Solution 2: Display Authorization Information of the Authorization Concept (ABAP)

36: Extended Maintenance

50: Move
78: Assign
68: Model
PP: Set Productive Password
F4: Address data display in input help

d) Exit the report Authorization Objects by Object Name, Text and go back to the SAP
Easy Access menu.

5. Search for authorization whose names begin with S_USER?

a) In the Information System, under the Authorization Objects node, double-click the
report Authorization Objects - By Object Class.

b) Choose the All Selections icon (Shift+F7).

c) Enter S_USER* in the Authorization Object field.

d) Enter BC_A in the Object class field.

e) Choose Execute (F8).

6. How many authorization objects have a name that begins with S_USER?
____________________
a) Analyze the list of authorization objects.
Number of authorization objects that begin with S_USER:
13 Authorization objects

7. Find out about the authorization object S_USER_TCD by displaying the documentation.
What is controlled with this authorization object?
_________________________________________________________
_________________________________________________________
_________________________________________________________
Which authorization field(s) does the object consist of?
____________________
a) In line with the authorization object S_USER_TCD, double-click the Information button
(i).

b) Read the displayed information.

Definition for authorization object S_USER_TCD:
Authorization objects control the transactions that system administrators can assign to
a role, as well as the transactions for which they can assign transaction code
authorization (object S_TCODE). Note that in the Profile Generator, you can only
maintain intervals of transactions if you have full authorization S_USER_TCD for
authorization object S_TCODE. Otherwise you can only maintain individual values for
the object S_TCODE.
Defined fields:

© Copyright. All rights reserved. 17

Unit 2: Basic Terminology of Authorizations

TCD: Transactions that administrators may assign to roles and for which they may
assign authorization to start a transaction in Role Maintenance.

c) Exit the report and return to the SAP Easy Access menu.

Task 4: Analyze the Role ADM940_SD_SALES Using the User Information System

1. Navigate to the User Information System in the SAP Menu.

a) SAP Menu: → Tools → Administration → User Maintenance → Information System
folder.

2. Use Report Roles by Complex Selection Criteria node → By Role Name with the role
ADM940_SD_SALES.
a) Expand the structure for the Roles node, then expand the structure for the Roles by
Complex Selection Criteria node, and choose the report By Role Name by double-
clicking it.

b) Enter ADM940_SD_SALES in the Role field.

c) Choose Execute (F8).

3. Display the transaction assignment for the role.

Do these roles allow you to start transactions that start with “X”?
____________________
Does this role provide authorization to call transaction VA03?
____________________
Does this role provide authorization to call transaction MM03?
_____________________
a) Display the transaction assignment of the role by selecting the line with the role name
and choosing the button Transaction Assignments (Ctrl+Shift+F6).
Do these roles allow you to start transactions that start with “X”?
Yes.
There are three transactions (XD01; XD02; XD03).
Does this role provide authorization to call transaction VA03?
Yes.
Does this role provide authorization to call transaction MM03?
No.

b) Exit the report and return to the initial Information System screen.

© Copyright. All rights reserved. 18

 Unit 2
Exercise 3
Check Authorization in the SAP System

Business Example
In practice, it is important to know the special features of the authorization check performed
when a transaction is called in the system. It is also important to determine, if an unsuccessful
authorization check is reported, why it was unsuccessful. This exercise will consolidate the
content of the lesson with work in the system.

Task 1: Display the Definition of a Transaction

Display the definition of transaction FB03.

1. Start the transaction MAINTAIN TRANSACTION (SE93).

2. Which authorization object is checked when the transaction is called?

Authorization object:____________________

3. Which authorization values must exist for the authorization check to be positive and the
transaction to be started?
____________________

Task 2: Display Authorization Data for User

Log on to the system with user “ADM940-SU53” (password: ADM940). Then call transaction
VA07 by entering the transaction code in the command line or by choosing the following menu
path: SAP Menu → Logistics → Sales and Distribution → Sales → Information
System → Worklists → Compare Sales - Purchasing (Order).

1. Log on to the system with user “ADM940-SU53” (password: ADM940).

2. Log on to the system as user “ADM940-SU53”.

3. Call transaction VA07

4. Can you call the transaction?

____________________

5. What message is returned by the system?

____________________

6. Find out which object was checked, and what authorizations you have.
Use transaction SU53 to find out which object was checked, and what authorizations you
have.
____________________

7. Test the remote call using your ADM940-## user.

Task 3: Analyze Authorization in the User Buffer

Describe the user buffer and display it for user “ADM940-SU53”.

1. What do you see in the user buffer? Describe its content.

© Copyright. All rights reserved. 19

Unit 2: Basic Terminology of Authorizations

________________________________________
________________________________________
________________________________________
________________________________________

2. How can you call the user buffer?

____________________

3. Display the buffer for your user “ADM940-SU53”. How many authorization entries does
this user have?
____________________

4. Log off as user ADM940-SU53.

© Copyright. All rights reserved. 20

 Unit 2
Solution 3
Check Authorization in the SAP System

Business Example
In practice, it is important to know the special features of the authorization check performed
when a transaction is called in the system. It is also important to determine, if an unsuccessful
authorization check is reported, why it was unsuccessful. This exercise will consolidate the
content of the lesson with work in the system.

Task 1: Display the Definition of a Transaction

Display the definition of transaction FB03.

1. Start the transaction MAINTAIN TRANSACTION (SE93).

a) Choose Menu path: SAP Menu → Tools → ABAP Workbench → Development → Other
Tools → Transactions (SE93).

b) Enter FB03 in the Transaction Code field.

c) Choose Display.

2. Which authorization object is checked when the transaction is called?

Authorization object:____________________
a) Take the value from the Authorization Object field.
Authorization object: F_BKPF_BUK

3. Which authorization values must exist for the authorization check to be positive and the
transaction to be started?
____________________
a) Choose the Values button.
Activity: 03
The company code is not checked here, so it does not matter which authorization
values exist in the user master record for it.

Task 2: Display Authorization Data for User

Log on to the system with user “ADM940-SU53” (password: ADM940). Then call transaction
VA07 by entering the transaction code in the command line or by choosing the following menu
path: SAP Menu → Logistics → Sales and Distribution → Sales → Information
System → Worklists → Compare Sales - Purchasing (Order).

1. Log on to the system with user “ADM940-SU53” (password: ADM940).

2. Log on to the system as user “ADM940-SU53”.

a) Start SAP Logon.

b) Select system T41 and choose Log On.

c) Enter the user name ADM940-SU53 in the User field.

© Copyright. All rights reserved. 21

Unit 2: Basic Terminology of Authorizations

d) Enter ADM940 in the Password field.

e) Choose Enter.

3. Call transaction VA07

a) Enter the transaction code in the command line or by choosing the following menu
path: SAP Menu → Logistics → Sales and Distribution → Sales → Information
System → Worklists → Compare Sales - Purchasing (Order).

4. Can you call the transaction?

____________________
a) No.

5. What message is returned by the system?

____________________
a) “You are not authorized to use transaction VA07”

6. Find out which object was checked, and what authorizations you have.
Use transaction SU53 to find out which object was checked, and what authorizations you
have.
____________________
a) Enter the transaction code SU53 in the command line.
The object “S_TCODE” was checked, and your user had no authorizations for Object
S_TCODE field TCD Value1 VA07.

b) Double-click the row indicating the missing authorization for transaction VA07.

c) Select the node User's Authorization Data ADM940-SU53 and choose Expand Subtree
(F6).
The column Authorization Values shows that your user has the following
authorizations for Object S_TCODE field TCD:
SESS, SESSION_MANAGER, SMEN, SSC1, SU3, SU53, and SU56 .

7. Test the remote call using your ADM940-## user.

a) To do this, use your ADM940-## user to call SU53; then use the icon “User (F5)” for
the remote call of SU53 for a different user.

Task 3: Analyze Authorization in the User Buffer

Describe the user buffer and display it for user “ADM940-SU53”.

1. What do you see in the user buffer? Describe its content.

________________________________________
________________________________________
________________________________________
________________________________________
a) The user buffer has the following meaning:
Each user has his or her own user buffer, in which all authorizations that are assigned
to the user are listed. This list is arranged by Object/Authorization/Object Text.

2. How can you call the user buffer?

© Copyright. All rights reserved. 22

 Solution 3: Check Authorization in the SAP System

____________________
a) With transaction SU56.

3. Display the buffer for your user “ADM940-SU53”. How many authorization entries does
this user have?
____________________
a) Start transaction SU56.

b) The number of entries is 6.

- S_TCODE
- S_USER_AGR
- S_USER_AUT
- S_USER_GRP
- S_DEVELOP
- S_OC_SEND

4. Log off as user ADM940-SU53.

a) In the session for user ADM940-SU53, choose System → Log Off in the menu.

© Copyright. All rights reserved. 23

 Unit 3
Exercise 4
Maintain and Evaluate User Data

Business Example
Almost all companies use PCs and software programs to support their employees in their
daily work. However, to work with this technology, the users require access and
authorizations to call the programs. A control method in an SAP system is the user master
record and its roles and profiles.

Task 1: Create a user group

Create a new user group ZGR## with a description of your choice.

1. Start transaction Maintain User Groups (SUGR).

Task 2: Create a User Master Record

Create a user master record for a dialog user GR##-ADM.

1. Start transaction User Maintenance (SU01).

2. Enter an initial password of your choice and assign the user to user group ZGR##.
Initial password: Init1234

3. Assign the log-on language that you have used yourself for logging on.

4. Save your user master record.

Task 3: Assign a Predefined Work Center Example to Your New User Master Record
Assign a predefined work center example ADM940_BC_ADMIN to your new user master
record by choosing the Other Menu button on the SAP Easy Access initial screen.

1. Choosing the Other Menu button on the SAP Easy Access initial screen (on the application
toolbar: [Shift+F5]).

2. Assign your new user GR##-ADM to the role ADM940_BC_ADMIN.

Task 4: Check the User Master Record

Switch from the Other menu display back to the SAP menu display.
Check the user master record of your user GR##-ADM.

1. Switch from the Other menu display back to the SAP menu display.

2. Check whether a role is assigned to your user GR##-ADM.

Assigned role:
____________________

3. Link your user with another role. Choose the role ADM940_PLUS.
If you are in “display mode”, then change to “change mode” (Shift+F7).

4. Are authorization profiles assigned to your user?

Which authorization profile(s)?

© Copyright. All rights reserved. 24

 Exercise 4: Maintain and Evaluate User Data

___________________;
___________________.

5. Save your user master record.

6. Go back to the SAP Easy Access menu.

Task 5: Display the Change Documents for a User

Display the change documents for your user GR##-ADM by calling up the information system
for users and authorizations and selecting the report For Users under Change Documents for
users and authorizations.

1. Display the change documents for your user GR##-ADM by calling up the information
system for users and authorizations and selecting the report For Users under Change
Documents for users and authorizations.

2. Does the list tell you that creating the user master record and assigning the user to roles
were separate steps?
______________________________________________

Task 6: Log On to the System with the Credentials of the Created User
Try to log on to the system as user GR##-ADM without Language information.

1. Start SAP Logon and log on to the system as user GR##-ADM.

2. Do you need to enter a log-on language?

____________________

3. Check the user menu (Ctrl+F10):

If you want to see the transaction codes in the user menu, select on the top menu
Extras → Settings and select Display Technical Name.
Which functions does it contain? List some examples.
______________________________________________
______________________________________________

4. Check the user buffer by calling the Analyze User Buffer transaction.
How many authorizations exist?
____________________
For which authorization objects? List some examples.
______________________________________________
______________________________________________

5. Log off as user GR##-ADM and log on again as user ADM940-##.

Task 7: Create Users Using the User Mass Maintenance Transaction

Create additional user master records using the User Mass Maintenance transaction.

1. Start the User Mass Maintenance transaction.

2. Create the following six user names.

User Name

GR##-FI1

© Copyright. All rights reserved. 25

Unit 3: User Settings

User Name

GR##-FI2
GR##-SD1
GR##-SD2
GR##-MM1
GR##-MM2

3. Assign the user group ZGR## to all users.

4. Assign the log-on language that you have used yourself for logging on.

5. Save your user master record.

6. Check the result in the change log for a given user entry.
You can copy the generated initial passwords into the tables in the exercise section.

Hint:
Passwords of 40 characters in length are automatically generated. If you
want, you can copy the generated passwords from the log to the following
table, or change them directly for future tasks in transaction SU01 when
required, using the Change Password button (Shift+F8).

User name Generated Password

GR##-FI1
GR##-FI2
GR##-SD1
GR##-SD2
GR##-MM1
GR##-MM2

7. You can copy the generated initial passwords into the tables in the exercise section.

© Copyright. All rights reserved. 26