Configuring the Authorization Concept in ERP E-Commerce
You can assign authorization roles to users in ERP E-Commerce to determine the activities and transactions they can carry out. For example, you can determine whether a B2B Web shop user can create orders or only display them, or whether an internal employee can manage the Auctioning via Web Shop application. Once authorization roles are assigned, the system checks the users’ permissions in the background and restricts the tasks they can carry out accordingly. Users can only access the menus and transactions relevant to them, and their Web-based application authorizations match their backend user authorizations.
SAP delivers a standard set of authorization roles for use in ERP E-Commerce. This means all authorization values are specified and you only need to generate the user profiles. However, several authorization objects have been assigned full authorization values since they are based on customizing and master data. This means that certain functions are enabled which you may not be using in your Web shop, and the permission levels they give to users may not meet your requirements. SAP therefore recommends that you copy the standard roles, rename them, and modify them before use. This will improve security.
The authorization roles provided are for the user type SU01 only. The SU05 user concept does not support the assignment of authorizations to SU05 users or Single Sign-On (SSO) functionality. Therefore, SAP recommends you use SU01 users to improve security. You can migrate existing SU05 users to SU01 users in the backendobject-config.xml file. For more information, see SU05 to SU01 User Migration in ERP E-Commerce.
If you do have to use SU05 users, you have to assign authorizations to the service user. SU05 users are based on the anonymous service user concept, whereby the service user has full application functionality. Therefore, if you have user roles and service user roles that exist for one application only, you can assign these roles to the service user and the SU05 users can be supported by the authorization concept.
You copy the standard delivered roles in your SAP ERP system as follows:
1. In the SAP Easy Access Menu choose Tools → Administration → User Maintenance → Role Administration → Roles (Transaction PFCG).
2. Enter the standard role in the Role field and select Copy Role.
3. Specify a new name for your local role and select Copy selectively.
4. Deselect all the checkboxes in the Choose Objects dialog box and select Continue.
5. The copied role is now created and you can generate the authorization profile.
6. Select Change. The system displays the role details.
7. On the Authorizations tab page select Change Authorization Data. The system displays the authorization objects contained in the authorization role.
8. Select the Generate icon and change the profile name if required. The system creates a profile.
Once you have created a profile you can change the authorization objects and values in the role to meet your requirements.
1. In the SAP Easy Access Menu choose Tools → Administration → User Maintenance → Role Administration → Roles (Transaction PFCG).
2. Enter the name of your authorization role in the Role field and select Change. The system displays the role details.
3. On the Authorizations tab page select Change Authorization Data. The system displays the authorization objects contained in the authorization role.
4. Select the authorization object you wish to change and expand the view to display all the authorization values.
5. Select Change (pencil icon next to the value). The system displays a dialog box with all values for the authorization object for your selection.
6. Select the appropriate value(s) and Save your selection.
7. Regenerate the user profile as described above.
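The following check is an added example, not part of the SAP documentation. It reads constructed rows shaped like exports of tables AGR_1251 (role authorization values) and AGR_USERS (role assignments) and reports copied roles that still carry a full authorization value (*) as well as users who are assigned a delivered role directly. It assumes that delivered roles use the SAP_ prefix and that an X in the DELETED column marks an inactive authorization; all role names, user names and values in the sample are hypothetical.

```python
import csv
import io

# Constructed sample data, shaped like SE16 exports of AGR_1251 (role
# authorization values) and AGR_USERS (role assignments). All role and
# user names, and order type ZOR, are hypothetical.
AGR_1251 = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
SAP_EXAMPLE_SHOP_ROLE,V_VBAK_AAT,ACTVT,*,,
SAP_EXAMPLE_SHOP_ROLE,V_VBAK_AAT,AUART,*,,
Z_SHOP_B2B_DISPLAY,V_VBAK_AAT,ACTVT,03,,
Z_SHOP_B2B_DISPLAY,V_VBAK_AAT,AUART,*,,
Z_SHOP_B2B_ORDER,V_VBAK_AAT,ACTVT,01,03,
Z_SHOP_B2B_ORDER,V_VBAK_AAT,AUART,ZOR,,
Z_SHOP_B2B_ORDER,V_VBAK_VKO,VKORG,*,,X
"""
AGR_USERS = """AGR_NAME,UNAME
SAP_EXAMPLE_SHOP_ROLE,WEBUSER01
Z_SHOP_B2B_ORDER,WEBUSER02
Z_SHOP_B2B_DISPLAY,REF_B2C_SHOP
"""

def load(text):
    """Parse an exported table (CSV with header row) into dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def is_delivered(role):
    # Assumption: delivered roles keep the SAP_ prefix, copies do not.
    return role.startswith("SAP_")

def leftover_full_values(auth_rows):
    """Copied roles whose active authorizations still contain '*'."""
    findings = {}
    for row in auth_rows:
        # Skip delivered roles (expected to be broad) and rows flagged
        # as deleted/inactive (assumed meaning of DELETED = 'X').
        if is_delivered(row["AGR_NAME"]) or row["DELETED"] == "X":
            continue
        if row["LOW"].strip() == "*":
            findings.setdefault(row["AGR_NAME"], []).append(
                (row["OBJECT"], row["FIELD"]))
    return findings

def users_on_delivered_roles(assign_rows):
    """Users holding an unmodified delivered role instead of a copy."""
    return sorted((r["UNAME"], r["AGR_NAME"])
                  for r in assign_rows if is_delivered(r["AGR_NAME"]))

if __name__ == "__main__":
    print(leftover_full_values(load(AGR_1251)))
    print(users_on_delivered_roles(load(AGR_USERS)))
```

Each finding is a candidate for steps 4 to 7 above: restrict the value in the copied role and regenerate the profile.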
Standard delivered roles
For a list of the standard roles delivered by SAP for the ERP E-Commerce, see Authorization Roles in ERP E-Commerce.
Assign authorization roles to users
You assign the authorization roles to users in backend user creation in ERP and in the Web-based User Management application.
Create a user
Create a new user in the Web-based User Management application. Assign the business partner and company to the user.
The same user components are created for the user in the Web-based User Management application as would be created if the user were being created in the ERP backend system: an SU01 user of user type Dialog, a business partner (contact person), and a company (customer). In the backend system the Web shop Manager would proceed as follows:
· Create a business partner in the account group of Sold-to party.
In the SAP Easy Access Menu choose Logistics → Sales and Distribution → Master Data → Business Partner → Customer → Create → Sales and Distribution (transaction VD01). For more information, see Creating and Changing Business Partner Master Data.
· On the Contact persons tab page enter the details for a contact person for this customer and fill in all necessary fields. The system automatically assigns an ID to the new contact person.
· Create a user in the ERP system (transaction SU01).
In the SAP Easy Access Menu choose Tools → Administration → User Maintenance → Users (transaction SU01).
· Select References and fill in the object type and key.
· The object type must be BUS1006001 Business partner employee.
· The Key is the contact person's ID created automatically by the system in the first step above.
· KNA1 is the type and the customer number is the key.
For more information, see User Maintenance Functions.
Backend user creation role assignment
In the SAP Easy Access Menu choose Tools → System Administration → User Maintenance → Users (transaction SU01). Select the user you created in the step above. On the Roles tab page enter the role you wish to assign to the user. Any roles you have created in role maintenance are available for your use.
Web-based User Management application role assignment
When you create a user in the Web-based User Management application, the system displays a list of modified authorization roles for your selection. You select the role you want and assign it to the user.
You make the roles available in the Web-based User Management application by entering them in the Customizing area of the application. They are then available for selection during user creation.
You can assign the authorization roles to users directly or by assigning them to reference users, and then assigning the reference user to the user.
Role assignment for self-registered users
In the ERP E-Commerce B2C Web shop users self-register. Therefore you cannot assign authorizations directly to these users. Instead, you have to use a reference user. You create a user of the type Reference in your ERP backend system (transaction SU01) and assign to it the authorization role you wish your self-registered users to have. When a customer registers in the Web shop, the system looks for the reference user assigned to the Web shop and assigns it to the customer's user record. The user inherits all authorizations assigned to the reference user and can carry out all necessary activities in the Web shop.
You assign the reference user to a Web shop using the Shop Management application. On the General Information tab page in Shop Management the system administrator enters the reference user ID in the Reference User field. When a user logs on to this Web shop the system will read the reference user ID entered for the shop and assign this reference user to the new user in the backend system.
For more information on user creation and authorization assignment, see the ERP E-Commerce user management documentation in the SAP Library.