Creating an Authorization Profile Using Profile Generator

With Profile Generator, SAP has made authorization management very easy. First, we will create an authorization profile for a role. All users in that role can run queries but cannot change the queries.

Prerequisites

Three users U_EAST, U_MIDWEST, and U_WEST have been created through transaction SU01.

Work Instructions

Step 1. After logging on to the BW system, run transaction PFCG, or double-click Maintain Roles.

 

 

SCREEN 6.1

Step 2. Enter a name for the role, and then click .

 

 

Note

BW provides authorization profiles for a variety of roles in Business Content. To see a list of them, click .

SCREEN 6.2

Step 3. Click the Authorizations tab.

 

 

SCREEN 6.3

Step 4. Click to save the role and continue.

 

 

SCREEN 6.4

Step 5. Click to Change authorization data.

 

 

SCREEN 6.5

Step 6. Select the template S_RS_RREPU, and then click .

 

 

SCREEN 6.6

Note

BW provides authorization templates for a variety of roles in Business Content. S_RS_PPEPU is one of them, for query display and execution.

Step 7. The new window shows all authorizations for this role. For example, the users assigned to the R_RUN_QUERIES role can Display, Execute, Enter, Include, and Assign Calculated key figure, Query, Restricted key figure, and Template structure.

 

 

Note

If we expand other nodes, we will see other authorizations granted to this role.

To change an authorization field value, click next to the field. In our example, the reporting component Query has the activity Execute in two places. Let's remove Query from the first one.

 

SCREEN 6.7

Step 8. Deselect REP for Query, and then click to continue.

 

 

SCREEN 6.8

Note

S_RS_COMP is an authorization object; RSZCOMPTP is one of its fields. In this field we specify objects on which users can perform activities.

Step 9. Click to generate the profile.

 

 

SCREEN 6.9

Step 10. Enter a name and a description, and then click to continue.

 

 

SCREEN 6.10

Step 11. The status light of the Authorizations tab turns green (the red square becomes a green circle). Click the User tab to assign users to this role.

 

 

SCREEN 6.11

Step 12. Enter three users: one from the East region, one from the Midwest region, and one from the West region.

Click to add the authorization profile to the users' master data.

 

 

SCREEN 6.12

Step 13. Click to continue.

 

 

SCREEN 6.13

Step 14. Click to save the role.

 

 

SCREEN 6.14

Step 15. Notice that the status light of the User tab turns green (the red square becomes a green circle).

 

 

SCREEN 6.15

Result

You have created the role R_RUN_QUERIES and its corresponding authorization profile AP_R_QUERY. Also, you have assigned three users to this role. To verify that the role and assignments are correct, run transaction SU01 to display user U_WEST's master data. Under the tab Roles, review the role to which this user is assigned (Screen 6.16). Under the tab Profiles, notice the user's authorization profile (Screen 6.17).

SCREEN 6.16

SCREEN 6.17

From this example, we get an idea of how BW manages its authorization. Each role has an authorization profile. Users assigned to a particular role have all authorizations included in the authorization profile. A user can be assigned to multiple roles. The user derives his or her authorizations from the roles to which he or she is assigned.

Related

Категории