default profile name

10) accept it and and then click on generate (red and white wheel)

11) step 10 generates teh profile and activates the authorizations in the profile

12) Click on back and assign a user name in the user tab and click in user comparison, this step will provide the neccessary authorizations to the user.(if the role is already assigned to teh user and you are just making changes in teh authorizations then user comparison is not required. simple generation of profile will be sufficient)

Rest is for you to explore and learn...All the best

Former Member · ‎11-27-2008

Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.

- Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.

- The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.

For e.g. If a user wants to create a PO we can restrict him on:

u2022 Activity : Create/Change/Display

u2022 Org elements like Company Code, Plant, Purchase Organization etc

u2022 Document type etc.

- Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).

- Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.

- An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile

- Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.

- Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.

Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

Former Member · ‎11-27-2008

Hi

Thanks for the brief introduction.But a step by step guide would be really helpful

Thanks

Former Member · ‎11-27-2008

Hi Biswajit Chatterjee,

We have had many such answers and there is a lot of information available which you can easily find with a simple search on help.sap.com, without having to fill the forums with duplicates of it.

Please put in a bit more effort with the search before asking questions.

I will assume this one closed now.

Thanks,

Julius