

Monday, September 21, 2009 9:12 PM

• Role: A role represents a job function in an organization. Roles are the basis of implementing security using the automatic profile generator. A role is a collection of transactions, reports, tasks etc. A role can be defined as the data container for the profile generator to generate authorization profiles, and usually represents a job role in the company
• Roles are built by the security administrators based on the transaction list and the job description provided by the functional team. These are commonly known as the role matrix
• The role matrix gives the information to build the roles. The ASAP tool is one source of generating the matrices, and we can design our own using MS Excel or Access:
  o Position or job description matrix
  o SAP role to transaction matrix
  o Users to role mapping matrix / positions to SAP roles mapping matrix
  o Roles to organization level restriction matrix
• Role types:
  o Single role: a single role is the data container of the transactions and the authorization objects and is assigned to the users as per the functions performed by the user
  o Composite role: it is a collection of single roles and it should contain at least one single role. Composite roles do not contain any authorization data. A composite role cannot be assigned to another composite role
  o Derived roles: roles that are derived from an existing role. They inherit all the transactions and the authorizations from the source role
  o User assignment: users can be assigned to a single or to a composite role
• Organizational levels: the security administrator can specify the levels to which the users need access (company code, cost center, sales organization etc.)
• Setting up the profile generator:
  o Check that the profile parameter auth/no_check_in_some_cases is set to yes. It is checked using the report RSPARAM. In earlier versions it is set manually
  o Go through the steps in transaction SU25, mainly to initialize the USOBT_C and USOBX_C tables. We could edit these defaults to customize them as per our needs using transaction SU24

Roles can be assigned to various entities:
• R/3 users
• Jobs
• Positions
• Organizational units
• Workflow tasks

When we build a role, the naming convention is very important.

SINGLE ROLE CREATION
Creating roles - PFCG
There are different ways of creating a role:
  o From transaction codes
  o From the SAP standard menu
  o From an SAP area menu
  o From a role based menu
Transaction PFCG
• Enter the role name and press the create button. There are some limitations in naming a role:
  o A customer role name should begin with a Z or Y
  o The second character should not be an underscore (_)
• When a role is created and saved, an entry is made in the AGR_DEFINE table and can be seen using the transaction SE16
Menu tab
• Go to the menu tab, where we can assign transactions and reports directly or using the menus. Once it is done we can observe that the menu tab turns from red to green
• When transactions are assigned to the role, an entry is made in the tables AGR_TCODES, AGR_HIER and AGR_HIERT
• Apart from the transactions, we can also assign reports, ABAP/4 queries, internet URLs, web addresses, links to documents on a share drive in the company's network etc.
Authorization tab
• It is used to maintain the organizational levels and the values for the fields of the authorization objects associated with the transaction codes
• The list of authorization objects can be found in the table TOBJ
• To maintain the org levels and field values, click on change authorization data
• Organizational levels defined in the system can be checked using the T.code SPRO
• To see the list of authorization classes: SU02
• We can deactivate an object by clicking on the page with the red bar
• Automatically generated objects are stored in the USOBT and USOBX tables
• Custom objects are stored in the USOBT_C and USOBX_C tables
• Once the authorization tab is done, entries about the profile can be seen in some of the tables: AGR_1250, AGR_1251, AGR_1252, AGR_1016 and AGR_1016B
• User comparison: to update the UMR, this icon is clicked once a user id is assigned
Assigning users to the role
• Enter the user id's and, once it is done, click user comparison and then click on complete comparison
• An entry for each user is made in the AGR_USERS table
Inserting Authorization Objects Manually
• Sometimes while executing the transactions there will be an authorization error. When you execute SU53 it will display the missing authorizations
• To manually insert an authorization object into the role, go to Edit - Insert authorization - Manual input
Creating Roles Using SAP Menu Structure
• In the menu tab select "from the SAP menu"; a window will open with check boxes, and at the bottom of the screen activate the technical names. These technical names are nothing but the transactions
• In the same screen, find the transaction which you want using the find button by entering the transaction code
• It will take you to the menu path where the transaction code is. Now check the box corresponding to the t-code you need; it will select the parent nodes as well
• If any other transaction needs to be found and included, we can do the same. Finally select the transfer button
DELETION
• When a role is deleted, all the assignments associated with the role are also deleted. This includes all the authorizations generated for the role and the user assignments
• Before deletion create a change request, and it should not be released before the deletion of the role configuration
• If we have multiple roles to be deleted, we can enter all the roles in the change request and delete the roles one by one
• Click on the transport icon before deletion. It will take us to the object screen, where we should not select the user assignment object; select the personalization object and hit enter
• Then in the next screen click the create request icon, specify a description for the role to be deleted and press enter. We will see the message at the bottom saying data entered in the change request
• Now we can go ahead and delete the role
• The role which is marked for transport can be seen in SE10/SE09. As soon as you enter this screen make sure that the modifiable box is checked, then select display; we can see that the roles which we deleted are ready for transport. Select the roles and hit the transport icon
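The role structure described in this section and in the role-type overview above, as an added example in Python (not SAP code, and not from these notes): a small model of the AGR_DEFINE, AGR_TCODES, AGR_AGRS and AGR_USERS tables with the customer naming limits, user comparison, the composite and derived role rules from the overview (at least one single role, no composite inside a composite, a derived role inheriting transactions but keeping its own organizational levels) and role deletion together with its user assignments. The table shapes, the `deleted` flag, and all role names and tcodes are assumptions constructed for the example.

```python
"""Toy model of the PFCG role structure described in the notes: the
AGR_DEFINE, AGR_TCODES, AGR_AGRS and AGR_USERS tables, customer naming
limits, user comparison and deletion. Added example; table shapes are
simplified assumptions, role names and tcodes are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

SINGLE, COMPOSITE, DERIVED = "single", "composite", "derived"


def valid_custom_role_name(name: str) -> bool:
    """Customer roles begin with Z or Y; the second character is not '_'."""
    return len(name) >= 2 and name[0] in "ZY" and name[1] != "_"


@dataclass
class Role:
    name: str
    kind: str
    tcodes: Set[str] = field(default_factory=set)                  # AGR_TCODES
    org_levels: Dict[str, Set[str]] = field(default_factory=dict)  # e.g. BUKRS
    parent: Optional[str] = None   # role this one was derived from
    deleted: bool = False          # deletion flag that travels with the transport


class RoleStore:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}             # AGR_DEFINE
        self.composition: Dict[str, Set[str]] = {}   # AGR_AGRS
        self.users: Dict[str, Set[str]] = {}         # AGR_USERS

    def create(self, name, kind, tcodes=(), org_levels=None, parent=None) -> Role:
        if not valid_custom_role_name(name):
            raise ValueError(f"invalid customer role name: {name}")
        role = Role(name, kind, set(tcodes), dict(org_levels or {}), parent)
        self.roles[name] = role
        if kind == DERIVED:
            self.generate_derived(name)   # inherits tcodes, keeps own org levels
        return role

    def add_to_composite(self, composite: str, single: str) -> None:
        if self.roles[composite].kind != COMPOSITE:
            raise ValueError(f"{composite} is not a composite role")
        if self.roles[single].kind == COMPOSITE:
            raise ValueError("a composite role cannot contain a composite role")
        self.composition.setdefault(composite, set()).add(single)

    def generate_derived(self, derived: str) -> None:
        """'Generate derived role' in the parent: the derived role's tcodes are
        overwritten by the parent's; organizational levels stay independent."""
        role = self.roles[derived]
        role.tcodes = set(self.roles[role.parent].tcodes)

    def assign_user(self, user: str, role: str) -> None:
        if self.roles[role].kind == COMPOSITE and not self.composition.get(role):
            raise ValueError(f"{role} must contain at least one single role")
        self.users.setdefault(user, set()).add(role)

    def effective_tcodes(self, user: str) -> Set[str]:
        """What user comparison yields: a composite resolves to its single
        roles (the UMR lists both), and tcodes come only from single roles."""
        out: Set[str] = set()
        for name in self.users.get(user, ()):
            if self.roles[name].kind == COMPOSITE:
                singles = self.composition.get(name, set())
            else:
                singles = {name}
            for s in singles:
                out |= self.roles[s].tcodes
        return out

    def delete(self, name: str) -> None:
        """Deleting a role drops its user assignments as well; a composite that
        still contains single roles errors out, as PFCG does."""
        if self.roles[name].kind == COMPOSITE and self.composition.get(name):
            raise ValueError(f"{name} still contains single roles")
        self.roles[name].deleted = True
        self.composition.pop(name, None)
        for assigned in self.users.values():
            assigned.discard(name)


def demo() -> RoleStore:
    """Constructed data: an AP clerk single role, a composite role, and a
    derived role for a second company code (org level BUKRS)."""
    s = RoleStore()
    s.create("ZFI_AP_CLERK", SINGLE, {"FB60", "FBL1N"}, {"BUKRS": {"1000"}})
    s.create("ZMM_PO_DISPLAY", SINGLE, {"ME23N"})
    s.create("ZC_FI_AP", COMPOSITE)
    s.add_to_composite("ZC_FI_AP", "ZFI_AP_CLERK")
    s.add_to_composite("ZC_FI_AP", "ZMM_PO_DISPLAY")
    s.create("ZFI_AP_CLERK_2000", DERIVED, org_levels={"BUKRS": {"2000"}},
             parent="ZFI_AP_CLERK")
    s.assign_user("JDOE", "ZC_FI_AP")
    s.assign_user("ASMITH", "ZFI_AP_CLERK_2000")
    return s
```

Calling `demo()` and then `effective_tcodes("JDOE")` returns the three transactions reachable through the composite role, while the derived role's user only sees the parent's transactions (with company code 2000); adding a transaction to the parent afterwards reaches the derived role only after `generate_derived` is called again, which mirrors the drawback noted below for derived roles.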

COMPOSITE ROLE
• Composite roles are a collection of single roles. In composite roles you cannot assign transactions directly: transactions are assigned to single roles and single roles are in turn assigned to composite roles
• Composite roles provide an efficient method for administrating user access to complex functionality spanning several methods
CREATION
Transaction PFCG
• Enter a role name and click on the composite role button. The naming convention is very important, that is, it should be distinguished from a single role
Role tab
• Click on the role tab button and enter the single roles which you want to bring under this composite role
• At this point an entry is made in the AGR_AGRS table (one for every single role that makes up the composite role)
Menu tab
• We can see there is no option for us to enter any transaction or report into a composite role
• If we click on the read menu button, it will display one node for each role that was included in the roles tab
• We can expand the nodes of the single role and see the transactions that are present in the single role
User tab
• Click on the user tab and assign the composite role to the user id's
• Click on the user comparison button; the master record for the single roles is adjusted and the composite role gets assigned to the users
SU01
• If you check the UMR for a user id with a composite role, we can see the composite role as well as the single roles that belong to the composite role
• Single roles are displayed in blue color and the composite role with a double bullet in the type column
TRANSPORTING COMPOSITE ROLE
DELETING COMPOSITE ROLE
Initial steps before deleting the composite role:
  o We have to remove the single role assignment from the composite role
  o Create a change request for the composite role
  o Delete the role
  o Release and transport the change request
• Select the composite role which you want to delete. If the role still contains the single roles and we delete the composite role, it will error out saying that it still contains single roles
• Go to the roles tab and delete all the single roles in the composite role
• Click on the transport icon before deletion. It will take us to the object screen, where we should not select the user assignment object; select the personalization object and hit enter
• Then in the next screen click the create request icon, specify a description for the role to be deleted and press enter. We will see the message at the bottom saying data entered in the change request
• Now we can go ahead and delete the role
• The role which is marked for transport can be seen in SE10/SE09. As soon as you enter this screen make sure that the modifiable box is checked, then select display; we can see that the roles which we deleted are ready for transport. Select the roles and hit the transport icon
MASS DELETION OF ROLES
• Create one transport request for all the roles in the source system (say the development system) using the mass transport option
• Delete all the roles entered in the transport one by one from the development system
• Release the change request. SAP flags the transport entry as a delete if it cannot find the records when you release the transport
• Import the transport in the remaining systems and the roles will be deleted from those systems
DERIVED ROLE
• A derived role is a role which is created using some other role as reference. The derived role will inherit the t-codes and the authorizations of the referenced role
• It is basically a duplication of an existing role
• Derived roles come into the picture where the organization has offices and users across the world, because there will be positions with similar job responsibilities in every location. In such a situation only the organizational levels may change but the activities remain the same
• Duplication of a role can be done in 2 ways:
  o Copying an existing role, but it will act as an independent role after that
  o Deriving a new role based on the existing role
• Once the derived role is created, if we go to the parent role we can see a new icon saying generate derived role near the generate icon
• Drawbacks:
  o The manually inserted authorization objects in the parent role are not reflected in the derived role automatically as the transactions are
  o If you want to bring the objects from the parent role to the derived role, we have to generate the derived role in the parent role
  o Any changes done in the derived role are not reflected in the parent role
CREATION
• The derived role can be seen in the table AGR_DEFINE

• Enter the derived role name and select the create role button. You will be taken to the next screen where you have to give the description, and at the bottom of the screen there will be an option derive from role (the role from which we want to derive)
• Enter the role; as soon as you enter it, go to the menu tab, where we can see that all the transactions and reports that are in the parent role can now be seen in the derived role which we are creating
• Go to the authorizations tab and select the change authorizations data button; we can see that no organizational levels are maintained, nor the values
• We have to ensure that the field values that are in the parent role are also there in the child role
• If we want to maintain everything, then click the save button and select the copy data icon in the page. This is to be done only the first time a derived role is created
• Organizational levels we can either copy from the parent role or give our own organizational values (which are independent from the parent role)
• Now if we do any changes to the derived role it doesn't affect the parent role, and the changes will exist in the derived role until we generate the derived role in the parent role. Once we do that, the derived role values are overwritten by the parent role values except for the organizational levels
PROJECT IMG AND IMG ROLE
• A project IMG can be created using the transaction SPRO_ADMIN or using the path SPRO - Project Management
• The object related to this is S_PROJECT
• Once we are done with creating a role, it is not possible to add any transactions to the role, but they can be deleted
CREATION
IMG Project
• Execute the transaction SPRO_ADMIN
• If you click on the create button we will get a box asking for the project name; once this is done it will take you to the screen where we can give the description
• Go to the Scope tab and select the radio button specify project scope by making manual selections in reference IMG
• Click on the specify scope icon and select the node or the module for which we are creating the project IMG, then select the square with the arrow button; once you do that we can see the traffic lights turned green, and the module which we selected is shaded as well as its sub nodes
• "Node selection in the reference IMG has been saved" is the message we will get at the bottom of the screen
• Now select the generate project IMG icon and select the radio button generate in background
• We can check the status of the background job using the transaction SM37 or SM50
IMG Role
• After the project IMG is created, we can use it to create the IMG configuration role
• Execute the transaction PFCG
• Go to the menu tab and follow the menu path Utilities - Customizing Authorization
• We will get the customizing authorization box; select the add icon. We will be taken to the insert customizing activities box; select the IMG project button
• Select the project IMG from the list, the one you created, and select the continue icon
• We can see the node with all the sub nodes in the menu tab screen, and we can no longer add any transaction codes into this role in the menu tab
• Specify the required values in the authorizations tab and generate the role

To see the values for the org levels, go to the IMG through SPRO and in there select Enterprise structure - Assignment
In SU24 we can maintain objects automatically
SU53 gives which values need to be maintained. When you execute a transaction, it will give an authorization error and it will say which values are to be maintained during testing:
• We can give *
• We can assume some value
If authorization object names are not displayed, then go to Utilities - technical names on, or Utilities - settings, to display the technical names (authorization class) of the authorization objects and the field names
Transaction codes are inserted in the authorization object S_TCODE, the start transaction code object
To create custom authorization objects: SU21. Soon after creating an object, generate it
There are 4 object statuses:
• Standard
• Maintained
• Manual
• Changed
These statuses can be seen in the object class screen; along with them there is one more status, "NEW"
• Standard: the authorization objects with the status standard and a green traffic light are entirely profile generator default values
• Maintained: yellow. When any of the field values that are not maintained are maintained, the object status changes from standard to maintained
• Changed: green. When you change any of the field values, it changes from maintained to changed
A field value with "$" at the beginning in the organizational level screen indicates that it is a plan version

Apart from the 4 object statuses there is another status, "NEW". It can be seen when we enter into a created role with any modifications. In most cases we make sure that the old status remains. For example: if an object exists twice, with old and new values for the fields, generally we keep the old object and deactivate the new one
Note: if the newly existing object has more authorization values than the old one, then make sure what the role is about and deactivate the unnecessary object
Do not delete any objects; deactivate the objects, because the deleted objects pop up again when you enter the role again (adding or deleting t-codes)
S_BTCH_JOB, S_BTCH_ADM and S_BTCH_NAM are the objects that control the transaction code SM37
In PFCG, if you want to give access only to the user menu and not the SAP menu, how to do that? Sol: to hide the SAP menu for all users we need to enter the transaction SM30, edit table SSM_CUST and set SAP_MENU_OFF to YES. To hide the SAP menu for individual users, enter transaction SM30 and maintain table USERS_SSM
Technically yes, we can delete a role directly from the production system, but we should not, because of 2 reasons:
  o Synchronization (the systems go out of sync)
  o Trail (the transport says where the object originated)
The change request should not be released before the deletion of the role
When we delete the roles, the related entries from tables such as AGR_DEFINE, AGR_TCODES, AGR_USERS (if users are assigned to the roles) etc. are also deleted
When a role is deleted a flag is set on the role saying that the role is deleted; based on that it is deleted from the remaining systems
We can see a delete button in the menu tab screen; if we delete a role there and refresh, it will appear again since the menu is read from the single roles
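How the field values, the `*` value, SU53's missing-authorization output, the object statuses and deactivation fit together, as an added example in Python (not SAP code, and not from these notes): a toy authorization check over constructed role data that reports the object, field and value a failed check was missing, applies the status moves described above (standard to maintained to changed), and skips deactivated authorizations rather than deleting them. S_TCODE with field TCD is the start-transaction object named in the notes; F_BKPF_BUK with fields BUKRS and ACTVT is a standard SAP object assumed here as a second example and is not mentioned on the page; treating a trailing `*` as a prefix pattern is an assumption of this model.

```python
"""Toy authorization check modelled on the notes: field values, '*' as full
authorization, SU53-style reporting of what was missing, the object status
moves and deactivated authorizations. Added example, not SAP code; role data
is constructed. F_BKPF_BUK (BUKRS, ACTVT) is a standard SAP object assumed
here; S_TCODE/TCD is named in the notes."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

FULL = "*"
STANDARD, MAINTAINED, MANUAL, CHANGED = "Standard", "Maintained", "Manual", "Changed"


@dataclass
class Authorization:
    """One authorization instance of an object: field -> allowed values."""
    fields: Dict[str, Set[str]] = field(default_factory=dict)
    status: str = STANDARD
    active: bool = True   # deactivated (red bar) instead of deleted


RoleAuths = Dict[str, List[Authorization]]   # object -> authorizations


def value_matches(allowed: str, requested: str) -> bool:
    """'*' grants every value; a trailing '*' is treated as a prefix pattern
    (an assumption of this model); anything else must match exactly."""
    if allowed == FULL:
        return True
    if allowed.endswith(FULL):
        return requested.startswith(allowed[:-1])
    return allowed == requested


def maintain(auth: Authorization, name: str, values: Set[str]) -> str:
    """Set a field's values and apply the status moves from the notes:
    filling an empty field takes Standard to Maintained; changing a value
    that was already maintained takes Maintained to Changed. Manual stays."""
    was_empty = not auth.fields.get(name)
    auth.fields[name] = set(values)
    if auth.status == STANDARD and was_empty:
        auth.status = MAINTAINED
    elif auth.status == MAINTAINED and not was_empty:
        auth.status = CHANGED
    return auth.status


def authority_check(role: RoleAuths, obj: str, **requested: str) -> List[Tuple[str, str, str]]:
    """Return [] when one active authorization for obj covers every requested
    field value. Otherwise return the (object, field, value) triples that no
    active authorization covers, which is what SU53 shows after the failed
    check; if every field is covered but only by different authorizations,
    all requested triples are listed."""
    auths = [a for a in role.get(obj, []) if a.active]
    for a in auths:
        if all(any(value_matches(v, want) for v in a.fields.get(f, ()))
               for f, want in requested.items()):
            return []
    uncovered = [(obj, f, want) for f, want in requested.items()
                 if not any(value_matches(v, want)
                            for a in auths for v in a.fields.get(f, ()))]
    return uncovered or [(obj, f, want) for f, want in requested.items()]


def build_role_auths(tcodes: Set[str], extra: RoleAuths) -> RoleAuths:
    """Menu transaction codes are inserted into S_TCODE field TCD, as the
    profile generator does; other objects are taken as given."""
    auths: RoleAuths = {"S_TCODE": [Authorization({"TCD": set(tcodes)}, MAINTAINED)]}
    auths.update(extra)
    return auths


def demo_role() -> RoleAuths:
    """Constructed AP clerk role: company code 1000 only, activities
    01 (create), 02 (change) and 03 (display)."""
    bukrs = Authorization()                       # Standard: nothing maintained
    maintain(bukrs, "BUKRS", {"1000"})            # Standard -> Maintained
    maintain(bukrs, "ACTVT", {"01", "02", "03"})  # stays Maintained (field was empty)
    return build_role_auths({"FB60", "FBL1N"}, {"F_BKPF_BUK": [bukrs]})


if __name__ == "__main__":
    role = demo_role()
    print(authority_check(role, "S_TCODE", TCD="FB60"))   # [] -> allowed
    print(authority_check(role, "S_TCODE", TCD="SM37"))   # [('S_TCODE', 'TCD', 'SM37')]
    print(authority_check(role, "F_BKPF_BUK", BUKRS="2000", ACTVT="03"))
```

Giving `*` for BUKRS, as the notes allow during testing, makes the company code check pass for every company code, which is why the value a tester "assumes" should be replaced with the real organizational value before the role is transported; deactivating an authorization (`active = False`) removes it from the check while keeping it visible in the role, which is the behaviour the notes prefer over deleting objects.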