Role Maintenance  

Roles contain the following information:

Functions in the role maintenance initial screen:

 - Change

Change and assign delivered roles or change customer roles

 - Display

Display single or composite roles

 - Create roles

Create roles

Guidelines for creating roles contains an overview of the procedure.

 - Create Composite Roles

Create composite roles

 - Add to Favorites

The role is added to the tree display.
The Favorites are displayed when you call the role maintenance transaction or choose Views.
To delete a role from the Favorites, position the cursor on the role, click the right mouse button, and choose Delete from Favorites in the context menu.

 - Delete

If the deletion is to be transported, put the role objects in a transport request before deleting. To delete the role in a system linked by RFC (e.g. a component system in Workplace), choose Role → Distribute deletion.

 - Copy

Predefined roles are delivered as templates. They begin with the prefix "SAP_". Copy a role to a name in the customer namespace.
You can also copy the user assignment and personalization objects.

 - Transport

Transport/assign roles

 - Views

Select views to display roles. The following views exist:

Inheritance hierarchy displays all roles from which other roles have been derived. See Derive roles.

 - Display documentation

Displays the documentation of delivered roles in the bottom right-hand part of the screen.
You can link a role to a document in the Knowledge Warehouse with Utilities → Info object → Assign in the role maintenance Change roles screen.

Set filter
Reset filter

You can further restrict the role display at the bottom of the screen with Set filter.

The Roles in composite role view also displays the composite roles to which a single role with the filter search string is assigned.

You can reset filter values with Reset filter.

Other functions in the Role menu:

Print

All role data (activity assignments, organizational levels, authorization data, user assignment, etc.) are printed.

Download/Upload

Download/Upload roles

Read from another system by RFC

Role is imported into the current system via an RFC link. The menu and role description are copied. The authorization data is not imported.

Options under Goto → Settings:

Choose Simple maintenance (Workplace menu maintenance) to create composite or single roles on the Workplace Server.

The Basic maintenance (menus, profile, other objects) contains all role maintenance functions. This is the standard setting.

You can display and change role Workflow tasks in an additional tab (Workflow) in Full view (Organization management and Workflow). The assignments are only relevant for Workflow, i.e. the users directly or indirectly assigned to the role are potential Workflow task performers.

Environment menu functions:

Status overview

Output a list of all or selected roles with user assignment, menu, authorization profile and user master record comparison status information.

If you use organization management, the statuses of the Workflow tasks and the indirect user assignments are also displayed.

Mass generation

Generates the profiles of several roles at the same time (Mass generation of profiles).

Mass comparison

User master comparison for several roles (Compare user master records).

Mass transport

You can select several roles to transport in a dialog box (Transport/distribute roles).

Mass download

Save several roles on the PC (Upload/Download roles).

User master

Call user maintenance (Create and maintain user master records).

Role comparison tool

(Cross-system) role comparison (Compare roles).

Installation/upgrade

Call the transaction which initially fills the Profile generator customer tables or updates them after an upgrade. The Profile generator customer tables contain a copy of the SAP field value and check indicator default values (Reducing the Scope of Authorization Checks).

Check Indicators

Call the transaction which allows check indicators and field values to be changed for the Profile generator.

Auth. Objects → Display/Deactivate

Display authorization objects with documentation /
Deactivate authorization checks

Create Customizing roles

You can assign Implementation Guide (IMG) projects or project views to a role under Utilities → Customizing auth. in the role maintenance. Do this to generate IMG activity authorization and assign users. The authorization to perform all activities in the assigned IMG projects/project views is generated in profile generation. You make the assignments in a dialog box. Choose Information to display more information on using this option.

Roles with responsibilities

Roles with responsibilities which were created in Releases 4.0A and 4.0B are migrated, from Release 4.5A, into separate roles which are derived from one another. The result of the migration is roles which contain transactions, and a derived role which contains the authorization data and user assignments for each responsibility.

Authorization checks in the role maintenance transaction

This transaction checks the following authorization objects:

| Technical name | Authorization object |
| --- | --- |
| S_USER_GRP | User master maintenance: User groups |
| S_USER_PRO | User master maintenance: Authorization profile |
| S_USER_AUT | User master maintenance: Authorizations |
| S_USER_AGR | Authorization system: Check for roles |
| S_USER_TCD | Authorization system: Transactions in roles |
| S_USER_VAL | Authorization system: Field values in roles |

See the authorization object documentation for details of the authorization checks.