SAP Business Content Roles and Authorizations Continued

This post continues the previous post's discussion of SAP Business Content. The user role concept is based on the idea that employees within a company who have the same tasks may also use the same transactions, Internet links and reports. It ensures that individual users see only what they need for the tasks they perform. A role describes the business tasks of its assigned users. If a user is assigned to a user role that is predefined by SAP, the menu designed for his or her task area (for example, transactions, reports and/or Internet links) appears automatically at logon to the SAP system, together with the authorizations the user needs for his or her work.

SAP distinguishes between single and composite roles. The single roles contain the authorizations that users need to access, for example, the transactions and reports in the user-specific menu. Composite roles consist of several single roles. They do not receive any authorization data themselves, but get the authorizations from the single roles assigned to them. Use composite roles if some of your co-workers need authorizations for several single roles. This means you can assign user groups to one of the SAP composite roles instead of entering the required single roles for each individual user.

SAP's Role Concept

Regional sales managers are responsible for planning, organizing and converting the sales strategy. They supervise the sales targets and profitability in the sales department and have an overview of the sales employees and distributors. As well as monitoring the sales activities in general, sales managers can also check cost center activities. Regional sales managers coordinate the budget and the forecast. They also report on the products and prices. Additionally, they follow the development of customer complaints. The Business Information Warehouse delivers information on the sales pipeline, the sales portfolio, and the budget, by requesting information on sales activities.

Role Activities

From the task of regional sales manager, we derive the activities that can be assigned to this role. The regional sales manager needs, for example, current figures on incoming orders and deliveries, in order to monitor sales activities. The Business Information Warehouse delivers this information in the form of workbooks, which contain different queries. Every role is assigned one or more of these workbooks, which retrieve the required information. Moreover, you can assign R/3 and BW system transactions, MiniApps, Internet and intranet links to a role.

The Profile Generator

Authorizations are summarized into profiles that are directly assigned to the users or to a role. The profile generator is a tool with which the authorization administrator can automatically generate and assign authorization profiles. This simplifies the setup of the authorization environment with the SAP BW implementation guide. Before you create your own roles, you should check SAP's predefined roles for their usability. You can assign the delivered roles directly to the users. To make changes to the roles, copy the SAP template and then make the required changes.


With the right authorization, a user can carry out certain actions in the Business Information Warehouse. Every authorization refers to an authorization object and defines one or more values for each field in the authorization object. Individual authorizations are brought together into authorization profiles by the system administration with the profile generator. These authorization profiles are assigned to the users in their user master record. There are preset and open authorizations for the transactions that you assign to the role. You can change the authorization data and then generate an authorization profile with the help of the profile generator.

This authorization profile is then entered for the users of the role when the user master comparison is run. How you set up the authorization check in BW reporting depends on a few conditions, for example, what type of queries are used, how detailed the authorization check has to be, and how many users there are. The administration for authorizations, roles and user assignments takes place in the role maintenance screen.

Assigning Users to a Role

The users that you assign are permitted to carry out the transactions of the roles with the corresponding authorizations. The entered transactions are displayed in the SAP Easy Access Menu and in the BEx Browser for the user to see.

You can record user's restrictions in the list as follows:

By single entry or by selecting via F4 Help
By multiple selection from a selection list
By choosing 'Org. Management'

The user names are entered automatically next to the user ID in the second column. In the next two columns you can enter a validity period for the assignment. You can use the relevant pushbuttons to delete or add user IDs.

User Master Comparison

You assign the user to the authorization profile for the role using the user master comparison. Changes to users that are assigned to the role and generating their authorization profiles require a user master comparison. This compares the authorization profiles with the master user records, meaning, profiles that are no longer current are removed from the master user records and the current profiles entered. The status display for 'user comparison' is only green if it is green for the authorization profile. You can also have the user master comparison run automatically when you save the role. To do this, choose Utilities -> Settings from the menu and make the relevant selections for the automatic comparison there.

If the option to run an automatic comparison is set when you press save, the process could take a little longer. To carry out the user master comparison, please take note of the information button on the user assignment toolbar.
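The comparison described above can be modelled as a reconciliation between the profiles a user should hold and the profiles entered in the user master record. This is an added example, not SAP code or code from the original post; all role, profile and user names are constructed, and the model assumes one generated profile per single role.

```python
from datetime import date

# Constructed sample data: role, profile and user names are hypothetical.
COMPOSITE_ROLES = {"ZC_SALES_MGR": ["ZS_BW_SALES", "ZS_BW_COSTCTR"]}
ROLE_PROFILES = {"ZS_BW_SALES": "T-B1000001", "ZS_BW_COSTCTR": "T-B1000002",
                 "ZS_BW_ADMIN": "T-B1000003"}
# (user, role, valid_from, valid_to) as entered on the role's user tab.
ASSIGNMENTS = [
    ("MILLER", "ZC_SALES_MGR", date(2024, 1, 1), date(9999, 12, 31)),
    ("MILLER", "ZS_BW_ADMIN", date(2024, 1, 1), date(2024, 3, 31)),
    ("JONES", "ZS_BW_SALES", date(2024, 6, 1), date(9999, 12, 31)),
]
# Profiles currently entered in each user master record.
USER_MASTER = {"MILLER": {"T-B1000001", "T-B1000003"}, "JONES": set()}


def single_roles(role):
    """A composite role carries no authorizations; expand it to its single roles."""
    return COMPOSITE_ROLES.get(role, [role])


def expected_profiles(user, today):
    """Profiles the user should hold: one per single role with a valid assignment."""
    profiles = set()
    for assigned_user, role, valid_from, valid_to in ASSIGNMENTS:
        if assigned_user == user and valid_from <= today <= valid_to:
            profiles.update(ROLE_PROFILES[r] for r in single_roles(role))
    return profiles


def compare_user_master(today):
    """Return {user: (profiles_to_enter, profiles_to_remove)} for records that differ."""
    result = {}
    for user, current in USER_MASTER.items():
        expected = expected_profiles(user, today)
        to_enter, to_remove = expected - current, current - expected
        if to_enter or to_remove:
            result[user] = (sorted(to_enter), sorted(to_remove))
    return result


if __name__ == "__main__":
    for user, (enter, remove) in compare_user_master(date(2024, 7, 1)).items():
        print(f"{user}: enter {enter}, remove {remove}")
```

In the sample data, MILLER still holds the profile of a role assignment whose validity period has ended; until a comparison runs, that profile stays in the user master record.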

Authorization Objects in Reporting

An authorization object consists of no more than 10 authorization fields. To define an authorization, specify values for the individual fields in the object. Authorization objects can be used as connections between the authorizations, which are checked by the applications, and the given authorizations. You can create as many authorizations as you want for an authorization field, with different values and fields.

The administrator creates authorizations for the authorization objects, which characterize the object fields. There are authorization objects in BW in the Administrator Workbench area and also reporting authorization objects.

Reporting Authorization

You see an authorization object that has been created for the cost center 001. With this authorization the user can only view the values for the cost center 001 and the values of the other cost centers are displayed as totals.

Using Variables to Check Reporting Authorizations

As a prerequisite for using a variable when you are processing authorizations, you have to have assigned users to authorization objects. Proceed as follows: Open the variable maintenance using the path SAP Easy Access Menu/Business Explorer/Variable Maintenance. Create a new entry in the list of variables. You can create this type of variable for characteristic values and for hierarchy nodes. Enter "Processing by authorization" (1). Make the required entries for parameter selection and for the characteristic, for which you want to create a variable. Remove the flag from the field "Ready for Input" (2). The variable is automatically filled with the values for which the user has authorization. Save the variable. It can now be included in a query in which the corresponding characteristic is used.
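The authorization object and variable passages above, as a simplified model. This is an added example, not SAP code or code from the original post; it goes beyond the single cost center 001 case by using two fields. The object, field and user names are constructed, and the model assumes the usual rule that a check passes only when one authorization covers every requested field value, with "*" matching any value.

```python
MAX_FIELDS = 10  # an authorization object has no more than 10 fields

# Constructed sample: object, field and user names are hypothetical.
AUTH_OBJECTS = {"ZR_COSTCTR": ("COSTCENTER", "REGION")}
USER_AUTHS = {
    "MILLER": [
        {"object": "ZR_COSTCTR",
         "values": {"COSTCENTER": {"001"}, "REGION": {"NORTH"}}},
        {"object": "ZR_COSTCTR",
         "values": {"COSTCENTER": {"002"}, "REGION": {"SOUTH"}}},
    ],
}


def validate(auth):
    """An authorization must give values for every field of its object."""
    fields = AUTH_OBJECTS[auth["object"]]
    if len(fields) > MAX_FIELDS:
        raise ValueError("authorization object has more than 10 fields")
    missing = [f for f in fields if not auth["values"].get(f)]
    if missing:
        raise ValueError(f"no values for fields {missing}")


def is_authorized(user, obj, **requested):
    """True if ONE authorization of the user covers all requested field values."""
    for auth in USER_AUTHS.get(user, []):
        if auth["object"] != obj:
            continue
        validate(auth)
        if all(requested[f] in auth["values"].get(f, ())
               or "*" in auth["values"].get(f, ())
               for f in requested):
            return True
    return False


def variable_values(user, obj, field):
    """Values a 'processing by authorization' variable would be filled with."""
    values = set()
    for auth in USER_AUTHS.get(user, []):
        if auth["object"] == obj:
            values |= auth["values"][field]
    return sorted(values)


if __name__ == "__main__":
    print(is_authorized("MILLER", "ZR_COSTCTR", COSTCENTER="001", REGION="SOUTH"))
    print(variable_values("MILLER", "ZR_COSTCTR", "COSTCENTER"))
```

Values from two separate authorizations are not combined: in the sample, cost center 001 together with region SOUTH is rejected even though each value appears in one of the user's authorizations.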

The BEx Browser

As a user of the BEx Browser, you can access all types of documents that have been assigned to you in the role maintenance, or that you have saved in your favorites. You can select and organize documents in the BEx Browser. You also create folders, and specify how you want them presented on the screen as regards their position and graphics. You can maintain your favorites, and add new folders and objects. You can also maintain your favorites (with the creation of corresponding authorizations) in the SAP Easy Access Menu. The objects are also displayed in a tree here.

Types of Document in the BEx Browser

Using the BEx Browser, along with queries you can also manage all other types of documents that are assigned to your role as a user or that you have stored in your favorites. These include:

BW workbooks
Documents stored in the Business Document Service (BDS)
Links (references to the file system, shortcuts)
Links to Internet pages (URLs)
Transaction calls for connected R/3 Systems and BW

You can organize all given objects in folders and choose your own colors and symbols for these.

Roles in BW and Workplace

If you want to call up the menu of a BW role using the Workplace, you first have to export it to the Workplace. The following procedures are possible:

1. With download and upload
Log on to the BW system and call up Transaction PFCG (change roles).
Select a single role and download using the path "Role".
Log on to the Workplace system and call up Transaction PFCG (change roles).
Upload with the path Role > Upload.
Insert single role in Workplace composite role.

2. With an RFC connection
Log on to the BW system and call up Transaction PFCG (change roles).
Enter the target (BW) system under menu.
Log on to the Workplace system and call up Transaction PFCG (change roles).
Choose Roles > Read from other systems with RFC.
Enter RFC connection and select role.
Insert single role in Workplace composite role.

When you download and upload roles, SAP-GUIDS (fabricated addresses) are transferred for the roles' menu items. The Workplace system uses these SAP-GUIDS to find workbooks, HTML pages and MiniApps. Authorization profiles are not transported when you upload and download roles. In the Workplace, BW authorization profiles have no purpose at all since the BW authorizations do not exist in the system. It makes sense, therefore, not to transfer the profiles when you upload and download the roles.

When it performs the authorization check, the Workplace system accesses BW with the RFC connection. The relevant authorization checks are run in the BW system. For every Workplace user, you can create composite roles in the Workplace system, which contain single roles from other components (for example, BW, APO, CRM). Workplace users interested in BW can call up BW reports (URL addresses), BW workbooks, BW transactions (RRMX addresses), HTML pages (URL addresses) and MiniApps. The system carries out an authorization check using the RFC connection to the BW system.
