Description
Functions of Report RHPROFL0
Report RHPROFL0 creates authorization profile assignments forusers in an organizational structure. A distinction is made betweenstandard authorization profiles and authorization profiles forstructural PD authorizations. In addition, user roles and theirprofiles are assigned.
Using the start evaluation path PROFL0 , the system finds andtemporarily saves all users in the structure. Starting from theseusers, on a key date, the system reads all valid related objects forwhich infotype 0106 (standard authorization profile) and / or 1017(authorization profile for structural PD authorizations) is maintained,up to the next highest organizational unit. This means that thesuperior organizational units are not taken into account.
The relevant object types are job (C), position (S), organizationalunit (O), task (T), task group (TG), workflow template (WS), workflowtask (WF), standard task (TS), work center (A), and responsibilities(RY). In addition, all user roles (AG) and their standard authorizationprofiles are included.
The system then checks whether the users found are already created inthe system. This is necessary because in infotype 105 (subtype 0001) ofa person, users can be entered that are not created in the system.
If a user is not yet in the system, it is automatically created. Thenthe system enters authorization profiles for all users found in theorganizational plan.
You can check the results for the standard authorization profiles anduser roles using transaction SU01 . The structural PDauthorizations can be displayed using transaction OOSB .
Report Parameters
Start object
Starting from a Start object , the Evaluation path searches for all assigned users in the organizational plan. If youenter a user as start object, the system selects only that one user.The Key date is the date on which the relationships areevaluated. If the Testrun parameter is set, the system onlyfinds and evaluates the authorization profiles, without assigning themto the corresponding users.
Generate authorization profiles
If the Generate standard authorizations parameter is set, thecorresponding standard authorization profiles are changed. Likewise forthe Generate PD authorization profiles parameter and thestructural PD authorization profiles. If the respective parameter isnot set, the authorization profiles assigned to the users remainunchanged.
Delete manually maintained authorization profiles
Standard authorizations
Caution: if the Delete standard authorizations parameter is set,all user profiles that were manually maintained via transactionSU01 are deleted and only the new authorizations that werederived from the organizational plan are reassigned. An exception isthe SAP_ALL profile. If you want to delete this profile too, theDelete profile SAP_ALL must also be set.
If this parameter is not set (default setting), the system deletes onlythose authorization profiles originating from a user role that is nolonger assigned to the user, according to the current organizationalplan. These authorization profiles are also marked as generatedprofiles in transaction SU01 . All other manually maintainedauthorization profiles (infotype 1016) remain in existence.
Structural PD authorizations
Caution: if the Delete PD authorizations parameter is set, thesystem deletes all the structural PD authorization profiles that weremanually maintained in table T77UA . This includes the delimitedprofiles. Note that a user that has no structural authorizationprofiles automatically gets the authorization profile SAP* (inother words authorization for all organizational objects). Thisprofile, however, is not entered in table T77UA .
If the parameter is not set (default setting), the system deletes onlythose authorization profiles that were assigned via report RHPROFL0, as these were marked by the new program.
Invalid users
If the Include invalid users parameter is set, the system alsoselects those users that are no longer valid on the key date, but thatstill exist in the system.
New users
If the Generate new users parameter is set, users are generatedthat were assigned to a person in infotype 105 (subtype 0001) but notyet created in the system. If the Transfer relationship periodbetween person and user is also set, the new users are created withthe same validity period that is maintained in infotype 105 (subtype0001) for the person. If the parameter is not set, the new users arecreated from the key date to the latest possible date (31.12.9999).Over the User data parameter, the system assigns the Initialpassword and the User group .
Application Log
All messages that are generated during the profile comparison are savedin the application log. The application log is newly generated eachtime the report RHPROFL0 is run. You can display it by choosingthe Display log(s) pushbutton, which is at the top of theoutput list.
If the report is planned in a batch job and automatically executed, theoutput list is printed out. In that case, you can see the applicationlog by choosing transaction SLG1 . On the selection screen,enter 'RHPROFL0' as the Object . The Subobject andExt. number fields remain empty.