Assigning Authorization Profiles


Choose Profiles to assign authorization profiles to a user.

You can assign a large number of authorization profiles to a user (about 150).

Profiles grant users various authorizations.

You should maintain your profiles using the Profile Generator unless you have to edit profiles that were created manually.

You can manually maintain profiles by choosing Tools → Administration, User maintenance → Profiles (see Creating and Maintaining Authorizations and Profiles Manually). You can also enter composite profiles (a combination of several profiles) in the user master records when manually maintaining profiles.

If you choose automatic maintenance, the Profile Generator generates an authorization profile on the basis of an activity group. For this, the system parameter auth/no_check_in_some_cases = Y must be set (see the system documentation).

From the user maintenance, you can select Environment → Maintain act. group to branch into the functions for maintaining activity groups and generating profiles. Further details on this topic are contained in: Generating Authorization Profiles Automatically with the Profile Generator.

You can assign activity groups to a user by choosing Environment → Maintain activity group. This simultaneously assigns the appropriate authorization profiles to the user. You can find further details in Assigning Task Profiles and Comparing Profiles in the User Master Record With Activity Groups.

The R/3 System contains predefined profiles for all components. A few examples of these are listed below:

System administrator: S_A.SYSTEM

System operator: S_A.ADMIN

Customizer: S_A.CUSTOMIZ

Program developer: S_A.DEVELOP

End user: S_A.USER

Further details are contained in the section Basis Authorizations in Standard Profiles.

In the Customizing documentation you can find information about predefined profiles for SAP work areas. If you want to display this information, choose Tools → Business Engineer → Customizing, Implementation projects → SAP Reference IMG. You can then search for the work area documentation regarding authorizations. The individual documentation modules all contain the word ‘authorization’.

You can find information about the SAP naming convention for predefined profiles in the section Naming Convention for Pre-Defined Profiles.

The SAP_NEW Profile

The SAP_NEW profile is a composite profile which is supplied by SAP in every Release or upgrade level. It contains a single profile, SAP_NEW_<Release>, with new authorizations for each new Release or upgrade level, for example, SAP_NEW_30D. SAP_NEW is included in every SAP delivery.

The SAP_NEW profile grants unrestricted access to all existing functions for which additional authorization checks have been introduced. Users can therefore continue to work uninterrupted with functions which are subject to new authorization checks which were not previously executed. This ensures upwards compatibility.

For this reason you should assign SAP_NEW to all user master records.

As system administrator, you decide which users should receive the new authorizations following a Release upgrade.

If you have skipped releases or upgrades, when you execute this operation you need to take into account all authorizations which have come into the system in the meantime.

Once you have carried out these tasks, delete the single SAP_NEW_<release> profiles from the SAP_NEW profile.
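
The following is an added example, not part of the SAP documentation or SAP code: a small audit over exported profile assignments that shows which SAP_NEW_<release> profiles are still contained in SAP_NEW and which users inherit them, directly or through another composite profile. The data layout, the user names, the Z_ profiles, SAP_NEW_30C, the review list and all function names are assumptions made for the illustration.

```python
# Added example: constructed data and hypothetical helper names, not SAP code.
PROFILE_LIMIT = 150                      # approximate per-user limit from the text
WATCH = {"S_A.SYSTEM", "S_A.DEVELOP"}    # illustrative review list (assumption)

# Constructed sample: composite profile -> member profiles
COMPOSITES = {
    "SAP_NEW": ["SAP_NEW_30C", "SAP_NEW_30D"],
    "Z_CLERK_ALL": ["Z_FI_DISPLAY", "SAP_NEW"],
}
# Constructed sample: user -> profiles entered in the user master record
USER_PROFILES = {
    "MILLER": ["Z_CLERK_ALL"],
    "BASIS01": ["S_A.SYSTEM", "SAP_NEW"],
    "GUEST": ["S_A.USER"],
}

def expand(profile, composites, seen=None):
    """Resolve a profile to the single profiles it contains (cycle-safe)."""
    seen = set() if seen is None else seen
    if profile in seen:
        return set()
    seen.add(profile)
    if profile not in composites:
        return {profile}
    singles = set()
    for member in composites[profile]:
        singles |= expand(member, composites, seen)
    return singles

def pending_release_profiles(composites):
    """SAP_NEW_<release> profiles still contained in the SAP_NEW composite."""
    return sorted(expand("SAP_NEW", composites) - {"SAP_NEW"})

def audit(user_profiles, composites):
    """Per user: inherited SAP_NEW release profiles, watched profiles, limit."""
    pending = set(pending_release_profiles(composites))
    report = {}
    for user, assigned in user_profiles.items():
        effective = set()
        for profile in assigned:
            effective |= expand(profile, composites)
        report[user] = {
            "sap_new_releases": sorted(effective & pending),
            "watch": sorted(effective & WATCH),
            "over_limit": len(assigned) > PROFILE_LIMIT,
        }
    return report

if __name__ == "__main__":
    for user, row in audit(USER_PROFILES, COMPOSITES).items():
        print(user, row)
```

Once the SAP_NEW_<release> profiles have been deleted from SAP_NEW, the "sap_new_releases" list is empty for every user, which confirms the cleanup step.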