Expand +



From Portal Roles to SAP Authorization Roles — Role Distribution with mySAP Enterprise Portals

by Dr. Jürgen Schneider | SAPinsider

July 1, 2002

by Dr. Jürgen Schneider, SAP AG SAPinsider - 2002 (Volume 3), July (Issue 3)

In SAP systems, roles provide a convenient way to structure a user’s daily tasks into groups of services and transactions, making them accessible from a personalized menu. Of course, it’s critical that the right user is accessing the right information — both for the user and as a matter of SAP system security. For that reason, users need to have the required role authorizations before they can access Financials, HR, SCM, and other information and functions from SAP systems.

Since portals are built around the notion of user-centric integration, it’s not surprising that roles are a central part of the new mySAP Enterprise Portal. The Enterprise Portal features its own role definition tool, in order to create portal roles that enable users to access services from a personalized portal interface. From this single point of entry, users can access services from any number of SAP and non-SAP systems. However, just as with SAP roles, if a portal role invokes services from SAP components, the right authorizations and user assignments need to be in place.

Both the mySAP Enterprise Portal and SAP systems provide powerful tools to help you set up and maintain roles and authorizations, ensuring that users experience seamless access to the information they need — and that your SAP business data remains secure.

An Introduction to Roles in the Enterprise Portal

From the mySAP Enterprise Portal, users can access services from several component systems, along with personalized content and user menus (see Figure 1). Portal roles define the services contained in the role, as well as the navigational structure and graphic information that make up the role content.

Figure 1 An Example of the Manager Role in mySAP Enterprise Portals

To compose a new role, the portal role administrator selects the Create -->Role function from the tool for central role management, PCDEditor. An example is given in Figure 2. To create a new role, like Warehouse Clerk, the role administrator chooses from the list of available services (Goods Receipt or Movement List in the example) and groups these services into different folders (Goods Movements or Reporting), which can be structured hierarchically.

Figure 2 Role Definition with mySAP Enterprise Portals

The services contained in a portal role can be external services, which can refer, for example, to transactions in SAP systems, Internet Application Components (IACs), or MiniApps. Each external service is bound to a single component system (although each portal role can include many services, even if they’re based in different systems).

Once a portal role is assigned to a user, all folders, along with the services contained in these folders, are displayed in the user’s portal menu. The user navigates through the menu and invokes a service, and the portal mediates the service request to the corresponding component system.

This article will focus on portal roles that access services from SAP systems. When the requested service is in an SAP system, a corresponding user account has to exist in the SAP system and necessary authorizations, in the form of authorization roles, have to be assigned to this user account. (See the sidebar “Creating Authorization Roles in the SAP System.”)

Creating Authorization Roles in the SAP System

Within SAP systems, when users execute transactions, reports, function modules, Business Server Pages (BSPs), and the like, they require the necessary authorizations. Authorizations are assigned to users via SAP authorization roles. The tool used to create SAP authorization roles, the SAP Profile Generator (transaction PFCG), is well known to SAP user and authorization administrators.

The Profile Generator can be used to copy and modify authorization roles included in SAP’s standard delivery as templates for different application areas, or to create customized roles from scratch. This is done by selecting the transactions that should be contained in a single role from the standard help values or from the SAP standard menu.

When a role is activated, the Profile Generator creates the SAP authorizations required for the selected transactions, resulting in authorization profiles that correspond to the role. The authorization field values for the generated authorizations can then be refined manually, if required, by the role administrator.

If only organizational field values have to be refined, but the role content with respect to the transactions and authorization objects contained in the role does not change, derived roles can be created from single roles. Several single roles can optionally be grouped together in composite roles.

Ensuring Role Consistency: Distribution of Roles and User Assignments

Obviously, the roles in portals1 and SAP authorization roles — those roles that contain the necessary authorizations for services in the component SAP systems — are strongly related to each other.

With mySAP Enterprise Portals and the role management tools for the portal and SAP systems, it is now possible to:

  • Distribute the relevant parts of portal role definitions from the portal to component SAP systems

  • Create corresponding authorization roles

  • Update or change user assignments or role definitions

New roles or any assignments of roles to users in the portal can be propagated to the relevant SAP systems and trigger corresponding changes there. Subsequent changes to portal roles are easily managed, since the relationships between portal roles and the resulting authorization roles are preserved within the component SAP systems.

Two main components are involved in the distribution process:

  • SAPAuthAdmin, the role distribution component in the Enterprise Portal

  • Transaction WP3R in the SAP system, available with the new Enterprise Portal Plug-In for SAP systems

From the Portal, Distribute Roles and User Assignments (SAPAuthAdmin)

The distribution process is similar whether you’re distributing role definitions or user assignments:

  1. In the portal, go to SAPAuthAdmin.default.

  2. For distributing role definitions, call Master iView SAPAuthAdmin.roleauthorizations in the portal. For distributing user assignments, use portal Master iView SAPAuthAdmin.roleuserassignment.2

  3. Choose the correct SAP Java Connector (JCo) destination for the component SAP system (more on this to follow).

  4. Select the desired roles or user assignments for distribution.

Note that the system you select in Step 3 is usually different for role definitions and user assignments (see Figure 3 for an example).

Figure 3 Typical System Distribution of Role Definitions and User Assignments

Role definitions are usually sent to the appropriate development systems (as in [1] in Figure 3), where corresponding authorization roles are created by your SAP role administrator [2a]. Then, the authorization roles are transported to the quality assurance system [2b] using the SAP Transport System and are tested there [2c]. Only after testing is completed, the authorization roles are transported to the production system [2d].

On the other hand, user assignments need to be sent to the SAP systems running SAP Central User Management (CUA) or to individual development or productive SAP systems [3] where the user assignment should be made [4].

The control information for these distribution processes — that is, which SAP systems are responsible for role maintenance and which are responsible for user assignments — needs to be customized in the component systems. (Responsibilities for user assignments are determined from CUA customizing; for role maintenance, use transaction SE16 to maintain customizing entries in table WP3ROLESYS.)

Then Follow Up in Your SAP System (WP3R)

Once roles and user assignments are distributed, you’ll follow up in the component SAP systems to assign authorization roles and perform role maintenance using transaction WP3R. To work on authorization roles, activate the option “Maintain authorization roles”; to assign authorization roles to users use option “Assign Authorization Roles To Users.”

When you activate “Maintain Authorization Roles,” for instance, you’ll see a list of portal roles received so far by the component SAP system. When selecting a portal role from the list, the following functions are available:

  • Create or Delete Authorization Roles

  • Show or Compare Services

  • Merge/Maintain Authorizations

An example of the screen used for maintaining authorization roles is shown in Figure 4. It displays a hierarchical list of the portal roles received in the SAP system (Purchasing, Warehouse Clerk), the logical systems for which there are services in the role (QW8CLT100), and the existing authorization roles (WAREHOUSE_CLERK_0001, PURCHASER_1000) with their inheritance relationships and status indicators (green circle, yellow triangle).

Figure 4 Follow-Up Processes for Roles and User Assignments in Component SAP Systems

In a component SAP system, an authorization role is a single role that corresponds to exactly one portal role. An authorization role administrator has to create the authorization role for a portal role. The content of the authorization role is then automatically generated from the list of services contained in the portal role definition (the pop-up screen in Figure 4).

When modified portal roles are received by a component SAP system, the content of the corresponding authorization roles can be automatically updated. Derived roles can be created from authorization roles by refining organizational values or by adjusting the set of authorizations contained in the authorization role. The administrator can do this directly from transaction WP3R, using the corresponding functions and subscreens of the SAP Profile Generator (transaction PFCG).

For user assignments, the follow-up processes are similar, and can also be left to the user administrator or can be automated with a corresponding background task.


The functionality provided for the central definition of roles and user assignments with the new mySAP Enterprise Portal, combined with the support for follow-up processes in component SAP systems, represents a powerful toolset for role management. Together, these components assist you in the setup and maintenance of a strong and consistent authorization concept for your whole SAP system landscape, which is clearly beneficial for the security of your business data and informational assets.

For more information on restrictions for earlier releases (R/3 4.0 and 4.5)3 and detailed instructions, see the mySAP Enterprise Portal online documentation at (Help for the Portal Administrator --> Administration Guide-->Roles -->Copy Roles and Users to SAP Systems).

1From this point on, portal roles will refer specifically to roles that access SAP systems.

2iViews (Integrated Views) are small applications that provide access to all kinds of information and tasks from the user’s portal menu. They are made accessible to users via portal roles, which also define the graphical appearance and placement of the information in the user’s portal menu.

3These known restrictions apply: automatic generation of authorization role content is only supported for SAP transactions (not for other types of programs, such as reports or function modules); automatic user assignment is not supported in SAP R/3 4.5 if global role assignment is activated; and in SAP R/3 4.0, only display functionality is provided.

Dr. Jürgen Schneider has been involved in the design and implementation of SAP security functions since 1996. Since 1998, he has been the Development Manager for Security in SAP’s Technology Development. He can be reached at

An email has been sent to:

More from SAPinsider


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!