topic Re: Authorization based on profile parameters in Application Development and Automation Discussions

Authorization based on profile parameters

Former Member — Wed, 12 Aug 2015 02:35:40 GMT

Dear colleagues,

I have had this challenge for a couple of years already and I am assuming that other mid-size implementations have this as well.

Problem description:

Based on the functional area and entity defined in a given role, it is always possible to assign a number of users in SAP. However, in mid-size organization, maintenance of several roles with identical transaction assignments is a significant challenge. I initially thought that it might be possible to assign the restrictions based on profile parameters. However, this doesn't seem to be effective.

As an example, if I have 5 regional controllers (all having same t-codes), I would have preferred to create one role Z_RG_FI_CONTROLLER and assign the users to the role above. While creating/updating the user account(s), I would have assigned the BUKRS to the relevant users (0011, 0012, 0013, etc). Please note that I am not interested in creating Z_0011_FI_CONTROLLER, Z_0012_FI_CONTROLLER, Z_0013_FI_CONTROLLER etc.

I tried searching for notes but it seems we don't have any solutions in the space. Would anyone know of options to solve the challenge above?

Thanks and best regards,

Kaushik

Re: Authorization based on profile parameters

radhakrishnan_r — Wed, 12 Aug 2015 03:19:32 GMT

Kaushik Das,

Your requirement is there are 5 locations with different company code values all of those users have same tcode access except organizational values if i understood correct.

This requirement can be done using master role and derived role concept.

Create a master role with all tcodes(since its same for all users) Z_RG_FI_CONTROLLER except organizational values
Create a derived role/child role Z_FI_CONTROLLER_LOC1, Z_FI_CONTROLLER_LOC2,etc and add Z_FI_CONTROLLER in Derive role from option so it will derive all the menu and authorization structure from master role you only need to maintain org values in child roles
by this way you can maintain all tcodes in single place and which will be automatically pulled down to all child roles except org values
Check online document for derived role concept which will give you more details

Regards,

Re: Authorization based on profile parameters

Former Member — Wed, 12 Aug 2015 05:36:21 GMT

Hello Radhakrishnan,

Thanks for your advise. I see some issues here - while I have the t-codes copied over into the derived roles, I need to recreate the profiles all over again. I see this as bit of help but this doesn't solve the entire issue.

With best regards,

Kaushik

Re: Authorization based on profile parameters

Bernhard_SAP — Wed, 12 Aug 2015 06:49:42 GMT

No, you don't need to . You only need to maintain the org.level field for BUKRS once for every role. Maintain the other authorizations only once in the inheriting role. That is, how it works. Its described at help:sap.com..... Please check.

your approach with parameters doe snot owrk in standard. Maybe there exist some applicaitons, which verify the parameters. But its a security issue, as many users are allowed to change their own parameters and might get therefore wider access by assignming mor parametr values...

b.rgds, Bernhard

Re: Authorization based on profile parameters

radhakrishnan_r — Wed, 12 Aug 2015 08:36:18 GMT

Kaushik,

You need to maintain org values alone in derived role and yes you need to create authorization and profile but you no need to enter any other values in derived role where you can centrally maintain the menu structure which can be pushed to all child roles.

But there is no other ways to do it.

Regards,

Re: Authorization based on profile parameters

Former Member — Wed, 12 Aug 2015 09:12:56 GMT

Thanks Bernhard, I get your point. I was hoping for a smaller set of roles since it looks quite unusual for a 150 (active) user organization to have 130 roles. Yes it is risk to expose parameters since users are generally given certain powers to adjust parameters for pre-filling entries and layouts