This document provides an overview of authorization profiles and the profile generator in SAP. It discusses how authorization profiles control user access to transactions and objects, and how the profile generator is used to generate and maintain authorization profiles through the use of activity groups, derived activity groups, company menus, and user assignments. The profile generator allows administrators to centrally define authorizations for users.
Authorizations Made Easy
Generating Authorization Profiles
Release 4.5A/B
SAP Labs, Inc.
Palo Alto, California
Copyright
© 1999 by SAP AG. All rights reserved.
Neither this documentation nor any part of it may be copied or reproduced in any form or by any means or
translated into another language, without the prior consent of SAP AG.
SAP AG makes no warranties or representations with respect to the content hereof and specifically disclaims
any implied warranties of merchantability or fitness for any particular purpose. SAP AG assumes no
responsibility for any errors that may appear in this document. The information contained in this document is
subject to change without notice. SAP AG reserves the right to make any such changes without obligation to
notify any person of such revision or changes. SAP AG makes no commitment to keep the information
contained herein up to date.
Trademarks
SAP, the SAP logo, R/2, R/3, ABAP, and other SAP related products mentioned herein are registered or
unregistered trademarks of SAP AG. All other products mentioned in this document are registered or
unregistered trademarks of their respective companies.
R/3 Simplification Group
SAP Labs, Inc.
3475 Deer Creek Road
Palo Alto, CA 94304
www.saplabs.com/simple
simplify-r3@sap.com
Printed in the United States of America.
ISBN 1-893570-23-1
This book uses EcoFLEX lay-flat binding. With this lay-flat feature—developed by
and exclusively available at Johnson Printing Service (JPS)—you can open this book
and keep it open without it snapping shut on you. You need not worry about
breaking the spine. EcoFLEX makes books like this one easier to use.
Contents at a Glance
Introduction
What’s New in 4.5
Chapter 1: R/3 System Security and the Authorization Concept
Chapter 2: Setting Up the Profile Generator
Chapter 3: User Administration
Chapter 4: Working with Activity Groups
Chapter 5: Generating and Maintaining Authorization Profiles
Chapter 6: Special Cases
Chapter 7: Structural Authorizations
Chapter 8: Assigning Activity Groups and Users
Chapter 9: Infosystem Authorizations
Chapter 10: Predefined Activity Groups and Authorization Profiles
Chapter 11: Using the Session Manager
Chapter 12: Transporting
Chapter 13: Tips and Troubleshooting Management
Chapter 14: Upgrades
Appendix A: Online Service System Notes
Appendix B: Frequently Asked Questions
Appendix C: Important System Profile Parameters
Appendix D: Frequently Used Transactions
Glossary
Index
Detailed Table of Contents
Introduction
About this Guide
Do You Need this Guide?
How to Use this Guide
Special Icons
Navigating the System
Terminology
Choose
Buttons and Icons
Menu Paths
Select
Typeface Styles
What’s New in 4.5
Overview
Activation of the Profile Generator
Transporting
Transporting Activity Groups
Transporting Activity Group User Assignments
Responsibilities and Derived Activity Groups
Customizing Authorization
Globally Deactivating or Activating Authorization Checks
What’s New in Specific Modules
Chapter 1: R/3 System Security and the Authorization Concept
Overview
Overview of the Authorization Concept
Authorization Object
Authorization Object Fields
Authorizations
Authorization Profiles
User Master Records
Authorization Checks
Activating and Deactivating Authorization Checks in Transactions
SAP* and DDIC Users
What Is the Profile Generator?
The Components of the Profile Generator
Activity Groups
Derived Activity Groups
Company Menu
User Assignment
Generating the Profiles
Requirements and Availability
What Is an Activity Group?
What Happened to Responsibilities?
Activity Group Assignments
Purpose of Assigning Activity Groups to Objects
The Big Picture: Successful and Secure R/3 Implementation
Case Study: Security Strategy in a Three-System Environment
The Development System (DEV)
The Quality Assurance System (QAS)
The Training Client System (TRG)
The Production System (PRD)
Authorization Administration Using the Profile Generator
Setting Up Security Administrators
How the Three Administrators Work Together
Policies and Procedures
User Administration
Policies
Procedures
Roles and Responsibilities
System Security
Policies
Procedures
Roles and Responsibilities
Auditing Requirements
Naming Convention for Authorization Profiles
Chapter 2: Setting Up the Profile Generator
Overview
When to Use the Profile Generator
Activating the Profile Generator
Displaying the Enterprise IMG
Setting the Required Instance Profile Parameter
Running the RSPARAM Report and Checking the Instance Profile Parameter
Working on SAP Check Indicator Defaults and Field Values
Initial Copying of SAP Defaults into the Customer Tables (SU25)
Reducing the Scope of Authorization Checks in R/3 (SU24)
Deactivating Authorization Checks
How to Reduce the Scope of Authorization Checks
Maintain Check Indicators for Transaction Codes
Globally Changing Authorization Checks in the R/3 System
What Is Special About Parameter Transactions?
Globally Deactivating or Activating Authorization Checks
Generating the SAP Standard Menu and Company Menu
Generating the SAP Standard Menu
Generating the Company Menu
Changing the Company Menu
Activating the Company Menu
Getting Support from the Online Service System
Accessing the Error Notes Database
Printing Important Online Service System Notes
Applying Advance Corrections to Your R/3 System
Chapter 3: User Administration
Overview
System Users
External R/3 Users
Internal R/3 Users
Dialog
Batch Data Communication (BDC or Batch Input)
Background
CPIC
Special R/3 Users
SAP*
DDIC
EarlyWatch
Creating Users
User Groups
Authorizations and Authorization Profiles
Mass Operations
Creating a New User
Listing All Defined System Users
Changing a User’s Password
Password Requirements
Displaying a Generated Authorization Profile and its Authorizations
Chapter 4: Working with Activity Groups
Overview
Starting Activity Group Maintenance (PFCG)
Selecting Views in Activity Group Maintenance
Basic Maintenance
Overview (Organization Management)
Creating Activity Groups
Providing Basic Details
Selecting Reports and Transactions
Copying and Deriving Activity Groups
Basics About Duplicating Activity Groups
Copying Activity Groups
Deriving Activity Groups
Choosing the Correct Menu Path in Session Manager
Selecting Workflow Tasks
What You Should Know About Workflow
Sample Workflow for a Notification Absence
Displaying Activity Groups
Changing Activity Groups
Deleting Activity Groups
Important Information About Deleting
Transporting Activity Groups
Chapter 5: Generating and Maintaining Authorization Profiles
Overview
Generating the Authorization Profiles
Starting the Generation Process
Maintaining Organizational Levels
Postediting Authorizations and Organizational Levels
Option A
Option B
Displaying an Overview of Generated Profiles
Displaying the Technical Names in the Tree List
Regenerating Authorization Profiles After Making Changes
Elements and Symbols of the Hierarchy Display
Icons in the Standard Toolbar
The Traffic Lights
Status Text for Authorizations
Icons in the Hierarchy
Using Utilities
Merge Authorizations
Reorganizing Technical Names of Authorizations
Customizing Authorizations
Assigning IMG Projects or Project Views to Activity Groups
Maintaining and Updating Customizing Authorizations
Chapter 6: Special Cases
Overview
Manually Postmaintaining Authorizations
Manually Including Authorizations
Manually Inserting Authorizations
Inserting Authorizations from a Template
Inserting Authorizations from a Profile
Inserting Full Authorizations: Profile “<YourCompany>-ALL”
Assigning Transaction Codes to Reports
Adding Any Missing Transactions to the Company Menu Tree
Chapter 7: Structural Authorizations
Working with Structural Authorizations in Personnel Development
Overview
Maintain Structural Authorization Profiles
Assigning Structural Authorization Profiles
Method I: Assigning Structural Profiles Manually
Method II: Populating Table T77UA Using Program RHPROFL0
Integration: Linking Logon Names to Personnel Numbers and Positions
Chapter 8: Assigning Activity Groups and Users
Overview
Assigning Users to Activity Groups
Assigning Activity Groups to Users
Assigning PD Objects to Activity Groups
Assigning Activity Groups to PD Objects
Transferring Users from an IMG Project to an Activity Group
Updating Profiles in the User Master Records
I. From Within Transaction PFCG
II. Using Transaction PFUD
II. Running Report PFCG_TIME_DEPENDENCY as a Background Job
Creating a Sample Organizational Plan
Chapter 9: Infosystem Authorizations
Overview
Displaying Information
Additional Reports and Transactions
Chapter 10: Predefined Activity Groups and Authorization Profiles
What Are Predefined Activity Groups
Advantages of Predefined Activity Groups
Which Activity Groups Are Predefined
Financial Accounting (FI)
Materials Management (MM)
Sales and Distribution (SD)
Basis Administration (BC)
Predefined Data for the Activity Groups
Adapting the Predefined Activity Groups to Your Specific Needs
Installing the Predefined Activity Groups
Copying the Predefined Data Files onto your System
Importing Objects from the Transport Files into the Target Client
Importing onto a UNIX-Server
Chapter 11: Using the Session Manager
Overview
Session Manager Benefits
Menu Configuration
Platforms and Availability
How to Work with the Session Manager Transaction SESS
How to Start Transactions from the Menu Tree in Transaction SESS
How to Maintain a Favorites List in Transaction SESS
Customizing the Session Manager
Chapter 12: Transporting
Overview
Transports Between Clients
Transports Between R/3 Systems
Transporting Activity Groups
Transporting Single Activity Groups Using the Activity Group Maintenance Transaction
Mass Transport of Activity Groups
Automatic Recording of Personnel Planning and Development Data
Transporting Check Indicators and Field Values
Transporting the Company Menu
Transporting Authorization Templates
Transporting User Master Records
Chapter 13: Tips and Troubleshooting Management
Overview
Tracing Authorizations with Transaction SU53
System Trace Using Transaction ST01
Evaluating a Written Trace File
Chapter 14: Upgrades
Overview
Before Doing Any Upgrade
Upgrade from a Release Before 3.1x to 4.5
Converting Existing Authorization Profiles for the Profile Generator
Re-create the Authorization Profiles from Scratch Using the Profile Generator
Upgrade from Release 3.0F to 4.5A or 4.5B
Upgrade from Releases 3.1G, 3.1H, 3.1I to 4.5x
Appendix A: Online Service System Notes
Overview
Online Service System Notes
Appendix B: Frequently Asked Questions
Overview
Profile Generator Setup
How Does the AUTHORITY-CHECK Work with the Profile Generator?
Do I Need to Shutdown and Restart the Instance After I Changed the System Profile Parameter?
Working with the PG and Profiles
Can I Include an Existing Profile in an Activity Group?
Why Is Only One Profile Sometimes Generated?
Can I Manually Change Generated Profiles?
Can I Include Manual Profiles in the Profile Generator?
Can I Manually Enter Generated Profiles in the User Master Record?
Is it Possible to Change the Profile Name Later?
Can I Copy an Activity Group, and Will this Procedure also Copy the Profile?
If I Generate a Profile that May Use a Previously Built Authorization, Will the System Create a New One or Use the Existing One?
How Do I Restrict Activities by Specific Time Periods?
Which Transactions Are Used by the PG to Maintain a Specific Authorization?
Authorization Checks (SU24)
What Do the Different Check Flags Stand For?
Why Does the Profile Generator Maintain Authorizations for More Objects Than You Can See?
How Do I Reduce the Scope of Authority Checks in R/3?
How Can a Customer Include Individual Authorization Checks in a Transaction?
When Starting Transactions, What Should I Know About the New Authorization Check?
Including Transactions or Reports
How Can I Include Customer-Specific Transactions?
How Can I Include Individual Authorization Checks in Transactions? .................B–7
How Can I Include Reports in the Profile Generator? Are the IS Solutions
Already Integrated? ..........................................................................................B–7
Missing Authorizations.......................................................................................B–8
What if an Authorization Is Still Missing for the Generated Profile, and the
User Gets a “No authorization...” Message? ....................................................B–8
User Administration ............................................................................................B–8
How Can You Set Up Remote User Administrators? ...........................................B–8
Session Manager.................................................................................................B–8
Where Can I Find More Documentation on the Session Manager?.....................B–8
Transporting ........................................................................................................B–9
Is There a Way to Transport Activity Groups?......................................................B–9
Does the Transport of Activity Groups Between Two Clients, in the Same
System, Work with Transaction SCC1? ...........................................................B–9
What if the Generated Profile Only Has Authorizations for Object S_TCODE?...B–9
Menu Generation .................................................................................................B–9
What Does the Checkbox “without company IMG filtering” (in the Company
Menu Generation SSM1) Mean?......................................................................B–9
Tables .................................................................................................................B–10
How Do I Display the Transaction Codes that Are Included in an Activity
Group? ............................................................................................................B–10
How Do I Display in Which Activity Group a Certain Transaction Code Is Being
Used?..............................................................................................................B–10
How Do I Display Which Activity Group Is Used by Which User? ......................B–10
How Do I Display Which User Is Assigned to Which Activity Group? ................B–11
Does the Authorization Object Allow Activities Not Maintained in Table
TACTZ?...........................................................................................................B–11
What Is the Structure of Table USOBX_C? ........................................................B–11
Examples ..............................................................................................................B–12
Infotypes.............................................................................................................B–12
How Do I Display Data Stored in an Infotype? ...................................................B–12
Appendix C: Important System Profile Parameters........................................... C–1
Incorrect Logons, Default Clients, and Default Start Menu............................C–2
Setting Password Length and Expiration.........................................................C–2
Specifying Impermissible Passwords...............................................................C–3
Securing SAP* Against Misuse..........................................................................C–3
Tracing Authorizations .......................................................................................C–3
Profile Generator and Transaction SU24..........................................................C–4
User Buffer ...........................................................................................................C–4
No Check on Object S_TCODE ..........................................................................C–4
No Check on Certain ABAP Objects .................................................................C–4
RFC Authority Check ..........................................................................................C–5
Appendix D: Frequently Used Transactions ...................................................... D–1
Overview...............................................................................................................D–2
Transaction Code Switches ...............................................................................D–2
Authorizations/User Administration Function .................................................D–2
Miscellaneous Transactions ............................................................................. D–4
Glossary ..................................................................................................... G–1
Index ...................................................................................................... I–1
Introduction
Contents
About this Guide ......................................................................................................xiv
Do You Need this Guide? ........................................................................................xiv
How to Use this Guide.............................................................................................xiv
Special Icons .............................................................................................................xv
Navigating the System ............................................................................................xvi
Terminology..............................................................................................................xvi
Typeface Styles ......................................................................................................xviii
About this Guide
This guide is designed to help you set up the authorization environment in the customer
system using the Profile Generator (PG). It explains what you need to know to perform this
task and helps you use the standard tools provided with your system.
This guide refers to Release 4.5A/B of the SAP R/3 System. All screenshots are from Release
4.5A unless otherwise noted. This guide provides you with the following:
- The big picture (security and the authorization concept in R/3)
- Tasks you need to perform during and after installation of R/3 to facilitate the use of the PG
- Tasks you need to perform after an upgrade of the R/3 System
- All the essential steps for security implementation using the PG
- How to install and work with the predefined activity groups (PDAGs)
- Information on the Session Manager implementation (transaction SESS)
- Tasks to prepare for going live
- Appendixes with the most important Online Service System notes about using the PG and the most frequently asked questions
- PDAGs in transport files on a CD for Releases 4.5A and 4.5B
Do You Need this Guide?
This guide was designed for the following people using the PG either in an implementation
project or as an ongoing reference:
- Basis Consultants who install R/3 and set up the security at customer sites
- Application Consultants who want to start using the PG as the basis for their customer security implementation
- Customer IT and help desk personnel
How to Use this Guide
Depending on your general SAP knowledge and your knowledge of the authorization concept, start with
the following sections:
- If you have little or no knowledge concerning security and the authorization concept in R/3, start with chapter 1, R/3 System Security and the Authorization Concept.
- Everyone, even the experts, should read chapter 2, Setting Up the Profile Generator. Familiarity with this chapter ensures a complete setup before you actually start working with the PG.
- If you have already used the PG in Release 3.0F/3.1G/3.1H/4.0A/4.0B, we strongly recommend that you read the chapter What’s New in 4.5 and the appropriate section in chapter 14, Upgrades. In this chapter, we discuss the steps to be performed before you continue working with the PG after an R/3 System upgrade. We provide information for a smooth transition to your next release.
- Read chapters 1–9 at least once for information related to the implementation of security and using the Profile Generator. After that, you can browse the chapters on performing specific tasks.
- The PDAGs and authorization profiles provide a basis to further configure your specific requirements. All of the predefinitions are easily adaptable to your needs, and standard R/3 settings are also available. Chapter 10 describes how to start with the PDAGs and adapt them to your needs.
- Before transporting activity groups, read chapter 12, Transporting, carefully.
- Chapter 13, Tips and Trouble-Shooting Management, helps solve ongoing authorization problems once you go live.
Certain terminology, user information, and special icons are used throughout this guide.
The following sections explain how to identify and use these helpful features.
Special Icons
Throughout this guide special icons indicate important messages. Below are brief
explanations of each icon:
Exercise caution when performing this task or step. An explanation of why you should be
careful is included.
This information helps you understand the topic in greater detail. It is not necessary to
know this information to perform the task.
These messages provide helpful hints and shortcuts to make your work faster and easier.
This icon indicates that you will find additional software included on a CD at the end of the
book or on the Simplification Group web page http://www.saplabs.com/auth.
Navigating the System
You may navigate the R/3 System by using either menu paths, transaction codes, or
shortcut and function keys. If you use transaction codes, remember that you can enter the
codes from the main SAP R/3 screen. But if you wish to jump from one transaction to
another, you must precede the transaction with either /n or /o, as follows:
/n<trans code> (for example, /nVA01): Use /n to exit the current transaction and start a new transaction. Your current transaction gets replaced by the new one.
/o<trans code> (for example, /oVA01): Use /o to open a new session (window). Your current transaction is maintained, while a new window opens with the new transaction.
Before you use /n<transaction code>, make sure you have saved all information.
Otherwise, when you jump from one transaction to another, all unsaved information is
lost.
If you wish to review transactions side-by-side, use /o<transaction code>.
Terminology
The following sections explain the terminology used throughout this guide.
Choose
When you see the word “choose,” you will either perform certain actions by choosing particular buttons on
screen (using the mouse or a shortcut key, for example) or follow given menu paths.
Buttons and Icons
“Choose” is always used for actions involving on-screen buttons or icons. For example, the
following phrases ask you to choose an on-screen button. You may either click with the mouse
or use shortcut keys to activate the function.
1. Choose Change.
2. Choose Back.
3. Choose possible entries.
Number callouts on the screenshot help clarify the activity.
Menu Paths
The word “choose” always appears with menu paths. In some cases, a menu path might lead you
through several screens. Either use your mouse to select the menu item from the top of your
window or use shortcut keys. In most cases, the direct transaction is also provided.
Menu paths appear as follows:
1. On the Activity group maintenance screen, choose Activity group → Create.
2. In the Command field, enter transaction PFCG and choose Enter (or choose Tools → Administration → User maintenance → Activity groups).
Select
The words “select” and “deselect” always appear in instructions for checkboxes and radio buttons. For
example:
1. Deselect Generate folders for project documentation.
2. Select Generate Enterprise IMG.
Sometimes “select” is used to select a particular line. For example:
3. Select the line for S_A.System — System administrator.
Typeface Styles
The steps that require “user input” (text to be entered into a field or after a command
prompt) are indicated with bold, courier font such as:
Enter 14287 in Personnel number.
Notice that “Personnel number” appears in Object style, which is italicized text that indicates
the word is an on-screen object, such as a:
- Button
- Field
- Screen title
- Book or chapter title
- Screen text or messages
For example:
1. In the User Maintenance screen, enter SAP* in User.
2. Choose Change password.
With the above examples, in the first step, whenever you see text in courier bold—user input style—
you know that information needs to be entered. Also in the first step, the words User Maintenance and User
are italicized because they refer to a screen title and an on-screen field.
The second step indicates that an action is required. Change password is italicized because it is an on-screen
button.
What’s New in 4.5
Contents
Overview ..................................................................................................................xxii
Activation of the Profile Generator .......................................................................xxii
Transporting ............................................................................................................xxii
Responsibilities and Derived Activity Groups....................................................xxiii
Customizing Authorization ...................................................................................xxiii
Globally Deactivating or Activating Authorization Checks ...............................xxiii
What’s New in Specific Modules ..........................................................................xxiv
Overview
This chapter provides a brief description of the new functionality of the Profile Generator
(PG) and other related changes in the R/3 Releases 4.5 A/B.
For step-by-step procedures and detailed information on specific topics, please see the
appropriate chapters, as referenced.
For the latest news, you should always check the release notes for 4.5.
Activation of the Profile Generator
If you newly install R/3 Release 4.5x, the Profile Generator (PG) is already activated. If
you upgrade to 4.5x from an earlier release in which you did not use (and therefore did not
activate) the PG, it needs to be activated.
For detailed information, see chapter 2, the section Activating Profile Generator.
Transporting
Transporting Activity Groups
When you transport activity groups, this action also transports the authorization profiles.
Unlike previous releases, the profiles no longer have to be regenerated in the target system
in transaction SUPC. However, you have to compare the user master records (user master
reconciliation) when you import activity groups into the target system.
Transporting Activity Group User Assignments
You can decide whether you would like to transport the user assignments together with the
activity groups.
You can lock the system against importing user assignments from activity groups. However,
this needs to be done in the Customizing table PRGN_CUST, using transaction SM30.
Transporting the user assignments should only be done if the central user administration is
not being used.
For detailed information, see chapter 12, Transporting.
Responsibilities and Derived Activity Groups
Activity groups with responsibilities that were created in Releases 4.0A and 4.0B are
migrated now to separate activity groups in 4.5x that are derived from each other. As a
result of the migration, the new activity groups then receive the old activity groups’
transactions. For each responsibility, a derived activity group contains the authorization
data and user assignments.
With this new functionality, the old functionality is fully retained, with additional
possibilities. For example, with the old responsibility, which is now a true activity group,
you can assign users and authorization data.
For detailed information on derived activity groups, see chapter 4, the section Copying and
Deriving Activity Groups.
Customizing Authorization
With this option you can assign projects or views of the Implementation Guide (IMG)
projects to the activity group. The aim of this assignment is to generate authorizations for
and assign users to specific IMG activities. When you generate profiles, this also generates
the authorizations necessary to execute all activities in the assigned IMG projects/project
views. It is also possible to transfer users to an activity group, if users (resources) are
assigned to IMG projects in the project management.
For detailed information on how to Assign IMG Project/Project Views to Activity Groups and
how to Maintain/Update Customizing Authorization, see chapter 5, the section Customizing
Authorizations.
For detailed information on how to create user assignments with customizing
authorizations, see chapter 8, the section Transferring Users from an IMG Project to an Activity
Group.
Globally Deactivating or Activating Authorization Checks
It is now possible to switch off the check on individual authorization objects globally (using
transaction code auth_switch_objects).
For detailed information, see chapter 2, the section Globally Deactivating or Activating
Authorization Checks.
What’s New in Specific Modules
To see what is new in a specific module, see the release notes by choosing Help → Release Notes.
Module | Description
Treasury | Loans/Basic Data has new authorizations related to credit standing check per partner
Real Estate Management | New authorization checks for Real Estate Management
Logistics-General | Changes in authorization checks for Sales Price Calculation
Quality Management | New authorization checks and PP/QM Master Recipe authorization checks
Plant Maintenance | New authorization checks
ArchiveLink | New authorization checks
All Modules | Authorization groups for output devices (printers, fax, etc.)
Chapter 1: R/3 System Security and the Authorization Concept
Contents
Overview ..................................................................................................................1–2
Overview of the Authorization Concept ...............................................................1–3
SAP* and DDIC Users .............................................................................................1–7
What Is the Profile Generator? ..............................................................................1–7
What Is an Activity Group? ..................................................................................1–10
What Happened to Responsibilities?..................................................................1–11
Activity Group Assignments................................................................................1–11
The Big Picture: Successful and Secure R/3 Implementation .........................1–13
Case Study: Security Strategy in a Three-System Environment .....................1–19
Authorization Administration Using the Profile Generator ..............................1–23
Setting Up Security Administrators ....................................................................1–24
Policies and Procedures ......................................................................................1–26
Auditing Requirements ........................................................................................1–29
Naming Convention for Authorization Profiles..................................................1–29
Overview
This chapter informs you about the R/3 authorization concept and an authorization design
that meets requirements such as maximum security, sufficient privileges for end users to
fulfill their job duties, and easy user maintenance. The authorization concept defines the
functions to be carried out in various organizational units, by people in specific positions.
The concept also provides a little more detail than the R/3 documentation about the
authorizations and profiles required for the various enterprise areas.
Implementing a multilevel client/server environment over WANs provides great flexibility.
But, in this environment, highly sensitive data and programs are at a greater risk of being
lost, manipulated, and spied upon than in a conventional mainframe environment. Even
with local operation, this risk applies to all three layers (Presentation, Application, and
Database) and becomes even more acute over WANs.
The following graphic shows how R/3 covers the aspects of data protection and security:
[Figure: R/3 Data Protection and Security. Labels shown: Authorization Concept in R/3 (covered in Authorizations Made Easy), data protection at database level, data backup, access protection, protection at communication level, integrity check.]
To meet the high demands of data protection and security, SAP provides the following R/3
security mechanisms:
- Access protection and authentication outside of R/3 (not discussed in this guide)
- Authorization concept (this guidebook discusses an authorization design using Profile Generator)
- Secure network communication (not discussed in this guide)
- Activity logging (not discussed in this guide)
Overview of the Authorization Concept
The concept of authorizations inside the R/3 System includes such things as:
- Profile Generator
- Locking and unlocking transactions
- Locked records
- Structural authorizations
- Data encryption
- Locking system for changes
The R/3 authorization concept permits the assignment of general and/or finely detailed
user authorizations. These assignments can reach down to the transaction, field, and field
value level. These authorizations are centrally administered in user master records, and most
allow the handling of certain R/3 components applicable to specific operations. Actions by a
user may require several authorizations. For example, to change a material master record,
authorizations are required for the:
- Transaction “change”
- Specific material
- General authorization to work within the company code
The resulting relationships can become very complex. To meet these requirements, the R/3
authorization concept has been implemented as a form of pseudo-object-oriented concept
with complete authorization objects. Each authorization object is a combination of
authorization fields. An authorization always refers to an authorization object and can
contain intervals for the field values. Authorization checks protect the functions or objects
that you choose. Standard-delivered R/3 has these checks embedded in the program logic.
Programmers have to decide which aspects of their programmed functionality should be
checked and how the check should be conducted.
Authorization administrators create authorizations that are assigned to users in collections
called profiles. The Profile Generator (PG) usually generates authorizations and
authorization profiles, although authorizations can also be manually inserted into a profile.
The following graphic shows the authorization components and explains their relationship:
[Figure: SAP Authorization Concept. Columns: Object Class (for example FI, HR), Authorization Object (long text, technical name), Authorization (field, field value), Profile (generated from PG), User (John Example, SAP1234; Amy Anywhere, SAP3456).]
Authorization Object
As you can see from the graphic “SAP Authorization Concept” above, objects allow
complex user authorization checks. An authorization object works as a template for a to-be-
defined authorization and contains a maximum of ten fields per object. Users may only
conduct an activity if they satisfy the authorization check for each field in the authorization
defined on a specific authorization object.
Authorization objects are grouped in an object class, such as Financial Accounting and
Materials Management. Authorization objects can be created manually by choosing Tools →
ABAP/4 Workbench → Development → Other Tools → Authorization Objs. → Objects. Because
authorization objects are client-independent objects that are defined in the ABAP
Workbench, the developers/programmers/… are the ones most commonly
responsible for creating new authorization objects.
Changes are necessary only if you “modify” your system and want to include
AUTHORITY-CHECK calls or new authorization objects. You can only change or delete
authorization objects added by your company. R/3 authorization objects may not be deleted
or changed. If you wish to change an object, you must first delete all authorizations with
which it is associated.
Authorization Object Fields
Authorization fields for an object can be created manually by choosing Tools → ABAP/4
Development Workbench → Development → Other Tools → Authorization Objects → Fields.
The fields in an authorization object are linked to data elements in the SAP ABAP
Dictionary. The permissible values constitute an authorization. When an authorization
check takes place, the system checks the values you have specified in an authorization
against those required to carry out the action. Users may only carry out the action if they
satisfy the conditions for every field defined for a specific authorization object.
Using the authorization maintenance functions, define all authorization fields in the system
development environment. Changes are necessary only if you “modify” your system and
the new system elements are subjected to authorization checks.
Authorizations
An authorization allows you to carry out an R/3 task based on a set of field values in an
authorization object. Each authorization refers to exactly one authorization object and
defines the permitted value range for each authorization field of this authorization object.
Authorizations are utilized in the user master record as profiles. By themselves,
authorizations do not exist. They only have meaning inside a profile.
Field | Value
Customer type (CUSTTYPE) | *
Activity (ACTVT) | 02
Explanation: * = all possible values; 02 = display
Authorizations are used to specify permitted values for the fields in an authorization object.
There may be one or more values for each field. Authorizations allow you to determine the
number of specific values or value ranges for a field. All values or empty fields can be
permissible values. Changes affect all users whose authorization profile contains that
authorization. The R/3 authorization administrator can maintain authorizations
automatically, using the PG, or manually. Once the authorization is activated, changes affect
all users whose profiles contain the activated authorization.
Once generated, authorizations and profiles created with the PG are automatically
activated. If you manually create and maintain authorizations and profiles, you must
also manually activate them. Generated profiles and authorizations cannot be
maintained manually with the conventional maintenance transactions SU02 and SU03.
Authorization Profiles
User authorizations are not directly assigned with the PG to the user master records.
Instead, these authorizations are assigned as authorization profiles. The authorization
administrator can create authorization profiles manually or automatically.
Single and composite profiles are possible, but, since the PG only generates single profiles,
you must manually create composite profiles. By choosing Tools → Administration → User
maintenance → Profiles, the authorization administrator can manually maintain profiles or,
with the PG, create profiles.
Changes affect all users to whom this profile is assigned and take effect only when the user
logs on. Users who are logged on when the change takes place remain unaffected during
their current session (see chapter 3 for additional information), but when they log on again,
their profile will change accordingly. A user’s authorizations are loaded into the user buffer
only when they log on.
It is not possible to use the authorization profile maintenance transaction SU02 to
manually manipulate the PG-created authorization profiles. Although technically
possible, never create a profile that contains partly manually created and partly
generated authorizations or profiles.
User Master Records
User master records enable the user to log on to the R/3 System and allow limited access to the
functions and objects. The user administrator maintains user master records by choosing
Tools → Administration → User maintenance → Users.
Authorization Checks
To conduct an authorization check, this check must be included in the transaction’s source
code. During the check, the system compares authorization profile values (assigned by the
authorization administrator) to the values needed to carry out a program-specified action. A
user may only carry out the action if the authorization check is successful for every field in
the authorization object.
Authorization checks are triggered by the ABAP AUTHORITY-CHECK statement. The
programmer specifies an authorization object and the required values for each authorization
field. The AUTHORITY-CHECK then verifies if a user has authorization and if this
authorization is from the user master record. The check is successful if an authorization is
found that contains the values specified in the AUTHORITY-CHECK.
When R/3 transactions are conducted, since the transaction calls other work areas in the
background, many authorization objects are often checked. For these checks to be
successful, the user must have the appropriate authorizations. Authorization checks can be
disabled by setting check indicators in transaction SU24 or by switching off objects globally.
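The following added example (a Python model written for this text, not SAP code) shows two points made above: a check succeeds only when a single authorization covers every field, and a profile change reaches the user buffer only at the next logon. The object F_BKPF_BUK with its fields ACTVT and BUKRS and all values are sample data; the function and class names are hypothetical.

```python
# Added illustration: a model of the check semantics, not SAP code.

def value_matches(allowed, required):
    """True if one maintained field value covers the value the program requires."""
    if allowed == "*":                      # full authorization for the field
        return True
    if allowed.endswith("*"):               # generic value such as "ME2*"
        return required.startswith(allowed[:-1])
    return allowed == required

def authority_check(user_buffer, obj, required):
    """Succeed only if ONE authorization for obj covers EVERY required field."""
    for auth_obj, fields in user_buffer:
        if auth_obj != obj:
            continue
        if all(any(value_matches(a, want) for a in fields.get(name, ()))
               for name, want in required.items()):
            return True
    return False                            # no single authorization fits

class Session:
    """A logon copies the authorizations of all assigned profiles into the user buffer."""
    def __init__(self, profiles):
        self.user_buffer = [auth for profile in profiles for auth in profile]

    def check(self, obj, **required):
        return authority_check(self.user_buffer, obj, required)

# Constructed sample profile: display in every company code, create/change only in 1000.
PROFILE = [
    ("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["*"]}),
    ("F_BKPF_BUK", {"ACTVT": ["01", "02"], "BUKRS": ["1000"]}),
]

def demo():
    profile = list(PROFILE)
    session = Session([profile])
    before = session.check("F_BKPF_BUK", ACTVT="02", BUKRS="2000")
    # The administrator extends the profile while the user is still logged on.
    profile.append(("F_BKPF_BUK", {"ACTVT": ["02"], "BUKRS": ["2000"]}))
    same_session = session.check("F_BKPF_BUK", ACTVT="02", BUKRS="2000")
    after_logon = Session([profile]).check("F_BKPF_BUK", ACTVT="02", BUKRS="2000")
    return before, same_session, after_logon

if __name__ == "__main__":
    print(demo())
```

Change in company code 2000 is refused at first even though one authorization grants change and another grants all company codes, because field values are not combined across authorizations.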
Activating and Deactivating Authorization Checks in Transactions
Most users receive more authorization than necessary, leading to an increased maintenance
load. Authorization checks are conducted wherever they are written into a transaction’s
source code. Only by using the PG can check indicators be set to exclude:
- Certain authorization objects from authority checks
- Specific authorization checks in specific transactions
- An authorization object from being checked
All of these adjustments are possible without altering the program code. Prior to
automatically generating the authorization profile, use the check indicators to control which
objects appear in the PG and which field values are displayed. SAP delivers a default check
indicator setting with R/3. Please refer to chapter 2, the section Reducing the Scope of
Authorization Checks.
SAP* and DDIC Users
During your R/3 installation, clients 000, 001, and 066 are created. In clients 000 and 001,
two special users are defined, but no special user is created in client 066. Since these users
have standard names and passwords, you need to secure these users from unauthorized
usage (the EarlyWatch and CPIC user are not covered in this book).
The two special R/3 users are:
- SAP*
Defined as the standard R/3 superuser, SAP* does not require a user master record.
Rather, it:
  - Is defined in the system code
  - Has a default password (PASS)
  - Has unlimited system access authorizations
When you install R/3, a user master record is defined in clients 000 and 001 with the
initial password 06071992. The SAP* user master record deactivates SAP*’s special
properties. To prevent SAP* misuse, change the password. We recommend, however,
that you deactivate SAP* and define your own superuser.
- DDIC
This user is the maintenance user for the ABAP Dictionary and software logistics. The
user master record for DDIC is automatically created in clients 000 and 001 and has the
default password 19920706. System code testing allows DDIC special privileges for
certain operations. For example, DDIC is the only user that can log on during an
upgrade. To prevent DDIC misuse, change the password.
Use report RSUSR003 to check whether the standard SAP* and DDIC passwords have
been changed.
What Is the Profile Generator?
SAP’s Profile Generator (PG) facilitates the authorization administrator’s creation,
generation, and assignment of authorization profiles. Released with 3.1G, this tool
accelerates R/3 implementation by simplifying the task of setting up the authorization
environment. The administrator needs only to configure the customer-specific settings; the
PG manages other tasks, such as selecting the relevant authorization objects for
consideration. The PG is fully integrated in R/3 and is available on all R/3-supported
platforms. The PG represents yet another improvement of SAP’s tool-based support and a
reduction in R/3 implementation time.
The PG is an approach to defining the authorization environment. The administrator no
longer uses the authorization objects to define the authorizations for various user groups;
instead, authorization profiles are built around the functions to be performed in R/3. Based
on function selection, the PG selects the relevant authorization objects and groups them in a
new authorization profile.
Using functions to define authorization profiles:
- Speeds up the process
- Defines authorization profiles
- Simplifies administrator/user communication, allowing both the administrator and
users to use the same R/3 function terminology
To use the PG, you first have to set it up. Setting it up involves a three-step process that you
only perform once:
- Setting the SAP R/3 system parameter correctly
- Using SU25 to initialize the tables USOBT_C and USOBX_C (and then customizing them
if desired)
- Creating and generating the company menu
For detailed information please read chapter 2.
Once the PG is set up, then you can work with it. However, before starting, it is good to
understand its components.
The Components of the Profile Generator
The PG utilizes the following components:
Activity Groups
An activity group is a collection of R/3 transactions, authorizations, and additional objects.
You can assign an activity group to as many users as you want. You can create, display,
change, copy, and transport activity groups.
Derived Activity Groups
You can use an existing activity group as a reference when creating a new one. The system
transfers the transactions in one activity group to a new activity group—one that remains
dependent on the first. You can display the hierarchy of the activity groups that inherit
transactions from each other by choosing Activity group → Where-use list.
With an activity group derived from a different activity group, you cannot enter
transactions directly. You cannot reset the definition of the initial activity group from which
the derived activity group inherited its transactions. Passing on transactions only refers to
the menu selection and not to the authorizations. You must maintain authorizations
separately in each activity group; these are not passed on. It is also possible to transfer the
authorization data of the previous activity group to the derived activity group as a copy.
Company Menu
The company menu displays the menu options that exist in the activity group.
User Assignment
The users that you assign to an activity group may execute the transactions in the activity
group with the corresponding authorizations.
In order to successfully create an activity group and assign it to a user, the following steps
are involved:
1. Create an activity group and give it a name.
2. Select from the company menu which transaction codes this activity group is to have
access to (this is not a required step). Alternative transaction codes can also be entered
manually, without using the company menu.
3. Review, complete, or add the field values needed to the authorizations included in the
activity group.
4. Assign the activity group to an appropriate user.
Generating the Profiles
Authorization profile definitions are based on the company menu, which is generated
during the R/3 implementation and is intended to show only the R/3 functions (transaction
codes) that are actually used by the customer. Each customer is responsible for generating
its own company menu. From this menu, the administrator chooses the specific menu paths
and functions for each user group. This selection describes the R/3 activities that users in
each user group are authorized to perform. These initial configuration steps are also used in
the Session Manager (please read chapter 4 for detailed information) to generate the user-
specific menu.
Using the selected transaction codes, the PG determines the affected authorization objects.
To simplify the creation of subsequent individual authorization profiles, R/3 contains
default values for many authorization fields in specific authorization objects. For example,
one possible access restriction might be the default value Display, limiting the user to
display mode on certain transactions.
Additionally, the PG identifies the organizational levels that play a role in the extracted
authorization objects and clearly displays these levels for the administrator. The
authorization administrator may have to intervene and manually define the levels to which
the users need access (for example, the company code).
The PG then places the specified levels in the authorization objects. At this point, a lot of
authorization object fields for the new authorization profile have been filled; however, there
are still fields that need to be maintained. The authorization objects are displayed
hierarchically in a special maintenance transaction. The administrator may fine-tune the
remaining values, such as material type, order type, etc.
Within this maintenance transaction, the administrator can easily navigate from the
overview screen to the lowest display level (the authorizations and their fields) and directly
assign the values. Generally, permissible values can also be assigned at higher levels. The
following utilities to specify the values are available at every level of the hierarchical
display:
- Value selection from lists
- Checkboxes for simple activity selection
- Delete and copy functions
If administrators determine that no further authorization restrictions are necessary on a
certain level, by choosing a button, the PG fills in the remaining values.
Finally, another menu item in the system assigns the users to the R/3 functions. In this
process, the PG automatically copies all the corresponding authorization profiles to the user
master record. Of course, users can be assigned multiple selections, which means that
certain general authorizations need to be maintained only once and are available for
assignment to all system users.
Integrating the PG in R/3 also enables the administrator to access the documentation on
every authorization object directly from the PG. Furthermore, the PG can list all R/3
functions that check a specific authorization.
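The generation steps described in this section can be followed in a small model. This is an added example in Python, not SAP code: the DEFAULTS table is constructed sample data (not real table contents), the function names are hypothetical, and merging the proposals for one object by simple union is an assumption of the sketch.

```python
# Added illustration: a simplified model of the generation steps, not SAP code.

# Constructed stand-in for the per-transaction default values (not real table
# contents): object -> field -> proposed values. "$NAME" marks an organizational
# level; an empty list marks a field the administrator must still maintain.
DEFAULTS = {
    "ME21": {"M_BEST_EKO": {"ACTVT": ["01"], "EKORG": ["$EKORG"]},
             "M_BEST_BSA": {"ACTVT": ["01"], "BSART": []}},
    "ME23": {"M_BEST_EKO": {"ACTVT": ["03"], "EKORG": ["$EKORG"]},
             "M_BEST_BSA": {"ACTVT": ["03"], "BSART": []}},
}

def propose(tcodes):
    """Collect the objects affected by the selected transactions with their defaults."""
    auths = {}
    for tcode in tcodes:
        for obj, fields in DEFAULTS.get(tcode, {}).items():
            for field, values in fields.items():
                merged = auths.setdefault(obj, {}).setdefault(field, [])
                merged.extend(v for v in values if v not in merged)
    return auths

def fill_org_levels(auths, org_levels):
    """Replace each "$NAME" placeholder with the values maintained once per level."""
    for fields in auths.values():
        for field, values in fields.items():
            resolved = []
            for v in values:
                resolved += org_levels.get(v[1:], [v]) if v.startswith("$") else [v]
            fields[field] = resolved
    return auths

def open_fields(auths):
    """Fields that still need maintenance: empty, or an unresolved org level."""
    return sorted((obj, field) for obj, fields in auths.items()
                  for field, values in fields.items()
                  if not values or any(v.startswith("$") for v in values))

def build(tcodes, org_levels, manual=None):
    """Run all steps; manual holds the administrator's fine-tuned field values."""
    auths = fill_org_levels(propose(tcodes), org_levels)
    for (obj, field), values in (manual or {}).items():
        auths[obj][field] = list(values)
    return auths, open_fields(auths)

if __name__ == "__main__":
    print(build(["ME21", "ME23"], {"EKORG": ["1000"]}))
```

A profile is ready to generate only when the list of open fields is empty; until then the model reports which object and field the administrator still has to maintain.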
Requirements and Availability
The PG runs on all supported platforms and has been available since Release 3.1G for
general customer use. With Release 4.5 it is already activated for use.
What Is an Activity Group?
The process of security implementation with the new PG is based on the creation of activity
groups or a collection of linked or associated activities, such as tasks, reports, and
transactions. An activity group is a data container for the PG to generate authorization
profiles and usually represents a job role in your company. (However, customers
throughout the world often define activity groups somewhat differently. As such, there is
no one concrete definition of an activity group, other than it is a data container for
authorizations.)
For example, to implement security for a buyer:
1. Create the activity group, Buyer.
2. Include all of the business transactions Buyer can access.
3. Generate the appropriate authorization profile for Buyer by selecting the transactions a
buyer would perform and by providing the authorizations that the transactions utilize
with the appropriate values.
4. Assign Buyer to a new user or a position in your system.
5. Update the user master record for the user.
The new user now has all the necessary access rights needed to work as a buyer in your
company.
Activity groups are defined by the customer performing the implementation and allow
systematic organization and efficient maintenance of system activities.
The SAP Session Manager, SAP Business Workflow, and Personnel Planning and
Development are intricately linked with the PG. The SAP Session Manager uses the PG’s
company menu (which is the same menu used when an activity group’s transactions are
selected from a menu structure). SAP Business Workflow includes something called
workflow tasks that can be linked to an activity group. Users assigned to have access to a
particular activity group really come from the HR-Personnel Planning and Development
Functionality. Furthermore, the plan version that is used in HR-Personnel Planning and
Development is the same plan version used by the PG and Workflow.
Using an activity group as an information database reduces data entry time. Select the
criteria, such as access rights, and divide the activities into appropriate groups. For example,
you could decide to group activities by subject matter, such as personnel, payroll, or
budgeting. Or, you could group activities by job classes, such as translation activities,
computer programmer activities, or secretarial activities. You could also set up a
combination of subject matter and job-oriented activity groups. Activity groups are created
and maintained in the activity group maintenance transaction PFCG (the transaction for
calling the PG). After setting up activity groups, you may assign them to various R/3
objects.
What Happened to Responsibilities?
If you have worked with the R/3 System in Release 4.0x or have read the 4.0B Authorizations
Made Easy guidebook, then you may have wondered what happened to the functionality
called “responsibilities.” In Release 4.5, responsibilities were replaced by a concept called
“derived activity groups” and these derived activity groups function a bit differently from the
4.0 responsibilities. If you used responsibilities in 4.0 and upgrade to 4.5, your
responsibilities are converted automatically into derived activity groups.
For detailed information on derived activity groups please see the corresponding section
earlier in this chapter and chapter 4.
Activity Group Assignments
An activity group can be assigned to many users. One user can also be assigned to many
activity groups.
An activity group can be assigned to the following types of users:
- R/3 login user IDs
An R/3 user is an individual who is recognized by the R/3 System and is allowed to log
on. For the system to recognize users, their names must be entered in the user master
record of the Basis component.