User Master Records

7/23/2019 User Master Records

http://slidepdf.com/reader/full/user-master-records 1/64

Creating and Editing User Master RecordsUse

With these functions, we can assign user data and access authorizations to the users of ourABAP system.Note:

The changes that we make to user master records only take effect when the user next logs onto the system. If a user is logged on at the time when the system administrator implements thechanges, these will only take effect when the user logs on to their next session.We can also change a users authorizations !y changing and then reacti"ating profiles andauthorizations within the user master record. #hanges to reacti"ated authorizations ha"eimmediate effect. #hanges to profiles, on the other hand, only take effect at the users nextlogon.Prerequisites

We ha"e the following authorizations as the user administrator$% Authorization to create or edit a user master record and to assign it to a user group

&o!'ect ()*(+)-P% Authorization for the authorization profiles we assign to users &o!'ect ()*(+)P/% Authorization to create and edit authorizations &o!'ect ()*(+)A*T0% Authorization to protect roles, we can use this authorization o!'ect to determine whichroles may !e processed and which acti"ities &#reate, 1isplay, #hange, and so on area"aila!le for the role&s &o!'ect ()*(+)A-.% Authorization for transactions that we may assign to the role and for which we canassign authorizations at the start of the transaction in the Profile -enerator &o!'ect()*(+)T#1% Authorization to restrict the "alues which a system administrator can insert or change ina role in the Profile generator &()*(+)2A3

Organizing Authorization AdministrationThe authorization system allows us great flexi!ility in organizing and authorizing theadministration of user master records and roles$% If our company is small and centralized, we can ha"e all administration of user masterrecords and authorization components executed !y a single super user.Protecting Special Users

#lients 444, 445 and 466 are created when our (AP (ystem is installed. Two special users aredefined in clients 444 and 445. (ince these users ha"e standard names and standard

passwords, we must secure them against unauthorized use !y outsiders who know of theirexistence.

7ote that no special user is created in client 466.The two special users in the (AP (ystem are as follows$• The (AP (ystem super user, (AP8(AP8 is the only user in the (AP (ystem that does not re9uire a user master record, !ut thatis instead defined in the system code itself. (AP8 has !y default the password PA((, as wellas unlimited system access authorizations.When we install our (AP (ystem, a user master record is defined for (AP8 with the initial

password 464:5;;<&Its => elease date in #lients 444 and 445. The presence of a (AP8user master record deacti"ates the special properties of (AP8. It has only the password andthe authorizations that are specified for it in the user master record.To secure (AP8 against misuse, we should at least change its password from the standard

PA((. ?or security reasons, (AP recommends that we deacti"ate (AP8 and define our ownsuper user.• The maintenance user for the ABAP 1ictionary and software logistics, user 11I#.



The user master record for user 11I# is automatically created in clients 444 and 445 whenwe install our (AP (ystem. The default password for this user is 5;;<4:46. The system codeallows user 11I# special pri"ileges for certain operations. ?or example, 11I# is the onlyuser that is allowed to log on to the (AP (ystem during an upgrade.To secure 11I# against unauthorized use, we must change the initial password for the user in

clients 444 and 445 in our => (ystem.• The user +arlyWatch is deli"ered in client 466 and is protected using the password(*PP/T. The (AP +arlyWatch experts use this user which should not !e deleted. #hangethe password. This user should only !e used for +arlyWatch functions &monitoring and

performance.Securing User SAP* Against Misuse

The (AP system has a default super user, (AP8, in the clients 444 and 445. A user masterrecord is defined for (AP8 when the system is installed. 0owe"er, (AP8 is programmed inthe system and does not re9uire a user master record.If we delete the (AP8 user master record and log on again as (AP8 with initial passwordPA((, then (AP8 has the following attri!utes$• The user is not su!'ect to authorization checks and therefore has all authorizations.• The user has the password @PA((@, which cannot !e changed.If we want to deacti"ate the special properties of (AP8, set the system profile parameterlogin!no"automatic"user"sapstar# to a "alue greater than zero. If the parameter is set,then (AP8 has no special default properties. If there is no (AP8 user master record, then(AP8 cannot !e used to log on.We should set the parameter in the glo!al system profile, $E%AU&'(P%&#, so that it iseffecti"e in all instances of an (AP system. We should ensure that there is a user masterrecord for (AP8 e"en if we set the parameter. /therwise, resetting the parameter to the "alue4 would once again allow we to log on with (AP8, the password PA(( and unrestricted

system authorizations.(ee Profile maintenance for system profile parameter details.If a user master record exists for (AP8, it !eha"es like a normal user. It is su!'ect toauthorization checks and its password can !e changed.$eacti)ating User SAP*

As (AP8 is a known super user, (AP recommends that we deacti"ate it and replace it withour own super user. In the (AP8 user master record, we should proceed as follows$• #reate a user master record for (AP8 in all new clients and in client 466.• Assign a new password to (AP8 in clients 444 and 445.• 1elete all profiles from the (AP8 profile list so that it has no authorizations.•

+nsure that (AP8 is assigned to the user group (*P+ to pre"ent accidental deletionor modification of the user master record.The (*P+ user group has a special status in the predefined user profiles. The users that areassigned to group (*P+ can !e maintained or deleted only !y the new super user that wedefine, pro"ided that$• we use the predefined profiles, and• we follow (APs other user and authorization maintenance recommendations.$eining a Ne+ Super user

To define a super user to replace (AP8, we need only gi"e a user the (AP)A33 profile.(AP)A33 contains all authorizations, including new authorizations released in the(AP)7+W profile.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/c4/3a616a505211d189550000e829fbbd/frameset.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/c4/3a616a505211d189550000e829fbbd/frameset.htm



(AP)7+W assures upward compati!ility of authorizations. The profile ensures that users arenot incon"enienced when a release or update includes new authorization checks for functionsthat were pre"iously unprotected.Protecting User $$,C Against Unauthorized Access

*ser 11I# is a user with special pri"ileges in installation, software logistics, and the ABAP

1ictionary. The user master record is created in clients 444 and 445 when we install our =>(ystem.We should secure the 11I# user against misuse !y changing 11I#s initial password5;;<4:46 in clients 444 and 445.*ser 11I# is re9uired for certain installation and setup tasks in the system, so we should notdelete it.% 1epending on the size and organization of our company, we should, howe"er, distri!utethe administration of user master records and authorizations among multiple administrators,each with limited areas of responsi!ility. This applies in particular in a decentralizeden"ironment, in which different time zones might apply. This also helps to achie"e maximumsystem security.+ach administrator should only !e a!le to perform certain tasks. By separating these tasks, wemake sure that no single super user has total control o"er our user authorizations. We alsomake sure that more than one person appro"es all authorizations and profiles. In addition,define standard procedures for creating and assigning our authorizations.(ince we can precisely restrict authorizations for user and authorization administration, theadministrators do not ha"e to !e pri"ileged users in our data processing organization. We canassign user and authorization administration to ordinary users.Note:

We use the role administration tools and functions &transaction P?#- to maintain our roles,authorizations and profiles. These functions make our 'o! easier !y automating certain

processes and pro"iding more flexi!ility in our authorization plan. We can also use the#entral *ser Administration functions to centrally edit the roles deli"ered !y (AP or ourown, new roles, and to assign the roles to any num!er of users.,n Organization i -e Are Using the Role Administration 'ool

If we are using the role administration tool &the profile generator, we can distri!ute theadministration tasks within an area &such as a department, cost center, or other organizationalunit to the following administrator types$• Authorization data administrator, who creates roles &transaction selection and

authorization data, selects transactions, and edits authorization data. 0owe"er theauthorization data administrator can only sa"e data in the role administration tool,since he or she is not authorized to generate the profile, 0e or she accepts the default

profile name '"((((# when doing this.• Authorization profile administrator, who checks and appro"es the data, and generates

the authorization profile, to do this, he or she choose → All oles in transaction(*P# or P?#-, and then specifies the a!!re"iation of the role to !e edited. /n thefollowing screen, he or she checks the data !y choosing 1isplay Profile.

• *ser administrator, who edits the user data with the user administration transaction&(*45 and assigns roles to the users, this enters the appro"ed profiles in the masterrecords of the users.

• These administrators of one or more areas are administered !y super users who set uptheir user master records, profiles, and authorizations. We recommend that we assign

the super user, the user administrator, and the authorization administrator the (*P+group. If we use the preCdefined user administration authorizations, this group



assignment makes sure that user administrators cannot modify their own user masterrecords or those of other administrators. /nly administrators with the preCdefined

profile ()A.(D(T+E can edit users in the group (*P+.The ta!le in the section (etting *p *ser and Authorization Administrators shows the tasksthat we should assign to indi"idual administrators, tasks that we should not assign, and the

templates that we ha"e predefined for these tasks.Setting Up User and Authorization Administrators

Use

If we ha"e organized our user administration in a decentralized manner, in which we ha"edistri!uted the user administration tasks among multiple administrators, we must create theseadministrators as normal (AP users or assign these tasks to existing users.The ta!le !elow shows the tasks that we should assign to indi"idual administrators, tasks thatwe should not assign, and the templates and roles that we ha"e predefined for these tasks. Arole is only a"aila!le for the user administrator. This has the ad"antage o"er a template thatthe administrator recei"es a menu that contains all of the important functions for his or herwork.Organization o the User Administrators +hen using the Role Administration 'ool

Administrator Permitted Tasks Impermissi!le Tasks Templates and oles*ser Administrator #reating and

changing usermaster records

#hanging role data Template(AP)A1E)*(ole(AP)B#)*(+)A1EI

Assigning roles tousers

#hanging orgenerating profiles

Assigning profiles

!eginning with.'"(((((((. to users

1isplayingauthorizations and

profiles

*sing the *serInformation (ystem

Authorization 1ataAdministrator

#reating andchanging roles

#hanging users (AP)A1E)A*

#hangingauthorization data

and transactionselection in roles

-enerating profiles


AuthorizationProfileAdministrator

1isplaying roles andthe associated data

#hanging users (AP)A1E)P

*sing transactionP?#- or (*P# togenerate the

authorizations and profiles that !egin

#hanging role data

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/67170b439b11d1896f0000e8322d00/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/67170b439b11d1896f0000e8322d00/content.htm



with '"(((((# forroles that ha"eauthorization data

#hecking roles forthe existence of

authorization data&transaction (*P#

-eneratingauthorization

profiles withauthorizationo!'ects that !eginwith ()*(+

Performing a usermaster comparison&transaction P?*1,Performing a profilecomparison of theuser mastercomparison


Prerequisites

We are an administrator with the predefined profile ()A.(D(T+E, with which we can editusers of the group (*P+.Procedure

5. #reate a role for each administrator.a. +nter a name in the ole field in role administration &transaction P?#- and

choose #reate ole.

!. 1o not assign any transactionsF instead, choose #hange authorization data on theAuthorizations ta! page.A dialog !ox appears asking us to choose a template.

c. #hoose one of the following templates$

'emplate Administrator

(AP)A1E)P Authorization profileadministrator

(AP)A1E)A* Authorization dataadministrator

(AP)A1E)*( *ser administrator

d. -enerate an authorization profile in each case.*se a profile name that does not !egin with '"((((#, so that the authorization data

administrator cannot change his or her own authorizations.<. /n the *ser ta! page, assign the role to the rele"ant user, that is, to the administrator.>. (a"e our entries.G. (o that the user administrators cannot change their own user master records, or those of

other administrators, assign them to the group (*P+. This applies if we are using the predefined user administration authorizations.

a. To do this, choose the 3ogon 1ata ta! page in user administration &transaction(*45.

!. In the *ser -roup for Authorization #heck field, enter the "alue (*P+.c. (a"e our entries.



H. If appropriate, restrict the authorizations of the administrators further$• We can use authorization o!'ects ()*(+)A-, ()*(+)T#1 and

()*(+)2A3 to further differentiate the roles of the administrators.• ?or the user administrator, we can restrict the authorization to particular user

groups.• ?or the profile administrator, we can exclude additional authorization o!'ects, for

example, for 0 data. If we want our generated authorization profiles to !eginwith a letter other than '"(((((#, we should inform our profile administrator.

Note:

7o authorization profile !eginning with '"(((((# may contain critical &()*(+8 o!'ectsauthorization o!'ects.Procedure

5. #hoose Tools→ Administration → *ser Eaintenance→ *ser &transaction (*45.The *ser maintenance$ Initial screen appears.

<. +nter a new user name and choose #reate & or enter an existing user name or alias

&such as an Internet user and choose #hange & .We can also create a user !y copying existing users.>. +nter the personal data for the user on the Address ta! page. The 3ast name field must !e

filled. This data !elongs to the Business Address (er"ices &B#C(2CA1.There are the following ta! pages in user administration$ Address, 3ogon 1ata, &possi!ly(7#, 1efaults, Parameters, &possi!ly (ystems, oles, Profiles, -roups, Personalization,and 3icense 1ata. The ta! pages (7# and (ystems are only displayed if the (7# interfaceand #entral *ser Administration are used.The ta! pages can !e di"ided into those we must maintain and those we can optionallymaintain$ We do not need to edit the 1efaults and Parameters ta! pages. *sers can change this data

themsel"es later !y choosing (ystem*ser profile/wn data &see +diting *ser 1efaults and /ptions.We can use transaction "ariants to restrict the fields that users can edit themsel"es.

The Address, 3ogon data, oles, and Profiles ta! pages contain fields that we must fill in.Cop/ing Users

Use

We can create a user !y copying an existing one. We can copy the standard "alues, addresses,and parameter settings, or copy the entire user and create it under a new name.Prerequisites

We are authorized to assign the authorizations, systems, roles, profiles, and reference usersthat are assigned to the user to !e copied. /therwise, the role for which we do not ha"eauthorization is not copied to the new user master record. When copying or assigning areference user, the system checks whether we are authorized to assign its profiles and roles.If we cannot copy the template user completely, !ecause, for example, the reference user doesnot exist in the current system, the system displays a log with the exact causes of the error.Procedure

5. #hoose Tools→ Administration → *ser Eaintenance→ *ser &transaction (*45.<. (pecify the user to !e copied.>. #hoose #opy .The system displays the #opy *ser dialog !ox.

G. +nter the names of the reference and new users.H. (elect the desired "alues and lea"e the dialog !ox !y choosing #opy & .

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/6711c5439b11d1896f0000e8322d00/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/cd/16b0d4100711d295750000e82de14a/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/6711df439b11d1896f0000e8322d00/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/67/232037ebf1cc09e10000009b38f889/frameset.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/c8/13b237b9a9a968e10000009b38f8cf/frameset.htm






The system displays the Eaintain *ser screen. We can edit the user more here.6. To actually create the user, sa"e our entries.

Note:

When we are copying a user, the reference user of the copy source is always copied too, as

long as we ha"e sufficient authorizations to assign the roles or profiles of the reference user.If we do not want the reference user to !e assigned to the new user, we must manually deleteit from the user master record after the copy process.+rrors that occur during the authorization checks are collected and displayed in a log. If an error occurred during the authorization check, this is displayed in a log. ?or information a!out authorization checks for the assignment of reference users, see(AP 7ote H5>6;G.0usiness Address Ser)ices 10C2SR32A$R4 Purpose

Business Address (er"ices &BA( offer functions for managing addresses in applications.We can store and further process addresses, using different address types. An address issu!ordinate to an associated application o!'ect &such as a customer, a purchase order, or a

plant.,mplementation Considerations

The BA( pro"ide flexi!le dialog integration for standard functions such as creating,changing, displaying and finding addresses. In this way, the BA( guide users throughdifferent applications when they maintain addresses.BA( function modules ena!le the application to store addresses for the associated applicationo!'ect in BA( ta!les. These ta!les contain the addresses of all applications that use the BA(in a system. ?unctions and data storage in address management are central with regard to aclient in a system.,ntegration

The BA( are already used !y a !road range of applications, including, for example$• #ustomer and "endor master • (ite master &etail• Bank addresses• (ales and 1istri!ution documents$ 1ocument addresses and oneCtime customer

addresses• *ser addresses• (AP office addresses &external communication• #ustomizing addresses &(E>4• EE Purchasing$ Permanent deli"ery addresses, manual deli"ery addresses in

purchase orders, purchase re9uisitions, oneCtime "endors• PE=(E &functional locations, e9uipment, notification, order• I(C* &connection o!'ects, contracts• I(C/il &ser"ice stations• (AP Business Partners• 7ew 1imension products such as (?A, BW, AP/, #EIn addition, the BA( pro"ide functions to support other tools and interfaces$• Integration into (AP connect• Pro"ision of archi"ing classes for the Archi"e 1e"elopment Jit &A1J• (upport of addresses as o!'ects in the B/ • Pro"ision of interfaces for applicationCspecific enhancements• Automatic writing of change documents for address data changes%eatures

5eneral Characteristics



• Together with the address, we can enter data for all common communication methods&for example, telephone num!er, fax num!er, eCmail address, and so on.

• International address re9uirements &print output according to international mailstandards, multiple address formats, for example for Asian countries are considered.

• By means of a whereCused list, we can determine which application o!'ects reference

an address as an attri!ute.• #hecks against city and street directories are performed using interfaces &for example,

for partner solutions or as a function in the standard system &city and street files aredeli"ered without content and can !e filled !y means of transfer programs.

• A duplicate check and an errorCtolerant search are performed using interfaces, whichcan !e "alidated, for thirdCparty "endors.

• ?unctions are pro"ided for using addresses in com!ination with other tools &seeIntegration.

,ntegration into the Application

• Three address types are a"aila!le to map addresses from the application onto BA(data structures$ #ompany addresses, personal addresses, and workplace addresses

It is also possi!le to maintain addressCindependent communication data. ?or moreinformation, see AddressCIndependent #ommunication 1ata.• 1ialogs for maintaining addresses can !e integrated flexi!ly into the application &as a

dialog !ox, su! screen, or full screen. We can parameterize the screens to hide fieldsor to define re9uired fields, for example.

• Address data is updated together with the application data.• Addresses are grouped !y their assignment to an application, which can !e used as a

filter for searches and authorization checks.Address $istri6ution and 'ransport

Address used

or

E7ample 'ransport or distri6ution methods or tools

used 6/ 0AS

Easter data #ustomer,"endor

1istri!ution using A3+ &Application 3ink+na!ling

#ustomizingo!'ects

Plant, salesorganization

Eethods for transporting addresses within thenormal #ustomizing o!'ect transport process

(ystem user (ystem user Eethods for client copy and BAPIs for centraluser management &crossCsystem in this case

Constraints

The functions of Business Address (er"ices are systemCdependent. 0owe"er, we can use thetools and methods mentioned a!o"e to transport and distri!ute addresses.TimeCdependent addresses &which are "alid for a limited period only, such as the "acationaddress of a newspaper su!scri!er are currently not supported.0OR

$einition

The Business /!'ect epository &B/ is the o!'ectCoriented repository in the => (ystem. Itcontains the (AP !usiness o!'ect types and (AP interface types as well as their components,such as methods, attri!utes and e"ents.BAPIs are defined as methods of (AP !usiness o!'ect types &or (AP interface types in theB/. Thus defined, the BAPIs !ecome standard with full sta!ility guarantees as regards their content and interface.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/03/d9673c86d19b35e10000000a11402f/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/03/d9673c86d19b35e10000000a11402f/content.htm



?or general information on creating !usiness o!'ects see the documentation on (APBusiness Workflow.

Use

The B/ has the following functions for (AP !usiness o!'ect types and their BAPIs$• Pro"ides an o!'ect oriented "iew of => (ystem data and processes.=> application functions are accessed using methods &BAPIs of (AP Business

/!'ects. Implementation information is encapsulatedF only the interface functionalityof the method is "isi!le to the user.

• Arranges the "arious interfaces in accordance with the component hierarchy, ena!lingfunctions to !e searched and retrie"ed 9uickly and simply.

This finds the functionality searched for 9uickly and simply.• Eanages BAPIs in release updates.BAPI interface enhancements made !y adding parameters are recorded in the B/. Pre"iousinterface "ersions can thus !e reconstructed at any time. When a BAPI is created the release"ersion of the new BAPI is recorded in the B/. The same applies when any interface

parameter is created.The "ersion control of the function module that a BAPI is !ased on is managed in the?unction Builder.• +nsures interface sta!ility.Any interface changes that are carried out in the B/, are automatically checked for syntaxcompati!ility against the associated de"elopment o!'ects in the ABAP 1ictionary.IntegrationA BAPI is implemented as a function module that is stored and descri!ed in the ?unctionBuilder. We should only define a BAPI as a method of an (AP !usiness o!'ect type in theB/, if the function module that the BAPI is !ased on has !een fully implemented.

Access to the B/ is restricted at (AP.0OR!0AP, -izard

The B/=BAPI Wizard helps us to create new BAPIs in the B/. It takes us through the process step !y step.0AP,s

$einition

A Business Application Programming Interface &BAPI is a precisely defined interface pro"iding access to processes and data in !usiness application systems such as =>.0AP,s o SAP 0usiness O68ect '/pes

BAPIs are defined as API methods of (AP !usiness o!'ect types. These !usiness o!'ect typesand their BAPIs are descri!ed and stored in the Business /!'ect epository &B/. A BAPI

is implemented as a function module, which is stored and descri!ed in the ?unction Builder.0AP,s o SAP ,nterace '/pes

As of elease G.HA BAPIs can also descri!e interfaces, implemented outside the => (ystemthat can !e called in external systems !y => (ystems. These BAPIs are known as 0AP,s

used or out6ound processing. The target system is determined for the BAPI call in thedistri!ution model of Application 3ink +na!ling &A3+.BAPIs used for out!ound processing are defined in the Business /!'ect epository &B/ asAPI methods of (AP Interface Types. ?unctions implemented outside the => (ystem can !estandardized and made a"aila!le as BAPIs. ?or further information see BAPIs *sed ?or/ut!ound Processing.,ntegration

http://help.sap.com/saphelp_46c/helpdata/en/c5/e4a930453d11d189430000e829fbbd/frameset.htm


http://help.sap.com/saphelp_46c/helpdata/en/a5/3ec9734ac011d1894e0000e829fbbd/frameset.htm

http://help.sap.com/saphelp_46c/helpdata/en/a5/3ec8534ac011d1894e0000e829fbbd/content.htm


http://help.sap.com/saphelp_46c/helpdata/en/35/6cdebd157f11d28b3800a0c93036fb/frameset.htm





http://help.sap.com/saphelp_46c/helpdata/en/a5/3ec9734ac011d1894e0000e829fbbd/frameset.htm






BAPIs can !e called within the => (ystem from external application systems and other programs. BAPIs are the communication standard for !usiness applications. BAPI interfacetechnology forms the !asis for the following de"elopments$• #onnecting$• 7ew => components, for example, Ad"anced Planner and /ptimizer &AP/ and

Business Information Warehouse &BW.• 7onC(AP software• 3egacy systems• Isolating components within the => (ystem in the context of Business ?ramework• 1istri!uted => scenarios with asynchronous connections using Application 3ink

+na!ling &A3+• #onnecting => (ystems to the Internet using Internet Application #omponents

&IA#s• P# programs as frontends to the => (ystem, for example, 2isual Basic &Eicrosoft or

2isual Age for Ka"a &IBE.• Workflow applications that extend !eyond system !oundaries• #ustomers and partners own de"elopmentsThe graphic !elow shows how BAPI interfaces ena!le different types of applications to !elinked together. 0AP,s 2 ,nteraces to the R!9 S/stem

?or further !ackground information on BAPIs refer to the document BAPI *ser -uide.AP, $ocumentation

If we are working in the 1e"eloper (tudio, the corresponding Ka"a doc is directly a"aila!leunder the Reerence AP, $ocumentation node from within the Ka"a 1e"elopmentEanual structure./therwise, if we access this documentation using the 0elp Portal without ha"ing installed the

1e"eloper (tudio, we can use selected "ersions of Ka"a doc made a"aila!le in the (AP1e"eloper 7etwork &(17.

http://help.sap.com/saphelp_46c/helpdata/en/7e/5e115e4a1611d1894c0000e829fbbd/frameset.htm





?or more information, see http$==www.sdn.sap.com=ir'=sdn='a"adocsNote:

If we do not ha"e an (17 user, we must register !efore we can log on.

Editing User $eaults and OptionsBoth system administrators and indi"idual users can edit user data. The system administratorcan edit all data &see #reating and +diting *ser Easter ecords. *sers can edit the followinguser data$ Password, #onstants, Addresses and Parameters.The following sections descri!e the user options that e"ery user can set himself or herself.Editing Our O+n User $ata

*sers can edit their own data !y choosing (ystem *ser profile /wn data. #hoose ?5 to display 0elp on the fields. We can display selecta!le input "alueswith the possi!le entry help &?G.Pass+ord

*sers can change their current password using the Password !utton. The password can only !e changed once e"ery day.%i7ed 3alues

*sers can set the following default "alues and can call up information a!out this with ?5$% (tart menuThe user can specify the name of an area menu from the possi!le entries help in this field.The (AP Eenu then only contains the components of this area menu.A user needs the credit management transactions for his or her daily work. If the start menu inhis or her user data is ?E7, the (AP Eenu only displays the credit managementtransactions.The systemCwide initial menu can !e specified in the transaction ((E<.% 3ogon languageThe default system language at logon. *sers can howe"er choose another language on thelogon screen% /utput de"ice% (pool control% Personal time zone &different from the company time zone on the Address ta! page,crucial with ?#% 1ate format% The format for decimals% #ATT test status

AddressThe user address data fields are selfCexplanatory. /nly the system administrator can editcompany addresses.A time zone is assigned to each company address. *serCspecific time zones can o"erlapcompany time zones &see 1efaults a!o"e.Parameters

*ser parameters supply defaults to (AP fields. If a field is indicated, the systemautomatically fills in the default "alue. 1epending on the field definition, the entry can also

!e replaced with a "alue entered !y the user.The two input fields on the parameter editing screen are descri!ed !riefly !elow. ?or moreinformation, choose ?5.

% Parameter$ +nter the parameter I1 for which we want to define a default "alue. We candisplay all of the parameter I1s defined in the system !y choosing ?G.

http://www.sdn.sap.com/irj/sdn/javadocs

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/67116a439b11d1896f0000e8322d00/content.htm

http://www.sdn.sap.com/irj/sdn/javadocs




% 2alue$ +nter the default "alue for the parameter.'ransaction 3ariants and Screen 3ariants

Whene"er we use a transaction in the (AP system to process specific !usiness transactions, itoften makes sense to ad'ust processing flow to mirror these !usiness acti"ities. This can !edone !y hiding all information not pertinent to the !usiness. Eore important information

should !e placed in a !etter position.#reating a transaction "ariant alters the layout of the screen. Business processes deli"ered !y(AP retain their integrity in any case.Transaction "ariants are actually made up of a series of screen "ariants. The field "alues andsettings for each screen in the transaction "ariant are stored in a screen "ariant.We can create as many "ariants of a specific transaction as we like. These "ariants are started

!y entering a transaction code that we ha"e selected. We system administrator can assign ourtransaction codes to user menus. This allows the users in the departments that use ourtransaction to call the transaction directly. ?or more information, refer to the section entitled

#reating oles.The functions of the transactions "ariants are supplemented !y the integration of the tool-uiLT. Transactions can !e enhanced using graphics, texts, and 0TE3 pages. (creen fieldscan also !e mo"ed around on the screen, and important new menu functions can !e added tothe user interface or application tool!ar in the form of push!uttons.Eore information$Transaction 2ariants2ariant Transactions, (etting Transaction 2ariants#reating and Eaintaining 2ariant -roups(creen 2ariantsTa!le #ontrol 3ayout in 2ariantsTransaction 2ariants and (creen 2ariants$ 3imitations

Transaction 2ariants and (creen 2ariants$ (pecial ?eatures-uiLTEore information a!out the ta! pages for user administration$&ogon $ata 'a6 Page

When we create a user, it is only mandatory to fill out the Initial Password field on the 3ogon1ata ta! page. All other entries on this screen are optional. The fields are descri!ed in detail

!elow.Alias

We can assign an alias of up to G4 characters to a user to specify more memora!le names.1epending on the programming of the application, the user can then log on using either the&5< character user name or the alias.

If an external user sets up a user account for himself or herself in the Internet, he or sheautomatically uses an alias instead of a user name to do this. The (AP system then creates anew user master record with this alias and an automatically generated 5< character user name.The user then reports, for example, password pro!lems using his or her alias instead of thetechnical user name, which is unknown to the user. The system administration determines thecorrect user master record in the (AP system using the alias.,nitial Pass+ord

We ha"e the following options when assigning initial passwords$% +nter the password manually and repeat it in the epeat Password field to a"oid

typographical errors.% To generate the password, choose -enerate & .

% To deacti"ate the password, choose 1eacti"ate & .

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7d/f63a0d015111d396480000e82de14a/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/6714b6439b11d1896f0000e8322d00/frameset.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7d/f63a22015111d396480000e82de14a/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7d/f639f8015111d396480000e82de14a/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7d/f63a0a015111d396480000e82de14a/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/46/8ad19434a801dce10000000a1553f7/content.htm



http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7d/f63a1c015111d396480000e82de14a/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7d/f63a1f015111d396480000e82de14a/content.htm



http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/6714b6439b11d1896f0000e8322d00/frameset.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7d/f639f8015111d396480000e82de14a/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7d/f63a0a015111d396480000e82de14a/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/46/8ad19434a801dce10000000a1553f7/content.htm



http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7d/f63a1c015111d396480000e82de14a/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7d/f63a1f015111d396480000e82de14a/content.htm




This means that the user can no longer log on using a password, !ut only with (ingle (ignC/n"ariants &L.H4; certificate, logon ticket. This is useful if we do not re9uire passwordC!asedlogon !ecause logon is performed exclusi"ely in other ways &such as using logon tickets, see(AP 7ote 5::M;H. In this case, deacti"ating the password increases security, as passwordsthat are not used are usually still initial.

Although the deacti"ation of passwords cannot !e made retrospecti"ely &looking !ackward,the administrator can define a new initial password at any time.The deacti"ation of the password on the 3ogon 1ata ta! page refers to the local system. If#entral *ser Administration is in use, we can change or deacti"ate passwords systemCspecifically in user maintenance.Eore Information$% Password ules % 3ogin Parameters for password rules% *ser Eaintenance ?unctions, #hange Password section.Although the Password (tatus is always displayed when creating a user, it only shows thestatus for users that ha"e !een created &see also Password (tatus.Pass+ord RulesThe following ta!le descri!es the specifications that are to !e followed for passwords. It alsoshows whether these guidelines are predefined in the system or whether we can change themusing profile parameters.

ule 7otesThe password must !e at least >characters long

We can change this with profile parameterlogin=min)password)lng.

The password cannot !e morethan G4 characters long *ntil

(AP 7etWea"er 6.G4 &inclusi"eF passwords could not !e morethan M characters long.

Predefined in (AP system

*ntil (AP 7etWea"er 6.G4&inclusi"e, all characters of thesyntactic character set can !eused, that is, all letters and digits,and some special characters. Thesystem does not differentiate

!etween upperC and lowerCcase.After (AP 7etWea"er 6.G4, any

*nicode characters can !e used,and the system does differentiate !etween upperC and lowerCcase.As of (AP We! A( 6.54, theadministrator can define howmany digits, letters, and specialcharacters must !e contained innew passwords &see profile

parameter.

We can change this with profile parameterslogin=min)password)letters,login=min)password)digits, andlogin=min)password)specials.(ee also$ login=password)charset.

The first character may not !e anexclamation point &N or a9uestion mark &O.


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/d2/141fb593c742b5aad8f272dd487b74/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/e1/120024e74011d2962b0000e82de14a/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/47/09989fc6864ed7e10000000a11466f/content.htm










The first three characters may notappear in the same order in theuser I1This rule applies only in systemsup to (AP => G.61.


The first three characters cannotall !e the same.


7one of the first three characterscan !e a spaceThis rule applies only in systemsup to (AP => G.61.


The password may not !e in a listof impermissi!le passwords&ta!le *(G4 The list containscharacter com!inations or terms,where the asterisk &8 and9uestion mark &O can !e used as

placeholders. Asterisk &8 standsfor a character se9uence, and the9uestion mark &O for a singlecharacter.The administrator recei"es only awarning, if he or she !reaks this

password rule when assigning passwords in user maintenance.

#an !e changed. The default "alue is that all passwords, except PA(( and (AP8 are allowed.

The password cannot !e PA(( or

(AP8.


The password may not !echanged to any of a users last x

passwords, if the user changesthe password himself or herself.*ntil (AP 7etWea"er 6.G4&inclusi"e, the password historywas fixed to the "alue H.After (AP 7etWea"er 6.G4, theadministrator can set the size ofthe password history &up to 544

passwords selected !y the user.The administrator can reset ausers password to any initial

password, therefore also to one of the last x passwords for this user.This is necessary, since theadministrator should not knowthe passwords of the users. Theuser is prompted to change theinitial password at the firstinteracti"e logon.

We can change this with the profile parameterlogin=password)history)size.



The password can only !echanged after the old passwordhas !een entered correctly.*p to (AP We! A( 6.54, the user can only change the password

during the logon procedure. As of (AP We! A( 6.<4, the user canalso change the password !ychoosing (ystem → *ser Profile→ /wn 1ata &transaction (*>


*sers can only change their passwords again after a wait period.*ntil (AP 7etWea"er 6.G4

&inclusi"e, the wait period wasone day. A password changed !ya user could only !e changedagain !y that user on the nextday.The system can now re'ect all

password changes during the wait period &unit$ days. If theadministrator changes the users

password, the user must changethis initial password the next time

he or she logs on, regardless ofwhen he or she last changed hisor her password.(ystem administrators can stillchange passwords as often asnecessary.

We can change this with the profile parameterlogin=password)change)waittime.

The password must contain atleast x lowerCcase letters.*ntil (AP 7etWea"er 6.G4&inclusi"e, the system did notdifferentiate !etween upperC and

lowerCcase.

We can change this with profile parameterlogin=min)password)lowercase.

The password must contain atleast x upperCcase letters.*ntil (AP 7etWea"er 6.G4&inclusi"e, the system did notdifferentiate !etween upperC andlowerCcase.

We can change this with profile parameterlogin=min)password)uppercase.



At least one character in the new password must !e different fromthe old password.As of (AP We! A( 6.54, theadministrator can specify the

minimum num!er of charactersthat must !e different in the oldand new passwords in a profile

parameter.

We can change this with profile parameterlogin=min)password)diff.

The password must comply withthe current password rules andmust !e changed if it does not.*ntil (AP 7etWea"er 6.G4&inclusi"e, changed passwordrules did not apply to old

password, !ut were onlye"aluated when passwords werechanged.

We can acti"ate this with the profile parameterlogin=password)compliance)to)current)policy.

A producti"e password &chosen !y the user is "alid for amaximum of x days, if it is notused.A"aila!le after (AP 7etWea"er6.G4.

We can change this with the profile parameterlogin=password)max)idle)producti"e.

An initial password &set !y theuser administrator is "alid for a

maximum of x days, if it is notused. After this period hasexpired, the password can nolonger !e used for authentication.The user administrator canreacti"ate passwordC!ased logon

!y assigning a new initial password.A"aila!le after (AP 7etWea"er6.G4.

We can change this with the profile parameterlogin=password)max)idle)initial.

As of (AP We! A( 6.54, the function module PA((W/1)?/EA3)#0+#J can

determine whether a string meets the current password rules. The following rules are note"aluated here$% Password may not !e changed to any of a users last fi"e passwords% The password can only !e changed after the old password has !een entered correctly.% A user can change his or her password only once a day.% At least x characters in the new password must !e different from the old password.?or an exact description of the se9uence and the scope of the check, see the documentationfor the function module. We can display this documentation with transaction (+>:.Proile Parameters or &ogon and Pass+ord 1&ogin Parameters4

The following ta!le presents the profile parameters with which we can set password andlogon rules. These profile parameters define the minimum re9uirements for passwords, forexample, that the password must contain at least three special characters. We cannot set upper limits for password rules. ?or example, in accordance with the usual password rules, the users



can enter any num!er of special characters. ?or information a!out the procedure for changing profile parameters, see #hanging and (witching Profile Parameters.To make the parameters glo!ally effecti"e in an (AP system &system profile parameters, setthem in the default system profile 1+?A*3T.P?3. 0owe"er, to make them instanceCspecific,we must set them in the profiles of each application ser"er in our (AP system.

To display the documentation for one of the parameters, choose Tools ##E( #onfiguration Profile Eaintenance &transaction 54, specify the parameter name, andchoose 1isplay. /n the following screen, choose the 1ocumentation push!utton.

Pass+ord Rules

Parameter +xplanationlogin=min)password)lng 1efines the minimum length of the

password.1efault "alue$ 6F permissi!le "alues$ > QG4*ntil (AP 7etWea"er 6.G4 &inclusi"e,up to M characters.

login=min)password)digits 1efines the minimum num!er of digits&4C; in passwords.1efault "alue$ 4F permissi!le "alues$ 4 QG4A"aila!le as of (AP We! A( 6.54 &*ntil(AP 7etWea"er 6.G4 &inclusi"e, up to Mcharacters.

login=min)password)letters 1efines the minimum num!er of letters

&AC in passwords.1efault "alue$ 4F permissi!le "alues$ 4 QG4A"aila!le as of (AP We! A( 6.54 &*ntil(AP 7etWea"er 6.G4 &inclusi"e, up to Mcharacters.

login=min)password)lowercase (pecifies how many characters in lowerCcase letters a password must contain.Permissi!le "alues$ 4 Q G4F default "alue4A"aila!le after (AP 7etWea"er 6.G4

login=min)password)uppercase (pecifies how many characters in upperCcase letters a password must contain.Permissi!le "alues$ 4 Q G4F default "alue4A"aila!le after (AP 7etWea"er 6.G4

login=min)password)specials 1efines the minimum num!er of specialcharacters in the password Permissi!lespecial characters are, in particular, N@RSU=&VO8XYZC).,F$[\]^_`b and spaceand the gra"e accent.After (AP 7etWea"er 6.G4, allcharacters that are not letters or digitsare regarded as special characters.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/c4/3a6247505211d189550000e829fbbd/frameset.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/c4/3a6247505211d189550000e829fbbd/frameset.htm



1efault "alue$ 4F permissi!le "alues$ 4 QG4A"aila!le as of (AP We! A( 6.54 &*ntil(AP 7etWea"er 6.G4 &inclusi"e, up to Mcharacters.

login=password)charset This parameter defines the characters ofwhich a password can consist.Permissi!le "alues$% &restricti"e$ The password canonly consist of digits, letters, and thefollowing &A(#II specialcharacters$ N@R SU=&VO8XYZC).,F$[\]^_` and space and the gra"eaccent.% 5 &!ackward compati!le, default"alue$ The password can consist of anycharacters including national specialcharacters &such as , , from I(/3atinC5, MMH;C5. 0owe"er, allcharacters that are not contained in theset a!o"e &for "alue V 4 are mapped tothe same special character, and thesystem therefore does not differentiate

!etween them.% < &not !ackward compati!le$ The

password can consist of any characters.

It is con"erted internally into the*nicode format *T?CM. If our systemdoes not support *nicode, we may not

!e a!le to enter all characters on thelogon screen. This restriction is limited

!y the code page specified !y the systemlanguage.-arning:

With login=password)charset V <, passwords are stored in a format thatsystems with older kernels cannot

interpret. We must therefore only set the profile parameter to the "alue < after weha"e ensured that all systems in"ol"edsupport the new password coding.A"aila!le in the standard system as of(AP We! A( 6.G4.

Pass+ord &ogon

login=password)compliance)to)current)policy Permissi!le "alues$ 4 Q no checkF 5 Q thesystem checks during password logonwhether the current password complies

with the current password rules andforces a password change if this is not



the case.1efault "alue$ 4A"aila!le after (AP 7etWea"er 6.G4

login=disa!le)password)logon #ontrols the deacti"ation of passwordC !ased logon

This means that the user can no longerlog on using a password, !ut only with(ingle (ignC/n "ariants &L.H4;certificate, logon ticket. Eoreinformation$ 3ogon 1ata Ta! PageA"aila!le as of (AP We! A( 6.54, as of(AP Basis G.6 !y (upport Package

login=password)logon)usergroup #ontrols the deacti"ation of passwordC !ased logon for user groupsA"aila!le as of (AP We! A( 6.54, as of(AP Basis G.6 !y (upport Package

login=password)max)idle)producti"e (pecifies the maximum period for whicha producti"e password &a passwordchosen !y the user remains "alid if it isnot used. After this period has expired,the password can no longer !e used forauthentication. The user administratorcan reacti"ate passwordC!ased logon !yassigning a new initial password.Permissi!le "alues$ 4 Q <G,444 &unit$daysF 1efault "alue 4, that is, the check

is deacti"atedA"aila!le after (AP 7etWea"er 6.G4login=password)max)idle)initial (pecifies the maximum period for which

an initial password &a password chosen !y the administrator remains "alid if itis not used. After this period has expired,the password can no longer !e used forauthentication. The user administratorcan reacti"ate passwordC!ased logon !yassigning a new initial password.This parameter replaces the profile

parameterslogin=password)max)new)"alid andlogin=password)max)reset)"alid.Permissi!le "alues$ 4 Q <G,444 &unit$daysF 1efault "alue 4, that is, the checkis deacti"atedA"aila!le after (AP 7etWea"er 6.G4

login=password)max)new)"alid 1efines the "alidity period of passwordsfor newly created users./nly a"aila!le in (AP We! Application(er"er 6.<4 and 6.G4.

login=password)max)reset)"alid 1efines the "alidity period of reset passwords.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/67119e439b11d1896f0000e8322d00/content.htm





/nly a"aila!le in (AP We! Application(er"er 6.<4 and 6.G4.

Pass+ord Changes

login=min)password)diff 1efines the minimum num!er of

characters that must !e different in thenew password compared to the old

password.1efault "alue$ 5F permissi!le "alues$ 5 QG4A"aila!le as of (AP We! A( 6.54 &*ntil(AP 7etWea"er 6.G4 &inclusi"e, up to Mcharacters.

login=password)expiration)time 1efines the "alidity period of passwordsin days.1efault "alue$ 4F permissi!le "alues$ 4 Q5444

login=password)change)for)((/ If the user logs on with (ingle (ignC/n,checks whether the user must change hisor her password.A"aila!le as of (AP We! A( 6.54, as of(AP Basis G.6 !y (upport Package

login=password)history)size (pecifies the num!er of passwords&chosen !y the user, not theadministrator that the system stores andthat the user cannot use again.

Permissi!le "alues$ 5 Q 544 &unit$num!er of entriesF default "alue HA"aila!le after (AP 7etWea"er 6.G4

login=password)change)waittime (pecifies the num!er of days that a usermust wait !efore changing the passwordagain.Permissi!le "alues$ 5 Q 5,444 &unit$daysF default "alue 5A"aila!le after (AP 7etWea"er 6.G4

Other Pass+ord Proile Parameters

login=password)downwards)compati!ility (pecifies the degree of !ackward compati!ilityto !e achie"ed. The default "alue is 5, wherethe "alues ha"e the following meaning$4-arning:

Withlogin=password)downwards)compati!ility V 4,

passwords are stored in a format that systemswith older kernels cannot interpret. The systemonly generates new &!ackward incompati!le

password hash "alues.5The system also generates !ackward



compati!le password hash "alues internally, !ut does not e"aluate these for passwordC!asedlogons &to its own system. This setting isre9uired if this system is used as the centralsystem of a #entral *ser Administration that

systems that only support !ackward compati!le password hash "alues are also connected to thesystem group.<The system also generates !ackwardcompati!le password hash "alues internally,which it e"aluates if a logon with the new, nonC

!ackward compati!le password failed. In thisway, the system checks whether the logonwould ha"e !een accepted with the !ackwardcompati!le password &truncated after eightcharacters, and con"erted to upperCcase. Thisis recorded in the system log. The logon fails.This setting is to allow the identification of

!ackward incompati!ility pro!lems.>As with <, !ut the logon is regarded assuccessful. This setting is to allow thea"oidance of !ackward incompati!ility

pro!lems.G

As with >, !ut no entry is created in the systemlog.H?ull !ackward compati!ility$ the system onlycreates !ackward compati!le password hash"alues.A"aila!le after (AP 7etWea"er 6.G4

Multiple &ogon

Parameter +xplanationlogin=disa!le)multi)gui)login #ontrols the deacti"ation of multiple dialog

logons

A"aila!le as of (AP Basis G.6login=multi)login)users 3ist of excepted users, that is, the users thatare permitted to log on to the system morethan once.A"aila!le as of (AP Basis G.6

,ncorrect &ogon

Parameter +xplanationlogin=fails)to)session)end 1efines the num!er of unsuccessful logon

attempts !efore the system does not allowany more logon attempts. The parameter isto !e set to a "alue lower than the "alue of

parameter login=fails)to)user)lock.1efault "alue$ >F permissi!le "alues$ 5 C;;



login=fails)to)user)lock 1efines the num!er of unsuccessful logonattempts !efore the system locks the user.1efault "alue$ HF permissi!le "alues$ 5 C;;

login=failed)user)auto)unlock 1efines whether user locks due tounsuccessful logon attempts should !e

automatically remo"ed at midnight.1efault "alue$ 4 &locks due to incorrectlogon attempts remain in force for anunlimited periodF permissi!le "alues$ 4, 5

SSO &ogon 'ic;et

Parameter +xplanationlogin=accept)sso<)ticket Allows or locks the logon using ((/ ticket.

A"aila!le as of (AP Basis G.61, as of (APBasis G.4 !y (upport Package

login=create)sso<)ticket Allows the creation of ((/ tickets.A"aila!le as of (AP Basis G.61

login=ticket)expiration)time 1efines the "alidity period of an ((/ticket.1efault "alue$ MF *nit$ hoursA"aila!le as of (AP Basis G.61

login=ticket)only)!y)https The logon ticket is only transferred using0TTP&(.A"aila!le as of (AP Basis G.61

login=ticket)only)to)host When logging on o"er 0TTP&(, sends theticket onl/ to the ser"er that created theticket.

A"aila!le as of (AP Basis G.61Other &ogin Parameters

Parameter +xplanationlogin=disa!le)cpic efuse in!ound connections of type #PI#login=no)automatic)user)sapstar #ontrols the emergency user (AP8 &(AP

7otes <>M> and 6M4GM1efault "alue$ 5, that is, the emergencyuser must !e explicitly acti"atedPermissi!le "alues$ 4, 5

login=system)client (pecifies the default client. This client isautomatically filled in on the system logonscreen. *sers can type in a different client.

login=update)logon)timestamp (pecifies the exactness of the logontimestamp.A"aila!le as of (AP Basis G.6

Other User Parameters

Parameter +xplanationrdisp=gui)auto)logout 1efines the maximum idle time for a user

in seconds &applies only for (AP -*Iconnections.1efault "alue$ 4 &no restrictionF

permissi!le "alues$ any numerical "alue



User Administration %unctions

As an administrator, we can use the following functions in the user administration tool &Tools→ Administration → *ser Eaintenance → *sers$?unction 1escription

C #reate +nter a user name and choose #reate. ?or moreinformation, see #reating and maintaining user masterrecords.

C #hange +nter an existing user name or an alias and choose #hange.?or more information, see #reating and maintaining usermaster records.

C 1isplay +nter a user name or an alias and choose #hange. ?or moreinformation, see #reating and maintaining user masterrecords.

Q 1elete +nter a user name or an alias and choose 1elete. Q #opy

5. +nter the name of the user to !e copied and choose#opy.The system displays the #opy *ser dialog !ox.

<. In the ?rom field, enter the user to !e copied, and inthe To field, enter the new user. In the #hoose parts group

!ox, we can specify the user data to !e copied using thecheck!oxes. 3ogon data &password, (7# is, of course, notcopied.The user administration function appears, and we can editthe new user as descri!ed under #reating and Eaintaining*ser Easter ecords.

Note:We can also rename user master records &*ser → enameif we simply want to replace one record with an identicalone of a different name.

Q 3ock=*nlock +nter an existing user name and choose 3ock=*nlock togrant or deny a user access to a system. 3ocking orunlocking a user master record takes effect the next time auser attempts to log on. *sers who are logged on at thetime that changes are made are not affected.The system automatically locks users if twel"e successi"eunsuccessful attempts are made to log on. The lock isrecorded in the system log, along with the terminal I1 ofthe machine where the logon attempt took place.We can set the num!er of permissi!le unsuccessful logonattempts in a system profile parameter &see ProfileParameters for 3ogon and Password &3ogin Parameters.This automatic lock is released !y the system at midnight.We can also remo"e the lock manually !efore this time.3ocks that we specifically set our self apply indefinitelyuntil we release them.

C #hange password +nter the user name and choose #hange password.

This new password must fulfill the standard conditionsregarding permissi!le passwords &see Password rules. ?or

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/671191439b11d1896f0000e8322d00/content.htm


























more information, see 3ogon 1ata Ta! Page or the ?5 help.The new password take effect immediately, meaning thatthe user can use the new password immediately after thechange.*sers can change their own passwords no more than once a

day. (ystem administrators, on the other hand, may changeuser passwords as often as necessary.Special %eatures or Central User Administration

1CUA4(

If we change passwords in the central system, a dialogwindow with a list of target system appears. We canacti"ate or deacti"ate the password in this window &see3ogon 1ata Ta! Page.The selections in the dialog window are set so that if we arechanging the password the child system is selected, and ifwe are deacti"ating the password, the central system isselected. We can change this setting.

+dit → Address (elect a component &telephone num!er, fax num!er, and soon and make changes as needed.

Info → Info (ystem With this function, the system displays the *serInformation (ystem &transaction (*IE.

+n"ironment→ Easschanges

We can also perform most changes which can !e made forone user in the user management for a selected set of users.?or more information, see Eass changes.

+n"ironment → Archi"eand read

$ispla/ing Change $ocuments

To call a list of changes to user master records,

authorization profiles and authorizations, chooseInformation Information system and then #hangedocuments. The system logs the following changes$% 1irect authorization changes for a user &that is,changes to the profile list in the user master record.Indirect changes are changes to profiles and authorizationscontained in the user master record. These changes cannot

!e seen in the display. We can, howe"er, see them in thechange documents for profiles and authorizations.% #hanges to user passwords, user type, user group,"alidity period and account num!er

?or each change made, the log shows the deleted "alue inthe 1eleted entries line. The changed or new "alue isdisplayed in the Added entries line.Archi)ing change documents

*ser master records and authorizations are stored in the*(8 ta!les. We can reduce the amount of space that thesetake up in the data!ase !y using the archi"ing function.#hange documents are stored in the *(08 ta!les. Thearchi"ing function deletes change documents that are nolonger re9uired from the *(8 ta!les.We can archi"e the following change documents relating to

user master records and authorizations from the *(08ta!les$




http://help.sap.com/saphelp_nw70ehp1/helpdata/en/2e/6d9704db7811d2961c0000e82de14a/content.htm



http://help.sap.com/saphelp_nw70ehp1/helpdata/en/2e/6d9704db7811d2961c0000e82de14a/content.htm



% #hanges to authorizations &archi"ing o!'ect*()A*T0% #hanges to authorization profiles &archi"ing o!'ect*()P/?% #hanges to the authorizations assigned to a user

&archi"ing o!'ect *()*(+% #hanges to a users password or to defaults stored inthe user master record &archi"ing o!'ect *()PA((The functions for administering users and authorizations

pro"ide access to the archi"ing system. In the useradministration function, choose +n"ironment Archi"eand read. In profile and authorization administration,choose *tilities → Archi"e and read. We then ha"e twooptions, either Archi"e auth. docs or ead auth. docs.These options refer to whether we want to archi"e or readchange documents pertaining to users, profiles orauthorizations.?or more detailed information a!out the archi"ing system,see the Archi"ing *ser and Authorization #hanges sectionin 1ata Archi"ing in the (AP We! A(.

+n"ironment→ EaintainProfiles

With this function, we go to the o!solete, manual profileadministration &transaction (*4<. Instead of this, use thenew role administration tool &transaction P?#-.

+n"ironment→ EaintainAuthorization

With this function, we go to the o!solete authorizationadministration &transaction (*4>. Instead of this, use thenew role administration tool &transaction P?#-.

+n"ironment→ *sergroups *sers can !e assigned to one or more user groups. ?ormore information, see *ser groups.+n"ironment→ /rganizational Assignment

We can assign a position to the user in accordance with hisor her place in the organizational management here.

+n"ironment→ Eaintain#ompany Address

With this function, we go to the company addressadministration &transaction (*#/EP. We can assign thecompany address in user administration using the rele"ant

push!uttons.+n"ironment→ 1istri!ution 3og

The log display for central user administration appears, inwhich we can display distri!ution logs &transaction (#*3.

Mass Changes

With the Eass #hanges function &transaction (*54, we can perform most of the changesthat we can make for indi"idual users in user maintenance for user groupsF that are certainsets of users. This applies for 3ogon data, 1efaults, Parameters, oles, and Profiles.The mass change functions apply to all of the users displayed in the initial screen unless wemake a selection.-arning:

We must choose #hange in the Address, 3ogon data and #onstants ta! pages for each change.In this way, we can ensure that our changes, such as the deletion of a fields contents areaccepted for the corresponding fields.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/8d/3e4bb1462a11d189000000e8323d3a/frameset.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/6d/96a5c4ddd711d296200000e82de14a/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/8d/3e4bb1462a11d189000000e8323d3a/frameset.htm




Eass Eaintenance ?unctions%unction Comment

(elect users *sed to select a set of users that ha"e a particular characteristicwith the *ser Information (ystem. We can then process this set ofusers with the other mass maintenance functions.

5. #hoose Address or Authorization data. <. (pecify a selection criterion. >. (elect some or all users in the result list and choose #opy.

We ha"e transferred a su!set of the users that exist in the system tomass maintenance and can now process these with the other massmaintenance functions.

#reate users 5. +nter the names of the users to !e created in the *ser

column. <. #hoose #reate .

Eaintain the user data as in the user maintenance &(*45. ?ormore information, see #reating and Eaintaining *sers.Note:

We cannot assign indi"idual passwords !ecause we create se"eralusers at the same time. They are generated automatically anddisplayed in the mass changes log.

#hanging users 5. #hoose #hange . <. #hange the user data. We can decide whether parameters,

roles, profiles and groups are added to or remo"ed from the user

master records.1elete users #hoose 1elete .3ock=unlock users #hoose 3ock & or *nlock & .

Note:

The users are only locked or unlocked if it is allowed in the currentsystem. If the system is in the #entral *ser Administration, onlythe central system may !e a!le to lock and unlock. (ee (etup fielddistri!ution parameters.

The functions of the Info and +n"ironment menus correspond to those of user maintenance&see *ser Eaintenance ?unctions.

Mass changes logAfter e"ery mass change, the system shows who made which changes in which system atwhat time.The log contains se"eral message le"els which we can expand with a push!utton. If amessage has a long text, we can display it with a push!utton next to the message.We can make certain settings for the log display under (ettings and the #olor legend explainsthe colors used in the display.We can print the log or sa"e it in a P# file.Special %eatures or Central User Administration 1CUA4(

If we use the #entral *ser Administration, i.e. we make the mass changes from the centralsystem, profiles and roles are displayed systemCdependently. ?or more information, see

1istri!uting users.User Administration +ith Acti)e Central User Administration


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/6a/b1b13bb3acd607e10000000a11402f/content.htm












With acti"e #entral *ser Administration, we still use transaction (*45 to edit usersF howe"er user administration is somewhat different$% Whether fields are ready for input or not depends on the distri!ution attri!utes that weassigned to the field in transaction (#*E. ?or more information a!out this, see (etting1istri!ution Parameters for ?ields.

/nly the fields that may !e maintained in the system are ready for input.We can only change a field that is to !e maintained glo!ally in the central system. This fielddoes not accept input in the child systems.% In the central system, the user administration transaction also displays the ta! page(ystems. 0ere we enter the systems to which users are to !e distri!uted. To display thesystems for the corresponding distri!ution model, use the possi!le entries help. +ach time wesa"e, the system distri!utes the user data to these listed systems.% The oles and Profiles ta! pages each contain an additional column for each entry,specifying the system for which the user is assigned the role and=or profile.With the Text comparison from child sys. Push!utton on the oles and Profiles ta! pages, wecan update the texts for roles=profiles that we ha"e changed, for example, in the childsystems. The texts in the child systems are stored temporarily so that they are a"aila!le in thecentral system. As the comparison re9uires some time, it is performed asynchronously andthe current texts may not !e a"aila!le immediately.We can only assign profiles to users for the systems in which they are distri!uted. If we entera new system when we assign profiles to users, the system displays a warning that the userwas assigned a new system. The entry is automatically transferred into the ta! page (ystems.After this, the user master record is also distri!uted in the new system.1uring text comparisons from child systems, the names of the generated profiles for the roleare not copied to the central system, that is, only assigned profiles are displayed on theProfiles ta! page &such as (AP)A33 or (AP)7+W, !ut no generated profiles of the roles.All user master records are created in the user master records. *sers can then only log ontothe central system if the central system itself is entered in (ystems ta! page of thecorresponding user master record.Note:

We can display the glo!al user data from a child system in the *ser Information (ystem.%urther ,normation

As well as the authorizations already mentioned, we also need another authorization in thecentral system for o!'ect ()*(+)(D(. We can only assign new systems to a new user withthis authorization.When a user is deleted in the central system, the system entry for the user is retained until thedeletion is confirmed. If an error occurs, we can repeat the deletion !y canceling the system

&in the child system.In the child systems, the ?# user is output as the last person to make changes. #hoose anappropriate name when we set up the ?# user.Pass+ord Status

The 3ogon 1ata ta! page and the dialog !ox for changing the password on the initial screenof user administration transaction (*45 always display the status of the password.The meaning of these displays depends on whether the system is a #*A central system withglo!al initial password assignment or a standalone system &or a #*A central system with ane9ui"alent setting in the #*A distri!ution parameters, such as initial password V proposal.% (tandalone (ystemThe password status corresponds to the status in the data!ase.

% #*A #entral (ystem











The password status corresponds to the initial password to !e newly assigned !efore sa"ing,since it is not possi!le to determine and display the indi"idual password statuses from thechild systems.1epending on the type of password change, the password status is changed to Passworddeacti"ated or Initial password &set !y administrator.

Possi6le Pass+ord Statuses% Initial password &set !y administratorThe user administrator &and not the user himself or herself assigned this password. The useris prompted to change the password at his or her next logon, to ensure that only he or sheknows the password.% Producti"e passwordThe password was set !y the user.% Password deacti"atedThe password has !een deacti"ated, that is, the user can no longer log on to the system with a

password.Special %eatures o Pass+ord Status or Special User '/pes

The password for the user types ser"ice and system can only ha"e the status producti"e password or password deacti"ated. When creating a reference user, it is no longer necessaryto specify a password. (ince it is not possi!le to log on at all with a reference user, the

password is automatically deacti"ated for a reference user. This also applies when copyingand renaming a user of type eference.In addition to the user type eference user, the system displays the message 3ogon not

possi!le. If we change any user type to a reference user, the pre"ious password and passwordstatus &relating to the pre"ious user type and always retained.Additional ,normation on the &ogon $ata 'a6 Page

If a users password has not !een deacti"ated, the 3ogon 1ata ta! page displays the followinginformation in the first line under password, in the specified order$% If profile parameter login=disa!le)password)logon is acti"ated$ Password logon not

possi!le &deacti"ated systemCwide% If the user has !een locked due to incorrect logon attempts$ Password logon not possi!le&too many incorrect logon attempts% If profile parameter login=password)max)idle)initial is acti"ated$ Password logon not

possi!le &initial password has expired% If profile parameter login=password)max)idle)producti"e is acti"ated$ Password logonnot possi!le &producti"e password has expiredUser 5roup

To assign the user to a user group, enter the group. This is necessary if we want to distri!ute

user maintenance among se"eral user administrators. /nly the administrator that hasauthorization for a group can edit users of the group. If we lea"e the field empty, the user isnot assigned to any group &see Assigning *ser -roups. This means that the user can !emaintained !y any user administrator.User '/pe

We can specify the following user types$% 1ialog &A Indi"idual system access &personalized It is possi!le to log on using (AP -*I. The user is therefore capa!le of interactionthrough (AP -*I. The system checks whether the password has expired or is initial.

The user can change his or her password himself or herself. Eultiple dialog logons are checked and, where appropriate, logged.





Purpose$ for indi"idual human users &including Internet users% (ystem &B (ystemCrelated and internal system processes. It is not possi!le to log on using (AP -*I. The user is therefore incapa!le ofinteraction through (AP -*I.

The password change re9uirement does not apply to the passwords, that is, they cannot !e initial or expired. /nly a user administrator can change the password. Eultiple logons are permissi!le. Purpose$ !ackground processing and communication within a system &internal ?#calls and !etween multiple systems &external ?# calls. Purpose$ for example, ?# usersfor A3+, workflow, TE(, #*A.% #ommunications &# Indi"idual system access &personalized It is not possi!le to log on using (AP -*I. The user is therefore incapa!le ofinteraction through (AP -*I. Although the system checks whether the password has expired or is initial, theimplementation of the re9uirement to change the password, which exists in principle, dependson the logon method &interacti"e or nonCinteracti"e. The user can change his or her password himself or herself. Purpose$ external ?# calls of indi"idual human users.% (er"ice &( (hared system access for a larger, anonymous group of users. Assign only "eryrestricted authorizations for this user type. It is possi!le to log on using (AP -*I. The user is therefore capa!le of interactionthrough (AP -*I. 1uring a log on, the system does not check whether the password has expired or isinitial. /nly a user administrator can change the password. Eultiple logons are permissi!le. Purpose$ Anonymous system access &such as for pu!lic We! ser"ices. After anindi"idual authentication, an anonymous session !egun with a ser"ice user can !e continuedas a personCrelated session with a dialog user.% eference &3 It is not possi!le to log on to the system. *ser type for general, nonCperson related users that allow the assignment of additionalidentical authorizations, such as for Internet users created with transactions (*45.

To assign a reference user to a dialog user, specify it when maintaining the dialog user on theoles ta! page. In general, the application controls the assignment of reference users. Thisassignment is "alid for all systems in a #entral *ser Administration &#*A landscape. If theassigned reference user does not exist in a #*A child system, the assignment is ignored.We should !e "ery cautious when creating reference users. If we do not implement the reference user concept, we can deacti"ate this field inaccordance with (AP 7ote >>446:. We also recommend that we set the "alue for the #ustomizing switch+?)*(+)#0+#J in ta!le P-7)#*(T to @E@. This means that only users of type+?++7#+ can then !e assigned. #hanging the #ustomizing switch affects only newassignments of reference users. +xisting assignments are retained.

We further recommend that we place all reference users in one particularly secure usergroup to protect them from changes to assigned authorizations and deletion.



Note:

Prior to elease G.6#, the (AP (ystem categorized users into two !asic types$ dialog usersand nonCdialog users &also referred to as #PI# users or !ackground users. We recommendusing nonCdialog users for communications !etween systems where the user I1 and passwordare defined in the system &for example, in ?# destinations !etween systems. This ensures

that no one logs on for a dialog session with this user.We recommend assigning the appropriate user type when creating users. ?or example, if theuser does not need dialog access to the (AP system, define it as a system user. If the user isan anonymous, pu!lic user that many different indi"iduals can use, define it as a ser"ice userand keep its authorizations to a minimum.3alid rom((( and 3alid to(((

We define the "alidity period of the user master record with these fields. If we do not want torestrict the "alidity, lea"e the fields empty.Account Num6er

?or each user or user group, assign an account name or num!er of our choice. The userappears in the computing center accounting system &A##/*7TI7- +LIT under thisnum!er.A suita!le account num!er would !e the users cost center or company code, for example.We recommend that we always enter an account name or num!er in the computing centeraccounting system. The user will otherwise !e assigned to a general category without accountnum!er.SNC 'a6 Page

This ta! page is only displayed if we are using (ecure 7etwork #ommunications &(7#. Itcontains the following fields$SNC Name

The (7# name is the user name from (AP 7etWea"er (ingle (ignC/n or the external

security product that we copy from there and either enter in this field or in ta!le *(A#3. Auni9ue that is a canonical (7# 7ame is also generated for storage in the data!ase.Allo+ pass+ord logon or SAP 5U, 1user2speciic4

This indicator only has an effect when secure network communication &(7# has !eenena!led and password logon o"er (AP -*I is allowed for specific users. ?or this condition toapply, we must set the following profile parameters$ snc=ena!le V 5 snc=accept)insecure)gui V *The (7# (tatus indicates the status of these profile parameters.If the profile parameters are set as descri!ed a!o"e, use this indicator to determine whetherthe user is forced to log on with their (7# name or not.

By default, Allow password logon for (AP -*I is not selected, meaning the user can onlylog on with their (7# name, pro"ided a mapping exists !etween the (7# name and the useraccount.When Allow password logon for (AP -*I is selected, the system allows the user to log onwithout their (7# name, using user I1 and password. If the system recei"es an (7# nameand a mapping exists for that user, the user can still log on securely, e"en if logon with

password is allowed.See also:

The (7# user manual in the (AP(er"ice Earketplace&http$==ser"ice.sap.com=security → (ecurity in 1etail → (ecure (ystem Eanagement (AP 7ote 666M:$ *se of 7etwork (ecurity ProductsSecure Net+or; Communications 1SNC4Purpose

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/e6/56f466e99a11d1a5b00000e835363f/frameset.htm



(ecure 7etwork #ommunications &(7# integrates (AP7etWea"er (ingle (ignC/n or anexternal security product with (AP systems. With (7#, we strengthen security !y usingadditional security functions pro"ided !y a security product that are not directly a"aila!lewith (APsystems.Note:

If we are using standard protocols such as 0TTP, then we can use the (ecure (ockets 3ayer&((3 protocol to pro"ide such protection.,mplementation Considerations

There are regulations in "arious countries that restrict the use of encryption in softwareapplications. Pay close attention to the regulations that apply to our area of application.%eatures

(7# secures the data communication paths !etween the "arious (AP system clientand ser"er components of the (AP system that use the (AP protocols ?# or 1IA-. Thereare wellCknown cryptographic algorithms that ha"e !een implemented !y security productssupported and with (7#F we can apply these algorithms to our data for increased protection. With (7#, we recei"e applicationCle"el, endCtoCend security. All communication thattakes place !etween two (7#Cprotected components is secured &for example, !etween the(AP -*I for Windows and the application ser"er.% We can use additional security features that (AP does not directly pro"ide &for example,the use of smart cards. We can change the security product at any time without affecting the (AP !usinessapplications.&e)els o Protection

There are three le"els of security protection we can apply. They are$% Authentication only% Integrity protectionRoles 'a6 Page

We assign authorizations for accessing the (AP (ystem to a user on the oles ta! page.Note:

After an upgrade or release change, we must regenerate and re"ise the role profiles&generated profiles. To do this, choose +n"ironment → Installation=*pgrade &transaction(*<H.'a6le

We can enter any num!er of roles, the "alidity of which we can restrict with the 2alid fromand 2alid to columns. If we choose input help for these columns, the system displays acalendar in which we can select the date.Reerence User or Additional Rights

To assign additional authorizations to a user, we can also assign a reference user to it &see3ogon 1ata Ta! Page.Special %eatures i <ou Are Using Central User Administration 1CUA4(

If we are using #entral *ser Administration with the field distri!ution setting -lo!al for theole field &transaction (#*E, the oles ta! page in the central system has the followingspecial features$ The additional column (ystem that specifies the system in which the role is "alid The additional push!utton Text #omparison, with which we can make the profile androle names of the child systems known to the central systemAssigning Roles

Use

Assign roles to the users in the (AP (ystem so that they recei"e authorizations to executefunctions. We ha"e the following options$





Assign the ole to *sers in ole Eaintenance &Transaction P?#- Assign the ole to *sers *sing the (AP +asy Access Eenu. We are assigning roles to users in user maintenance &transaction (*45 &explained inthe procedure !elow.Note:

#ollecti"e roles are automatically !roken down. The indi"idual roles contained within themare entered.Prerequisite

We ha"e created the roles that we want to assign to the users.Assigning Roles to Users in User Maintenance

5. #hoose Tools → Administration → *ser Eaintenance → *sers &transaction (*45.<. (pecify the user to which we want to assign one or more roles.>. (pecify any num!er of roles on the oles ta! page.G. To assign a role to a user for a limited time, specify a date in the 2alid from or the

2alid to column. We can use the input help calendar to do this.Note:

To assign additional authorizations to a user, we can also assign a reference user foradditional rights to it &see 3ogon 1ata Ta! Page.Special %eatures or an Acti)e Central User Administration 1CUA4

#olumn (ystemThe system also displays the column (ystem on the oles and Profiles ta! page. It specifiesthe system for which we ha"e assigned the role or profile for each entry. eference userThis assignment of a reference user is "alid for all systems in a #*A landscape. If thereference user does not exist in a #*A child system, the assignment is ignored. Text comparison from child sys.

/n the oles and Profiles ta! pages in the central system of the #*A, we can choose Textcomparison from child system, to inform the central system a!out the names of the roles and profiles that exists in the child systems. /nly then can we display and select roles from thechild systems in the central system using the input help. We cannot assign roles from childsystems manually without a text comparison.We can choose the roles o!tained through the Text comparison for external systems. If theseare composite roles, the composite roles in the target system must consist of local singleroles. ?or our own system, we can enter the roles that can !e maintained with rolemaintenance. This can also !e single roles that are tied to the system &single roles with atarget system attri!ute and composite roles containing single roles that are tied to the systemand local single roles.

Proiles 'a6 Page/n the Profiles ta! page, we assign manually created authorization profiles and thereforeauthorizations to a user. The generated profiles of the roles assigned to the user are alsodisplayed here.Authorization Proile 10C2SEC2USR4

User Administration 10C2SEC2USR4

An element of the authorization concept.Authorization profiles gi"e users access to the (AP (ystem. They contain authorizations,which are identified using the name of an authorization o!'ect and the name of anauthorization. If a profile is specified in a user master record, the user is assigned all of theauthorizations defined in this profile.Note:

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/5c/deaa7ad3d411d3970a0000e82de14a/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/23/07d128f31011d296330000e82de14a/content.htm



http://help.sap.com/saphelp_nw70ehp1/helpdata/en/35/26b182afab52b9e10000009b38f974/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/5c/deaa7ad3d411d3970a0000e82de14a/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/23/07d128f31011d296330000e82de14a/content.htm





7e"er enter the generated profiles directly on the Profiles ta! page, as transaction P?*1deletes these assignments if there is no entry for them on the oles ta! page. When we assigna role to a user on the oles ta! page, the profile generated for this role is automaticallyentered on the Profiles ta! page &see Assigning a ole and #omparing Profiles in the *serEaster ecord with oles.

We can assign >44 authorization profiles to a user &see (AP 7ote G54;;>.We can manually maintain profiles !y choosing Tools Administration *ser Eaintenance Eanual Eaintenance +dit Profiles Eanually &see #reating and Eaintaining Authorizations and ProfilesEanuallyF howe"er, we recommend that we use the Profile -enerator instead, and generatethe profiles automatically. We can enter composite profiles &a com!ination of se"eral profilesin the user master records when manually maintaining profiles.The (AP system contains predefined profiles, the most important of which are explained

!elow$ SAP"A&&$ To assign all authorizations that exist in the (AP system to users, assignthe profile (AP)A33.Authorization Proile SAP"A&&

This composite profile contains all (AP authorizations, meaning that a user with this profilecan perform all tasks in the (AP system. We should therefore not assign this authorization

profile to any of our users. We recommend that we create only one user with this profile. Weshould keep the password of this user secret &store it in a safe and only use it in emergencies&see also Protecti"e Eeasures for (AP8.Instead of using the (AP)A33 profile, we should distri!ute the authorizations it contains tothe appropriate positions. ?or example, instead of assigning our system administrator &orsuper user the authorization (AP)A33, assign him or her only those that apply to systemadministration, namely the ()8 authorizations. These authorizations gi"e him or her enoughrights to administer the entire (AP system, without allowing him or her to perform tasks inother areas such as Personnel. SAP"NE-$ #omposite profile to !ridge the differences in releases in the case of newor changed authorization checks for existing functions, so that our users can continue to workas normal. This composite profile contains "ery extensi"e authorizations, as, for example,organizational le"els are assigned with the full authorization asterisk &8.Temporarily assign either the composite profile (AP)7+W, suita!ly ad'usted !eforehand, orthe rele"ant single profile (AP)7+W)`elease contained in the composite profile. Were9uire all single profiles !etween the old release and the new release. ?or example, if we are

upgrading from (AP => G.HB to (AP => G.6#, we re9uire the following (AP)7ew profiles$(AP)7+W)G.6A, (AP)7+W)G.6B and (AP)7+W)G.6#. The simplest way to make theseassignments is to delete all other single profiles from (AP)7+W and to assign (AP)7+W./nce we ha"e incorporated the new authorization checks in our authorization concept, deletethe (AP)7+W profile to a"oid assigning authorizations that are too extensi"e.Authorization Proile SAP"NE-

This composite profile contains a single profile for each release that contains theauthorizations that the users re9uire to !e a!le to continue using the functions that they ha"eused until now, !ut which are protected with new authorization checks. 0owe"er, we shouldnot lea"e this profile acti"e for a long period of time.We recommend that we perform the following steps$

5. After the upgrade, delete the (AP)7+W)8 profiles from the composite profile(AP)7+W for releases !efore the last re"ision of our authorization concept.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/6711ab439b11d1896f0000e8322d00/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/6711ec439b11d1896f0000e8322d00/content.htm







http://help.sap.com/saphelp_nw70ehp1/helpdata/en/78/7a553efd234644e10000000a114084/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/8a/7b553efd234644e10000000a114084/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/6711ab439b11d1896f0000e8322d00/content.htm






http://help.sap.com/saphelp_nw70ehp1/helpdata/en/78/7a553efd234644e10000000a114084/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/8a/7b553efd234644e10000000a114084/content.htm



<. Assign the composite profile (AP)7+W to all users. This means that they cancontinue to use the functions that they ha"e used until now.

>. 1istri!ute the authorizations contained in the (AP)7+W single profiles to the rolesor profiles that we use producti"ely and maintain the authorization "alues.

G. 1elete the profile assignment for (AP)7+W and the (AP)7+W profile.

A long list of (AP)7+W profiles &for example, after multiple upgrades indicates that it istime to re"ise and redefine our authorization concept.Note:

We must add the new authorizations to manually generated profiles SAP"APP$ This profile contains all application authorizations. It is not included inthe standard (AP systemF howe"er we can generate it with the report+-+7+AT+)(AP)APP. We can decide when executing this report whether authorizationsfor the (AP 7etWea"er and 0 areas should !e included.Special %eatures i <ou Are Using Central User Administration 1CUA4(

If we are using #entral *ser Administration with the field distri!ution setting -lo!al for theProfiles field &transaction (#*E, the Profiles ta! page in the central system has thefollowing special features$ The additional column (ystem that specifies the system in which the manuallygenerated profile is "alid The additional push!utton Text #omparison, with which we can make the profile androle names of the child systems known to the central system The profiles generated !y the assignment of roles are no longer displayed &these

profiles are only displayed in the child systems in which they are "alidComparing User Master Records

Use

The user master record comparison consists of three types of comparison$% The profile comparisonWith this, the profiles of timeCdependent role assignments are updated.Note:

We cannot set time limits for authorization profiles and their entry in user master records.% The composite roll areaThis updates the role assignments defined in composite roles, that is, added or deleted.% The organizational management comparisonThis generates the direct role assignments from the indirect role assignments of theorganizational management model.We can also choose the #leanC*ps option to delete in"alid, generated profiles, and in"alidrole assignments.

Procedure5. (tart transaction P?*1.<. (pecify the roles that we want to use for the comparison.>. #hoose one of the following actions$ (chedule or check 'o! for the full comparison0ere we can start report P?#-)TIE+)1+P+71+7#D !y specifying the time when the 'o!is to start. The o"er"iew displays the status of !ackground 'o!s that ha"e already !eenscheduled.If we schedule the report P?#-)TIE+)1+P+71+7#D daily !efore the start of !usiness asa total comparison and it runs errorCfree, the authorization profiles in the user master are upCtoCdate e"ery morning.

If we choose this action, all four processes types are always included, regardless of ourselection under Processing Type. To execute only certain processing types of the comparison



as a !ackground program &for example, with the aim of impro"ing runtime !eha"iorF choosePerform *ser Easter #omparison and the desired processing types. Then choose (a"e, toschedule a "ariant of the program 0A*T*P1)7+W. Performing the *ser Easter #omparisonWith this action, we start the user master comparison in dialog for indi"idual roles. We can

select the re9uired processing types &see G..G. If we ha"e selected Perform *ser Easter #omparison, choose one or more of thefollowing processing types$

Proile Comparison$ (tart the profile comparison immediately after generating orimporting profiles. If we are using timeCdependent role assignments, we recommend that weschedule this daily as a !ackground 'o!. This compares the authorization profiles with theuser master recordsF that is, profiles that are no longer current are deleted from the usermaster records and the current profiles are entered in the user master records. Composite role comparison$ (tart the composite role comparison if we make changesto a composite role definition &that is, if we add or delete single roles to a composite role orimport a change. (ingleCrole assignments are compared with the composite role assignmentsfor the user. If we add single roles to the composite role, the single roles are assigned to thoseusers that are assigned the composite role. #on"ersely, if single role assignments are deletedfor the users, the single role is remo"ed from the composite role. =R comparison$ (tart the 0 comparison, if we make changes to our localorganizational management model that influence the indirect role assignment or transportthese to the system. We can only select this processing type if organizational management isacti"eF that is, if the switch 0)/-)A#TI2+ is set in the ta!le P-7)#*(T to D+(. Clean2Ups$ Perform cleanCups when we generate or import profiles. -enerated profilesthat no longer exist are deleted. egular cleanCups are particularly important if we transportour roles and profiles fre9uently, as this helps to sol"e possi!le inconsistencies 9uickly.We can also select the following options$ $ispla/ error messages$ All error messages are displayed on the screen in dialogmode. Replicate local =R assignments in the central s/stem: We can only select this optionif we are in a child system of a #*A group and if organizational management is acti"e. Thisoption replicates the role assignments that exist in the child system that originate throughrelationships in the local organizational management model, for information in the #*Acentral system. We can display these relationships in the user maintenance &transaction(*45.Result

?ollowing the comparison the system displays a log that includes any errors that occurred

&!ackground processing log for a !ackground 'o!.

5roups 'a6 Page

We assign the user to a user group on this ta! page. This is purely a grouping that is suita!le,for example, for mass maintenance of user data &transaction (*54.Assignments that we make on the -roups ta! page are not used for authorization checks thatare specified on the 3ogon 1ata ta! page using the *ser -roup field.Personalization 'a6 Page

/n the Personalization ta! page, we can make personCrelated settings using personalizationo!'ects. We can call this ta! page !oth in role maintenance and in user maintenance. The

procedure for personalization is the same.Personalizing User or Role

5. As the Personalization ta! page is a"aila!le !oth in user and role maintenance, we ha"ethe following options$

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/07/5430fbdb39fb4d9abb56754e039d0d/content.htm





To perform a personalization for a user, choose Tools→ Administration → *serEaintenance→ *sers &transaction (*45.

To perform a personalization for a role, choose Tools→ Administration → *serEaintenance→ oles &transaction P?-.

<. +nter the role in the ole field and choose #hange.>. To display the application components on the left side of the screen on thePersonalization ta! page, choose By Application #omponents on the Personalization ta!

page. & .G. (elect the components for which we want to maintain personalization data !y dou!le

clicking them.The personalization o!'ects for the component are output on the rightChand side.+xample of the Personalization Ta! Page

To change the "alues of a personalization o!'ect, choose #hange & or select the o!'ect !ydou!le clicking it.A dialog !ox for entering default "alues appears.The opportunity to create personalization o!'ects pro"ides a framework for applicationde"elopment with which userCdependent data can !e easily sa"ed for an application.To use the framework, we must simply create a key, under which the userCdependent data isto !e sa"ed. The data can then !e stored in the application simply !y calling an interfacedirect to a generic data repository. We can specify if changing the data for this key shouldalso !e performed with the user administration. To do this, the application must pro"ide adialog window that can !e called in the user maintenance for the personalization key.In addition to using the generic storage of personalization data, it is possi!le to connect our

own ta!les with userCdependent data to user administration using the framework. ?or moreinformation, see #entral (tore for Personalization 1ata.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ab/e70538389511d5974400a0c930dcc1/content.htm





Central Repositor/ or Personalization $ata

The purpose of a central repository for personalization data is to pro"ide storage for userCspecific and roleCspecific data without ha"ing to create any additional data!ase ta!les. Thisdata should !e taken into consideration whene"er users or roles are changed.

Another aim was to integrate existing userCspecific ta!les in the concept using a gi"eninterface.%eatures

The functionality includes a generic repository for userCspecific and roleCspecific data and for central access to this data !y user and role maintenance. It also permits existing ta!lescontaining userCspecific data to !e linked to the central access using a fixed interface.A key must !e assigned for personalization data to !e stored in the central repository. Thiscan !e done with registration transaction P+(+-.5eneric Repositor/ or Personalization $ata

The generic repository is used to store the personalization data. It can !e accessed with theclass methods of class #3)P+()A1EI7.5eneric Repositor/The data can !e stored either as simple "alues, structures or internal ta!les. As fields,structures can only contain elementary data. Internal ta!les can contain structures orelementary data as rows.Note:

The internal ta!les must !e defined as ta!le types. Ta!les with a header line &for example$ likeT(T# occurs 4 with header line cannot !e used.The data types used need not !e stored in the 1ictionary.Selecti)e Access

If an internal ta!le was selected as the data type for the personalization data, we can read only parts of the ta!le when we access the data. (election conditions can also !e defined for anyfields of the internal ta!le. The conditions are passed in the form of field nameCfield "aluecom!inations when we read the data.(imilarly, we can update only parts of the stored internal ta!le. In this case the fields to !eused as keys for the modification must !e defined when the data is written.'/pe Chec;

The type check when reading or writing is not "ery strict. If the type with which the data waswritten in the repository is not the same as the type with which the data is read, there is onlyan error if the indi"idual fields do not ha"e the same length. If other changes are made to thetype, e.g. if the name of the field changes, the fields might not !e completely defined.0uering

A !uffer can !e used when the data is written. In this case the data is only written to thedata!ase when the corresponding method is called.$ierent &e)els o Personalization

The data can !e stored either for the user, for roles or for the system. In this case all the dataassigned to a user &with the role or with ones own setting can !e read at one time.Central Access to Personalization $ata

We can access the personalization data from user administration or from role administration.Transactions (*45 and P?#- were enhanced to cope with this situation.We can also access the data from a maintenance transaction for personalization.The use of the generic repository for personalization data is explained in the followingdocumentation$

*se of the -eneric epositoryImplementing a 1ialog

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/c993c8389711d5974400a0c930dcc1/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/c993cb389711d5974400a0c930dcc1/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/c993c8389711d5974400a0c930dcc1/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/c993cb389711d5974400a0c930dcc1/content.htm



Integrating +xternal Ta!lesegistering Personalization /!'ects&icence $ata 'a6 Page

Use

We specify the contractual user type of the user on this ta! page.

?or more information a!out user types, see the (AP (er"ice Earketplace under the pathhttp:!!ser)ice(sap(com!licenseauditing → (ystem Eeasurement 7amed *ser → *ser#lassification.If we are using #entral *ser Administration, we can edit the user types in the central systemusing *ser Eaintenance &transaction (*45 or Eass *ser Eaintenance &transaction (*54.The following re9uirements must !e fulfilled$ #entral and child systems ha"e a release status of at least (AP We! A( 6.<4 and (AP

7ote :4GG5< is installed In transaction (#*E, the maintenance of the license data is set to -lo!al &see (etting1istri!ution Parameters for ?ields. This is the default setting for a new installation of the#*A.Setting Up %ield $istri6ution Parameters

Use

If we are using #entral *ser Administration, we can use the distri!ution parameters intransaction (#*E to determine where indi"idual parts of a user master record aremaintained. In the central system 3ocally in the child system In the child system with automatic redistri!ution to the central system and the other#*A child systems+"ery input field of the user maintenance transaction (*45 has a field attri!ute that we set

once in the central system with transaction (#*E during #ustomizing. As far as possi!le, weshould then not change the field maintenance indicator at all.-arning:

If we later change the distri!ution from 3ocal or Proposal to -lo!al or edistri!ution, datainconsistencies can occur.User Master Record

ecord that contains important master data for a user in the (AP system. The user masterrecord contains the assignment of one or more roles to the user. In this way, a user menu andthe corresponding authorizations for the acti"ities contained in the user menu are assigned tothe user. /nly users who ha"e a user master record can log on to the system.We must !e particularly careful when remo"ing inconsistencies, since data is lost when we

switch systemCdependent parameters from local to glo!al maintenance and then distri!ute theusers again. The distri!ution creates the central system status in all child systems. If we ha"e pre"iously maintained systemCdependent data, such as the user assignment of roles, this datais unknown to the central system. This means that when we distri!ute the central systementries, we o"erwrite the role assignments of the child system. This systemCspecific data istherefore permanently lost.To recreate data consistency after changing the field distri!ution parameters, proceed asfollows$ To maintain cross2s/stem parameter &such as printers glo!ally rather than locally,set the parameter appropriately and then redistri!ute the users from the central system to thechild systems. This means that the central system status is adopted in all child systems.Caution:To maintain s/stem2dependent parameters &such as role or profile assignments glo!ally

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/c993ce389711d5974400a0c930dcc1/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/c993d1389711d5974400a0c930dcc1/content.htm



http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/c25fc996a1494aa9e313d261a3728d/content.htm



http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/c993ce389711d5974400a0c930dcc1/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/c993d1389711d5974400a0c930dcc1/content.htm






rather than locally, we must not redistri!ute the users. Instead, we must remo"e the #*A andset it up again, so that we can copy the users and their systemCspecific data from the childsystems into the central system again. After completely remo"ing the #*A and setting it upagain, the field distri!ution parameters are set to @glo!al@ !y default. #heck these settings

!efore we transfer the users again with transaction (#*-.

The only exception to this is the 3ocks ta! page. We can change the indicators on this ta! page at any time without any risk.Procedure

5. 3og on to the central system &in this example, A1E, client 4:4.<. In the Implementation -uide &IE-, transaction (A3+, choose Eodeling and

Implementing Business Processes → Predefined A3+ Business Processes→ #rossCApplication Business Processes → #entral *ser Administration → (et 1istri!utionParameters for ?ields &transaction (#*E.

The system displays the *ser 1istri!ution ?ield (election screen, with ta! pages of the fieldswhose distri!ution parameters we can set. To display additional fields, choose page down.

We can select the following options on the ta! pages$-lo!al We can only maintain the data in the central system. The data is

then automatically distri!uted to the child systems. These fieldsdo not accept input in the child systems, !ut can only !edisplayed.Note:

All other fields that are not set to glo!al accept input !oth inthe central and in the child systems and are differentiated only

!y a different distri!ution after we ha"e sa"ed.Proposal We maintain a default "alue in the central system that is

automatically distri!uted to the child systems when a user iscreated. After the distri!ution, the data is only maintainedlocally, and is not distri!uted again, if we change it in thecentral or child system.

et2al We can maintain data !oth centrally and locally. After e"erylocal change to the data, the change is redistri!uted to thecentral system and distri!uted from there to the other childsystems.

3ocal We can only maintain the data in the child system. #hanges arenot distri!uted to other systems.

+"erywhere We can maintain data !oth centrally and locally. 0owe"er, onlychanges made in the central system are distri!uted to othersystems, local changes in the child systems are not distri!uted.

>. To maintain the other parameters, too, switch to the other ta! pages. The ta! pages

correspond to those of user maintenance.G. (a"e our entries.The distri!ution parameters are automatically transferred to the child systems.&oc;s 'a6 Page

We can control the distri!ution of lock data on this ta! page, and therefore determine whichlocks can !e set and=or reset in which systems. When we reset locks, we must pay close

attention to the lock indicators in the user master record that can !e com!ined in any way we



choose, and the functions a"aila!le in this system, so that we can set the indicators on the3ocks ta! page appropriately.A user cannot log on to a child system of a #*A. The local administration remo"es the lock.0owe"er, this remo"al refers only to a local lock that may exist in the user master record.-lo!al locks, or, if the indicator for 3ocked due to incorrect logons is set to glo!al, locks due

to incorrect logon attempts, are not remo"ed !y this. Therefore, if the local administrationshould !e a!le to remo"e locks due to incorrect logon attempts, we must not set the indicatorfor 3ocked due to incorrect logons to glo!al in transaction (#*E.To !e a!le to unlock a user from the central system after an incorrect logon attempt or forlocal locks in a child system, set the indicator e"erywhere for the lines *nlock incorrect.3ogon and *nlock locally.The following functions are a"aila!le in the respecti"e systems$ 3ock glo!ally$ This function is only a"aila!le in the central system. The re9uest to lock

or unlock is sent to all child systems and performed there. *nlock glo!ally$ This function is only a"aila!le in the central system. The re9uest to

lock or unlock is sent to all child systems and performed there. *nlock incorrect logon glo!ally$ This function is only a"aila!le in the central system.

The re9uest to lock or unlock is sent to all child systems and performed there. 3ock locally *nlock locally$ This function attempts to remo"e all three possi!le lock indicators$

3ocked due to incorrect logons, glo!al lock, and local lock. *nlock incorrect logon locally(election on the 3ocks Ta! Page

?ield +xplanation -lo!al 3ocal +"erywhere*nlock

Incorrect.3ogon

#ontrols the

remo"al of theindicator 3ockeddue to incorrectlogons

emo"al of the

indicator 3ockeddue to incorrectlogon using theunlock glo!allyfunction isallowed

emo"al of the

indicator 3ockeddue to incorrectlogon using theunlock locallyfunction isallowed

emo"al of the

indicator 3ockeddue to incorrectlogon using theunlock locallyfunction isallowedemo"al of theindicator 3ockeddue to incorrectlogon using theunlock glo!ally

function is alsoallowed3ock3ocally

#ontrols thesetting of thelocked locallyindicator

(etting theindicator lockedlocally using thelock locallyfunction isallowed

*nlock3ocally

#ontrols theremo"al of thelocked locally

indicator

emo"ing theindicator lockedlocally using the

unlock locallyfunction is

emo"ing theindicator lockedlocally using the

unlock locallyfunction is



allowed allowedemo"al of theindicator lockedlocally using theunlock glo!ally

function is alsoallowed3ock-lo!ally

#ontrols thesetting of thelocked glo!allyindicator

(etting theindicator lockedglo!ally using thelock glo!allyfunction isallowed

*nlockglo!ally

#ontrols theremo"al of thelocked glo!allyindicator

emo"al of thelocked glo!allyindicator usingthe unlockglo!ally functionis allowed

emo"al of thelocked glo!allyindicator usingthe unlockglo!ally functionis allowedemo"al of theindicator lockedglo!ally using theunlock glo!allyfunction is alsoallowed

Recommendations or Other %ields?ield (ettingPrinter ProposalParameters Proposal-roup &-en. Proposal?ields for data that theusers maintain themsel"es

edistri!ution

See also:

(AP 7ote >5>;GH$ #*A$ Incorrect logon locks not glo!ally re"ersi!le We ha"e transferred the users with all of their data &address data, license data, and soon from the child systems to the central system &see Transferring *sers from 7ew (ystems'ranserring Users rom Ne+ S/stemsUse

If we include a new system in the distri!ution model selected, we must make sure that theuser master records in the new system are transferred to the central system.Prerequisites

We ha"e synchronized the company addresses.Procedure

5. 3og on to the central system &in this example, A1E#37T4:4.<. In the Implementation -uide &IE-, transaction (A3+, choose Eodeling and Implementing Business Processes→ Predefined A3+ Business Processes→ #entral

*ser Administration→

Transfer *sers from 7ew (ystems &transaction (#*-. The system displays the #entral *ser Administration (tructure 1isplay screen with a

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/8c/b1b13bb3acd607e10000000a11402f/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/8c/b1b13bb3acd607e10000000a11402f/content.htm



Tree structure of the systems of the distri!ution model. The systems with 7ewindicators

contain user master records that are not contained in the #entral *ser Administration.>. If we are setting up a completely new #entral *ser Administration, place the cursor on the central system and choose Transfer *sers.

The system displays the following ta! pages$

7ew users These users are not yet contained in #entral *serAdministration. By choosing Transfer *sers, wecan transfer the selected users into the centralsystem. This transfers all user parameters such asaddress and logon data, as well as profiles androles. In the future, the user will !e maintainedcentrally.

Identical users These are users with identical user I1s &that is,their name and user name is the same. The rolesand profile data for this user can !e transferred tothe central system. The user is then distri!uted andtherefore appears as it is stored in the centralsystem. 3ocal data is o"erwritten.

1ifferent users These user I1s are contained in !oth the centraland the child systems, !ut with different data.Note:

If in a single case, the users are actually the sameuser, we can transfer the roles and profile data forthe user to the central system. The user is then

distri!uted as it exists in the central system.If these are two different users, create a new userI1 for one user in the central system, and deletethis user in the child system.

Already central users These users are already in the #entral *serAdministration under the same name and aremaintained centrally.

G. (elect all new and changed users and choose Transfer *sers.H. Perform steps > and G successi"ely for all child systems from which we want to transfer

users.

6. After we ha"e completed the user transfer, remo"e the roles)(AP)B#)#*A)(+T*P)#+7TA3 and)(AP)B#)*()#*A)(+T*P)#3I+7T from the system users.

These roles are only re9uired to set up the #*A, !ut not for its operation. By restrictingthe authorizations of the system users to the minimum le"el, we increase the security ofour system landscape.

:. *se transaction (#*3 to check the distri!ution of the users after the transfer.Note:

*sers that we ha"e not copied to the central system can still !e maintained in the childsystem. This means that the functions #reate and 1elete are still displayed in the user maintenance. These functions are no longer a"aila!le only after the complete transfer of allusers.M. (a"e our entries.



The application tool!ar contains the following push!uttons$

3icense data The 3icense 1ata ta! page appears, so that we can entermeasurementCrele"ant data. ?or more information, see the(ystem Eeasurement -uide on the (AP (er"ice Earketplace1http:!!ser)ice(sap(com!licenseauditing4 → (ystemEeasurement 7amed *ser → 1ocumentation.

eferences This function allows the application de"elopers to assign a !usiness o!'ect to a user, to, for example, display this users owndata. In transaction (*45, it is used only for display.A ta!le appears in which we can assign !usiness o!'ect types to auser. An o!'ect type is a description of data &o!'ects used in the

system, created at definition time in the Business /!'ectBuilder . An o!'ect is any type of connected information that isaddressed with a uni9ue keyF such as master data &customer,material, "endor, and so on.The possi!le entries help for the /!'ect type field lists alla"aila!le o!'ect types.Note:

This function is not the same as assigning reference users on theoles ta! page.

0usiness O68ect 0uilder

UseWe can use the Business /!'ect Builder to create, display or change o!'ect types in theBusiness /!'ect epository.,ntegration

If we want to display or change a defined o!'ect type in the Business /!'ect Builder, we mustknow its I1, name or description.If we do not know the o!'ect type precisely or if we are not sure whether there is anappropriate o!'ect type, we can find an o!'ect type using its position in the componenthierarchy or using its relationships to other o!'ect types. In this case, use the Business /!'ectepository Browser .untime o!'ects are !ased on o!'ect types.%eatures2arious functions such as check, test, generate, or whereCused list are a"aila!le. We can alsocreate su!types of an existing o!'ect type or determine a delegation type .More inormation:

*ser Administration ?unctionsUser ,normation S/stem

Use

We can use the *ser Information (ystem &transaction (*IE to o!tain an o"er"iew of theauthorizations and users in our (AP system at any time using search criteria that we define. In

particular, we can display lists of users to whom authorizations classified as critical areassigned.Note:


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/35/26b0b0afab52b9e10000009b38f974/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/c5/e4acc8453d11d189430000e829fbbd/content.htm




http://help.sap.com/saphelp_nw70ehp1/helpdata/en/36/aaa2749235503be10000009b38f9b6/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/35/26b0bcafab52b9e10000009b38f974/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/4f/5668735cf211d194a30000e82dec10/frameset.htm






http://help.sap.com/saphelp_nw70ehp1/helpdata/en/36/aaa2749235503be10000009b38f9b6/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/35/26b0bcafab52b9e10000009b38f974/content.htm




To explicitly search for authorizations that contain the full authorization asterisk &8, we needto enter a num!er sign &Z !efore the asterisk, that is, search for Z8. /therwise, the systemsearches for any "alues.We can also use the *ser Information (ystem to$% #ompare roles and users

% 1isplay change documents for the authorization profile of a user % 1isplay the transactions contained in a role% #reate whereCused listsecommend that we regularly check the "arious lists that are important for us. 1efine amonitoring procedure and corresponding checklists to make sure that we continually re"iewour authorization plan.+specially recommend we determine which authorizations we consider critical and regularlyre"iew which users ha"e these authorizations in their profiles.The possi!le e"aluations are descri!ed in the following sections$% 1etermining *sers with the *sers 7ode % 1etermining oles, Profiles, Authorizations, and Authorization /!'ects % 1etermining Transactions % #omparing #rossC(ystem *sers, Authorizations, oles, and Profiles % #reating WhereC*sed 3ists for Profiles % #reating WhereC*sed 3ists for Authorization /!'ects % #reating WhereC*sed 3ists for Authorizations % #reating WhereC*sed 3ists for Authorization 2alues % 1etermining #hange 1ocuments $etermining Users +ith the Users Node

There are a num!er of e"aluation options a"aila!le to us using the *sers node. These areexplained !elow. #rossC(ystem Information *sers !y Address 1ata &(*(44<)A11+((We perform the procedure for e"aluating with generic input options &placeholder asterisk andmultiple selection. To o!tain a result, the corresponding criteria, such as room, must !emaintained in the user data. *sers !y #omplex (election #riteria &(*(44< By #ritical #om!inations of Authorizations at Transaction (tart &(*(44M With incorrect logon attempts &(*(446This e"aluation is started immediately without additional selection criteria when we choose+xecute in the *ser Information (ystem. The result list displays all users with incorrect logonattempts$

7um!er of incorrect logon attempts &users that are not locked *sers locked due to incorrect logon attempts *sers locked !y administration *sers locked glo!ally in the central system &if we are using #*A *sers locked locally and glo!ally !y the administration &if we are using #*AThis e"aluation also displays the date and time of the last logon. By logon date and password change &(*(<44 With critical authorizations &(*(44; With #ritical Authorizations &7ew 2ersion &(*(44M)44;)7+W$etermining Cross2S/stem ,normation

Prerequisites

We can only perform these e"aluations in the central system of a #entral *ser Administration&#*A. This also means that we can only use these reports if we are using a #*A.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/73/84be0ca5a65f4e9ef2b23ad795d34a/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/71/8fba30840c6e4d90da3526971cc684/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/8e/448450771c4544aad54321ddaff2e4/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/12/342a299bb21847863aac7894d90564/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ab/51853df3e60968e10000000a114084/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a1/6e533d96d9c20fe10000000a114084/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/1d/0115f895a27c4d9b3d7e554ac029ef/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/77/0488311f34e74e855ea713866d648d/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/90/c3e45b841f214ca32fcc17f7eb059e/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a7/428f40f3b19920e10000000a1550b0/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/81/ba904062b76e1de10000000a1550b0/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/0e/4f8f40f3b19920e10000000a1550b0/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/1e/478f40f3b19920e10000000a1550b0/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7a/ad9040bca2ef4ae10000000a1550b0/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/f9/558f40f3b19920e10000000a1550b0/content.htm




http://help.sap.com/saphelp_nw70ehp1/helpdata/en/8e/448450771c4544aad54321ddaff2e4/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/12/342a299bb21847863aac7894d90564/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ab/51853df3e60968e10000000a114084/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a1/6e533d96d9c20fe10000000a114084/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/1d/0115f895a27c4d9b3d7e554ac029ef/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/77/0488311f34e74e855ea713866d648d/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a7/428f40f3b19920e10000000a1550b0/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/81/ba904062b76e1de10000000a1550b0/content.htm


http://help.sap.com/saphelp_nw70ehp1/helpdata/en/1e/478f40f3b19920e10000000a1550b0/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/7a/ad9040bca2ef4ae10000000a1550b0/content.htm




Procedure

The procedure is explained using an example of Users 6/ S/stem

&(*()(D(I7?/)B2. To, for example, display the list of users on a child system,follow the procedure !elow$5. (tart the user information system &transaction (*IE in the central system of the central

user administration.<. +xpand the nodes *sers and #rossC(ystem Information &#entral *serCAdministration.>. #hoose the +xecute option next to *sers !y (ystem.G. We now ha"e the following options$

• To determine the #*A systems in which a certain user exists, enter the name ofthe user, and then choose +xecute.

• To determine all or some of the users in one or more #*A systems, either enterthe user name only a placeholder or some of the name and the placeholder, such as?+8.

Result

The result list appears. 1epending on our selection, the user names and recei"ing systems aredisplayed as well as the last out!ound I1oc num!er of the respecti"e user master record.?or the reports Users 6/ Role and Users 6/ Proile, we can restrict the selection further$

• *sers !y ole &(*()(D(I7?/)/3+We can use this report to display, systemCspecifically, which roles are assigned to users, or theusers to which specific roles are assigned.We can restrict the selection using the name and "alidity of the role assigned to the user$ allroles that exist and that are "alid today or during a particular time period.

• *sers !y Profile &(*()(D(I7?/)P/?I3+We can use this report to display, systemCspecifically, which manual profiles are assigned tothe users, or the users to which specific manual profiles are assigned.

We can restrict the selection using the names of the profiles assigned to the user. ?orexample, to find all users with the profile (AP)A33 in all child systems, enter (AP)A33 inthe Proile field and choose E7ecute.Users 6/ Comple7 Selection Criteria 1RSUSR>4

Use

This e"aluation pro"ides a total screen Users 6/ Comple7 Selection Criteria on whichsu!ordinate selection criteria that can also !e used directly &such as !y user name, !y role, !yauthorization "alues are com!ined. To o!tain users, restrict the selection !y entering data inthe fields. If we execute the report without making any entries, all users of the current systemare displayed.Procedure

To compare, for example, the master records of two users at the le"el of authorization for ano!'ect, follow this procedure$5. In our (AP (ystem, open two sessions to perform the procedure in parallel for !oth

authorization o!'ects to !e compared.<. In the user information system, choose *sers→ Users 6/ comple7 selection criteria

→ 6/ user ,$, or execute report (*(44< using transaction (A>M.>. (pecify the user name in the *ser field.G. #hoose +xecute.H. By dou!le clicking the user name, we can display the list for the user.6. (elect the first node ?user name@ and choose Select!E7pand Su6 tree(

The Restrict User 3alues to the %ollo+ing Simple Proiles and Auth( O68s screen appears.



:. (pecify the authorization o!'ect to !e compared, such as ?)BJP?)B*J, and choose+xecute.

Result

In the hierarchy display of the user master record, all !ranches that contain authorizations forthe selected o!'ect are expanded.

0/ Critical Com6inations o Authorizations at 'ransaction Start 1RSUSRB4eport RSUSRB is o!solete and has !een replaced !y report RSUSRB""NE-. Wecan start this report in the *ser Information (ystem !y choosing Users → With #riticalAuthorizations &7ew 2ersion.This e"aluation allows us to monitor task separation. It lists all users that simultaneously ha"eauthorizations for up to fi"e transactions whose com!ination was rated as critical. Theauthorization o!'ect ()T#/1+ is checked.We can use the 1isplay #ritical #om!inations !utton to acti"ate or deacti"ate the (AP

proposals for each line in the 1eletion Indicator column, !y choosing inacti"e or (APProposals.We can also permanently restrict the e"aluation !y critical com!inations. To do this, choosethe change !utton Crit(Com6. To call the ta!le of com!inations and delete or change ta!lerows as re9uired. 0owe"er, we can only import (AP proposals again during the next upgrade.0/ &ogon $ate and Pass+ord Change 1RSUSR>4

We can determine the date of the last logon and whether the user in 9uestion has changed hisor her initial password. To do this, use either a "ariant with predefined selection criteria &-et2ariant or specify selection criteria ourCself &with multiple selection and generic input.The selection criteria 1ays since last logon and 1ays since password change mean that atleast the specified num!er of days has passed since the last logon or password change.We can use the following selection options to restrict the result list$ (election !y the "alidity of the user

• *sers "alid today• *sers not "alid today (election !y the status of the user • *sers not locked• 3ocked users• *sers with incorrect logon attempts (election !y user type• 1ialog user • #ommunication user • (ystem user • (er"ice user • eference user (election !y the status of the password• *sers with "alid password• *sers with initial password• *sers with inacti"e passwordThe entries in the 3ast #hange and Password #hanged columns of the result list mean thefollowing$&ast Change

ow +xplanation*nused The user has not yet logged on to this

system.








with date and time The user last logged on at the specified dateand time.

Pass+ord Changed

ow +xplanationThe password is initialF that is, the user hasne"er yet changed it.

with date The user changed his or her password onthe specified date.

with date The user has not logged on to the systemagain since the administrator changed the

password. inacti"e The password has !een deacti"ated.

To change a user in the result list, select it and choose Select. The user maintenancetransaction &transaction (*45 appears.-ith Critical Authorizations 1RSUSR4

Useeport RSUSR is o!solete and has !een replaced !y report RSUSRB""NE-. Wecan start this report in the *ser Information (ystem !y choosing *sers→ With #riticalAuthorizations &7ew 2ersion.We can use this report to determine the users that ha"e critical com!inations ofauthorizations, as defined in ta!le USDR,A.A ta!le entry consists of the specification of an authorization o!'ect with field name and field"alue. The entries are com!ined using a common fourCcharacter I1 and the logical linkingoperators A71 or /.+xample of an +ntry (chemaI1 /!'ect ?ield ?rom To A71=/ Text ?or #olor

T45 ()TAB*)1I( A#T2T 4< 4> A71 #om!ination5 5T45 ()TAB*)1I( 1I#B+#3( P(7/ A71 5T45 ()T#/1+ T#1 (*45 A71 5In the a!o"e example, a user is displayed in the result list if all three authorizations arecontained in his or her user master record. #ritical com!inations for the same o!'ect mustexist in the same authorization &see (AP 7ote 6:G<5<. If the linkage / was used instead of A71, the user would !e displayed in the result list if he or she had only one of the threeauthorizations in his or her user master record.We can call the maintenance dialog for creating and changing entries in ta!le USDR,A !othon the initial screen and from the result list of the report.Notes on Maintaining Critical Authorizations

• Within one I1, use only uniform and completely entered linking operators &exclusi"elyA71 or exclusi"ely /.

• There is no input help a"aila!le for entering authorization o!'ects, fields, and field"alues.

• We can copy the defaults deli"ered !y (AP &again !y choosing (AP 1efault &#ontroland ?>.

-arning

When we do so, we o"erwrite all pre"iously maintained entries.• Ta!le USDR,A is a crossCclient ta!le. This means that we cannot maintain this ta!le in

systems that are locked for crossCclient #ustomizing. In this case, we must deli"er thedata !y transport from the de"elopment system.

Procedure







We can restrict the e"aluation !y critical com!inations !y choosing the !utton Change

Crit(Com6. To call the ta!le of com!inations and deleting or changing ta!le rows asre9uired.5. (tart the user information system &transaction (*IE.<. +xpand the Users node.

>. #hoose the option +xecute next to 3ist of *sers with #ritical Authorizations.G. #hoose #hange #rit. #om!.The Entr/ o Critical Authorizations or Report RSUSR "iew appears, on which wecan enter the critical authorizations in a ta!le. We can also call this screen from the result list

!y choosing #hange #rit. Auth.H. We can delete the existing com!inations or add new com!inations !y choosing Ne+

Entries.6. To create new com!inations, enter the re9uired data.?or more information, see the a!o"e example.$ata o a Critical Authorization

?ield #ommentI1 7ame of the authorization o!'ects link/!'ect 7ame of the authorization o!'ect?ield 7ame 7ame of the authorization field. /ptional

specification, without which, the systemsearches in the user master records only forthe authorization o!'ect.

?rom ?irst authorization "alue./ptional specification, without which, thesystem searches in the user master recordsonly for the authorization o!'ect.

If we lea"e the ?rom field empty, the program searches for authorizations withspaces for the specified field and o!'ect&see (AP 7ote 6:G<5<.If we enter an asterisk &8 in the ?rom field,the report searches for full authorization for the specified field.?or fields with fixed "alues, the reportsearches for authorizations that contain all

possi!le fixed "alues and displays the usersto which authorizations of this type are

assigned.To 3ast authorization "alue./ptional specification, without which, thesystem searches in the user master recordsonly for the authorization o!'ect.

A71=/ 3inkage typeText for #ritical Authorizations +nter a short text to explain the critical

com!ination in the Text for #riticalAuthorizations field of the first entry ofeach I1. This text is displayed in the resultlist after the report has !een executed.Any texts that are not in the first entry arenot taken into account.



#olor We can assign any critical com!ination anum!er from 5 to : in the #olor field todefine the !ackground color of the I1 in theresult list. The num!ers correspond to thefollowing colors$

#olor$ 5 V !lue, < V white, > V yellow, G Vtur9uoise, H V green, 6 V red, : V purpleThe color code only takes effect if wemaintain it completely for all entries of theI1, and all entries are identical. The defaultsetting is red.

:. (a"e our entries in a transport re9uest.M. #hoose Back and +xecute.Result

The system displays a list of all users that ha"e the com!ination of authorizations for whichwe are searching.-ith Critical Authorizations 1Ne+ 3ersion RSUSRB""NE-4

Use

This report replaces the reports RSUSRB and RSUSR and offers the followingimpro"ements$• 1ifferentiation !etween (AP defaults for critical data for different !usiness areas.

Pre"iously, we could only use and change defaults collecti"ely.• +xtended com!ination options for critical authorization data• Impro"ed performance• ?ilter for the users to !e displayed• Eore analysis options for users in the result list• Impro"ed userCfriendlinessWe can either start the report using transaction (A>M or in the *ser Information (ystem&transaction (*IE !y choosing *sers → With #ritical Authorizations &7ew 2ersion.The report is pro"ided as of (AP We! A( 6.<4 with the following (upport Packages$• (AP We! A( 6.<4, as of (APJB6<4>;• (AP We! A( 6.G4, as of (APJB6G44>We can continue to use the old programs RSUSRB and RSUSR until (AP We! A(6.G4. The new report is deli"ered with the old (AP defaults for critical authorization data,which were already used for RSUSR. The data is com!ined in the "ariant(AP)(*(44;.Anal/zing Users +ith Critical AuthorizationsWith the following procedure, we first define critical authorizations and the associatedauthorization data. We then com!ine the critical authorizations into a "ariant with which wethen perform the e"aluation.5. To maintain critical authorizations, choose #ritical Authorizations on the initial screen.A dialog !ox appears that displays four folders, which form two hierarchies$• 2ariants for #ritical Authorizations → #rit. Authorizations• #rit. Authorizations → Authorization 1ataThe #ritical Authorizations folder consists of the I1s of critical authorizations. +ach I1contains a list with critical data. The Ids are used to define report "ariants.

<. In change mode, open the #rit. Authorization folder in the lower hierarchy !y dou!leCclicking it, and choose 7ew +ntries.



>. (pecify the following data in the ta!le control$• The name of the I1 in accordance with the naming con"ention &customer namespace• A text• The color in the result list• The transaction code, if re9uiredG. (a"e our entries.H. To maintain the authorization data, select the entry that we ha"e 'ust created and open

the Authorization 1ata folder !y dou!leCclicking it.A new "iew appears.a. #hoose 7ew +ntries.

!. ?ill out all re9uired fields, which are identified with an asterisk &8. 7ote the following when filling out the fields$• All entries within a group must ha"e the same operand A71 or /. The indi"idual

groups are essentially linked with A71. An / link is not possi!le.• We can specify critical data for different authorization o!'ects within the same group.• If we specify a transaction code for an I1, all authorization data re9uired to execute the

transaction and maintained in transaction (+;> is automatically entered as critical data,after we ha"e confirmed and sa"ed the dialog !ox.

• If we lea"e the %rom field empty, the program searches for authorizations with spacesfor the specified field and o!'ect. If we enter an asterisk &8 in the %rom field, the reportsearches for full authorization for the specified field. &(ee (AP 7otes <56HH: and6:G<5<

c. (a"e your entries.6. #reate a "ariant.a. /pen the folder 2ariants for #ritical Authorizations !y dou!leCclicking it, and then

choose 7ew +ntries. !. +nter the name and description of the "ariant.c. (a"e our entries.:. Assign the I1s of critical authorizations to the "ariant that we ha"e 'ust created.a. (elect the "ariant and choose the #ritical Authorizations folder under the 2ariants for

#ritical Authorization folder !y dou!leCclicking it. !. #hoose 7ew +ntries.c. *se the input help to choose existing I1s.d. (a"e our entries.M. +xecute the report "ariant with critical authorizations.a. /n the initial screen of the report, choose the option ?or #ritical Authorizations under

7ame of the 2ariant !. *se the input help to select an existing "ariant, and choose +xecute.The users identified for each I1 are displayed !y the program in the result list.Anal/zing Users +ith Critical Com6inations o Authorizations

We can use the report RSUSRB""NE- to com!ine the I1s for critical authorizationsin any way, and to create "ariants with these com!inations.5. To maintain critical com!inations, choose #ritical #om!inations on the initial screen.A dialog !ox appears that displays four folders in two hierarchies$• 2ariants for #ritical #om!inations of Authorizations→ #om!ination• #om!ination→ #ritical AuthorizationWe specify I1s of critical authorizations that we ha"e maintained in accordance with the

procedure a!o"e, and now want to com!ine with each other in the in the #om!ination folder.A "ariant consists of a list of critical com!inations.



<. In change mode, open the #om!ination folder in the lower hierarchy !y dou!leCclickingit, and choose 7ew +ntries.

a. (pecify the following data in the ta!le control$• The name• The color for the result list• The description of the com!ination

!. (a"e our entries.>. Assign the I1s of critical authorizations to the com!ination.a. (elect the com!ination and open the #ritical Authorization folder !y dou!leCclicking it.

!. #hoose 7ew +ntries.c. *se the input help to select I1s of critical authorizations.d. (a"e our entries.Note

The selected I1s are essentially linked with A71. An / link is not possi!le.G. #reate a "ariant.

a. /pen the folder 2ariants for #ritical #om!inations of Authorizations !y dou!leCclickingit, and then choose 7ew +ntries. !. (pecify the name and description of the "ariant in accordance with the namespace

con"ention.c. (a"e our entries.H. Assign critical com!inations to the "ariant.a. (elect the "ariant and choose the #om!ination folder under the 2ariants for #ritical

#om!inations of Authorizations folder !y dou!leCclicking it. !. #hoose 7ew +ntries.c. *se the input help to choose existing com!inations.d. (a"e our entries.

6. +xecute the report "ariant with critical com!inations.a. /n the initial screen of the report, choose the option ?or #ritical #om!inations under 7ame of the 2ariant

!. *se the input help to choose an existing "ariant.c. #hoose +xecute.The result list displays the users for each com!ination within the selected "ariant.Additional Selection Criteria

We can use the group (election #riteria for *sers to define additional properties that the usersto !e displayed must fulfill. This makes analysis 9uicker and more flexi!le.

7ote that the *ser -roup field relates to entries in the field *ser -roup for Authorization#heck on the 3ogon 1ata ta! page of user maintenance &transaction (*45, while entries in

the field *ser -roup &-eneral e"aluate the data specified on the -roups ta! page of usermaintenance &transaction (*45.We can use the indicator 1isplay /nly 2alid *sers to restrict the display to users whose"alidity period co"ers the date of the report execution.E)aluation o the Result &ist

The result lists are different, depending on the type of the selection "ariant$• ?or #ritical AuthorizationsThe selected users are grouped !y the I1s of critical authorizations. To check which criticaldata is represented !y an I1, click on the name of the I1. To analyze the authorization data of a user master record, select the user !y dou!leCclicking it. The other fields pro"ide additional

information a!out the user.We can use the Profiles and oles !uttons to display lists of profiles and roles assigned to theselected users.



All other functions are standard functions of the A32 -rid #ontrol.• ?or #ritical #om!inationsThe selected users are grouped !y critical com!inations. If we select a com!ination name, thecorresponding critical data is displayed.The other functions correspond to those for critical authorizations.E7amples o Using Critical Authorizations and Com6inationsE7ample

We determine all users that ha"e de"elopment authorization for either executa!le programs&reports or function groups.?or a user to !e a!le to de"elop, he or she re9uires the following authorizations$• Authorization for the o!'ect ()T#/1+ that contains at least one of the transaction

(+M4, (+>:, or (+>M• An authorization for the o!'ect ()1+2+3/P with the "alue P/- or ?*- in the

/BKTDP+ field and the "alue 4< in the A#T2T fieldThe I1 to !e created with critical authorization data therefore contains three groups, for each

of which the "alues are each linked with /.,$ E7ample

-roup /!'ect8 ?ield 7ame ?rom To A71=/8A445 ()T#/1+ T1# (+M4 / A445 ()T#/1+ T1# (+>: / A445 ()T#/1+ T1# (+>M / A44< ()1+2+3/P /BKTDP+ P/- / A44< ()1+2+3/P /BKTDP+ ?*- / A44> ()1+2+3/P A#T2T 4< any &/ or

A71 E7ample >

In a modification of the first example, we now determine users that ha"e de"elopmentauthorization !oth for executa!le programs and for function groups. To do this, split the I1 of the first example into two indi"idual I1s and create a com!ination of these two I1s$,$

-roup /!'ect8 ?ield 7ame ?rom To A71=/ A445 ()T#/1+ T#1 (+M4 / A445 ()T#/1+ T#1 (+>M / A44< ()1+2+3/P /BKTDP+ P/- A71A44< ()1+2+3/P A#T2T 4< A71

and,$ >

-roup /!'ect8 ?ield 7ame ?rom To A71=/ A445 ()T#/1+ T#1 (+M4 / A445 ()T#/1+ T#1 (+>: / A44< ()1+2+3/P /BKTDP+ ?*- A71A44< ()1+2+3/P A#T2T 4< A71

$etermining Roles Proiles Authorizations and Authorization O68ects

Use

These reports RSUSRF &roles, RSUSR> &profiles, RSUSR9 &authorizations, andRSUSRG &authorization o!'ects are constructed in the same way$ The first node !ycomplex selection criteria represents a com!ination of the nodes !elow in each case. The



e"aluation for the oles node is presented as an example. In this way, we can, for example,find all roles that contain the authorization post document &?)BJP?)B*J, acti"ity 45.Procedure

5. (tart the user information system &transaction (*IE.<. +xpand the oles node.

>. #hoose the +xecute option next to oles !y complex selection criteria.G. *nder (election !y authorization "alues, enter %"0DP%"0UD in the /!'ect5 field, andchoose Input 2alues &we cannot enter any "alues for report RSUSRG.

The fields pre"iously hidden for entering the "alues are now ready for input.H. +nter the acti"ity as the "alue.The result list appears.6. There are additional functions a"aila!le to us on the result list, depending on the search

area$1etail$ (tarts transaction P?#-$ displaying the role*ser assignmentProfile assignmentTransaction assignment3alue ,nput

The input "alues for the 2alue field of the authorization o!'ect are interpreted as follows$

2alue +xplanationno input The system displays all authorization o!'ects, irrespecti"e of the "alue

entered in the field. The system displays all authorization o!'ects whose field contains a space

as the "alue.A8 The system displays all authorizations "alues whose field "alue !egins with

A.8 The system displays all authorization o!'ects whose field contains the placeholder asterisk as the "alue.

8 The system displays all authorization o!'ects whose field contains the placeholder asterisk as the "alue.

2A3*+ The system displays all authorization o!'ects whose field contains2A3*+ as the "alue.

$etermining 'ransactions 1RSUSR4

We can use this report to determine the transactions that a user can start. A user can start atransaction if he or she has the authorization ()T#/1+ and, if appropriate, the authorization

o!'ect entered in transaction (+;> for this transaction. ?or more information a!out prere9uisites for starting transactions, see Authorization #hecks.The report also determines transactions that are executa!le with a certain profile &generatedauthorizations of a role, a particular single or composite role, or with a certain authorizationfor an authorization o!'ect.5. (tart the user information system &transaction (*IE.<. +xpand the Transactions node.>. #hoose the +xecute option next to +xecuta!le for *ser.G. *nder Transaction +xecuta!le, restrict the selection using the field ?or *ser.H. #hoose +xecute.The result list appears, in which we can select a transaction and choose (elect to display thelist of authorization o!'ects and "alues for this transaction.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/67129f439b11d1896f0000e8322d00/content.htm



Note:

With the selection ?or *ser, the reference user assigned to this user is also taken into account.If we specify a reference user in the +xecuta!le for *ser selection, only the authorizationsassigned directly to this user are taken into account. (ince a reference user cannot log on to asystem, the transactions displayed !y the report cannot !e directly started !y the reference

user. /nly a dialog user that has !een assigned this reference user can do so.Authorization Chec;s

To ensure that a user has the appropriate authorizations when he or she performs an action,users are su!'ect to authorization checks.The following actions are su!'ect to authorization checks that are performed !efore the startof a program or ta!le maintenance and which the (AP applications cannot a"oid$• (tarting (AP transactions &authorization o!'ect ()T#/1+• (tarting reports &authorization o!'ect ()P/-AE• #alling ?# function modules &authorization o!'ect ()?#• Ta!le maintenance with generic tools &()TAB*)1I(

Chec;ing at Program &e)el +ith AU'=OR,'<2C=ECD Applications use the ABAP statement A*T0/ITDC#0+#J, which is inserted in the sourcecode of the program, to check whether users ha"e the appropriate authorization and whetherthese authorizations are suita!ly definedF that is, whether the user administrator has assignedthe "alues re9uired for the fields !y the programmer. In this way, we can also protecttransactions that are called indirectly !y other programs.A*T0/ITDC#0+#J searches profiles specified in the user master record to see whetherthe user has authorization for the authorization o!'ect specified in the A*T0/ITDC#0+#J.If one of the authorizations found matches the re9uired "alues, the check is successful.Starting SAP 'ransactions

When a user starts a transaction, the system performs the following checks$• The system checks in ta!le T(T# whether the transaction code is "alid and whether the

system administrator has locked the transaction.• The system then checks whether the user has authorization to start the transaction.The (AP system performs the authorization checks e"ery time a user starts a transaction fromthe menu or !y entering a command. Indirectly called transactions are not included in thisauthorization check. ?or more complex transactions, which call other transactions, there areadditional authorization checks.• The authorization o!'ect ()T#/1+ &transaction start contains the field T#1

&transaction code. The user must ha"e an authorization with a "alue for the selectedtransaction code.

•

If an additional authorization is entered using transaction (+;> for the transaction to !estarted, the user also re9uires the suita!le defined authorization o!'ect &T(TA, ta!leT(T#A.

Note

If we create a transaction in transaction (+;>, we can assign an additional authorization tothis transaction. This is useful, if we want to !e a!le to protect a transaction with a separateauthorization. If this is not the case, we should consider using other methods to protect thetransaction &such as A*T0/ITDC#0+#J at program le"el.• The system checks whether the transaction code is assigned an authorization o!'ect. If

so, a check is made that the user has authorization for this authorization o!'ect.The check is not performed in the following cases$

We ha"e deacti"ated the check of the authorization o!'ects for the transaction &withtransaction (*<G using check indicators, that is, we ha"e remo"ed an authorization o!'ect






entered using transaction (+;>. We cannot deacti"ate the check for o!'ects from the (AP 7etWea"er and 0 areas.This can !e useful, as a large num!er of authorization o!'ects are often checked whentransactions are executed, since the transaction calls other work areas in the !ackground. Inorder for these checks to !e executed successfully, the user in 9uestion must ha"e the

appropriate authorizations. This results in some users ha"ing more authorization than theystrictly need. It also leads to an increased maintenance workload. We can therefore deacti"ateauthorization checks of this type in a targeted manner using transaction (*<G.• We ha"e glo!ally deacti"ated authorization o!'ects for all transactions with transaction

(*<G or transaction (*<H.• (o that the entries that we ha"e made with transactions (*<G and (*<H !ecome

effecti"e, we must set the profile parameter A*T0=7/)#0+#J)I7)(/E+)#A(+(to D &using transaction 54.

All of the a!o"e checks must !e successful so that the user can start the transaction./therwise, the transaction is not called and the system displays an appropriate message.Starting Report Classes

We can perform additional authorization checks !y assigning reports to authorization classes&using report (#(A*T0. We can, for example, assign all PA8 reports to an authorizationclass for PA &such as PAxxx. If a user wants to start a PA report, he or she re9uires theappropriate authorization to execute reports in this class.We do not deli"er any predefined report classes. We must decide ourCself which reports wewant to protect in this way. We can also enter the authorization classes for reports with themaintenance functions for report trees. This method pro"ides a hierarchical approach forassigning authorizations for reports. We can, for example, assign an authorization class to areport node, meaning that all reports at this node automatically !elong to this class. Thismeans that we ha"e a more transparent o"er"iew of the authorization classes to which the

"arious reports are transported.Note

We must consider the following$• After we ha"e assigned reports to authorization classes or ha"e changed assignments,

we may ha"e to ad'ust o!'ects in our authorization concept &such as roles &acti"itygroups, profiles, or user master records.

• There are certain system reports that we cannot assign to any authorization class. Theseinclude$

• (33-4• (TATE+7 &as of (AP => G.4•

eports that are called using (*BEIT in a customer exit at logon &such as (*(4445,L*(*45.• Authorization assignments for reports are o"erwritten during an upgrade. After an

upgrade, we must therefore restore our customerCspecific report authorizations.Calling R%C %unction Modules

When ?# function modules are called !y an ?# client program or another system, anauthorization check is performed for the authorization o!'ect ()?# in the called system.This check uses the name of the function group to which the function module !elongs. Wecan deacti"ate this check with parameter auth!rc"authorit/"chec;# .Chec;ing Assignment o Authorization 5roups to 'a6les

We can also assign authorization groups to ta!les to a"oid users accessing ta!les using

general access tools &such as transaction (+56. A user re9uires not only authorization toexecute the tool, !ut must also ha"e authorization to !e permitted to access ta!les with the





rele"ant group assignments. ?or this case, we deli"er ta!les with predefined assignments toauthorization groups. The assignments are defined in ta!le T11ATF the checkedauthorization o!'ect is ()TAB*)1I(.We can assign a ta!le to authorization group 444. &*se transaction (E>4 for ta!le T11ATA user wants to access this ta!le must ha"e authorization o!'ect ()TAB*)1I( in his or her

profile with the "alue 444 in the field DICBERCLS &authorization group for ABAP1ictionary o!'ects.See also:

• (AP 7otes :6G<, <4H>G, <>>G<, >>5HG, and 6::66• 1ocumentation for (#(A*T0Chec; ,ndicators

As of (AP 7etWea"er :.4, the check status &check=do not check is separate from theauthorization default status &authorization default "alue yes=no and there are the followingcheck indicators and default "alues$

7ew #heck Indicator /ld #heck Indicator +xplanation#heck with default to !e set&Des or 7o

*$ *nmaintained #heck for the correspondingauthorization o!'ect takes

place in accordance with"alues defined !y

programmer.If the authorization default"alue is set to yes, theadministrator must specify adefault when creating a role.?ield "alues are not

displayed in the roleadministration tool.1o not check with default7o

7$ 1o not check #heck disa!led. ?ield"alues are not displayed inthe role administration tool.This indicator can only !eset for transactions, and notfor 0 or Basisauthorization o!'ects. ?orser"ices, this is technicallynot possi!le.

#heck with default 7o P$ #heck #heck always executed.?ield "alues are notdisplayed in the roleadministration tool, sincethere is no authorizationdefault "alue.

#heck with default Des PP$ #heck=maintain #heck always executed.?ield "alues are displayed inthe role administration tool.A yellow traffic light means

that an authorization default"alue still contains at least



one empty field.5lo6all/ $eacti)ating Authorization Chec;s

As of (AP => G.H, we can glo!ally suppress authorization checks for indi"idualauthorization o!'ects. If we use this option, the system does not perform any authorizationchecks at all for the specified o!'ects. If we are using the Profile -enerator, the option

significantly reduces authorization maintenance. The Profile -enerator does not enter anyauthorization data for deacti"ated authorization checks in profiles. We also do not ha"e to

post process the authorization data after an upgrade for transactions for which we ha"eglo!ally deacti"ated the corresponding authorization o!'ects.-arning

If we suppress authorization checks, we allow users to perform acti"ities without ensuringthat the users ha"e the re9uired authorization. This can ha"e undesired conse9uences.#onsider "ery carefully !efore suppressing authorization checks for authorization o!'ects.To suppress authorization checks for specific authorization o!'ects, set the profile parameterauth!o68ect"disa6ling"acti)e# to the "alue @D@. We then select the affected authorizationo!'ects using transaction (*<H &or transaction A*T0)(WIT#0)/BK+#T(. \We deacti"ateauthorization o!'ects in the tree display !y selecting the check!ox to the left of the o!'ect.The deacti"ated authorization o!'ects are then displayed in red. Then acti"ate our settings&only then are the authorization checks ignored in the system.]Note that:

• We cannot suppress authorization checks for authorization o!'ects that !elong to Basiscomponents or to 0uman esources &0.

• We re9uire authorization for the o!'ect ()*(+)/BK to !e a!le to suppressauthorization checks for authorization o!'ects. We recommend that we assign therele"ant acti"ities &sa"ing, acti"ating, or transporting to different administrators.

• If we reacti"ate pre"iously suppressed authorization checks for authorization o!'ects,

we must post process the authorization data for the rele"ant roles.These authorization o!'ects are not contained in any role. In this case, call transaction P#?-and choose Read old status and compare +ith the ne+ data on the ta! pageAuthorizations in e7pert mode to generate proiles. Eaintain missing authorization "aluesand then regenerate the profile.• When transporting the settings &in transaction A*T0)(WIT#0)/BK+#T(, for

security reasons, the system does not transport the acti"e "ersion of the settings, !utrather the sa"ed "ersion. We need to explicitly acti"ate these in the target system&Authorization /!'ects → Acti"ate 1ata.

Note

To sa"e or acti"ate deacti"ated authorization checks for authorization o!'ects, we re9uireauthorization for the o!'ect ()*(+)/BK. ?or security reasons, we should assign theauthorizations for sa"ing and for acti"ating deacti"ated authorizations checks forauthorization o!'ects to different users. It makes sense to deacti"ate the authorization checksonly if at least two people agree on this.Comparing Cross2S/stem Users Authorizations Roles and Proiles 1RSUSRH4

Use

We can use this procedure to compare two user master records, roles &including compositeroles, profiles, or authorizations in the same system or different systems in the *serInformation (ystem. We define the name of the ?# destination with transaction (EH;.When comparing composite roles, we recei"e as the result a list of the single roles and then

!elow this, a comparison of the authorization o!'ects.



This example descri!es how we can compare two users &the procedure is the same for roles, profiles, or authorizations. The master records are resol"ed to authorization field le"el andcompared.Procedure

5. (tart the user information system &transaction (*IE.

<. +xpand the #omparisons node.>. #hoose the +xecute function in the ?rom *sers line.G. In the *ser A and *ser B fields, enter the names of the users to !e compared.H. To compare users in different systems, choose the Across (ystems !utton.• To compare a user of the current system with a user from another system, enter the user

name for user A and the ?# destination and the user name for user B. We can use theinput help to select from the a"aila!le ?# destinations.

• To compare a user from another system A with a user from a further system B from thecurrent system, enter the ?# destinations of these systems in the fields ?#1estination for (ystem A and ?# 1estination for (ystem B.

6. #hoose +xecute.The system displays the #omparisons screen, on which a comparison of the two users isdisplayed. This is di"ided into same "alues, different o!'ects, same "alues, and different"alues. In the case of different o!'ects, only the user for which an authorization o!'ect isdisplayed has the o!'ect. 1ifferent "alues means that although !oth users ha"e authorizationsfor the same o!'ect, the "alues are different. (ame "alues mean that !oth the authorizationo!'ect and the authorization "alues of the two users match.• To display documentation for an authorization o!'ect, select the o!'ect and choose

1ocumentation.• To display a sorted comparison of the "alues !y authorization fields, select the rele"ant

line and choose (elect.

ResultThe authorizations from different profiles were resol"ed, com!ined !y o!'ects and sorted !yfields. This means that we ha"e a compact comparison of the "alues for each field.

7ote that this display allows a 9uick comparison, !ut that the interaction of the fields withinan authorization is of "ital importance. In particular, it can !e the case for the o!'ects listedunder @same "alues@ that although two users ha"e the same "alues for an o!'ect, they do notha"e the same authorizations, as the field "alues are com!ined differently in differentauthorizations. We should therefore regard this comparison function only as a utility forfinding differences and not for documenting e9uality.?or information a!out in"estigating the user master records of two users for an o!'ect at theauthorization le"el, see the *sers !y complex selection criteria section of 1etermining *serswith the *sers 7ode.Creating -here2Used &ists or Proiles 1RSUSR>4

Use

We can use this report to create whereCused lists for profiles, authorization o!'ects,authorizations, and authorization "alues. We are looking for, for example, all users to which acertain profile &such as (AP)A33 is assigned.Procedure

5. (tart the user information system &transaction (*IE.<. +xpand the nodes WhereC*sed 3ist and Profiles.>. #hoose the +xecute option next to one of the following search areas &in this example,

next to In *sers$• In *sers







• In oles• In #omposite ProfilesG. (pecify the profile &in our example, (AP)A33, and choose +xecute.The result list By #omplex (election #riteria appears.H. There are additional functions a"aila!le to us on the result list, depending on the search

area.Result

The result list shows the whereCused list of the o!'ect in the specified search areaF in ourexample, therefore, all users to which the (AP)A33 profile is assigned.

?unctions in the esult 3ist for the In *sers (earch Area

?unction #omment1isplay 1etails 1isplay details for the user.3ist with oles 3ist of users with their role assignment

3ist with Profiles 3ist of the users with all profiles assigned to the user #hange 1ocuments 3ist of change documents for a user

?unctions in the esult 3ist for the In oles (earch Area

?unction #omment1isplay 1etails (tarts role maintenance &transaction P?#- for the selected role.*ser Assignment (tarts the whereCused list for the users assigned the role selected in

the result listProfile Assignment 3ist of the profiles for a role, from which, in turn, we can create a

whereCused list for the profiles contained in the list.#ontained in#omposite oles

1isplays a list of composite roles in which the single role selectedin the result list are contained.

#ontained (ingleoles

1isplays which single roles are contained in the selectedcomposite role from the result list.

TransactionAssignment

3ist of all transactions contained in the role, for which we candisplay all fields and "alues !y choosing 1etails.

?unctions in the esult 3ist for the In #omposite Profiles (earch Area

?unction #omment1isplay 1etails 1isplay details for the profile.WhereC*sed 3ist WhereCused list for a profile selected in the result list that contains

the profile for which we originally performed the search in thewhereCused list. The same selection options are a"aila!le again onthe Profile WhereC*sed 3ist dialog !ox &use in profiles, usermaster records, or roles

#hange 1ocuments 3ist of change documents for a profileCreating -here2Used &ists or Authorization O68ects 1RSUSR>4

Use

We can use this report to create whereCused lists for profiles, authorization o!'ects,authorizations, and authorization "alues.



Procedure

5. (tart the user information system &transaction (*IE.<. +xpand the nodes WhereC*sed 3ist and Authorization /!'ects.>. #hoose the +xecute option next to In Programs.G. +nter the authorization o!'ect and choose +xecute.

The Authorization /!'ect WhereC*sed 3ist dialog !ox appears.H. (pecify the search area. *se in$• Programs• #lasses• B(P Applications• Transactions• Package InterfacesThe result list appears.Result

The result list displays the whereCused list for the authorization o!'ect in the specified search

area. Additional functions are a"aila!le to us in the result list.

?unctions in the esult 3ist?unction #omment#hange #alls the ABAP +ditor in change mode for the program.1isplay #alls the ABAP +ditor in display mode for the program.WhereCused list 1isplays all programs, classes, and so on that use the selected

program.1elete 1eletes the program#omplete 3ist Additional properties of the programs are displayed in the complete

list.

Creating -here2Used &ists or Authorizations 1RSUSR>4

Use

We can use this report to create whereCused lists for profiles, authorization o!'ects,authorizations, and authorization "alues.Procedure

5. (tart the user information system &transaction (*IE.<. +xpand the nodes WhereC*sed 3ist and Authorizations.>. #hoose the +xecute option next to one of the following search areas$• In *sers

• In ProfilesG. +nter the authorization and the associated authorization o!'ect, and choose +xecute.The result list appears.H. There are additional functions a"aila!le to us on the result list, depending on the searcharea.Result

The result list displays the whereCused list for the authorization o!'ect in the specified searcharea.

?unctions in the esult 3ist for the In *sers (earch Area?unction #omment1isplay 1etails 1isplay details for the user.3ist with oles 1isplays all roles of the users in the result list



3ist with Profiles 1isplays all profiles of the users in the result list#hange 1ocuments 3ist of change documents for the users selected in the result list

?unctions in the esult 3ist for the In Profiles (earch Area

?unction #omment1isplay 1etails 1isplay details for the profile.WhereCused list (tarts the whereCused list for the profile selected in the result list#hange 1ocuments 3ist of change documents for the selected profile

Creating -here2Used &ists or Authorization 3alues 1RSUSR>4

Use

We can use this report to search for certain authorization "alues, such as all users that ha"eauthorization to post goods receipt.

Procedure5. (tart the user information system &transaction (*IE.<. +xpand the nodes WhereC*sed 3ist and Authorization 2alues.>. #hoose the +xecute option next to one of the following search areas$• In *sers• In oles• In Profiles• In AuthorizationsG. (pecify the authorization o!'ect &such as E)E(+-)WW+, for the "alues of which we

want to create the whereCused list, and the "alues for the authorization o!'ect in thefields, which are different, depending on the authorization o!'ect &in this example,acti"ity V 45.

H. #hoose +xecute.The result list appears.6. There are additional functions a"aila!le to us on the result list, depending on the search

area.Result

The result list displays the whereCused list for the authorization o!'ect in the specified searcharea.

?unctions in the esult 3ist for the In *sers (earch Area

?unction #omment1isplay 1etails 1isplays profiles for the selected user, including the authorization

o!'ects, authorizations, and authorization fieldsoles 3ist of users with their rolesProfiles 3ist of users with their profiles#hange 1ocuments 3ist of change documents for the users selected in the result list

?unctions in the esult 3ist for the In oles (earch Area

?unction #omment1isplay 1etails (tarts the role maintenance transaction &P?#-.*ser Assignment 1isplays a list of the users assigned to the role.



Profile Assignment 1isplays a list of the profiles assigned to the role.#ontained in#omposite oles

1isplays a list of composite roles in which the single role selectedin the result list are contained.

#ontained (ingleoles

1isplays which single roles are contained in the selected compositerole from the result list.

TransactionAssignment

1isplays a list of the transactions assigned to the role.

?unctions in the esult 3ist for the In Profiles (earch Area

?unction #omment1isplay 1etails 1isplays all authorization o!'ects, authorizations, and authorization

"alues for the profileWhereC*sed 3ist (tarts the whereCused list for the profile selected in the result list#hange 1ocuments 3ist of change documents for the profiles in the result list

?unctions in the esult 3ist for the In Authorizations (earch Area

?unction #omment1isplay 1etails 1isplays the authorization "alues for the authorization.WhereC*sed 3ist (tarts the whereCused list for the authorization selected in the result

list#hange 1ocuments 3ist of change documents for the authorization selected in the result

list

$etermining Change $ocuments

UseWe can use this report to determine all changes to the following o!'ects$• A user &(*(544• A profile &(*(545• An authorization &(*(54<• A role assignment &((#1544)P?#-• A role &((#1544)P?#-

7ote that changes for users, profiles, and authorizations are di"ided into two areas$• #hanges to authorizations$ creating the user, changing, adding, or remo"ing profiles• #hanging header data$ password changes, "alidity, user type, user group, account

num!er, lock statusWe can select !oth fields to o!tain all information. In this case, the left column shows thestatus !efore the change the right column the changed entry.We determine the changes for roles and role assignments using a separate interface.$etermining $ocuments or Users Proiles and Authorizations

5. (tart the user information system &transaction (*IE.<. +xpand the #hange 1ocuments node.>. #hoose the +xecute option next to ?or *sers &or ?or Profiles or ?or Authorizations.G. (pecify the user &or the profile, or the authorization and other restricting "alues, and

choose +xecute.The result list 3ists of #hange 1ocuments for *sers appears.



H. We can display details for profiles and authorizations !y dou!le clicking the appropriateo!'ect in the result list.

$etermining $ocuments or Roles and Role Assignments

The interface for determining change documents for role assignment is a section of theinterface to determine the change documents for roles.

5. (tart the user information system &transaction (*IE.<. +xpand the #hange 1ocuments node.>. #hoose the +xecute option next to ?or oles &or ?or ole Assignments.G. +nter the re9uired details and then choose +xecute.We can select an indi"idual role or a particular change document with the fields 7ame of theole and #hange 7um!er of the 1ocument. We can use the fields #hanged By and To 1ateor To Time to further restrict the selection. We can use the !utton next to #hanged By to enter our user name in the input field.We can also choose the following document types under #hange 1ocuments, where anadditional input field is displayed at the end of the list for some document types$• /"er"iew of change documents• #reating and deleting roles• ole description• (ingle roles in composite roles• Transactions in the role menu• /ther o!'ects in the role menu• Authorization data• /rg. le"el "alue• Authorization profile• Attri!utes

• EiniApps• #omposite role home page• *ser assignmentWith the *ser Assignment option, we can use the input field Assigned *ser to display thechanges to role assignments for indi"idual users.We can use the option All #hange 1ocuments &Technical 2iew to display the contents of thekey fields of the ta!le entered in the field #hange 1ocument Ta!le. If we enter an asterisk &8as a placeholder or lea"e the field empty, all ta!les are used in the e"aluation.Result

Initial entries for role data are differentiated from empty entries in the result list !y thecomment unknown.We can also create userCspecific A32 list "ariants in the result list.

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/64/c9d3446fe6b546994762946e44905e/content.htm

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/64/c9d3446fe6b546994762946e44905e/content.htm



Documents

User Master Records