Configuration of Access Control

System administrators can use this function to set up the access control framework through user management (PFCG roles) and Customizing.

Process

Assign PFCG roles to users
PFCG roles form the generic tier of user management and the ability to use SAP Commercial Project Management. Separate authorization objects are provided for Project Workspace, Project Cost and Revenue Planning, and Project Issue and Change Management. You create users and assign relevant PFCG roles in User Maintenance (transaction SU01).

However, since access control is a framework that spans all applications of SAP Commercial Project Management, you can use Authorization Object to Override Access Control (OAUTH) to allow special users to override access control settings in the project setup. This authorization object allows users to view all project information and access all available functions.

Create access control groups

Based on the typical roles in your organization and the corresponding tasks of each role, create access control groups using access control IDs. You can do this in Customizing for SAP Commercial Project Management, under Start of the navigation path Master Data Next navigation step Master Project Define Access Control End of the navigation path . Access control IDs define actions or functions that users can use as part of their roles in master project teams. They can be used to distinguish permissions based on roles. For example, as part of their respective tasks, a project manager can view and update business objects in a master project, while a cost estimator may be allowed to work only with financial plans.

Note Note

Optionally, you can also define dependencies between access control IDs. For example, the access control to edit master projects may also contain the access control ID to view master projects.

End of the note.

The following access control IDs are available:

Access Control ID	Description	Comment
001	Administrator	Allows access to all functions and project data in SAP Commercial Project Management. This access control also consists of all other standard access controls (through dependent access controls).
002	Change Master Project	Allows a user to edit a master project.
003	Read Master Project	Allows a user to view a master project.
004	Change Master Project Item	Allows a user to edit attributes of specific business objects and subobjects, based on assigned responsibilities.
005	Read Master Project Item	Allows a user to view attributes of specific business objects and subobjects, based on assigned responsibilities.
006	Change All Master Project Items	Allows a user to edit attributes of all business objects and subobjects in the master project structure, even without being assigned specific responsibilities.
007	Read All Master Project Items	Allows a user to view attributes of all business objects and subobjects in the master project structure, even without being assigned specific responsibilities.
008	Maintain Master Project Team	Allows a user to create master project teams, and maintain project team members.
009	Read Master Project Team	Allows a user to view master project teams and their members.
010	Maintain Contact Person	Allows a user to add, update, or delete the contact person for a master project.
011	Read Contact Person	Allows a user to view information about the contact person in a master project.
012	Maintain Status and Trends	Allows a user to create and update the status of a master project and set trends for status areas.
013	Read Status and Trends	Allows a user to view the status and trend of a master project, along with status logs.
014	Create Financial Plan	Allows a user to create new financial plans for a master project to which the user is assigned.
015	Change Financial Plan	Allows a user to update information in financial plans to which the user is assigned responsibility.
016	Read Financial Plan	Allows a user to view information in financial plans to which the user is assigned responsibility.
017	Delete All Financial Plans	Allows a user to delete all financial plans for a master project.
018	Change All Financial Plans	Allows a user to update information in all financial plans even if they are not assigned as responsibilities.
019	Read All Financial Plans	Allows a user to only view information for all financial plans even if they are not assigned as responsibilities.
020	Access Financial Plan Item	Allows a user to access specific plan items for the purpose of cost and revenue planning or estimation based on specific business objects and subobjects, assigned as responsibilities.
021	Access All Financial Plan Items	Allows a user to access all plan items in the structure of a financial plan even without being assigned specific responsibility.
022	Forecasting	Allows a user to create and update forecasts for plan versions.
023	Transfer to ERP	Allows a user to transfer planned data into backend systems such SAP ERP and SAP Multiresource Scheduling (MRS).
024	Map and Transfer Bid Structure	Allows a user to copy structures and associated plan data from a bid structure.
025	Change Plan Hierarchy Type	Allows a user to change the type of structure of a financial plan (that is, change between bid structure and master project structure).
026	Switch Plan Type	Allows a user to change the plan type of a financial plan. For example, to change from weekly planning to monthly planning. This also requires access to all financial plan items (Access All Financial Plan Items).
027	Maintain Exchange Rate	Allows a user to create or update exchange rates in financial plans.
028	Create Change Requests	Allows a user to create change requests for the master project to which the user is assigned.
029	Update Change Requests	Allows a user to update information in change requests for the master project to which the user is assigned.
030	Read Change Requests	Allows a user to read information in change requests for the master project to which the user is assigned.
031	Create Milestone Checklist	Allows a user to create a milestone checklist for the master project to which the user is assigned.
032	Change Milestone Checklist	Allows a user to update the milestone checklist for the master project to which the user is assigned.
033	Read Milestone Checklist	Allows a user to view the existing milestone checklist for the master project to which the user is assigned.
034	Log Issue	Allows a user to log an issue for the master project to which the user is assigned.
035	Update Issue	Allows a user to update an existing issue in the master project to which the user is assigned.
036	Read Issue	Allows a user to view information for existing issues in the master project to which the user is assigned.

Assign access control groups to master project roles
Assign each access control group to its respective master project role, to define the tasks and functions that members of each role can access. You do this in Customizing for SAP Commercial Project Management, under Master Data Master Project Define Role Profiles Assign Roles to Role Profile .
Activate the usage of access controls in master projects
Finally, activate the usage of access control for master project types. This allows you to selectively use access control for project environments that require detailed access management. You do this in Customizing for SAP Commercial Project Management, under Master Data Master Project Make Settings for Master Projects .

Example Example

Suppose team leads in a project team who are responsible for the execution of a large construction project. The main task of each team lead is to keep track of accounts, report cost overruns, and ensure that the project meets financial goals set out in the plan.

To enable this group of users to perform their tasks, you create a role with the following access controls:

Role: Team Lead

Access Control Group: Team Lead

Access Control IDs:

003: Read Master Project
015: Read Financial Plan
016: Change Financial Plan
021: Access Financial Plan Item
024: Map and Transfer Bid Structure
023: Transfer to ERP

End of the example.