In SAP systems, roles provide a convenient way to structure a user’s
daily tasks into groups of services and transactions, making them accessible
from a personalized menu. Of course, it’s critical that the right
user is accessing the right information — both for the user and as
a matter of SAP system security. For that reason, users need to have the
required role authorizations before they can access Financials, HR, SCM,
and other information and functions from SAP systems.
Since portals are built around the notion
of user-centric integration, it’s not surprising that roles are a
central part of the new mySAP Enterprise Portal. The Enterprise Portal
features its own role definition tool, in order to create portal roles
that enable users to access services from a personalized portal interface.
From this single point of entry, users can access services from any number
of SAP and non-SAP systems. However, just as with SAP roles, if a portal
role invokes services from SAP components, the right authorizations and
user assignments need to be in place.
Both the mySAP Enterprise Portal and SAP
systems provide powerful tools to help you set up and maintain roles and
authorizations, ensuring that users experience seamless access to the
information they need — and that your SAP business data remains secure.
An Introduction to Roles in the Enterprise Portal
From the mySAP Enterprise Portal, users can access services from several
component systems, along with personalized content and user menus (see
Figure 1). Portal roles define the services contained in
the role, as well as the navigational structure and graphic information
that make up the role content.
||An Example of the Manager Role in mySAP Enterprise
To compose a new role, the portal role
administrator selects the Create -->Role function
from the tool for central role management, PCDEditor.
An example is given in Figure 2. To
create a new role, like Warehouse Clerk,
the role administrator chooses from the list
of available services (Goods
Receipt or Movement List in the
example) and groups these services into different
folders (Goods Movements or Reporting),
which can be structured hierarchically.
||Role Definition with mySAP Enterprise Portals
The services contained in a portal role
can be external services, which can refer, for example, to transactions
in SAP systems, Internet Application Components (IACs), or MiniApps. Each
external service is bound to a single component system (although each
portal role can include many services, even if they’re based in different
Once a portal role is assigned to a user,
all folders, along with the services contained in these folders, are displayed
in the user’s portal menu. The user navigates through the menu and
invokes a service, and the portal mediates the service request to the
corresponding component system.
This article will focus on portal roles
that access services from SAP systems. When the requested service is in
an SAP system, a corresponding user account has to exist in the SAP system
and necessary authorizations, in the form of authorization roles,
have to be assigned to this user account. (See the sidebar “Creating
Authorization Roles in the SAP System.”)
Creating Authorization Roles in the SAP System
Within SAP systems, when users execute transactions, reports, function
modules, Business Server Pages (BSPs), and the like, they require
the necessary authorizations. Authorizations are assigned to users
via SAP authorization roles. The tool used to create SAP
authorization roles, the SAP Profile Generator (transaction PFCG),
is well known to SAP user and authorization administrators.
The Profile Generator can be used
to copy and modify authorization roles included in SAP’s standard
delivery as templates for different application areas, or to create
customized roles from scratch. This is done by selecting the transactions
that should be contained in a single role from the standard
help values or from the SAP standard menu.
When a role is activated, the Profile
Generator creates the SAP authorizations required for the selected
transactions, resulting in authorization profiles that correspond
to the role. The authorization field values for the generated authorizations
can then be refined manually, if required, by the role administrator.
If only organizational field values
have to be refined, but the role content with respect to the transactions
and authorization objects contained in the role does not change,
derived roles can be created from single roles. Several single
roles can optionally be grouped together in composite roles.
Ensuring Role Consistency: Distribution of Roles and
Obviously, the roles in portals1 and SAP authorization roles — those
roles that contain the necessary authorizations for services in the component
SAP systems — are strongly related to each other.
With mySAP Enterprise Portals and the role
management tools for the portal and SAP systems, it is now possible to:
- Distribute the relevant parts of portal role definitions from the
portal to component SAP systems
- Create corresponding authorization roles
- Update or change user assignments or role definitions
New roles or any assignments of roles to
users in the portal can be propagated to the relevant SAP systems and
trigger corresponding changes there. Subsequent changes to portal roles
are easily managed, since the relationships between portal roles and the
resulting authorization roles are preserved within the component SAP systems.
Two main components are involved in the distribution process:
- SAPAuthAdmin, the role distribution component in the Enterprise
- Transaction WP3R in the SAP system, available with the new
Enterprise Portal Plug-In for SAP systems
From the Portal, Distribute Roles and User Assignments
The distribution process is similar whether you’re distributing
role definitions or user assignments:
- In the portal, go to SAPAuthAdmin.default.
- For distributing role definitions, call Master iView SAPAuthAdmin.roleauthorizations
in the portal. For distributing user assignments, use portal Master
- Choose the correct SAP Java Connector (JCo) destination for the component
SAP system (more on this to follow).
- Select the desired roles or user assignments for distribution.
Note that the system you select in Step
3 is usually different for role definitions and user assignments (see
Figure 3 for an example).
||Typical System Distribution of Role Definitions and
Role definitions are usually sent
to the appropriate development systems (as
in  in Figure
3), where corresponding authorization roles
are created by your SAP role administrator
[2a]. Then, the authorization
roles are transported to the quality assurance
system [2b] using
the SAP Transport System and are tested there [2c].
Only after testing is completed, the authorization
roles are transported to the production system
On the other hand, user assignments
need to be sent to the SAP systems running
SAP Central User Management (CUA) or to individual
development or productive SAP systems  where
the user assignment should be made .
The control information for these distribution
processes — that is, which SAP systems are responsible for role maintenance
and which are responsible for user assignments — needs to be customized
in the component systems. (Responsibilities for user assignments are determined
from CUA customizing; for role maintenance, use transaction SE16
to maintain customizing entries in table WP3ROLESYS.)
Then Follow Up in Your SAP System (WP3R)
Once roles and user assignments are distributed, you’ll follow up
in the component SAP systems to assign authorization roles and perform
role maintenance using transaction WP3R. To work on authorization
roles, activate the option “Maintain authorization roles”; to
assign authorization roles to users use option “Assign Authorization
Roles To Users.”
When you activate “Maintain Authorization
Roles,” for instance, you’ll see a list of portal roles received
so far by the component SAP system. When selecting a portal role from
the list, the following functions are available:
- Create or Delete Authorization Roles
- Show or Compare Services
- Merge/Maintain Authorizations
An example of the screen used for maintaining
authorization roles is shown in Figure 4. It displays a hierarchical
list of the portal roles received in the SAP system (Purchasing,
Warehouse Clerk), the logical systems for which there are services
in the role (QW8CLT100), and the existing authorization roles (WAREHOUSE_CLERK_0001,
PURCHASER_1000) with their inheritance relationships and status indicators
(green circle, yellow triangle).
||Follow-Up Processes for Roles and User Assignments in
Component SAP Systems
In a component SAP system, an authorization
role is a single role that corresponds to exactly one portal role. An
authorization role administrator has to create the authorization role
for a portal role. The content of the authorization role is then automatically
generated from the list of services contained in the portal role definition
(the pop-up screen in Figure 4).
When modified portal roles are received
by a component SAP system, the content of the corresponding authorization
roles can be automatically updated. Derived roles can be created from
authorization roles by refining organizational values or by adjusting
the set of authorizations contained in the authorization role. The administrator
can do this directly from transaction WP3R, using the corresponding
functions and subscreens of the SAP Profile Generator (transaction PFCG).
For user assignments, the follow-up processes
are similar, and can also be left to the user administrator or can be
automated with a corresponding background task.
The functionality provided for the central definition of roles and user
assignments with the new mySAP Enterprise Portal, combined with the support
for follow-up processes in component SAP systems, represents a powerful
toolset for role management. Together, these components assist you in
the setup and maintenance of a strong and consistent authorization concept
for your whole SAP system landscape, which is clearly beneficial for the
security of your business data and informational assets.
For more information on restrictions for
earlier releases (R/3 4.0 and 4.5)3 and
detailed instructions, see the mySAP Enterprise
Portal online documentation at
(Help for the Portal Administrator --> Administration
Roles and Users to SAP Systems).
this point on, portal roles will refer specifically to roles that access
(Integrated Views) are small applications
that provide access to all kinds of information
and tasks from the user’s portal menu. They are made
accessible to users via portal roles, which also define the graphical
appearance and placement of the information in the user’s
known restrictions apply: automatic generation of authorization role content
is only supported for SAP transactions (not for other types of programs,
such as reports or function modules); automatic user assignment is not
supported in SAP R/3 4.5 if global role assignment is activated; and in
SAP R/3 4.0, only display functionality is provided.
Dr. Jürgen Schneider has
been involved in the design and implementation
of SAP security functions since 1996. Since
1998, he has been the Development Manager
for Security in SAP’s Technology Development.
He can be reached at firstname.lastname@example.org.