Working with the Role Maintenance Tool SAP BASIS

The Role Maintenance tool is an evolution of the Profile Generator, available in releases of SAP R/3 since 4.6, that facilitates the management of roles, user authorizations, and profiles. Before the Role Maintenance and Profile Generator existed, implementing and supporting the authorization concept took a great deal of effort and was a costly activity within projects. SAP designed the Role Maintenance tool with the objective of reducing the time needed to implement and manage the user menus and authorizations associated with a job description, thus decreasing implementation costs. SAP recommends using the Role Maintenance and Profile Generator to set up authorizations.

Using the Role Maintenance is very different from manual profile management, where authorization objects must be selected, authorizations defined, and profiles created to be assigned to users later. With the Role Maintenance, the management of profiles and authorizations is based on the functions and tasks that users will perform with the SAP systems, and the Profile Generator is in charge of selecting and grouping the authorization objects.

Assigning authorizations to the new profile

The definition of roles with the Role Maintenance is based on grouping functions or tasks into a user menu, from which the profiles and authorizations for the functions selected by the customer are generated. As introduced in a previous section, roles form a set of tasks or activities that can be performed in the system, such as running programs, transactions, and other functions, and they generally represent job roles. SAP systems already include a very large number of predefined roles that can be used as delivered, or copied and then modified to accommodate specific needs.

In summary, the Role Maintenance tool and the Profile Generator

  • Can be used to automatically create profiles and assign them easily to users
  • Only select and use the necessary authorization objects, avoiding excessive validations in the system and thereby improving performance
  • Facilitate functional communication between the security or authorization administrator and end users or consultants
  • Make defining and maintaining authorization profiles easier

The Role Maintenance and Profile Generator can be accessed from the initial SAP Easy Access screen by clicking on the Create Role pushbutton on the application toolbar, from the main menu tree by selecting Tools | Administration | User Maintenance | Role Administration | Roles, or by entering transaction code PFCG in the command field. The following sections introduce how the Role Maintenance works, how to configure it, and a basic example of creating roles and using the automatically generated profiles to assign those roles to user master records.

How the Role Maintenance Works

Based on a job role, or group of tasks that represents what the users are trying to perform, administrators can identify and select the transactions, reports, or values that are required for users to pass the authorization checks.
Using the Role Maintenance and Profile Generator tool, the administrator creates roles made up of functions and tasks associated with SAP transactions, reports, and other object types; the tool then generates the profiles, selects the required authorizations, and sets the authorization values, or lets the administrator maintain the values for the authorization objects that correspond to the selected functions.

Once roles are created, the Profile Generator retrieves all the authorization objects for the selected transactions. This is accomplished using special check tables. The Profile Generator then creates the profile or profiles, and the roles can be assigned to the user master record. The user master record is then updated by a direct assignment, which automatically assigns the generated profiles as well. This assignment can also be performed via a batch job. Once the assignment is done, when the users log on, their user buffer will contain the corresponding authorizations that allow them to pass the authorization checks required for performing their usual jobs.

Configuring the Profile Generator

Before using the Role Maintenance, you have to configure the Profile Generator for the first time. The steps required to configure and work with the Profile Generator tool are the following:

  1. Activate the Profile Generator. The activation of the Profile Generator is based on the instance profile parameter auth/no_check_in_some_cases = Y. If this value is not set, users won't be able to see the Authorization pushbutton within the role maintenance screen. This is the default value since R/3 Basis release 4.0. This profile parameter tells the system to allow certain authorization checks to be ignored in a program. With this setting the profiles will only contain the necessary authorizations. For example, if the installation includes only one company code, administrators do not need to maintain authorizations for the company code.
  2. Set up the initial copy of Profile Generator configuration tables. You must run transaction SU25 to transfer the SAP transactions and authorization objects from SAP tables USOBT and USOBX to the customer tables USOBT_C and USOBX_C. You can then maintain these tables using transaction SU24. Table USOBT includes the relation between the transactions and the authorization objects. If it is a new installation, just click on the button next to option 1, Initially fill the customer tables. If you are upgrading from a previous release, you must use the lower options, but first look up the most recent information concerning your release in the online documentation.
  3. Maintain the scope of authorization object checks in transactions. This is performed using transaction SU24 (also the last button on the screen for transaction SU25) in order to maintain customer tables USOBX_C (transactions and authorization objects) and USOBT_C (proposed values for authorization objects). This is not a mandatory step, but can be used by customers to maintain their own authorization checks as well as to assign SAP authorization objects to custom transactions. You can also maintain the assignment for a single transaction, and enforce or suppress the authorization check for any transaction. Additionally, it is possible to maintain the field assignments for the transactions. In any case there is always the possibility of comparing these settings with the SAP standard settings. The purpose of this transaction is for the administrator to be able to maintain the scope of authorization checks in transactions by
    • Assigning the authorization objects that are relevant to a transaction
    • Assigning default values and organizational level defaults for authorization object fields

Basic Concepts for Working with Roles

Access the Role Maintenance screen by clicking on the Create Role pushbutton in the initial screen of the SAP Easy Access, or enter transaction PFCG in the command field.
Role Maintenance initial screen in complete view

Role maintenance includes three different views, which you can select from the initial screen by choosing Goto | Settings:

  • The Simple Maintenance View is used only to maintain the Role menu.
  • The Basic Maintenance View allows additional functions for defining and maintaining roles, not only for maintaining the menu, but also the profile and authorizations.
  • The Complete View includes all the functions of the basic maintenance plus the organizational management link and the workflow. This is the most comprehensive view and can display all the assignments for a role. This view is tightly related to the personnel development HR application, so it is useful for users working in organizational management.

When implementing structural authorizations, that is, roles linked with HR organizational management, roles are assigned to agents. There are several types of agents, the most common being the user master record; however, there are other types of organizational agents that can be created within the Human Resources module, such as organizational units, positions, jobs, persons, or work centers.

Creating Roles

In simplified form, the basic steps for creating a new role are:

  1. Enter a role name in the input field and press the Create pushbutton to the right of the name (or Comp. Role if you want to create a composite role). Remember to follow the naming convention, starting the role name with Z_ or Y_.
  2. Save the role, click on the Menu tabstrip and select the transactions from the SAP menu or from another role, or insert individual transactions or objects by clicking on the corresponding pushbutton. The process is very easy and intuitive.
  3. Next, go to the Authorizations tab, and enter a profile name, or let the system propose one for you. Click on Change Authorization Data. The system will present the Change Role: Authorization screen. Complete the authorizations for chosen activities: those marked with an orange light.
  4. Select Authorizations | Generate the Profiles.
  5. Assign the role to users and press User Comparison to transfer profiles to the user master record.

The following example shows how to create a simple role for the purchasing department users, providing them with authorizations for creating purchase orders when the vendor is known (transaction code ME21) and for changing and displaying purchase orders (transaction codes ME22 and ME23). These are the steps:

  1. Access the main Role Maintenance screen by entering transaction code PFCG in the command field. The system will display the Role Maintenance initial screen.
  2. Enter the name for the activity group (the earlier term for a role), and click the Create icon located to the right of the name. Enter a description, or even some sort of documentation, in the space provided at the bottom of the screen.
  3. Click on the Menu tabstrip. The system will display the main Change Roles screen, full of options to create a menu for this specific role. In this case, we will do it from a standard SAP menu.
  4. Click on the From the SAP Menu pushbutton located on the right of the screen. The system will show a dialog box with the standard SAP Menu tree. In our example, click on the plus signs to expand Logistics | Materials Management | Purchasing | Purchase Order | Create. Finally, mark the square box next to Vendor/Supplying Plant Known. On the same level as Create and below, mark the square boxes next to Change and Display. Save your selection by clicking on the Transfer icon.
  5. You will return to the previous screen. The next step is to maintain the Authorizations, by clicking on the Authorizations tabstrip. Click on the small icon to the right of the Profile Name field, so that the system will propose a profile name. Then click on the Change Authorization Data pushbutton in the lower part of the screen. Save the role.
  6. Next, the system first displays a new screen where you have to maintain the organizational levels. In this case, these are the Purchasing Group, Purchasing Organization, and Plant. You can input single values or ranges, or enter a wildcard such as * to indicate all organizations. Fill in the fields, or click on the Full Authorization pushbutton if you want to allow authorization on all organizational levels, and save. The system will display the Change Role: Authorizations screen, as shown in the figure.
  7. Expand the nodes by clicking on the folders or by positioning the cursor on the line and clicking on the Expand icon. Notice how the browser view is presented in four levels: authorization object class, authorization object, authorizations, and field values. The system automatically selects the objects and values according to the previous selections. Select Utilities | Technical Names On to display the familiar authorization objects. Notice also how the Profile Generator tool has selected the authorization object S_TCODE (authorization for transaction start) and provided it with the values of the selected transactions.
  8. You have to maintain all pending authorizations before you can generate the complete profile. The maintenance status of the authorizations at every level is shown using traffic lights: green indicates that all values are maintained, yellow that some value is not yet maintained, and red that at least one organizational level is missing. In order to maintain pending or open values, you can click on the individual level so that the system displays a new dialog box for entering the required field values. Or, you can click on a traffic light and maintain all outstanding fields below it, or assign full authorizations. For this example, you can assign complete authorizations for the subtree by clicking the stoplight on the Standard: Document type in purchase order line. On the dialog box, click the Enter icon.
  9. Next, click the Generate icon on the application toolbar. If you did not define one previously, the system will display a dialog box for entering the profile name and a short text. You can keep the proposed system name or change it to your own standards. Continue by pressing ENTER. The system will now generate the profile.
  10. Go back to the initial activity group maintenance screen. The screen will show green traffic lights for both Menu and Authorizations. Now assign this profile to one or more user master records by clicking on the User tabstrip.
  11. In this part of the role maintenance, you can simply assign this role to one or several users, or associate it with other types of agents by clicking on the Organizational Management pushbutton (you will only see this pushbutton in the complete view). Enter the name of the user or users to whom you want to assign the newly created role.
  12. If you want the profiles to be transferred to the actual user master records, click the User Comparison pushbutton. The system will display the user comparison program.

Activity group browser view

You can verify that the role and profiles have been effectively transferred by looking up the user master records using transaction SU01. There is also the possibility of running a general report that updates all user masters with pending assignments of activity groups by using transaction PFUD. The Role Maintenance and Profile Generator tools include many additional functions to facilitate the creation and maintenance of roles, authorizations and profiles, such as using single roles as templates, or collections of authorization objects that can be included within roles.
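The following block is an added illustration, not code from SAP or from this text: it models in Python the part of the process described above that is otherwise hidden behind the PFCG screens. A role menu's transactions are looked up in tables shaped like the customer check tables USOBX_C (check indicator per transaction and object) and USOBT_C (proposed field values) that transaction SU25 fills and SU24 maintains; objects whose check is suppressed produce no authorization, S_TCODE receives the selected transactions, organizational levels come from the separate dialog of step 6, and each authorization is rated with the red/yellow/green status of step 8. All table rows are constructed sample data, and merging the proposals of several transactions into one authorization per object is a simplification of what the Profile Generator does.

```python
"""Simplified model of what the Profile Generator does when a role menu is
saved: look up each transaction in the customer check tables, keep the
authorization objects flagged for checking, fill in the proposed field
values, add S_TCODE for the transactions themselves, and rate each
authorization with the traffic light shown in Change Role: Authorizations.

Added illustration, not SAP code. USOBX_C, USOBT_C and OBJECT_FIELDS below
are constructed sample rows in the shape of those tables, not SAP delivery
data, and merging proposals per object is a simplification."""
from collections import defaultdict

# Organizational levels maintained in the dialog PFCG shows first (step 6 above).
ORG_LEVEL_FIELDS = {"EKGRP", "EKORG", "WERKS"}   # Purchasing Group, Purchasing Org., Plant

# Shape of USOBX_C: transaction -> object -> check indicator.
# "Y" = check and propose values, "X" = check but no proposal (all fields open),
# "N" = do not check, so no authorization is created for it.
USOBX_C = {
    tcode: {"S_TCODE": "Y", "M_BEST_BSA": "Y", "M_BEST_EKG": "Y",
            "M_BEST_EKO": "Y", "M_BEST_WRK": "Y", "F_BKPF_BUK": "N"}
    for tcode in ("ME21", "ME22", "ME23")
}

# Field list per object, as the object definition would supply it.
OBJECT_FIELDS = {
    "S_TCODE": ["TCD"],
    "M_BEST_BSA": ["ACTVT", "BSART"],
    "M_BEST_EKG": ["ACTVT", "EKGRP"],
    "M_BEST_EKO": ["ACTVT", "EKORG"],
    "M_BEST_WRK": ["ACTVT", "WERKS"],
}

# Shape of USOBT_C: (transaction, object) -> field -> proposed values.
# Org-level fields carry no proposal; the document type BSART is deliberately
# left without a proposal so that its authorization stays yellow until maintained.
USOBT_C = {
    (tcode, obj): {"ACTVT": {actvt}}
    for tcode, actvt in (("ME21", "01"), ("ME22", "02"), ("ME23", "03"))
    for obj in ("M_BEST_BSA", "M_BEST_EKG", "M_BEST_EKO", "M_BEST_WRK")
}


def propose_authorizations(transactions, org_levels):
    """Return {object: {field: set(values)}} for the transactions in a role menu."""
    auths = defaultdict(lambda: defaultdict(set))
    for tcode in transactions:
        if tcode not in USOBX_C:
            raise KeyError(f"{tcode}: no SU24 data, maintain USOBX_C/USOBT_C first")
        auths["S_TCODE"]["TCD"].add(tcode)          # authorization for transaction start
        for obj, indicator in USOBX_C[tcode].items():
            if obj == "S_TCODE" or indicator == "N":
                continue                              # suppressed check: nothing proposed
            proposal = USOBT_C.get((tcode, obj), {})  # "X" or missing row: all fields open
            for fld in OBJECT_FIELDS[obj]:
                values = org_levels.get(fld, set()) if fld in ORG_LEVEL_FIELDS else proposal.get(fld, set())
                auths[obj][fld] |= set(values)
    return {obj: dict(fields) for obj, fields in auths.items()}


def status(auth):
    """Traffic light for one authorization: red if an organizational level is
    open, yellow if any other field is open, green when every field has values."""
    if any(not vals for fld, vals in auth.items() if fld in ORG_LEVEL_FIELDS):
        return "red"
    return "yellow" if any(not vals for vals in auth.values()) else "green"


def generate_profile(role_name, auths):
    """Flatten the role to (object, field, value) rows. As the text above notes,
    the complete profile cannot be generated while authorizations are pending."""
    open_auths = {obj: status(a) for obj, a in auths.items() if status(a) != "green"}
    if open_auths:
        raise ValueError(f"{role_name}: open authorizations {open_auths}")
    return sorted((obj, fld, val) for obj, fields in auths.items()
                  for fld, vals in fields.items() for val in vals)


if __name__ == "__main__":
    menu = ["ME21", "ME22", "ME23"]
    print({o: status(a) for o, a in propose_authorizations(menu, {}).items()})  # org levels open: red
    auths = propose_authorizations(menu, {"EKGRP": {"*"}, "EKORG": {"1000"}, "WERKS": {"*"}})
    print(status(auths["M_BEST_BSA"]))            # yellow: document type still open
    auths["M_BEST_BSA"]["BSART"] = {"*"}          # the stoplight click granting full authorization
    for row in generate_profile("Z_PURCHASING", auths):
        print(row)
```

Running the block with empty organizational levels shows every purchasing object red and only S_TCODE green; supplying the levels turns all of them green except M_BEST_BSA, which stays yellow until the document type is maintained, exactly the sequence a role administrator sees in steps 6 through 9.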

Tracing Authorizations

The SAP system includes some options to find the authorization for any transaction or function a user performs in the system. This is quite useful when looking for an authorization denial problem, or when defining profiles and you want to specify exactly which authorization objects a particular transaction checks. The two methods available in SAP systems for finding authorizations are the authorization check transaction (SU53) and the system trace. The system trace is a more general-purpose tool used mainly by developers or system administrators, which can provide a great deal of detailed information and can be used to trace other users' sessions.

Transaction SU53 is more specific to authorization error analysis but can only be used for the current user's sessions. However, SU53 is a faster and more direct method for finding an authorization denial problem. Transaction SU53 can be accessed from the menu System | Utilities | Display Authorization Check.

Using the System Trace for Tracing Authorizations

The SAP system includes extensive tracing and debugging utilities. You can find more information about tracing in Chapter. This section covers just the simple process of activating and displaying a trace concerning authorization checks. To start the system trace, from the main menu select Tools | Administration | Monitor | Traces | System Trace. The system displays the available trace options and switches, one of which is the Authorization Check. Make sure you mark the check box next to Authorization Check.

To limit the trace to your own user ID or another user ID, enter the name of the user ID you want to trace in the General Filter field by clicking on the possible entries arrow and then selecting it from the list. To activate and start the tracing process, select Trace On from the application toolbar. The trace will start recording every system function you or the entered user performs. So, if you are looking for an authorization problem or just want to find a particular authorization check, open a new session and go to the screen, function, or transaction you want to analyze.

Once you are finished, you should stop the system trace. Go back to the session where you activated the trace and, if you are on the tracing screen, stop the trace by selecting Trace Off. Now you should look at the generated trace file. To analyze the trace, click on the Analysis pushbutton on the application toolbar and enter the criteria for the analysis. The trace file contains the authorization objects, authorization fields, and values that have been tested while you were performing system functions. Authorization tests are displayed in the following format:

  • <Authorization object>:<Field>=<Value tested>

A more legible view of the authorization check can be displayed by clicking on the entry.
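Since the trace is most useful when it tells you which object, field and value a transaction actually tested, the following added example parses entries written in the <Authorization object>:<Field>=<Value tested> format shown above, summarizes them per object and field, and compares them against a role's authorizations to list the checks the role would not pass. This is illustration code written for this page, not an SAP tool or part of the original text: the trace lines and the role data are constructed, and joining several fields of one check with ';' is an assumption about the layout, not something stated above.

```python
"""Parse authorization-check entries in the <Object>:<Field>=<Value> format
of the system trace analysis, summarize what was tested, and report which
tested values a given role's authorizations do not cover.

Added example, not SAP code. TRACE and ROLE are constructed sample data;
the ';' separator between several fields of one check is an assumption."""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^(?P<obj>[A-Z0-9_/]+):(?P<fields>.+)$")


def parse_entry(line):
    """'M_BEST_BSA:ACTVT=01;BSART=NB' -> ('M_BEST_BSA', {'ACTVT': '01', 'BSART': 'NB'})."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an authorization-check entry: {line!r}")
    fields = {}
    for pair in m.group("fields").split(";"):
        name, sep, value = pair.partition("=")
        if not name or not sep:
            raise ValueError(f"malformed field assignment {pair!r} in {line!r}")
        fields[name.strip()] = value.strip()
    return m.group("obj"), fields


def summarize(lines):
    """Group the tested values per object and field: {obj: {field: [values]}}.
    This is the list of objects a transaction checks, as needed when defining a profile."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in lines:
        obj, fields = parse_entry(line)
        for fld, val in fields.items():
            summary[obj][fld].add(val)
    return {o: {f: sorted(v) for f, v in fs.items()} for o, fs in summary.items()}


def value_covered(tested, granted):
    """A granted value covers a tested value if equal, or if it is a trailing-*
    pattern (the full wildcard '*' included). Intervals are not modelled here."""
    for g in granted:
        if g == tested or (g.endswith("*") and tested.startswith(g[:-1])):
            return True
    return False


def uncovered_checks(lines, role_auths):
    """(object, field, value) triples the role does not grant. Every field of a
    check must be covered, so a single uncovered field means the check fails."""
    missing = []
    for line in lines:
        obj, fields = parse_entry(line)
        granted = role_auths.get(obj)
        if granted is None:
            missing.append((obj, "<object not in role>", None))
            continue
        for fld, val in fields.items():
            if not value_covered(val, granted.get(fld, set())):
                missing.append((obj, fld, val))
    return missing


# Constructed trace entries in the <Object>:<Field>=<Value> format.
TRACE = [
    "S_TCODE:TCD=ME21",
    "M_BEST_EKO:ACTVT=01;EKORG=1000",
    "M_BEST_EKG:ACTVT=01;EKGRP=001",
    "M_BEST_WRK:ACTVT=01;WERKS=1000",
    "M_BEST_BSA:ACTVT=01;BSART=NB",
    "M_BEST_EKO:ACTVT=01;EKORG=2000",
]

# Constructed role authorizations: object -> field -> granted values.
ROLE = {
    "S_TCODE": {"TCD": {"ME2*"}},
    "M_BEST_EKO": {"ACTVT": {"01", "02", "03"}, "EKORG": {"1000"}},
    "M_BEST_EKG": {"ACTVT": {"01", "02", "03"}, "EKGRP": {"*"}},
    "M_BEST_WRK": {"ACTVT": {"01", "02", "03"}, "WERKS": {"1000"}},
}

if __name__ == "__main__":
    for obj, fields in summarize(TRACE).items():
        print(obj, fields)
    for gap in uncovered_checks(TRACE, ROLE):
        print("not covered:", gap)
```

With the constructed data, the comparison reports two gaps: the role has no authorization for M_BEST_BSA at all, and it grants purchasing organization 1000 while the trace also tested 2000. Those are the two entries an administrator would add to the role, or deliberately leave out, after reading the trace.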

Using the SU53 Transaction

Transaction SU53 can be used to analyze a function when the message "You are not authorized to ..." appears in the status bar. When you get this message, enter SU53 or /NSU53 in the command field. Alternatively, you can select System | Utilities | Display Authorization Check from any SAP screen. The system will display the authorization object and value for which you were not authorized. Transaction SU53 can also be used from any of your open sessions, not only from the one in which you got the authorization error message. However, you cannot use SU53 to analyze other users' authorization errors. In those cases, administrators should instruct users to reproduce the error and then enter transaction SU53 in the command field to receive information about the authorization error message they got.

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd