Tuesday, November 20, 2007

Role Maintenance in BIW

Purpose

You can use role maintenance to manage roles and authorization data. The tool for role maintenance, the Profile Generator, automatically creates authorization data based on selected menu functions. These are then presented for fine-tuning. The Profile Generator can also be integrated with HR-Org (Organization management, time dependency).

We recommend that you use the role maintenance functions and the Profile Generator (transaction PFCG) to maintain your roles, authorizations, and profiles. Although you can continue to create profiles manually, doing so requires detailed knowledge of all SAP authorization components.

The role maintenance functions support you in performing your task by automating various processes and allowing you more flexibility in your authorization plan. You can also use the central user administration functions to centrally maintain the roles delivered by SAP or your own, new roles, and to assign the roles to any number of users.

The roles (previously: activity groups), which are based on the organizational plan of your company, form the structure for the Profile Generator. These roles are the connection between the user and the corresponding authorizations. The actual authorizations and profiles are stored in the SAP system as objects.

With the roles, you assign to your users the user menu that is displayed after they log on to the SAP System. Roles also contain the authorizations with which users can access the transactions, reports, Web-based applications, and so on that are contained in the menu.

When working with role maintenance and the profile generator, you are at an information level that is abstracted from the actual objects in the SAP System. The graphic below shows how these two layers are separate but connected through the role maintenance functions.

[Graphic not reproduced; it is explained in the accompanying text.]

Implementation

As there is already a large number of roles contained in the standard SAP System, you should check whether you can use the roles in the standard system before defining roles yourself.

You have the following options for gaining an overview of the delivered roles:

· In the SAP Easy Access menu, choose Tools → Administration → User Maintenance → Information System → Roles → Roles by complex selection criteria and then Execute.

· In role maintenance (Tools → Administration → User Maintenance → Roles), choose the entry help for the Role field.

If you want to adjust the existing role, copy the corresponding default role and modify the copy.

If you do not find suitable roles, write job descriptions before beginning your work in role maintenance (see also Initial Installation Procedure).

Either have all maintenance tasks performed centrally by a single superuser, or distribute the maintenance tasks to several users to increase system security. For more information, see Organization of the Authorization Administration.

Features

In role maintenance (transaction PFCG), the system administrator chooses transactions, menu paths (in the SAP menu), or area menus. The selected functions correspond to the activities of a user or a group of users. The resulting tree corresponds to the user menu that is displayed when users to whom this role is assigned log on to the system.

The Profile Generator automatically provides the required authorizations for the selected functions. Some of them have default values. Lights show you which values you must still maintain. After you have maintained all values, generate an authorization profile from the authorizations and assign the role to the users.

In role maintenance, you can:

· Change and assign roles

· Create roles

· Create composite roles

· Derive roles

· Compare roles

· Transport and distribute roles

Process Flow

You process the upper level shown in the graphic with the role maintenance functions and the Profile Generator. You define the roles for the various job descriptions with the permitted activities. The Profile Generator determines the authorizations for users for a particular role based on this information. The basic process is as follows:

1. Assign the job descriptions to transactions.

Define job descriptions for each application area in your company (for example, in a job description matrix). Determine for each description the menu paths and transactions that the users with this job require. Determine both the required access authorizations (display, change) and any restrictions.

2. Maintain activity groups or roles with the role maintenance and the Profile Generator (transaction PFCG).

Use the role maintenance functions to create the roles or activity groups that correspond to the individual job descriptions. For each role or activity group, choose the tasks (reports and transactions) that belong to the job.

3. Generate and maintain authorization profiles.

In this step, the profile generator automatically generates the authorization profile for the activity group or role. To accept or change the proposed profile, you must work through the tree structure of the profile and confirm the individual authorizations that you want to assign to the activity group or role.

4. Assign users.

In this step, you assign the users that belong to the relevant roles or activity groups.

5. Update the user master records.

The user assignment and the generated profile must be updated in the user master records. There are a number of ways in which you can do this (depending on your release status):

◦ In all releases, you can schedule a background job that regularly updates the user master records.

◦ As of SAP R/3 4.5, you can either use the user comparison function or have the user master records automatically updated when saving the activity groups or roles. (Choose Utilities → Settings, and activate the option Automatic comparison at save.)

Recommendation

Even if you use the User Comparison function or the option Automatic Comparison at Save, we recommend that you schedule a background job to ensure that all user master records are updated automatically at regular intervals.
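What the update in step 5 has to reconcile, as an added example that is not SAP code and not part of the original post: it compares role assignments that have validity dates against the generated profiles actually present in the user master records, and reports profiles that are missing or left over. The row layouts, role names, profile names, and user names are constructed for illustration and assume this data has been exported from the system.

```python
from datetime import date

# Constructed sample data for illustration; not taken from a real system.
ROLE_PROFILE = {                      # role -> profile generated for it
    "Z_BW_REPORT_USER": "ZP_REPORT",
    "Z_BW_MODELER": "ZP_MODEL",
}
FOREVER = date(9999, 12, 31)
ROLE_ASSIGNMENTS = [                  # (role, user, valid_from, valid_to)
    ("Z_BW_REPORT_USER", "ALICE", date(2007, 1, 1), FOREVER),
    ("Z_BW_MODELER", "ALICE", date(2007, 1, 1), date(2007, 10, 31)),  # expired
    ("Z_BW_MODELER", "BOB", date(2007, 11, 1), FOREVER),
    ("Z_BW_REPORT_USER", "CAROL", date(2008, 1, 1), FOREVER),  # not yet valid
]
USER_MASTER = [                       # (user, profile) currently in the user master
    ("ALICE", "ZP_REPORT"),
    ("ALICE", "ZP_MODEL"),            # left over from the expired assignment
    ("BOB", "ZP_MANUAL"),             # manually assigned, outside role maintenance
    ("CAROL", "ZP_REPORT"),           # present before the assignment is valid
]


def compare_users(today, assignments=ROLE_ASSIGNMENTS, master=USER_MASTER,
                  role_profile=ROLE_PROFILE):
    """Return {user: {"missing": set, "stale": set}} for users needing an update."""
    generated = set(role_profile.values())
    expected, actual = {}, {}
    for role, user, valid_from, valid_to in assignments:
        expected.setdefault(user, set())
        if valid_from <= today <= valid_to:
            expected[user].add(role_profile[role])
    for user, profile in master:
        # Only profiles generated from roles are in scope of the comparison.
        if profile in generated:
            actual.setdefault(user, set()).add(profile)
    findings = {}
    for user in sorted(set(expected) | set(actual)):
        missing = expected.get(user, set()) - actual.get(user, set())
        stale = actual.get(user, set()) - expected.get(user, set())
        if missing or stale:
            findings[user] = {"missing": missing, "stale": stale}
    return findings


if __name__ == "__main__":
    for user, f in compare_users(date(2007, 11, 20)).items():
        print(user, "missing:", sorted(f["missing"]), "stale:", sorted(f["stale"]))
```

A stale entry is an authorization that outlived its role assignment, which is the case a regularly scheduled update is meant to catch.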