identity management v1
Post on 24-Mar-2015
ABAP – USR relationships (entity diagram; the cardinality labels 1:1, 1:n, M:N and 1:10 on the slide cannot be matched to their edges from the transcript). Entities shown: Client, User, Group, Administrator (a user) that manages a group of users, Single Role, Composite Role, Authorization profile, Object Class, Auth. object, Auth. field, Transactions. A user can belong to a group. Types of users: Dialog, Service, Reference, Background, Communication. Note on the diagram: 1:n applies only when using SAP predefined profiles.
Key transactions:
PFCG – Role
SUGR – User Group
SU01 – User
SU10 – User Mass Maintenance
SUIM – User Information System
SPRO – Implementation Guide
SE93 – Copy transaction, create transaction
SU24 – Authorization maintenance
SU25
PFUD – User Master comparison
SUPC – Mass generation of profiles
SAP user creation
Role creation (PFCG)
Assign Transaction (Menu tab)
Auth values by: 1) Choice list 2) SPRO 3) F1 4) SU03 5) help.sap.com, sdn.sap.com, service.sap.com 6) Google 7) Business User
User Creation(SU01)
Change Auth Data
SU01 – User creation; PFCG – Role creation; SU03 – Maintain Auth profiles (said to be replaced by PFCG)
Auto gen Auth. Profile name (Auth tab)
Set Org. Values
Set Auth values
Generate
Assign User(s) (User tab)
User Comparison
SU24 can be used to preset which auth objects should be checked and which values go into the default auth object fields. Not used much at client locations.
Role creation (PFCG): copy a SAP* role to a Z/Y role and edit the copy
Typical USR creation at customer location
SUPC – for mass generation of authorization profiles. This was used in older versions predating PFCG.
At the start of PFCG make the following setting to be able to see the “Org. Mgt” button.
Role creation (PFCG) with assignment via Organizational Management:
Copy a SAP* role to a Z/Y role and edit the copy
Change Auth Data
Auto gen Auth. Profile name (Auth tab)
Set Org. Values
Set Auth values
Generate
Related transactions: SU24 – Authorization management; SUPC – Mass generation of authorization profile; SU53 – The last authorization error; ST01 – Trace authorization check
Authorization using HR Organization structure:
Click Org. Mgmt. (User tab)
Click on create assignment
Select Org. level entity (e.g. Position, Job)
Click on indirect assignment
User comparison
The user assigned to the position/job in HR will be assigned the current role.
PFCG – Assigning users by reference using Organizational Management. Possible states of the assignment chain:
- Position exists; person assigned to position: NO; Infotype/subtype (105/0001); SAP User Id
- Position exists; person assigned to position; 105/0001 defined (using PA30); SAP User Id: NO
- Position exists; person assigned to position; 105/0001 defined (using PA30); SAP User Id defined (SU01)
With SU24, disabling the authorization ‘check’ for HR & Basis transactions is not allowed, but changing auth field values is allowed. Duplicate auth objects cannot be added; to do this, manual entry in PFCG has to be used.
(Example shown: using SU24 to uncheck the auth object check S_TRANSL for PA30.)
Structural Authorization – to manage a person’s infotypes
Review Org. Struct (PPOME)
Requirement: a user to maintain infotypes (PA30, PPOME?) for employees in her organization ‘x’ levels below and/or ‘y’ levels above
Transaction sequence: OOAC -> OOAW -> OOSP -> OOSB
Set “Struct Auth. Check” to 1 (OOAC)
Review Evaluation Paths (OOAW)
Create struct. Auth profile (OOSP)
Look up the SAP user id (105/0001) (PA30)
Create 105/0001, if non-existent (PA30)
Create/validate SAP user defined in PA30 (105/0001) (SU01)
Associate user to Auth profile (OOSB)
Create profile for user, add PA30 and SU53 (PFCG)
Login as the new user and test PA30
Run PA30 with ST01 trace on and check for required authorization objects
Set the required Auth Objects using PFCG in the new profile
Run SU53, apply required authorization, run PA30, SU53 …. until no auth errors occur.
Assign user by assigning role to the Org. Unit of the user
Exclude user from modifying own HR data (P_PERNR Auth. object)
Should not have any other P_PERNR other than the one above
<Dummy> in SU53 = *
SAP Library on Structured auth.
Structural Authorization – Additional Info: PPOME
OOAC – Structural Authorization Check setting. If you want authorization to be refused as default, set the main switch to 1 or 2, otherwise to 3 or 4. The following combinations are possible:
1 – Evaluate organizational unit / Reject authorization as default
3 – Evaluate organizational unit / Grant authorization as default
2 – Never evaluate organizational unit / Reject authorization as default
4 – Never evaluate organizational unit / Grant authorization as default
OOAC screenshot: click here and check ‘id’ to be displayed
Status codes are: 1) Active 2) Planned 3) Submitted 4) Approved 5) Rejected
Periods are: D – Key Date, M – Current month, Y – Current year, P – Past, F – Future
Flag for Excluded Structural Profiles. If not set: NCERTO can view org unit 50004515 and 3 levels lower in the hierarchy; the list shown when ‘i’ is pressed, and personnel not assigned to any org unit, will be displayed in PA30, and NCERTO will be included in the list. If set: the list shown when ‘i’ is pressed will be excluded when using PA30, as will personnel not assigned to any org unit; NCERTO will be included.
Clicking ‘i’ should bring up a finite/small list. If ‘All’ is in the auth profile column, the user does not have infotype 105/0001 defined, or the SAP user has not been created (SU01).
Structural Authorization – Additional Info: OOSP, OOSB (screenshots)
OOSP profile fields:
Additional filtering of the result set can be controlled by a custom function (ABAP, Java).
Sequence number: an auth profile can have more than one row.
Evaluation path: defined in transaction OOAW.
Object Type: defines which number is entered in ‘Object ID’.
Sign: if ‘+’, the depth value applies below the object type; if ‘-’, it applies above. Default is ‘+’.
Make sure the start date and end date are as required.
OOSP: Depth of 3 covers only the department employees. Need to understand this better; in testing, the number given does not correspond to Org. levels.
The auth. check for PA30 failed. The green tick should show for authorization checks. The HR struct check can show failure to reflect the persons excluded by the structural auth defined in OOSP and OOSB (the exclude flag).
Structural Authorization – Additional Info PA30 and SU53
The key transactions and programs to keep handy when working with structural profiles are OOAC (activate structural authorization checks -- this is configuration and transportable), OOSP (create structural profiles -- also transportable), OOAW (create evaluation paths, which are used by structural profiles), PO13 (position maintenance, where you assign profiles to positions -- done in each system), RHPROFL0 (report, not tcode -- this evaluates all the profile to position assignments, the holders of those positions, and the usernames associated with those holders, ultimately assigning profiles to the user -- it will also create new users in batch for you), OOSB (checks which users have which profiles -- but not recommended as a way of directly assigning them), OOVK (creates relationships, which are used in evaluation paths), RHBAUS02 and RHBAUS00 (create indexes for users with large structural authorizations, for performance reasons), and RHSTRU00 (display structures via evaluation path, for testing and development purposes).
Transaction OOSP – Definition of Authorization Profiles (Table T77PR): create the structural authorizations that you then assign to the administrator users in transaction OOSB. See: Definition of Structural Authorizations.
Transaction OOSB – Assignment of Profile to Users (T77UA): assign the authorization profiles from transaction OOSP to the administrator users. See: Assignment of Structural Authorizations.
Add all persons not associated to an org. unit.
Structural Authorization – Filters in the process (flow diagram; mnemonic AC_AW_SP_SB -> OOAC, OOAW, OOSP, OOSB)
Master list – all personnel in client
Filter 1 – filter down to the list defined in OOSP/OOSB (the ‘A’ list, shown when ‘i’ is clicked)
Filter 2 – is the ‘exclude’ check box checked in OOSB? Not checked: ‘A’ list included. Checked: ‘A’ list excluded.
Filter 3 – Auth object P_PERNR field value ‘ ‘: user of PA30 included / user of PA30 excluded (marked ?????? on the slide)
Default addition – allow editing based on the check made in OOSP
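The semantics summarised on the slides (OOAC main switch 1/2 = reject by default, 3/4 = grant by default; OOSP rows with object type, object ID, sign ‘+’/‘-’ and depth; the OOSB exclude flag; the P_PERNR rule that a user must not edit her own record) are easier to reason about against a concrete tree. The following Python is an added toy model written for this page; it is not SAP code and not the real evaluation logic. Assumptions: the org tree (org units O, positions S, persons P, with made-up IDs), the simplification that the evaluation path is just “walk the tree”, the convention that depth counts every edge (so S and P levels count, which is one reading of the “depth of 3” observation on the slide), and the rule that the OOAC default only decides persons outside the org structure. The persons_in, walk, evaluate and can_edit names are this example’s own.

```python
from collections import deque
from dataclasses import dataclass

# Constructed org tree (not from the slides): parent -> children.
# Types: "O" org unit, "S" position, "P" person. IDs are made up.
ORG = {
    ("O", "50004515"): [("O", "50004516"), ("S", "S1")],
    ("O", "50004516"): [("O", "50004517"), ("S", "S2")],
    ("O", "50004517"): [("S", "S3")],
    ("S", "S1"): [("P", "P100")],
    ("S", "S2"): [("P", "P200")],
    ("S", "S3"): [("P", "P300")],
}
PARENT = {child: parent for parent, kids in ORG.items() for child in kids}
# Master list of all personnel in the client; P999 hangs nowhere in the tree.
ALL_PERSONS = {"P100", "P200", "P300", "P999"}


@dataclass(frozen=True)
class ProfileRow:
    """One row of a structural profile (modelled on the OOSP fields on the slide)."""
    obj_type: str          # object type, e.g. "O" for org unit
    obj_id: str            # object ID for that type
    sign: str = "+"        # '+' = depth applies below the object, '-' = above
    depth: int = 0         # 0 = unlimited in this toy model
    exclude: bool = False  # OOSB exclude flag: row removes instead of adds


def walk(root, sign="+", depth=0):
    """Objects reachable from root: `depth` edges down ('+') or up ('-'), root included."""
    found = {root}
    if sign == "+":
        frontier = deque([(root, 0)])
        while frontier:
            node, level = frontier.popleft()
            if depth and level >= depth:      # stop expanding at the depth limit
                continue
            for child in ORG.get(node, []):
                found.add(child)
                frontier.append((child, level + 1))
    elif sign == "-":
        node, level = root, 0
        while node in PARENT and (not depth or level < depth):
            node = PARENT[node]
            found.add(node)
            level += 1
    else:
        raise ValueError("sign must be '+' or '-'")
    return found


def persons_in(objects):
    """Reduce a set of (type, id) objects to the person IDs it contains."""
    return {oid for (otype, oid) in objects if otype == "P"}


def evaluate(rows, main_switch):
    """Persons visible to a user holding `rows`, under OOAC main switch 1-4.

    Granting rows are unioned, exclude rows are subtracted (Filter 1 and 2 on the
    slide). Persons not in the org structure at all fall under the OOAC default:
    switch 3/4 grants them, switch 1/2 rejects them (toy-model assumption).
    """
    if main_switch not in (1, 2, 3, 4):
        raise ValueError("OOAC main switch must be 1, 2, 3 or 4")
    granted, excluded = set(), set()
    for row in rows:
        persons = persons_in(walk((row.obj_type, row.obj_id), row.sign, row.depth))
        (excluded if row.exclude else granted).update(persons)
    visible = granted - excluded
    in_structure = persons_in(set(PARENT))   # every person that hangs somewhere
    if main_switch in (3, 4):
        visible |= ALL_PERSONS - in_structure
    return visible


def can_edit(user_pernr, target_pernr, visible):
    """Filter 3: P_PERNR rule from the slide, a user may not modify her own HR data."""
    return target_pernr in visible and target_pernr != user_pernr


if __name__ == "__main__":
    admin = [ProfileRow("O", "50004515", "+", 3)]
    print(sorted(evaluate(admin, 1)))                      # ['P100', 'P200']
    admin.append(ProfileRow("O", "50004517", exclude=True))
    print(sorted(evaluate(admin, 3)))                      # ['P100', 'P200', 'P999']
    print(can_edit("P100", "P100", evaluate(admin, 1)))    # False
```

Running the block with the same profile under switch 1 and switch 3 shows the only difference is P999, the person outside the structure; the depth-3 row reaches P200 but not P300 because P300 sits four edges below the root in this tree, which is the kind of discrepancy the slide records when it says the number does not correspond to org levels.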
HR – Entity relations (entity diagram; the n/m cardinality labels cannot be matched to edges from the transcript). Entities shown: Cost Center, Personnel Area, Personnel Sub-Area, Organizational Unit, Business Area, Person/Employee, Position (e.g. VP of ..), Job (e.g. VP), Org. Key, Work Center, Credit Control Area, Infotype (105 – Communication), Sub-Infotype (0001 – user id), Profit Centers, Line of business, Company Code, Legal Person, Company, Client, Functional Areas, Employee Group, Employee Sub-Group. Relationship verbs on the diagram: does, holds, is a.
SPRO – Implementation guide; PA30 – Maintain HR Master; PPOME – Change Org. and staffing
Object type keys: Org. Units – O; Jobs – C; Positions – S; Cost centers – K; Persons – P
Position – another perspective
User Creation (SU01)
Super User creation
Out of the box clients and users
Client 000 – SAP*: used during install, but its password is not ‘pass’ subsequently. If the user SAP* is deleted, we can log in again with SAP* and password “pass”. To deactivate the special properties of SAP*, set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero (NEED TO CHECK THIS OUT ONCE MORE). If the parameter is set, then SAP* has no special default properties. If there is no SAP* user master record, then SAP* cannot be used to log on.
Client 001 – DDIC: maintainer of the data dictionary and software logistics. Do not delete. Manage the password.
Client 066 – EarlyWatch: used in EarlyWatch functions – performance and monitoring. Do not delete. Manage the password.
ABAP User Types (type – purpose)
Dialog – Individual, interactive system access.
System – Background processing and communication within a system (such as RFC users for ALE, Workflow, TMS, and CUA).
Communication – Dialog-free communication for external RFC calls.
Service – Dialog user available to a larger, anonymous group of users.
Reference – General, non-person related user that allows the assignment of additional identical authorizations, such as for Internet users created with transaction SU01. No logon is possible.
http://help.sap.com/saphelp_nw04/helpdata/EN/52/67119e439b11d1896f0000e8322d00/frameset.htm
Central User Administration (diagram): central system and child systems
ALE – Application Link Enabling
Application Link Enabling (ALE) is a technology to create and run distributed applications.
The IDoc interface exchanges business data with an external system. The IDoc interface consists of the definition of a data structure, along with processing logic for this data structure.
You need the IDoc interface in the following scenarios:
· Electronic data exchange (EDI)
· Connecting other business application systems (e.g. PC applications, external Workflow tools) by IDoc
· Application Link Enabling (ALE)
Central User Administration (CUA): with active Central User Administration, you can only delete or create child system users in the central system. You can change users that already exist in the child system if the settings that you choose for the distribution of the data (transaction SCUM) allow this.
User Management Engine (UME) – Java
SAP Solutions (diagram): SAP ERP, CRM, SRM, SCM; ERP areas: Accounting (Financial accounting, Controlling), Logistics, HR; industry solutions: SAP for Banking, SAP for Retail, SAP for Automotive, SAP for Chemical, SAP for Health care; PLM, IS, BI, BW; Solution Manager – IT management
PA30 – Creating infotype 105, subtype 0001 (user id). Screenshot notes: this is the user id; this is a warning message, press ‘Enter’ to ignore the warning.