Show TOC

Function documentationStandard Roles and Authorization Objects Locate this document in the navigation structure

 

The authorization concept of SAP NetWeaver assigns authorizations to users on the basis of roles. Some general SAP standard roles are delivered with Process Control as described below.

You can copy and adjust these default roles in the Customizing activities under   SAP NetWeaver   Application Server   System Administration   Users and Authorizations   Maintain Authorizations and Profiles using Profile Generator   Maintain Roles   (transaction PFCG).

In the Process Control application, the power user can assign these roles to the corresponding entities.

Features

The standard roles that are delivered are:

  • Basic Role (SAP_GRC_FN_BASE): The basic technical role for a user who wants to use Risk Management or Process Control. This role contains all necessary authorizations to make the necessary Customizing settings for this application. This role does not contain any authorizations for the portal interface.

  • Business User (SAP_GRC_FN_BUSINESS_USER): A user with this role is only authorized to perform operations on assigned entities. We recommend that a user with this role also be assigned a portal role for in order to use the web interface of the application.

  • Power User (SAP_GRC_FN_ALL): In addition to the authorizations of the business user, a power user also has authorization for administrative functions through the Customizing activities, such as the definition of organizations.

    Caution Caution

    Authorization granted to power users through the role SAP_GRC_FN_ALL cannot be delegated to business users. If the power user needs to delegate his authorization to others, he must ask the IT department to assign the PFCG role SAP_GRC_FN_ALL to that user. This delegation is not entity dependent. For more information, see My Delegation Overview.

    End of the caution.

  • Display User (SAP_GRC_FN_DISPLAY): A user with this role can display all data in the portal. This role is useful for external auditors, for example. We recommend using this role in addition to the business user role.

Note Note

For more information, see the documentation on the individual roles in transaction PFCG, for example, Changing Standard Roles.

End of the note.

Activities

To work with user roles, the following steps are necessary:

  1. The system administrator assigns the basic role SAP_GRC_FN_BASE to all users working with the application. This role contains the technical authorizations required to run the application. Without this role, assigned users cannot run the application.

  2. The system administrator copies the delivered power user role SAP_GRC_FN_ALL, makes any necessary adjustments, and assigns the modified copy of the standard role to a user who then becomes a power user for the application. Alternatively, the delivered standard role can be used directly.

  3. The system administrator copies the delivered display user role SAP_GRC_FN_DISPLAY, makes any necessary adjustments, and assigns the modified copy of the standard role to other users who become display users for the application. Alternatively, the delivered standard role can be used directly.

  4. The system administrator copies the delivered business user role SAP_GRC_FN_BUSINESS_USER, makes any necessary adjustments, and assigns the modified copy of the standard role to other users who become business users for the application. Alternatively, the delivered standard role can be used directly. The business users' authorizations within the application can be defined further by the application roles.

  5. The portal administrator copies the delivered roles, makes any necessary adjustments, and assigns the modified copy of the enterprise portal roles to the end users to grant them the required access to the Risk Management application. Alternatively, the delivered standard role can be used directly.