Monday, February 15, 2016

Create Roles for Functional Tasks - A Shortcut

Every project requires the creation of SAP Security Roles for the various Functional Tasks that make up the ERP process. This is a laborious task and requires quite a bit of planning and coordination.

One primary task in Role Design is to list the relevant Transaction Codes for the particular Role you need to design.

What if I told you there is an easy way to build your Roles?

Let's say you need to build an Accounts Payable Role. You can use SPRO (the IMG) to help with this.

Here's how:

1. Tcode SPRO_ADMIN: Create a new IMG project

2. Click on 'Change Selection'

3. Select the relevant IMG Node. In our case, we will select Accounts Payable

4. Next, we need to Generate the new project

5. Now, we go to PFCG to add this new project to a Role.
    Create a new Role - Do not add anything in the Role Menu.
    Go to Utilities -> Customizing Auth

6. Select IMG Project and select the project that you created

7. The Role will be populated with the Tcodes and authorizations for the IMG activities under Accounts Payable.

Be clear about what you get here: the Customizing authorizations are generated from the IMG activities of the project, so the Role contains the configuration transactions and their table authorizations for Accounts Payable, not the end-user transactions for posting invoices or running payments. This shortcut therefore gives you a project-team Customizing Role; an end-user Role still has to be built from the business transactions.

Now you can analyze these Tcodes and modify/trim the Role according to your requirements.

Monday, February 8, 2016

S_TABU_LIN - Table Access at Row Level

S_TABU_DIS allows access to Tables by Authorization Group
S_TABU_NAM provisions access to particular Tables by name
But what if you want to restrict access to particular rows within a Table?

This is where Authorization Object S_TABU_LIN comes into the picture. You have probably heard about it, but implementing the Authorization check using S_TABU_LIN is a bit tricky. Two things to keep in mind: S_TABU_LIN does not replace S_TABU_DIS/S_TABU_NAM, it is checked in addition to them and only narrows the rows; and it is only evaluated by the generic table display and maintenance tools (SM30/SM31, SE16 and related), and only for Tables for which an Organizational Criterion has been activated. Application transactions that read the Table are not filtered by it.

Let's go through the process of applying a check on S_TABU_LIN on particular rows within a Table:

The Authorization Object has the fields Activity (ACTVT), Organizational Criterion (ORG_CRIT) and the Attribute fields (ORG_FIELD1 to ORG_FIELD8), so one Criterion can carry up to eight Attributes.

The first step in implementing line-oriented authorization is defining an Organizational Criterion.

As an example, we will put a restriction on Table T77DB - Shift Groups. So only Roles with access to specific Shift Groups will be able to view/change the data for those shifts.




You can define it using Tcode S_BCE_68001484 or via SPRO.

We create a new Criterion: SHIFTGROUP

Now we create the Attribute. We will call the Attribute SHIFTGROUP as well.

Next step is to link it to the Table T77DB and the Field DIENSTGR (Shift group).

Then activate the Organizational Criterion. Until it is activated, the S_TABU_LIN check is not performed at all and every user with S_TABU_DIS/S_TABU_NAM access to T77DB sees every row, so check this first when a restriction does not seem to work.

Now we go to the Role and add the values to the Object S_TABU_LIN: Activity 02 (change), Organizational Criterion SHIFTGROUP and the Attribute SHIFTGROUP with value ERP-TMC.

Now this Role will have Change access to Shifts of ERP-TMC only.
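To make the check concrete, here is a small Python model of the decision the line-oriented check makes. This is an added example, not SAP code and not part of the original post: it reproduces the Customizing above (Criterion SHIFTGROUP, Attribute SHIFTGROUP on T77DB-DIENSTGR), the Role's S_TABU_LIN values and a few constructed T77DB rows, and shows which rows each Role can see or change. The second Role, the TEXT column and the treatment of several active Criteria as "all must match" are assumptions.

```python
"""Model of SAP's line-oriented table authorization check (S_TABU_LIN).

Added example, not SAP code: it reproduces the decision logic described in
the post so the effect of each Customizing step can be tried offline.
"""
from dataclasses import dataclass

# Customizing from the post: Organizational Criterion SHIFTGROUP with one
# Attribute SHIFTGROUP bound to T77DB-DIENSTGR.
ORG_CRITERIA = {"SHIFTGROUP": {"SHIFTGROUP": ("T77DB", "DIENSTGR")}}

# Activation of the criterion for the table (separate Customizing step).
# An unactivated criterion is never checked: with an empty dict here every
# row is visible, which is the failure mode seen when the step is skipped.
ACTIVE_FOR_TABLE = {"T77DB": ["SHIFTGROUP"]}

# Constructed rows of T77DB. DIENSTGR is the real field from the post; the
# TEXT column is an assumption standing in for the description.
T77DB_ROWS = [
    {"DIENSTGR": "ERP-TMC", "TEXT": "TMC shifts"},
    {"DIENSTGR": "ERP-ABC", "TEXT": "ABC shifts"},
    {"DIENSTGR": "SRV-NIGHT", "TEXT": "Night service"},
]


@dataclass
class TabuLin:
    """One S_TABU_LIN instance in a role: ACTVT, ORG_CRIT and the
    ORG_FIELDn values, keyed here by Attribute name instead of slot number."""
    actvt: frozenset
    org_crit: str
    org_fields: dict  # attribute -> tuple of value patterns


def value_matches(pattern: str, value: str) -> bool:
    """Authorization value semantics: exact match, '*' for all, trailing '*' prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def auth_covers_row(auth: TabuLin, crit: str, table: str, row: dict, actvt: str) -> bool:
    """Does this one instance allow ACTVT on this row under this criterion?"""
    if auth.org_crit != crit or actvt not in auth.actvt:
        return False
    for attr, (attr_table, attr_field) in ORG_CRITERIA[crit].items():
        if attr_table != table:
            continue  # attribute bound to another table; irrelevant here
        patterns = auth.org_fields.get(attr, ())
        if not any(value_matches(p, row[attr_field]) for p in patterns):
            return False
    return True


def line_allowed(auths, table: str, row: dict, actvt: str, active=ACTIVE_FOR_TABLE) -> bool:
    """Line-oriented check for one row.  Assumes the S_TABU_DIS/S_TABU_NAM
    check for the table has already passed: S_TABU_LIN only narrows.
    With several active criteria this model requires all of them (assumption)."""
    crits = active.get(table, [])
    if not crits:
        return True  # nothing activated for this table: no row filtering at all
    return all(
        any(auth_covers_row(a, c, table, row, actvt) for a in auths)
        for c in crits
    )


def visible_rows(auths, table: str, rows, actvt: str = "03"):
    """Rows a generic table-display tool would show to a user holding these auths."""
    return [r for r in rows if line_allowed(auths, table, r, actvt)]


# Role from the post: change (02) on shift group ERP-TMC only; 03 added so
# the same role can also display its rows.
TMC_CHANGE_ROLE = [TabuLin(frozenset({"02", "03"}), "SHIFTGROUP", {"SHIFTGROUP": ("ERP-TMC",)})]
# A second, constructed role: display-only for every ERP-* shift group.
ERP_DISPLAY_ROLE = [TabuLin(frozenset({"03"}), "SHIFTGROUP", {"SHIFTGROUP": ("ERP-*",)})]

if __name__ == "__main__":
    for name, role in (("TMC change", TMC_CHANGE_ROLE), ("ERP display", ERP_DISPLAY_ROLE)):
        print(name, "sees:", [r["DIENSTGR"] for r in visible_rows(role, "T77DB", T77DB_ROWS)])
```

Run it and the TMC Role lists only ERP-TMC while the display Role lists both ERP-* groups but cannot change any of them. Pass an empty activation dict to line_allowed and every row comes back regardless of the Role, which is exactly what you see in the system when the activation step has been skipped.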

Thursday, February 4, 2016

Change Log for HR Organizational Structure Changes

SAP provides the option of activating Change Logs on the HR Organizational Structure. So if an error or an oversight occurs, or someone changes or deletes data, you can refer to the Change Logs and rectify the issue.

Setting up Change Logs

In SM30, maintain table T77CDOC_CUST. Using the New Entries button, enter the Plan Version, Infotype and Subtype for which you want to activate the logging.

We will enable logging for all Role assignment changes to a Position and all Person assignment changes to a Position. So the relationships (Infotype 1001 subtypes) are B007 for Role assignment and A008 for Person (holder) assignment.

Check the 'Active' check boxes and Save.

Now, let's make a change to a Position.

I changed the End date of the holder relationship (A008) to Person 20000428 to 31.12.2016. Earlier the End date was 31.12.9999, i.e. unlimited.




Checking the Change Logs

To check the Change Logs we use Report RHCDOC_DISPLAY.
Go to SE38 and execute this Report.

Enter the Plan Version and the Position number for which you need to check the logs.

The log shows that the Relationship A008 with End date 31.12.9999 was deleted and the Relationship was created again with End date 31.12.2016. So a change of the End date appears in the log as a delete followed by an insert, not as a single changed entry.



Now you can easily track all Organizational changes.
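Here is an added Python example (not the report, and not part of the original post) that shows how to read such a log programmatically: a few constructed change records in a simplified layout, one function that reconstructs events from the delete/insert pairs, and one that picks out the B007 events, since a Position gaining a Role changes what all its holders can do. The Position ID 50000123, the Role name Z_AP_CLERK, the user name and the timestamps are constructed; the record layout is simplified and is not the actual column layout of RHCDOC_DISPLAY.

```python
"""Interpreting HR Organizational Management change documents.

Added example, not the RHCDOC_DISPLAY report itself: it takes change-log
records in a simplified shape and reconstructs what happened, then pulls
out the events a security team wants to see (positions gaining roles).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRecord:
    """One logged change of an Infotype 1001 (relationship) record, simplified."""
    plvar: str       # plan version
    otype: str       # object type of the changed object, S = Position
    objid: str       # object ID
    subty: str       # relationship, e.g. A008 holder, B007 is described by (Role)
    sclas: str       # related object type: P = Person, AG = Role
    sobid: str       # related object ID
    endda: str       # end date as the report shows it, DD.MM.YYYY
    action: str      # 'D' record deleted, 'I' record inserted
    changed_by: str
    changed_at: str  # date and time, used to pair the two halves of a delimit


# Constructed sample log reproducing the post's change: the holder relation
# of a position (ID 50000123 is an assumption) to person 20000428 delimited
# from 31.12.9999 to 31.12.2016, plus a role newly linked to the same
# position (role name Z_AP_CLERK is an assumption).
SAMPLE_LOG = [
    ChangeRecord("01", "S", "50000123", "A008", "P", "20000428", "31.12.9999", "D", "HRADMIN", "2016-02-04 10:15:02"),
    ChangeRecord("01", "S", "50000123", "A008", "P", "20000428", "31.12.2016", "I", "HRADMIN", "2016-02-04 10:15:02"),
    ChangeRecord("01", "S", "50000123", "B007", "AG", "Z_AP_CLERK", "31.12.9999", "I", "HRADMIN", "2016-02-04 10:20:40"),
]


def summarize(records):
    """Turn raw D/I records into events.

    A delimit (end-date change) is logged as a delete of the old record and
    an insert of the new one, so a D and an I for the same relationship at
    the same timestamp are reported as one 'delimited' event."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.plvar, r.otype, r.objid, r.subty, r.sclas, r.sobid, r.changed_at)].append(r)
    events = []
    for key, recs in sorted(groups.items(), key=lambda kv: kv[0][-1]):
        deleted = [r for r in recs if r.action == "D"]
        inserted = [r for r in recs if r.action == "I"]
        _plvar, _otype, objid, subty, sclas, sobid, _when = key
        if deleted and inserted:
            events.append((objid, subty, sclas, sobid, "delimited", deleted[0].endda, inserted[0].endda))
        elif inserted:
            events.append((objid, subty, sclas, sobid, "created", None, inserted[0].endda))
        elif deleted:
            events.append((objid, subty, sclas, sobid, "deleted", deleted[0].endda, None))
    return events


def role_assignment_events(records):
    """Positions gaining or losing a Role via B007: these change what every
    holder of the position is authorized to do, so they deserve review."""
    return [e for e in summarize(records) if e[1] == "B007" and e[2] == "AG"]


if __name__ == "__main__":
    for event in summarize(SAMPLE_LOG):
        print(event)
```

The pairing key includes the timestamp on purpose: a delete and an insert for the same relationship at different times are two separate events (removal, later re-creation), not one delimit.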

Tuesday, February 2, 2016

Composite Profiles

312 is a somewhat famous number in SAP Security. It is the maximum number of Profiles that can be assigned to a User.

A bit of detail around this fascinating number:
The relationship between a User ID and Authorization Profiles is one to many (1:n, meaning one User can have many Profiles assigned). From a technical point of view, you would expect that behind the scenes there is a table with many records, one per Profile assigned to the User. Unfortunately there is only one record per User in Table USR04, and the Profiles are all concatenated in the PROFS field. If you divide the length of the field PROFS (3750 characters) by the length of a single Profile name (12 characters), you come up with the number 312.

It sometimes happens that a User (especially in a Development system) has so many Roles that the number of Profiles exceeds 312, and the User does not get the required Authorization because some of the Profiles do not fit into USR04.

Unfortunately, there is no system parameter you can use to avoid this limit.

But there is a workaround, although it is somewhat hacky and has disadvantages.

Enter - Composite Profiles

Just like Composite Roles, you also have Composite Profiles.
With Composite Profiles, you can combine multiple Profiles into one and assign it to the User, thereby reducing the number of entries in PROFS.

The reason why this is not used, and also the reason why you haven't heard of this before, is that SAP best practice is to use only the role concept through Transaction PFCG (Role Maintenance); direct Profile assignment is not encouraged.

Reason 2 for this being discouraged: if PFUD (Compare User Assignments) is run with the 'Cleanups' option selected, the direct Profile assignments will be removed.

But let me take you through the process of creating a Composite Profile so that you can use it if ever needed.
  • Execute Transaction SU02, enter your Profile name, and press Enter

  • Select 'Create' from the Menu

  • Select 'Composite Profile'

  • Enter the list of existing Profiles that you want to add and Save.
         You can find the Profiles for a particular Role in table AGR_PROF





There you go. Your Composite Profile is now ready and you can assign it to the User. But don't forget the reasons listed above.
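An added Python model of the mechanism described above, not SAP code and not part of the original post: it packs Profile names into a field of the PROFS length, reads them back the way the authorization buffer would, and resolves Composite Profiles into the single Profiles that carry the authorizations, so you can see the eight Profiles that silently vanish at 320 direct assignments and why four Composite Profiles bring them back. The field lengths are the standard ones (12 characters per Profile name, 3750 for PROFS); the Profile names, the grouping into four Composite Profiles of 80 and the handling of nested Composite Profiles are assumptions.

```python
"""Why 312: the USR04-PROFS field and what Composite Profiles do about it.

Added example, not SAP code.  It models the single fixed-width field that
holds a user's profile list and the resolution of composite profiles into
the single profiles that actually carry authorizations.
"""
PROFILE_LEN = 12                         # length of a profile name (as in AGR_PROF-PROFILE)
PROFS_LEN = 3750                         # length of USR04-PROFS
MAX_PROFILES = PROFS_LEN // PROFILE_LEN  # 312 whole names fit; the last 6 characters are unused


def pack_profs(profiles):
    """Build the PROFS value: names concatenated at 12 characters each.
    Everything past the 312th name is cut off, silently."""
    buf = "".join(p.ljust(PROFILE_LEN) for p in profiles)
    return buf[:MAX_PROFILES * PROFILE_LEN].ljust(PROFS_LEN)


def unpack_profs(profs):
    """Read the profile list back, one 12-character slot at a time."""
    names = [profs[i * PROFILE_LEN:(i + 1) * PROFILE_LEN].rstrip() for i in range(MAX_PROFILES)]
    return [n for n in names if n]


def resolve(assigned, composites):
    """Expand composite profiles to the single profiles they contain.
    `composites` maps composite name -> member list (what SU02 stores);
    nesting is allowed and cycles are ignored (assumption for this model)."""
    out, seen = [], set()

    def walk(name):
        if name in seen:
            return
        seen.add(name)
        for member in composites.get(name, ()):
            walk(member)
        if name not in composites:
            out.append(name)

    for p in assigned:
        walk(p)
    return out


def dropped_profiles(profiles):
    """Single profiles a user should have but that no longer fit in USR04."""
    kept = set(unpack_profs(pack_profs(profiles)))
    return [p for p in profiles if p not in kept]


# Constructed: 320 generated profiles, as a developer with far too many roles might have.
GENERATED = [f"T-AP{n:06d}" for n in range(1, 321)]

# Constructed: the same 320 profiles grouped into four composite profiles of 80 each.
COMPOSITES = {f"Z_COMP_{i}": GENERATED[i * 80:(i + 1) * 80] for i in range(4)}


def direct_assignment_effective():
    """What the user really gets when all 320 profiles are assigned directly."""
    return resolve(unpack_profs(pack_profs(GENERATED)), {})


def composite_assignment_effective():
    """What the user gets when only the four composite profiles are assigned."""
    return resolve(unpack_profs(pack_profs(list(COMPOSITES))), COMPOSITES)


if __name__ == "__main__":
    print("limit:", MAX_PROFILES)
    print("direct assignment: dropped", len(dropped_profiles(GENERATED)), "profiles")
    print("composite assignment: effective", len(composite_assignment_effective()), "profiles")
```

The same resolution step is what makes the PFUD caveat above bite: the Composite Profile is one entry in PROFS, and if that entry is cleaned up, all 80 single Profiles behind it disappear at once.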

On a different note - Did you know Mars is called the Red Planet because during the Cold War it sided with the Communists...... No that's not true. I was just pulling your leg. Keep scrolling.