SAP Business Planning and Consolidation is part of SAP Net Weaver and has a different authorization concept from SAP R/3 or ECC. It has both frontend and backend views and uses User Teams, Task Profiles & Data Access Profiles instead of User Groups,Transactions & Roles.
When every kind of User Administration is done in the front end BPC (User Addition, Task Profile & Data Access Profile creation), we cannot create a new user to the BPC frontend system, but add a user who is present in the ECC backend system. That means, the user should be created first in the backend and then only he/she be available to add in the frontend system.
Also, for the user to access BPC frontend from Web Login, two mandatory roles should be assigned to the user’s account in the backend! (Given in below table).
In the above two contexts, when a user account should be created and assigned with two mandatory roles, we can avoid the use of frontend system for giving access to a user (at least for the first time, as we already need to edit the user from SU01), by adding all thenecessary roles in one go! How it is done?
Usually, when we create an Environment, User Team, Data Access Profile and Task Profile from BPC frontend,a role is created in the backend system automatically. For administrating user from the backend, what we have to do is identify these automatically created roles. For this, we have some tables which maintain these data.
From SE16, access the following tables to get the data:
Now, let us look into the role naming convention here:
ZBPC_ : Common for all roles.
## : It is the APPSET (Environment) Prefix, which is specific to each environment. This can be found out from the table UJA_APPSET_INFO.
U/T/L/M/P : Denotes Environment, Team, Team Leader, Data Access Profile and Task Profile respectively.
XXXXXX : This is the number. (This number will be in sequence for Environment, Team, etc.)
These roles can be found out from the above tables and added to the users so that the frontend administration can be avoided. So in the end a user who wants to login through web, who is assigned with a Data Access Profile and Task Profile and a User Team in an environment will (should) have the following roles assigned to his profile.
/POA/BUI_FLEX_CLIENT | Role for Web login |
/POA/BUI_UM_USER | Role for Web login |
ZBPC_CMU000002 | Environment Role |
ZBPC_CMT000027 | User Team Role |
ZBPC_CMP000009 | Task Profile Role |
ZBPC_CMM000014 | Data Access Profile Role |
Note: If we have added a Task Profile & a Data Access Profile o a User Team from frontend, and added only the User Team role in the backend for a user, the user will not have access to the Task Profile and Data Access Profile. These two roles should be added explicitly!
Hope it helps!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.