Composite role creation in SAP (PFCG)

Composite role: A group of one or more roles, combined for administrative purposes, is referred to as a composite role.

Step 1 - Go to PFCG

Step 2

Enter the composite role name and then click on "comp role"

Step 3

Specify the description
A composite role doesn't contain authorizations itself; it is nothing but a group of one or more roles.

Step 4

Specify the roles

Step 5
Click on the Read menu tab. When you click on this Read menu tab, it will fetch authorizations from the single roles.

Single Role Creation In SAP (PFCG)

Role: a role is a set of transactions.

1. Go to Tcode PFCG
2. Enter New Role Name you want to create
3. Click "Role" button
4. Describe the Role in "Description" field

5. Click "Menu" tab

6. Click "Transaction" button to add Tcode

7. Click 
8. Click "Authorizations" tab
9. Click "pencil" button to change authorization
10. Put "Org element value"
11. Save

12. Fill in the missing authorization

13. If we wish to give full authorization to this role, hit the "check" button
This is the current BC_A Object class
And this is the whole roles list
14. Save the role.
15. Enter profile name.
(We can get an auto-generated profile name from the system if we leave it blank.)
16. Generate  for authorization
17. Click "user" tab to assign role to relevant users
18. Click  to make comparison of users

Creating a SAP Account / User Creation in SAP (SU01)

Step 1 

To create an SAP user you should run transaction SU01 or Tools -> Administration -> Maintain Users -> Users. Then enter a user name for the user you want to create.
When creating a user, remember that that user only exists in that client.  If you want a user to have access to another client, you must create the user in that client.
When you create a new user,  that user has various types of information associated with it. 

Step 2 
Entering a password.
The first field that you edit in a new User Master Record is the password field.  You must add a password for a new user. To protect against typing errors, you must enter the password twice. 
SAP user passwords have various properties. SAP passwords:
are not case-sensitive (the R/3 System does not differentiate between upper- and lowercase letters)
must be at least three characters long
have a maximum length of eight characters
may contain any characters which can be input from the keyboard. This includes digits, spaces and punctuation marks
cannot begin with a question mark or exclamation mark
may not contain spaces within the minimum length. This is normally the first three characters
may not begin with three identical characters
may not be PASS or SAP*
may not be used if its use has been forbidden
may not start with a sequence of three characters which appears in the user name
When the user logs on for the first time, he or she must enter a new password.
When a user changes his or her password, the new password must be different to each of that user’s last five passwords.
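
The rules listed above, written as a pre-check that a provisioning script could run before an initial password is entered in SU01. This is an added example, not SAP code; the function name and the forbidden and history inputs are assumptions, and the SAP system performs the real check itself.

```python
MIN_LEN, MAX_LEN = 3, 8            # limits stated in the list above
RESERVED = {"PASS", "SAP*"}


def check_password(password, user_name, forbidden=(), history=()):
    """Return the list of violated rules (an empty list means acceptable).

    forbidden: site-maintained disallowed passwords (assumed input).
    history:   the user's earlier passwords, newest last (assumed input).
    """
    pw = password.upper()          # passwords are not case-sensitive
    name = user_name.upper()
    head = pw[:MIN_LEN]            # "minimum length" = first three characters
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than 3 characters")
    if len(pw) > MAX_LEN:
        problems.append("longer than 8 characters")
    if pw[:1] in ("?", "!"):
        problems.append("begins with ? or !")
    if " " in head:
        problems.append("space within the first three characters")
    if len(head) == 3 and len(set(head)) == 1:
        problems.append("begins with three identical characters")
    if pw in RESERVED:
        problems.append("is PASS or SAP*")
    if pw in {f.upper() for f in forbidden}:
        problems.append("is on the forbidden list")
    if len(head) == 3 and head in name:
        problems.append("starts with three characters from the user name")
    if pw in {h.upper() for h in list(history)[-5:]}:
        problems.append("matches one of the last five passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Blue7sky", "pass", "smi2024", "aaab12", "a b12345"):
        print(candidate, "->", check_password(candidate, "JSMITH") or "ok")
```

Because comparison is done on the upper-cased value, "Winter01" and "WINTER01" count as the same password for the history and forbidden-list checks.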

Step 3 (Optional)

User Group
A user group is the name of the group of User Master Records to which this user is assigned.
If you plan to divide maintenance of User Master Records among user administrators, then you must assign the user to a user group.  If a user is assigned to a user group, then only an administrator who is authorized for the user group can maintain the user.   
A User Master Record that is not assigned to a user group can be altered by any user administrator.

Step 4 (Optional )

Account Validity and Account Number
The account valid dates are the dates during which this account is valid.  If you do not enter any information in these fields your account will be valid immediately and never expire.
Account number:  Enter a freely-selectable account name or number.  The user's system usage is assigned to this account if you are using the SAP accounting system.  The account name or number may be unique to each user or can be shared among groups of users.
SAP recommends entering a user's cost center or company code as the account number. 
If you are using the accounting system, then you should always enter an account name or number.  Otherwise, the user's usage will be assigned to a collective "No account" category by the accounting system.

Step 5 (Optional)
User type
Dialog 'A'
A normal dialog user is used by exactly one person for all logon types.
Dialog logons are checked for obsolete/initial passwords which must be changed.
Multiple dialog logons are checked and logged.
System 'B'
Use the user type System for dialog-free communication within one system (for RFC or CPIC service users) or for background processing in one system.
Dialog logon is not possible.
A user of this type is excluded from the standard settings for password validity period. The password can only be changed by user administrators or in transaction SU01 (Goto -> Change Password).
Communication 'C'
Use the user type Communication for dialog-free communication between systems (for RFC or CPIC service users of different applications, for example, ALE, Workflow, TMS ZBV).
Dialog logon is not possible.
Service 'S'
A user of type Service is a dialog user available to a large anonymous set of users. It usually has closely-restricted authorizations.
Service users are used, for example, for anonymous system access via an ITS service. You can change a session which began as an anonymous session with a service user into a personal session under a dialog user with an individual authentication.
There is no check for obsolete/initial passwords at logon. Only the user administrator can change the password.
Multiple logon is allowed.
Reference 'L'
A Reference user is a general impersonal user like the Service user. You cannot log on with a Reference user. The Reference user is used to give Internet users identical authorizations.
You can specify a Reference user for additional dialog user authorizations, in the Roles tab. The application generally controls the assignment of Reference users. The name of the Reference user can be assigned in variables which should begin with "$". The assignment variable-Reference user is made in the transaction SU_REFUSERVARIABLE.
This assignment applies to all systems in a CUM landscape. If the assigned Reference user does not exist in a CUM subsidiary system, the assignment is ignored.
Use the user type System for dialog-free communication between systems (for RFC or CPIC service users) or for background processing in a system. Dialog logon is not possible.
A user of this type is excluded from the general password validity period settings. The password can only be changed by the user administrator in the transaction SU01 under Goto -> Change Password

Step 6 
Put details like name

Communication type with which you can exchange documents and messages with a business partner.
In the central address management you can specify a standard communication type which can be used by programs to determine the communication type for sending messages.

Step 7 (Optional )

Name of an output device in the SAP System. The name is entered in the definition of the output device. Users in the SAP System use this name (or the long name) to select the output device.
Maintaining the name: Enter any name you choose to identify an output device in the SAP System. If you have many printers, they should be named according to naming convention. This makes it easier to select a printer in spool administration using a generic selection.
Processing a spool request: Enter the SAP name of the output device you want to execute your output request. Display a list of available printers and other devices with Possible entries. To set a default name, choose System -> User profile -> Own data.
Selecting spool requests: Enter the SAP name of an output device to display the spool requests to be executed by this device. Use Possible entries to display a list of available devices.

Step 8 (Optional )

A field can be filled with proposed values from SAP memory using a parameter ID.
A user only has authorization for company code 001. This company code is stored in memory at the beginning of a transaction under the corresponding parameter ID. Fields that refer to the data element are automatically filled with the value 001 in all subsequent screen templates.
A field in the screen template is only filled automatically with the value stored under the parameter ID of the data element if this was explicitly permitted in the Screen Painter.

Step 9

The SAP standard contains more than 1200 predefined single roles from all application areas.
If you assign a predefined role to a user, he or she is automatically given the user menu required for his or her daily work and the authorizations required for it, when he or she logs on to the SAP System.
He or she can also define his or her personal Favorites from the functions assigned to him or her. The user calls transactions, programs or internet/intranet applications from the Favorites or the job structure tree.
Before you start to create your own roles for your staff, check whether the roles delivered by SAP can be used for the job descriptions in your company.

Step 10
User Profiles
The bottom row of the Maintain User screen contains fields for entering the names of profiles which can be associated with the user.  We will discuss how to add user profiles in a later chapter.
The SAP System contains predefined profiles:
SAP_ALL: assign the profile SAP_ALL to users who are to have all R/3 authorizations including super user authorization.
SAP_NEW: assign this profile to users who are to have access to all not yet protected components.

Step 11 (Optional)

A user group is a logical grouping of users.
The purpose of user groups is to:
a. Provide administrative groups for users so they can be managed in these groups.
b. Apply security.
c. Create the group “Trmin” for terminated users. Lock all users in this group.

User Creation Complete 
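
A review of exported user master data against the points made in Steps 3, 4, 5, 10 and 11, as an added example that is not part of the original tutorial. The CSV layout, column names and sample users are constructed for illustration and are not an SAP export format.

```python
import csv
import io

# Constructed sample export; the column names are hypothetical.
SAMPLE = """user,type,group,valid_to,locked,profiles
JSMITH,A,FINANCE,2025-12-31,N,
BATCH_FI,B,,,N,SAP_ALL
OLDUSER,A,TRMIN,,N,
WEBANON,S,SERVICE,,N,SAP_NEW
ADMIN1,A,SUPER,,N,SAP_ALL
"""

BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}   # predefined profiles from Step 10
TERMINATED_GROUP = "TRMIN"                # group for terminated users, Step 11


def audit(export_text):
    """Return {user: [findings]} for user records that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        notes = []
        profiles = set(filter(None, row["profiles"].split(";")))
        broad = sorted(profiles & BROAD_PROFILES)
        if broad:
            notes.append("broad profile: " + ",".join(broad))
        # System and Service users skip the password age checks (Step 5).
        if broad and row["type"] in ("B", "S"):
            notes.append("password exempt from expiry checks")
        # Without a user group, any user administrator can change the record.
        if not row["group"]:
            notes.append("no user group")
        # Empty validity dates mean the account never expires (Step 4).
        if row["type"] == "A" and not row["valid_to"]:
            notes.append("dialog user never expires")
        if row["group"].upper() == TERMINATED_GROUP and row["locked"] != "Y":
            notes.append("terminated user not locked")
        if notes:
            findings[row["user"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit(SAMPLE).items():
        print(user, "->", "; ".join(notes))
```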

Transport Cycle of SAP with Case Study from Development To Quality & from Quality To Production

Case Study
ABC Ltd, a car manufacturing company, recently formed a group of 5 people in the finance department and decided to give them special authority for Accounts Receivable T-Codes.

Management has asked the SAP team to assign this role to these 5 people in SAP FICO.
The T-Code used for assigning roles is ‘PFCG’.
Click on Single Role, and create that role. I am skipping role creation from the snapshots.

After role creation in PFCG, select that role.
The following window will appear with the selected role; now click on export (truck).

Tick the check box and then click on execute.

Warning: press Enter.

Tick both check boxes and press Enter.

Warning: press Enter.

In the next window, create a transport request.

Enter the details.

After saving the above window, the following window will appear with the transport number; press Enter.

The data is entered in the request. Now close this transaction and open SE01 to release the request.

The T-Code used to release the transport request is ‘SE01’. Enter our generated transport number and click on display.

Details of your transport.

The T-Code used to import the transport request is ‘STMS_IMPORT’.

The system asks whether to schedule the import or import immediately. I will import immediately.

Click on log.

The transport was imported successfully to QA. Now the QA people will test the newly created role, and after testing the role will be imported to the production system. The process to import to production will be the same as for the import to QA.

Error codes 0 and 4 are OK. If the code is different from 0 or 4, the import has failed.