Authorization restrictions are placed on roles; they can be linked to a codification workbook.
Please read the SAP documentation about role authorizations (profile generator).
Tip:
When a copy of an authorization is needed, do not add the authorization manually (the authorization will then keep status manual).
Instead, use the “copy authorization” functionality from the row right-click menu on the Authorizations tab.
Tip:
Change the authorizations row height to make all values visible.
The change in row height is remembered.
Note:
The disabled authorization objects and the overridden organizational levels will not be updated automatically.
The role authorizations menu is shown by right-clicking on the SAP role Authorizations tab.
The following menu items are shown:
Refresh authorizations: read authorizations again from database.
Expert mode: this contains the following submenu items:
Read old status and merge with new data: keep existing changes and merge in new data. Authorizations that were maintained are kept.
Delete and recreate authorizations: remove existing authorizations and create again from t-codes. Authorizations that were maintained are removed.
Create authorizations based on reference (or master): create authorizations as indicated by menu text. This option is not shown for master roles.
Clear authorizations: remove all authorizations for this role from database.
Re-organize authorizations: re-initializes the authorization counts.
Update all reference role authorizations: this opens the mass change update role authorizations (by codification) window.
Update all derived role authorizations: this opens the mass change update role authorizations (by codification) window. The options “create from selected reference” in the “If role has NO authorizations” section and “create from his reference role (or master if not found)” in the “If role has authorizations” section are selected by default. All derived roles for the imparting role concerned are populated in the role selection grid.
Update authorization values: updates the authorization values based on codification.
Display codification values: displays the codification values in the Codification field.
Organizational levels: shows a popup for maintaining the organizational levels relevant for this role.
A role has transaction codes and authorizations. The authorizations of a role will become profile authorizations when the role is generated.
Transaction codes and authorizations are related (SU24).
If the transaction codes are changed (added / deleted) the authorizations need to be adjusted.
To indicate that the authorizations tab needs to be adjusted, CSI Accelerator will give the role the status “NOT SYNCRONIZED”.
If Expert mode / Read old status and merge with new data is used, the status will change again to “SYNCRONIZED”.
“SIMULATED” means CSI Accelerator has generated the default authorizations.
Note:
We recommend using this functionality during the design phase, but loading your master roles into production without authorizations and generating the default authorizations for the master roles in the SAP system.
The icon of the authorization tab differs for every status (top to bottom).
Note:
The authorization status is shown in the roles' select grid.
It is possible to select roles by their authorization status.
The authorization proposition is different in every SAP system.
It depends on release number, hot package and manual import of OSS notes.
Moreover, there are major differences between ECC, APO, BW, SEM, … systems.
The default proposed authorizations in CSI Accelerator are consistent with the latest release of SAP (grouping of authorizations, authorization defaults of parameter transactions without USOBT_C entries).
If the authorization tab is filled from an import or verification of a SAP system it will have the status “ACTUAL”.
If you delete or assign a transaction code, the authorization tab gets a status “NOT SYNCRONIZED”.
If the authorization tab is also changed afterwards, the role gets the status “SIMULATION”.
SAP has three maintenance types.
The three maintenance types are done as follows:
If you use type 1 or 3 —> the role gets the status ‘SIMULATE – SYNCHRONIZED’
If you use type 2 —> status is not changed
Warning:
Currently the derived role authorization status does not change if you add a transaction code to, or delete one from, the master role.
Note:
The export to text file (Create upload file) will only take the authorization data of the roles that have the selected status.
The status can be selected by right-clicking in the “Upload type” area.
If you have roles whose authorization status is not selected, you will get the following warning message.
In the current version, these roles will be exported without authorizations.
If these roles are uploaded in SAP the authorizations in SAP will be lost.
This document is up to date with version 11.1.10.20 of CSI Accelerator