The Role Maintenance tool is an evolution of the Profile Generator, available in releases of SAP R/3 since 4.6, that helps manage roles, user authorizations, and profiles. Before the Role Maintenance and Profile Generator existed, implementing and supporting the authorization concept took a great deal of effort, and this was a costly activity within projects. SAP designed the Role Maintenance tool to reduce the time needed to implement and manage the user menus and authorizations associated with a job description, thus decreasing implementation costs. SAP recommends using the Role Maintenance and Profile Generator to set up authorizations.
Using the Role Maintenance is very different from manual profile management, where authorization objects must be selected, authorizations defined, and profiles created to be assigned to users later. With the Role Maintenance, the management of profiles and authorizations is based on the functions and tasks that users will perform with the SAP systems, and the Profile Generator is in charge of selecting and grouping the authorization objects.
Assigning authorizations to the new profile
The definition of roles with the Role Maintenance is based on grouping functions or tasks in a user menu, which generates the profiles and authorizations selected by the customers. As introduced in a previous section, roles form a set of tasks or activities that can be performed in the system, such as running programs, transactions, and other functions that generally represent job roles. SAP systems already include a very large number of predefined roles that can be freely selected, or copied and then modified to accommodate specific needs.
In summary, the Role Maintenance tool and the Profile Generator
The Role Maintenance and Profile Generator can be accessed from the initial SAP Easy Access screen by clicking on the Create Role pushbutton on the application toolbar; or, from the main menu tree by selecting Tools | Administration | User Maintenance | Role Administration | Roles or alternatively by entering transaction code PFCG in the command field. The following sections introduce how the Role Maintenance works, how to configure it, and a basic example of creating roles and using automatically generated profiles to assign those roles to user master records.
How the Role Maintenance Works
Based on a job role, or group of tasks that represents what the users are trying to perform, administrators can identify and select the transactions, reports, or values that are required for users to pass the authorization checks.
Using the Role Maintenance and Profile Generator tool, the administrator creates roles with functions and tasks that are associated with SAP transactions, reports, and other object types. The tool automatically generates the profiles and selects the required authorizations, and it either sets the authorization values or lets the administrator maintain those values for the authorization objects that correspond to the specific functions selected.
Once roles are created, the Profile Generator is in charge of retrieving all the authorization objects for the selected transactions. This is accomplished using special check tables. The Profile Generator then creates the profile or profiles, and then the roles can be assigned to the user master record. The user master record is then updated by a direct assignment, which automatically assigns the generated profiles as well. This assignment can also be performed via a batch job. Once the assignment is done, when the users log on, their user buffer will contain the corresponding authorization that will allow them to pass the authorization checks required for performing their usual jobs.
Configuring the Profile Generator
Before using the Role Maintenance, you have to configure the Profile Generator for the first time. The steps required to configure and work with the Profile Generator tool are the following:
Basic Concepts for Working with Roles
Access the Role Maintenance screen by clicking on the Create Role pushbutton in the initial screen of the SAP Easy Access, or enter transaction PFCG in the command field.
Role Maintenance initial screen in complete view
Role maintenance includes three different views, which you can select from the initial screen by choosing Goto | Settings:
When implementing structural authorizations, that is, roles linked with HR organizational management, roles are assigned to agents. There are several types of agents, the most common being the user master record; however, there are other types of organizational agents that can be created within the Human Resource module, such as organizational units, positions, jobs, persons, or work centers.
The basic steps for creating a new role are, in a simplified way:
The following example shows how to create a simple role for the purchasing department users, providing them with authorizations for creating purchasing orders when the vendor is known (transaction code ME21) and for changing and displaying purchasing orders (transaction codes ME22 and ME23). These are the steps:
Activity group browser view
You can verify that the role and profiles have been effectively transferred by looking up the user master records using transaction SU01. There is the possibility of running a general report for updating all user masters and pending assignments of activity groups by using transaction PFUD. The Role Maintenance and Profile Generator tools include many additional functions to facilitate the creation and maintenance of roles, authorizations and profiles, such as using single roles as templates, collections of authorization objects that can be included within roles.
The SAP system includes some options to find the authorization for any transaction or function a user performs in the system. This is quite useful when investigating an authorization denial or when defining profiles and you want to specify exactly which authorization objects a particular transaction checks. The two methods available in SAP systems for finding authorizations are the authorization check transaction (SU53) and the system trace. The system trace is a more general-purpose tool used mainly by developers or system administrators; it can provide a great deal of detailed information and can be used to trace other user sessions.
Transaction SU53 is more specific for authorization error analysis but can only be used for the current user sessions. However, SU53 is a faster and more direct method for finding an authorization denial problem. Transaction SU53 can be accessed from the menu System | Utilities | Display Authorization Check.
Using the System Trace for Tracing Authorizations
The SAP system includes extensive tracing and debugging utilities. You can find more information about tracing in Chapter. This section covers just the simple process of activating and displaying a trace concerning authorization checks. To start the system trace, from the main menu select Tools | Administration | Monitor | Traces | System Trace. The system displays the available trace options and switches, one of which is the Authorization Check. Make sure you mark the check box next to Authorization Check.
To limit the trace to your own user ID or another user ID, enter the name of the user ID you want to trace in the General Filter field by clicking on the possible entries arrow and then selecting it from the list. To activate and start the tracing process, select Trace On from the application toolbar. The trace will start recording every system function you or the entered user performs. So, if you are looking for an authorization problem or just want to find a particular authorization check, open a new session and go to the screen, function, or transaction you want to analyze.
Once you are finished you should stop the system trace. Go back to the session where you activated the trace, and if you are on the tracing screen, stop the trace by selecting Trace Off. Now you should look at the trace file generated. To analyze the trace click on the Analysis pushbutton on the application toolbar, and enter the criteria for the analysis. The trace file contains the authorization objects, authorization fields, and values that have been tested while you have been performing system functions. Authorization tests are displayed in the following format:
You can display a more legible view of the authorization check by clicking on the entry.
Using the SU53 Transaction
The transaction SU53 can be used to analyze a function when getting the error You are not authorized to in the status bar. When you get this message, enter SU53 or /NSU53 in the command field. Alternatively, you can select System | Utilities | Display Authorization Check from any SAP screen. The system will display the authorization object and value for which you were not authorized. Transaction SU53 can also be used from any of your open sessions and not only from the one in which you got the authorization error message. However, you cannot use SU53 to analyze other users' authorization errors. In those cases, administrators should instruct users to reproduce the error and then to enter the transaction SU53 in the command field to receive information about the authorization error messages they got.
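The flow described under "How the Role Maintenance Works" and the failed-check record that SU53 reports can be seen together in a small model. This is an added example, not SAP code: the check-table entries, the document types NB and FO, and the transaction ME29N are constructed sample values, and the use of S_TCODE and M_BEST_BSA for the purchasing transactions is an assumption of the sketch.

```python
# Simplified model: role menu -> generated profile -> user buffer -> authorization check.
# CHECK_TABLE is constructed for illustration; None marks a field with no
# proposed value, which the administrator has to maintain by hand.
CHECK_TABLE = {
    "ME21": [("M_BEST_BSA", {"ACTVT": {"01"}, "BSART": None})],
    "ME22": [("M_BEST_BSA", {"ACTVT": {"02"}, "BSART": None})],
    "ME23": [("M_BEST_BSA", {"ACTVT": {"03"}, "BSART": None})],
}

def generate_profile(menu):
    """Collect the authorization objects proposed for each transaction in the role menu."""
    profile = {"S_TCODE": {"TCD": set(menu)}}
    for tcode in menu:
        for obj, fields in CHECK_TABLE.get(tcode, []):
            target = profile.setdefault(obj, {})
            for field, default in fields.items():
                target.setdefault(field, set()).update(default or ())
    return profile

def open_fields(profile):
    """Fields that still have no value and must be maintained before use."""
    return sorted((o, f) for o, fs in profile.items() for f, v in fs.items() if not v)

def authority_check(user_buffer, obj, **values):
    """Return None if the check passes, else the failed object and values (the SU53 view)."""
    granted = user_buffer.get(obj, {})
    for field, value in values.items():
        allowed = granted.get(field, set())
        if "*" not in allowed and value not in allowed:
            return (obj, values)
    return None

def run_transaction(user_buffer, tcode, **po_values):
    """Check the transaction code first, then the objects listed for that transaction."""
    failed = authority_check(user_buffer, "S_TCODE", TCD=tcode)
    for obj, fields in CHECK_TABLE.get(tcode, []):
        if failed is None:
            actvt = next(iter(fields["ACTVT"]))
            failed = authority_check(user_buffer, obj, ACTVT=actvt, **po_values)
    return failed

def demo():
    profile = generate_profile(["ME21", "ME22", "ME23"])
    pending = open_fields(profile)
    profile["M_BEST_BSA"]["BSART"] = {"NB"}   # administrator maintains the open value
    user_buffer = profile                     # role assigned; loaded at logon
    return pending, [run_transaction(user_buffer, "ME21", BSART="NB"),
                     run_transaction(user_buffer, "ME21", BSART="FO"),
                     run_transaction(user_buffer, "ME29N", BSART="NB")]
```

The two denials in `demo()` show why the reported object matters when fixing a role: one is a missing field value inside an object the role already contains, the other is a transaction that was never in the role menu.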
All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd