• Gruppenweite Einführung, IHR PROFIL

Weiterentwicklung und Support von SAP

• Abgeschlossenes Studium im Bereich
gestützten Prozessen und Anwendungen
zur Optimierung der Geschäftsprozesse Wirtschaftsingenieurwesen, der
• Weltweite SAP Modul- / -informatik oder eine vergleichbare

-Prozessverantwortung und SAP- Ausbildung

• Mindestens fünf Jahre Erfahrung in der
Standardisierung
• Prozessberatung und Business Implementierung und im Support der

Consulting in engster Abstimmung mit den entsprechenden SAP Module und SAP

Fachbereichen Integration - vorzugsweise in

• Ausarbeitung von Prozessen und Unternehmen der Fertigungsindustrie
• Fundierte Erfahrungen in der
selbstständige Konfiguration sowie
Testing im SAP System Projektabwicklung - auch im
• Projektleitung / Projektmitarbeit in internationalen Arbeitsumfeld
• Fundierte Kenntnisse in der SAP-
nationalen und internationalen SAP
Projekten Anlagenbuchhaltung sowie im Modul
• Serviceorientierte Beratung, Betreuung Controlling (CO-PA Profitability Analysis /

und Schulung der Anwenderbereiche / CO-OM Overhead Cost / CO-PC Product

Key User Costing)

• Mitarbeit bei konzeptionellen SAP • Fließende Deutsch- und

Fragestellungen Englischkenntnisse
• Kenntnisse in ABAP von Vorteil

BASIC UNDERSTANDING OF ROLES AND AUTHORIZATION

FollowRSS feedLike
3 Likes 50,839 Views 16 Comments

Many of the Functional Consultants face issues in understanding what are the Roles and what
are Authorizations in SAP. This is a document which would help people who are curious to know
what is exactly the concept behind this and how does it work.
Functional Consultants have a lot of questions in mind regarding this concept and one of the
main questions here is why should Functional Consultants worry about Roles and Authorization
when it is a job of BASIS team.
Well, to answer this, it is not solely a job of BASIS team rather it is also like other activities, it an
integrated activity which should be performed by both BASIS team and Functional team.
BASIS team have a know how about the User Management, Roles Creation, Profile Creation,
Roles and Profile assignment, Authorization assignments etc. but main concern in most of the
cases arises when the below questions are unanswered by BASIS team:
1. Whom to Assign the Roles or transactions
2. What to Restrict in a transaction and for whom
3. How to authorize Custom transactions
and many more such questions cannot be answered by BASIS team. Hence, it becomes the role
of a Functional Consultant to guide them with the exact process flow and exact organizational
chart.
Explaining with a small example here, suppose we have a maintenance team as below:
 1. Supervisor – He is responsible for notifying the breakdown or Corrective Maintenance requirements
2. Maintenance In-charge – He is responsible for assigning the above tasks to Engineers
3. Head of the department – He is responsible for approving the Maintenance tasks.
Now, Functional Consultant is very well aware that for Supervisor would require only the
transactions related to Notifications (say IW21, IW22, IW28, IW29 etc), Maintenance In-charge
would require some of the notification related transactions (say IW22, IW28, IW29) and also
order related transactions (IW31, IW32, IW38, IW39 etc) and the Head of the department would
require notifications and order transactions (say IW28, IW29, IW38, IW39) and also along with
this he require special permissions like releasing orders, approving permits, technical
completions etc.
Looking from BASIS team’s perspective they are not clear with these requirements and they
thus cannot take the decision for this and should be provided by Functional Consultants.
But, the main issue in most of the cases arises when Functional Consultants are not aware
about the concept of Roles and Authorizations.
Hereby, this document will explain the basic concept of Roles and Authorizations:
WHAT IS ROLES AND AUTHORIZATION CONCEPT:
Roles and Authorizations allow the users to access SAP Standard as well as
custom Transactions in a secure way.
SAP provides certain set of generic Standard roles for different modules and
different scenarios.
We can also define user defined roles based on the Project scenario keeping
below concept in mind:
There are basically two types of Roles:
1. Master Roles – With Transactions, Authorization Objects and with all organizational level
management.
2. Derived Roles –With organizational level management and Transactions and Authorization
Object copied from Master Role.
The reason behind this concept is to simplify the management of Roles.
WHAT ARE THE COMPONENTS OF A ROLE:
A Master Role or a Derived Role is having below components inside it:
1. Transaction Codes
2. Profile
3. Authorization Objects
4. Organization level
Transaction Codes: SAP Transaction codes (Standard or custom)
Profile: Profiles are the objects that actually store the authorization data and Roles are the
Container that contains the profile authorization data.
Authorization Objects: Objects that define the relation between different fields and also helps in
restricting/ allowing the values of that particular field (For ex: Authorization
objectI_VORG_ORD: PM: Business Operation for Orders, contains relation between fields:
AUFART = Order Type and BETRVORG Business Transaction).
Authorization objects are actually defined in programs that are executed for any particular
transactions. We can also create custom authorization objects for any particular transaction
(generally custom transaction).
Organization level: This defines actually the organizational elements in SAP for ex: Company
Code, Plant, Planning Plant, Purchase organization, Sales organization, Work Centers, etc.
Suppose we take an example of creating a role for Maintenance In-charges in a particular
industry who are responsible for different maintenance plants. Consider the Scenario as under:
Company = C1, Maintenance Plants = M1, M2, M3 and M4 (Hence assuming 4 Shift In-charges).
As mentioned before, Maintenance In-charge will have rights to following transactions – IW22,
IW23, IW28, IW29, IW31, IW32, IW38 and IW39 but he will not have rights to release the
Maintenance order.
EXPLAINING WITH AN EXAMPLE:
Hence, considering the above situation, we will create a common Master role for all 4
Maintenance In-charges say ZMPM_MAIN_IN_CHARGE_ROLE (Here the role name starts
withZMPM to make us understand that it is a Z Master Role for Plant Maintenance ) with
transaction mentioned above with all rights (with value “*”) inside the transactions but only
restricting release of Maintenance order with the help of authorization object I_VORG_ORDand
removing value: BFRE and field: BETRVORG but with all any organizational level (sayplant)
assignment.
Now based on this Master Role we have to create derived Roles for all 4 Maintenance In-
charges individually say for first Maintenance In-Charge we create a derived
roleZDPM_MAIN_IN_CHARGE_ROLE_MI1 referring the above Master
RoleZMPM_MAIN_IN_CHARGE_ROLE. This will copy all the transactions and authorization objects
from Master Role but will not copy the organizational level assignments which we have
assigned in Master Role. Hence, we need to maintain the organizational level for the derived
role (say Plant P1).
Here once we save (& Generate) the Master as well as Derived Role we can assign this role to
the User ID for the particular Maintenance In-charge.
•