Generating Authorizations

Objectives

After completing this lesson, you will be able to:
  • Outline authorizations for organizational objects
  • Generate user authorizations using the RHPROFL0 report

Authorizations for Organizational Objects

The PD Profiles and Standard profiles infotypes allow you to link authorization profiles with the following objects: organizational units, jobs, positions, and tasks (or standard tasks if your company uses Workflow Management). The profiles related to organizational units, jobs, positions, or tasks are used for all employees linked with these objects when you run the RHPROFL0 report.

In the PD Profiles infotype (1017), specify the structural authorization profiles that you want to relate with a task, job, position, or organizational unit. If, for example, the authorization profiles for all employees of an organizational unit tend to be fairly similar, it may be most effective to use profiles for entire organizational units. If, however, authorizations vary by job or task, it may be better to use the profile for the job or task concerned.

The Standard Profiles infotype (1016) enables you to assign a manually created authorization profile to an organizational unit, job, or position, and so on. You should not enter authorization profiles in this infotype that you created for a role using the Profile Generator. Assign the generated profiles to Organizational Management using role maintenance (transaction PFCG).

Authorization Report RHPROFL0

The RHPROFL0 report creates authorization profiles for a user within an organizational plan. The report differentiates between standard authorization profiles and authorization profiles for structural PD authorizations. When authorization profiles are generated using the Profile Generator, the user is also assigned user roles that are linked to the profile.

The system searches along the PROFL0 evaluation path for all persons in the structure and saves them temporarily. Using these persons as a basis, the system reads, up to the next higher organizational unit, all related objects for a given key date that are valid at this time and have infotype 1016 and/or 1017 appended.

The system then checks whether users already exist in the system for the persons found. This is necessary because users also created in the system cannot be entered in infotype 0105 (subtype 0001) for the person.

If the user has not yet been created in the system, it is created automatically. The authorization profiles for all users found in the organizational plan are then entered.

You can check the results of the standard authorization profiles and user roles with transaction SU01. The structural PD authorizations can be displayed using transaction OOSB.

The RHPROFL0 Report (2)

If the Generate standard authorizations parameter is set, the corresponding standard authorization profiles are changed. The same applies to the Generate PD authorizations parameter and the structural PD authorization profiles. If the appropriate parameter is not set, the authorization profiles assigned to the users remain unchanged.

Caution

If the Delete standard authorizations parameter is set, the system deletes all profiles maintained manually for the user through transaction SU01. It only reassigns the new authorization profiles derived from the organizational plan. An exception is the SAP_ALL profile. If you want this profile to be deleted as well, you must set the Delete SAP_ALL profile parameter.

If the parameter is not set (default setting), the system only deletes those authorization profiles resulting from a user role that, according to the current organizational plan, is no longer assigned to the user. These authorization profiles are also flagged as generated profiles in transaction SU01. All other authorization profiles that were maintained manually (infotype 1016) remain.

Caution

If the Delete PD authorizations parameter is set, the system deletes all structural PD authorization profiles that were maintained manually in table T77UA. Note that a user who has no structural authorization profiles automatically receives the SAP* authorization profile. However, this profile is not entered in table T77UA. If the parameter is not set (default setting), the system only deletes authorization profiles that were previously assigned by report RHPROFL0.
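The following sketch models the deletion parameters described above, so that the effect of a run on a user can be predicted before it is executed. It is an added example, not SAP code or part of the lesson; the function names and sample profile names are hypothetical, and it assumes that the Generate parameters are set and that Delete SAP_ALL profile only matters together with Delete standard authorizations.

```python
# Constructed sample state; profile names other than SAP_ALL are made up.
CURRENT_STANDARD = {"SAP_ALL": "manual", "Z_MANUAL_HR": "manual", "Z_OLD_ROLE": "role"}
DERIVED_STANDARD = {"Z_ORG_CLERK"}


def standard_profiles_after_run(current, derived, delete_standard=False,
                                delete_sap_all=False):
    """current: {profile: origin}; origin is "manual" (SU01) or "role" (generated).
    derived: profiles the organizational plan yields on the key date."""
    kept = set()
    for profile, origin in current.items():
        if delete_standard:
            # Everything is removed except SAP_ALL, which needs its own switch.
            if profile == "SAP_ALL" and not delete_sap_all:
                kept.add(profile)
        elif origin == "manual" or profile in derived:
            # Default: only role profiles no longer in the plan are dropped.
            kept.add(profile)
    return kept | set(derived)


def structural_profiles_after_run(current, derived, delete_pd=False):
    """current: {profile: origin}; origin is "manual" (T77UA) or "report".
    Returns (T77UA entries, True if the SAP* profile applies by default)."""
    if delete_pd:
        kept = set()
    else:
        # Default: only entries previously written by the report are removed.
        kept = {p for p, origin in current.items() if origin == "manual"}
    entries = kept | set(derived)
    # No entry left in T77UA: the user falls back to the SAP* profile.
    return entries, not entries
```

Two outcomes are worth checking for before a productive run: SAP_ALL surviving a run with Delete standard authorizations, and a user left without any T77UA entry after Delete PD authorizations.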

The RHPROFL0 Report (3)

If the Include invalid users parameter is set, the system also selects those users who are no longer valid on the key date, but who still exist in the system.

If the Generate new users parameter is set, the system generates users that are assigned to a person in infotype 0105 (subtype 0001) but not yet created in the system. If the Transfer relationship period between person and user parameter is also set, the system creates the new user with the same validity period that is maintained for the person in infotype 0105 (subtype 0001). If this parameter is not set, the system creates the user with a validity period from the key date until the latest possible date (12.31.9999). If you have not stored any authorization profiles in the Standard Profiles infotype (1016), you must activate the parameter Without assigned basis profiles. You use the parameter User Data to assign the initial password and the user group.

All messages that were generated during the profile comparison are saved in an application log. This application log is newly generated each time the RHPROFL0 report is run. You can make it visible by choosing Display log(s).

If the report is planned and automatically executed in a batch job, the output list is printed out. In this case, you can make the application log visible using transaction SLG1. On the selection screen, enter RHPROFL0 in the Object field. The Subobject and Ext. number fields remain empty.

Generate User Authorizations

Business Scenario

In your company, selected structural profiles should be stored in the organizational unit and in the position so that they can be assigned to employees using report RHPROFL0.

Set up structural authorization profiles to enable the assignment of authorizations using the RHPROFL0 report.

Task 1: Task 4: Use transaction OOSB (table T77UA) to review the following results generated by the report:

Steps

  1. Check if assignments to the structural profiles SP01_GR## and SP02_GR## have been entered in the T77UA table for the users PATEL-## and CHUNG-##.

    1. On the SAP Easy Access screen, choose: Tools → Customizing → IMG → SPRO - Execute Project. On the Customizing: Execute Project screen, choose SAP Reference IMG. In the Implementation Guide, choose: Personnel Management → Organizational Management → Basic Settings → Authorization Management → Structural Authorization.

    2. Select the Assign Structural Authorization activity. Alternatively, transaction OOSB can be used.

    3. Verify that the following assignments to the structural profiles SP01_GR## and SP02_GR## are entered for the users:

      User Name   Auth. profile   Start     End date
      CHUNG-##    SP01_GR##       <today>   31.12.9999
      CHUNG-##    SP02_GR##       <today>   31.12.9999
      PATEL-##    SP01_GR##       <today>   31.12.9999
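The same verification can be scripted against an export of the table. This is an added example, not part of the lesson or of SAP; the semicolon-separated export format, the user MEYER-##, the dates and the function names are assumptions made for illustration.

```python
from datetime import date, datetime

# Constructed sample export of T77UA: user;profile;start;end (dd.mm.yyyy).
# "##" is the lesson's group-number placeholder; MEYER-## is a made-up user.
SAMPLE_ROWS = """\
CHUNG-##;SP01_GR##;01.03.2024;31.12.9999
CHUNG-##;SP02_GR##;01.03.2024;31.12.9999
PATEL-##;SP01_GR##;01.03.2024;31.12.9999
MEYER-##;SP01_GR##;01.01.2023;31.12.2023
"""
EXPECTED = {("CHUNG-##", "SP01_GR##"), ("CHUNG-##", "SP02_GR##"),
            ("PATEL-##", "SP01_GR##")}
USERS = ["CHUNG-##", "PATEL-##", "MEYER-##"]


def parse_date(text):
    return datetime.strptime(text, "%d.%m.%Y").date()


def valid_assignments(export_text, key_date):
    """Return the (user, profile) pairs whose validity covers key_date."""
    valid = set()
    for line in export_text.splitlines():
        if not line.strip():
            continue
        user, profile, start, end = (f.strip() for f in line.split(";"))
        if parse_date(start) <= key_date <= parse_date(end):
            valid.add((user, profile))
    return valid


def audit(export_text, expected, users, key_date):
    """Compare the export with the expected assignments on key_date."""
    valid = valid_assignments(export_text, key_date)
    covered = {user for user, _ in valid}
    return {
        "missing": sorted(expected - valid),
        "unexpected": sorted(valid - expected),
        # No valid row: per the lesson, the SAP* profile applies instead.
        "default_fallback": sorted(set(users) - covered),
    }
```

Users listed under `default_fallback` have no structural profile on the key date and therefore receive the SAP* authorization profile, so they deserve review even though nothing for them appears in T77UA.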