Sunday, June 21, 2009

Transporting Authorizations

User data and authorization data must be exchanged in system landscapes with multiple SAP systems. The data is either exchanged between different clients of an SAP system or between clients of different SAP systems.

In principle, the SAP authorization concept differentiates between the following transport contents.


Which Authorization Components Can Be Transported?

. User master records
. Roles
. Authorization profiles
. Check indicators

Authorization profiles can be transported together with their roles.
Working with authorization profiles without an assigned role should remain the exception. The transport connection of transaction SU02 for maintaining authorization profiles is only mentioned here for completeness and is not further discussed.


It is only possible to transport all user master records when performing a client copy. It is not possible to select individual user master records.


User master records can also be distributed using Central User Administration.


If you do not want to transport the user assignments to roles, you can protect the target system with an import lock. To do this, the control table PRGN_CUST must contain the entry (USER_REL_IMPORT:=NO).

Caution: If you transport user assignments, the entire user assignment for the role in the target system is replaced. Existing connections to this role are removed. You must also perform a user master comparison for all affected roles in the target system after the import.
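The import lock and the replace-not-merge behaviour from the caution above, modelled as an added example (not SAP code and not from ADM940) that previews which users would lose or gain a role in the target system. The role names, user IDs and the dictionary representation of PRGN_CUST and of the role assignments are constructed assumptions.

```python
# Added example: preview what an import of role user assignments would change.
# Role names, user IDs and the dict layout are constructed for illustration.

def import_lock_active(prgn_cust):
    """True when PRGN_CUST (given as ID -> value) holds USER_REL_IMPORT = NO."""
    return prgn_cust.get("USER_REL_IMPORT", "").strip().upper() == "NO"


def preview_import(transported, target, prgn_cust):
    """Return (resulting assignments, per-role changes, roles to compare).

    transported / target map a role name to the set of users assigned to it.
    """
    result = {role: set(users) for role, users in target.items()}
    changes = {}
    if import_lock_active(prgn_cust):
        # Import lock set: assignments in the target stay as they are.
        return result, changes, []
    for role, users in transported.items():
        users, before = set(users), set(target.get(role, ()))
        # The entire assignment for the role is replaced, not merged.
        result[role] = users
        changes[role] = {"removed": sorted(before - users),
                         "added": sorted(users - before)}
    # Every role whose assignment was imported needs a user master comparison.
    return result, changes, sorted(transported)


# Constructed sample data: transported assignments vs. the target client.
TRANSPORTED = {"Z_FI_CLERK": {"DEVUSER1", "ALICE"}}
TARGET = {"Z_FI_CLERK": {"ALICE", "BOB", "CAROL"}, "Z_MM_BUYER": {"DAVE"}}

if __name__ == "__main__":
    for label, cust in (("no lock", {}), ("lock", {"USER_REL_IMPORT": "NO"})):
        result, changes, compare = preview_import(TRANSPORTED, TARGET, cust)
        print(label, changes, "compare:", compare)
```

Without the lock, the sample shows BOB and CAROL silently losing Z_FI_CLERK while a development user gains it, which is the case the import lock is meant to prevent.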

(Reference: ADM940)