Exercise 5: Maintain Role and Standard Roles

_________________________________________________
Assign your role to all users that you have created with the user name “GR##*”, with your
group ID (the users GR##-FI1, GR##-FI2, GR##-SD1, GR##-SD2, GR##-MM1, GR##-
MM2 should exist with the user group ZGR##, from another lesson of the SAP course
ADM940).
Check the settings for the user comparison (menu: Utilities → User Settings). Ensure that
a user master adjustment (record comparison) is automatically performed when you
save.

6. Save your role and perform a user comparison

What happens to the status of the "User" tab after you have saved.
__________________________________________________________

7. Assign the role ADM940_PLUS to all of your users (“GR##-*”).

Save your user assignments, and perform a master record comparison.

Hint:
With this exercise, it is possible that participants lock each other when saving
the settings. If this happens, wait a moment and try again. After the
comparison, exit the transaction PFCG.

© Copyright. All rights reserved. 37

 Unit 4
Solution 5
Maintain Role and Standard Roles

Business Example
This role maintenance exercise deals with “basic maintenance” using Role Maintenance
(Goto / Settings in the menu). The following tasks should familiarize you with the basic role
maintenance functions and the automatic generation of SAP Easy Access user menus for
various work centers and the associated authorizations, profiles, and user assignments. If you
are attending SAP course ADM940, the next two lessons deal with special role types and the
subtleties of authorization maintenance.
Prerequisites

Note:
In the prerequisites of this exercise, you familiarize yourself with the authorization
concept that you implement in this and the following exercises. You do not create
all the roles at once. This is done in the course for the individual subtasks.

When you see “Use the transactions in accordance with the example authorization concept”,
you need to refer to the following tables: distribution of roles for transaction codes and
distribution of job roles for roles.

Name of the Role Transactions for this Role

GR##_MM_MAT_ANZ MM03, MM04, MM19

GR##_FI_ACCREC_MAINT FD01, FD02, FD03
GR##_SD_CUST_MAINT VD01, VD02, VD03
GR##_SD_SALES VA21, VA22, VA23, VA25, VA01, VA02, VA03, V.01
GR##_MM_IM_POST MB1C, MB90, VL21
GR##_FI_IP_POST F-18, F-26, F-28

Role/Transaction Distribution (Table 1: Example Authorization Concept)

Business area>>> FI SD SD MM
Work Place Description>>> AccRec SDClerk SDMan Whouse
SAP R/3 Links: Scope Scope Scope Scope
T Code

MM01
MM02
MM03 x x x x

© Copyright. All rights reserved. 38

 Solution 5: Maintain Role and Standard Roles

Business area>>> FI SD SD MM
Work Place Description>>> AccRec SDClerk SDMan Whouse
SAP R/3 Links: Scope Scope Scope Scope
T Code

MM19 x x x x
MM04 x x x x

FD01 x x
FD02 x x
FD03 x x
VD01 x x
VD02 x x
VD03 x x

VA21 x x
VA22 x x
VA23 x x
VA25 x x

VA01 x x
VA02 x x
VA03 x x
V.01 x x

MB1C x
MB90 x
VL21 x

F-18 x
F-26 x
F-28 x

Job Role/Roles (Table 2: Example Authorization Concept)

Task 1: Create a Role to Display a Material Master

Create a role GR##_MM_MAT_ANZ to display a material master.

1. Start the Role Maintenance transaction and create the predefined role. Enter a short
description, and save.
a) SAP Menu:

© Copyright. All rights reserved. 39

Unit 4: Working with the Role Maintenance

Tools → Administration → User Maintenance → Role Administration → Roles,

(transaction code PFCG).

b) Enter the name for the role GR##_MM_MAT_ANZ in the Role field.

c) Choose Create Single Role.

d) Under the Role Name, in the field Description enter: Display a material master .

e) Then choose Save (CTRL+S) to save your role.

2. Add the corresponding transactions in accordance with the sample authorization concept
(Roles for Transaction Codes table from the prerequisites of this exercise).
A brief extract from the table in the prerequisites is provided here to make the task more
comprehensible.

Name of the Role Transactions for this Role

GR##_MM_MAT_ANZ MM03, MM04, MM19

a) Go to the Menu tab page.

b) Choose the Transaction button and enter the following transaction codes in the
Transaction code field:
MM03
MM04
MM19

c) Choose Assign Transactions.

d) Then choose Save (CTRL+S) to save your role.

3. Create a folder with the name WWW Links and add a Web address with the name SAP and
the URL http://www.sap.com to this folder.
a) Choose the Create Folder button.

b) Enter WWW Links in the Folder Name field:

c) Choose Continue (Enter).

d) Next to the button Transaction, use the black triangle to choose Other → Web address
or file in the context menu of the Transaction button.

e) Enter the description SAP.com in the Text field.

f) Enter the URL https://www.sap.com in the Web address or file field.

g) Choose Copy (Enter).

h) Then choose Save (CTRL+S) to save your role.

4. Maintain Authorizations - Maintain authorization values for the organizational levels.

a) Go to the Authorizations tab page.

b) Choose Change Authorization Data.

c) Enter the following values in the Define Organizational Levels window:

© Copyright. All rights reserved. 40

 Solution 5: Maintain Role and Standard Roles

When you maintain organizational levels, you usually only see those lines where values
have been assigned. If an organizational level field has not yet been maintained, only
one line is displayed. You can display multiple lines by choosing the More Values
button.
- Company code: 1010,
- Warehouse number/complex: *,
- Sales organization: 1010,
- Distribution Channel: *,
- Plant: 1000, 1010, 1020.

d) Choose Save (CTRL+S) to save the authorization values for the organizational levels.

5. Maintain Authorizations - Check the traffic light symbol status.

For which authorization object class are all authorization field contents maintained?
Authorization object class:
_________________________________________________
For which authorization objects of the object class MM_G do you have to supply
authorization values?
Authorization Objects:
_________________________________________________
_________________________________________________
_________________________________________________
_________________________________________________
a) Check the Group/object/Authorization Field column for authorization object class
where all authorization field contents are maintained.
Object class: AAAB, Cross-application Authorization Objects

b) Check the Group/object/Authorization Field column for authorization objects of the

object class MM_G with a yellow traffic light.
Authorization objects whose authorization field values are not completely maintained
are flagged with a yellow traffic light.
The following authorization objects are not completely maintained:

● M_MATE_MAR

● M_MATE_MAT

● M_MATE_STA

● M_MATE_WGR

6. Maintain Authorizations - Set the authorization for the maintenance status in the
authorization object M_MATE_STA to full authorization.
What is the status of the authorization after your change?
_________________________________________________
a) Expand Authorization Object M_MATE_STA.

© Copyright. All rights reserved. 41

Unit 4: Working with the Role Maintenance

b) In the context menu (click the right-mouse button) of the STATM field and choose Set
field Values to '*'' .
Status: Maintained, traffic light: Green.

7. Maintain Authorizations - Set all open authorization values to full authorization.

Set all open authorization values to full authorization (top set of traffic lights).
What happens to the traffic light symbol for object class MM_G after you have assigned
values to all open fields?
_________________________________________________
a) Choose the Status button.

b) Choose Execute (Enter)in the Assign Full Authorization of Subtree window.

The traffic light symbol for object class MM_G then switches the structure to Green.

8. Maintain Authorizations - Generate the authorization profile for your role.

a) Choose the Generate icon.

b) In the Assign Profile Name for Generated Authorization Profile window, accept the
proposed profile name and choose Execute (Enter).

c) Choose Back (F3) to return to the Change Roles screen.

9. Check the status of your authorization profile in the information section of the
Authorizations tab and complete the maintenance of this role and return to the initial
screen of transaction PFCG.
What is the status of your authorization profile?
_________________________________________________
a) Check the Status field on the Authorizationstab
Status: Authorization profile is current.

b) Choose Back (F3) to return to the initial screen of Role Maintenance.

Task 2: Create a Role with Authorizations for a Warehouse Supervisor

Create a role GR##_MM_IM_POST with authorizations for a warehouse supervisor.

1. Start the role maintenance transaction and create the predefined role. Enter a short
description, and save.
a) SAP Menu:
Tools → Administration → User Maintenance → Role Administration → Roles,
(transaction code PFCG).

b) Enter the name for the role GR##_MM_IM_POST in the Role field.

c) Choose Create Single Role.

d) Under the Role Name, in the field Description enter Warehouse supervisor.

e) Then choose Save (CTRL+S) to save your role.

2. Add the corresponding transactions in accordance with the sample authorization concept
(Roles for Transaction Codes table from the prerequisites of this exercise).
a) Go to the Menu tab page.

© Copyright. All rights reserved. 42

 Solution 5: Maintain Role and Standard Roles

b) Choose the Transaction button and enter the following transaction codes in the
Transaction code field:
MB1C
MB90
VL21

c) Choose Assign Transactions.

d) Then choose Save (CTRL+S) to save your role.

3. Maintain Authorizations - Maintain authorization values for the organizational levels.

a) Go to the the Authorizations tab page.

b) Choose Change Authorization Data.

c) Enter the following values in the Define Organizational Levels window:

When you maintain organizational levels, you usually only see those lines where values
have been assigned. If an organizational level field has not yet been maintained, only
one line is displayed. You can display multiple lines by choosing the More Values
button.
- Shipping Point: *,
- Plant: 1000, 1010, 1020.

d) Choose Save (CTRL+S) to save the authorization values for the organizational levels.

4. Maintain Authorizations - Add the authorization values 561 and 562 to the authorization
values for the Movement Type field of the authorization object M_MSEG_BWA.
a) Expand Object Class MM_B.

b) Expand Authorization Object M_MSEG_BWA.

c) Expand Authorization T-T1########.

d) Choose the Pencil button on the right side of the BWART field.

e) Enter 561 and 562 in the Field values window.

f) Choose Transfer (Enter).

5. Maintain Authorizations - Set all open authorization values to full authorization.

a) Choose the Status button.

b) Choose Execute (Enter) in the Assign Full Authorization of Subtree window.

6. Maintain Authorizations - Generate the authorization profile for your role.

a) Choose the Generate icon.

b) In the Assign Profile Name for Generated Authorization Profile window, accept the
proposed profile name and choose Execute (Enter).

c) Choose Back (F3) to return to the Change Roles screen.

7. Complete the maintenance of this role and return to the initial screen of transaction PFCG.
a) Choose Back (F3) to return to the initial screen of the Role Maintenance.

Task 3: Copy a Role

The following exercise is optional.

© Copyright. All rights reserved. 43

Unit 4: Working with the Role Maintenance

Use the role GR##_MM_IM_POST as a template to create the role GR##_MM_IM_POST1020.

To do this, choose the Copy Role icon and copy all settings from the template.

1. Create the role GR##_MM_IM_POST1020 as a copy of the role GR##_MM_IM_POST.

a) While still in the Role Maintenance transaction, enter the name for the role
GR##_MM_IM_POST in the Role field.

b) Choose Copy Role (Shift + F11).

c) Enter GR##_MM_IM_POST1020 in the to role field.

d) Choose Copy All (Enter).

e) Choose Change on the Role Maintenance screen.

2. Maintain Authorizations - Check the status of the authorization profile.

Check the status of the authorization profile in the information section of the tab page.
What is the status of the authorization profile?
_________________________________________________
a) Go to the Authorizations tab page.

b) Check the Status field on the Authorizations tab.

Status: Current version not generated.

3. Maintain Authorizations - Check the authorization values of the authorization profile.

Did the system copy the authorizations of the copy template?
_________________________________________________
a) Choose Change Authorization Data on the Authorizations tab.
Did the system copy the authorizations of the copy template?
Yes, they were copied too.

4. Maintain Authorizations - Assign only the value 1200 to the organizational level Plant.
a) Choose Organizational levels (Ctrl+F8).
Plants 1000, 1010, and 1020 have been copied

b) Delete the entries for plants 1000 and 1010.

c) Choose Save (Ctrl+S).

5. Maintain Authorizations - Generate the authorization profile for your role and check the
status of the authorization profile.
What is the status of the authorization profile?
_________________________________________________
a) Choose the Generate icon.

b) In the Assign Profile Name for Generated Authorization Profile window, accept the
proposed profile name and choose Execute (Enter).

c) Choose Back (F3) to return to the Change Roles screen.

d) Check the Status field on the Authorizations tab.

Status: Authorization profile is current.

© Copyright. All rights reserved. 44

 Solution 5: Maintain Role and Standard Roles

6. Complete the maintenance of this role and return to the initial screen of transaction PFCG.
a) Choose Back (F3) to return to the initial screen of Role Maintenance.

Task 4: Create a Role and Assign it to All Users

Create a role GR##_BC_PORTALS. The content of the role should be copied by choosing
From Other Role on the "Menu" tab page. This role should then be assigned to all “GR##*”
users and contain functions of general interest.

1. Start the role maintenance transaction and create the predefined role. Enter a short
description, and save.
a) While still in the Role Maintenance transaction, enter the name for the role
GR##_BC_PORTALS in the Role field.

b) Choose Create Single Role.

c) Under the Role Name, in the field Description enter General role for
communication, workflow, and so on.

d) Then choose Save (Ctrl+S) to save your role.

2. Go to the Menu tab page and copy the menu from the predefined role
SAP_BC_SRV_USER by selecting all transactions.
a) Go to the Menu tab page.

b) Choose From Menus → From Anther Role → Local.

c) Enter SAP_BC_SRV_USER in the Single Role field.

d) Choose Start Search.

e) Choose Copy.

f) Select all items and choose Add.

g) Then choose Save (Ctrl+S) to save your role.

3. Maintain Authorizations - Set all open authorization values to full authorization.

a) Go to the Authorizations tab page.

b) Choose Change Authorization Data.

c) Choose the Status button.

d) Choose Execute (Enter) in the Assign Full Authorization of Subtree window.

4. Maintain Authorizations - Generate the authorization profile for your role.

a) Choose the Generate icon.

b) In the Assign Profile Name for Generated Authorization Profile window, accept the
proposed profile name and choose Execute (Enter).

c) Choose Back (F3) to return to the Change Roles screen.

5. Assign the role to all users.

What is the status of the User tab page?
_________________________________________________

© Copyright. All rights reserved. 45

Unit 4: Working with the Role Maintenance

Assign your role to all users that you have created with the user name “GR##*”, with your
group ID (the users GR##-FI1, GR##-FI2, GR##-SD1, GR##-SD2, GR##-MM1, GR##-
MM2 should exist with the user group ZGR##, from another lesson of the SAP course
ADM940).
Check the settings for the user comparison (menu: Utilities → User Settings). Ensure that
a user master adjustment (record comparison) is automatically performed when you
save.
a) Check the status of the User tab page.
The User tab page is “red”, which means that no users have yet been assigned to this
role.

b) Go to the User tab page.

c) Assign the following users by entering the names into the User ID column.

User name

GR##-FI1
GR##-FI2
GR##-SD1
GR##-SD2
GR##-MM1
GR##-MM2

6. Save your role and perform a user comparison

What happens to the status of the "User" tab after you have saved.
__________________________________________________________
a) Choose Save (Crtl+S)
The status display of the tab page is yellow.

b) Choose User Comparison.

The user comparison enters the generated profiles for a role (if the validity period
includes today's date), and the role itself, in the user master record.

c) Choose Full Comparison on the Compare Role User Master Record window.
The Status field indicates: Comparison of user master record completed.

d) Choose Cancel (F12) on the Compare Role User Master Record window.
You can activate automatic user adjustment when saving a role by choosing
Utilities → User Settings and selecting the appropriate checkbox (Automatic User
Adjustment when Saving Role).
The status display of the tab page is green.

e) Choose Back (F3) to return to the Role Maintenance screen.

7. Assign the role ADM940_PLUS to all of your users (“GR##-*”).

Save your user assignments, and perform a master record comparison.

© Copyright. All rights reserved. 46