cancel
Showing results for 
Search instead for 
Did you mean: 

SAP PPM Authorization Control Requirements

former_member225123
Participant
0 Kudos
1,616

Hello Experts,

I have basic query, I am aware that this question have been raised multiple times, but still I am confused. Please assist.

My requirement is basic and clear.
We have 2 portfolio's and one central IT team to provide access to user's

Portfolio A
Portfolio B

Central IT Team should have Admin Role and Authorization to provide Access to user's respective to their Portfolio
Portfolio A user's should not be able to access/open Portfolio B Item details.

Which Authorization model should be used here, As I understand Admin can maintain user's in miscellaneous tab in Portfolio which can be copied to Bucket and then to Item level.

I want bit more understanding and Roles details.

Central IT Team
Which roles should be assigned to them so that they can assign User's and authorizations
(e.g. SAP_XRPM_ADMINISTRATOR ???) I am not sure.. pls advise

User's
Which roles should be assigned to them (& which role should not) so that they can only access Items of the portfolio they are working.
( e.g SAP_BPR_PPM & SAP_XRPM_USER ???) I am not sure.. pls advise

Prerequisites
Any configuration to be done in PPM SPRO / Global settings / Switches / Item type/Portfolio to enable ACL authorization functionality??

If any other way to control this requirement, please advise, it would be really appreciable.

I believe their is no way to control authorization in PPM based on Portfolio Type, Item Type particularly like in SAP PS, we have objects to control through Project Profile. Please assist in this regard.

Regards

Gaurav

Accepted Solutions (1)

Accepted Solutions (1)

mconvertino
Explorer
0 Kudos

Hi Gaurav,

If you use SAP Project and Portfolio Management without the Fiori user interface, authorizations are controlled in the following ways:

ABAP authorization objects and roles: This is the standard method for controlling access to transactions and programs in an SAP ABAP system. Authorizations are combined in an authorization profile that is associated with a role. User administrators can then assign the corresponding roles via the user master record, so that the user can access the appropriate transactions for his or her tasks. An example:

  • The role SAP_BPR_PPM provides the navigation menu definition
  • The role SAP_XRPM_USER should be assigned to all users.
  • The role SAP_XRPM_ADMINISTRATOR should be assigned to portfolio administrators who should have for example the authority to create portfolios and to maintain all portfolio objects.

Access control lists (ACL). These allow you to add another level of security by controlling authorization at object level. For example, you can control who has authorization to view a particular Portfolio or to create Item within a particular Bucket. You can do so from the Portfolio Management UI on the object’s miscellaneous à Authorizations tab page, there you can set Admin, Write, Read or Create authorization to users or to Z* Role to be assigned to particular users.

An example of implementation could be:

Central IT Team
If they IT team as SAP_ALL authorization they do not need addition authorization, otherwise you can give them SAP_XRPM_ADMINISTRATOR, SAP_BPR_PPM and you can set them Admin in both Portfolios

User's
Give them ZSAP_BPR_PPM (adapt the standard with the requirement) & SAP_XRPM_USER, then create at least two Z* role to control the authorizations based on portfolio. Assign the “ZPORTFOLIOVIEWX” to the users in the backend and to the portfolio from the user interface.

You can adapt this draft to your requirements.

Kind regards,

Matteo

Answers (1)

Answers (1)

former_member225123
Participant
0 Kudos

acl.png

Hi matteo,

Apologies for my late response!

I have few queries over here.

Query 1

There are 2 responsibility's.

1. User A - Should be able to create Item, Trigger project from PPM to PS by selecting Template.

2. User B - Should be able to View, change item created by User A but should not be able to trigger project in PS by selecting template (Create Project on Saving Checkbox). How this can be done ??

Query 2

Adding an additional field at item level, what is recommendable -

Custom Component tab (Key data - refer attached image) or adding an additional field in standard tabs like

(Basic Information, Additional Information, Financial Information)

please advise reason and benefits also?

Also advise if I add field in table (/rpm/item_d) and assign to additional information group through customization -

1. How this fields be visible in one item type and not for other item type's?

2. How F4 values in field can be added?

Regards

Gaurav Ahuja