SAP Authorization and ALE

SAP Authorization and how it is used while implementing ALE is the main discussion of the present post. Data is exchanged between systems utilizing ALE know-how with transactional RFC. The objective is to ensure the consistent distribution of information among all methods, even in the case that a part system is temporarily unavailable.

Steps for Configuring ALE

The following are the required steps for configuring ALE as a way to use CUA:

  1. First, the title of the element methods must be known; the Office server must know the title and location of each part system. Likewise, every part system must know the identify of the Office server.
  2. Because the communication is established utilizing RFC calls, the RFC connections must be outlined in each part system that can take a part of the mySAP landscape.
  3. Inside the WPS, the ALE distribution mannequin have to be defined. This model defines which data (data sorts) is exchanged and among which methods that is performed. It defines how many techniques exist, how the information flows, and the documentation between them.
ALE Configuration

The programs that participate in the mySAP Workplace panorama are defined within an ALE situation based mostly on an alias, which is defined using logical systems. A logical system corresponds exactly to one shopper within a SAP system. For each system and shopper that ought to be enabled for connection, a logical system have to be defined. This definition is consumer particular in order that the client is immediately associated to the logical system. Throughout the Office server, all component programs need to be outlined as logical systems. Within the part system, the identical system and the WPS system have to be outlined as logical systems. The next step is to assign the logical identify to the purchasers, which is completed utilizing normal transaction for consumer upkeep such as the SCC4. For outlining the RFC connections, the transaction SM59 is used. Determine 5-9 reveals an summary of transaction SM59.

As a consequence of the WPS might need to join to every component system, all RFC connections to those programs have to be defined. This isn't required in part programs that solely need to outline the RFC connection to the WPS for this purpose. The definitions of RFC connections are client unbiased and are held in desk RFCDES. The identify of the RFC connection must match exactly that of the logical names of the part systems. The connection sort is “3,” which signifies that it is an R/three connection (Foundation).Additionally, SAP recommends utilizing the load distribution feature for these connections.

For the RFC communication to operate correctly, it is required to outline a CPI-C consumer for each of the part programs with the SAP_ALL authorization profile. This person ought to be defined at the beginning of the customization process.

ALE Distribution Mannequin

The ALE distribution mannequin is first outlined in the WPS and later distributed to every of the component systems. This configuration is a three step course of that may be performed using transaction BD64.

1. First, while in change mode, choose possibility Create mannequin view for creating a model new ALE distribution model. This mannequin shall be recognized by a
2. The logical system of the WPS is defined because the sender and the logical name of the element system is the receiver.
3. The subsequent step is to generate the associate profile, which is required for the ALE distribution. This is accomplished by choosing Atmosphere/Generate associate profiles from the menu.
4. Next, the mannequin should be distributed to the element systems. This is carried out by deciding on Edit/Model view; then the ALE distribution mannequin and all the logical names of the element methods are selected. The companion profiles must also be generated within the element systems.

CUA Configuration

The CUA utility is activated within the WPS utilizing transaction SCUA. For each of the weather of the consumer master knowledge, you can define whether or not they are going to be maintained globally from the WPS or domestically from the part system. This is accomplished utilizing transaction SCUM.


Integrating Current Systems

There are two ways of implementing CUA with present methods:

  1. Ranging from scratch, creating all person grasp records
  2. Using the existing user grasp data that might be migrated to the CUA atmosphere

Within the first case, the consistency for the information to be distributed is guaranteed. Within the second case, wherein CUA is implemented when there are already person master knowledge records, there must be a migration course of to reuse this data, which will need to be modified and validated within the Workplace server. Likewise, both the easy and composite roles in addition to the user assignments to those roles or exercise groups should be known to the WPS. The assignment of authorizations to easy roles must still be maintained in local programs (element methods).

Migration Software

The migration of user master information from the prevailing part techniques to the Workplace server will be carried out using the transaction SCUG (option Switch users). The migration is finished only once for every of the part systems. After knowledge is transferred (migrated), the person grasp data can only be maintained throughout the WPS based on the sphere attributes which have been outlined . A consumer account (consumer grasp record) ought to have the final and first identify in all of the element programs utilizing CUA the place the identical user should be defined. When transferring users using the Migration Software, three circumstances are possible:

  1. The consumer account in the component system does not exist within the Office server. On this case, the migration can happen without problems.
  2. The user account already exists in the WPS with the identical first and last name. On this case, the account may additionally be transferred with out problems.
  3. The person account within the element system exists in the WPS but has a totally different first or last name. On this case, earlier than transferring the data, the ambiguity ought to be resolved. If the name on the WPS is the proper one, the information might be migrated. On the contrary, the username in the WPS should be modified before using the common user upkeep
  4. transaction SU01.

Once the CUA utility is activated, the appearance of the SU01 transaction modifications slightly. Within the WPS there could be an additional tab Systems. This tab will contain the logical techniques the place the person data needs to be distributed. The person is just available in those systems. Within the tabs Roles and Profiles, there is also a Systems column. On this means, the project of users to simple roles, composite roles, and profiles could be defined individually for each of the element systems.When the possibility Save is chosen, the info is distributed.

The creation and upkeep of simple and composite roles takes place within the part systems. For assigning these roles or authorizations which would possibly be solely recognized within the element techniques, the choice Text comparability for little one techniques should be selected in the folders for profiles and activity groups. The names of the roles and authorization profiles are replicated to the WPS. From that moment, these names will be available in the WPS (use the help operate F4). Because this information might be modified at any time and in any of the component programs, the replication operation should be repeated regularly.

CUA Log System

Every change in the person data is distributed asynchronously to the element system. These systems reply to every change by sending a message to the WPS. This message is often a profitable, warning, or error situation. That is displayed utilizing transaction SCUL.

Managing Roles within the Office

Within the mySAP methods, actual application components are offered by technique of Business Scenarios. These eventualities are provided on a role basis in order that clients can select SAP functionality for the roles they need. Customers can have several roles within Business Eventualities or can take part in numerous ones. For occasion, a person might be knowledgeable purchaser, however at the same time needs the Worker Self Service functionality or access to components of the financial accounting. This might be a actual-life instance of why the concept of roles is so important and fundamental inside mySAP. The performance of the roles is handled in the Workplace. The mySAP Workplace consists of a large set of predefined roles prepared for use or for copying and adapting to specific firm needs.

From a logical standpoint, a task is the outline of a job place, function, or responsibility inside a company organization. Your complete working setting of the mySAP technique is targeted on the position concept. That's, every person defined within the mySAP Office will must have one or a quantity of corresponding roles. From a technical standpoint, a task is made up of a collection of transactions, Internet hyperlinks, stories, MiniApps, non-SAP purposes, and so on. Moreover, a task is associated with the required authorizations to have the option to begin and execute the functionality related to the role. Principally, roles define which transactions, which info, and what companies are available for the users of the Workplace.



Defining Roles

The primary query that must be answered within a Office atmosphere configured with several component techniques is,The place are roles managed? Depending on the function kind, roles are outlined and managed in the part systems or in the WPS.

1. The first step for defining a role is to outline to which techniques the user having such a job could have access.
2. Subsequent, the roles (menus) are created, and the authorizations and profiles are generated for every role defined.
3. As quickly as roles are generated, they should be assigned to the corresponding users. How and when this task takes place relies on whether or not the CUA is used or not. If the CUA is not getting used, the roles should be assigned to the users, and then the administrator should perform a consumer comparison for transferring the authorization values to the consumer grasp records. If the CUA is used, the function project is completed later within the WPS.
4. Subsequent, the function definitions and the person assignments are transferred, in the case of not utilizing the CUA. For configuring the Workplace, the customers and roles have to be available to the WPS.
5. The composite roles are defined inside the WPS. If the CUA is enabled, the administrator should assign the customers to the techniques to which they should have access.
6. The final step is to assign composite roles to the WPS users.

Defining Easy Roles

Simple roles are first created and maintained within the element programs, to be later transferred to the WPS. Roles could be created from scratch. However, SAP provides a large assortment of ordinary roles that might be imported and later copied and used in order that prospects can modify their needs without starting from scratch. There's a standard report, RSUSR070, which supplies an inventory of consumer roles that are supplied by SAP. You too can use the SUIM (user and authorization data system) to generate an outline of available roles.

Menu Design

The role administration is performed utilizing the traditional transaction for the Profile Generator: PFCG. You too can entry the utility by selecting Tools/Administration/ Person Maintenance/Roles. The consumer menu options (LaunchPad) may be adapted to consumer necessities by including or deleting transactions and folders, together with studies, Internet hyperlinks, files, and MiniApps. When a report is included inside a job, the Profile Generator creates a consumer-outlined transaction code so that the user can begin the report. Generating Authorization Profiles Roles are maintained using the Profile Generator transaction PFCG, which robotically generates the authorizations comparable to the transactions which can be previously chosen using a menu tree for the consumer role. There is, nonetheless, some manual maintenance for these authorizations as a consequence of there are values that should be outlined by the client for every case: as an example, the organization structure allowed, activities, and so on.

When maintaining and generating profiles to be assigned to roles, the display exhibits a yellow light right by the object if the authorization objects will not be utterly maintained (don't have values assigned). When all values are assigned, the light becomes green. Once all values are adjusted for the authorization objects in accordance with the consumer necessities (the authorization project), the profile will be generated just by clicking on the Generate button.

Related posts

What is SAP and Why do we are in need of It
What is SAP Full form and its definition part one

SAP authorization and client administration in mysap.com

No comments :

Post a Comment