Companies making use of SAP and its products need to be vigilant about their SAP system and use an authorization plan that prevents unauthorized access. Until the users have a defined authorization access for certain programs and transaction codes in the SAP system, they must not be allowed to execute the same. SAP PCFG is a transaction code that is used for managing roles and authorization data in role maintenance administration. The user can select the menu functions required and the profile generator automatically creates the authorization data through the tool for role maintenance. The role maintenance functions are recommended by SAP for segregating and defining the roles, profiles, and authorizations. It is possible to create the roles manually as these roles create a connection between the user (employee) along with their authorizations. The SAP system stores the actual authorizations and profiles as objects which can be displayed to users after assignment by top management.
Types of Users
The earlier versions of SAP contained only two divisions of users into Dialog and Non-Dialog users. Non-Dialog users were recommended to ensure communication between systems in the company. The new categories have been developed as-
- Dialog User: The individual interactive system access can be done by this user profile and it usually manages the client side of operations. The user can change his/her own password and in this profile, multiple logins can be prevented.
- Service User: Some predetermined tasks such as product catalogue display can be performed using this user profile through interactive system access. This user profile allows multiple logins as many employees could be managing the predetermined tasks. An administrator has the rights to change the password.
- System User: The system related tasks are managed an performed by this user ID. Some of these tasks include the Transport Management System, ALE, and defining Workflows. Multiple logins are allowed for the users and it does not constitute an interactive system dependent user interface.
- Reference User: This user ID is not used for logging into the system of the company. Internal users are delivered additional authorization through the reference user ID. The additional rights for dialog users can be defined by going to the Roles tab and selecting a reference user.
- Communication User: Dialog free login can be facilitated between different systems such as RFC connections and CPIC through this user profile. SAP GUI based Dialog login is not available to communication users. The user can change passwords like common dialog users and this is possible through the RFC module.
Central User Administration (CUA)
A central system that can manage all the present users in the SAP system is called the Central User Administration system. All the master records can be managed centrally using CUA. Similar users in a single landscape can be managed using CUA, which is why it saves money and resources in a company.
- An admin can delete and add users using CUA through one central system.
- The roles and authorization are displayed as a child system in active forms.
- Administration becomes easy as all users are managed centrally and a clear view of all the management activities becomes possible.