Roles and Authorizations Concept
For Management of Internal Controls (MIC), a large number of frequently changing people need to perform tasks in a variety of functions. Consequently, a special roles and authorizations concept has been created for this purpose. Apart from the general SAP roles, this concept also comprises MIC-specific roles containing various tasks delivered by SAP. These roles and their respective tasks allow you to manage the detailed authorizations and the workflow between those involved.
The following general SAP roles are relevant for MIC:
- Management of Internal Controls – All Authorizations (SAP_CGV_MIC_ALL)
A user with this role is a power user and can perform Customizing for MIC and administration functions in the SAP GUI. Moreover, the user has special authorizations in the People-Centric UI, such as those for editing roles and for starting role assignment to persons (see Assigning Roles to Persons).
- Management of Internal Controls – Display (SAP_CGV_MIC_DISPLAY)
A user with this role can display Customizing for MIC in the SAP GUI. This role is particularly useful for external auditors.
- Management of Internal Controls – Business User (SAP_CGV_MIC_BUSINESS_USER)
A user with this role is authorized only to perform the specific tasks prescribed by the detailed role concept for MIC. Every user with this role must also have at least one MIC-specific role assigned. The user may use the Web applications that are specified by the tasks in that MIC-specific role.
You edit the general SAP roles in Customizing under SAP Web Application Server → System Administration → Users and Authorizations → Maintain Authorizations and Profiles Using Profile Generator → Generate Role/Profile and Assign Users (transaction PFCG). For more information about the authorization objects contained in the roles, see Management of Internal Controls: Security Guide.
A power user can edit the MIC-specific roles in the following ways:
- In Customizing for MIC under Edit Roles
- Using a Web application that can be called up from the MIC start page
SAP delivers sample roles in a BC Set. To use these sample roles, you must first activate the BC Set in Customizing. All other role-editing activities are possible both in Customizing and in the Web application, although the Web application's user interface is easier to use.
When editing a role, you assign to it all the tasks that anybody holding that role should be allowed to perform. You also specify the role level.
- The role level defines whether the tasks can be performed for the entire corporate group, for a single organizational unit, for a process group, for a process, or for a process step.
- The tasks are delivered by SAP and cannot be changed. Each task has the following attributes:
  - Minimum Role Level: You can only assign to a role those tasks whose minimum role level corresponds to the level entered for the role. For example, the task Perform Sign-Off at Corporate Level (minimum role level = group) can only be assigned to a role at Corporate level.
  - Restricted to One Role: A task flagged with this indicator can be assigned to only one role. A further restriction applies to role assignment: when a role contains a task flagged with this indicator, that role may be assigned to only one person per object.
  - Processing by One Work Item Recipient Suffices: A task flagged with this indicator can be performed by more than one user, but it is sufficient if only one of them performs it. As soon as one user has completed the task, it is completed for all other users to whom the task is assigned.
  - Web application that the task calls up: Different tasks can call up the same Web application. For example, the task Assign Process to Organizational Unit and the task Edit Attributes of Process Groups Specific to Org Units both call up the Web application Process Assignment for Org Unit. If a person has authorization for only one of the tasks, that person may perform only that task in the Web application. If a person has authorization for both tasks, he or she may perform both, regardless of which task the Web application was called up from. In the latter case it is sufficient for just one of the tasks to be scheduled, so you can reduce the number of tasks that need to be sent.
For an overview of the delivered tasks and their attributes, see Delivered Tasks. To find out which roles contain a task, you can search for a task in the Web application for processing roles. In this way, you can display all roles that the task is assigned to.
The task Create User is handled differently because a special authorization is required for this task. For more information, see Creating Users and Connecting Users to Persons.
The assignment of a role and its tasks to one or more persons always refers to one object (for example, an organizational unit). The assignment is performed in a Web application by different persons throughout the organization hierarchy; the power user triggers this process for the highest level of the hierarchy. For more information, see Assigning Roles to Persons.
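The rules above (minimum role level, restricted-to-one-role, one-recipient-suffices, shared Web applications, and one person per object) are easy to get wrong when designing roles. The following Python model is an added illustration, not SAP code and not part of this documentation: it enforces those rules on constructed data so you can see which combinations are rejected. The task and Web application names are the ones quoted above; the numeric ordering of the role levels (a role may hold a task whose minimum level is at or below its own), the attribute values, the role names, the persons, the object keys and the task "Confirm Test Result" are assumptions made for the example.

```python
"""Toy model of the MIC role/task constraints; constructed example, not SAP code."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class RoleLevel(IntEnum):
    """The five role levels named in the text; the numeric order is an assumption."""
    PROCESS_STEP = 1
    PROCESS = 2
    PROCESS_GROUP = 3
    ORG_UNIT = 4
    CORPORATE_GROUP = 5


@dataclass(frozen=True)
class Task:
    """An SAP-delivered task with the attributes described in the text."""
    name: str
    min_level: RoleLevel
    web_app: str
    restricted_to_one_role: bool = False
    one_recipient_suffices: bool = False


@dataclass
class Role:
    name: str
    level: RoleLevel
    tasks: set[Task] = field(default_factory=set)


class RoleModel:
    """Roles plus (role, object) -> persons assignments, with the rules enforced."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}
        self.assignments: dict[tuple[str, str], set[str]] = {}

    def add_role(self, role: Role) -> None:
        self.roles[role.name] = role

    def add_task(self, role_name: str, task: Task) -> None:
        role = self.roles[role_name]
        # Minimum role level: the role must be at or above the task's minimum (assumed ordering).
        if role.level < task.min_level:
            raise ValueError(f"{task.name!r} requires {task.min_level.name}; "
                             f"role {role_name!r} is at {role.level.name}")
        # Restricted to one role: the task must not already sit in another role.
        if task.restricted_to_one_role:
            for other in self.roles.values():
                if other is not role and task in other.tasks:
                    raise ValueError(f"{task.name!r} already belongs to {other.name!r}")
        role.tasks.add(task)

    def assign(self, role_name: str, person: str, obj: str) -> None:
        role = self.roles[role_name]
        holders = self.assignments.setdefault((role_name, obj), set())
        # A role carrying a restricted task may be held by only one person per object.
        if any(t.restricted_to_one_role for t in role.tasks) and holders - {person}:
            raise ValueError(f"role {role_name!r} is already assigned for {obj!r}")
        holders.add(person)

    def permitted_tasks(self, person: str, obj: str, web_app: str) -> set[str]:
        """Tasks the person may perform in a Web application for an object: the union
        over all of that person's roles, so two tasks sharing one application combine."""
        names: set[str] = set()
        for (role_name, o), persons in self.assignments.items():
            if o == obj and person in persons:
                names |= {t.name for t in self.roles[role_name].tasks if t.web_app == web_app}
        return names


class WorkItem:
    """A scheduled task sent to several recipients."""

    def __init__(self, task: Task, recipients: set[str]) -> None:
        self.task = task
        self.pending = set(recipients)

    def complete(self, user: str) -> bool:
        """Record completion by one user; True once the item is done for everyone."""
        if user not in self.pending:
            raise PermissionError(f"{user!r} is not a recipient of {self.task.name!r}")
        if self.task.one_recipient_suffices:
            self.pending.clear()          # one completion closes it for all recipients
        else:
            self.pending.discard(user)
        return not self.pending


# Constructed sample data: task and Web application names are quoted from the text,
# except "Confirm Test Result", which is hypothetical; attribute values are assumptions.
ASSIGN_PROCESS = Task("Assign Process to Organizational Unit", RoleLevel.ORG_UNIT,
                      "Process Assignment for Org Unit")
EDIT_PG_ATTRS = Task("Edit Attributes of Process Groups Specific to Org Units",
                     RoleLevel.ORG_UNIT, "Process Assignment for Org Unit")
CORP_SIGN_OFF = Task("Perform Sign-Off at Corporate Level", RoleLevel.CORPORATE_GROUP,
                     "Sign-Off", restricted_to_one_role=True)
CONFIRM = Task("Confirm Test Result", RoleLevel.PROCESS, "Testing", one_recipient_suffices=True)


def build_example() -> RoleModel:
    """Assumed roles, persons and object keys (OU-100, GROUP) for the demonstration."""
    m = RoleModel()
    m.add_role(Role("Org Unit Owner", RoleLevel.ORG_UNIT))
    m.add_role(Role("Process Owner", RoleLevel.PROCESS))
    m.add_role(Role("Corporate Sign-Off", RoleLevel.CORPORATE_GROUP))
    m.add_task("Org Unit Owner", ASSIGN_PROCESS)
    m.add_task("Org Unit Owner", EDIT_PG_ATTRS)
    m.add_task("Process Owner", CONFIRM)
    m.add_task("Corporate Sign-Off", CORP_SIGN_OFF)
    m.assign("Org Unit Owner", "alice", "OU-100")
    m.assign("Corporate Sign-Off", "carol", "GROUP")
    return m
```

With `build_example()` in place, `permitted_tasks("alice", "OU-100", "Process Assignment for Org Unit")` returns both tasks because alice's role holds both, which is the case where scheduling only one of the two tasks suffices. Adding the corporate sign-off task to the process-level role, adding it to a second role, or assigning the sign-off role to a second person for `GROUP` each raises `ValueError`.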
Program FOPC_RESOLVE_OBJECTS allows power users to find out (during error analysis, for example) for which object a user has to perform a task according to the role assignments.
As a power user, you perform the above-mentioned functions in the following sequence:
1. If you want to use the delivered sample roles, activate the relevant BC Set in Customizing. For the procedure, see the documentation on the IMG activity Edit Roles.
2. Change the delivered sample roles or create your own roles.
3. Activate the roles that you would like to use and then save your entries.
4. Start the role assignment procedure in the navigation area of the start page (see Assigning Roles to Persons).