Outlining Subtleties of Authorization Maintenance

Objective

After completing this lesson, you will be able to describe the special features in SAP Business Role Maintenance.

Icons and Additional Information for Authorization Maintenance

When maintaining and editing authorizations in role maintenance, different terms and icons appear that are perhaps not always correctly interpreted. What task do the traffic lights perform, for example?

Traffic lights refer to authorization fields in lower branches. Screenshot showing the authorizations with respective traffic lights.

The traffic lights are among the most important icons for the administration of authorizations. You can use them to obtain an overview very quickly. They display the current maintenance status of the authorizations at various levels. The different icons here are Green, Yellow, and Red.

Green: All fields below this level have been filled with values.

Hint

If your entry did not make the light go green, this is due to an SAP proposal.

Caution

Regardless of the color, you must always check all entries. A Green traffic light does not mean that you can accept everything without checking it.

Yellow: There is at least one field (but no organizational level) below this level for which no data has been proposed or entered.

Red: There is at least one organizational level field (also known as org level) below this level for which no value has been maintained.

Caution

Never assign organizational levels directly in the structure. This would cause the (possibly critical) status "Changed" (to be explained later in this lesson). Always use the central button Organizational Levels or the key combination "Ctrl + F8" to assign the values.

Authorization Maintenance: Additional Functions

Screenshot showing the functions provided by the context menu.

Functions that are provided by the context menu of the object classes, authorization objects, authorizations, and authorization fields are:

Assignment of authorizations: Displays the transactions that use this object.

Full authorization: You can set full authorization.

Assigning full authorization for all empty fields: If you require a role with full authorizations or want to assign "*" to all empty fields for test purposes, follow the procedure below.

Hint

Assigning full authorization for all empty fields

If you click on a Yellow or Red traffic light in the status line, the system queries whether you want to assign the full authorization asterisk "*" for all unmaintained authorizations.

You can use the traffic lights at the level of object classes, objects, or authorizations in the same way to assign full authorization for the structure below that level. This does not maintain the organizational levels, and you should first use the "Organizational Levels" button to enter and assign them.

To assign full authorization for all empty fields of a role you can click on the Status icon.

Field contents: Choose the maintain icon to maintain an authorization field value. Alternatively, you can double-click the authorization field content, or click an empty field. You enter the values in a separate input window.

Copy: If you choose copy, a complete specification for an authorization object is copied with all fields. The status of the template is retained.

Merge: You can merge identical field contents for authorization fields of an authorization object.

Hint

Under certain conditions, you can merge authorizations for the same object. The merge ignores the maintenance status (Standard/Maintained/Changed/Manual) of the authorizations involved. This could result in standard authorizations being combined with authorizations with different statuses, leading to unexpected behavior of the standard authorizations.

Caution

There are new rules here for merging. The most important and principal rule is associated with the activation status and maintenance status.

Both the activation status (Active/Inactive) and the maintenance status (Standard/Maintained/Changed/Manual) of the authorizations must match. Exception: Changed authorizations can be merged with manual authorizations, as long as the activation status is the same.

If the activation and maintenance statuses are the same, the second condition comes into play. Authorizations can be merged only if one of the further conditions is met.

  • One of the authorizations is included in the other authorization, with reference to all fields (the identity is also considered as a special case).

  • Only one field is different in the two authorizations; all others are the same.

    There are further exceptions here, however:

    • An authorization that has empty fields cannot be merged with another authorization where at least one of these fields has content.

    • An authorization that has fields with full authorization (*) cannot be merged with another authorization where at least one of these fields does not have full authorization.
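
The merge rules above can be written as a single eligibility check. The sketch below is an added example, not SAP code: the Authorization class, merge_blocker, merged_fields and all sample values are hypothetical, field values are modelled as sets of single values without ranges, and the two exceptions are read as overriding both merge conditions, which is an assumption about how the list nests.

```python
from dataclasses import dataclass

FULL = "*"

@dataclass
class Authorization:
    obj: str      # authorization object
    active: bool  # activation status
    status: str   # Standard / Maintained / Changed / Manual
    fields: dict  # field name -> set of single values (ranges not modelled)

def merge_blocker(a, b):
    """Return None if a and b may be merged, otherwise the rule that blocks it."""
    if a.obj != b.obj or a.fields.keys() != b.fields.keys():
        return "not the same authorization object"
    if a.active != b.active:
        return "activation status differs"
    # Statuses must match; Changed with Manual is the one permitted mix.
    if a.status != b.status and {a.status, b.status} != {"Changed", "Manual"}:
        return "maintenance status differs"
    for name in a.fields:
        va, vb = a.fields[name], b.fields[name]
        if bool(va) != bool(vb):
            return f"{name}: empty in one authorization, filled in the other"
        if (FULL in va) != (FULL in vb):
            return f"{name}: full authorization in only one of them"
    a_in_b = all(a.fields[n] <= b.fields[n] for n in a.fields)
    b_in_a = all(b.fields[n] <= a.fields[n] for n in a.fields)
    differing = [n for n in a.fields if a.fields[n] != b.fields[n]]
    if a_in_b or b_in_a or len(differing) == 1:
        return None
    return "several fields differ and neither authorization includes the other"

def merged_fields(a, b):
    """Union of the field values; raises if a rule blocks the merge."""
    reason = merge_blocker(a, b)
    if reason:
        raise ValueError(reason)
    return {n: a.fields[n] | b.fields[n] for n in a.fields}

def auth(status, active=True, **fields):
    """Build a constructed S_USER_GRP authorization for the demo."""
    return Authorization("S_USER_GRP", active, status,
                         {k: set(v) for k, v in fields.items()})

# Constructed sample authorizations
DISPLAY = auth("Standard", CLASS=["DEMO"], ACTVT=["03"])
EDIT = auth("Standard", CLASS=["DEMO"], ACTVT=["01", "02"])
OTHER = auth("Standard", CLASS=["TEST"], ACTVT=["01"])
STAR = auth("Standard", CLASS=["*"], ACTVT=["03"])
EMPTY = auth("Standard", CLASS=[], ACTVT=["03"])
CHANGED = auth("Changed", CLASS=["DEMO"], ACTVT=["03"])
MANUAL = auth("Manual", CLASS=["DEMO"], ACTVT=["03"])
MANUAL_OFF = auth("Manual", active=False, CLASS=["DEMO"], ACTVT=["03"])

if __name__ == "__main__":
    for x, y in [(DISPLAY, EDIT), (DISPLAY, OTHER), (DISPLAY, STAR),
                 (DISPLAY, EMPTY), (DISPLAY, CHANGED), (CHANGED, MANUAL),
                 (CHANGED, MANUAL_OFF)]:
        print(merge_blocker(x, y) or "mergeable")
```

The blocked DISPLAY/OTHER pair shows why the one-field rule matters: a union of both fields would authorize activity 01 for group DEMO and activity 03 for group TEST, combinations that neither authorization granted.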

Delete: Delete the content of a field or delete an inactive authorization, or delete all inactive authorizations.

Activate/Deactivate: You can technically hide authorizations and show specifications for the check in the profile (the entry is retained). Although deleting the authorization has the same effect, it is not as simple to return to the default value in that case.

Hint

Deactivate

  • At authorization object level: All subordinate authorizations are marked as inactive.

  • At authorization level: This authorization is marked as inactive.

Note: Reactivate

This icon means that the authorization or all subordinate authorizations of an authorization object are reset to Active.

Note

The Inactive and Reactivate function has also changed its behavior in the system.

Previously, each authorization was switched to the status "Inactive Standard" regardless of the original status "Standard", "Maintained", or "Changed". This caused complications when merging authorizations.

The status is now always retained. If, for example, an authorization has the status "Changed", it is now switched to "Inactive Changed".

Authorization Maintenance: Status Texts

Listed status texts for authorizations and status texts after a comparison (such as change in menu selection).

Status Texts for Authorizations

Standard: All field values in the subordinate levels of the hierarchy are unchanged from the SAP defaults.

Hint

This includes both filled and unfilled organizational level fields.

The condition for the filled fields is that the entry was made using the maintenance button "Organizational Levels", and for unfilled fields, that the original value $.... is displayed.

Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and has since been filled with a value.

Changed: The proposed value for at least one field in the subordinate levels of the hierarchy has been changed from the SAP default value.

Manual: You maintained at least one authorization in the subordinate hierarchy levels manually (it was not proposed by Role Maintenance).
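
The traffic-light rules and the status texts can be modelled together to show why a Green light says nothing about where a value came from. This is an added example, not SAP code: the Field class, its via_button flag and the sample values are assumptions (only the field names PLVAR, CLASS and ACTVT appear on this page), and letting Changed take precedence over Maintained is a modelling choice.

```python
from dataclasses import dataclass

@dataclass
class Field:
    name: str
    default: tuple = ()       # proposed value, () = nothing proposed
    current: tuple = ()       # value in the role now, () = empty
    org_level: bool = False
    via_button: bool = False  # set with the Organizational Levels button

def is_open(f):
    """Empty, or an org level still showing its $VARIABLE placeholder."""
    return not f.current or (f.org_level and f.current[0].startswith("$"))

def traffic_light(fields):
    if any(f.org_level and is_open(f) for f in fields):
        return "Red"
    if any(is_open(f) for f in fields):
        return "Yellow"
    return "Green"

def status(fields, proposed=True):
    if not proposed:                  # inserted by hand, no proposal behind it
        return "Manual"
    for f in fields:
        if f.org_level:
            if not is_open(f) and not f.via_button:
                return "Changed"      # org level typed directly into the structure
        elif f.default and f.current != f.default:
            return "Changed"          # proposed value was altered
    if any(not f.org_level and not f.default and f.current for f in fields):
        return "Maintained"           # field without a proposal has been filled
    return "Standard"

def review(fields, proposed=True):
    """Light, status, and the points the light does not reveal."""
    state = status(fields, proposed)
    flags = []
    if any("*" in f.current for f in fields):
        flags.append("full authorization *")
    if state in ("Changed", "Manual"):
        flags.append("no unchanged proposal behind it")
    return traffic_light(fields), state, flags

# Constructed sample values; only the field names come from the page.
ACT = ("01", "02", "03")
SAMPLES = {
    "PLVAR untouched": [Field("PLVAR", ("$PLVAR",), ("$PLVAR",), True)],
    "PLVAR via button": [Field("PLVAR", ("$PLVAR",), ("01",), True, True)],
    "PLVAR typed directly": [Field("PLVAR", ("$PLVAR",), ("01",), True)],
    "GRP untouched": [Field("CLASS"), Field("ACTVT", ACT, ACT)],
    "GRP CLASS filled": [Field("CLASS", (), ("DEMO",)),
                         Field("ACTVT", ACT, ACT)],
    "GRP ACTVT reduced": [Field("CLASS", (), ("DEMO",)),
                          Field("ACTVT", ACT, ("03",))],
    "GRP CLASS starred": [Field("CLASS", (), ("*",)),
                          Field("ACTVT", ACT, ACT)],
}

if __name__ == "__main__":
    for label, fields in SAMPLES.items():
        print(f"{label:22}", *review(fields))
```

Five of the seven samples come out Green, yet they cover the statuses Standard, Maintained and Changed, and one of them carries a full authorization.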

The "Yellow Traffic Light Problem".

Caution

Yellow traffic light effect. If the status jumps from Standard/Maintained to Changed due to an action in the authorizations, Role Maintenance cannot create a connection between this object entry and the menu. Therefore, for every action that requires "Read old status and merge with new data", the Standard is read again (can also be forced in expert mode). The only exception here is when the new standard is included in the existing authorizations. For more information about this, see SAP Note 113290.

You will also see Changed for entries for organization levels that are not globally set (using the buttons).

Note

This special feature can also lead to entries being copied into the authorizations that cannot be identified by a Yellow traffic light. Red traffic lights (uncritical, since values are missing here) or even green traffic lights (critical since all fields are filled in this case) can appear with new entries. Always pay attention to and consider the status New when processing the authorizations.

Here is the solution for this problem, so that it does not occur repeatedly when you are processing the authorizations:

Hint

Before you make a change to authorizations that generates the status Changed, you must first perform the following steps:

  1. Copy the appropriate (standard) instance.

  2. Set the template to inactive.

  3. Make the changes to the copy.

Only by performing these steps can you avoid the default being read again and again, and ensure that you have no inexplicable values to maintain.

Status Texts After a Comparison

Old: The comparison found that all field values in the subordinate levels of the hierarchy are still current and that no new authorizations have been added.

New: The comparison found that at least one new authorization has been added to the subordinate levels of the hierarchy. If you now click New in the application toolbar, all new authorizations in the subordinate levels are expanded.

Display of Deleted Authorizations and Values for Merging of Authorizations

Following changes to applications in the role menu, the old authorizations are merged with the new authorization default values when authorization maintenance is started. Through this merge process, authorizations can be added, updated, or deleted.

Authorization maintenance displays which authorizations have been added or updated.

The ALV tree technology for authorization maintenance also displays which authorizations have been deleted and which authorization values have been added or deleted.

The ALV display provides the following enhancements for the merging of authorizations:

  • In the column for the update status, authorization maintenance now indicates whether a value range has been added or changed at field level, too.

  • In addition, a second window is displayed at the right or bottom margin, displaying deleted authorizations and values.

Note

If you are still using the old tree display, you can switch to the new ALV display as of SAP NetWeaver 7.50.

Call transaction PFCG and navigate to the Authorizations tab page. Choose Display Authorization Data or Change Authorization Data. Choose Utilities → Settings from the menu and set the option for using the ALV tree. Note that you have to restart authorization maintenance.

Screenshot showing the merging of authorizations in Role Maintenance.

In addition, the ALV display supports mass changes of authorization values in role maintenance.

Screenshot showing the mass changes of authorization values in Role Maintenance.

Mass Maintenance of Authorization Values in Roles

Transaction PFCGMASSVAL allows you to change the authorization values of multiple roles at the same time.

This includes the changing of organizational level values, field values of authorizations for a selected object, and cross-object field value maintenance of authorizations for a selected authorization field.

Screenshot showing the mass maintenance of authorization values in Roles.

Note

For details see SAP Note: 2177996 — PFCGMASSVAL: Mass maintenance of authorization values in roles.

Practice System Exercise: Understand the Subtleties of Authorization Maintenance

Note

If you have access to a practice system, you can now execute this exercise.

Business Example

After you have used Role Maintenance for some time, you usually know all of the functions. However, some occurrences, such as yellow traffic lights that keep appearing and the status inactive, often still cause some misunderstandings. This exercise reinforces your knowledge of the special features of Role Maintenance.

Task 1: Explaining Traffic Light Colors

Create the role GR##_RGB by copying ADM940_RGB without user assignments and personalization.

Steps

  1. Start the Role Maintenance transaction and create the role GR##_RGB as a copy of the role ADM940_RGB.

    1. SAP Menu:

      Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

    2. Enter the name of the role ADM940_RGB in the Role field.

    3. Choose Copy Role (Shift + F11).

    4. Enter GR##_RGB in the to role field.

    5. Choose Copy All (Enter).

    6. Choose Change on the Role Maintenance screen.

  2. What traffic light colors are displayed for the authorization objects used?

    __________________________

    __________________________

    __________________________

    1. Select the tab Authorizations and choose the button Change Authorization Data.

    2. Explore the traffic lights in the Group/Object/Authorization/Field column.

      The following traffic light colors are displayed for the authorization objects used:

      • Red
      • Yellow
      • Green

  3. What does a red traffic light mean?

    _________________________________________________

    1. A red traffic light stands for an unfilled organizational level field.

  4. The Profile Generator has written a default value in the field with the field text Plan Version. Use the search function to find the authorization field.

    Note the field value. Explain the meaning of the first character.

    _________________________________________________

    1. Open the search option by choosing the Search icon or the menu path Edit → Find.

    2. Enter plan version in the "or field text" field in the Find Field area.

    3. Choose Find Field.

    Result

    The field you are looking for has the field name PLVAR (authorization object PLOG) and the default value $PLVAR.

    A "$" character at the beginning of a field always indicates a variable for an organizational level.

  5. Maintain Authorizations - Maintain authorization values for the organizational level PLVAR.

    1. Choose Organizational Levels.

    2. Enter the following value in the Define Organizational Levels window:

      - Plan Version: 01

    3. Choose Save (Ctrl+S) to save the authorization values for the organizational levels.

  6. What does a Yellow traffic light mean, and which objects (role GR##_RGB) have this status?

    _________________________________________________

    _________________________________________________

    _________________________________________________

    _________________________________________________

    _________________________________________________

    1. Expand the Object Class BC_A node.

      Yellow traffic lights indicate a structure in which at least one field does not yet contain a value.

      The following objects have not yet been given default values by the Profile Generator:

      • S_USER_AGR
      • S_USER_AUT
      • S_USER_GRP
      • S_USER_PRO
      • S_USER_SAS
      • S_USER_STA
      • S_USER_SYS
      • S_USER_TCD
      • S_USER_VAL

  7. What does the Green traffic light color mean, and what do you have to take into account here?

    _________________________________________________

    _________________________________________________

    _________________________________________________

    This must be taken into account: ____________________________________

    _________________________________________________

    _________________________________________________

    Result

    The Green traffic light indicates structures in which all fields are assigned a value. However, it is not possible to identify whether this is:

    • An authorization default value
    • An organizational level field that received the field value through the maintenance button
    • A field for which the authorization default value was changed
    • An organizational level field filled directly in the structure (not using the button)

    Hint

    Take into account the fact that authorization objects with the status Standard and a Green traffic light are entirely authorization default values. Green does not mean that you do not have to check these default values.

  8. Assign the following values to the fields of authorization object S_USER_GRP:

    - CLASS = DEMO

    - ACTVT = 03

    1. Open the search option by choosing the Search icon or the menu path Edit → Find.

    2. Enter S_USER_GRP in the Authorization Object field in the Find Object area.

    3. Choose Find Object.

    4. Choose the Pencil button on the right side of the CLASS field.

    5. Enter DEMO in the Field values window.

    6. Choose Transfer (Enter).

    7. Choose the Pencil button on the right side of the ACTVT field.

    8. Deselect all activities excluding 03 in the Field values window.

    9. Choose Transfer (Enter).

    Result

    When changing the authorization default value for the field ACTVT, Role Maintenance automatically adds a new inactive entry for authorization object S_USER_GRP with authorization default values.

  9. Generate the authorization profile for your role:

    1. Choose the Generate icon.

    2. In the Generate Profile window, choose Generate.

    3. In the Assign Profile Name for Generated Authorization Profile window, accept the proposed profile name and choose Execute (Enter).

    4. Choose Back (F3) to return to the Change Roles screen.

    5. While still in the tab Authorization, go to the next task.

Task 2: Use Expert Mode to Merge the Existing Authorization Data

While still in the tab Authorization, use expert mode to merge the existing authorization data with the authorization default values again.

Steps

  1. What choice must be made when starting the maintenance so that the Profile Generator reads default values again?

    _________________________________________________

    _________________________________________________

    1. On the Authorizations tab page, choose the Expert Mode for Profile Generation icon. Then, choose the mode Read old status and merge with new data.

    2. Choose Back (F3) to go back to the tab Authorizations.

    3. Choose Back (F3) to go back to the Role Maintenance screen.

  2. Start the role maintenance transaction to open the role GR##_RGB and add transaction FD03 to the menu.

    1. While still in the Role Maintenance transaction, enter the name for the role GR##_RGB in the Role field.

    2. Choose the Change icon.

    3. Open the Menu tab page.

    4. Choose the Transaction button and enter the following transaction code in the Transaction code field:

      - FD03

    5. Choose Assign Transactions.

    6. Then choose Save (Ctrl+S) to save your role.

  3. Read the authorization default values again.

    1. Open the Authorizations tab page.

    2. Choose Expert Mode for Profile Generation on the Authorizations tab.

    3. Select the radio button for the option Read old status and merge with new data.

    4. Choose Execute (Enter).

    5. Choose Cancel (F12) on the Define Organizational Levels window.

  4. Which object class and authorization objects have the status New?

    Object class:

    _________________________________________________

    Authorization objects:

    _________________________________________________

    1. Search the authorizations for a line with the entry New:

      Object class:

      - FI

    2. Expand the Object Class FI node.

      Authorization objects:

      - F_KNA1_APP, F_KNA1_BED, F_KNA1_BUK, ...

  5. Generate the authorization profile for your role.

    1. Choose the Generate icon.

    2. In the Generate Profile window, choose Generate.

    3. In the Assign Profile Name for Generated Authorization Profile window, accept the proposed profile name and choose Execute (Enter).

    4. Choose Back (F3) to return to the Change Roles screen.

  6. Delete transaction FD03 in the role menu.

    1. Open the Menu tab page.

    2. Select the entry FD03 - Display Customer (Accounting) and choose the Delete Node icon.

    3. Then choose Save (Ctrl+S) to save your role.

  7. Read the authorization default values again.

    1. Open the Authorizations tab page.

    2. Choose Expert Mode for Profile Generation on the Authorizations tab.

    3. Select the radio button for the option Read old status and merge with new data.

    4. Choose Execute (Enter).

    5. Choose Cancel (F12) on the Define Organizational Levels window.

    Result

    The removed authorization values are shown in the Deleted Authorizations and Values (Merge) area.

  8. Generate the authorization profile for your role.

    1. Choose the Generate icon.

    2. In the Generate Profile window, choose Generate.

    3. In the Assign Profile Name for Generated Authorization Profile window, accept the proposed profile name and choose Execute (Enter).

    4. Choose Back (F3) to return to the Change Roles screen.

  9. Complete the maintenance of this role and return to the initial screen of transaction PFCG.

    1. Choose Back (F3) to return to the initial screen of the Role Maintenance.

Task 3: Use Mass Maintenance of Authorization Values in Roles

Add further values for the field company code in the previously created roles GR##_*. Use the mass maintenance of authorization values in roles.

Steps

  1. Start transaction PFCGMASSVAL.

    1. In the OK code field, enter the transaction code PFCGMASSVAL.

  2. Add the values 90FR, 90CA, and 90US to the values of the field company code.

    1. Enter GR##_* in the Roles field.

    2. Select Execute with prior simulation in the Standard Selection area.

    3. Select Change Organizational Levels in the Type of field change area.

    4. In the Change field, enter Add.

    5. In the Organizational Level field, enter BUKRS.

    6. Choose the Values button, and enter the values 90FR, 90CA, and 90US.

    7. Choose Transfer (Enter).

  3. Start the mass maintenance.

    1. Choose Execute (F8).

      A list is displayed which shows a simulation of the respective changes.

      Then choose Execute (F8) to perform the changes.

      Result

      Now the values are added to the field company code in the roles GR##_*.
