Authorisation is for data security and integrity.
There are two kinds of authorisation: role authorisation and structural authorisation.
Role authorisation is the standard authorisation, for example on tcodes like PA30 and PA20 (maintained in PFCG).
Structural authorisation, on the other hand, is for individual objects. If, say, a user should access the details of only one particular org unit, structural authorisation takes care of this.
Tcode SU21 shows the standard auth objects under HR.
P_ORGIN, PLOG and PLOG_CON are some of the auth objects.
An auth object can have a maximum of 10 authorisation fields.
P_ORGIN is HR: Master Data, and you will see fields like INFTY, SUBTY, AUTHC, WERKS, PERSG and PERSK.
Role maintenance covers:
Changing and Assigning Roles
Creating Roles
Creating Composite Roles
Transporting and Distributing Roles
Steps for creating a single role authorisation
1. Enter tcode PFCG.
Please note: roles delivered by SAP start with the prefix “SAP_”. For your own user roles, instead of using the SAP namespace, use the customer namespace. This means that the prefix is “Y_” or “Z_”.
2. Enter the standard role (e.g. SAP_HR_PT_TIME-ADMINISTRATOR), click Copy and name the new role Z_SAP_HR_PT_TIME-ADMINISTRATOR.
3. Choose Change (the new name, Z_SAP_HR_PT_TIME-ADMINISTRATOR, is in the Role field).
4. You can edit the description as per the requirement.
5. To generate a profile for the role from the authorisation table, click Change Authorisation Data.
6. A new window, Change Role: Authorisation, opens.
When you enter a particular value in the dialog box there, the authorization fields of the role are maintained automatically. For P_ORGIN, for example, we can give read or write access: M (read with entry helps), R (read), W (write data records).
You can also give values for PERSA, PERSG and PERSK.
7. After doing this, generate an authorization profile for the authorizations by clicking Generate (Shift+F5).
8. You are prompted for an authorization profile name. A valid name in the customer namespace is proposed (T-I1550498, for example, with the text "Profile for role Z_SAP_HR_PT_TIME-ADMINISTRATOR").
9. To delete an authorization, deactivate it first and then delete it.
10. You can also assign users to the role immediately by clicking the Role tab and assigning the users (user ID).
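A review of the field values entered in step 6 and of the naming rule noted under step 1, as an added example that is not part of the original post: the Python script reads constructed rows of role authorisation data and reports roles outside the Y_/Z_ namespace and P_ORGIN (HR: Master Data) authorisations that combine write access with a wildcard. The flat row layout, the role Z_HR_MASTER_ALL, the sample field values and the use of "*" to mean "all values" are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample rows: (role, authorisation id, object, field, value).
# The flat layout and the role Z_HR_MASTER_ALL are assumptions for this example.
ROWS = [
    ("Z_SAP_HR_PT_TIME-ADMINISTRATOR", "01", "P_ORGIN", "INFTY", "2001"),
    ("Z_SAP_HR_PT_TIME-ADMINISTRATOR", "01", "P_ORGIN", "AUTHC", "R"),
    ("Z_SAP_HR_PT_TIME-ADMINISTRATOR", "01", "P_ORGIN", "PERSA", "1000"),
    ("Z_SAP_HR_PT_TIME-ADMINISTRATOR", "02", "P_ORGIN", "INFTY", "2001"),
    ("Z_SAP_HR_PT_TIME-ADMINISTRATOR", "02", "P_ORGIN", "AUTHC", "W"),
    ("Z_SAP_HR_PT_TIME-ADMINISTRATOR", "02", "P_ORGIN", "PERSA", "1000"),
    ("Z_HR_MASTER_ALL", "01", "P_ORGIN", "INFTY", "*"),
    ("Z_HR_MASTER_ALL", "01", "P_ORGIN", "AUTHC", "W"),
    ("Z_HR_MASTER_ALL", "01", "P_ORGIN", "PERSA", "*"),
    ("SAP_HR_PT_TIME-ADMINISTRATOR", "01", "P_ORGIN", "INFTY", "0007"),
    ("SAP_HR_PT_TIME-ADMINISTRATOR", "01", "P_ORGIN", "AUTHC", "M"),
    ("SAP_HR_PT_TIME-ADMINISTRATOR", "01", "P_ORGIN", "PERSA", "1000"),
]

WRITE_LEVELS = {"W", "*"}  # W = write data records; "*" (any value) is assumed
SCOPE_FIELDS = ("INFTY", "PERSA", "PERSG", "PERSK")


def review(rows):
    """Return sorted (role, finding) pairs for the P_ORGIN authorisations."""
    auths = defaultdict(lambda: defaultdict(set))
    for role, auth_id, obj, field, value in rows:
        if obj == "P_ORGIN":
            auths[(role, auth_id)][field].add(value)

    findings = set()
    for (role, _auth_id), fields in auths.items():
        # Own roles belong in the customer namespace, not under SAP_.
        if not role.startswith(("Y_", "Z_")):
            findings.add((role, "role name is outside the Y_/Z_ namespace"))
        # Write access matters most when nothing narrows what it applies to.
        if fields.get("AUTHC", set()) & WRITE_LEVELS:
            open_fields = [f for f in SCOPE_FIELDS if "*" in fields.get(f, ())]
            if open_fields:
                findings.add(
                    (role, "write access with wildcard " + ", ".join(open_fields))
                )
    return sorted(findings)


if __name__ == "__main__":
    for role, finding in review(ROWS):
        print(f"{role}: {finding}")
```

Each authorisation is judged on its own, so the narrowly scoped write authorisation in Z_SAP_HR_PT_TIME-ADMINISTRATOR is not reported.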
Steps for creating a composite role authorisation
Use tcode PFCG.
Key point to remember: the SAP System does not distinguish between the names of simple and composite roles. You should adopt your own naming convention to distinguish between simple and composite roles.
Click Roles and select the roles you would like to assign.
Choose the users to be assigned this composite role.
Choose Compare users. The user data is updated after the comparison.
You can transport and distribute roles as well.
The Mass Transport of Roles screen appears.
SUPC is mass profile creation. Use tcodes SU10 or SU12 for mass changes.
I found this site very useful
http://www.abapway.com/2009/08/pfcg-role-maintenance/
Thanks to the contributors.