Creating an Authorization Profile Using Profile Generator

With Profile Generator, SAP has made authorization management very easy. First, we will create an authorization profile for a role. All users in that role can run queries but cannot change the queries.

Prerequisites

Three users U_EAST, U_MIDWEST, and U_WEST have been created through transaction SU01.

Work Instructions

Step 1. After logging on to the BW system, run transaction PFCG, or double-click Maintain Roles.

SCREEN 6.1

graphics/06fig01.gif

Step 2. Enter a name for the role, and then click graphics/create.gif .

Note

BW provides authorization profiles for a variety of roles in Business Content. To see a list of them, click graphics/c.gif .

SCREEN 6.2

graphics/06fig02.gif

Step 3. Click the Authorizations tab.

SCREEN 6.3

graphics/06fig03.gif

Step 4. Click graphics/yes.gif to save the role and continue.

SCREEN 6.4

graphics/06fig04.gif

Step 5. Click graphics/salesrevenue.gif to Change authorization data.

SCREEN 6.5

graphics/06fig05.gif

Step 6. Select the template S_RS_RREPU, and then click graphics/adoptreferences.gif .

SCREEN 6.6

graphics/06fig06.gif

Note

BW provides authorization templates for a variety of roles in Business Content. S_RS_PPEPU is one of them, for query display and execution.

Step 7. The new window shows all authorizations for this role. For example, the users assigned to the R_RUN_QUERIES role can Display, Execute, Enter, Include, and Assign Calculated key figure, Query, Restricted key figure, and Template structure.

Note

If we expand other nodes, we will see other authorizations granted to this role.

To change an authorization field value, click graphics/rocket.gif next to the field. In our example, the reporting component Query has the activity Execute in two places. Let's remove Query from the first one.

SCREEN 6.7

graphics/06fig07.gif

Step 8. Deselect REP for Query, and then click graphics/save.gif to continue.

SCREEN 6.8

graphics/06fig08.gif

Note

S_RS_COMP is an authorization object; RSZCOMPTP is one of its fields. In this field we specify objects on which users can perform activities.

Step 9. Click graphics/background.gif to generate the profile.

SCREEN 6.9

graphics/06fig09.gif

Step 10. Enter a name and a description, and then click graphics/continue.gif to continue.

SCREEN 6.10

graphics/06fig10.gif

Step 11. The status light of the Authorizations tab turns green (the red square becomes a green circle). Click the User tab to assign users to this role.

SCREEN 6.11

graphics/06fig11.gif

Step 12. Enter three users: one from the East region, one from the Midwest region, and one from the West region.

Click graphics/usercompare1.gif to add the authorization profile to the users' master data.

SCREEN 6.12

graphics/06fig12.gif

Step 13. Click graphics/completecompare.gif to continue.

SCREEN 6.13

graphics/06fig13.gif

Step 14. Click graphics/yes.gif to save the role.

SCREEN 6.14

graphics/06fig14.gif

Step 15. Notice that the status light of the User tab turns green (the red square becomes a green circle).

SCREEN 6.15

graphics/06fig15.gif

Result

You have created the role R_RUN_QUERIES and its corresponding authorization profile AP_R_QUERY. Also, you have assigned three users to this role. To verify that the role and assignments are correct, run transaction SU01 to display user U_WEST's master data. Under the tab Roles, review the role to which this user is assigned (Screen 6.16). Under the tab Profiles, notice the user's authorization profile (Screen 6.17).

SCREEN 6.16

graphics/06fig16.gif

SCREEN 6.17

graphics/06fig17.gif

From this example, we get an idea of how BW manages its authorization. Each role has an authorization profile. Users assigned to a particular role have all authorizations included in the authorization profile. A user can be assigned to multiple roles. The user derives his or her authorizations from the roles to which he or she is assigned.

Part I. Guided Tours