Scribd
Upload
632 views44 pages

IT Service Management Roles and Authorizations PDF

Uploaded by

Armando
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
632 views44 pages

IT Service Management Roles and Authorizations PDF

Uploaded by

Armando
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 44

www.sap.

com

IT Service Management Roles and Authorizations


Applicable Releases:
 SAP Solution Manager 7.1 SPS 05

SAP Solution Manager Scenarios:


- IT Service Management

Version 1.0

September 2012

© 2012 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP


BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP
products and services mentioned herein as well as their respective
logos are trademarks or registered trademarks of SAP AG in Germany
and other countries.

Business Objects and the Business Objects logo, BusinessObjects,


Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as
well as their respective logos are trademarks or registered trademarks
of Business Objects Software Ltd. Business Objects is an SAP
company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL


Anywhere, and other Sybase products and services mentioned herein
as well as their respective logos are trademarks or registered
trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are
registered trademarks of Crossgate AG in Germany and other
countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of
their respective companies. Data contained in this document serves
informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials


are provided by SAP AG and its affiliated companies ("SAP Group")
for informational purposes only, without representation or warranty of
any kind, and SAP Group shall not be liable for errors or omissions
with respect to the materials. The only warranties for SAP Group
products and services are those that are set forth in the express
warranty statements accompanying such products and services, if
any. Nothing herein should be construed as constituting an additional
warranty.
IT Service Management – Roles and Authorizations Guide

Document History

Document
Description Responsibilities
Version

1.10 Document Approval

1.00 First official release of this guide


IT Service Management – Roles and Authorizations Guide

Typographic Conventions

Type Style Description

Example Text Words or characters quoted from the screen. These include field names, screen titles,
pushbuttons labels, menu names, menu paths, and menu options.

Cross-references to other documentation.

Emphasized words or phrases in body text, graphic titles, and table titles.
Example text

Example text File and directory names and their paths, messages, names of variables and
parameters, source text, and names of installation, upgrade and database tools.

Example text User entry texts. These are words or characters that you enter in the system exactly
as they appear in the documentation.

<Example text> Variable user entry. Angle brackets indicate that you replace these words and
characters with appropriate entries to make entries in the system.

Keys on the keyboard, for example, F2 or ENTER.


EXAMPLE TEXT

Icons

Icon Description

Caution

Note or Important

Example

Recommendation or Tip
IT Service Management – Roles and Authorizations Guide

Table of Contents
1 GENERAL INFORMATION ............................................................................................................... 5
1.1 Information Sources ........................................................................................................................ 5
1.1.1 SAP Security Guide ........................................................................................................................... 5
1.1.2 SAP SDN Wiki ................................................................................................................................... 5
1.2 Prerequisites .................................................................................................................................... 5
1.3 How to Access the CRM WEBCLIENT UI ...................................................................................... 6
1.4 User groups in the ITSM Scenario ................................................................................................. 6
2 AUTHORIZATION (PFCG-) ROLES ................................................................................................. 8
2.1 Automatic Creation of Template Users Using Solman_Setup .................................................... 8
2.2 Standard Authorization Roles ........................................................................................................ 9
2.3 Assignment of User group-Specific PFCG Roles ........................................................................ 9
3 BUSINESS ROLES ......................................................................................................................... 13
3.1 User group-Specific CRM WEBCLIENT UI Entries and Functionalities Corresponding to
Technical Role Definition .............................................................................................................. 13
3.1.1 CRM WebClient UI and Functionalities for Reporter / End User – Web Service Self Portal .......... 13
3.1.2 CRM WEBClient UI and Functionalities for Processor: ................................................................... 16
3.1.3 CRM WebClient UI and Functionalities for Dispatcher .................................................................... 18
3.1.4 CRM WebClient UI and Functionalities for Administrator ................................................................ 19
3.2 Copy and Assignment of User group-Specific Business Role ................................................. 19
3.2.1 Copy of Business Role .................................................................................................................... 20
4 HOW TO ADAPT BUSINESS ROLES AND TECHNICAL ROLES ............................................... 23
4.1 Technical Roles ............................................................................................................................. 23
4.1.1 Mapping of Technical Roles and User group .................................................................................. 24
4.2 Adapt a Business Role and Technical Roles According to Business Requirements ............ 24
4.2.1 Create a Navigation Bar Profile ....................................................................................................... 26
4.2.2 Create a Role Configuration Key ..................................................................................................... 30
4.2.3 Create a Technical Profile ............................................................................................................... 32
4.2.4 Create a Layout Profile .................................................................................................................... 33
4.2.5 Create a Functional Profile .............................................................................................................. 34
4.3 Additional Possibilities to Assign a Business Role to a User .................................................. 36
4.3.1 Using Parameter .............................................................................................................................. 36
4.3.2 Using Organizational Model............................................................................................................. 37
5 APPENDIX....................................................................................................................................... 41
5.1 Copy an Authorization Role.......................................................................................................... 41
5.2 Copy a Composite Authorization Role ........................................................................................ 41
5.3 Copy a Single Authorization Role ................................................................................................ 42
5.4 Adapt an Authorization Profile ..................................................................................................... 42
5.5 Generate Authorization Profiles ................................................................................................... 43
IT Service Management – Roles and Authorizations Guide

1 GENERAL INFORMATION

To set up the SAP CRM WEBCLIENT UI for your system users, you need business roles and authorization
roles. Using different business roles enables you to tailor the system for its users individually in terms of
profiles, screens, set of functionalities and authorizations.

This guide provides information on how to set up authorization roles and business roles for the different user
groups of the SAP CRM WEBCLIENT UI in the scenario of IT Service Management.

1.1 Information Sources

This chapter provides an overview of the information sources regarding roles, authorizations and security in
SAP Solution Manager.

1.1.1 SAP Security Guide

The SAP Security Guide is the primary documentation for establishing an authorization concept for SAP
Solution Manager, and provides a collection of SAP guidelines and recommendations pertaining to SAP
System security.

http://service.sap.com/instguides/  SAP Components  SAP Solution Manger 


Release <current release>  Operations  SAP Solution Manager Security Guide <current release>

This document offers general guidelines for obtaining a medium level of security. The security of your own
system landscape, and the use of software packages (SAP and non-SAP) are also important factors in
achieving overall system security, so analyze your own risks and needs and establish your own security
policy (or policies). This guide assists you in this process, but cannot replace your own customer-specific
policies.

1.1.2 SAP SDN Wiki

The SAP Solution Manager Authorization Wiki, in the Software Developer Network, is a complement to the
SAP Solution Manager Security Guide. It is primarily valid for SAP Solution Manager release 7.1.

http://wiki.sdn.sap.com/wiki/display/SMAUTH/Home

It provides:

- Authorization object documentation


- Use cases
- Best practices
- Technical infrastructure
- Frequently asked questions

1.2 Prerequisites

- Installed and running Solution Manager 7.1 SPS 05

For more information, please see the SAP Solution Manager Installation Guide available in SAP
Service Marketplace.

- The following SAP Notes are relevant for the preparation of the SAP WebClient usage:
IT Service Management – Roles and Authorizations Guide

Note Description
1115493 CRM WebClient UI: Mandatory SICF services for CRM framework
1144511 System parameters required for CRM WebClient
1676755 Performance optimization in Solution Manager IT Service Management
1244321 Activation of detailed CRM WebClient error analysis during the development phase
824554 ICM timeout errors

- SAP Solution Manager administration user

1.3 How to Access the CRM WEBCLIENT UI

To get access to the CRM WEBCLIENT UI, different master data must be combined:

- SU01 System User


- PFCG Role
- Business Role

As shown in the figure above, the user must have a system user that is created using transaction SU01 and
the user group specific PFCG roles as well as a business role assigned, to be able to perform responsibility
related activities in the CRM WEBCLIENT UI. The mapping of user group and responsibility related roles is
explained in the following section.

1.4 User groups in the ITSM Scenario

In the scenario of ITSM, several user groups and organizations exist:

User group / Description and Responsiblities


Organization
Reporter / End User End User or Key User who notify the problem from managed system incident
to customer Service Desk
Dispatcher Dispatching of messages to the Service Desk
Processor Is assigned to a service team at the organization model and is responsible for
message solving, e.g. for a specific SAP component
Administrator Responsible person for managed systems. E.g. implement patches or
maintain user authorization
Service Team Is assigned at the organization model and represent a specific units of
processors. E.g. 1.level / 2.level or SAP products / components
Customer (Sold-to-Party) This organization unit represents the responsible cost center and it is the
system owner.
IT Service Management – Roles and Authorizations Guide

Users and organizations are defined as Partner Function in the Incident Management scenario.To every
user group (Reporter, Dispatcher, Processor, Administrator), standard roles on the one hand, and, on the
other hand, user group specific roles have to be assigned.
IT Service Management – Roles and Authorizations Guide

2 AUTHORIZATION (PFCG-) ROLES

Chapter two and three provide information on how to enable the standard authorization concept if you are
going to use the standard and do not intend to change it.

The business roles and the authorization roles which will be handled in this guide are only
intended to be used as a template for
Best Practice scope. The roles have to be validated and adapted to the specific customer
requirements.

SAP recommends copying the business roles and the authorization roles into the customer
name space which must begin with Z or Y. This ensures that changes are not overwritten in
case of an upgrade (please refer to Chapter 5).

Authorization roles (also called PFCG roles) are used to implement a comprehensive security concept. Using
authorization roles, you protect the SAP system against unauthorized access at database, network and front
end level.

2.1 Automatic Creation of Template Users Using Solman_Setup

Besides the manual creation of user and roles for the ITSM scenario which is explained in this guide, an
automatic creation using transaction SOLMAN_SETUP is possible. To execute this automatic creation of the
following template users:

User group Standard ID


Reporter / End User IM_CREAT_<System ID>
Dispatcher IM_DIS _<System ID>
Processor IM_PROC _<System ID>
Administrator IM_ADM _<System ID>

Start transaction Solman_Setup  IT Service Management  2. Perform Standard Configuration  2.5


Create Template Users

If you use BI Reporting, you need additional standard template users in the according BW system/client. If
your BW system is in the same client as SAP Solution Manager, the relevant roles are assigned to the
standard user in the SAP Solution Manager system.
IT Service Management – Roles and Authorizations Guide

În Solman_Setup, you have the following options:

- You can create a new user.

The system creates the new user, the corresponding business partner, if necessary, and assigns
the relevant copied and SAP roles.

- You can use an existing user.

The system assigns the relevant copied roles and SAP roles to an existing user .

SAP recommends to perform the above mentioned automatic standard configuration only for testing
purpose. To implement a comprehensive and customer-specific IT Service Management Authorization
concept, please refer to the following chapters.

2.2 Standard Authorization Roles

Authorization roles can be divided into single and composite roles. For every user group, a composite role
exists. Inside these composite roles, several user group-specific single roles are listed.

Following composite roles are relevant for the Incident Management scenario:

Composite Role Description


SAP_SUPPDESK_ADMIN_COMP contains single roles relevant for Service Desk administrators
SAP_SUPPDESK_PROCESS_COMP contains single roles relevant for Service Desk processors
SAP_SUPPDESK_CREATE_COMP contains single roles relevant for Service Desk key users
SAP_SUPPDESK_DISPATCHER_COMP contains single roles relevant for Service Desk dispatcher

Please make sure that you copy all the composite and single roles into your customer
namespace and check if the profiles have been generated successful (green status of
Authorizations tab) before any type of customizing!

The reason to copy the SAP standard roles into your customer namespace is that you
ensure that changes are not overwritten during upgrade.
Further information on how to copy a PFCG role are provided in the Appendix (Chapter 5).

For a detailed description of the Incident Management authorizations roles, please refer to the Security
Guide for SAP Solution Manager available in SAP Service Marketplace and the SAP SDN Wiki. These
information sources are described in Chapter 1.

For more information on authorizations and authorization objects, please refer to SAP Note 1436270.

2.3 Assignment of User group-Specific PFCG Roles

As already mentioned in section 2.2, every user group has its own composite role for their specific
responsibilities. If you assign a composite role to a user, also the single roles are assigned automatically.
IT Service Management – Roles and Authorizations Guide

Example – Composite role and single roles for Processor:

1 – SAP_SMWORK_BASIC_INCIDENT and SAP_SMWORK_INCIDENT_MAN are basic work center roles


to
grant the user access to the SAP Solution Manager Incident Management Work center.

2 – SAP_SM_CRM_UIU_* Roles enable access to the CRM WEBCLIENT UI, define the appearance and
actions
that can be performed in the CRM WEBCLIENT UI.

3 – SAP_SUPPDESK_PROCESS is the functional role for the ITSM Processor in which you can define
specific authorization e.g which transaction type the user should be able to create or process
(Authorization Object CRM_ORD_PR).

Please note that the main working environment for every user group is the CRM WEBCLIENT UI.
The work center assignment is just an additional functionality to handle SAP Solution Manager 7.0
transaction e.g SLFN, SIVA.

1. Start transaction SU01 and choose the specific user.


IT Service Management – Roles and Authorizations Guide

2. Select the roles tab and assign the composite role to the user.

3. Save your assignment.


IT Service Management – Roles and Authorizations Guide

Another possibility to assign roles to a user is to assign the user directly out of the composite role
using the user tab. In this case, make sure that you perform a user comparison after the assignment.

Now the PFCG-Roles are successfully assigned to the user (message processor).
As shown in the figure above, the single role ZSM_SM_CRM_UIU_SOLMANPRO is part of the processor
composite role. This specific role is called PFCG-ROLE-ID and leads to the next chapter - the Business
roles.
IT Service Management – Roles and Authorizations Guide

3 BUSINESS ROLES

In addition to PFCG roles, another type of role is necessary in the scenario of IT Service Management – the
business role. As explained in section 1.3, this type of role is required for the access to the CRM
WEBCLIENT UI and its customizing.

For every user group, a specific business role exists:

User group Business Role Description


Report / End User SOLMANREQU Business Role for Reporter / End User
Dispatcher SOLMANDSPTCH Business Role for Dispatcher
Processor SOLMANPRO Business Role for Processor
Administrator SOLMANPRO Business Role for Administrator

3.1 User group-Specific CRM WEBCLIENT UI Entries and Functionalities Corresponding to Technical
Role Definition

Because of different technical roles for every user group, the entries (e.g visible Work centers, Logical Links)
in the CRM WEBCLIENT UI differ according to their responsibilities as shown in the figures below. In
addition, the functional PFCG roles which manage the actions and functionalities to be performed.

3.1.1 CRM WebClient UI and Functionalities for Reporter / End User – Web Service Self Portal

The CRM WebClient UI for the Reporter / End User is also called Web Self Service Portaland offers a quick
and easy UI for message creation.

- Minimized menu structure dedicated for End User


- Message creation for incident and service request via
guided procedure
- Home screen widgets
 My Messages – Reported By Me
 My Messages – Action Required by Me
IT Service Management – Roles and Authorizations Guide

- Quick & user friendly creation of Incidents and Service requests


 Guided procedure for Incident & Service request Creation
 Quick buttons for Top 5 Service requests
 Possibility to select other existing Service request Categories
 Service request Category specific UI input parameter
IT Service Management – Roles and Authorizations Guide

- Interact with IT Help Desk


 Add information and attachments
 Confirm solutions
 Send replies

- Enable search for known solutions


 Access to published Knowledge Articles
IT Service Management – Roles and Authorizations Guide

- Set own data


 Personal Data (General and Communication Information)
 Change Password
 My Objects

3.1.2 CRM WEBClient UI and Functionalities for Processor:

The UI for the Processor offers the possibility to open the Incident Management Work center and e.g search
for and process Incidents or Problems. In addition, an overview of messages assigned to this user group is
accessible using “My messages”.

- Optimized menu structure dedicated for Service Processors


- Home screen Widget
 My Messages – Assigned To Me
 My Messages – Assigned To My Team
IT Service Management – Roles and Authorizations Guide

- Advanced filter mechanisms for finding messages


 Search for Incidents, Problems, Service requests, etc.

- Worklist for quick display of messages with involvement of the Processor


 Me / My Team / My Group / My Company / My Responsibility Group
IT Service Management – Roles and Authorizations Guide

3.1.3 CRM WebClient UI and Functionalities for Dispatcher

The Dispatcher has the responsibility to dispatch unassigned messages to the correct service team where
these messages are forwarded by the Processor, e.g to the responsible service team employee.
For this reason, the dispatcher UI looks nearly similar to the Processor UI. The Dispatcher has access to the
Incident Management Work center and a list of all unassigned messages.

- Minimized menu structure dedicated for Dispatchers


- Home screen Widget
 My Messages – For Dispatching
 Result List for all unassigned messages

- First level UI for a quick message processing (dispatching) with all necessary information
- Quick "Confirm" button in the menu
IT Service Management – Roles and Authorizations Guide

3.1.4 CRM WebClient UI and Functionalities for Administrator

The Administrator UI offers the possibility to perform basis-related activities such as master data
maintenance (iBase, CMDB objects etc.), perform tasks in the Service Operations work center (maintain
categorization schemas, define rule policies etc.). In addition, this user group can search for Incidents,
Problems and Service request.

- Access to search, creation and maintenance of


 Master Data
 Service Operations

3.2 Copy and Assignment of User group-Specific Business Role

At least one of the business roles must be assigned to a system user to have access to the CRM
WEBCLIENT UI. But before a business role can be assigned to a user, you have to copy the business role
into your customer namespace for the same reason as you copy PFCG roles.
IT Service Management – Roles and Authorizations Guide

3.2.1 Copy of Business Role

To copy a business role, e.g SOLMANPRO, for the Processor, proceed as follows:

1. Open the implementation guide by starting transaction SPRO and navigate to Customer Relationship
Management  UI Framework  Business Roles  Define Business Role.

2. Select business role SOLMANPRO and choose Copy as.


IT Service Management – Roles and Authorizations Guide

3. Enter a X,Y, or Z (this is your customer namespace) in front of SOLMANPRO.

4. Maintain the customer namespace PFCG ROLE ID in the business role. Confirm with Return.

5. The new business role is now visible in the overview. Save the table.
IT Service Management – Roles and Authorizations Guide

After the copying and assignment of PFCG roles and business roles, the standard CRM WEBCLIENT UI as
well as the functionalities are usable.
If you want to do the following, refer to the next chapter:

- Use a different type of business role assignment


- Know more about the technical roles behind the business roles
- Customize the visibility of the CRM WEBCLIENT UI (e.g Work center or logical links entries)
IT Service Management – Roles and Authorizations Guide

4 HOW TO ADAPT BUSINESS ROLES AND TECHNICAL ROLES

In addition to the standard CRM WEBCLIENT UI visibilities and functionalities, it is possible to customize
business roles as well as technical roles according to customer needs. How to do so is explained in detail in
this chapter.

4.1 Technical Roles

With the help of business roles and the corresponding technical roles, it is possible to control the access to
the CRM WEBCLIENT UI and customize the visibility of specific entries. This means that using these roles,
you can define the structure of the navigation bar and which links are available on the Work Center pages
and the direct link group. Every business role has the following technical roles assigned:

- Navigation Bar Profile


- Role Configuration Key
- Layout Profile
- Technical Profile
- PFCG-Role-ID

The most important technical role is the Navigation Bar profile. Using this technical role, it is possible to
control the Work center entries, the logical links as well as the direct link group in the CRM WEBCLIENT UI
(more information is provided in section 4.2.1).

The next figure provides an overview of the previously listed elements of the CRM WEBCLIENT UI.

A work center describes and provides access to business content. The work center page is a collection of
logical links for business content which are organized in link groups. Direct link group is part of the
navigation bar and provides direct access to specific business content with one click. Logical links can be
used in direct link groups, second level navigation or on work center pages.
IT Service Management – Roles and Authorizations Guide

4.1.1 Mapping of Technical Roles and User group

The names of the technical roles are partly different for every specific user group:

User group Technical Role Name


Reporter / End User Navigation Bar Profile SOLMANREQU
Role Configuration Key SOLMANREQU
PFCG-ROLE-ID SAP_SM_CRM_UIU_SOLMANREQU

Dispatcher Navigation Bar Profile SOLMANPRO


Role Configuration Key SOLMANDSPT
PFCG-ROLE-ID SAP_SM_CRM_UIU_SOLMANDSPTCH

Processor Navigation Bar Profile SOLMANPRO


Role Configuration Key SOLMANPRO
PFCG-ROLE-ID SAP_SM_CRM_UIU_SOLMANPRO

Administrator Navigation Bar Profile SOLMANPRO


Role Configuration Key SOLMANPRO
PFCG-ROLE-ID SAP_SM_CRM_UIU_SOLMANPRO

The PFCG-Role-ID depends on the user group related PFCG role maintained in the user group composite
role. The administrator is using the same business role as the Processor. For that reason, this user group
includes the same technical roles as the Processor.

As e.g the Dispatcher and the Processor are using the same navigation bar profile, it is recommended to
copy them into a different customer namespace if customizing activities (section 4.2) are planned.

4.2 Adapt a Business Role and Technical Roles According to Business Requirements

This section explains how to adapt a business role according to your business requirements.
The following figure provides an overview on the profiles assigned to a business role.
IT Service Management – Roles and Authorizations Guide

A business role has the following profiles assigned:

 Navigation Bar Profile


o Assignment of work centers, work center link groups, direct link groups and logical links
 Layout Profile
o Layout of the navigation frame, which includes header and footer area, work area and navigation
bar
 Technical Profile
o Assignment of specific technical settings, e.g. disable the support of the Back button in the
browser or frame swapping (reduce noticeable screen flickering)
 Function Profile
o Assignment of additional functional areas, e.g. links that appear in the navigation bar or used
reporting framework (SAP BI or Interactive Reporting).
 Role Configuration Key
o Assignment of adapted UI views (e.g. add/move/rename field) by using the UI configuration tool

A PFCG Role ID is used to assign users to the business role.


SAP recommends using the business role SOLMANPRO and its profiles as templates for your new
business role. You should copy them into the customer naming space which must begin with Z or Y. The
recommended name for the new business role is ZSOLMANPRO.

The most important technical roles are the navigation bar profile and the functional profile. For both profiles,
the copy and customizing process is explained in detail in the following chapters.

If you also plan to customize the layout and technical profile or the role configuration key, please copy them
into your customer namespace. Then, follow the explanations in the documentation which is available in the
specific Customizing section in transaction SPRO.
IT Service Management – Roles and Authorizations Guide

4.2.1 Create a Navigation Bar Profile

A navigation bar profile is a collection of logical links, work centers, work center link groups and direct link
groups.

Use the standard navigation bar profile SOLMANPRO as a template to define the structure of your
navigation bar:
1. Start transaction SPRO and go to Customizing activity Define Navigation Bar Profile.

2. Highlight the navigation bar profile SOLMANPRO and choose Copy As… (recommended name for
the new navigation profile is ZSOLMANPRO). Confirm with ENTER.

3. Save your settings.

Now you are able to adapt your navigation bar profile. In the Customizing activity Define Navigation Bar
Profile, you get access to the shared lists of all logical links, work centers, work center link groups and direct
link groups. Furthermore, you can define navigation bar-specific customizing, such as assignment of work
centers and direct link groups.
IT Service Management – Roles and Authorizations Guide

Choose Assign Work Centers To Navigation Bar Profile to specify which work centers should be part of the
navigation bar (e.g. ZSOLMANPRO), as shown in the example below.

It is possible to add the Work centers using New Entries  Assign Work centers To Navigation Bar Profile 
Save.

Work centers can be activated or deactivated within a business role using the Customizing activity
Define Business Role. Highlight your business role (e.g. ZSOLMANPRO) and choose Adjust Work
Centers. The column Inactive controls the visibility of a work center.

Choose Assign Direct Link Groups To Nav. Bar Profile to specify which work centers should be part of the
navigation bar, as shown in the example below. In this example, the direct link group SM-CREATE is
assigned to the navigation bar profile ZSOLMANPRO.
IT Service Management – Roles and Authorizations Guide

Direct link groups and direct links can be set to visible or invisible within a business role using the
Customizing activity Define Business Role. Highlight your business role (e.g. ZSOLMANPRO) and
choose Adjust Direct Link Groups to define which direct link groups should be visible or choose Adjust
Direct Links to specify which direct links should be visible within a direct link group.

For more information on navigation bar customizing, please refer to the documentation of the
Customizing activity Define Navigation Bar Profile.

After you have created the new navigation bar profile, you must assign it to the business role that
you have defined before. You can do this in the Customizing activity Define Business Role.

.
IT Service Management – Roles and Authorizations Guide

Visibility of Customer-Specific Navigation Bar Links:

Once you copied the standard navigation bar profile, you must activate the links specifically within the
customizing of the business role. Therefore, navigate through the structure Define Business Role 
Adjust Direct Link Groups  Adjust Direct Links. It is necessary to select the group (e.g. SM-Create) for
which you want to adjust the direct links. Then, choose Adjust Direct Links. The Visible column controls
the links displayed in the CRM WEBCLIENT UI.

The example below shows customer-specific customizing according to direct links shown in the
CRM WEBCLIENT UI.

To display direct links in the CRM WEBCLIENT UI: Save the changes.
IT Service Management – Roles and Authorizations Guide

4.2.2 Create a Role Configuration Key


...

The role configuration key is a unique identifier used in the configuration of views for the CRM WEBCLIENT
UI. Certain changes can be stored under a role configuration key. For instance, a view can be configured for
a specific configuration key, where fields are removed or renamed in comparison to the original. This role
configuration key is also assigned to the business role to identify the configuration that is to be used for this
role.

So only those users with the business roles assigned that carries the right key, see the configuration
changes in the CRM WEBCLIENT UI. For all other users, no changes are visible. Thus, the role
configuration key provides the possibility of a role-dependent view configuration.

To create a role configuration key, do the following:

1. Start transaction SPRO and go to Customizing activity Define Role Configuration Key.
IT Service Management – Roles and Authorizations Guide

2. Choose New Entries.

3. Add a new role configuration key, e.g. ZSOLMANPRO.

4. Save your settings.

After you have created the new role configuration key, you must assign it to the business role that
you have defined before. You can do this in the Customizing activity Define Business Role.
IT Service Management – Roles and Authorizations Guide

4.2.3 Create a Technical Profile

Use the standard technical profile DEFAULT_SOLMAN as a template to define your custom technical profile:

1. Start transaction SPRO and go to Customizing activity Define Technical Profile.

2. Highlight the technical profile DEFAULT_SOLMANPRO and choose Copy As….(the recommended
name for the new layout profile is ZDEFAULT_SOLMANPRO). Confirm with ENTER.

3. Choose copy all.

4. Save your settings.

Now you are ready to adapt the technical profile according to your business needs. For more information,
please refer to the documentation of the Customizing activity Define Technical Profile.

After you created the new technical profile, you must assign it to the business role which you have
defined before. You can do this in the Customizing activity Define Business Role.
IT Service Management – Roles and Authorizations Guide

4.2.4 Create a Layout Profile

Use the standard layout profile CRM_UIU_MASTER as a template to define the layout of the header and
footer area, work area and navigation bar:

1. Start transaction SPRO and go to IMG activity Define Layout Profile.


IT Service Management – Roles and Authorizations Guide

2. Highlight the layout profile CRM_UIU_MASTER and choose Copy As….(recommended name for the
new layout profile is ZCRM_UIU_MASTER). Confirm with ENTER.

3. Choose copy all.


4. Save your settings.

Now you are ready to adapt the layout profile according to your business needs. For more information,
please refer to the documentation of the Customizing activity Define Layout Profile.

After you created the new layout profile, you must assign it to the business role which you have defined
before. You can do this in the Customizing activity Define Business Role.

4.2.5 Create a Functional Profile

Function profiles define special functions, such as the level of personalization, or the working context. In the
Customizing activity Define Business Role, you can assign function profiles to your business role.

For detailed information on how to create a function profile, please refer to the documentation of the
Customizing activity Define Function Profile.
IT Service Management – Roles and Authorizations Guide

For more information on how to assign function profiles to business roles, please refer to the documentation
of the Customizing activity Define Business Role.

After completing all steps from chapter 4, the new business role ZSOLMANPRO looks as follows:
IT Service Management – Roles and Authorizations Guide

4.3 Additional Possibilities to Assign a Business Role to a User

In section 3.2.1, the PFCG-Role-ID has been maintained in the business role in order to assign the business
role to a user. This section provides an overview about the additional possibilities to assign a business role
to a user.

4.3.1 Using Parameter

Besides the PFCG-ROLE-ID, another possibility to assign a business role to a user is using the parameter
tab in the system user maintenance.

1. Start transaction SU01 to maintain the specific user.

2. Select the parameter tab and maintain the details as shown in the figure below. Save your settings.

Now, the business role ZSOLMANPRO is assigned to the user using the specific parameter.
IT Service Management – Roles and Authorizations Guide

4.3.2 Using Organizational Model

Users can be assigned to a business Role using the organizational model. The business role is assigned to
an organizational unit or a position in the organizational model and the user/business partner is assigned to
a position in the organizational unit, as shown in the figure below.

For more information on how to create and adapt an organizational model, please refer to the guide
Support Team Determination via Business Rule Framework plus (BRFplus) available at:

http://wiki.sdn.sap.com/wiki/display/SAPITSM/ITSM%20Homepage

My Home  SAP IT Service Management on SAP Solution Manager  ITSM Homepage 


Information for Administrators
IT Service Management – Roles and Authorizations Guide

Assignment to an organizational unit:

1. Start transaction PPOMA_CRM.

2. To navigate to the corresponding organizational unit, choose Structure Search or Search Team.

3. From the menu, choose Goto -> Detail object -> Enhanced object description.

4. In the Active tab, select Business role from the list and choose Create infotype.
IT Service Management – Roles and Authorizations Guide

5. Enter the business role in the corresponding field, e.g. ZSOLMANPRO.

6. Save your settings.

If you assign a business role to an organization unit that includes other units, then all users from these
lower units will also have the business role assigned to.

Assignment to a position:

1. Start transaction PPOMA_CRM.

2. To navigate to the corresponding position, choose Structure Search or Search Team.

3. Proceed with steps 3-6 on how to assign a business role to an organizational unit.
IT Service Management – Roles and Authorizations Guide

Each position can have exactly one business role assigned to.
IT Service Management – Roles and Authorizations Guide

5 APPENDIX
In the Appendix, you find additional information, configuration steps and guidelines to adjust an IT Service
Management related authorization concept according to your needs.

5.1 Copy an Authorization Role

This section provides information on how to copy composite or single authorization roles.

5.2 Copy a Composite Authorization Role


To copy a composite authorization role, do the following:

1. Start transaction PFCG.


2. Enter the role name (e.g. SAP_SUPPDESK_PROCESS_COMP) in the corresponding field.
3. Choose Copy role.

4. Enter a name for the new role, e.g. ZSM_SUPPDESK_PROCESS_COMP.


5. Choose Copy Selectively.
6. To copy also the single roles contained in the composite role, in the Query dialog box, choose Yes.
IT Service Management – Roles and Authorizations Guide

7. Enter target names for the copied single roles and confirm to start the copy process

5.3 Copy a Single Authorization Role

1. Start transaction PFCG.


2. Enter the role name (e.g. SAP_SUPPDESK_PROCESS) in the corresponding field.
3. Choose Copy role.

4. Enter a name for the new role, e.g. ZSM_SUPPDESK_PROCESS.


5. Choose Copy selectively.

5.4 Adapt an Authorization Profile

Role profiles contain authorization objects to specify user authorizations, such as change/display
authorization for texts or transaction types.

The following example shows how to adapt the authorization profile of the role
SAP_SUPPDESK_PROCESS (ZSM_SUPPDESK_PROCESS) to allow users to create/change/display the
business transaction type ZMIN (copy of SMIN):
IT Service Management – Roles and Authorizations Guide

1. Start transaction PFCG.


2. Enter the role name, e.g. SAP_SUPPDESK_PROCESS (ZSM_SUPPDESK_PROCESS) in the
corresponding field and choose Change.
3. Go to the Authorizations tab and choose Change Authorization Data.
4. A list is displayed that contains all authorization objects that are included in the role.
5. Navigate to the authorization object CRM Order – Business Transaction Type (technical name
CRM_ORD_PR) and choose Change for the field Business Transaction type.

6. Enter ZMIN in the dialog box and proceed with Transfer (Enter).
7. Choose Generate to create the authorization profile.
8. Choose Back and then save your settings.

5.5 Generate Authorization Profiles

In this step, you have to generate the authorization profiles of the single roles contained in the composite
role SAP_SUPPDESK_PROCESS_COMP. Copy this role also into customer namespace
ZSM_SUPPDESK_PROCESS_COMP before you perform the next steps!

You do not need to perform the following instructions for the roles ZSM_SMWORK_INCIDENT_MAN
and ZSM_SM_CRM_UIU_SOLMANPRO as they do not contain any active authorization objects.

1. Start transaction PFCG.


2. Enter the role name ZSM_SUPPDESK_PROCESS in the corresponding field and choose Change.
3. Go to the tab Roles where all single roles are listed.
4. Double-click to access a role (e.g. ZSM_SMWORK_BASIC_INCIDENT). The role opens in a new
session.
5. In the new window, choose Display <-> Change to switch to Edit mode.
6. Go to the Authorizations tab and choose Change Authorization Data.
IT Service Management – Roles and Authorizations Guide

7. Choose Generate to create the authorization profile of the role.

8. Choose Back and afterwards save your settings.


9. Repeat steps 4-8 for the other roles contained in the composite role.

After you copied the composite role into the customer namespace and generated the various single
roles, your composite role ZSM_SUPPDESK_PROCESS_COMP looks like this:

You might also like