
Transferring Users from New Systems

Use

If you include a new system in the distribution model selected, you must make sure that the user master records in the new system are transferred to the central system.

Prerequisites

You have synchronized the company addresses.

Procedure

1. Log on to the central system (in this example, ADMCLNT070).

2. In the Implementation Guide (IMG, transaction SALE), choose Modeling and Implementing Business Processes → Predefined ALE Business Processes → Central User Administration → Transfer Users from New Systems (transaction SCUG).

The system displays the Central User Administration Structure Display screen with a tree structure of the systems of the distribution model. The systems with New indicators contain user master records that are not contained in the Central User Administration.

3. If you are setting up a completely new Central User Administration, place the cursor on the central system and choose Transfer Users.

The system displays the following tab pages:

New users

These users are not yet contained in Central User Administration. By choosing Transfer Users, you can transfer the selected users into the central system. This transfers all user parameters such as address and logon data, as well as profiles and roles. In the future, the user will be maintained centrally.

Identical users

These are users with identical user IDs (that is, their name and user name are the same). The roles and profile data for this user can be transferred to the central system. The user is then distributed and therefore appears as it is stored in the central system. Local data is overwritten.

Different users

These user IDs are contained in both the central and the child systems, but with different data.


If in a single case, the users are actually the same user, you can transfer the roles and profile data for the user to the central system. The user is then distributed as it exists in the central system.

If these are two different users, create a new user ID for one user in the central system, and delete this user in the child system.

Already central users

These users are already in the Central User Administration under the same name and are maintained centrally.

4. Select all new and changed users and choose Transfer Users.

5. Perform steps 3 and 4 successively for all child systems from which you want to transfer users.

6. After you have completed the user transfer, remove the roles Z_SAP_BC_CUA_SETUP_CENTRAL and Z_SAP_BC_USR_CUA_SETUP_CLIENT from the system users.

These roles are only required to set up the CUA, but not for its operation. By restricting the authorizations of the system users to the minimum level, you increase the security of your system landscape.

7. Use transaction SCUL to check the distribution of the users after the transfer.


Users that you have not copied to the central system can still be maintained in the child system. This means that the functions Create and Delete are still displayed in the user maintenance. These functions cease to be available only after the complete transfer of all users.

Assigning Users

You assign users to a role with this procedure.

Prerequisites

· You have created a menu for the new role and set up the authorizations.

· You have created the users that you want to assign to the role.

Procedure

1. Choose Tools → Administration → User maintenance → Roles (transaction PFCG).

2. Specify the role to which you want to assign one or more users.

3. Choose the User tab page.

The status display on the tab page tells you whether users have already been assigned to the role.

Red: No users assigned

Green: At least one user assigned

Yellow: Although users are assigned, user master comparison is not current

For composite roles, the status display refers only to the assignment of users.

4. Enter as many user IDs as desired in the list.

Enter the user IDs either directly or from the possible entries help. You can make a multiple selection with the Select pushbutton, such as all users in a user group.

You can specify a validity period for the assignment in the other columns. When you assign users to the role, the default start date is the current date and the default end date is 31.12.9999. You can change these default values.

5. Perform a user comparison if necessary.

The generated profile is not entered in the user master record until the users have been compared. Changes to the users assigned to the roles and the generation of an authorization profile also require a comparison.

You must then perform a user comparison on the User tab page, to automatically enter the generated authorization profiles in the user master record for the assigned users.

If you do not want to restrict the assignment validity period (current date until 31.12.9999), no further action is required. If you want to limit the validity period, you must schedule the report (transaction PFUD) to run daily to update the user master records. It must also be scheduled if you use organizational management.


Never enter generated authorization profiles directly into user master records, as these are deleted if the corresponding role is not contained in the user master record.

You have the following options for performing a user comparison:

· Choose the User Comparison button on the User tab page. The users are compared for the role you created. The status displayed for this key specifies whether a new comparison must be made.

· Choose Utilities → Settings → Automatic comparison at save. When you save the role, a user comparison is performed automatically.

· Wait until the user comparison is made with the program PFCG_TIME_DEPENDENCY. Set the HR-OrgComparison indicator on the selection screen of the report.

You should schedule the report PFCG_TIME_DEPENDENCY periodically (preferably daily) as a background job. This ensures that user authorizations are regularly updated. The program performs a complete user master comparison for all roles. The authorizations are updated in the user master records. The authorization profiles of user assignments which have become invalid are removed from the user master record. The authorization profiles of valid user assignments to the role are entered.
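
The effect of the comparison described above can be modelled offline to audit exported data for authorizations that outlive their role assignment. The following Python code is an added example, not SAP code and not part of the original posts. It is a simplified model that assumes role assignments, role-to-profile mappings and user profile entries have been exported from the system (for instance from tables AGR_USERS, AGR_1016 and UST04, which this page does not name); all role, user and profile values are constructed.

```python
from datetime import date

# Constructed sample data; every role, user and profile name is made up.
# Role assignments with validity period: (role, user, valid_from, valid_to)
ASSIGNMENTS = [
    ("Z_FI_CLERK", "ALICE", date(2023, 1, 1), date(9999, 12, 31)),
    ("Z_MM_BUYER", "ALICE", date(2023, 1, 1), date(2024, 3, 31)),   # expires
    ("Z_MM_BUYER", "BOB", date(2024, 6, 1), date(9999, 12, 31)),    # starts later
]
# Role -> generated authorization profile
ROLE_PROFILE = {
    "Z_FI_CLERK": "T-FI000001",
    "Z_MM_BUYER": "T-MM000002",
    "Z_HR_ADMIN": "T-HR000003",
}
# Profiles currently entered in each user master record
USER_PROFILES = {
    "ALICE": {"T-FI000001", "T-MM000002", "Z_MANUAL_PROFILE"},
    "BOB": set(),
    "CAROL": {"T-HR000003"},  # generated profile entered directly, no role
}


def compare_user_masters(assignments, role_profile, user_profiles, today):
    """Return {user: {"add": set, "remove": set}} for out-of-date user masters."""
    generated = set(role_profile.values())
    expected = {}
    for role, user, valid_from, valid_to in assignments:
        # Only assignments valid on the comparison date contribute a profile.
        if valid_from <= today <= valid_to and role in role_profile:
            expected.setdefault(user, set()).add(role_profile[role])
    delta = {}
    for user in sorted(set(expected) | set(user_profiles)):
        want = expected.get(user, set())
        # Manually maintained (non-generated) profiles are outside the comparison.
        have = user_profiles.get(user, set()) & generated
        add, remove = want - have, have - want
        if add or remove:
            delta[user] = {"add": add, "remove": remove}
    return delta


if __name__ == "__main__":
    for day in (date(2024, 3, 1), date(2024, 7, 1)):
        print(f"Comparison date {day}:")
        for user, change in compare_user_masters(
                ASSIGNMENTS, ROLE_PROFILE, USER_PROFILES, day).items():
            print(f"  {user}: add {sorted(change['add'])}, "
                  f"remove {sorted(change['remove'])}")
```

A non-empty "remove" set means the user still holds a generated profile without a currently valid role assignment, which is the situation the daily background job is meant to close.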


Users who are assigned to a composite role are displayed on a gray background in the roles in the composite role. The entries cannot be changed. They should only be changed in the composite role.

If you perform a user master comparison for the composite role, it performs a user master comparison for all roles in the composite role.

Assigning Roles to Users in User Maintenance

1. Choose Tools → Administration → User Maintenance → Users (transaction SU01).

2. Specify the user to which you want to assign one or more roles.

3. Specify any number of roles on the Roles tab page.

4. To assign a role to a user for a limited time, specify a date in the Valid from or the Valid to column. You can use the input help calendar to do this.


To assign additional authorizations to a user, you can also assign a reference user for additional rights to it (see Logon Data Tab Page).

Special Features for an Active Central User Administration (CUA)

· Column System

The system also displays the column System on the Roles and Profiles tab page. It specifies the system for which you have assigned the role or profile for each entry.

· Reference user

This assignment of a reference user is valid for all systems in a CUA landscape. If the reference user does not exist in a CUA child system, the assignment is ignored.

· Text comparison from child sys.

On the Roles and Profiles tab pages in the central system of the CUA, you can choose Text comparison from child sys. to inform the central system about the names of the roles and profiles that exist in the child systems. Only then can you display and select roles from the child systems in the central system using the input help. You cannot assign roles from child systems manually without a text comparison.

You can choose the roles obtained through the Text comparison for external systems. If these are composite roles, the composite roles in the target system must consist of local single roles. For your own system, you can enter the roles that can be maintained with role maintenance. These can also be single roles that are tied to the system (single roles with a target system attribute) and composite roles containing single roles that are tied to the system and local single roles.

Assign a Standard Role to a User

If you assign a role predefined by SAP to a user, he or she is automatically given the user menu required for his or her daily work and the authorizations required for it, when he or she logs on to the SAP system.

He or she can also define his or her personal Favorites from the functions assigned to him or her. The user calls transactions, programs or Internet and intranet applications from the Favorites or the job structure tree.

Before you start to create your own roles for your staff, check whether you can use the roles delivered by SAP for the job descriptions in your company.

Prerequisites

Get an overview of the roles delivered by SAP. The program RSUSR070 outputs descriptions of the existing example jobs. To run the program, choose Tools → Administration → User maintenance → Infosystem → Roles → Roles by complex selection criteria → by role name. Or start report RSUSR070 using transaction SE38. If you choose Role description, the description text of the predefined role is displayed as well as its name. The list displayed lists the roles delivered in the SAP Standard.


Predefined roles are delivered as templates and begin with the prefix “SAP_”. Roles with this prefix are overwritten by roles of the same name during an upgrade or when you import Support Packages. To change roles, you must therefore first copy these templates to the customer namespace.

Procedure

The following explains how to assign unchanged roles to users.

The SAP Easy Access initial transaction of the SAP System contains additional functions for administrators. You require authorization as a role administrator to use these additional functions.

1. Choose Other menu in the initial transaction SAP Easy Access.

The Name of the Role dialog window appears, on which you can either enter the name of the role or display a list of single or composite roles by leaving the field Maximum Number of Hits empty and choosing Start Search.

2. Choose a role or composite role from the displayed list of standard roles by double-clicking it.

The user menu for the selected role or composite role (such as SAP_FI_FM_BU_PLANNING) is displayed. This does not create an assignment to your user.

3. To assign the currently displayed role directly to one or more users, choose Assign user.

4. Enter the name of the user that you want to assign. User selection displays a multiple selection list of the current users in the system.


The users must already exist in the system before you can assign them. For more information, see Creating and maintaining user master records.

5. Choose Copy user.

6. Confirm that the role profile is to be generated and the user master adjusted. The authorization profile is generated with the Profile generator and put in the user master of the selected user in addition to the user menu of the selected role(s).

If you do not confirm the prompt, only the user menu is assigned to the selected users. The authorization profile is not generated or entered in the user master, unless you have assigned a role with a profile that is already generated to the users.


Revise the authorization data for the standard roles delivered by SAP and adjust this to the requirements of your company. You should at least define the organizational level fields and complete all empty fields.

Result

The users to whom you have assigned the role can log on to the system. The user menu appears with the functions which the user needs for his or her work and for which he or she has the necessary authorizations.

How to find derived roles under the master roles

1) Go to transaction SE16.
2) Enter the table name: agr_define
3) Enter the master role in the second role field (this field is in the second row) and execute.
4) You will then see the derived roles based on the master role.

Role Maintenance

Purpose

You must maintain roles when the roles in the standard delivery need to be adjusted or you need to create new roles.

Implementation

The SAP Standard contains a large number of roles. Check whether you can use a user role delivered in the standard before you define roles yourself.

Choose Tools → Administration → User maintenance → Infosystem → Roles → Roles by complex selection criteria in the SAP menu in the SAP Easy Access initial menu for an overview of the delivered roles.

You can also display a list of the delivered roles in the possible entries help for the Role field in the role maintenance (Tools → Administration → User maintenance → Roles).

You can copy and modify existing roles.

If you do not find a suitable role, write a job description before you maintain the role. See Initial installation procedure.

All maintenance tasks can be executed centrally by a single "superuser". Alternatively, you can distribute these tasks amongst more than one user to ensure greater system security. Further details are contained in the section Organizing User and Authorization Maintenance.

Features

The system administrator chooses transactions, menu paths (in the SAP menu) or area menus in the role maintenance (transaction PFCG). The selected functions correspond to the activities of a user or a group of users.

The tree which a system administrator creates here for a user group corresponds to the user menu which appears when the user to whom this role is assigned logs on to the SAP System.

The Profile generator automatically provides the required authorizations for the selected functions. Some of them have default values. Traffic lights show you which values need to be maintained.

Generate an authorization profile and assign the role to the users. The user menu appears when a user logs on to the SAP System.

Creating Authorization Roles in Portal

Use

You can create a new authorization role in the SAP system with the Create/Convert Role function.

Prerequisites

To monitor and maintain the data transferred from the portal to the SAP system you need role administration authorization (see Authorizations).

Procedure

To create a new authorization role:

1. Start transaction WP3R.

The initial screen for role administration, Follow-Up Processes for Portal Roles, appears.

2. On the initial screen, select Maintain Authorization Roles and run the program.

A report is displayed containing all portal roles and the authorization roles associated with them. Roles transferred from the portal are highlighted in blue. A warning icon indicates that there are no authorization roles for these roles.


If a role is highlighted in red, it has been deleted in the portal.

3. To find out which services there are for a role, expand the structure of the relevant role, select a logical system, and choose Goto → Service list or the corresponding icon.

If SAP Enterprise Portal has transferred services that are not supported in the current system, these are displayed in a separate section of the service list and ignored when the services are transferred to the authorization role.

4. To close the window with the service list, choose Continue.

5. Click the logical system and choose Authorization role → Create/Convert or choose the icon next to the logical system.

The system asks for the name of the new role. If you enter a name for which there is no role to date, the system creates a new one. You can also create more than one authorization role per logical system, depending on how many authorization versions you require.

If you enter the name of an existing role, the system informs you that you can convert this role to an authorization role. The conversion can only take place if you enter the name of a root single role (not a derived role or a composite role).


When converting an existing role to an authorization role, the system assumes that from then on the structure of the role is defined through the enterprise portal and that roles are assigned only through the enterprise portal. During conversion, a dialog box points out the consequences.

The services of the portal role are immediately transferred to the menu structure of the new role. You can also use the Create/Convert function for authorization roles. It can be used to create derived authorization roles.


A warning is given if no authorization roles have yet been created for the services of a portal role for a logical system.

Users and Roles

Purpose

Users must be created and roles assigned to user master records before you can use the SAP System.

A user can only log on to the system if he or she has a user master record. A user menu and authorizations are also assigned to the user master record via one or more roles.

Roles are collections of activities which allow a user to use one or more business scenarios of an organization. The transactions, reports and Web-based applications in the roles are accessed using user menus. User menus should only contain the typical functions in the daily work of a particular user.

The integrity of business data is also ensured by the assignment of roles. Authorization profiles are generated which restrict the activities of users in the SAP System, depending on the activities in the roles.

Integration

In addition to the assignment of authorizations described in the following sections, data in the SAP System is protected by the following mechanisms:

· Secure Network Communication (SNC)

· Secure data formats (Secure Store and Forward (SSF))

· Internet security

· System passwords

· Database access

· Transport system

· Individual directory structures for the SAP System and so on
