Start of Content Area

Background documentation Authorizations  Locate the document in its SAP Library structure

Use

The Self-Service applications use the authorization concept of SAP NetWeaver Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Security Guide for ABAP and SAP NetWeaver Security Guide for Java also apply to the Self-Service applications.

The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles, use the Profile Generator (transaction PFCG). For more information, see Editing Roles and Authorizations for Web Dynpro Services.

Caution

The Self-Service applications for Human Resources also use the authorizations of the individual components. For more information, see the Human Capital Management section of the ERP Central Component Security Guide.

Standard Roles

Employee Self-Service

The following table presents the standard roles used in Employee Self-Service applications:

Standard Roles for Employee Self-Service (ESS):

Role

Description

SAP_ESSUSER_ERP05

Single role that comprises all non country-specific functions.

SAP_EMPLOYEE_ERP05_xx

Single role comprising country-specific functions. A separate role exists for each country version (xx = country ID). The corresponding composite role is SAP_EMPLOYEE_ERP05.

In each case, the profile has been copied from the predefined composite role. The data required for ERP and the relevant NetWeaver authorizations have been added to this role.

The composite role is assigned to the individual employee.

Manager Self-Service, Business Unit Analyst, and Project Self-Services

There are no standard roles for these components.

E-Recruiting and HR Administrative Services

For information about the standard roles for these components, see the Human Capital Management section of the ERP Central Component Security Guide.

Higher Education and Research

For information about the standard roles for this component, see the Security Guide for this component.

Standard Authorization Objects

The following table presents the general authorization objects relevant for security that are used by the Self-Service applications.

Standard Authorization Objects for Self-Service Applications:

Authorization Object

Field

Value

Description

S_RFC

RFC_NAME

Depends on service

Saves data from RFC access to Web Dynpro frontend to the backend system.

S_SERVICE

SRV_NAME

*

Additional object for Web Dynpro applications. Check that is run when external services are started.

This authorization object is needed when an employee, project lead or manager wants to start self-service applications.

When you enter the value * for the authorization object S_SERVICE, you provide users with the authorization to start all applications. However, you can also assign authorizations for individual applications. In this case, use the syntax S_SERVICE‑SRV_NAME = <vendor>/<dc>/<Application>, for example, sap.com/pcui_gp~xssexamples/AttendanceExample.

E-Recruiting and HR Administrative Services

For information about the standard authorization objects for these components, see the Human Capital Management section of the ERP Central Component Security Guide.

Higher Education and Research

For information about the standard authorization objects for this component, see the Security Guide for this component.

Internal Service Request and Personnel Change Requests

For information about standard authorization objects for the Internal Service Request (ISR) and Personnel Change Requests, see SAP Note 623650.

 

End of Content Area