Show TOC

Role Administration FunctionsLocate this document in the navigation structure

Use

A role can contain the following information:

  • Role name

  • Description text for the role

  • Menu structure of the role

  • Authorization profile data

  • Users or elements of the organizational plan to which the role is assigned.

  • MiniApps

  • Personalization data

Functions in the Initial Screen

Function

Comments

Change

Starts change mode, in which you can change and assign roles that have been delivered by SAP or that you have created yourself.

Display

Displays single roles or composite roles.

Single Role Create Single Role

Creates a single role. Creating Roles provides an overview of the procedure.

Composite Role Create a Composite Role

Creates a composite role.

Add to Favorites

Adds the role the list of favorites. The favorites are displayed when you start the role administration transaction, or when you choose the Favorites display using . To remove a role from the list of favorites, right-click the role name and, from the context menu, choose Delete from Favorites

Where-Used List

For single roles, shows the composite roles that contain the single role currently entered in the Role field.

For compsite roles, shows which single roles are contained in the composite role currently entered in the Role field.

Copy Role

Copies the role entered in the Role field. SAP delivers predefined roles as templates. The names of these roles start with the prefix SAP_. When copying these roles, use a name from the customer namespace. You can copy the user assignment and personalization objects along with a role.

Delete Role

Deletes the role.

To transport the deletion, record the objects that belong to the role in a transport request before the deletion.

To delete the role in a system connected by an RFC connection, choose Start of the navigation path Role Next navigation step Distribute deletion End of the navigation path.

Transport Role

Transports and distributes the role.

Transactions Where-Used List for Transactions in Roles

Displays the transactions contained in the role.

Allows you to select one of the following views for displaying roles:

  • Favorites

  • Single Roles

  • Composite Roles

  • Roles in Composite Roles

  • Inheritance hierarchy

    Displays all roles from which other roles have been derived (see Creating Derived Roles and Copying Authorizations).

  • Display Roles for Role Owner

  • Roles Grouped by Country

  • Roles Grouped by Industry

  • Roles Grouped by Target System

Set Filter

Undo Filter

Restricts the display of roles or removes the restriction.

Note

The view Roles in Composite Role also displays the compsite roles that have been assigned a single role containing the relevant filter search string.

Show Documentation

Displays the documentation for delivered roles. In change mode, you can connect a document from the Knowledge Warehouse by choosing Start of the navigation path Utilities Next navigation step InfoObject Next navigation step Create Assignment End of the navigation path.

Function

Comments

Print

Prints all of the data for the role (assignment of activities, organizational units, authorization data, user assignment, and so on).

Download or Upload

Downloads the role. To avoid inconsistencies, the system downloads all roles that have been derived from a role. If you download composite roles, this download also includes all of the contained roles.

If you upload a role, the role data including the authorization data is loaded from a file into the SAP system. The user assignments for the role and generated profiles for the role are not uploaded. You therefore need to generated the authorization profiles after you have performed the upload.

Read from Another System by RFC

Imports a role from another system.

  1. To specify whether you want to use an RFC destination or a variable, use the input help on the Mass Import of Roles screen.

  2. For RFC Destination, use the input help to select the RFC destinations of the system from which you want to import the role, and choose Execute

    The Select Roles (No Composite Roles) dialog box appears.

  3. Select the roles to be imported.

    The program imports the selected roles including menu and description into the current system, but does not import the authorization data.

You can also use transaction SM30_SSM_RFC to enter the RFC destination as a variable.

Function

Comments

Status Overview

Displays a list of all or of selected roles with status information about user assignment, menu, authorization profile, and user master record comparison. You can use the following options to restrict the result list:

  • Only Display Roles with Errors and Warnings: This option is activated by default, and reduces the result list to roles for which the status checks do not return only green lights. For the role to be displayed, at least one traffic light must be yellow or red. To display all entered roles in the result list, remove the selection of this option.

  • Check Assignment of Workflow Tasks: You can activate and deactivate the checking of workflow assignments, depending on whether the function is used in your system.

    Otherwise, roles would be displayed for which only workflow assignments are missing, but for which all other properties have green lights.

    If you are working with workflow assignments, select this option (default setting: inactive) to identify roles without assignments. You can only select this option if Organizational Management is active.

    Note

    If you use Organizational Management, the system also displays the statuses of the tasks in the workflow and the indirect user assignments.

Mass Generation

Generates profiles for multiple roles simultaneously (see Performing a Mass Generation of Profiles).

Mass Comparison

Performs a user master comparison for multiple roles (see Comparing User Master Records).

Mass Transport

Transports multiple roles (see Transporting and Distributing Roles).

You can choose whether you also want to transport:

  • Single roles contained in the selected composite roles (Customizing switch ADD_COMPOSITE_ROLES in table SSM_CUST)

  • Generated profiles of all single roles ( PROFILE_TRANSPORT in table PRGN_CUST)

    You can control the default settings for the options using the Customizing switches. If you explicitly set the switch to NO, the corresponding option is not active on the selection screen.

Mass Download

Downloads multiple roles to your PC.

Mass Maint. of Price List Categories

Starts the maintenance transaction for license attributes of roles.

Role Comparison Tool

Performs a (cross-system) comparison of role menus (see Comparing Roles).

Templates

Templates for roles.

Function

Comments

User Master Record

Switches to user administration (see Creating and Editing User Master Records).

Text Comparison for CUA Central System

Sends current list of roles and profiles to the CUA central system.

Display Changes

Displays change documents. For more information about the user interface of the evaluation report, see the section Determining Documents for Roles and Role Assignments.

Installation or Upgrade

Starts the transaction for filling customer tables for role administration for first use or to update after an upgrade. The customer tables for role administration contain an adjustable copy of the SAP default values for the field values and check indicators (see Reducing the Scope of Authorization Checks).

Check Indicator

Starts the transaction to change check indcators and field values.

Start of the navigation path Authorization Objects Next navigation step Display End of the navigation path or Start of the navigation path Authorization Objects Next navigation step Deactivate End of the navigation path

Displays authorization objects or deactivates authorization checks.

Function

Comments

Settings

  • Simple maintenance (Workplace menu maintenance)

    Choose this setting to set up composite or single roles on the Workplace server.

  • Basic maintenance (menus, profiles, other objects)

    Default setting, which contains all functions for role administration.

  • Complete view (Organizational Management and workflow)

    With this setting, you can display and change workflow tasks for a roleon the Workflow tab page. These assignments are only relevant for the workflow, that is, the users assigned directly or indirectly to the role become possible agents for the workflow tasks.

Transactions in Roles

Finds all roles that contain a particular transaction.

Functions in Change Mode

Function

Comments

Role Obsolete and Reset Obsolete Role

Marks a role as obsolete, but does not prevent its use. As the person responsible for the role, set the indicator in the following cases, for example:

  • The role is inconsistent with the principle of functional separation, which restricts the area of responsibility for individual users to increase system security. The obsolete role therefore contains authorizations that do not permit functional separation. Assign different technical functions to different roles.

    Example

    An employee in accounting wants to enrich himself. To do this, he creates bank details and a vendor. He can then transfer small sums to himself inconspicuously. To avoid this, a user who can create bank details should never have authorization to create vendors. The functional separation could look roughly like this: One user has authorization to create vendors. A second user has authorization to create bank details.

  • The applications contained in the role are obsolete.

The Role Obsolete indicator is also contained in the following User Information System reports about roles ( RSUSR070):

  • Roles by Complex Selection Criteria

  • By Role Name

Function

Comments

Start of the navigation path InfoObject Next navigation step Create Assignment End of the navigation path

Links a role with a document that exists in Knowledge Warehouse.

Customizing Auth.

Assigns projects or view of Implementation Guide (IMG) projects to a role. With this assignment, you can generate authorizations for particular IMG activities in a targeted way, and assign them to users. When you generate profiles, the sytsem generates the authorization necessary to execute all activities in the assigned IMG projects or project views. A dialog box appears in which you can enter the assignment. To display more information about the use of this option, choose the Information button.

Settings

Starts the user master comparison when saving the role with the following selection:

  • Automatic User Master Adjustment when Saving Role

    You can use this setting if a relatively small number of user masters need to be compared. Otherwise, the comparison takes too long and you would be better to start it manually.

  • Copy menu: Do not insert existing entries. Default: NO

    You can use this setting to activate the automatic menu compression. In this case, identical menu paths are not displayed more than once (see SAP Note 504006 Information published on SAP site).

Display Changes

Starts the display of the change documents for role administration.

Optimize User Assignment

Starts report PRGN_COMPRESS_TIMES, which combines multiple assignments of a role to the same user, if the validity periods overlap. It also deletes expired role assignments if the indicator Remove validity periods that have already expired indicator is set.

Function

Comments

Org. Management

Only active if you chose Start of the navigation path Goto Next navigation step Settings Next navigation step Overall View End of the navigation path on the initial screen.

Displays existing assignments for the role within HR Organizational Management. You can change these assignments.

User Comparison

Starts the user master comparison (see Assigning Users).

Assignment of Price List Category

Starts the maintenance transaction for license attributes of roles.

Roles with Responsibilities

Roles with responsibilities that were created in releases 4.0A and 4.0B are migrated as of release 4.5A to separate roles that are derived from each other. As a result of the migration, you receive the roles that contain the transactions, and for each responsibility, a derived role that contains the authorization data and user assignments.