Maintain authorization groups

You can maintain authorization groups for tables and views with the Generate table maintenance dialog maintenance transaction.

An authorization group contains tables and views with the same security requirements.

1. Choose Authorization groups and Create/Change in the initial screen.
2. Choose new entries. An input area for new entries appears.
3. Enter a name for the authorization group and a descriptive text.
4. Save your input.

To activate the authorization, you must determine an activity for the authorization group in the authorization object.

The system automatically includes the definition of a new authorization group in a correction only:
o if the authorization group is used, and
o then generation via the Change or Delete function, or the client is set to automatic recording of changes.

Otherwise you must include it yourself using the Table view → Transport function in the authorization group maintenance screen.

• The table that contains all authorization objects is TOBJ.
• The table that contains all activities is TACT.
• The table that contains definition of all authorization groups is TBRG.

TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.

Authorization Objects Checked in Role Maintenance

The role maintenance functions (and the profile generator) check the following authorization objects:

Authorization Object -- Description

S_USER_AUT -- User master maintenance: Authorizations
This authorization object defines which authorizations the administrator can process. You can use the activities to specify the types of processing (such as creating, deleting, displaying change documents).

S_USER_GRP -- User master maintenance: User groups
The authorization object is used in role maintenance when assigning users to roles and during the user master comparison.
You can divide user administration between several administrators with this authorization object, by assigning only a certain user group to an administrator. You can use the activities to specify the administrator's processing types for the group (such as creating, deleting, and archiving).

S_USER_PRO -- User master maintenance: Authorization profiles
Profiles are protected with this authorization object. You can use the activities to specify the administrator's processing types for the profile (such as creating, deleting, and archiving).

S_USER_AGR -- Authorization system: Check for roles
This authorization object protects roles. The roles combine users into groups to assign various properties to them; in particular, transactions and authorization profiles.
You can use this authorization object together with the authorization objects S_USER_GRP, S_USER_AUT, S_USER_PRO, S_USER_TCD, and S_USER_VAL to set up a distributed user administration.

S_USER_TCD -- Authorization system: Transactions in roles
This authorization object determines the transactions that an administrator can assign to a role, and the transactions for which he or she can assign transaction authorization (object S_TCODE).
Note that a user can only maintain ranges of transactions for the S_TCODE authorization object in the Profile Generator if he or she has full authorization for the S_USER_TCD authorization object.
Otherwise, he or she can only maintain individual values for the S_TCODE object.

S_USER_VAL -- Authorization system: Field values in roles
This authorization object allows the restriction of values that a system administrator can insert or change in a role in the Profile Generator.
This authorization object relates to all field values with the exception of the values for the object S_TCODE. The authorization to include transactions in a role or to change the transaction start authorization in a role is linked to the authorization object S_USER_TCD.

S_USER_SYS -- Authorization object for system assignment in the Central User Administration (CUA)
You can distribute users from a central system to various child systems of a system group. The object S_USER_SYS is used to check the systems to which the user administrator can assign the users. This authorization object is also checked when setting up the CUA.

S_USER_SAS -- User master maintenance: System-specific assignments
The authorization object S_USER_SAS is checked in transactions SU01, SU10, PFCG, and PFUD when you assign roles, profiles, and systems to users. It represents a development of the authorization objects S_USER_GRP, S_USER_AGR, S_USER_PRO, and S_USER_SYS, which the system previously checked when users made assignments. If you do not activate the authorization object S_USER_SAS using the Customizing switch, the previously-used authorization objects are checked.
To activate authorization object S_USER_SAS, use transaction SM30 to create the Customizing switch CHECK_S_USER_SAS with the value YES in the table PRGN_CUST. All authorization checks for the objects S_USER_AGR, S_USER_PRO, S_USER_GRP, and S_USER_SYS with the activity assign are replaced by authorization checks for the object S_USER_SAS.

S_USER_ADM -- Administration functions for user and authorization administration
The authorization object S_USER_ADM protects general Customizing and administration tasks for user and authorization administration. It consists solely of the authorization field S_ADM_AREA.
Until now, there was only the fixed value CHKSTDPWD, with which special users (such as SAP*) could be displayed, including their default passwords.
SAP extends additional fixed values as required for other general administration functions in the area of user and authorization administration, which are listed in SAP Note 704307.

For more information about the authorization checks, see the system documentation for the authorization objects. To display this documentation, choose Environment → Authorization Objects → Display in role maintenance (transaction PFCG). Expand the corresponding node and choose the I button for the relevant authorization object.

S_USER_AGR: Authorizations: Role Check
Fields:
1. Activity
2. Role Name

S_USER_AUT: User Master Maintenance: Authorizations
Fields:
1. Activity
2. Authorization name in user master
3. Authorization Object

S_USER_GRP: User Master Maintenance: User Groups
1. Activity
2. User group in user master main

S_USER_PRO: User Master Maintenance: Authorization Profile
1. Activity
2. Auth. profile in user master

S_USER_TCD: Authorizations: Transactions in Roles
1. Transaction Code

If you don't want to keep the value blank in a derived role, then use the null ("") value in the organizational unit of the derived roles.

SQVI Configuration Table(s)
Reply from Evgeniy Gichev | posted Sep 9, 2010 | Replies (12)

Hi there,
I've just managed to get SQVI queries from one user to be visible and also changeable for another user. There is still a problem that SQVI works with only one user group and this is the first user group that the user is authorized to. I couldn't find a way to change the user group there.
Here it is USER1 to have access to USER2 queries:
Execute transaction SQ03.
Choose from menu Settings > Settings
Activate "Display system objects", and then press Enter to adopt the changes.
Make sure that your work area is set to "Standard area" in menu Environment > Query area
Type username you want to assign queries (USER1); --> change.
place tick to usergroup (the name is at the end)- USER2:
SYSTQV000005 QuickViews: USER2
remove the tick from USER1 if it is before USER2 in the list and save.
Unfortunately this will switch USER1 to USER2 queries, will not have access to both at the same time.

* (asterisk)
• Denotes a set of arbitrary characters
• Used alone to grant access to all values
• Used at the end of a value to specify a simple pattern (example: SAP*)

: (colon)
• Allows access only to aggregated data (e.g., allows information on all sales areas only on aggregated level – not on particular sales areas)

+ (plus)
• Denotes exactly one character
• Used at the end of a value to specify a simple pattern (example: RED+)
• Used to specify date patterns (only for Validity (0TCAVALID))

# (hash)
• Stands for the initial or unassigned value

http://www.sap-school.com/certificationquestionsbi.html

01  Create or generate
02  Change
03  Display
04  Print, edit messages
05  Lock
06  Delete
07  Activate, generate
08  Display change documents
09  Display prices
10  Post
11  Change number range status
12  Maint.and gen.change document
13  Initialize number levels
14  Field select.:Generate screen
15  Field select.:Assign table
16  Execute
17  Maintain number range object
18  Deliveries from coll. proc.
19  Invoices from coll. proc
20  Transport without translation
21  Transport
22  Enter, Include, Assign
23  Maintain
24  Archive
25  Reload
26  Change customer account group
27  Display totals records
28  Display line items
29  Display saved data
30  Determine
31  Confirm
32  Save
33  Read
34  Write
35  Output
36  Extended maintenance
37  Accept
38  Perform
39  Check
40  Create in DB
41  Delete in DB
42  Convert to DB
43  Release
44  Flag
45  Allow
46  Merge
85  Reverse
86  Rebook
87  Return
88  Perform
89  Force Posting
90  Copy
91  Reactivate
92  Create from Template
93  Calculate
94  Override
95  Unlock
96  Reject
97  Set
98  Mark for release
99  Generate invoice list
A1  Accrue
A2  Pay
A3  Change status
A4  Resubmit
A5  Display reports
A6  Read with filter
A7  Write with filter
A8  Process mass data
A9  Send
AA  Print Again
AB  Settle
B1  Display permitted values
B2  Complete Technically
B3  Derive
B8  Execute Again
B9  Post Parked Document
BD  Maintain obj. in non-OwnerSys.
BE  IMG projection
C1  Maintenance of payment cards
C2  Display of payment cards
C3  Maintenance of manual auth.
C4  Develope Payment Card
C5  Reopen
C8  Confirm change
D1  Copy
D3  Detailed Display
DL  Download
DP  Delete plan
E0  Save extract
E6  Delete own extracts
E7  Delete external extracts
EP  Prioritise extract
FP  Change customer field selectn
G1  Maintain Budget
G2  Billing
G3  Maintain Overhead Costs
G4  Maintain Reevaluation
G5  Park
G6  Transfer Budget
G7  Reverse
GL  General overview
H1  Deactivate
H2  Activate Logging
H3  Deactivate Logging
KA  Activate notice
KI  Knock In
KO  Knock Out
KS  Reverse notice
KU  Give notice
L0  All functions
L1  Function range level 1
L2  Function range level 2
LM  Change LDAP Mapping
LS  Change LDAP Sync. Switch
MA  Deactivate mod.assistant
OA
OC
OR
P0  Accept CCMS CSM data
P1  Edit CCMS CSM data
P2  Maintain CCMS CSM methods
P3  Register CCMS CSM remote systm
PA  Open Period
PB  Close Period
PC  Open Consoled. Group Processing
PD  Close Consoled. Unit Processing
PP  Set as productive
PR  Process Correspondence
PS
PU  Publish
RS  Send to New Recipient
S1  Edit template
S2  Edit specification
SO  Edit in Sourcing
SZ  Assign Switch Framework Switch
U2  Compare business volumes
U3  Change business volume comp.
U4  Add business volume data
UL  Upload
V1  Create version
V2  Change Version
V3  Display Version
V4  Delete Version
V5  Transport Version
V6  Delete Version Header
VE  Create an Enhancement ID
VF  Expired
W1  Debug
W2  External Start

Security Tables

Table  Description
USR02  Logon data
USR04  User master authorization (one row per user)
UST04  User profiles (multiple rows per user)
USR10  Authorisation profiles (i.e. &_SAP_ALL)
UST10C  Composite profiles (i.e. profile has sub profile)
USR11  Text for authorisation profiles
USR12  Authorisation values
USR13  Short text for authorisation
USR40  Table for illegal passwords
USGRP  User groups
USGRPT  Text table for USGRP
USH02  Change history for logon data
USR01  User Master (runtime data)
USER_ADDR  Address Data for users
AGR_1016  Name of the activity group profile
AGR_1016B  Name of the activity group profile
AGR_1250  Authorization data for the activity group
AGR_1251  Authorization data for the activity group
AGR_1252  Organizational elements for authorizations
AGR_AGRS  Roles in Composite Roles
AGR_DEFINE  Role definition
AGR_HIER2  Menu structure information - Customer vers
AGR_HIERT  Role menu texts
AGR_OBJ  Assignment of Menu Nodes to Role
AGR_PROF  Profile name for role a
AGR_TCDTXT  Assignment of roles to Tcodes
AGR_TEXTS  File Structure for Hierarchical Menu - Cus
AGR_TIME  Time Stamp for Role: Including profile
AGR_USERS  Assignment of roles to users
USOBT  Relation transaction to authorization object (SAP)
USOBT_C  Relation Transaction to Auth. Object (Customer)
USOBX  Check table for table USOBT
USOBXFLAGS  Temporary table for storing USOBX/T* chang
USOBX_C  Check Table for Table USOBT_C

List transactions by user
Gary Morris

Using SUIM to determine who has the ability to run certain transactions does not always report on ALL users that can run the said transaction. There is an accurate method using OPF0 (Last character is zero)
From menu, Information > Overview > User > choose object > Cross-application Authorization Objects > Authorization Check for Transaction Start > Enter Transaction Code in Upper Case > Enter
This will show you who can execute the transaction and what profiles are involved.

Which T.Code can display the history of a user in SAP except SM19, and SM20
By: Denny Kosiady | 06 Feb 2010 4:20 am

Dear All,
I'm new in SAP, and I would like to ask about the tcode that can display the history of a user in SAP except SM19 and SM20. I have a case where a user is able to access a tcode which he/she shouldn't be able to access, because he/she has no authorization for that tcode.
Another case is I have a user here that is accessing tcode SU01; are we able to record whatever he does for that tcode? Let's say he creates a user, and I need a tcode that is able to display whatever he does for that tcode. Is that tcode available?

SU03 and SU21
From class to activity hierarchy shows. Besides that, AGR_TCODES only displays transactions from role menus. Manually added transactions and/or transaction ranges will not show here. Go to AGR_1251 and filter on object S_TCODE for those.
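
The AGR_1251 lookup described above, as an added example that is not part of the original notes: it filters role authorization data on object S_TCODE, resolves single values, trailing-* patterns and ranges, and joins the result to AGR_USERS. The tuple layout, role names, user names and dates are constructed for illustration, and range matching is simplified to an inclusive character-wise comparison.

```python
# Constructed sample rows shaped like table exports (e.g. from SE16); the
# column order used here is an assumption of this example.
AGR_1251 = [  # (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED)
    ("Z_BASIS_ADMIN", "S_TCODE", "TCD", "SU01", "", ""),
    ("Z_BASIS_ADMIN", "S_TCODE", "TCD", "SM19", "SM21", ""),  # manual range
    ("Z_HELPDESK", "S_TCODE", "TCD", "SU*", "", ""),          # pattern value
    ("Z_HELPDESK", "S_USER_GRP", "ACTVT", "03", "", ""),      # other object
    ("Z_OLD", "S_TCODE", "TCD", "SU01", "", "X"),             # deleted entry
    ("Z_DISPLAY", "S_TCODE", "TCD", "SU01D", "", ""),
]
AGR_USERS = [  # (AGR_NAME, UNAME, FROM_DAT, TO_DAT), dates as YYYYMMDD
    ("Z_BASIS_ADMIN", "ALICE", "20240101", "99991231"),
    ("Z_HELPDESK", "BOB", "20240101", "99991231"),
    ("Z_OLD", "CAROL", "20240101", "99991231"),
    ("Z_BASIS_ADMIN", "DAVE", "20230101", "20231231"),        # expired
]


def value_matches(tcode, low, high):
    """True if an S_TCODE value (single, trailing-* pattern, range) covers tcode."""
    if high:                       # range: inclusive character-wise comparison
        return low <= tcode <= high
    if low.endswith("*"):          # "*" alone matches every transaction
        return tcode.startswith(low[:-1])
    return tcode == low


def roles_allowing(tcode):
    """Roles whose non-deleted S_TCODE authorizations cover the transaction."""
    tcode = tcode.upper()
    return {
        role for role, obj, field, low, high, deleted in AGR_1251
        if obj == "S_TCODE" and field == "TCD" and deleted != "X"
        and value_matches(tcode, low, high)
    }


def users_allowed(tcode, on_date):
    """Map user -> sorted roles granting the transaction, valid on on_date."""
    roles = roles_allowing(tcode)
    result = {}
    for role, user, valid_from, valid_to in AGR_USERS:
        if role in roles and valid_from <= on_date <= valid_to:
            result.setdefault(user, []).append(role)
    return {user: sorted(r) for user, r in result.items()}


if __name__ == "__main__":
    for tc in ("SU01", "SM20", "SU01D"):
        print(tc, users_allowed(tc, "20250601"))
```

Profiles assigned to a user directly, outside a role, do not appear in the AGR_* tables, so this covers role-based access only.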