Many Functional Consultants have difficulty understanding what Roles and Authorizations are in SAP. This document is for anyone who is curious to know what exactly the concept is and how it works.
Functional Consultants have many questions about this concept, and one of the main ones is why Functional Consultants should worry about Roles and Authorizations when that is the job of the BASIS team.
The answer is that it is not solely the job of the BASIS team. Like other activities, it is an integrated activity that should be performed by both the BASIS team and the Functional team.
The BASIS team has the know-how for User Management, Role creation, Profile creation, Role and Profile assignment, Authorization assignment, etc. In most cases, however, the main concern arises when the questions below are left unanswered by the BASIS team:
- Whom to assign the Roles or transactions to
- What to restrict in a transaction, and for whom
- How to authorize custom transactions
These and many more such questions cannot be answered by the BASIS team. Hence, it becomes the role of a Functional Consultant to guide them with the exact process flow and the exact organizational chart.
To explain with a small example, suppose we have a maintenance team as below:
- Supervisor – responsible for notifying the breakdown or Corrective Maintenance requirements
- Maintenance In-charge – responsible for assigning the above tasks to Engineers
- Head of the department – responsible for approving the Maintenance tasks
Now, the Functional Consultant is well aware that the Supervisor would require only the transactions related to Notifications (say IW21, IW22, IW28, IW29, etc.), the Maintenance In-charge would require some of the notification-related transactions (say IW22, IW28, IW29) and also order-related transactions (IW31, IW32, IW38, IW39, etc.), and the Head of the department would require notification and order transactions (say IW28, IW29, IW38, IW39) and, along with these, special permissions like releasing orders, approving permits, technical completions, etc.
From the BASIS team's perspective, these requirements are not clear, so they cannot take this decision; the requirements should be provided by Functional Consultants.
But the main issue in most cases arises when Functional Consultants are not aware of the concept of Roles and Authorizations. This document therefore explains the basic concept of Roles and Authorizations:
WHAT IS THE ROLES AND AUTHORIZATIONS CONCEPT:
Roles and Authorizations allow users to access SAP standard as well as custom transactions in a secure way.
SAP provides a set of generic standard roles for different modules and different scenarios.
We can also define our own roles based on the project scenario, keeping the concept below in mind.
There are basically two types of Roles:
- Master Roles – with Transactions, Authorization Objects and all organizational level management.
- Derived Roles – with organizational level management, and with Transactions and Authorization Objects copied from the Master Role.
The reason behind this concept is to simplify the management of Roles.
WHAT ARE THE COMPONENTS OF A ROLE:
A Master Role or a Derived Role has the components below:
- Transaction Codes
- Profile
- Authorization Objects
- Organization level
Transaction Codes: SAP transaction codes (standard or custom).
Profile: Profiles are the objects that actually store the authorization data, and Roles are the containers that hold the profile authorization data.
Authorization Objects: Objects that define the relation between different fields and also help in restricting or allowing the values of those fields (for example, authorization object I_VORG_ORD (PM: Business Operation for Orders) contains the relation between the fields AUFART = Order Type and BETRVORG = Business Transaction).
Authorization objects are actually defined in programs that are executed for particular transactions. We can also create custom authorization objects for a particular transaction (generally a custom transaction).
Organization level: This defines the organizational elements in SAP, for example Company Code, Plant, Planning Plant, Purchase organization, Sales organization, Work Centers, etc.
Suppose we take the example of creating a role for Maintenance In-charges in a particular industry who are responsible for different maintenance plants. Consider the scenario as under:
Company = C1, Maintenance Plants = M1, M2, M3 and M4 (hence assuming 4 Shift In-charges).
As mentioned before, the Maintenance In-charge will have rights to the following transactions: IW22, IW23, IW28, IW29, IW31, IW32, IW38 and IW39, but he will not have rights to release the Maintenance order.
Now, based on this Master Role, we have to create derived Roles for all 4 Maintenance In-charges individually. Say for the first Maintenance In-charge we create a derived role ZDPM_MAIN_IN_CHARGE_ROLE_MI1 referring to the above Master Role ZMPM_MAIN_IN_CHARGE_ROLE. This will copy all the transactions and authorization objects from the Master Role but will not copy the organizational level assignments which we have assigned in the Master Role. Hence, we need to maintain the organizational level for the derived role (say Plant P1).
Once we save (and generate) the Master as well as the Derived Role, we can assign this role to the User ID of the particular Maintenance In-charge.
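
The master and derived role relationship described above, as a simplified Python model (an added example, not SAP code and not part of the original document). It uses plants M1 to M4 from the scenario; the derived role names beyond MI1, the order type PM01, the BETRVORG values CREATE, CHANGE and RELEASE, and the PLANT key are constructed for illustration.

```python
from dataclasses import dataclass, field

# Simplified model of the role concept described above; not SAP code.
# "PM01", "CREATE", "CHANGE", "RELEASE" and "PLANT" are constructed sample values.

@dataclass
class Role:
    name: str
    tcodes: frozenset
    auth_objects: dict  # authorization object -> field -> allowed values
    org_levels: dict = field(default_factory=dict)  # org level -> allowed values

def derive(master: Role, name: str, org_levels: dict) -> Role:
    """Copy transactions and authorization objects from the master role.
    Organizational levels are not inherited; each derived role maintains its own."""
    copied = {obj: {f: set(v) for f, v in flds.items()}
              for obj, flds in master.auth_objects.items()}
    return Role(name, master.tcodes, copied, dict(org_levels))

def is_allowed(roles, tcode, plant, auth_object=None, **fields) -> bool:
    """True if one assigned role grants the transaction, the plant and,
    when given, every requested field value of the authorization object."""
    for role in roles:
        if tcode not in role.tcodes or plant not in role.org_levels.get("PLANT", ()):
            continue
        if auth_object is None:
            return True
        granted = role.auth_objects.get(auth_object, {})
        if all(value in granted.get(name, ()) for name, value in fields.items()):
            return True
    return False

MASTER = Role(
    name="ZMPM_MAIN_IN_CHARGE_ROLE",
    tcodes=frozenset({"IW22", "IW23", "IW28", "IW29", "IW31", "IW32", "IW38", "IW39"}),
    # No "RELEASE" in BETRVORG: the In-charge may not release orders.
    auth_objects={"I_VORG_ORD": {"AUFART": {"PM01"}, "BETRVORG": {"CREATE", "CHANGE"}}},
)

# One derived role per Maintenance In-charge, differing only in the plant.
DERIVED = {
    plant: derive(MASTER, f"ZDPM_MAIN_IN_CHARGE_ROLE_MI{i}", {"PLANT": {plant}})
    for i, plant in enumerate(["M1", "M2", "M3", "M4"], start=1)
}
```

A user holding only the derived role for M1 passes the check for IW32 in plant M1, fails it for plant M2, and fails any check that asks for the RELEASE value.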