Sei sulla pagina 1di 32
Business & Authorization Roles Applicable Releases: SAP Solution Manager 7.1 SPS 01 SAP Solution Manager
Business & Authorization Roles Applicable Releases: SAP Solution Manager 7.1 SPS 01 SAP Solution Manager
Business & Authorization Roles Applicable Releases: SAP Solution Manager 7.1 SPS 01 SAP Solution Manager

Business & Authorization Roles

Applicable Releases:

SAP Solution Manager 7.1 SPS 01

SAP Solution Manager Scenarios:

Incident Management Change Request Management

Version 1.0

May 2011

Manager 7.1 SPS 01 SAP Solution Manager Scenarios: Incident Management Change Request Management Version 1.0 May

© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials.

SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.

SAP NetWeaver “How-to” Guides are intended to simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using SAP NetWeaver. Should you wish to receive additional information, clarification or support, please refer to SAP Consulting.

Any software coding and/or code lines / strings (“Code”) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.

with this product is only to be used by SA P’s Support Services and may not

Document History

Document Version

Description

1.00

First official release of this guide

Document History Document Version Description 1.00 First official release of this guide

Typographic Conventions

Type Style

Description

Example Text

Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options.

Cross-references to other documentation

Example text

Emphasized words or phrases in body text, graphic titles, and table titles

Example text

File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text

User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example

Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

text>

EXAMPLE TEXT

Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon

Description

Caution

Caution

Note or Important

Note or Important

Example

Example

Recommendation or Tip

Recommendation or Tip

F2 or ENTER . Icons Icon Description Caution Note or Important Example Recommendation or Tip

Table of Contents

1. General Information

1

2. Prerequisites

1

3. Overview of SAP Standard Roles

1

3.1 Business Role SOLMANPRO

2

3.2 Standard Authorization Roles

3

3.3 How to Enable the Standard Authorization Concept

5

3.3.1 Assign Business Role SOLMANPRO to System Users

5

3.3.2 Authorization Roles Set-up

6

4. How to Adapt a Business Role

9

4.1 Define a Customer specific Business Role

10

4.2 Create a Role Configuration Key

12

4.3 Create a Navigation Bar Profile

14

4.3.1

Visibility of Customer specific Navigation Bar Links

16

4.4 Define a Layout Profile

17

4.5 Create a Technical Profile

18

4.6 Assign an Authorization Role

19

4.7 Assign a Function Profile

20

5. How to Assign Users to a Business Role

21

5.1 Assignment via Authorization Role

21

5.2 Organizational Assignment

21

5.3 Assignment via User Parameter

24

6. How to Adapt Authorization Roles

25

6.1 Copy an Authorization Role

25

6.1.1 Copy a Composite Authorization Role

25

6.1.2 Copy a Single Authorization Role

25

6.2 Adapt an Authorization Profile

26

6.3 Assign Users to an Authorization Role

26

Authorization Role 25 6.2 Adapt an Authorization Profile 26 6.3 Assign Users to an Authorization Role

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

1. General Information

To set up the SAP WebClient for your system users you need business roles and authorization roles. Using different business roles enables you to tailor the system for its users individually in terms of profiles, screens, set of functionalities and authorizations.

This guide provides information on how to set up authorization roles and business roles for the different users of the SAP WebClient.

2. Prerequisites

installed and running Solution Manager 7.1 SPS 01

For more information, please see the SAP Solution Manager Installation Guide available in SAP Service Marketplace.

the following SAP Notes are relevant for the preparation of the SAP WebClient usage

o

1115493 - CRM Web UI: Mandatory SICF services for CRM framework

o

1144511: System parameters required for CRM WebClient

o

1244321: Activation of detailed CRM WebClient error analysis during the development phase

o

824554: ICM timeout errors

SAP Solution Manager admin user

3. Overview of SAP Standard Roles

This chapter provides an overview on the relevant SAP standard roles required for the configuration of the SAP WebClient and the set-up of an authorization concept.

The business role SOLMANPRO and the authorization roles are only intended to be used as a template for Best Practices scope. The roles have to be validated and adapted to the specific customer requirements.SAP recommends copying the business role SOLMANPRO and the authorization roles into the customer naming

SAP recommends copying the business role SOLMANPRO and the authorization roles into the customer naming space which must begin with Z or Y. This will ensure that changes will not be overwritten in case of an upgrade.as a template for Best Practices scope. The roles have to be validated and adapted to

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

3.1 Business Role SOLMANPRO

Use the business role SOLMANPRO to control the navigation bar and logical links in the SAP WebClient. Via this role you can define the structure of the navigation bar and which links are available on the Work Center pages and the Direct Link group.

A work center describes and provides access to business content. The work center page is a collection of logical links for business content which are organized in link groups. Direct link group is part of the navigation bar and provides direct access to specific business content with one click. Logical links can be used in direct link groups, second level navigation or on work center pages.

The figure below provides an overview of the previously described elements of the SAP WebClient screen.

The figure below provides an overview of the previously described elements of the SAP WebClient screen.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

3.2 Standard Authorization Roles

Authorization roles (also called PFCG roles) are used to implement a comprehensive security concept. Via authorization roles you protect the SAP system against unauthorized access at database, network and frontend level.

Following composite roles are relevant for the Incident Management scenario:

SAP_SUPPDESK_ADMIN_COMP: contains single roles relevant for Service Desk administrators

SAP_SUPPDESK_PROCESS_COMP: contains single roles relevant for Service Desk processors

SAP_SUPPDESK_CREATE_COMP: contains single roles relevant for Service Desk key users

Copy the roles into your customer namespace:

Desk key users Copy the roles into your customer namespace: This step has to be performed
Desk key users Copy the roles into your customer namespace: This step has to be performed
Desk key users Copy the roles into your customer namespace: This step has to be performed
Desk key users Copy the roles into your customer namespace: This step has to be performed

This step has to be performed for all necessary Composite Roles!

It is recommended to Check if the Authorizations inside this Composite Roles were performed correctly (Green Status)

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles
How to Adapt Business & Authorization Roles Double-click on the Role you want to check In
How to Adapt Business & Authorization Roles Double-click on the Role you want to check In

Double-click on the Role you want to check

Roles Double-click on the Role you want to check In this Case (yellow flag) the Authorizations

In this Case (yellow flag) the Authorizations were not performed correctly Generate Authorizations

In this Case (yellow flag) the Authorizations were not performed correctly  Generate Authorizations June 2011
In this Case (yellow flag) the Authorizations were not performed correctly  Generate Authorizations June 2011

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles
How to Adapt Business & Authorization Roles Check ALL THE STEPS for ALL SINGLE ROLES of

Check ALL THE STEPS for ALL SINGLE ROLES of ALL COMPOSITE ROLES!

For a detailed description of the Incident Management authorizations roles, please refer to the Security Guide for SAP Solution Manager. This guide is available in SAP Service Marketplace.ALL THE STEPS for ALL SINGLE ROLES of ALL COMPOSITE ROLES! For more information on authorizations

For more information on authorizations and authorization objects, please refer to SAP NoteManager. This guide is available in SAP Service Marketplace. 1436270. 3.3 How to Enable the Standard

1436270.

3.3 How to Enable the Standard Authorization Concept

This chapter provides information on how to enable the standard authorization concept in case that you are going to use the standard and do not intend to change it.

If you need to adapt the roles to your business requirements, you should copy them into the customer naming space to ensure that changes will not be overwritten during upgrade. In this case, please proceed as described in chapter 4 and 6.going to use the standard and do not intend to change it. 3.3.1 Assign Business Role

3.3.1 Assign Business Role SOLMANPRO to System Users

SAP Solution Manager Users need the business role SOLMANPRO to get access to the SAP WebClient and be able to use it. The role SOLMANPRO is assigned to the PFCG role SAP_SM_CRM_UIU_SOLMANPRO. This means that users who are assigned to this authorization role will also have SOLMANPRO assigned.

Copy the Role into customer Namespace as explained on Page 3-4 before and assign it to the SOLMANPRO- User.

To assign the role SAP_SM_CRM_UIU_SOLMANPRO to system users, please do the following:

1. Start transaction PFCG.

2. Enter the role name in the corresponding field and choose Change, as shown in the next figure.

field and choose Change , as shown in the next figure. 3. Go to the tab

3. Go to the tab User.

4. Enter the user ID in the table User Assignments.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles
How to Adapt Business & Authorization Roles You can include several users at the same time,

You can include several users at the same time, for example, all users in a particular user group or all users in the SAP System. To do this, first choose Selection and then additional value selection pushbuttons.

5. Save your settings.

3.3.2 Authorization Roles Set-up

This section explains how to configure a standard authorization role by an example. It provides step-by-step instructions on how to set-up the standard composite role SAP_SUPPDESK_PROCESS_COMP which contains authorizations for the Service Desk Message Processor.

3.3.2.1 Generate Authorization Profiles

In this step, you have to generate the authorization profiles of the single roles contained in the composite role SAP_SUPPDESK_PROCESS_COMP. Copy this role also into customer namespace before you perform the next steps!

into customer namespace before you perform the next steps! You do not need to perform the

You do not need to perform the following instructions for the roles SAP_SMWORK_INCIDENT_MAN and SAP_SM_CRM_UIU_SOLMANPRO as they do not contain any active authorization objects.

1. Start transaction PFCG.

2. Enter the role name SAP_SUPPDESK_PROCESS_COMP in the corresponding field and choose Change.

3. Go to the tab Roles where all single roles are listed.

4. Do a double click to access a role (e.g. SAP_SMWORK_BASIC_INCIDENT). The role will be open in a new session.

5. In the new window, choose Display <-> Change to switch to Edit mode.

6. Go to the tab Authorizations and choose Change Authorization Data, as shown in the next figure.

Change Authorization Data , as shown in the next figure. 7. Choose Generate to create the

7. Choose Generate to create the authorization profile of the role, as shown in the figure below.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles
How to Adapt Business & Authorization Roles 8. Choose the Back button and afterwards save your

8. Choose the Back button and afterwards save your settings.

9. Repeat steps 4-8 for the rest of the roles contained in the composite role.

After you copied the Composite Role into customer namespace and generated the different Single Roles your Composite Role SAP_SUPPDESK_PROCESS_COMP should look like this:

Role SAP_SUPPDESK_PROCESS_COMP should look like this: 3.3.2.2 Assign Users In this step, you assign User to

3.3.2.2 Assign Users

In this step, you assign User to the composite role. Be careful the Role is already in your customer namespace!

1. Start transaction PFCG.

2. Enter the role name (SAP_SUPPDESK_PROCESS_COMP) in the corresponding field and choose Change.

3. Go to the tab User.

4. Enter the user ID in the table User Assignments.

User . 4. Enter the user ID in the table User Assignments . You can include

You can include several users at the same time, for example, all users in a particular user group or all users in the SAP System. To do this, first choose Selection and then additional value selection pushbuttons.

5. Save your settings.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

3.3.2.3 Execute User Comparison

After you have assigned system users to the composite role, you must execute user comparison. Please do the following:

1. In the composite role definition, go to the tab User.

2. Choose User comparison to compare the user master record, as shown in the figure below.

the tab User . 2. Choose User comparison to compare the user master record, as shown

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

4. How to Adapt a Business Role

This chapter explains how to adapt a business role according to your business requirements.

The next figure provides an overview on the profiles assigned to a business role.

an overview on the profiles assigned to a business role. A business role has the following

A business role has the following profiles assigned:

Navigation Bar Profile

o Assignment of work centers, work center link groups, direct link groups and logical links

Layout Profile

o Layout of the navigation frame, which includes header and footer area, work area and navigation bar

Technical Profile

o Assignment of specific technical settings, e.g. disable the support of the browser's Back button or frame swapping (reduce noticeable screen flickering)

Function Profile

o Assignment of additional functional areas, e.g. links that appear in the navigation bar or used reporting framework (SAP BI or Interactive Reporting).

Role Configuration Key

o Assignment of adapted UI views (e.g. add/move/rename field) by using the UI configuration tool

add/move/rename field) by using the UI configuration tool A PFCG Role ID is used to assign

A PFCG Role ID is used to assign users to the business role.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles
How to Adapt Business & Authorization Roles SAP recommends you to use the business role SOLMANPRO

SAP recommends you to use the business role SOLMANPRO and its profiles as templates for your new business role. You should copy them into the customer naming space which must begin with Z or Y. The recommended name for the new business role is ZSOLMANPRO.

4.1 Define a Customer specific Business Role

Use the standard business role SOLMANPRO as template to define the new business role:

1. Start transaction SPRO and go to IMG activity Define Business Role.

SPRO and go to IMG activity Define Business Role . 2. Highlight the business role SOLMANPRO

2. Highlight the business role SOLMANPRO and choose Copy As…, as shown in the figure below.

Role . 2. Highlight the business role SOLMANPRO and choose Copy As… , as shown in

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

3. Choose copy as.

4. Enter the new Busines role Name ZSOLMANPRO

5. ENTER.

6. Save your settings.

The new business role ZSOLMANPRO should look like this:

The new business role ZSOLMANPRO should look like this: After confirmation via SAVE a Prompt for

After confirmation via SAVE a Prompt for Customizing Request appears. So you have to create a new Customizing Request. Make sure that Extended Transport Control Parameter (CTC) = 1 is set in the TMS!

For this go to Transaction STMS Overview Systems Select System Transport Tool Tab Add Parameter CTC =1.

System  Transport Tool Tab  Add Parameter CTC =1. Now it is possible to create

Now it is possible to create the Customizing Request !

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

Create a Customizing Request

& Authorization Roles Create a Customizing Request Enter a Short Description for the newly created Customizing

Enter a Short Description for the newly created Customizing Request and confirm 2 times

the newly created Customizing Request and confirm 2 times After you copied the role SOLMANPRO, you
the newly created Customizing Request and confirm 2 times After you copied the role SOLMANPRO, you

After you copied the role SOLMANPRO, you have to copy and adapt the profiles/keys, as described in the next sections of this chapter:

4.2 Create a Role Configuration Key

The role configuration key is a unique identifier used in the configuration of views for the SAP WebClient. Certain changes can be stored under a role configuration key. For instance, a view can be configured for a specific configuration key, where fields are removed or renamed compared to the original. This role configuration key is also assigned to the business role to identify the configuration that is to be used for this role.

So only those users with business roles assigned, which carries the right key, will see the configuration changes in the SAP WebClient. For all other users no changes will be visible. Thus, the role configuration key provides the possibility of a role-dependent view configuration.

To create a role configuration key, please do the following:

1. Start transaction SPRO and go to IMG activity Define Role Configuration Key as shown below.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles
How to Adapt Business & Authorization Roles 2. Choose New Entries , as shown below. 3.

2. Choose New Entries, as shown below.

Authorization Roles 2. Choose New Entries , as shown below. 3. Add a new role configuration

3. Add a new role configuration key, e.g. ZSOLMANPRO.

below. 3. Add a new role configuration key, e.g. ZSOLMANPRO. 4. Save your settings. After you
below. 3. Add a new role configuration key, e.g. ZSOLMANPRO. 4. Save your settings. After you

4. Save your settings.

After you created the new role configuration key, you must assign it to the business role which you have defined before. You can do this in the IMG activity Define Business Role as shown below.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles
How to Adapt Business & Authorization Roles Save your new Settings! 4.3 Create a Navigation Bar

Save your new Settings!

4.3 Create a Navigation Bar Profile

A navigation bar profile is a collection of logical links, work centers, work center link groups and direct link groups.

Use the standard navigation bar profile SOLMANPRO as template to define the structure of your navigation bar:

1. Start transaction SPRO and go to IMG activity Define Navigation Bar Profile.

of your navigation bar: 1. Start transaction SPRO and go to IMG activity Define Navigation Bar

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

2. Highlight the navigation bar profile SOLMANPRO and choose Copy As… (recommended name for the new navigation profile is ZSOLMANPRO). Confirm with ENTER.

3. Save your settings.

Now you are able to adapt your navigation bar profile. In the IMG activity Define Navigation Bar Profile, you get access to the shared lists of all logical links, work centers, work center link groups and direct link groups. Furthermore, you can define navigation bar specific customizing, such as assignment of work centers and direct link groups.

Choose Assign Work Centers To Navigation Bar Profile to specify which work centers should be part of the navigation bar (e.g. ZSOLMANPRO), as shown in the example below.

bar (e.g. ZSOLMANPRO), as shown in the example below. It is possible to add the Workcenters

It is possible to add the Workcenters via the Option “New Entries” Assign Workcenters Save

Option “New Entries”  Assign Workcenters  Save Work centers can be activated or deactivated within

Work centers can be activated or deactivated within a business role via the IMG activity Define Business Role. Highlight your business role (e.g. ZSOLMANPRO) and choose Adjust Work Centers. The column Inactive controls the visibility of a work center.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

Choose Assign Direct Link Groups To Nav. Bar Profile to specify which work centers should be part of the navigation bar, as shown in the example below. In this example the direct link group SM-CREATE is assigned to the navigation bar profile ZSOLMANPRO.

is assigned to the navigation bar profile ZSOLMANPRO. Direct link groups and direct links can be

Direct link groups and direct links can be set to visible or invisible within a business role via the IMG activity Define Business Role . Highlight your business role (e.g. ZSOLMANPRO) and choose Adjust Direct Link Define Business Role. Highlight your business role (e.g. ZSOLMANPRO) and choose Adjust Direct Link Groups to define which direct link groups should be visible or choose Adjust Direct Links to specify which direct links should be visible within a direct link group.

For more information on navigation bar customizing, please refer to the documentation of the IMG activity Define Navigation Bar Profile . Define Navigation Bar Profile.

of the IMG activity Define Navigation Bar Profile . After you created the new navigation bar

After you created the new navigation bar profile, you must assign it to the business role which you

in

the IMG activity Define Business Role.

have defined before.

You

can

do

this

Define Business Role . have defined before. You can do this 4.3.1 Visibility of Customer specific

4.3.1 Visibility of Customer specific Navigation Bar Links

Once you copied the standard Navigation Bar Profile you must activate the links specifically within the customizing of the Business Role. Therefore, navigate through the structure Define Business Role  Define Business Role

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

Adjust Direct Link Groups Adjust Direct Links. It is necessary to select the Group (e.g. SM-Create) for which you want to adjust the Direct Links). Afterwards you have to double-click on the Entry Adjust Direct Links. The column Visible controls the links displayed in the CRM WEB UI.

The example below shows customer specific customizing according to direct links shown in the CRM WEB UI.

according to direct links shown in the CRM WEB UI. Direct Links shown in the CRM

Direct Links shown in the CRM WEB UI:

Save the Changes!

in the CRM WEB UI. Direct Links shown in the CRM WEB UI: Save the Changes!

4.4 Define a Layout Profile

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

Use the standard layout profile CRM_UIU_MASTER as template to define the layout of the header and footer area, work area and navigation bar:

1. Start transaction SPRO and go to IMG activity Define Layout Profile as shown below.

go to IMG activity Define Layout Profile as shown below . 2. Highlight the layout profile

2. Highlight the layout profile CRM_UIU_MASTER and choose Copy As….(recommended name for the new layout profile is ZCRM_UIU_MASTER). Confirm with Enter!

3. Choose copy all.

4. Save your settings.

Now you are ready to adapt the layout profile according to your business needs. For more information, please refer to the documentation of the IMG activity Define Layout Profile.

documentation of the IMG activity Define Layout Profile . After you created the new layout profile,

After you created the new layout profile, you must assign it to the business role which you have defined before. You can do this in the IMG activity Define Business Role.

4.5 Create a Technical Profile

Use the standard technical profile DEFAULT_SOLMAN as template to define your custom technical profile:

1. Start transaction SPRO and go to IMG activity Define Technical Profile as shown below.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles
How to Adapt Business & Authorization Roles 2. Highlight the technical profile DEFAULT_SOLMANPRO and choose Copy

2. Highlight the technical profile DEFAULT_SOLMANPRO and choose Copy As….(recommended name for the new layout profile is ZDEFAULT_SOLMANPRO). Confirm with Enter!

3. Choose copy all.<--- There was no pissiblity to select copy entry/copy all

4. Save your settings.

Now you are ready to adapt the technical profile according to your business needs. For more information, please refer to the documentation of the IMG activity Define Technical Profile.

After you created the new technical profile, you must assign it to the business role which you have defined before. You can do this in the IMG activity Define Business Role . Define Business Role.

4.6 Assign an Authorization Role

The authorization role is used to assign users to the business role. As default, the business role SOLMANPRO is assigned to the authorization role SAP_SM_CRM_UIU_SOLMANPRO.

SAP recommends you to copy the role SAP_SM_CRM_UIU_SOLMANPRO into the customer naming space which must begin with Z or Y.assigned to the authorization role SAP_SM_CRM_UIU_SOLMANPRO. The recommended name for the new authorization role is

The recommended name for the new authorization role is ZSAP_SM_CRM_UIU_SOLMANPRO.

For more information on how to copy an authorization role, please refer to chapter 6 of this guide or already explained in Chapter 3.2.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

After you created the new authorization role, you must assign it to the business role which you have definedbefore. You can do this in the IMG activity Define Business Role.

You can do this in the IMG activity Define Business Role . 4.7 Assign a Function

4.7 Assign a Function Profile

Function Profiles define special functions, such as the level of personalization, or the working context. Via the IMG activity Define Business Role you can assign function profiles to your business role.

For more information on how to assign function profiles to business roles, please refer to the documentation of the IMG activity Define Business Role.

For detailed information on how to create a function profile, please refer to the documentation of the IMG activity Define Function Profile.

documentation of the IMG activity Define Function Profile . After completing all steps from chapter 4,

After completing all steps from chapter 4, the new business role ZSOLMANPRO should look like this:

. After completing all steps from chapter 4, the new business role ZSOLMANPRO should look like

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

5. How to Assign Users to a Business Role

This chapter provides information on how to assign users to business roles. You can assign users to a business role by using a PFCG role, via an organizational model or a user parameter.

SAP recommends you to use an authorization role to assign users to a business role.PFCG role, via an organizational model or a user parameter. 5.1 Assignment via Authorization Role A

5.1 Assignment via Authorization Role

A business role is assigned to an authorization role. Users who are assigned to such an authorization role have also the business role assigned.

For example:an authorization role have also the business role assigned. The standard business role SOLMANPRO is assigned

The standard business role SOLMANPRO is assigned to the PFCG role SAP_SM_CRM_UIU_SOLMANPRO. This means, that each user who has this role assigned is also assigned to the business role SOLMANPRO.

For more information on how to assign an authorization role to a business role, please

For more information on how to assign an authorization role to a business role, please refer to section 4.6 of this guide.

For more information on how to assign users to authorization roles, please refer to section

For more information on how to assign users to authorization roles, please refer to section 6.3 of this guide.

5.2 Organizational Assignment

Users can be assigned to a business role via the organizational model. The business role is assigned to an organizational unit or a position in the organizational model and the user/business partner is assigned to a position in the organizational unit, as shown in the figure below.

user/business partner is assigned to a position in the organizational unit, as shown in the figure

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles
How to Adapt Business & Authorization Roles For more information on how to create and adapt

For more information on how to create and adapt an organizational model, please refer to the guide Support Team Determination via Business Rule Framework plus (BRFplus) available in SAP Service Marketplace.

To assign a business role to an organizational unit, please do the following:

1. Start transaction PPOMA_CRM.

2. Navigate to the corresponding organizational unit via the option Structure Search or Search Team, as shown in the figure below.

Search or Search Team , as shown in the figure below. 3. From the menu, select

3. From the menu, select Goto -> Detail object -> Enhanced object description

-> Detail object -> Enhanced object description 4. In the Active tab, select Business role from

4. In the Active tab, select Business role from the list and choose Create infotype, as shown in the next figure.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles
How to Adapt Business & Authorization Roles 5. Enter the business role in the corresponding field,

5. Enter the business role in the corresponding field, e.g. ZSOLMANPRO, as shown in the figure below.

field, e.g. ZSOLMANPRO, as shown in the figure below. 6. Save your settings. If you assign
field, e.g. ZSOLMANPRO, as shown in the figure below. 6. Save your settings. If you assign

6. Save your settings.

If you assign a business role to an organization unit which includes other units, then all users from these lower units will also have the business role assigned to,

To assign a business role to a position in the organizational model, please do the following:

1. Start transaction PPOMA_CRM.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

2. Navigate to the corresponding position via the option Structure Search or Search Team.

3. Proceed with steps 3-6 on how to assign a business role to an organizational unit.

Each Position can have exactly one business role assigned to.on how to assign a business role to an organizational unit. 5.3 Assignment via User Parameter

5.3 Assignment via User Parameter

A business role can be assigned directly to a system user. In the user maintenance (transaction SU01) assign Parameter ID CRM_UI_PROFILE with Parameter Value <Business Role Key> on the Parameters tab to the user, e.g.:

Role Key> on the Parameters tab to the user, e.g.: In this case, the assignment within

In this case, the assignment within the organizational model will not be taken into account.ID CRM_UI_PROFILE with Parameter Value <Business Role Key> on the Parameters tab to the user, e.g.:

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

6. How to Adapt Authorization Roles

6.1 Copy an Authorization Role

This section provides information on how to copy composite or single authorization roles.

6.1.1 Copy a Composite Authorization Role

To copy a composite authorization role, please do the following:

1. Start transaction PFCG.

2. Enter the role name (e.g. SAP_SUPPDESK_PROCESS_COMP) in the corresponding field.

3. Choose Copy role, as shown in the next figure.

field. 3. Choose Copy role , as shown in the next figure. 4. Enter a name

4. Enter a name for the new role, e.g. ZSAP_SUPPDESK_PROCESS_COMP.

5. Choose Copy All.

6. Choose Yes in the Query dialog box to copy also the single roles contained in the composite role.

copy also the single roles contained in the composite role. 7. Enter target names for the

7. Enter target names for the copied single roles.

6.1.2 Copy a Single Authorization Role

1. Start transaction PFCG.

2. Enter the role name (e.g. SAP_SUPPDESK_PROCESS) in the corresponding field.

3. Choose Copy role, as shown in the next figure.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles
How to Adapt Business & Authorization Roles 4. Enter a name for the new role, e.g.

4. Enter a name for the new role, e.g. ZSAP_SUPPDESK_PROCESS.

5. Choose Copy All.

6.2 Adapt an Authorization Profile

Role profiles contain authorization objects to specify user authorizations, such as change/display authorization for texts or transaction types.

The following example shows how to adapt the authorization profile of the role ZSAP_SUPPDESK_PROCESS to allow users to create/change/display the business transaction type ZMIN (copy of SMIN):

1. Start transaction PFCG.

2. Enter the role name, e.g. ZSAP_SUPPDESK_PROCESS in the corresponding field and choose Change.

3. Go to the tab Authorizations and choose Change Authorization Data.

4. You get a list of all authorization objects which are included in the role.

5. Navigate to the authorization object CRM Order Business Transaction Type (technical name CRM_ORD_PR) and choose Change for the field Business Transaction type, as shown in the figure below.

Business Transaction type , as shown in the figure below. 6. Enter the value ZMIN in

6. Enter the value ZMIN in the dialog box and proceed with Transfer (Enter).

7. Choose Generate to create the authorization profile.

8. Choose Back and afterwards save your settings.

6.3 Assign Users to an Authorization Role

After you generated the authorization profile, you have to assign system users to the role and execute user comparison:

1. Start transaction PFCG.

2. Enter the role name, e.g. ZSAP_SUPPDESK_PROCESS in the corresponding field and choose Change.

How to Adapt Business & Authorization Roles

How to Adapt Business & Authorization Roles

3. Go to the tab User.

4. Enter the user ID(s) in the table User Assignments.

5. Choose User comparison.

6. Save your settings.