Working with Proile Generator
P$CG % Checking i PG is "ctive
In &#' release ()* PG is alrea+, activate+ an+ there is no nee+
to set the
s,ste- para-eter in the &#' instance proile )
.o check whether PG is activate+/
) S,ste- Para-eter/ auth/no_check_in_some_cases
2) 1alue/ Y
P$CG ! verview
3einition/
"uto-aticall, generates authori4ations an+ authori4ation
proiles
"ssigns the- to users
.ransaction Co+e/ P$CG
Beneits/
Si-pliies the task o setting up the authori4ation
environ-ent
5nables proper 6ser &ole -apping
&e+uces o ti-e or &#' authori4ation
i-ple-entation
P$CG ! Co-ponents o Proile Generator
Proile generator has the ollowing Co-ponents
"ctivit, Groups# &oles
6ser "ssign-ent
P$CG
.o launch the proile generator choose the ollowing ro- S"P
Menu
Tools →
Administration →
P$CG % 8&ole Maintenance9 Screen
Change
Role
Display
Role
Create
Role
Create
P$CG % 3ierent $unctionalities# .abs
1. Define
Role names
1. Define
P$CG % 3escription .ab
P$CG % Menu .ab
P$CG % Menu Selection
$or e:a-ple i we choose to cop, the Menu b, selecting speciic ite-s
or S"P
Menu it -a, be +one as ollows) "ter selection
“*ransfer” button nee+s to be
clicke+
© 2007 IBM CorporationMarch!2007S"P# P$CG ! Proile
Generator
P$CG % "uthori4ation .ab
P$CG % "uthori4ation "ctivities
$or -aintaining "uthori4ations it will take to the ollowing screen
where the
“$rgani"ation +evel” nee+s to be -aintaine+)
P$CG % "uthori4ation "ctivities
"ter rgani4ation ;evels are -aintaine+ the ollowing screen
will appear or
-aintaining "uthori4ations
P$CG % Proile Generation
nce "uthori4ations are -aintaine+ the Proile can be generate+
b,
clicking on the “Generate” button <Shit=$>?) .he new
Proile @a-e nee+s
to be entere+)
P$CG % "uthori4ation .ab <status change?
B, going back to "uthori4ation .ab the Status change woul+ be
visible
an+ Proile @a-e is +ispla,e+
P$CG % 6ser .ab
.he &ole can be assigne+ to as -an, 6ser I3s as reAuire+)
Please note that this
applies onl, or the e:isting 6ser I3s) .hen the user -aster recor+
nee+s to be
up+ate+ ater 6ser Co-parison)
P$CG % 6ser .ab
.he user assign-ent an+ the generate+ proile -ust be up+ate+ in the
user -aster recor+s)
.here are a nu-ber o wa,s in which we can +o this <+epen+ing on
the release status?/
In all releases we can sche+ule a backgroun+ ob that regularl,
up+ates the user -aster
recor+s)
We can either use the user co-parison unction or have the user
-aster recor+s
auto-aticall, up+ate+ when saving the activit, groups or roles)
<Choose Utilities→Settings,
an+ activate the option Automatic comparison
at save)?
5ven i we use the User Comparison unction or the
option Automatic Comparison at Save
it is reco--en+e+ to sche+ule a backgroun+ ob an+ ensure that all
user -aster recor+s
are regularl, auto-aticall, up+ate+)
uestionsDD
6ser Menu an+ "rea Menu
6ser Menu E "rea Menu ! verview
User en!
Co-bination o all the &ole Menus o the &ole <one or -ore
roles? which are
assigne+ to the 6ser)
Area en!
"nother t,pe o Menu that contain a set o unctions inten+e+ to
peror- a
particular task in a co-pan,) .wo t,pes o "rea Menus are
there/
) 3eault "rea Menus <pre+eine+ within S"P?
2) Custo-i4e+ "rea Menu <B, .ransaction S5('?
6ser Menu ! 3eining a Menu using P$CG
In transaction P$CG the Menu .ab gives the option to create Menu or
a
particular &ole
6ser Menu ! 3eining a Menu using P$CG
$or e:a-ple i we choose to cop, the Menu b, selecting speciic ite-s
or ,AP
en! it -a, be +one as ollows) "ter selection “*ransfer” button
nee+s to be
clicke+
6ser Menu ! 3eining a Menu using P$CG
$or e:a-ple i we choose to cop, the Menu b, selecting other Area
en! it -a, be
+one as ollows)
6ser Menu % "ssigning 6sers to &ole b, P$CG
.he &ole can be assigne+ to as -an, 6ser I3s as reAuire+) .he
Menu o this
&ole then beco-es a part o the 6ser Menu or the users who woul+
be
assigne+ this &ole)
6ser Menu % "ssigning &ole to 6ser b, S60
n the 8&oles9 .ab o Maintain 6ser Screen <S60? the &oles
are assigne+ to the
users) Fence the correspon+ing Menus <o &oles as create+ in
P$CG? together or-s
the 6ser Menu)
© 2007 IBM CorporationMarch!2007S"P# P$CG ! Proile
Generator
In the 83eault9 .ab o Maintain 6ser Screen <S60? the Start -enu
can be +eine+ b,
speci,ing the 8"rea Menu9 <pre+eine+# custo-i4e+?) B, +eault its
8S0009 i)e) 3eault
S"P Menu
6ser Menu % "ctivation
We can +eine how the -enus woul+ behave through the SSMC6S.
table)
$or e:a-ple two ob roles are ever assigne+ to the sa-e user or two
+erive+ roles ro- the
sa-e HB!&;5 to the sa-e users S"P will +,na-icall, consoli+ate
the -enus an+
-ini-i4e +uplicate no+es provi+e+ the correct para-eters in the
SSMC6S. table are set)
It +oes not prevent ro-
assigning the S"P 5as, -enu
to the users unless para-eter
";;6S5&M5@6S$$ is set
"rea Menu % Custo-i4e using S5('
Create a ne0
eisting Area en!
uestionsD
Working with Proiles
Working with Proiles
.he ne:t step is creating a proile or that role)
Working with Proiles
.he Profile ame tab an+ the Profile *et tab will be blank
in case o a new role creation <as in this case?
In or+er to go insi+e the role we nee+ to click on the tab 8Change
a!thori"ation Data” or 83pert mo'e for profile generation9
Selecting 3pert mo'e for profile generation pops up three options
vi4 /
Delete an' recreate profile an' a!thori"ations $or an, role
-o+iications i there is an, nee+ to +elete
the e:isting proile an+ authori4ation o the role an+ recreate a new
proilethis option is use+)
3'it ol' stat!s .his option is sa-e as the 8Change a!thori"ation
'ata9 option which is the -ost use+
option use+ in +ail, work which +oes not have an, a++e+
unctionalities like the other two options but si-pl,
gui+e+ the user to the insi+e o the role keeping the ol+ +ata o the
role intact)
Rea' ol' stat!s an' merge 0ith ne0 'ata In case o e:isting role
-o+iications in o+er -erge new
+atas that have been a++e+ to a role <while a++ing a tco+e to a
role the obects that are pulle+ +ue to
,U24? with the e:isting one this option is use+)
Working with Proiles
Working with Proiles
So-eti-es initiall, so-e obects appears to be ,ellow in colour) We
can e:pan+ the obect b,
clicking on the icon
$iel+s
.he ,ellow iel+ is +ue to the unavailabilit, o
the values in the obect iel+s <which can be
-aintaine+ through S62(?)
known as $pen Fiel's.
We can change#e+it the e:isting values o a
iel+ or a++ so-e values to a -issing iel+
+epen+ing upon the Business reAuire-ent)
Working with Proiles
In or+er to change the values o an, authori4ation obect click on
the Icon
" ollowing pop!up e-erges out /
A!thori"ation9 to provi+e ull
access an+ click on
Working with Proiles
.here is a special iel+ calle+ 8Activity9 which +eci+es what t,pe o
access shoul+ be provi+e+)
Clicking on that iel+ e-erge+ out another t,pe pop!up wherero- we
can select the t,pe o
activit,
clicking on the +esire+ checkbo: <002
an+ 0( in this case?)
We can also provi+e ull access b,
clicking on the tab 8F!ll
A!thori"ation9 an+ then click on the
icon
Working with Proiles
We can also a++ an obect -anuall, into the role b, clicking on the
tab
.he ollowing screen pops!up
We nee+ to put the obect na-e in the
iel+ <S."B63IS in this case? an+
click on the green check)
.he obect will be -anuall, a++e+ to the
role)
+escribe+ in the previous sli+es)
Working with Proiles
We can also assign the $rgani"ational -al!es to a role b, clicking
on the icon
We can put the values o
Plant Co-pan, Co+e etc) in
the respective iel+ as
propose+ b, the business
all the $rg -al!es b, clicking
on the tab F!ll A!thori"ation
Working with Proiles
.he last but the -ost i-portant step is Generation of a
profile
Profile Creation can also be +one through this -etho+)
Click on the Icon
.he ollowing screen will pop!out
.he proile na-e as well as the +escription can be change+ )
nce +one ,ou nee+ to click on the green check to save the
changes
5ver, ti-e an, change In the role is -a+e it is -an+ator, to
Generate the proile otherwise the
entire role will not be an, use an+ an, user who will be assigne+
with the role will not get an, access
to the authori4ations)
6S5& "SSIG@M5@. E 6S5& CMP"&IS@
© 2007 IBM CorporationMarch!2007S"P# P$CG ! Proile
Generator
6S5& "SSIG@M5@. E 6S5& CMP"&IS@
WF". IS " 6S5& I@ " S"P SS.5MD
" user here is reerre+ to as an en+ user) .here are ive
t,pes o users in S"P as
-entione+ below/!
i? 3ialog
ii? S,ste-
iii? Co--unication
iv? Service
© 2007 IBM CorporationMarch!2007S"P# P$CG ! Proile
Generator
6S5& "SSIG@M5@. E 6S5& CMP"&IS@
In a S"P &#' S,ste- 6sers are assigne+ to &oles
<where each role is
associate+ to so-e transactions? an+ the authori4ations to run
these transactions
are store+ within the proile) 6ser "ssign-ent to a &ole can be
+one b,
con+ucting the ollowing proce+ure)
6S5& "SSIG@M5@. E 6S5& CMP"&IS@ U,3R *A5
Click on 8 Selection9 button an+ then the
below screen appears) i)e it +ispla,s all the
users belonging to a single user Group)
ou can as -an, users ro- the list)
6ser "ssign-ent 1ali+it, Perio+s
© 2007 IBM CorporationMarch!2007S"P# P$CG ! Proile
Generator
6S5& "SSIG@M5@. E 6S5& CMP"&IS@
.he user -aster recor+ co-parison consists o three t,pes o
co-parison/
a) Profile comparison % .he proile assign-ents an+ newl,
generate+ proiles are up+ate+
an+ associate+ with the respective roles an+ thus eventuall, gets
associate+ with the users)
%) Composite role comparison ! .his up+ates the role
assign-ents +eine+ in co-posite
roles i)e) an, kin+ o up+ation within the granular level roles
present within the co-posite
role)
c) 6R comparison# .his generates the +irect role assign-ents ro-
the in+irect role
assign-ents o the F&!&G -o+el)
Click on 6ser Master
6S5& CMP"&IS@! .&"@S P$63
Click here to enter the roles
Fere the
Hob na-e
.here are two wa,s to e:ecute the co-parison)
"s a backgroun+ ob beore the start o each +a,) I report
PFCG9*739D3P3D3C: is
run ever, night the authori4ation proiles in the user -aster will
be current each -orning
<assu-ing that the ob has run correctl,?)
&eport PFCG9*739D3P3D3C: -ust also have run ater each
i-port o roles ro-
other s,ste-s)
6sing .ransaction P$63 Co-pare 6ser Master
"n a+-inistrator shoul+ use this transaction regularl, to
check that no errors have occurre+
65S.I@S D