Ansicht
Dokumentation

WCF_PFCG_COPY - Define Authorization Role

rdisp/max_wprun_time - Maximum work process run time   BAL Application Log Documentation  
This documentation is copyright by SAP AG.

In this IMG activity, you can define authorization roles for business roles. Every authorization role contains a certain authorization profile (PFCG profile). To obtain the necessary authorizations for your business role, you need to perform the steps described below.

After the authorization profiles are generated, the corresponding business role has the required authorizations.

Before you can start working with your business role, the following prerequisites must be fulfilled:

• You have created the necessary navigation bar profiles in the IMG activity Define Navigation Bar Profile. If you use or copy an existing business role, you can use the existing profiles.

• You have created the positions and assigned the business role to these positions in the IMG activity Define Organizational Assignment. You have also assigned the users to the right positions in this IMG activity.

• You have activated the trace function to determine all authorization objects. If you use or copy an existing business role, you do not need to run the trace.
  Note
  For more information about the initial setup of authorizations, search for First Installation Procedurein the relevant version of SAP S/4HANA on SAP Help Portal.

• You have checked if the authorization role has been assigned to the corresponding business role in the IMG activity Define Business Role .
  In this IMG activity, you can find out which authorization role is assigned to each business role.

In the standard system, the following authorization roles are delivered:

• Authorization roles assigned to business roles (see Define Business Role )

• SAP_CRM_UIU_FRAMEWORK (Framework Role)

The following two approaches to working with business roles are described below:

• Use existing business roles

• Copy existing business roles

Use Existing Business Roles

1. If you want to use an existing business role, proceed as follows to select the appropriate authorization role:
2. Start transaction Upgrade Tool for Profile Generator (SU25).
1. Choose Installing the Profile Generator -> Initially fill the customer tables.
   All proposals for traces in the transaction Auth. Object Usage in Transactions (SU22) are copied to the customer namespace.
2. In transaction Auth. Object Check Under Transactions(SU24), verify the traces.

• Select Type of Application: External Service.

• Select Type of External Service: UIU_COMP.

• In the External Service field, enter: ' * '.

• In the Selection Resultlist, select any service at random by double-clicking it.

1. You can also maintain and change the standard values for specific traces in transaction Auth. Object Check Under Transactions (SU24).

Create the authorizations in the IMG activity Define Authorization Role .

1. Select the authorization role SAP_CRM_UIU_*.
2. Choose Change role.
3. Choose tab page Authorizations.
4. Choose Change Authorization Data.
   Caution
   Make sure that the authorization object S_SERVICE is set to inactive. An active authorization object S_SERVICE could interrupt the profile generation.
5. Choose Generate and save your role.

Start report CRMD_UI_ROLE_ASSIGN with transaction ABAP Editor (SE38).

You use this report to assign authorization roles, based on the organizational assignments, to users.

1. Select a user or a user group.
2. Select the Framework Authorization Role.
   Do not change the technical name (SAP_CRM_UIU_FRAMEWORK) of this role. You only need to change the technical name if you have changed the name of the Framework Authorization Role. This role is a special role that is assigned to every user. It contains the authorizations that are necessary to use the UI Framework.
3. Select one of the following options:

• To start the update of the assignments, choose Update Role Assignments.

• To start the report in simulation mode, choose Only Simulation.

• To check the current assignments, choose Check Current Role Assignments.

1. Select the log level. The higher the log level, the more information is logged.

Copy Existing Business Roles

If you have copied an existing business role, proceed as follows to select the appropriate authorization role:

1. Start transaction Upgrade Tool for Profile Generator (SU25) and proceed as described in step 1 under "Use Existing Business Roles."
2. You need a separate authorization role for the business role that you have copied. You copy the delivered authorization role that corresponds to the business role, or you create a new authorization role in this IMG activity.
3. Copy the business role in the IMG activity Define Business Role and use the authorization role created in step 2.
4. After you have completed the definition of your business role, for example, added or deleted links or work centers, start report CRMD_UI_ROLE_PREPARE with transaction ABAP EDITOR (SE38).
1. Select the business role that you created in step 3.
2. Alternatively, you can directly select authorization roles that you created in step 2.
3. Select the language that is used for the authorization menu entries.
4. Select the log level. The higher the log level, the more information is logged.

A file is created and saved on your computer in the SAP working directory. If you are working with Microsoft Windows XP, this file is saved in C:\Documents and Settings\\SapWorkDir\.
Notes
This report cannot be run in batch mode, nor used for multiple business roles or authorization roles.

1. To import the locally saved file to your authorization role, use IMG activity Define Authorization Role.
1. Select the authorization role created in step 2.
2. Choose Editmode.
3. Choose tab page Menu.
4. Delete the existing role menu.
5. Choose Import from file under Copy menus.
6. Select the file that has the same name as the authorization role and the extension .txt from the SAP working directory that you created in the previous step.

The file is imported to your authorization role. To check if the file was correctly imported, verify the entries in the Role menu. For more information, see the documentation under Information in this IMG activity.

1. Create the authorizations with the IMG activity Define Authorization Role .
1. Select the newly created authorization role.
2. Choose Change role.
3. Choose tab page Authorizations.
4. Choose Change Authorization Data.
   Caution
   Make sure that the authorization object S_SERVICE is set to inactive. An active authorization object S_SERVICE could interrupt the profile generation.
5. Choose Generate and save your role.
2. To start report CRMD_UI_ROLE_ASSIGN, use transaction ABAP Editor (SE38).
   You use this report to assign authorization roles, based on the organizational assignments, to users.
1. Select a user or a user group.
2. Select the Framework Authorization Role.
   Do not change the technical name (SAP_CRM_UIU_FRAMEWORK) of this role. You only need to change the technical name if you have changed the name of the Framework Authorization Role. This role is a special role that is assigned to every user. It contains the authorizations that are necessary to use the UI Framework.
3. Select one of the following options:

• To start the update of the assignments, choose Update Role Assignments.

• To start the report in simulation mode, choose Only Simulation.

• To check the current assignments, choose Check Current Role Assignments.

1. Select the log level. The higher the log level, the more information is logged.

Assign the new business role to an organizational unit or position in the IMG activity Define Organizational Assignment.

Further notes

If you encounter any difficulties with authorizations at runtime, we recommend that you:

1. Check the user authorizations in the transaction Analyze User Buffer (SU56).
2. Compare users, if necessary, in the IMG activity Define Authorization Role. Proceed as follows:
1. Select an authorization role.
2. Choose tab page User.
3. Choose User comparison.

Note
At runtime, the authorizations assigned to the user are important, independent of the business role.

1. The business role is identified at runtime via the authorization role that you have assigned to the user in transaction User Maintenance (SU01). You can also use the user parameter CRM_UI_PROFILE on the tab page Parameters in transaction User Maintenance(SU01). The technical name of the business role is the parameter value that needs to be assigned to the user parameter.

Assign Business Roles from Partner Channel Management

For Partner Channel Management, the following business roles and authorization roles are available:

• Business role 'CRM UIU Partner Manager' and authorization role 'SAP_CRM_UIU_CHM_PARTNERMANAGER'

• Business role 'CRM UIU Channel Manager' and authorization role 'SAP_CRM_UIU_CHM_CHANNELMANAGER'

If you want to assign the business roles to a user, the process is as follows:

1. The authorization roles are assigned to the business roles:

• SAP_CRM_UIU_CHM_PARTNERMANAGER assigned to CRM UIU Partner Manager

• SAP_CRM_UIU_CHM_CHANNELMANAGER assigned to CRM UIU Channel Manager

1. Manually assign the required authorization role and the generic Framework authorization role to the user in transaction User Maintenance (SU01):

• The authorization role for CRM UIU Partner Manager: SAP_CRM_UIU_CHM_PARTNERMANAGER

• The authorization role for CRM UIU Channel Manager: SAP_CRM_UIU_CHM_CHANNELMANAGER

• The generic CRM Role for UIU Framework: SAP_CRM_UIU_FRAMEWORK

PERFORM Short Reference   Vendor Master (General Section)  
This documentation is copyright by SAP AG.

Length: 14047 Date: 20240523 Time: 200814     sap01-206 ( 135 ms )