
Authorization in SAP GUI

Mickael QUESNOT ©
Motivation for change

Solution proposal

Objectives Directive

System Steps

Troubleshooting
• Due to timing constraints during the Picard and Fnac implementations, the approach to security was to manage access via the FIORI front end (apps/catalogue)
• This model facilitates the restriction of authorisation by assigning only the required applications per functional area to the FIORI catalogue
• In this model no authorisation restrictions are applied in the SAP S4 "backend" systems (SAP_ALL is assigned)
• The initial premise was that only the FIORI UX would be used, which made this model sustainable

Motivation for Change

• The limitations of this approach only become material when the S4 GUI "back end" is used
• Due to the change in approach from using solely the FIORI UX to the additional use of the S4 GUI, the requirement to manage authorizations has become necessary and urgent
• SAP's audit findings will recommend that SAP_ALL access be removed
• The proposed solution can be implemented in a relatively short time frame
Solution Proposal

• The Best Practice SAP standard roles are to be identified per functional area:
  • Finance
  • Store Operations
  • Buyer (Pricing & Purchasing)
  • Master Data
  • DC Operations
• Custom composite "shell" roles will be created per functional area and will contain the SAP Best Practice roles
• Analysis will be done to ensure that only low-risk transactions overlap the functional areas, e.g. display transactions
• Organization area segregation is not critical at this point in time (no separation between Fnac and Picard, except store operations managed via FIORI)
Directive

• SAP authorizations were grouped into 5 high-level areas; this approach was taken to avoid future authorization issues due to changing business requirements
• Per operational area the SAP standard roles were identified as follows: extract all roles from table AGR_1251 (single roles only); AGR_TCODES can be used for the transaction assignment
• Roles were identified based on the role name, e.g. *FI*, *CO*, *BUYER*
• An additional step was to ensure these roles have the required transactions per operational area
• Another helpful tool is T/Code SUIM
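To make the directive concrete, here is an added Python example (not part of the deck and not an SAP tool) that works offline on an extract of AGR_TCODES: it assigns single roles to functional areas by role-name pattern, checks that each area's roles cover its required transactions, and reports transactions that appear in more than one area, allowing them only when they are display transactions, which is the overlap analysis the Solution Proposal calls for. The table rows, the area patterns other than *FI*, *CO* and *BUYER*, the required-transaction lists and the display allowlist are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample extract; column meaning follows AGR_TCODES (AGR_NAME, TCODE) but the
# rows are invented for this example. Assumed to already be restricted to single roles.
AGR_TCODES_EXTRACT = [
    ("SAP_FI_AP_CLERK", "FB60"), ("SAP_FI_AP_CLERK", "FBL1N"), ("SAP_FI_AP_CLERK", "MIRO"),
    ("SAP_FI_GL_DISPLAY", "FBL3N"), ("SAP_FI_GL_DISPLAY", "FB03"),
    ("SAP_MM_PUR_LIS_GENERAL", "ME21N"), ("SAP_MM_PUR_LIS_GENERAL", "ME23N"),
    ("SAP_BPR_BUYER", "ME22N"), ("SAP_BPR_BUYER", "ME23N"),
    ("SAP_BPR_BUYER", "MIRO"), ("SAP_BPR_BUYER", "FB03"),
    ("SAP_MM_ARTICLE_MAINT", "MM41"), ("SAP_MM_ARTICLE_MAINT", "MM43"),
    ("SAP_WM_STOCK_DISPLAY", "MMBE"),
]

# Role-name patterns per area: *FI*, *CO*, *BUYER* come from the deck, the others are assumptions.
AREA_PATTERNS = {
    "Finance": [r"_FI_", r"_CO_"],
    "Buyer": [r"BUYER", r"_PUR_"],
    "Master Data": [r"_ARTICLE_"],
    "DC Operations": [r"_WM_"],
}

# Transactions each area must be able to run (constructed; F110 is deliberately uncovered).
REQUIRED_TCODES = {
    "Finance": {"FB60", "MIRO", "F110"},
    "Buyer": {"ME21N", "ME22N"},
    "Master Data": {"MM41"},
}

# Low-risk display transactions that may legitimately appear in more than one area (constructed).
DISPLAY_TCODES = {"FB03", "FBL1N", "FBL3N", "ME23N", "MM43", "MMBE"}


def tcodes_by_role(rows):
    """Group an AGR_TCODES extract into {role: set(tcodes)}."""
    out = defaultdict(set)
    for role, tcode in rows:
        out[role].add(tcode)
    return dict(out)


def identify_roles(role_tcodes, patterns):
    """Assign each single role to the first area whose name pattern matches it."""
    areas = {area: set() for area in patterns}
    for role in role_tcodes:
        for area, pats in patterns.items():
            if any(re.search(p, role) for p in pats):
                areas[area].add(role)
                break
    return areas


def area_tcodes(areas, role_tcodes):
    """Union of the transactions provided by all roles identified for each area."""
    return {area: set().union(*(role_tcodes[r] for r in roles)) for area, roles in areas.items()}


def missing_required(areas, role_tcodes, required):
    """Required transactions that none of the area's identified roles provides."""
    covered = area_tcodes(areas, role_tcodes)
    return {area: req - covered.get(area, set()) for area, req in required.items()}


def cross_area_overlap(areas, role_tcodes, display_tcodes):
    """Transactions present in more than one area, split into allowed (display) and flagged."""
    owners = defaultdict(set)
    for area, tcodes in area_tcodes(areas, role_tcodes).items():
        for t in tcodes:
            owners[t].add(area)
    shared = {t: a for t, a in owners.items() if len(a) > 1}
    allowed = {t: a for t, a in shared.items() if t in display_tcodes}
    flagged = {t: a for t, a in shared.items() if t not in display_tcodes}
    return allowed, flagged


def run_analysis(rows=AGR_TCODES_EXTRACT):
    role_tcodes = tcodes_by_role(rows)
    areas = identify_roles(role_tcodes, AREA_PATTERNS)
    allowed, flagged = cross_area_overlap(areas, role_tcodes, DISPLAY_TCODES)
    return {
        "areas": areas,
        "missing": missing_required(areas, role_tcodes, REQUIRED_TCODES),
        "allowed_overlap": allowed,
        "flagged_overlap": flagged,
    }


if __name__ == "__main__":
    result = run_analysis()
    for area, roles in result["areas"].items():
        print(f"{area}: {sorted(roles)}")
    print("missing required:", {a: sorted(m) for a, m in result["missing"].items() if m})
    print("display overlaps (ok):", {t: sorted(a) for t, a in result["allowed_overlap"].items()})
    print("non-display overlaps (review):", {t: sorted(a) for t, a in result["flagged_overlap"].items()})
```

With the constructed rows, MIRO is reported as a non-display overlap between Finance and Buyer (a posting transaction in two areas, which the proposal says should not happen), FB03 is accepted as a display overlap, and F110 is reported as a Finance requirement no identified role covers.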
System Steps

• The SAP standard roles are not delivered complete; the reason is that they are not supposed to be used directly, only as a reference
• Incomplete SAP role, e.g.:
System Steps

• See SAP Note 440231; this note explains why T/Code SU25 should be executed after a system install or upgrade
• This tool attempts to complete the SAP standard roles by assigning the missing profiles and generating the role
• This tool must be run in all systems, including the gateway
System Steps

▪ Once SU25 has run, the SAP roles should be completed (60%)
▪ Next make copies of the SAP standard roles; this is best practice as the SAP standard roles might change with an upgrade
▪ This is done using T/Code PFCG (or the mass program ZZ_PAUL_COPY_PFCG), e.g. SAP_MM_PUR_LIS_GENERAL copied to Z_MM_PUR_LIS_GENERAL
System Steps

• Next a mass generation is required for the still missing profiles, T/Code PFCG:
• The remainder must be done manually (those that do not generate during the mass run)
• Next step: mass comparison
• A user comparison is always required once role changes have taken place
System Steps

▪ Next, depending on the client's requirements, organization objects need to be managed
▪ Possibilities:
  • Derived role: Z_MM_PUR_LIS_GENERAL
  • Company code split: Z_MM_PUR_LIS_GENERAL_1000, Z_MM_PUR_LIS_GENERAL_2000
  • or CC and site split: Z_MM_PUR_LIS_GENERAL_1001, Z_MM_PUR_LIS_GENERAL_1002


System Steps – SAP Solution

▪ The organizational split was not a requirement
▪ Next all operational roles were added to a composite role per operational area; this reduces the maintenance time, e.g. FI +/- 340 roles
▪ Composite role Z_APPROVISIONNEMENT, containing e.g.:
  • Z_BPR_BUYER_16
  • Z_ISR_PUR_PURCHASEORDER
  • Z_ISR_PROMOTION_ADMIN
  • Z_MM_PUR_CONDITIONS
  • Z_MM_IM_REPORTS
System Steps – SAP Solution

• The creation of a composite role is done in T/Code PFCG; once created, all roles must be assigned:
  • Z_APPROVISIONNEMENT
  • Z_DONNEES_MAITRES
  • Z_ENTREPOT
  • Z_FINANCE
  • Z_OPERATIONS_MAGASIN
System Steps – SAP Solution

• Next the menu must be generated by importing the menu (this can be customized on this screen)
System Steps – SAP Solution

• The user must be assigned; this can be done in the next tab. Once done, a user comparison must be run to finally complete the authorization assignment to the user:
System Steps – SAP Solution

• First the S4 roles need to be assigned (remember to complete the roles):
  • SAP_S_RFCACL
  • SAP_UI2_ADMIN_750 (check which version you have)
  • SAP_UI2_USER_750 (check which version you have)
• Next the FIORI roles need to be assigned if a gateway is used:
  • SAP_S_RFCACL
  • SAP_UI2_PAGEBUILDER_CUST
  • SAP_UI2_USER_750 (check which version you have)
• Additional steps need to be followed for the roles below, see SAP Help – Configuring Authorization Roles - SAP Fiori – Fiori launchpad (as an end user):
  • SAP_UI2_PAGEBUILDER_CUST
  • SAP_UI2_USER_750
  • https://help.sap.com/saphelp_ewm92/helpdata/en/85/be3fff35604fa09a1668dd97ef4407/frameset.htm
Troubleshooting

▪ A user experiences missing authorization:
▪ First determine if the user should have access to the transaction; here are the rules:

[Diagram: functional areas Finance, Logistics, Purchasing and Master Data, with the transactions ME21N, ME22N, MIRO and MIGO]

▪ This was a Finance user that received this error; if the business decides that the Finance user must create articles, assign the Master Data composite role to this user only
Troubleshooting

• There are 2 possible reasons why an authorization is missing:
  • The user does not have the transaction because none of the roles assigned to the user contain the transaction
    • To resolve (high level): find a role with the required authorizations and assign it to the user / composite role
  • The user has the transaction in a role that is already assigned; this scenario is a little more difficult to resolve
    • See next steps
Troubleshooting

▪ If the Master User is missing this authorization, the following steps will assist in correcting the missing authorization:
▪ Is the transaction an operational-specific sensitive transaction, e.g. MM41?
▪ If this is the case, the transaction must only be assigned to the composite role of the operational area, here Z_DONNEES_MAITRES
▪ Always ask the user to run T/Code SU53 directly after the authorization error:
▪ The user's SU53 can be viewed by you by clicking:
Troubleshooting

• Go to T/Code SUIM; this step is to confirm that the transaction is not assigned to the user:

Troubleshooting

• The next step is to find which roles are assigned to the user, T/Code SUIM; copy all roles:

Troubleshooting

• Now find the role with the transaction in question, T/Code SUIM:

Troubleshooting

• Next copy the role and go to T/Code PFCG (or double-click on the role), click Change, go to the Authorizations tab, then Change Authorizations
• Based on the SU53, copy the affected object (M_BEST_EKG) and use the SAP search functionality to find the object:
Troubleshooting

Repeat: if the user is allowed access to the transaction and does not currently have access, repeat the process as above:
  • Find: find an SAP standard role with the required authorizations, but one that does not allow authorizations forbidden for the operational area (SUIM)
  • Copy: copy the role to Z_ (PFCG)
  • Complete: complete the role (PFCG)
  • Add: add the role to the composite role (PFCG)


Troubleshooting

• The next step is to find which role assigned to the user is problematic; only flag Composite:
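The troubleshooting decision tree above (either no assigned role carries the transaction, or a role carries it but the SU53 object check fails) as an added Python example, not from the deck or from SAP: it expands a user's composite roles into single roles, checks which of them contain the transaction, and for the second scenario compares the SU53 object fields against the role's authorization values, which is what the SUIM lookups and the PFCG Change Authorizations step establish by hand. The composite/single-role membership, transactions, object values (using M_BEST_EKG from the deck), user assignments and the sensitive-transaction mapping MM41 to Z_DONNEES_MAITRES are all constructed; value ranges (HIGH) are not modelled.

```python
# All data below is constructed for this example. Composite-to-single-role membership is
# what AGR_AGRS holds, single-role transactions correspond to AGR_TCODES, and the
# authorization field values to AGR_1251 (OBJECT, FIELD, LOW). A required value is
# treated as allowed if the role lists it exactly or carries "*" for that field.
COMPOSITE_ROLES = {
    "Z_FINANCE": {"Z_FI_AP_CLERK", "Z_FI_GL_DISPLAY"},
    "Z_APPROVISIONNEMENT": {"Z_MM_PUR_LIS_GENERAL", "Z_BPR_BUYER_16"},
    "Z_DONNEES_MAITRES": {"Z_MM_ARTICLE_MAINT"},
}
ROLE_TCODES = {
    "Z_FI_AP_CLERK": {"FB60", "MIRO"},
    "Z_FI_GL_DISPLAY": {"FB03", "FBL3N"},
    "Z_MM_PUR_LIS_GENERAL": {"ME21N", "ME23N"},
    "Z_BPR_BUYER_16": {"ME22N", "ME23N"},
    "Z_MM_ARTICLE_MAINT": {"MM41", "MM43"},
    "SAP_MM_PUR_LIS_GENERAL": {"ME21N", "ME23N"},  # uncopied standard role, reference only
}
ROLE_AUTHS = {  # role -> {(object, field): allowed values}
    "Z_MM_PUR_LIS_GENERAL": {("M_BEST_EKG", "ACTVT"): {"01", "02", "03"},
                             ("M_BEST_EKG", "EKGRP"): {"001"}},
    "Z_BPR_BUYER_16": {("M_BEST_EKG", "ACTVT"): {"03"},
                       ("M_BEST_EKG", "EKGRP"): {"*"}},
}
USER_ROLES = {"FIN01": {"Z_FINANCE"}, "BUY01": {"Z_APPROVISIONNEMENT"}}
# Area-specific sensitive transactions that may only live in that area's composite role.
SENSITIVE_TCODES = {"MM41": "Z_DONNEES_MAITRES"}


def single_roles_of_user(user):
    """Expand the user's composite roles into the single roles they contain."""
    roles = set()
    for r in USER_ROLES.get(user, set()):
        roles |= COMPOSITE_ROLES.get(r, {r})
    return roles


def roles_with_tcode(tcode, candidates):
    """Subset of candidate roles whose transaction list contains tcode."""
    return {r for r in candidates if tcode in ROLE_TCODES.get(r, set())}


def missing_fields(role, failed_check):
    """Fields of the SU53 object whose required value the role does not allow."""
    missing = {}
    for field, value in failed_check["fields"].items():
        allowed = ROLE_AUTHS.get(role, {}).get((failed_check["object"], field), set())
        if value not in allowed and "*" not in allowed:
            missing[field] = value
    return missing


def diagnose(user, failed_check):
    """Classify a missing-authorization report into the two scenarios of the slides."""
    tcode = failed_check["tcode"]
    assigned = single_roles_of_user(user)
    with_tcode = roles_with_tcode(tcode, assigned)
    if not with_tcode:
        # Scenario 1: no assigned role carries the transaction at all.
        if tcode in SENSITIVE_TCODES:
            return {"scenario": "no_role_with_tcode",
                    "action": f"assign composite {SENSITIVE_TCODES[tcode]} (area-specific transaction)"}
        candidates = roles_with_tcode(tcode, ROLE_TCODES) - assigned
        return {"scenario": "no_role_with_tcode", "candidate_roles": candidates,
                "action": "copy/complete a candidate role and add it to the user's composite"}
    # Scenario 2: a role has the transaction, so the gap is at authorization-object level.
    return {"scenario": "tcode_present",
            "roles_with_tcode": with_tcode,
            "missing_per_role": {r: missing_fields(r, failed_check) for r in with_tcode},
            "action": "extend the listed object values in PFCG (Change Authorizations)"}


if __name__ == "__main__":
    # Constructed SU53 result: ME21N failed on M_BEST_EKG with ACTVT 01 and purchasing group 002.
    su53 = {"tcode": "ME21N", "object": "M_BEST_EKG", "fields": {"ACTVT": "01", "EKGRP": "002"}}
    print(diagnose("FIN01", su53))
    print(diagnose("BUY01", su53))
    print(diagnose("FIN01", {"tcode": "MM41", "object": "M_MATE_WRK", "fields": {"ACTVT": "01"}}))
```

For the Finance user the result is scenario 1 with the two roles that carry ME21N as candidates; for the Buyer user it is scenario 2, pointing at Z_MM_PUR_LIS_GENERAL and the EKGRP value 002 it lacks; for MM41 the sensitive-transaction rule returns the area composite instead of a role copy.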
