Role Administration Functions

Roles contain the following information:

Name of the role

Role description text

Role menu structure

Authorization profile data

Users or organization plan elements to which the role is assigned

MiniApps

Personalization data

Functions in the Role Administration Initial Screen

Function

Notes

Change (This graphic is explained in the accompanying text)

Change and assign delivered roles or change customer roles

Display (This graphic is explained in the accompanying text)

Display single or composite roles

Create Roles (This graphic is explained in the accompanying text)

Creating Single Roles


Creating Roles contains an overview of the procedure.

Create Composite Roles (This graphic is explained in the accompanying text)

Creating Composite Roles

Add to Favorites (This graphic is explained in the accompanying text)

The role is included in the tree display.
The Favorites are displayed when you call the role administration transaction or choose Views.
To delete a role from the Favorites, position the cursor on the role. Choose the right-hand mouse key and choose Delete from Favorites in the context menu.

Where-Used List (This graphic is explained in the accompanying text)

For single roles, specifies the composite roles in which the role currently entered in the Role field is used.

For composite roles, specifies which single roles are contained in the role currently entered in the Role field.

Delete (This graphic is explained in the accompanying text)

If you want the deletion to be transported, place the role objects in a transport request before deleting. To delete the role in a system linked by RFC (like a component system in Workplace), choose Role ® Distribute deletion.

Copy (This graphic is explained in the accompanying text)

Predefined roles are delivered as templates. They begin with the prefix "SAP_". Copy a role to a name in the customer namespace. You can also copy the user assignment and personalization objects.

Transport (This graphic is explained in the accompanying text)

Transport and distribute roles

Transactions (This graphic is explained in the accompanying text)

Where-used list for transactions in roles

Views (This graphic is explained in the accompanying text)

Select views to display roles. You can choose from the following views:

Favorites

Single roles

Composite roles

Roles in composite roles

Inheritance hierarchy

Display roles for role owner

Roles grouped by country

Roles grouped by industry

Roles grouped by target system

Inheritance hierarchy displays all roles from which other roles have been derived. For more information, see Derive roles.

Display Documentation (This graphic is explained in the accompanying text)

Displays the documentation of delivered roles in the bottom right-hand part of the screen. You can link a role with a document in the Knowledge Warehouse by choosing Utilities ® Info Object ® Assign.

Set Filter (This graphic is explained in the accompanying text)

Undo Filter (This graphic is explained in the accompanying text)

You can further restrict the role display at the bottom of the screen with Set filter.


The Roles in composite role view also displays the composite roles to which a single role with the filter search string is assigned.

You can reset filter values with Reset filter.

Other Functions in the Role Menu

Function

Notes

Print

All role data (activity assignments, organizational levels, authorization data, user assignment, and so on) are printed.

Download/Upload

To avoid inconsistencies, all roles from which a role is derived are also downloaded. When you download composite roles, all the roles which they contain are also downloaded.

When you upload a role, all role data, including authorization data is uploaded from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case. You must therefore regenerate the authorization profiles after the upload.

Read from another system by RFC

...

1. On the Mass Import of Roles screen, choose the input help.

2. In the dialog box that appears, specify whether you want to use RFC destinations or a variable.

3. If you use RFC destinations, select the RFC destinations of the systems from which you want to import roles. The Select Roles (no composite roles) dialog box appears.

The program imports the selected roles, together with its menu and description, into the current system using an RFC connection. The authorization data is not imported, however.

You can also enter the RFC destination as a variable with transaction SM30_SSM_RFC.

Options under Goto ® Settings:

Simple maintenance (editing the menu for the Workplace)

Choose this option to set up composite or single roles on the Workplace server.

Basic maintenance (menus, profiles, other objects)

This option contains all functions for role administration. This is the default setting.

Complete view (organizational management and workflow)

You can use this option to display and change Workflow tasks for a role on the Workflow tab page. The assignments are only relevant for Workflow, that is, the users directly or indirectly assigned to the role are potential Workflow task performers.

Utilities Menu Functions:

Function

Notes

Status overview

Displays a list of all or selected roles with user assignment, menu, authorization profile and user master record comparison status information. You can choose the following options to restrict the result list:

Only Display Roles with Errors and Warnings: This option is activated by default and reduces the result list to roles for which the status checks do not return only green lights. There must therefore be at least one traffic light showing at least yellow for the role to be displayed. To display all entered roles in the result list, deselect this option.

Check assignment of workflow tasks You can activate and deactivate the check for workflow assignments, depending on whether the function is used in your system.

Otherwise, roles with missing workflow assignments but that display green traffic lights for all other properties, would also be displayed. This might not actually be what you want.

If you are working with workflow assignments, it is useful to select the option (default setting: inactive) to identify roles with no assignments. Essentially, the option can only be selected if organizational management is active.


If you use organization management, the statuses of the Workflow tasks and the indirect user assignments are also displayed.

Mass generation

Generates the profiles of several roles (Mass generation of profiles) at the same time

Mass comparison

User master comparison for several roles (Compare user master records)

Mass transport

You can select several roles to transport in a dialog box (Transporting and Distributing Roles).

Mass download

Save several roles on the PC.

You can choose on the selection screen whether you:

Also want to transport the single roles contained in the selected composite roles (Customizing switch ADD_COMPOSITE_ROLES in table SSM_CUST)

Also want to transport the generated profiles for all single roles (PROFILE_TRANSPORT in table PRGN_CUST)

You can define the default setting for both options using the value in the Customizing switch. If you explicitly set a switch to NO, the option in question on the selection screen is not active. Otherwise, it is active.

Role comparison tool

(Cross-system) role comparison (Compare roles).

Templates

Templates for roles

Customizing auth.

Assign projects or views of projects in the implementation guide (IMG) to a role. With this assignment, you can generate targeted authorizations for certain IMG activities and assign users. The authorization required to perform all activities in the assigned IMG projects/project views is generated in profile generation. A dialog window appears where you can make this assignment. Choose Information to display more information on using this option.

Environment Menu Functions

Function

Notes

User master

Call user administration (Create and edit user master records).

Text Comparison for CUA Central System

Send the current list of roles and profiles to the CUA central system.

Display Changes

Displaying Change Documents (For more information about the user interface of the evaluation report, see the Determining Documents for Roles and Role Assignments section.)

Installation/upgrade

Call the transaction which initially fills the role administration customer tables or updates them after an upgrade. The role administration customer tables contain a copy of the SAP field value and check indicator default values. (Reducing the Scope of Authorization Checks).

Check Indicators

Call the transaction for changing check indicators and field values.

Auth. Objects ® Display/Deactivate

Display authorization objects with documentation /
Deactivate authorization checks

Roles with responsibilities

In Release SAP R/3 4.5A and higher, all Roles with responsibilities which were created in SAP R/3 4.0A and 4.0B, are migrated in separate roles. The result of the migration is roles that contain transactions, and a derived role that contains the authorization data and user assignments for each responsibility.

End of Content Area

No comments: