portal roles and authorizations

PRTL152: Portal Roles and Authorizations

Soledad Alvarado, SAP Labs, LLC. Vera Gutbrod, SAP AG Julia Levedag, SAP AG Elke Speliopoulos, SAP Labs, LLC

Learning Objectives

As a result of this workshop, you will be able to:Understand the two role concepts in SAP NetWeaver Understand the concept of portal roles and authorizations for backend systems Understand the concept of Portal permissions Understand the concept of User Management Permissions in the Portal environment

SAP AG 2004, SAP TechEd / PRTL152 / 3

Role Concepts in SAP NetWeaver Authorization Concepts Roles Upload to SAP Enterprise Portal Portal Roles Distribution to the Backend System Portal Roles and User Management Roles Gotchas and Key Points

SAP NetWeaver Powers mySAP Solutions Role-specific, Easy Access to All Systems

Manager Self Service Role (SAP ERP)

Employee Self Service Role (SAP ERP)


SAP NetWeaver Portal Infrastructure

Role-based,

Sales Manager

Line Manager

Business Developer

secure

Authentication

and web-based

SAP Enterprise Portal 6.0

Single Sign On

access to any kind of applications, information and services

ERP

CRM

Docs**covered by KM


Portal Role Concept: Why Create Roles?By creating roles are you able to assign different pieces of content to different groups of users. Role 1Group 1 User 1

Role 2Group 2

Content 1

Content 2

Content 3

Content 4

Content 5


Main Role Concepts in SAP NetWeaver

SAP Enterprise Portal

Portal Roles

Roles in ABAP-based Systems (Roles in Transaction PFCG)Single and Composite Roles in ABAP-based Systems


Roles in ABAP-Based SystemsA role is a collection of activities and functions that describes a certain work area of an SAP application. Roles are objects for generating authorizations so that the user can access the transactions, reports etc. contained in the SAP menu. The menus available to users after logon are implemented with roles (SAP Easy Access menu). There are single roles and composite roles. Roles are assigned to users.Role XYZ Transaction TA1 Transaction TA2 Transaction TA3 Report zzz Web Link 1 Web Link 2


Portal RolesA portal role is a container for applications and information that can be assigned to a particular group of users. The content of a role enables users to perform the tasks in their respective job description. The content of a portal role is based on the company structure and on the information needs of the portal users in the company. The portal navigation structure is defined by the sum of the roles assigned to the user. Technically, a role is a hierarchy of folders containing other portal content objects. Roles can be assigned to users or groups of users, i.e. the portal role connects users (or groups of users) to the portal content. Worksets are introduced as a new layer in a role hierarchy. User Group 1 User Group 2 Role Assignment

Role A


Portal Roles

Role Roles are the largest semantic units within content objects. They include folder hierarchies consisting of folders, worksets, pages and iViews. The role structure also defines the navigation structure of the portal. Roles are assigned to users.

Workset

iViews and Pages

Folder

Page

iView


ABAP Roles and Portal Roles: A Comparison (1)I. Contents of RolesABAP RolesThe content of a role always refer to a single SAP application.

Portal RolesThe content of portal roles do not depend on SAP applications, but may include them. They contain different kinds of information (heterogeneous content types). The role content depends on the company structure and the core processes of the company. They are complete job descriptions, not limited to objects of SAP Systems.

The role content depends on the users tasks in the SAP system.

II. What is defined by Roles?ABAP RolesSAP Easy Access Menu

Portal RolesTop-level navigation and detailed navigation


ABAP Roles and Portal Roles: A Comparison (2)III. Types of RolesABAP RolesThere are single and composite roles. Composite roles are optional.

Portal RolesRoles are not divided into different role types. The portal introduces the concept of "worksets.

IV. Administration EnvironmentABAP RolesAll actions connected with roles are performed in transaction PFCG: role creation and maintenance, role/user assignments and authorization generations.

Portal RolesRole administration by different webbased tools in the Portal administration environment.


ABAP Roles and Portal Roles: A Comparison (3)V. AuthorizationsABAP RolesRoles (single roles) carry the authorization information. Roles are authorization objects. The profile generator is part of role administration in Transaction PFCG.

Portal RolesA portal role is mainly a content object and not an authorization object. Portal roles cannot be used in the portal environment to create authorizations for the backend systems. Authorizations must still be maintained in the backend systems.


SAP Enterprise Portal as a Component of SAP NetWeaver Combines the Different Role Concepts Both roles concepts can be combined in the portal environment.

Conversion of ABAP-roles and their content into portal content objects

Roles in ABAPbased Systems

Portal Roles

Transfer of portal roles to the ABAPbased system in order to maintain the missing authorizations



Overview: Roles in the SAP NetWeaver EnvironmentEnd User Navigation Top Level Navigation User Management Definition Detailed Navigation Portal Content (Portal Content Directory)

Users User Groups

Assignment

Portal Assignment ROLES Roles ACLs

Worksets Pages iViews

Upload

Authorization Generation

Roles from ABAP based backend systems


SAP Enterprise Portal as the Leading SystemThe SAP Enterprise Portal can be used as the leading system for: Role creation Role maintenance Role/user assignment All tasks concerning content creation and user assignment can all be done at one place, and this is the SAP Enterprise Portal

Authorization generation must be done in the backend system !


Portal Roles and AuthorizationsIn SAP Enterprise Portal you maintain and create the role definitions. However you do not generate authorization profiles necessary for the backend system in the portal environment.

Enterprise Portal

Role Definition

If portal roles contain transactions and other objects that access objects in ABAP-based backend systems, you must still generate the authorization profiles in the backend system.

SAP Systems

Enterprise Apps

CM Systems

Others

Authorizations

Both SAP Enterprise Portal and the backend system have tools and functions that permit you to link the portal role with the ABAP authorization concept and to link the authorization profile in the backend system with the portal role concept. SAP AG 2004, SAP TechEd / PRTL152 / 19

Portal Content and Authorizations in the Backend System PortalContent objects from ABAP- based systems can be converted to Portal content objects. From now on object creation and maintenance is done in the Portal! Role/User assignment can also be migrated to the Portal From now on role/user assignment is done in the Portal!

Backend System Authorization must be maintained! Assignments roles to users should be synchronous with assignments in the Portal. SAP AG 2004, SAP TechEd / PRTL152 / 20


How to Migrate ABAP Roles and Their Content to SAP Enterprise Portal? Role Upload Tool in SAP Enterprise Portal

SAP Enterprise PortalPortal Role and Portal Content Objects + role/user assignment

ABAP-Based SAP System(Role Development System) Authorization Profiles

Migrated role and included objects + role/user assignments

Initial Role Upload

Single Role/ Composite Role

Included objects: transactions, MiniApps etc. and role/user assignments SAP AG 2004, SAP TechEd / PRTL152 / 22

Role Upload: AvailabilityFunctionality is available for:EP 6.0 SP2 Patch 4 (on Web AS 6.20) SAP NetWeaver 04 Support Package Stack 04 (EP on Web AS 6.40)


Features of Role UploadUser assignment can be uploaded to the Portal. Included services (MiniApps or transactions) are converted to iViews. First level folders can be set as entry point in the top-level navigation

When objects are uploaded again, you can define whether or not existing objects should be overwritten. SAP AG 2004, SAP TechEd / PRTL152 / 24

Single and composite roles are converted as either Portal roles or worksets with the corresponding menu hierarchy.

Prerequisites System RequirementsThe following requirements must be fulfilled before you can upload objects to the portal from SAP backend system:Import the SAP Enterprise Portal Plug-In 6.0You must import the SAP EP Plug-In 6.0 into each backend system from which you want to perform an upload. Only then are all the necessary functions for the upload available. For a Workplace system landscape, this means that you must import the plug-in to both the Workplace Server and all the component systems from which you want to upload objects.

Authorizations in the backend systemIn the backend system you need the authorization S_RFC for function group PWP2.

Configuration of the system landscape in EPIn the portal system landscape, you must create a system for each backend system from which you upload objects. You must define a connection to the backend system for this system.


Converted ObjectsConverted objects can be used as Portal objects in order to build portal content.ABAP-based SAP System SAP Enterprise Portal

Single Role R01 Transaction TA1 Transaction TA2 Transaction TA3 Report R01 Web Link W1 Web Link W2

Portal Role R01 iView TA1 iView TA2 iViews TA3 iView R01 iView W1 iView W2

The role/user assignment of a role can also uploaded to the portal. You therefore do not have to make this assignment again in the portal. An uploaded role is automatically assigned to a portal user. Prerequisite: backend user must have a corresponding user in the Portal. SAP AG 2004, SAP TechEd / PRTL152 / 26

Object Storage in Portal Catalog

Migrated and converted objects can be found in the Portal Catalog in a special folder Portal Content -> Migrated Content -> SAP Component Systems.


Working with Migrated Roles in the Portal (1)Single and composite roles have no pages. Therefore pages with iViews must be defined and assigned to the roles. Role hierarchy and navigation structure must be adjusted. The original migrated roles represent the menu of an ABAP-based SAP system and therefore could have deep navigation structures. It makes sense to remove unnecessary navigation levels. The top-level navigation must be checked. Single and composite roles often list more than 10 entries on the first level of their navigation structure. A 1:1 conversion in the portal would mean that the top-level navigation would be incomprehensibly large.


Working with Migrated Roles in the Portal (2)Preliminary consideration should be given as to where the right place for an ABAP role within a portal role structure is. In certain use cases it may be beneficial to migrate roles to worksets and assign them to a portal role. Sometimes it is better to migrate only single services (transactions) rather than a complete role. In the Portal administration environment these services can be grouped in a different way in a new role structure.


All Content is Created and Maintained in the Portal!iView Studio: www.iviewstudio.comDownload of Business Packages containing Portal Content

Portal Portal Content

ABAP-Based System 2Upload and Conversion of Content Objects

Roles Worksets Pages iViewsUpload and Conversion of Content Objects

Upload and Conversion of Content Objects

ABAP-Based System 1

ABAP-Based System 3 SAP AG 2004, SAP TechEd / PRTL152 / 30

Demo

Demo and Exercise Part I



How to Maintain Authorizations for Portal Content Objects? Role Distribution to the Backend System Enterprise PortalRole/user assignment Portal Role Included objects: iViews accessing transactions, MiniApps etc. in the backend system

ABAP-based SAP SystemRole/user assignment Generated authorization role List of transactions, etc.

Repetitive Authorization Generation

Authorization data

Generated auth. profiles

Generated authorizations


Role Distribution in DetailABAP-based SAP System Responsible for Creation of Authorization Roles Portal Role A

SAP Enterprise Portal Portal Role A Folder 1iView A Transaction T1 ---> System 1 iView B Transaction T2 ---> System 1 iView C Transaction T3 ---> System 2

System 1

Auth. Role A_1: T1, T2, T6 Auth. Role A_2: T1, T2, T6

Folder 2iView D Transaction T4 ---> System 2 iView E Transaction T5 ---> System 2 iView F Transaction T6 ---> System 1

System 2

Auth. Role A_3: T3, T4, T5 Auth. Role A_4: T3, T4, T5


Authorizations in ABAP-based Systems: OverviewThe following functionality is provided:Distribution of portal role definition from portal to backend systems Creation of corresponding authorization roles in backend system Update/change of user assignment

A tool in the Portal System Administration role enables the system administrator toTransfer role definition to an ABAP-based backend system Transfer role/user assignments to an ABAP-based backend system Report on transfer processes

Transaction WP3R in the ABAB-based system enables the administrator to create authorization roles on the basis of portal rolesTransaction WP3R: Follow up processes for portal roles Transaction WP3R is included in the Enterprise Portal Plug-In


Transfer of Portal Roles and User Assignments

Step 1: Transfer portal role information to a dedicated backend system SAP AG 2004, SAP TechEd / PRTL152 / 36

Step 2: Transfer portal user assignment to a dedicated backend system

Roles Distribution (1)

Select the system to which data shall be transferred

Select the roles that are to be transferred

The following data will be included: Role name including the logical system name Dependent transactions and services Metadata of the content objects SAP AG 2004, SAP TechEd / PRTL152 / 37

Transaction WP3R: Follow-up Process for Portal Roles (2)

ABAP-based SAP SystemTransaction WP3R SAP AG 2004, SAP TechEd / PRTL152 / 38

Transaction WP3R: Generation of Authorization Roles (3)


Transaction WP3R: Authorization Profile Generation (4)


Role/User Assignment Distribution (1)

The user ID will be transferred to the backend system. If user mapping is used, the mapped User ID will be published to the backend system.


Transaction WP3R: Follow-Up Process for Role Assignment (2)

ABAP-based SAP SystemTransaction WP3R SAP AG 2004, SAP TechEd / PRTL152 / 42

Transaction WP3R: Authorization Role Assignments (3)


Scenario: Role Distribution from EP 6.0 to ABAP-based SystemsSAP 4.6B Development System Creation of Authorization Role Role Transport SAP 4.6B Quality Assurance System Test of Authorization Role

Distribution of Role Definition

Role Transport SAP 4.6B Productive System (SAP CUA or component system) User Assignment Distribution of Role User Assignments

Role Definition User Assignment EP 6.0


Demo

Demo and Exercise Part II



Authorizations & Portal Roles + ACLs & UME RolesPFCG Roles and AuthorizationsBackend Authorizations Part of ABAP Roles Maintained in ABAP System Maintained in EP Content Administration Area Provide Navigation and Access to EP Content and Components

Portal RolesPCD Objects

ACLsMethodology to define permissions for EP objects Maintained in EP System Administration Area Provide End User Access and various levels of Administration access for portal objects.

UME RolesUME Objects

Maintained in User Admin WebConsole Provide Access to JAVA components

Grant access to ABAP objects


Preconfigured EP Administration RolesRoleSuper Administrator

Functionassigned to initial SAP* User Full Control access on whole Portal Content Catalog Tree Access on all admin tools of Content Administrator Role of System Administrator Role of User Administration Role

Content Administrator

access on all Content Administration tools for creation of roles, worksets, pages, iViews, layouts access on all editors to maintain content e.g. Permission Editor, Property Editor access on all parts of tree hierarchy of Portal Content Catalog if the right ACLs have been defined

System Administrator

access on all tools for system administration such as system configuration, transports, permissions, monitoring, support, portal display access on all parts of tree hierarchy of Portal Content Catalogs if the right ACLs have been defined

User Administrator

access on all tools for user administration to create and maintain users, administrate the role-user assignment, user mapping administration, user Replication, Group administration, etc.


Admin Roles and Portal Content ObjectsSuper admin Content admin 1 Content admin 2 Content admin 3 System admin 1 System admin 2 System admin 3 + ACL + ACL + ACL + ACL + ACL + ACL

Content administrators are responsible for content objects in the Portal Catalog.ACLs define the access and allowed action for content objects like folders, roles, worksets, pages, iViews and templates.

System administrators are responsible for system administration tasks and objects.ACLs define the access and allowed actions for objects like transport packages or systems.

User admin 1 User admin 2 User admin 3

Set Role Set Role Set Role

User administrators are responsible for users related tasks.Role-User Assignment can be controlled by permissions set for user management role.


Permissions and Delegated AdministrationThe concept of permissions is connected with the principles of delegated administration! Delegated Administration means to distribute administration tasks within an organization. You have to distribute and control...Administration and maintenance of content like portal roles Administration and maintenance of system configuration like UM configuration, monitoring configuration, service configuration, etc. Administration and maintenance of user information (e.g. Users, Groups, User-Role Assignment, ...)

Delegated Administration is realized by different tools like...Predefined customizable administration roles ACLs on folder hierarchies in the portal content catalog Special UME permissions on the User Administration role


Delegated Administration Scenario DiagramPermission Editor Portal Catalog Project 1 User management Content Roles Role A Role B Full Control Permission On Role A John Johns Interface of Portal Content Studio John has access to the Content Studio interface since he is assigned to the content administration role. He can edit only Role A according to the permission he got in the permission editor. Role List Content Administration

Assigned to Role Content Administration

Portal Content Studio Portal Catalog Role A Role Editor


Design Time Permission (Administration)Portal CatalogNONE READ

Create/ Delete ObjectsFolder & objects not visible Create from Templates with READ permission

Edit ObjectsFolder & objects not visible Folder & objects visible Copy objects No Edit Folder & objects visible Edit object properties Edit assigned delta links Folder & objects visible Edit object properties Edit assigned delta links Folder & objects visible Edit object properties Edit assigned delta links Edit permissions

Worksets Pages SystemsACL Check on Folder Level and on Object Level READ/ WRITE

No delete! Create from Templates with READ permission Delete objects Create from Templates with READ permission Delete objects Create from Templates with READ permission

FULL CONTROL

Administrator Permissions Check during creation process for objects Check when accessing objects

OWNER


Runtime Permissions (End User)Personalize PageUSE

NavigationNavigation iViews (TLN, detailed navigation, Drag&Relate targets, related links) only display roles and objects that have end-user permission. For display of objects in navigation the ACL is checked on the object level. Direct URL access to a component: Users may access portal components through URL without an intermediate iView if they are granted USE permission in the appropriate security zone. Direct access to an iView USE permission is required

PersonalizationUser Interfaces in the end user environment that display the portal content catalog (such as personalize page) only display objects that have end user permission.

Worksets Pages SystemsACL Check on Folder Level and on Object Level

End User Permissions Check for Navigation Check for in Personalize Page Component Check if calling component via URL


Demo

Demo and Exercise Part III


Role Concepts in SAP NetWeaver Authorization Concepts Roles Upload to SAP Enterprise Portal Portal Roles Distribution to the Backend System Gotchas and Key Points More Information

Gotchas and Other Good to Knows (1)

Uploading Roles From Backend Systems:Make sure users for whom you want to transfer assignments are identical in both, SAP EP and backend system. If you have complex back-end roles, remember the number of entry points you may be creating by setting the Select first folder level as entry point flag. In that case, it may be better to unselect the option. Make sure that you wait for status: Finished to indicate the role has been completely transported. Roles with deep navigation structure may take additional time to transport.


Gotchas and Other Good to Knows (2) Distributing the Portal Role to the Backend System:In order for the tool to access the logical systems, make sure there is an entry in the Table WP3ROLESYS pointing to the logical system name. Transaction SCC4 shows the client information of the backend system and via double click, the logical system name can be found. Use transaction SE16 for viewing and creating entries in the table. Make sure that you have the authorization S_RFC for function group PWP2 in the backend system. Use Transaction WP3R (which is included in the EP 6.0 Plug-In) to view the role and authorizations instead of PFCG. (Note: Due to organizational structures, some of these tasks may fall into the responsibility of an SAP System Administrator)


Role Concepts in SAP NetWeaver Authorization Concepts Roles Upload to SAP Enterprise Portal Portal Roles Distribution to the Backend System Gotchas and Key Points More Information

Further InformationPublic Web:www.sap.com SAP Developer Network: http://sdn.sap.com SAP HELP Portal: http://help.sap.com/nw04 Enterprise Portal

Related SAP Education Training Opportunitieshttp://www.sap.com/education/

Related Workshops/Lectures at SAP TechEd 2004SCUR01, User Management and Authorizations: Overview, Lecture SCUR351, User Management and Authorizations: the Details, Hands-On


SAP Developer NetworkLook for SAP TechEd 04 presentations and videos on the SAP Developer Network. Coming in December. http://www.sdn.sap.com/


Questions?

Q&A SAP AG 2004, SAP TechEd / PRTL152 / 61

Copyright 2004 SAP AG. All Rights ReservedNo part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP AG 2004, SAP TechEd / PRTL152 / 62

portal roles and authorizations

Documents