
Roles

Monday, September 21, 2009, 9:12 PM

• Role: A role represents a job function in an organization. Roles are the basis for
implementing security using the Profile Generator. A role is a collection of
transactions, reports, tasks etc. It can be defined as the data container from which the
Profile Generator generates authorization profiles, and it usually represents a job role
in the company
• Roles are built by the security administrators based on the transaction list and the
job descriptions provided by the functional team. These are commonly known as the role
matrix
• The role matrix gives the information needed to build the roles. The ASAP tool is one
source for generating the matrices, and we can design our own using MS Excel or Access:
o Position or job description matrix
o SAP role to transaction matrix
o User to role mapping matrix (positions to SAP roles mapping)
o Roles to organizational level restriction matrix

• Role types:
o Single role: a single role is the data container for the transactions and the
authorization objects and is assigned to users according to the functions performed
by the user
o Composite role: a collection of single roles; it should contain at least one
single role. Composite roles do not contain any authorization data. A composite role
cannot be assigned to another composite role
o Derived role: a role that is derived from an existing role. It inherits all
the transactions and the authorizations from the source role
o User assignment: users can be assigned to a single role or to a composite role
• Organizational levels: the security administrator can specify the levels to which
the users need access (company code, cost center, sales organization etc.)

• Setting up the Profile Generator:
o Check that the profile parameter auth/no_check_in_some_cases is set to yes. It is
checked using the report RSPARAM. In earlier versions it was set manually
o Go through the steps in transaction SU25, mainly to initialize the USOBT_C
and USOBX_C tables. We can edit these defaults to customize them to our needs
using transaction SU24

Roles can be assigned to various entities:

• R/3 users
• Jobs
• Positions
• Organizational units
• Workflow tasks

When we build a role, the naming convention is very important

We can deactivate an object by clicking on the page icon with the red bar

Automatically generated objects are stored in the USOBT & USOBX tables

Custom objects are stored in the USOBT_C & USOBX_C tables

User comparison: once a user ID is assigned, this icon is clicked to update the UMR (user
master record)

Apart from transactions, we can also assign reports, ABAP/4 queries, internet URLs,
links to documents on a shared drive in the company's network etc.

SINGLE ROLE

CREATION

Creating roles - PFCG

There are different ways of creating a role:

o From transaction codes
o From the SAP standard menu
o From an SAP area menu
o From a role-based menu

Transaction PFCG

• Enter the role name and press the Create button. There are some limitations in
naming a role:
o A customer role name should begin with a Z or Y
o The second character should not be an underscore (_)
• When a role is created and saved, an entry is made in the AGR_DEFINE table, which
can be seen using transaction SE16

Menu tab

• Go to the Menu tab, where we can assign transactions, web addresses and reports
directly or via the menus; once this is done we can observe that the Menu tab turns
from red to green
• When transactions are assigned to the role, entries are made in the tables
AGR_TCODES, AGR_HIER and AGR_HIERT

Authorization tab

• It is used to maintain the organizational levels and the values for the fields of the
authorization objects associated with the transaction codes
• The list of authorization objects can be found in the table TOBJ
• To maintain the org levels and field values, click on Change Authorization Data
• Organizational levels defined in the system can be checked using the T-code SPRO
• To see the list of authorization classes: SU02
• Once the Authorization tab is done, entries about the profile can be seen in tables
such as AGR_1250, AGR_1251, AGR_1016, AGR_1016B and AGR_1252

Assigning users to the role

• Enter the user IDs; once this is done, click User Comparison and then click on
Complete Comparison
• An entry for each user is made in the AGR_USERS table

Inserting Authorization Objects Manually

• Sometimes while executing transactions there will be an authorization error.
When you execute SU53 it will display the missing authorizations
• To manually insert an authorization object into the role, go to Edit - Insert
authorization - Manual input

Creating Roles Using SAP Menu Structure

• In the Menu tab select From the SAP menu; a window will open with check boxes, and at the
bottom of the screen activate the technical names. These technical names are
nothing but the transactions
• In the same screen, find the transaction you want using the Find button by
entering the transaction code
• It will take you to the menu path where the transaction code is. Now check the box
corresponding to the T-code you need; it will select the parent nodes as well
• If any other transaction needs to be found and included, we can do so. Finally select the
Transfer button

DELETION

• When a role is deleted, all the assignments associated with the role are also deleted.
This includes all the authorizations generated for the role and the user assignments
• Before deletion create a change request; it should not be released before the
deletion of the role
• If we have multiple roles to be deleted, we can enter all the roles in the change
request and delete the roles one by one
• Click on the transport icon before deletion; it will take us to the object screen,
where we should not select the user assignment object; select the
personalization object and hit Enter
• Then in the next screen click the Create Request icon, specify a description for the
role to be deleted and press Enter; we will see a message at the bottom saying the data
was entered in the change request
• Now we can go ahead and delete the role
• The role which is marked for transport can be seen in SE10/SE09. As soon as you
enter this screen make sure that the Modifiable box is checked, then select Display; we
can see that the roles which we deleted are ready for transport. Select the roles and hit
the transport icon

COMPOSITE ROLE
• Composite roles are a collection of single roles. In composite roles you cannot
assign transactions directly. Transactions are assigned to single roles, and single roles
are in turn assigned to composite roles
• Composite roles provide an efficient method for administering user access to
complex functionality spanning several methods

CREATION

Transaction PFCG

• Enter a role name and click on the Composite Role button; the naming convention is very
important, that is, composite roles should be distinguishable from single roles

Role tab
• Click on the Roles tab and enter the single roles which you want to bring under
this composite role
• At this point an entry is made in the AGR_AGRS table (one for every single role that
makes up the composite role)

Menu tab
• We can see there is no option for us to enter any transaction or report into a
composite role
• If we click on the Read Menu button, it will display one node for each role that was
included in the Roles tab
• We can expand the nodes of the single roles and see the transactions that are
present in each single role

User tab
• Click on the User tab and assign the composite role to the user IDs
• Click on the User Comparison button; the master record is adjusted for the single roles
and the composite role gets assigned to the users

SU01
• If you check the UMR for a user ID with a composite role, we can see the composite
role as well as the single roles that belong to the composite role
• Single roles are displayed in blue, and composite roles with a double bullet in
the Type column
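
The relationship between the tables named in these notes (AGR_DEFINE, AGR_AGRS, AGR_TCODES, AGR_USERS), the naming limitations for customer roles and the composite-role rules can be checked offline. The following is an added example, not SAP's own code or data: each table is reduced to the one relationship the notes describe for it, and the role names, user IDs and transactions are constructed sample values. It resolves what user comparison places in a user master record and which transactions a user effectively reaches through a composite role.

```python
"""Offline model of the PFCG role tables mentioned in these notes.

Added example, not SAP's own code or data: AGR_DEFINE, AGR_AGRS, AGR_TCODES
and AGR_USERS are reduced here to the one relationship each table carries in
the notes, and the role names, users and transactions are constructed.
"""

# AGR_DEFINE: one row per role, with the role type
AGR_DEFINE = {
    "ZFI_AP_CLERK": {"composite": False},
    "ZFI_GL_DISPLAY": {"composite": False},
    "ZFI_COMP_FI": {"composite": True},
}
# AGR_AGRS: composite role -> single roles entered on its Roles tab
AGR_AGRS = {"ZFI_COMP_FI": ["ZFI_AP_CLERK", "ZFI_GL_DISPLAY"]}
# AGR_TCODES: single role -> transactions assigned on its Menu tab
AGR_TCODES = {
    "ZFI_AP_CLERK": ["FB60", "FB03"],
    "ZFI_GL_DISPLAY": ["FS00", "FB03"],
}
# AGR_USERS: role -> users entered on its User tab
AGR_USERS = {"ZFI_COMP_FI": ["JDOE"], "ZFI_GL_DISPLAY": ["ASMITH"]}


def role_name_problems(name):
    """Naming limitations from the notes: customer roles begin with Z or Y,
    and the second character is not an underscore."""
    problems = []
    if not name or name[0] not in "ZY":
        problems.append("customer role name must begin with Z or Y")
    if len(name) > 1 and name[1] == "_":
        problems.append("second character must not be an underscore")
    return problems


def composite_problems(define=AGR_DEFINE, agrs=AGR_AGRS, tcodes=AGR_TCODES):
    """Composite-role rules from the notes: at least one single role, no
    composite inside a composite, no transactions assigned directly."""
    problems = []
    for role, attrs in define.items():
        if not attrs["composite"]:
            continue
        children = agrs.get(role, [])
        if not children:
            problems.append(f"{role}: composite role contains no single role")
        for child in children:
            if define.get(child, {}).get("composite", False):
                problems.append(f"{role}: contains composite role {child}")
        if tcodes.get(role):
            problems.append(f"{role}: transactions assigned directly to a composite role")
    return problems


def roles_in_umr(user, define=AGR_DEFINE, agrs=AGR_AGRS, users=AGR_USERS):
    """What user comparison writes into the user master record: the roles
    assigned to the user plus the single roles inside any assigned composite."""
    direct = {role for role, assigned in users.items() if user in assigned}
    resolved = set(direct)
    for role in direct:
        if define[role]["composite"]:
            resolved.update(agrs.get(role, []))
    return sorted(resolved)


def tcodes_for_user(user, define=AGR_DEFINE, agrs=AGR_AGRS,
                    users=AGR_USERS, tcodes=AGR_TCODES):
    """Effective transactions: the union over the single roles in the UMR,
    since a composite role itself carries no authorization data."""
    effective = set()
    for role in roles_in_umr(user, define, agrs, users):
        if not define[role]["composite"]:
            effective.update(tcodes.get(role, []))
    return sorted(effective)


if __name__ == "__main__":
    print(composite_problems())
    print(roles_in_umr("JDOE"))
    print(tcodes_for_user("JDOE"))
```

Run against a real export, the same checks would be fed from SE16 downloads of the four tables; the point of the model is that a composite role contributes nothing by itself, so every access review has to be done over the single roles the UMR resolves to.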

TRANSPORTING COMPOSITE ROLE

DELETING COMPOSITE ROLE

Initial steps before deleting the composite role:

o Remove the single role assignments from the composite role
o Create a change request for the composite role
o Delete the role
o Release and transport the change request

• Select the composite role which you want to delete; if the role still contains single
roles and we try to delete the composite role, it will error out saying that it still contains
single roles
• Go to the Roles tab and delete all the single roles in the composite role
• Click on the transport icon before deletion; it will take us to the object screen,
where we should not select the user assignment object; select the
personalization object and hit Enter
• Then in the next screen click the Create Request icon, specify a description for the
role to be deleted and press Enter; we will see a message at the bottom saying the data
was entered in the change request
• Now we can go ahead and delete the role
• The role which is marked for transport can be seen in SE10/SE09. As soon as you
enter this screen make sure that the Modifiable box is checked, then select Display; we
can see that the roles which we deleted are ready for transport. Select the roles and hit
the transport icon

MASS DELETION OF ROLES

• Create one transport request for all the roles in the source system (say the
development system) using the mass transport option
• Delete all the roles entered in the transport one by one from the development
system
• Release the change request. SAP flags the transport entry as a delete if it cannot
find the records when you release the transport
• Import the transport into the remaining systems and the roles will be deleted from
those systems
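
The order of the four steps is what makes the deletion propagate: the delete flag is decided at release time from whether the role still exists in the source. The following is an added model of that flow, not SAP code: a "system" is a dict of role name to role data, a transport request is a list of entries, and the role names are constructed. Running the steps in the wrong order (release before delete) shows why the notes repeat that the change request must not be released before the role is deleted.

```python
"""Model of the mass-deletion transport flow described in these notes.

Added example, not SAP code: a 'system' is a dict of role name -> role data,
and a transport request is a list of entries that records, at release time,
whether each role still existed in the source system. Role names are constructed.
"""


def create_request(role_names):
    """Mass transport option: one request holding every role to be deleted."""
    return {"released": False,
            "entries": [{"role": r, "delete": None, "data": None} for r in role_names]}


def release(request, source):
    """Release: roles still found in the source are copied into the request;
    roles that can no longer be found are flagged as deletes."""
    for entry in request["entries"]:
        if entry["role"] in source:
            entry["delete"] = False
            entry["data"] = source[entry["role"]]
        else:
            entry["delete"] = True
    request["released"] = True
    return request


def import_request(request, target):
    """Import into the next system: delete-flagged roles are removed there,
    all others are created or overwritten."""
    if not request["released"]:
        raise ValueError("request must be released before it can be imported")
    for entry in request["entries"]:
        if entry["delete"]:
            target.pop(entry["role"], None)
        else:
            target[entry["role"]] = entry["data"]
    return target


def mass_delete(source, targets, role_names):
    """The procedure in the order the notes give it: create the request,
    delete in the source, release, then import everywhere else."""
    request = create_request(role_names)
    for name in role_names:
        source.pop(name, None)
    release(request, source)
    for system in targets:
        import_request(request, system)
    return request


if __name__ == "__main__":
    dev = {"ZFI_A": "role data", "ZFI_B": "role data", "ZFI_KEEP": "role data"}
    qas, prd = dict(dev), dict(dev)
    mass_delete(dev, [qas, prd], ["ZFI_A", "ZFI_B"])
    print(sorted(qas), sorted(prd))
```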

DERIVED ROLE

• A derived role is a role which is created using some other role as a reference. The
derived role inherits the T-codes and the authorizations of the referenced role
• It is basically a duplication of an existing role
• Derived roles come into the picture where the organization has offices and users across
the world, because there will be positions with similar job responsibilities in every
location. In such a situation only the organizational levels may change, but the activities
remain the same
• Duplication of a role can be done in 2 ways:
o Copying an existing role - but it will act as an independent role after that
o Deriving a new role based on the existing role
• Once the derived role is created, if we go to the parent role we can see
a new icon, Generate Derived Role, next to the Generate icon
• Drawbacks:
o Manually inserted authorization objects in the parent role are not
reflected in the derived role automatically, as the transactions are
o If you want to bring the objects from the parent role to the derived role we
have to generate the derived role from the parent role
o Changes made in the derived role are not reflected in the parent role

CREATION

• Derived roles can be seen in the table AGR_DEFINE
• Enter the derived role name and select the Create Role button; you will be taken to the
next screen where you have to give the description, and at the bottom of the screen
there will be an option Derive from role (the role we want to derive from)
• Enter the role name; as soon as you do, go to the Menu tab, where all the
transactions and reports that are in the parent role can now be seen in the derived role
which we are creating
• Go to the Authorizations tab and select the Change Authorization Data button; we can see
that no organizational levels are maintained, and no values either
• We have to ensure that the field values that are in the parent role are also there in the
child role
• If we want to maintain everything, click the Save button and select the Copy Data icon
on the page; once you do that we can see the traffic lights turn green. This is to be
done only the first time a derived role is created
• Organizational levels we can either copy from the parent role or give our own
organizational values (independent from the parent role)
• Now if we make any changes to the derived role, they don't affect the parent role, and the
changes will exist in the derived role until we generate the derived role from the
parent role. Once we do that, the derived role values are overwritten by the parent
role values, except for the organizational levels
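
The inheritance rules above (menu inherited at once, authorization data taken over with Copy Data, org levels independent, everything except the org levels overwritten on Generate Derived Role, and nothing flowing back to the parent) can be written down as a small model. The following is an added example, not SAP code: a role is a plain dict, an org-level field inside an object is marked None so that its value comes from the role's own organizational levels, and while the object and field names are ordinary SAP ones, all values are constructed.

```python
"""Model of the parent/derived role behaviour described in these notes.

Added example, not SAP code: a role is a plain dict holding its transactions,
its authorization field values (object -> field -> values) and its
organizational level values. The object and field names are ordinary SAP
ones; the values are constructed for this illustration.
"""
import copy

# Marker for an org-level field inside an object: its value is taken from the
# role's own organizational levels, as the Profile Generator fills it in
ORG_LEVEL = None


def make_role(tcodes, auth, org_levels):
    return {"tcodes": list(tcodes), "auth": copy.deepcopy(auth),
            "org": copy.deepcopy(org_levels)}


def derive_role(parent, own_org_levels=None):
    """Derive from role: the menu is inherited at once, the authorization data
    is taken over with Copy Data, and the org levels are either copied from the
    parent or given independent values."""
    derived = make_role(parent["tcodes"], parent["auth"], parent["org"])
    if own_org_levels is not None:
        derived["org"] = copy.deepcopy(own_org_levels)
    return derived


def generate_derived(parent, derived):
    """Generate Derived Role on the parent: transactions and authorization
    values are overwritten with the parent's, org levels are left alone. Only
    at this point do objects inserted manually in the parent reach the child."""
    derived["tcodes"] = list(parent["tcodes"])
    derived["auth"] = copy.deepcopy(parent["auth"])
    return derived


def effective_values(role):
    """Field values as generated into the profile: org-level fields are filled
    from the role's own organizational levels."""
    result = {}
    for obj, fields in role["auth"].items():
        result[obj] = {}
        for field, values in fields.items():
            if values is ORG_LEVEL:
                result[obj][field] = list(role["org"].get(field, []))
            else:
                result[obj][field] = list(values)
    return result


def demo():
    """Walk through the sequence from the notes and return what the child
    and the parent hold at each step."""
    parent = make_role(
        ["FB60"],
        {"F_BKPF_BUK": {"ACTVT": ["01", "02", "03"], "BUKRS": ORG_LEVEL},
         "S_TCODE": {"TCD": ["FB60"]}},
        {"BUKRS": ["1000"]},
    )
    # derived role for another company code: own org level, same activities
    child = derive_role(parent, own_org_levels={"BUKRS": ["2000"]})
    after_copy = effective_values(child)

    # parent is changed: one value restricted, one object inserted manually
    parent["auth"]["F_BKPF_BUK"]["ACTVT"] = ["03"]
    parent["auth"]["S_BTCH_JOB"] = {"JOBACTION": ["RELE"], "JOBGROUP": ["*"]}
    before_generate = effective_values(child)   # child not yet affected
    generate_derived(parent, child)
    after_generate = effective_values(child)    # overwritten, org level kept

    # a change in the child never reaches the parent
    child["auth"]["S_TCODE"]["TCD"].append("FB03")
    return {"after_copy": after_copy, "before_generate": before_generate,
            "after_generate": after_generate,
            "parent_tcd": effective_values(parent)["S_TCODE"]["TCD"]}


if __name__ == "__main__":
    for step, value in demo().items():
        print(step, value)
```

The practical consequence mirrors the drawback listed above: a restriction maintained only in a derived role survives exactly until the next generation from the parent, so restrictions that must hold everywhere belong in the parent, and only the org levels belong in the child.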

PROJECT IMG AND IMG ROLE

• A Project IMG can be created using the transaction SPRO_ADMIN or using the path
SPRO - in the IMG screen, Goto - Project Management
• The object related to this is S_PROJECT
• Once we are done creating the role it is not possible to add any transactions to
the role, but they can be deleted

CREATION

IMG Project

• Execute the transaction SPRO_ADMIN
• If you click on the Create button we will get a box asking for the project name; once
this is done it will take you to the screen where we can give the description
• Go to the Scope tab and select the radio button Specify project scope by making
manual selections in reference IMG
• Click on the Specify Scope icon and select the node or the module for which we are
creating the Project IMG, then select the square-with-arrow button; we can see that the
module which we selected is shaded, as well as its sub-nodes
• "Node selection in the reference IMG has been saved" is the message we will get at the
bottom of the screen
• Now select the Generate Project IMG icon and select the radio button Generate in
background
• We can check the status of the background job using the transaction SM37 or SM50

IMG Role
• After the Project IMG is created, we can use it to create the IMG configuration
role
• Execute the transaction PFCG
• Go to the Menu tab and follow the menu path Utilities - Customizing
Authorization
• We will get the Customizing Authorization box; select the Add icon. We will be
taken to the Insert Customizing Activities box; select the IMG Project button
• Select the Project IMG from the list, the one you created, and select the Continue icon
• We can see the node with all the sub-nodes in the Menu tab screen, and we can no
longer add any transaction codes to this role in the Menu tab
• Specify the required values in the Authorizations tab and generate the role

To see the values for the org levels go to the IMG through SPRO and in there select
Enterprise Structure - Assignment

In SU24 we can maintain objects automatically

SU53 shows which values need to be maintained.

• When you execute it, it will give an authorization error and say which values need to be
maintained during testing
• We can give *
• We can assume some value

If authorization object names are not displayed, go to Utilities - Technical names on,
or Utilities - Settings, to display the technical names (authorization class) of the
authorization objects and the field names

Transaction codes are inserted in the authorization object S_TCODE, the start transaction
code object

To create custom authorization objects: SU21

Soon after creating an object, generate it

There are 4 object statuses:

• Standard
• Maintained
• Manual
• Changed
These statuses can be seen in the object class screen; along with them there is one more
status, "NEW"

• Standard - Maintained : yellow - green

When any of the field values that were not maintained are maintained, the object
status changes from Standard to Maintained
The authorization objects with the status Standard and a green traffic light are
entirely Profile Generator default values

• Maintained - Changed : green

When you change any of the field values, it changes from Maintained to Changed

A field value with "$" at the beginning in the organizational level screen indicates that it is
a plan version

Technically, yes, we can delete a role directly from the production system, but we should not,
for 2 reasons:
o Synchronization (systems go out of sync)
o Trail (the transport says where the object originated)

Change request should not be released before the deletion of the role

When we delete roles, the related entries from tables such as AGR_DEFINE,
AGR_USERS (if users are assigned to the roles), AGR_TCODES etc. are also deleted

When a role is deleted, a flag is set on the role saying that the role is deleted; based on that
it is deleted from the remaining systems

We can see a Delete button in the Menu tab screen; if we delete a role and refresh,
it will appear again, since the menu is read from the single roles

In PFCG, if you want to give access only to the user menu and not the SAP menu, how do you do
that?
Sol: to hide the SAP menu for all users, enter transaction SM30, edit table
SSM_CUST and set SAP_MENU_OFF to YES
To hide the SAP menu for individual users, enter transaction SM30 and maintain table
USERS_SSM

Do not delete any objects; deactivate them instead, because the deleted objects pop up
again when you enter the role again (adding or deleting T-codes)

Apart from the 4 object statuses there is another status, "NEW"; it can be seen when we enter
a created role after any modifications. In most cases we make sure that the old status
remains.
For example: if an object exists twice, with old and new values for the fields, generally we
keep the old object and deactivate the new one

Note: if the newly added object has more authorization values than the old one, then make
sure what the role is about and deactivate the unnecessary object

S_BTCH_JOB
S_BTCH_ADM
S_BTCH_NAM
are the objects that control the transaction code SM37
