
Introduction to SAP R/3 #5: Authorization Management


cassia




Presentation Transcript


  1. Introduction to SAP R/3 #5: Authorization Management
  • Users in the R/3 System
  • Authorization Concept
  • Review: creating a new user and Role
  • Modifying a Role's Authorizations

  2. 1. Users in R/3 System (diagram: an R/3 User, an Admin User and a DB User, each connecting to a Server)

  3. Users in R/3 System
  • System administrator (Admin User) and database administrator (DB User)
  • Need privileges that reach down to the operating-system level
  • R/3 User
  • To access any program (transaction) or data in R/3, the user must hold the appropriate authorization

  4. 2. Authorization Concept
  • Authorization
  • Ensures that users have only restricted access to programs and objects in R/3, protecting the security of the R/3 system
  • A user's authorizations are recorded in a profile
  • Whenever a user executes a transaction, R/3 performs an authorization check
  • Even if the user has enough authorization to carry out the task, the system keeps checking the user's current authorizations whenever protected objects or confidential company data are accessed

  5. Authorization concept diagram: the user master data holds profiles; each profile holds authorizations (for Task A, for Task B); an action or transaction is checked ("Permitted? Authorization assigned?") against the objects needing protection (vendor, company code, material, plant).

  6. The most basic unit

  7. Authorization object diagram: the object class Financial accounting contains the authorization object "Customer company code" with the fields Company code and Activity. Authorization A: company code 0001-0009, activity Display, change. Authorization B: company code *, activity Delete.

  8. (1) Object class
  • Object classes have an orange background in the hierarchy display.
  • Authorization objects are divided into classes for comprehensibility. An object class corresponds, for example, to an application (Financial accounting, and so on).

  9. (2) Authorization objects
  • Grouped together into authorization classes
  • Classes can be categorised differently according to the company's business area
  • Authorizations are set by entering suitable values in the fields of an authorization object
  • Authorization objects have a green background in the hierarchy display.
  • You get the authorization object documentation by double-clicking an authorization object.
  • The documentation describes how you maintain the authorization values.

  10. (3) Authorizations
  • Transaction
  • For example, the authorization for one program may be split into create, change, display, delete…
  • Because SAP has a great many programs, * can be used to denote full authorization

  11. (3) Authorizations
  • Authorizations have a yellow background in the hierarchy display.
  • Authorization fields are light blue and their values are white.
  • An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

  12. Authorization example
  • T_9092029701 is an authorization for the authorization object F_KNA1_BUK with the following values:
  • * for company code and
  • 01, 02 for activity

  13. (4) Profile
  • User authorizations are not usually assigned directly to user master records, but grouped together in authorization profiles.
  • Authorizations can be collected in authorization profiles to reduce the maintenance effort which would be required to enter individual authorizations in the user master record.
  • In the example, T_58000097 is an authorization profile containing company code authorizations.

  14. (5) User Master Record
  • These enable the user to log onto the SAP System and allow access to the functions and objects.
  • Changes only take effect when the user next logs on.
  • In the example, a user whose user master record contains the profile T_58000097 can perform the activities in the profile authorizations.

  15. Authorization Check
  • When a transaction is called, a system program makes various checks to ensure that the user has the appropriate authorization.
  • Is the transaction code valid?
  • Is the transaction locked by the system administrator?
  • Is the user authorized to call the transaction?
  • Does the transaction code have an authorization object? If so, a check is made that the user has authorization for this authorization object.
  • If one of these checks fails, the transaction is not called and the system sends a message.

  16. Authorization check flow (diagram): Dynpro (interpreter) → Authorization check against the user authorizations in the user buffer → OK? yes: Processing; no: Message (error message). When the user logs on, the system loads the authorizations from the user's profiles into the user buffer.
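An added example, not part of the original slides, that models the authorization concept and the check flow of slides 7 and 12 to 16 in Python and then walks through the company-code restriction from the exercise on slide 28. Assumptions: the field names BUKRS (company code) and ACTVT (activity) with the codes 01 create, 02 change, 06 delete are the standard SAP technical values, and the profile T_58000097 is represented as a plain list of authorizations.

```python
from dataclasses import dataclass
# Assumed technical names: BUKRS = company code, ACTVT = activity
# (standard SAP activity codes: 01 create, 02 change, 03 display, 06 delete).
def covers(granted: str, wanted: str) -> bool:
    """Does one granted field value cover the requested value?"""
    if granted == "*":                 # slide 10: * stands for full authorization
        return True
    if "-" in granted:                 # a range such as 0001-0009 (slide 7)
        low, high = granted.split("-", 1)
        return low <= wanted <= high
    return granted == wanted

@dataclass
class Authorization:
    """One authorization: an object name plus the allowed values per field."""
    obj: str
    values: dict  # field -> list of granted values
    def permits(self, obj: str, wanted: dict) -> bool:
        # every requested field must be covered by at least one granted value
        return obj == self.obj and all(
            any(covers(g, w) for g in self.values.get(f, [])) for f, w in wanted.items())

class User:
    """User master record holding profiles; the user buffer is filled at logon."""
    def __init__(self, name: str, profiles: list):
        self.name, self.profiles, self.buffer = name, profiles, []
    def logon(self):
        # slide 16: profile authorizations are copied into the user buffer, so
        # profile changes only take effect at the next logon (slide 14)
        self.buffer = [a for p in self.profiles for a in p]
    def authority_check(self, obj: str, **fields) -> bool:
        """Like ABAP AUTHORITY-CHECK: any buffered authorization covering all fields."""
        return any(a.permits(obj, fields) for a in self.buffer)

def demo() -> dict:
    # T_9092029701 (slide 12): F_KNA1_BUK with company code * and activity 01, 02
    t_9092029701 = Authorization("F_KNA1_BUK", {"BUKRS": ["*"], "ACTVT": ["01", "02"]})
    profile = [t_9092029701]       # stands in for profile T_58000097 (slide 13)
    user = User("EC1_user1", [profile])
    user.logon()
    chk = lambda cocd, act: user.authority_check("F_KNA1_BUK", BUKRS=cocd, ACTVT=act)
    out = {"change_2000": chk("2000", "02"), "delete_2000": chk("2000", "06")}
    # exercise (slide 28): restrict the company code to IDES AG, CoCd 1000
    profile[0] = Authorization("F_KNA1_BUK", {"BUKRS": ["1000"], "ACTVT": ["01", "02"]})
    out["change_2000_before_relogon"] = chk("2000", "02")   # old buffer still in use
    user.logon()
    out["change_2000_after_relogon"] = chk("2000", "02")
    out["change_1000_after_relogon"] = chk("1000", "02")
    return out
```

The "before_relogon" entry is the point of slide 14: until the user logs on again, the buffer still grants the old company-code wildcard.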

  17. 3. Review: creating a new user and Role
  • First log on with your own account and password
  • Create a new user (e.g. EC1_user1)
  • Enter transaction SU01
  • Enter the new user's account name (e.g. EC1_user1)
  • Click the Create icon
  • Enter the name on the Address tab
  • Enter the initial password on the Logon data tab
  • Click the Save button

  18. Creating a Role
  • Create a new Role (e.g. EC1_Role1)
  • Enter transaction PFCG
  • Enter the new Role name (e.g. EC1_Role1) and click the Create button
  • Select the Menu tab
  • Click the "Copy menu from the SAP menu" button
  • Suppose one function is ticked: Human Resources; click the Transfer button

  19. Assigning the Role to a user
  • Select the User tab and assign this Role to EC1_user1
  • Save
  • Log on as EC1_user1: the menu is visible, but nothing can be executed yet (no authorizations have been granted)

  20. 4. Modifying a Role's Authorizations
  • Log on again with your own account and password
  • Enter transaction PFCG
  • Enter the Role name (e.g. EC1_Role1) and click the Change button
  • Select the Authorizations tab

  21.
  • Note that "Information about authorization profile" is empty
  • Click the "Change authorization data" button

  22. Change authorization
  • Choose Change authorization data and then proceed as follows:
  • You can maintain organizational levels by choosing Org. levels: this determines the value ranges (e.g. which companies and account types can be seen)
  • Check or change the default authorizations in the hierarchy view displayed: this determines the program authorizations (e.g. create, display or delete)

  23. (1) Maintain organizational levels
  • Organizational levels can be plants, company codes and business areas, for example.
  • For each field that displays an organizational level, you determine the global values for these roles.

  24. Global values
  • Variable types
  • A client can contain several companies (company codes)
  • Each company can contain several business areas, e.g. machinery, construction, automotive…
  • Below these come many account type classifications
  • …
  • Variable settings
  • The range of each variable above can be set from From to To
  • To grant full authorization for a variable, choose Full authorization
  • Then click the Transfer button

  25. (2) Change default authorizations
  • The default authorizations are color-coded in the hierarchy display.

  26. Saving and generating the profile
  • Click the Save icon
  • Click the Exit icon, then click the Generate button

  27. Adjusting the user's authorizations
  • Select the User tab
  • Click the User compare button; a "Compare role user master record" window appears
  • Click the Complete compare button to re-adjust the user's authorizations
  • Save and exit
  • Log on as the new user: the user now has authorization to use the HR functions

  28. Exercise
  • Change the company codes available to the user so that the user can only log into the company IDES AG (CoCd = 1000)
  • Remember to run User compare again
  • If the setting succeeds, when that user selects another company code they will lack the authorization and the system will not allow it to be opened

  29. Creating a new Role

  30. EC1-ROLE1 Menu Transfer

  31. EC1-ROLE1 Authorization

  32. EC1-ROLE1 Authorize Profile Org. Level

  33. EC1-ROLE1 Authorize Profile Generate

  34. EC1-ROLE1 User Compare

  35. Creating a new User

  36. ec1-user1

  37. Ec1-user1 Roles

  38. ec1-user1 Login
