
Basis questions

Former Member
0 Kudos

can anyone please explain to me the following questions

1) What is USER GROUP

2) Derived Role

3) User comparison

plz don't send any links just need some examples.... mainly i need for user comparison

thxs

Accepted Solutions (1)


Former Member
0 Kudos

HI sundeep,

What are user groups and how can we use them?

Transaction SUGR - have a look. The purpose, for example, is to give certain system admin rights to unlock / change password only to a given user group. You assign a user group to a user ID via SU01.

User group can be used for different reasons and in different way.

In the latest versions of SAP, actually two types of user group exist: the authorization user group and the general user groups.

Naturally the main reason for user groups is to categorize users under a common denominator.

The authorization user group is used in conjunction with the S_USER_GROUP authorization object. It allows you to create security management authorizations by user group, e.g. you can have a local security administrator only able to manage users in his groups, Help-Desk to reset passwords for all users except users in group SUPER, etc.

The general user group can be used in conjunction with SUIM and SU10, to select all the users in a specific group. A user can only be a member of one authorization user group but of several general user groups.

One of the Primary uses of user groups is to sort users into logical groups.

This allows users to be categorised in a method that is not dependent on roles/AG's/Responsibilities/Profiles etc.

User Groups also allow segregation of user maintenance, this is especially useful in a large organisation as you can control who your user admin team can maintain - an example would be giving a team leader the authority to change passwords for users in their team.

The most important factor identified is that the lack of user groups is an indication that there may be problems with the user build process. This is very "fuzzy" but is a bit of a warning flag.

Derive Roles

Use

There are two possible reasons for deriving a role from an existing role:

The role menus are identical but the authorizations for the menu actions are different in the derived role.

The menu and authorizations of the derived role are identical, but the organizational levels are different in the derived role.

Prerequisites

Roles derived from another cannot have any additional menu entries.

Procedure

To create a reference to another role:

Create a role.

Enter a role description text.

Enter the name of the role from which all transactions including the menu structure are to be copied in the Derive from role field in the Description tab.

When you save, you have created a role whose menu is derived from another role.

To copy the authorizations to the derived role:

Change the role from which the authorizations are to be derived, in the role maintenance. Choose the Authorizations tab and the Change authorization data pushbutton.

Choose the menu entry Authorizations → Adjust derived → Generate derived roles.

The authorization data is copied to the derived roles.

The organization level data is only copied the first time the authorization data is adjusted for the derived role. If organization level data is maintained in the derived role, it is not overwritten by subsequent adjustments.

You need complete authorization for the authorization object S_USER_VAL and change authorization for the derived roles to adjust the authorization data of derived roles.

To delete the inheritance relationship between two roles, choose the Delete inheritance relationship pushbutton in the Description tab.

You can display an overview of the inheritance of roles by choosing Role → Where-used list. You can go to another role by double-click.

You cannot derive functions from the delivered user roles in your own roles.

Creating Derived Roles and Copying Authorizations

Use

There are two possible reasons for deriving a role from an existing role:

● The role menus are identical but the authorizations for the menu actions are different in the derived role.

● The menu and authorizations of the derived role are identical, but the organizational levels are different in the derived role.

Prerequisites

Roles derived from another cannot have any additional menu entries.

Comparing User Master Records

You can set a time limit on the assignment of roles to user master records. As a result some data will become invalid on a particular day, whilst other data becomes valid.

You cannot set time limits for authorization profiles and their entry in user master records.

To ensure that only authorization profiles which are valid are contained in the user master record each day, you must execute a daily profile comparison.

So that changes in the user master record are effective, you should execute the comparison before the user logs on.

There are two ways to execute the comparison.

As a background job before the start of each day.

If report PFCG_TIME_DEPENDENCY is run every night, the authorization profiles in the user master will be current each morning (assuming that the job has run correctly). The best procedure is to schedule this as a periodic background job.

Report PFCG_TIME_DEPENDENCY must also have run after each import of roles from other systems.

Using Transaction PFUD, Compare User Master

As an administrator, it is recommended that you use this transaction regularly to check that no errors have occurred in the background job. Any such errors can then be corrected manually.

To ensure that the authorization profiles in the user master records are always current, you should always execute a complete comparison of all roles (by choosing Complete comparison).

Following the comparison the system displays a log which includes any errors that occurred (background processing log for background report).

You have the following options in Transaction PFUD:

Schedule or check job for the full comparison

Here you can start report PFCG_TIME_DEPENDENCY by specifying the time when the job is to start. The overview displays the status of jobs that have already been scheduled.

Manual profile selection

Before comparing the user master record, you can select the profiles that are to be compared. The system displays an overview of the user master records to which profiles have been added, or from which profiles have been removed, during the comparison. If you deselect the relevant checkbox, you can exclude the profiles that should not be included in the user master record comparison. You start the comparison by choosing User master comp.

To compare the user master records belonging to selected users, first position the cursor on a user name and then choose Select user. You execute the comparison by choosing User master comp.

The status display for the user master comparison is only set to green once the comparison is executed.

Complete comparison

With a complete comparison, all invalid authorization profiles are removed from the user master record and all new authorization profiles are inserted in the user master record.

The options Add new profiles, Delete expired authorization profiles and Output error messages are related to the actions described above.

You can also specify whether or not HR Organizational Management should be included in the comparison (Reconcile with HR Organizational Management).

Creating derived roles

1. Create a role.

2. Enter a role description text.

3. Enter the name of the role from which all transactions including the menu structure are to be copied in the Derive from role field in the Description tab page.

4. Save your entries to create a role whose menu was derived from another role.

If additional transaction codes are added to the menu of the original role, they are copied into the derived role.

Copying the Authorizations of the Original Role to the Derived Role

...

1. Change the original role from which the authorizations are to be derived, in the role administration tool. Choose the Authorizations tab and the Change authorization data button.

2. Choose Authorizations → Adjust Derived → Generate Derived Roles.

The authorization data is copied to the derived roles.

The organization level data is only copied the first time the authorization data is adjusted for the derived role. If data is maintained for the organizational levels in the derived role, and if you have maintained the organizational levels using the dialog box, the data is not overwritten by another conciliation (See SAP Note 314513).

More Information

To delete the inheritance relationship between two roles, choose the Delete inheritance relationship pushbutton in the Description tab.

You can display an overview of the inheritance of roles by choosing Role → Where-used list. You can go to another role by double-click.

You cannot derive functions from the delivered user roles in your own roles.

thanks

karthik

Edited by: KARTIKEYA (EDS-VZG) on Apr 30, 2008 1:44 PM
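The complete comparison described in the answer above, as an added Python model that is not part of the original post and is not SAP code: it shows how time-limited role assignments decide which generated profiles are added to or removed from a user master record on a given day. The user, role and profile names are constructed sample values, and the assumption that manually assigned profiles are left untouched follows from the statement that profiles themselves carry no time limit.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: role -> generated profile name (hypothetical names).
ROLE_PROFILE = {"Z_AP_CLERK": "T-AP000001", "Z_AR_CLERK": "T-AR000001"}

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    valid_from: date
    valid_to: date

def compare_user_master(assignments, master, today, add_new=True, delete_expired=True):
    """Model of a complete comparison; returns (new_master, log)."""
    generated = set(ROLE_PROFILE.values())
    wanted = {}
    for a in assignments:
        profiles = wanted.setdefault(a.user, set())
        # A role contributes its profile only inside its validity window.
        if a.valid_from <= today <= a.valid_to:
            profiles.add(ROLE_PROFILE[a.role])
    new_master, log = {}, []
    for user in sorted(set(master) | set(wanted)):
        current = set(master.get(user, ()))
        target = wanted.get(user, set())
        added = target - current if add_new else set()
        # Only role-generated profiles expire; manual profiles have no time limit.
        removed = (current & generated) - target if delete_expired else set()
        new_master[user] = (current | added) - removed
        log += [(user, "ADD", p) for p in sorted(added)]
        log += [(user, "DEL", p) for p in sorted(removed)]
    return new_master, log

# Constructed scenario: one role expires on 30 April, another starts on 1 May.
ASSIGNMENTS = [
    Assignment("JSMITH", "Z_AP_CLERK", date(2008, 1, 1), date(2008, 4, 30)),
    Assignment("JSMITH", "Z_AR_CLERK", date(2008, 5, 1), date(9999, 12, 31)),
]
# User master before the nightly job; Z_MANUAL is a manually assigned profile.
MASTER = {"JSMITH": {"T-AP000001", "Z_MANUAL"}}

if __name__ == "__main__":
    for day in (date(2008, 4, 30), date(2008, 5, 1)):
        new_master, log = compare_user_master(ASSIGNMENTS, MASTER, day)
        print(day, sorted(new_master["JSMITH"]), log)
```

Until the comparison runs for 1 May, the model's `MASTER` still holds the profile of the expired role, which is the stale-access window the nightly job is meant to close.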

Answers (1)


Former Member
0 Kudos

Thank you for your information


Edited by: David peter on Aug 12, 2008 2:46 PM