Day 7 - Authorization Tab in PFCG

Role Creation and Authorization in SAP

Overview of Role Creation

• The session begins with a review of the role created previously, specifically focusing on transaction codes (T-codes) SC38, SC16, and SC93.

• The main purpose of the authorization tab is highlighted: to generate profiles associated with roles. The profile generation icon is identified for reference.

Understanding Authorization Objects

• A question is posed regarding the origin of certain authorization objects that appeared automatically when T-codes were added to the menu. This leads to a discussion about authorized objects and their sources.

• SU24 is introduced as a critical T-code that displays T-codes along with their related authorization objects, emphasizing its utility in filtering proposals. For example, it shows three specific objects related to SC38: sunderscode dataset, s underscore develop, and s underscore program.

Exploring Additional T-Codes

• Further exploration reveals additional T-codes such as SE38 and SE16, leading to an examination of their respective authorization objects. For SE16, the object identified is yes underscore turbo underscore dis.

• An efficient method for identifying which T-code corresponds to each object is discussed; users can click on an icon resembling two hills with a sun rising behind them for quick reference. This feature indicates which T-code generates each object within the role.

Identifying Object Origins

• The session emphasizes understanding how different objects are linked to various T-codes by clicking on relevant icons next to each object name in the authorization tab. For instance, S underscore dataset relates back to SC38 while others may link back to multiple T-codes like SC38 and SC93.

• It’s noted that some objects do not originate from any specific T-code but rather reflect those added directly into the menu (e.g., S underscore t code). This distinction helps clarify how roles are constructed based on user-defined parameters versus system-generated ones.

Color Coding in Authorization Management

• A legend feature provides color coding for different types of authorization elements: green indicates an authorization object while light orange signifies an authorization class or object class, aiding users in quickly identifying item types within their roles.

• Users are encouraged to utilize this legend consistently as they navigate through various symbols representing transactions and inactive authorizations within their role management interface.

Traffic Lights Concept in Role Management

Introduction of Traffic Light System

• The traffic lights concept introduces a visual representation using colors (green, yellow, red) indicating the status of fields under maintenance within roles—green means all maintained while yellow suggests partial maintenance needs attention; red typically signals issues requiring resolution or further action before proceeding with role assignments or changes.

Understanding Authorization Field Statuses in SAP

Traffic Light Concept for Field Maintenance

• The color coding system indicates the status of field maintenance: yellow signifies missing values, while red indicates un-maintained authorization levels.

• A normal field that is not maintained appears yellow; when all fields are filled, they turn green, indicating complete maintenance.

• Yellow represents at least one empty field within an object, while green means all fields under that object are filled with values.

• Green indicates all authorization fields are maintained; yellow shows partial maintenance (at least one field is unfilled).

• Red signifies un-maintained R-levels; further discussion on R-level will follow.

Clarifying the Color Codes

• Questions about the traffic light concept were raised; understanding green and yellow is crucial for interviews.

• Interviewers may ask about the meaning of traffic lights in this context: green for fully maintained fields, yellow for partially maintained ones.

Types of Authorization Fields

• There are two types of authorization fields: normal fields and arg (organizational) fields.

• Arg fields represent organizational elements like plant or cost center, whereas normal fields do not relate to organization specifics (e.g., activity).

Understanding Organizational Elements

• A manufacturing plant refers to a facility where production occurs; examples include Tata Steel's operations in Jamshedpur.

• Cost centers manage company expenditures, while profit centers generate income. Each employee incurs costs related to their role and contributes to profits.

Employee Cost Centers vs. Profit Centers

• Cost centers handle operational expenses such as salaries and resources provided to employees.

• Facilities departments provide necessary resources (e.g., equipment), representing a significant expenditure for companies.

• Employees generate revenue through their work but also incur costs associated with their employment and resources used by the company.

Understanding Organizational Fields and Their Values

The Concept of Arg Field

• The term "arg field" refers to fields that represent an organization, with values varying from one organization to another.

• For instance, in BMW, "plant 100" signifies their UK manufacturing plant, while for Walmart, it denotes a specific branch in the USA.

• This illustrates that arg field values are specific to each organization, contrasting with normal fields which have universal meanings.

Normal Fields vs. Arg Fields

• A normal field's value is consistent across all organizations; for example, activity code "0,3" universally means "display" in SAP regardless of the company.

• Understanding this distinction is crucial as it highlights how organizational context influences data interpretation.

Organizational Levels and Traffic Light System

• In roles within SAP, organizational levels can be assessed through a traffic light system indicating maintenance status:

• Green: All fields maintained

• Yellow: At least one field not maintained

• Red: Un-maintained or global fields.

Status of Authorization Objects

• The discussion shifts to the status of authorization objects within roles. There are three statuses:

• Standard: Default values pulled from SU-24 without changes.

• Maintained: When a previously empty value has been filled in.

• Changed: When standard data has been modified.

Clarifying Maintained vs. Changed Statuses

• A maintained status occurs when a new value is added where none existed before; changed status arises when existing standard values are altered (e.g., removing or adding access rights).

• This differentiation emphasizes the importance of understanding how modifications impact role definitions and security settings within SAP systems.

Understanding Authorization Objects in SAP

Overview of Changes and Statuses

• The term "change" indicates that something has been modified, specifically referring to the alteration of SAP default values.

• Distinction between "standard" and "maintained": standard refers to default settings while maintained signifies that a value has been actively set.

• There are 13 authorization objects associated with T codes, which are essential for understanding how these objects function within the system.

Source of Authorization Objects

• SU24 is identified as the origin point from where authorization objects are linked to their respective T codes added in the menu.

• Manual addition of an authorization object can be done directly into a role, such as adding 'S_GUI', which does not originate from SU24.

Types of Authorization Object Statuses

• Four statuses exist for authorization objects: standard, maintained, changed, and manually added. This distinction is crucial for interviews.

• Candidates should prepare clear explanations regarding differences between maintained vs. changed status and standard vs. manually added status.

Interview Preparation Tips

• Practicing answers about authorization object statuses will enhance confidence during interviews; writing notes aids retention.

• Consistent note-taking after each class is recommended to solidify knowledge and prepare effectively for job interviews.

Navigating SAP Icons

• Explanation of icons: the expand icon allows users to view all entries under a category while collapse minimizes them.

• Understanding navigation icons is important; knowing their functions helps clarify any doubts during practical applications.

Generating Profiles in SAP

• Profiles in SAP begin with the letter 'T' followed by alphanumeric characters; this distinguishes them from T codes which have different naming conventions.

Understanding Authorization Object Deletion

Overview of Authorization Objects

• The panel introduces the concept of authorization objects, which are essential for managing user permissions within a system. Icons for generating and deleting inactive objects are highlighted.

• To delete an authorization object, it must first be deactivated. The cursor provides guidance on how to use the icons effectively.

Conditions for Deleting Authorization Objects

• When attempting to delete an active standard authorization object (e.g., S_user_well), the system indicates that only objects with changed or manual statuses can be deleted.

• Two conditions must be met to delete an authorization object: it should be deactivated, and its status must either be 'manual' or 'changed'.

Practical Deletion Examples

• An example is provided where a manually inactivated object (S_GUI) is successfully deleted because it meets both conditions.

• In contrast, attempts to delete maintained or standard status objects fail, reinforcing the importance of understanding these conditions.

Selection Criteria Tab Insights

• The selection criteria tab functions similarly to manual entry, allowing users to insert authorization objects directly into roles.

• A warning is issued against deleting standard authorization objects from this interface as it could lead to systemic issues.

Understanding Open Fields

• The selection criteria page displays classes and allows users to select and insert types manually.

• Clicking "open" expands fields but only shows those that are empty; this helps identify which fields require values.

• Once values are filled in open fields, they become maintained, demonstrating how the system tracks changes in real-time.

Understanding Authorization Objects in SAP

Overview of Open Fields and Recommendations

• The term "open" refers to authorization objects with empty fields. SAP recommends that these should ideally be zero, indicating no open fields.

Exploring Changed Status

• When the status is changed, it indicates that some objects within a role have been modified. The system provides details on how many objects are changed, maintained, or still open.

Organizational Levels and Argument Fields

• Within a role, there may be argument fields (arg fields). For instance, the "Plan version" field can appear multiple times but remain unmaintained if not filled correctly.

Maintaining Argument Levels

• If an arg field is left unfilled, it will show as red in the interface. Filling this value changes its status to maintained, removing the red indicator.

Understanding Traffic Lights and Symbols

• The traffic light colors indicate the maintenance status of fields: green for maintained and red for unmaintained. Various symbols represent actions like deleting contents or reactivating authorizations.

Key Takeaways from Authorization Tab

• This section emphasizes understanding how to fill data accurately in the authorization tab. Expect questions about traffic lights' meanings and differences between various statuses during assessments.

Next Steps in Learning

• Future classes will cover expert mode for profile generation and composite roles. Students are encouraged to clarify any doubts regarding today's topics before proceeding further.