SAP ABAP IMG Activity WCF_PFCG_COPY (Define Authorization Role)
Hierarchy
WEBCUIF (Software Component) SAP Web UI Framework
   CA-WUI (Application Component) WebClient UI
     WCF_IMG_STRUCTURE (Package) Structure and Activities for WEBCUIF IMG
IMG Activity
ID WCF_PFCG_COPY Define Authorization Role  
Transaction Code S_A0F_96000078   (empty) 
Created on 20090424    
Customizing Attributes WCF_PFCG_COPY   Define Authorization Role 
Customizing Activity WCF_PFCG_COPY   Define Authorization Role 
Document
Document Class SIMG   Hypertext: Object Class - Class to which a document belongs.
Document Name WCF_PFCG_COPY    

Use

In this IMG activity, you can define authorization roles for business roles. Every authorization role contains a certain authorization profile (PFCG profile). To obtain the necessary authorizations for your business role, you need to perform the steps described below.

After the authorization profiles are generated, the corresponding business role has the required authorizations.

Requirements

Before you can start working with your business role, the following prerequisites must be fulfilled:

  • You have created the necessary navigation bar profiles in the IMG activity Define Navigation Bar Profile. If you use or copy an existing business role, you can use the existing profiles.
  • You have created the positions and assigned the business role to these positions in the IMG activity Define Organizational Assignment. You have also assigned the users to the right positions in this IMG activity.
  • You have activated the trace function to determine all authorization objects. If you use or copy an existing business role, you do not need to run the trace.
    Note
    For more information about the initial setup of authorizations, see SAP Library under help.sap.com -> SAP R/3 and R/3 Enterprise -> SAP R/3 and R/3 Enterprise 4.70 -> SAP NetWeaver Components -> SAP Web Application Server -> Security -> Users and Roles -> First Installation Procedure and Upgrade Procedure.
  • You have checked if the authorization role has been assigned to the corresponding business role in the IMG activity Define Business Role .
    In this IMG activity, you can find out which authorization role is assigned to each business role.

Standard settings

In the standard system, the following authorization roles are delivered:

  • Authorization roles assigned to business roles (see Define Business Role )
  • SAP_CRM_UIU_FRAMEWORK (Framework Role)

Activities

The following two approaches to working with business roles are described below:

  • Use existing business roles
  • Copy existing business roles

Use Existing Business Roles

  1. If you want to use an existing business role, proceed as follows to select the appropriate authorization role:
  2. Start transaction Upgrade Tool for Profile Generator (SU25).
    1. Choose Installing the Profile Generator -> Initially fill the customer tables.
      All proposals for traces in the transaction Auth. Object Usage in Transactions (SU22) are copied to the customer namespace.
    2. In transaction Auth. Object Check Under Transactions (SU24), verify the traces.

  • Select Type of Application: External Service.
  • Select Type of External Service: UIU_COMP.
  • In the External Service field, enter: ' * '.
  • In the Selection Result list, select any service at random by double-clicking it.
  1. You can also maintain and change the standard values for specific traces in transaction Auth. Object Check Under Transactions (SU24).

  1. Create the authorizations in the IMG activity Define Authorization Role .
    1. Select the authorization role SAP_CRM_UIU_*.
    2. Choose Change role.
    3. Choose tab page Authorizations.
    4. Choose Change Authorization Data.
      Caution
      Make sure that the authorization object S_SERVICE is set to inactive. An active authorization object S_SERVICE could interrupt the profile generation.
    5. Choose Generate and save your role.
  2. Start report CRMD_UI_ROLE_ASSIGN with transaction ABAP Editor (SE38).
  3. You use this report to assign authorization roles, based on the organizational assignments, to users.
    1. Select a user or a user group.
    2. Select the Framework Authorization Role.
      Do not change the technical name (SAP_CRM_UIU_FRAMEWORK) of this role. You only need to change the technical name if you have changed the name of the Framework Authorization Role. This role is a special role that is assigned to every user. It contains the authorizations that are necessary to use the UI Framework.
    3. Select one of the following options:

  • To start the update of the assignments, choose Update Role Assignments.
  • To start the report in simulation mode, choose Only Simulation.
  • To check the current assignments, choose Check Current Role Assignments.
  1. Select the log level. The higher the log level, the more information is logged.

Copy Existing Business Roles

If you have copied an existing business role, proceed as follows to select the appropriate authorization role:

  1. Start transaction Upgrade Tool for Profile Generator (SU25) and proceed as described in step 1 under "Use Existing Business Roles."
  2. You need a separate authorization role for the business role that you have copied. You copy the delivered authorization role that corresponds to the business role, or you create a new authorization role in this IMG activity.
  3. Copy the business role in the IMG activity Define Business Role and use the authorization role created in step 2.
  4. After you have completed the definition of your business role, for example, added or deleted links or work centers, start report CRMD_UI_ROLE_PREPARE with transaction ABAP EDITOR (SE38).
    1. Select the business role that you created in step 3.
    2. Alternatively, you can directly select authorization roles that you created in step 2.
    3. Select the language that is used for the authorization menu entries.
    4. Select the log level. The higher the log level, the more information is logged.

      A file is created and saved on your computer in the SAP working directory. If you are working with Microsoft Windows XP, this file is saved in C:\Documents and Settings\<User ID>\SapWorkDir\.
      Notes
      This report cannot be run in batch mode, nor used for multiple business roles or authorization roles.

  5. To import the locally saved file to your authorization role, use IMG activity Define Authorization Role.
    1. Select the authorization role created in step 2.
    2. Choose Edit mode.
    3. Choose tab page Menu.
    4. Delete the existing role menu.
    5. Choose Import from file under Copy menus.
    6. Select the file that has the same name as the authorization role and the extension .txt from the SAP working directory that you created in the previous step.

      The file is imported to your authorization role. To check if the file was correctly imported, verify the entries in the Role menu. For more information, see the documentation under Information in this IMG activity.

  6. Create the authorizations with the IMG activity Define Authorization Role .
    1. Select the newly created authorization role.
    2. Choose Change role.
    3. Choose tab page Authorizations.
    4. Choose Change Authorization Data.
      Caution
      Make sure that the authorization object S_SERVICE is set to inactive. An active authorization object S_SERVICE could interrupt the profile generation.
    5. Choose Generate and save your role.
  7. To start report CRMD_UI_ROLE_ASSIGN, use transaction ABAP Editor (SE38).
    You use this report to assign authorization roles, based on the organizational assignments, to users.
    1. Select a user or a user group.
    2. Select the Framework Authorization Role.
      Do not change the technical name (SAP_CRM_UIU_FRAMEWORK) of this role. You only need to change the technical name if you have changed the name of the Framework Authorization Role. This role is a special role that is assigned to every user. It contains the authorizations that are necessary to use the UI Framework.
    3. Select one of the following options:

  • To start the update of the assignments, choose Update Role Assignments.
  • To start the report in simulation mode, choose Only Simulation.
  • To check the current assignments, choose Check Current Role Assignments.
  1. Select the log level. The higher the log level, the more information is logged.

  1. Assign the new business role to an organizational unit or position in the IMG activity Define Organizational Assignment.

Further notes

If you encounter any difficulties with authorizations at runtime, we recommend that you:

  1. Check the user authorizations in the transaction Analyze User Buffer (SU56).
  2. Compare users, if necessary, in the IMG activity Define Authorization Role. Proceed as follows:
    1. Select an authorization role.
    2. Choose tab page User.
    3. Choose User comparison.

Assign Business Roles from Partner Channel Management

For Partner Channel Management, the following business roles and authorization roles are available:

  • Business role 'CRM UIU Partner Manager' and authorization role 'SAP_CRM_UIU_CHM_PARTNERMANAGER'
  • Business role 'CRM UIU Channel Manager' and authorization role 'SAP_CRM_UIU_CHM_CHANNELMANAGER'

If you want to assign the business roles to a user, the process is as follows:

Business Attributes
ASAP Roadmap ID 201   Make global settings 
Mandatory / Optional 2   Optional activity 
Critical / Non-Critical 2   Non-critical 
Country-Dependency A   Valid for all countries 
Assigned Application Components
Documentation Object Class Documentation Object Name Current line number Application Component Application Component Name
SIMG WCF_PFCG_COPY 0 PNF0000011 WebClient UI 
Maintenance Objects
Maintenance object type C   Customizing Object 
Assigned objects
Customizing Object Object Type Transaction Code Sub-object Do not Summarize Skip Subset Dialog Box Description for multiple selections
IMGDUMMY D - Dummy object PFCG  
History
Last changed by/on SAP  20090424 
SAP Release Created in 701