Tuesday, November 20, 2007

Authorization Objects Checked in Role Maintenance

The role maintenance functions (and the profile generator) check the following authorization objects:

Authorization Object

Description

S_USER_AUT

User master maintenance: Authorizations

This authorization object defines which authorizations the administrator can process. You can use the activities to specify the types of processing (such as creating, deleting, displaying change documents).

S_USER_GRP

User master maintenance: User groups

The authorization object is used in role maintenance when assigning users to roles and during the user master comparison.

You can divide user administration between several administrators with this authorization object, by assigning only a certain user group to an administrator. You can use the activities to specify the administrator’s processing types for the group (such as creating, deleting, and archiving).

S_USER_PRO

User master maintenance: Authorization profiles

Profiles are protected with this authorization object. You can use the activities to specify the administrator's processing types for the profile (such as creating, deleting, and archiving).

S_USER_AGR

Authorization system: Check for roles

This authorization object protects roles. The roles combine users into groups to assign various properties to them; in particular, transactions and authorization profiles.

You can use this authorization object together with the authorization objects S_USER_GRP, S_USER_AUT, S_USER_PRO, S_USER_TCD, and S_USER_VAL to set up a distributed user administration.

S_USER_TCD

Authorization system: Transactions in roles

This authorization object determines the transactions that an administrator can assign to a role, and the transactions for which he or she can assign transaction authorization (object S_TCODE).

Note that a user can only maintain ranges of transactions for the S_TCODE authorization object in the Profile Generator if he or she has full authorization for the S_USER_TCD authorization object. Otherwise, he or she can only maintain individual values for the S_TCODE object.

S_USER_VAL

Authorization system: Field values in roles

This authorization object allows the restriction of values that a system administrator can insert or change in a role in the Profile Generator.

This authorization object relates to all field values with the exception of the values for the object S_TCODE.

The authorization to include transactions in a role or to change the transaction start authorization in a role is linked to the authorization object S_USER_TCD.

S_USER_SYS

Authorization object for system assignment in the Central User Administration (CUA).

You can distribute users from a central system to various child systems of a system group. The object S_USER_SYS is used to check the systems to which the user administrator can assign the users. This authorization object is also checked when setting up the CUA.

S_USER_SAS

User master maintenance: System-specific assignments

The authorization object S_USER_SAS is checked in transactions SU01, SU10, PFCG, and PFUD when you assign roles, profiles, and systems to users. It represents a development of the authorization objects S_USER_GRP, S_USER_AGR, S_USER_PRO, and S_USER_SYS, which the system previously checked when users made assignments. If you do not activate the authorization object S_USER_SAS using the Customizing switch, the previously-used authorization objects are checked.

To activate authorization object S_USER_SAS, use transaction SM30 to create the Customizing switch CHECK_S_USER_SAS with the value YES in the table PRGN_CUST. All authorization checks for the objects S_USER_AGR, S_USER_PRO, S_USER_GRP, and S_USER_SYS with the activity assign are replaced by authorization checks for the object S_USER_SAS.

S_USER_ADM

Administration functions for user and authorization administration.

The authorization object S_USER_ADM protects general Customizing and administration tasks for user and authorization administration. It consists solely of the authorization field S_ADM_AREA.

Until now, there was only the fixed value CHKSTDPWD, with which special users (such as SAP*) could be displayed, including their default passwords. SAP adds further fixed values as required for other general administration functions in the area of user and authorization administration; these are listed in SAP Note 704307.

For more information about the authorization checks, see the system documentation for the authorization objects. To display this documentation, choose Environment → Authorization Objects → Display in role maintenance (transaction PFCG). Expand the corresponding node and choose the I button for the relevant authorization object.
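The following audit sketch illustrates the effect of the CHECK_S_USER_SAS switch described under S_USER_SAS: it reports which administrators hold an "assign" authorization on the objects that are checked, and which hold it only on objects that are not checked in that switch state. It is an added example, not SAP code; the CSV layouts, the administrator names, and the activity label "assign" are constructed for illustration and are not real SAP table formats.

```python
import csv
import io

# Objects whose "assign" checks are replaced by S_USER_SAS (per the text above).
LEGACY_OBJECTS = {"S_USER_GRP", "S_USER_AGR", "S_USER_PRO", "S_USER_SYS"}

# Constructed sample exports (simplified, not real SAP table layouts).
PRGN_CUST_CSV = """name,value
CHECK_S_USER_SAS,YES
"""
AUTH_CSV = """admin,object,activity
ADMIN_A,S_USER_GRP,assign
ADMIN_A,S_USER_AGR,assign
ADMIN_B,S_USER_SAS,assign
ADMIN_C,S_USER_GRP,display
ADMIN_D,S_USER_PRO,assign
ADMIN_D,S_USER_SAS,assign
"""

def sas_active(prgn_cust_csv):
    """True if the Customizing switch CHECK_S_USER_SAS has the value YES."""
    rows = csv.DictReader(io.StringIO(prgn_cust_csv))
    return any(r["name"] == "CHECK_S_USER_SAS"
               and r["value"].strip().upper() == "YES" for r in rows)

def assign_holders(auth_csv):
    """Return (admins with assign on a legacy object, admins with assign on S_USER_SAS)."""
    legacy, sas = set(), set()
    for r in csv.DictReader(io.StringIO(auth_csv)):
        if r["activity"] != "assign":
            continue  # only the assign activity is affected by the switch
        if r["object"] in LEGACY_OBJECTS:
            legacy.add(r["admin"])
        elif r["object"] == "S_USER_SAS":
            sas.add(r["admin"])
    return legacy, sas

def switch_impact(prgn_cust_csv, auth_csv):
    """Split admins by whether their assign authorizations are on checked objects."""
    legacy, sas = assign_holders(auth_csv)
    active = sas_active(prgn_cust_csv)
    checked, unchecked = (sas, legacy) if active else (legacy, sas)
    return {
        "switch_active": active,
        "hold_checked_object": sorted(checked),
        "only_unchecked": sorted(unchecked - checked),  # review before changing the switch
    }

if __name__ == "__main__":
    print(switch_impact(PRGN_CUST_CSV, AUTH_CSV))
```

Administrators listed under only_unchecked are the ones whose roles need review before the switch is changed, because their assign authorizations sit on objects the system does not check in that state.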
