Security Guide SAP Solution Manager 7.1

Upload: casper5521

Post on 14-Apr-2018


  • 7/27/2019 Security Guide SAP Solution Manager7.1

    1/28

    Business & Authorization Roles

    Applicable Releases:

    SAP Solution Manager 7.1 SPS 01

    SAP Solution Manager Scenarios:

    Incident Management

    Change Request Management

    Version 1.0

    April 2011

    Copyright 2011 SAP AG. All rights reserved.

    No part of this publication may be reproduced or

    transmitted in any form or for any purpose without the

    express permission of SAP AG. The information contained

    herein may be changed without prior notice. Some software products marketed by SAP AG and its

    distributors contain proprietary software components of

    other software vendors.

    Microsoft, Windows, Outlook, and PowerPoint are

    registered trademarks of Microsoft Corporation.

    IBM, DB2, DB2 Universal Database, OS/2, Parallel

    Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390,

    OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,

    Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix,

    i5/OS, POWER, POWER5, OpenPower and PowerPC are

    trademarks or registered trademarks of IBM Corporation.

    Adobe, the Adobe logo, Acrobat, PostScript, and Reader

    are either trademarks or registered trademarks of Adobe

    Systems Incorporated in the United States and/or other

    countries.

    Oracle is a registered trademark of Oracle Corporation.

    UNIX, X/Open, OSF/1, and Motif are registered

    trademarks of the Open Group.

    Citrix, ICA, Program Neighborhood, MetaFrame,

    WinFrame, VideoFrame, and MultiWin are trademarks or

    registered trademarks of Citrix Systems, Inc.

    HTML, XML, XHTML and W3C are trademarks or

    registered trademarks of W3C, World Wide Web

    Consortium, Massachusetts Institute of Technology.

    Java is a registered trademark of Sun Microsystems, Inc.

    JavaScript is a registered trademark of Sun Microsystems,

    Inc., used under license for technology invented and

    implemented by Netscape.

    MaxDB is a trademark of MySQL AB, Sweden.

    SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP

    NetWeaver, and other SAP products and services

    mentioned herein as well as their respective logos are

    trademarks or registered trademarks of SAP AG in

    Germany and in several other countries all over the world.

    All other product and service names mentioned are the

    trademarks of their respective companies. Data contained

    in this document serves informational purposes only.

    National product specifications may vary.

    These materials are subject to change without notice.

    These materials are provided by SAP AG and its affiliated

    companies ("SAP Group") for informational purposes only,

    without representation or warranty of any kind, and SAP

    Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP

    Group products and services are those that are set forth in

    the express warranty statements accompanying such

    products and services, if any. Nothing herein should be

    construed as constituting an additional warranty.

    These materials are provided as is without a warranty of

    any kind, either express or implied, including but not

    limited to, the implied warranties of merchantability,

    fitness for a particular purpose, or non-infringement.

    SAP shall not be liable for damages of any kind including

    without limitation direct, special, indirect, or consequential

    damages that may result from the use of these materials.

    SAP does not warrant the accuracy or completeness of the

    information, text, graphics, links or other items contained

    within these materials. SAP has no control over the

    information that you may access through the use of hot

    links contained in these materials and does not endorse

    your use of third party web pages nor provide any warranty

    whatsoever relating to third party web pages.

    SAP NetWeaver How-to Guides are intended to simplify

    the product implementation. While specific product

    features and procedures typically are explained in a

    practical business context, it is not implied that those

    features and procedures are the only approach in solving a

    specific business problem using SAP NetWeaver. Should

    you wish to receive additional information, clarification or

    support, please refer to SAP Consulting.

    Any software coding and/or code lines / strings (Code)

    included in this documentation are only examples and are

    not intended to be used in a productive system

    environment. The Code is only intended to better explain and

    visualize the syntax and phrasing rules of certain coding.

    SAP does not warrant the correctness and completeness of

    the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except

    if such damages were caused by SAP intentionally or

    grossly negligent.

    Disclaimer

    Some components of this product are based on Java. Any

    code change in these components may cause unpredictable

    and severe malfunctions and is therefore expressively

    prohibited, as is any decompilation of these components.

    Any Java Source Code delivered with this product is only

    to be used by SAP's Support Services and may not be

    modified or altered in any way.

    Document History

    Document Version Description

    1.00 First official release of this guide

    Typographic Conventions

    Type Style: Description

    Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.

    Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

    Example text: File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

    Example text: User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.

    Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

    EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

    Icons

    Icon Description

    Caution

    Note or Important

    Example

    Recommendation or Tip

    Table of Contents

    1. General Information
    2. Prerequisites
    3. Overview of SAP Standard Roles
    3.1 Business Role SOLMANPRO
    3.2 Standard Authorization Roles
    3.3 How to Enable the Standard Authorization Concept
    3.3.1 Assign Business Role SOLMANPRO to System Users
    3.3.2 Authorization Roles Set-up
    4. How to Adapt a Business Role
    4.1 Define a Customer specific Business Role
    4.2 Create a Role Configuration Key
    4.3 Create a Navigation Bar Profile
    4.3.1 Visibility of Customer specific Navigation Bar Links
    4.4 Define a Layout Profile
    4.5 Create a Technical Profile
    4.6 Assign an Authorization Role
    4.7 Assign a Function Profile
    5. How to Assign Users to a Business Role
    5.1 Assignment via Authorization Role
    5.2 Organizational Assignment
    5.3 Assignment via User Parameter
    6. How to Adapt Authorization Roles
    6.1 Copy an Authorization Role
    6.1.1 Copy a Composite Authorization Role
    6.1.2 Copy a Single Authorization Role
    6.2 Adapt an Authorization Profile
    6.3 Assign Users to an Authorization Role

    How to Adapt Business & Authorization Roles

    April 2011 1

    1. General Information

    To set up the SAP WebClient for your system users you need business roles and authorization roles. Using

    different business roles enables you to tailor the system for its users individually in terms of profiles, screens, set of functionalities and authorizations.

    This guide provides information on how to set up authorization roles and business roles for the different users

    of the SAP WebClient.

    2. Prerequisites

    installed and running Solution Manager 7.1 SPS 01

    For more information, please see the SAP Solution Manager Installation Guide available in SAP

    Service Marketplace.

    The following SAP Notes are relevant for the preparation of the SAP WebClient usage:

    o 1115493 - CRM Web UI: Mandatory SICF services for CRM framework

    o 1144511: System parameters required for CRM WebClient

    o 1244321: Activation of detailed CRM WebClient error analysis during the development phase

    o 824554: ICM timeout errors

    SAP Solution Manager admin user

    3. Overview of SAP Standard Roles

    This chapter provides an overview on the relevant SAP standard roles required for the configuration of the

    SAP WebClient and the set-up of an authorization concept.

    The business role SOLMANPRO and the authorization roles are only intended to be used as a template for

    Best Practices scope. The roles have to be validated and adapted to the specific customer requirements.

    SAP recommends copying the business role SOLMANPRO and the authorization roles into the customer

    naming space which must begin with Z or Y. This will ensure that changes will not be overwritten in case

    of an upgrade.

    3.1 Business Role SOLMANPRO

    Use the business role SOLMANPRO to control the navigation bar and logical links in the SAP WebClient. Via

    this role you can define the structure of the navigation bar and which links are available on the Work Center pages and the Direct Link group.

    A work center describes and provides access to business content. The work center page is a collection of

    logical links for business content which are organized in link groups. Direct link group is part of the navigation

    bar and provides direct access to specific business content with one click. Logical links can be used in direct

    link groups, second level navigation or on work center pages.

    The figure below provides an overview of the previously described elements of the SAP WebClient screen.

    3.2 Standard Authorization Roles

    Authorization roles (also called PFCG roles) are used to implement a comprehensive security concept. Via

    authorization roles you protect the SAP system against unauthorized access at database, network and frontend level.

    The following composite roles are relevant for the Incident Management scenario:

    SAP_SUPPDESK_ADMIN_COMP: contains single roles relevant for Service Desk administrators

    SAP_SUPPDESK_PROCESS_COMP: contains single roles relevant for Service Desk processors

    SAP_SUPPDESK_CREATE_COMP: contains single roles relevant for Service Desk key users

    For a detailed description of the Incident Management authorization roles, please refer to the Security

    Guide for SAP Solution Manager. This guide is available in SAP Service Marketplace.

    For more information on authorizations and authorization objects, please refer to SAP Note

    1436270.

    3.3 How to Enable the Standard Authorization Concept

    This chapter provides information on how to enable the standard authorization concept in case that you are

    going to use the standard and do not intend to change it.

    If you need to adapt the roles to your business requirements, you should copy them into the customer

    naming space to ensure that changes will not be overwritten during upgrade. In this case, please proceed

    as described in chapter 4 and 6.

    3.3.1 Assign Business Role SOLMANPRO to System Users

    SAP Solution Manager users need the business role SOLMANPRO to get access to the SAP WebClient and

    be able to use it. The role SOLMANPRO is assigned to the PFCG role SAP_SM_CRM_UIU_SOLMANPRO. This means that users who are assigned to this authorization role will also have SOLMANPRO assigned.

    To assign the role SAP_SM_CRM_UIU_SOLMANPRO to system users, please do the following:

    1. Start transaction PFCG.

    2. Enter the role name in the corresponding field and choose Change, as shown in the next figure.

    3. Go to the tab User.

    4. Enter the user ID in the table User Assignments.

    You can include several users at the same time, for example, all users in a particular user group or all

    users in the SAP System. To do this, first choose Selection and then additional value selection

    pushbuttons.

    5. Save your settings.

    3.3.2 Authorization Roles Set-up

    This section uses an example to explain how to configure a standard authorization role. It provides step-by-step

    instructions on how to set up the standard composite role SAP_SUPPDESK_PROCESS_COMP which

    contains authorizations for the Service Desk Message Processor.

    3.3.2.1 Generate Authorization Profiles

    In this step, you have to generate the authorization profiles of the single roles contained in the composite role

    SAP_SUPPDESK_PROCESS_COMP.

    You do not need to perform the following instructions for the roles SAP_SMWORK_INCIDENT_MAN and

    SAP_SM_CRM_UIU_SOLMANPRO as they do not contain any active authorization objects.

    1. Start transaction PFCG.

    2. Enter the role name SAP_SUPPDESK_PROCESS_COMP in the corresponding field and choose

    Change.

    3. Go to the tab Roles where all single roles are listed.

    4. Double-click a role to access it (e.g. SAP_SMWORK_BASIC_INCIDENT). The role will open in

    a new session.

    5. In the new window, choose Display Change to switch to Edit mode.

    6. Go to the tab Authorizations and choose Change Authorization Data, as shown in the next figure.

    7. Choose Generate to create the authorization profile of the role, as shown in the figure below.

    8. Choose the Back button and afterwards save your settings.

    9. Repeat steps 4-8 for the rest of the roles contained in the composite role.

    3.3.2.2 Assign Users

    In this step, you assign users to the composite role.

    1. Start transaction PFCG.

    2. Enter the role name (SAP_SUPPDESK_PROCESS_COMP) in the corresponding field and choose

    Change.

    3. Go to the tab User.

    4. Enter the user ID in the table User Assignments.

    You can include several users at the same time, for example, all users in a particular user group or all

    users in the SAP System. To do this, first choose Selection and then additional value selection

    pushbuttons.

    5. Save your settings.

    3.3.2.3 Execute User Comparison

    After you have assigned system users to the composite role, you must execute user comparison. Please do

    the following:

    1. In the composite role definition, go to the tab User.

    2. Choose User comparison to compare the user master record, as shown in the figure below.

    4. How to Adapt a Business Role

    This chapter explains how to adapt a business role according to your business requirements.

    The next figure provides an overview on the profiles assigned to a business role.

    A business role has the following profiles assigned:

    Navigation Bar Profile

    o Assignment of work centers, work center link groups, direct link groups and logical links

    Layout Profile

    o Layout of the navigation frame, which includes header and footer area, work area and navigation bar

    Technical Profile

    o Assignment of specific technical settings, e.g. disable the support of the browser's Back button or frame swapping (reduce noticeable screen flickering)

    Function Profile

    o Assignment of additional functional areas, e.g. links that appear in the navigation bar or used reporting framework (SAP BI or Interactive Reporting).

    Role Configuration Key

    o Assignment of adapted UI views (e.g. add/move/rename field) by using the UI configuration tool

    A PFCG Role ID is used to assign users to the business role.

    SAP recommends you to use the business role SOLMANPRO and its profiles as templates for your new

    business role. You should copy them into the customer naming space which must begin with Z or Y. The

    recommended name for the new business role is ZSOLMANPRO.

    4.1 Define a Customer specific Business Role

    Use the standard business role SOLMANPRO as template to define the new business role:

    1. Start transaction SPRO and go to IMG activity Define Business Role.

    2. Highlight the business role SOLMANPRO and choose Copy As, as shown in the figure below.

    3. Choose copy all.

    4. ENTER.

    5. Save your settings.

    The new business role ZSOLMANPRO should look like this:

    After you copied the role SOLMANPRO, you have to copy and adapt the profiles/keys, as described in the

    next sections of this chapter:

    4.2 Create a Role Configuration Key

    ...

    The role configuration key is a unique identifier used in the configuration of views for the SAP WebClient.

    Certain changes can be stored under a role configuration key. For instance, a view can be configured for a

    specific configuration key, where fields are removed or renamed compared to the original. This role

    configuration key is also assigned to the business role to identify the configuration that is to be used for this

    role.

    So only users whose assigned business role carries the right key will see the configuration

    changes in the SAP WebClient. For all other users no changes will be visible. Thus, the role configuration key

    provides the possibility of a role-dependent view configuration.

    To create a role configuration key, please do the following:

    1. Start transaction SPRO and go to IMG activity Define Role Configuration Key as shown below.

    2. Choose New Entries, as shown below.

    3. Add a new role configuration key, e.g. ZSOLMANPRO.

    4. Save your settings.

    After you created the new role configuration key, you must assign it to the business role which you have

    defined before. You can do this in the IMG activity Define Business Role as shown below.

    4.3 Create a Navigation Bar Profile

    A navigation bar profile is a collection of logical links, work centers, work center link groups and direct link

    groups.

    Use the standard navigation bar profile SOLMANPRO as template to define the structure of your navigation

    bar:

    1. Start transaction SPRO and go to IMG activity Define Navigation Bar Profile.

    2. Highlight the navigation bar profile SOLMANPRO and choose Copy As (recommended name for the

    new navigation profile is ZSOLMANPRO).

    3. Choose copy all.

    If you get warning messages for the section Define Generic Outbound Plug Mappings during the copy process, choose Skip.

    4. Save your settings.

    Now you are able to adapt your navigation bar profile. In the IMG activity Define Navigation Bar Profile, you

    get access to the shared lists of all logical links, work centers, work center link groups and direct link groups.

    Furthermore, you can define navigation bar specific customizing, such as assignment of work centers and

    direct link groups.

    Choose Assign Work Centers To Navigation Bar Profile to specify which work centers should be part of the

    navigation bar (e.g. ZSOLMANPRO), as shown in the example below.

    Work centers can be activated or deactivated within a business role via the IMG activity Define Business

    Role. Highlight your business role (e.g. ZSOLMANPRO) and choose Adjust Work Centers. The column

    Inactive controls the visibility of a work center.

    Choose Assign Direct Link Groups To Nav. Bar Profile to specify which direct link groups should be part of the

    navigation bar, as shown in the example below. In this example the direct link group SM-CREATE is assigned

    to the navigation bar profile ZSOLMANPRO.

    Direct link groups and direct links can be set to visible or invisible within a business role via the IMG

    activity Define Business Role. Highlight your business role (e.g. ZSOLMANPRO) and choose Adjust Direct

    Link Groups to define which direct link groups should be visible or choose Adjust Direct Links to specify

    which direct links should be visible within a direct link group.

    For more information on navigation bar customizing, please refer to the documentation of the IMG activity

    Define Navigation Bar Profile.

    After you created the new navigation bar profile, you must assign it to the business role which you

    have defined before. You can do this in the IMG activity Define Business Role.

    4.3.1 Visibility of Customer specific Navigation Bar Links

    Once you copied the standard Navigation Bar Profile you must activate the links specifically within the

    customizing of the Business Role. To do so, navigate through the structure Define Business Role ->

    Adjust Direct Link Groups -> Adjust Direct Links. The column Visible controls the links displayed in the

    CRM WEB UI.

    The example below shows customer specific customizing according to direct links shown in the CRM WEB

    UI.

    Direct Links shown in the CRM WEB UI:

    4.4 Define a Layout Profile

    Use the standard layout profile CRM_UIU_MASTER as template to define the layout of the header and footer

    area, work area and navigation bar:

    1. Start transaction SPRO and go to IMG activity Define Layout Profile as shown below.

    2. Highlight the layout profile CRM_UIU_MASTER and choose Copy As (recommended name for the

    new layout profile is ZCRM_UIU_MASTER).

    3. Choose copy all.

    4. Save your settings.

    Now you are ready to adapt the layout profile according to your business needs. For more information, please

    refer to the documentation of the IMG activity Define Layout Profile.

    After you created the new layout profile, you must assign it to the business role which you have defined

    before. You can do this in the IMG activity Define Business Role.

    4.5 Create a Technical Profile

    Use the standard technical profile DEFAULT_SOLMAN as template to define your custom technical profile:

    1. Start transaction SPRO and go to IMG activity Define Technical Profile as shown below.

    2. Highlight the technical profile DEFAULT_SOLMANPRO and choose Copy As (recommended name

    for the new technical profile is ZDEFAULT_SOLMANPRO).

    3. Choose copy all.

    4. Save your settings.

    Now you are ready to adapt the technical profile according to your business needs. For more information,

    please refer to the documentation of the IMG activity Define Technical Profile.

    After you created the new technical profile, you must assign it to the business role which you have defined

    before. You can do this in the IMG activity Define Business Role.

    4.6 Assign an Authorization Role

    The authorization role is used to assign users to the business role. As default, the business role SOLMANPRO

    is assigned to the authorization role SAP_SM_CRM_UIU_SOLMANPRO.

    SAP recommends you to copy the role SAP_SM_CRM_UIU_SOLMANPRO into the customer naming

    space which must begin with Z or Y.

    The recommended name for the new authorization role is ZSAP_SM_CRM_UIU_SOLMANPRO.

    For more information on how to copy an authorization role, please refer to chapter 6 of this guide.

    After you created the new authorization role, you must assign it to the business role which you have

    defined before. You can do this in the IMG activity Define Business Role.

    4.7 Assign a Function Profile

    Function Profiles define special functions, such as the level of personalization, or the working context. Via the

    IMG activity Define Business Role you can assign function profiles to your business role.

    For more information on how to assign function profiles to business roles, please refer to the documentation of

    the IMG activity Define Business Role.

    For detailed information on how to create a function profile, please refer to the documentation of the IMG activity Define Function Profile.

    After completing all steps from chapter 4, the new business role ZSOLMANPRO should look like this:

    5. How to Assign Users to a Business Role

    This chapter provides information on how to assign users to business roles. You can assign users to a

    business role by using a PFCG role, via an organizational model or a user parameter.

    SAP recommends you to use an authorization role to assign users to a business role.

    5.1 Assignment via Authorization Role

    A business role is assigned to an authorization role. Users who are assigned to such an authorization role

    also have the business role assigned.

    For example:

    The standard business role SOLMANPRO is assigned to the PFCG role SAP_SM_CRM_UIU_SOLMANPRO.

    This means that each user who has this role assigned is also assigned to the business role SOLMANPRO.

    For more information on how to assign an authorization role to a business role, please refer to section 4.6

    of this guide.

    For more information on how to assign users to authorization roles, please refer to section 6.3 of this

    guide.

    5.2 Organizational Assignment

    Users can be assigned to a business role via the organizational model. The business role is assigned to an

    organizational unit or a position in the organizational model and the user/business partner is assigned to a

    position in the organizational unit, as shown in the figure below.

    For more information on how to create and adapt an organizational model, please refer to the guide

    Support Team Determination via Business Rule Framework plus (BRFplus) available in SAP Service

    Marketplace.

    To assign a business role to an organizational unit, please do the following:

    1. Start transaction PPOMA_CRM.

    2. Navigate to the corresponding organizational unit via the option Structure Search or Search Team, as

    shown in the figure below.

    3. From the menu, select Goto -> Detail object -> Enhanced object description.

    4. In the Active tab, select Business role from the list and choose Create infotype, as shown in the next

    figure.

    5. Enter the business role in the corresponding field, e.g. ZSOLMANPRO, as shown in the figure below.

    6. Save your settings.

    If you assign a business role to an organizational unit which includes other units, then all users from these

    lower units will also have the business role assigned.

    To assign a business role to a position in the organizational model, please do the following:

    1. Start transaction PPOMA_CRM.

    2. Navigate to the corresponding position via the option Structure Search or Search Team.

    3. Proceed with steps 3-6 on how to assign a business role to an organizational unit.

    Each position can have exactly one business role assigned.

    5.3 Assignment via User Parameter

    A business role can be assigned directly to a system user. In the user maintenance (transaction SU01) assign

    Parameter ID CRM_UI_PROFILE with Parameter Value on the Parameters tab to the

    user, e.g.:

    In this case, the assignment within the organizational model will not be taken into account.
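
    The organizational-model and user-parameter rules from sections 5.2 and 5.3, as an added Python example that is not part of the SAP guide. Unit, position and user names are constructed, and two rules are assumptions: a role set on a position is checked before its unit, and the nearest parent unit with a role wins.

```python
"""Model of business-role assignment via org model and user parameter.

All data is constructed for illustration; nothing is read from an SAP system.
"""

# Organizational unit -> parent unit (None marks the top unit).
UNIT_PARENT = {"SUPPORT": None, "SUPPORT_L1": "SUPPORT", "SUPPORT_L2": "SUPPORT"}
# Business role set on an organizational unit (inherited by lower units).
UNIT_ROLE = {"SUPPORT": "ZSOLMANPRO"}
# Position -> organizational unit it belongs to.
POSITION_UNIT = {"POS_AGENT": "SUPPORT_L1", "POS_LEAD": "SUPPORT_L2"}
# Business role set directly on a position (exactly one per position).
POSITION_ROLE = {"POS_LEAD": "SOLMANPRO"}
# User -> position in the organizational model.
USER_POSITION = {"AGENT1": "POS_AGENT", "AGENT2": "POS_AGENT", "LEAD1": "POS_LEAD"}
# User -> value of parameter ID CRM_UI_PROFILE maintained in SU01.
USER_PARAMETER = {"AGENT2": "SOLMANPRO"}


def org_model_role(user):
    """Business role a user gets from the organizational model, or None."""
    position = USER_POSITION.get(user)
    if position is None:
        return None
    # Assumption: a role on the position itself is checked first.
    if position in POSITION_ROLE:
        return POSITION_ROLE[position]
    # Walk up the unit hierarchy; lower units inherit the role of a higher unit.
    unit = POSITION_UNIT.get(position)
    seen = set()
    while unit is not None and unit not in seen:
        seen.add(unit)  # guards against a cyclic hierarchy in bad input
        if unit in UNIT_ROLE:
            return UNIT_ROLE[unit]
        unit = UNIT_PARENT.get(unit)
    return None


def effective_role(user):
    """Resolve the business role and record which assignment path supplied it."""
    org_role = org_model_role(user)
    param_role = USER_PARAMETER.get(user)
    if param_role:
        # With the parameter set, the org-model assignment is not taken into account.
        ignored = org_role if org_role != param_role else None
        return {"user": user, "role": param_role,
                "source": "user parameter", "ignored_org_role": ignored}
    return {"user": user, "role": org_role,
            "source": "organizational model" if org_role else "none",
            "ignored_org_role": None}


def overridden_assignments(users):
    """Users whose SU01 parameter replaces a different org-model business role."""
    return sorted(u for u in users if effective_role(u)["ignored_org_role"])


if __name__ == "__main__":
    for name in ("AGENT1", "AGENT2", "LEAD1"):
        print(effective_role(name))
    print("review:", overridden_assignments(USER_POSITION))
```

    The list returned by overridden_assignments is the set of users to review, because their business role is controlled in the user master record rather than in the organizational model.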

    6. How to Adapt Authorization Roles

    6.1 Copy an Authorization Role

    This section provides information on how to copy composite or single authorization roles.

    6.1.1 Copy a Composite Authorization Role

    To copy a composite authorization role, please do the following:

    1. Start transaction PFCG.

    2. Enter the role name (e.g. SAP_SUPPDESK_PROCESS_COMP) in the corresponding field.

    3. Choose Copy role, as shown in the next figure.

    4. Enter a name for the new role, e.g. ZSAP_SUPPDESK_PROCESS_COMP.

    5. Choose Copy All.

    6. Choose Yes in the Query dialog box to also copy the single roles contained in the composite role.

    7. Enter target names for the copied single roles.

    6.1.2 Copy a Single Authorization Role

    1. Start transaction PFCG.

    2. Enter the role name (e.g. SAP_SUPPDESK_PROCESS) in the corresponding field.

    3. Choose Copy role, as shown in the next figure.

    4. Enter a name for the new role, e.g. ZSAP_SUPPDESK_PROCESS.

    5. Choose Copy All.

    6.2 Adapt an Authorization Profile

    Role profiles contain authorization objects to specify user authorizations, such as change/display authorization

    for texts or transaction types.

    The following example shows how to adapt the authorization profile of the role ZSAP_SUPPDESK_PROCESS

    to allow users to create/change/display the business transaction type ZMIN (copy of SMIN):

    1. Start transaction PFCG.

    2. Enter the role name, e.g. ZSAP_SUPPDESK_PROCESS in the corresponding field and choose

    Change.

    3. Go to the tab Authorizations and choose Change Authorization Data.

    4. You get a list of all authorization objects which are included in the role.

    5. Navigate to the authorization object CRM Order Business Transaction Type (technical name

    CRM_ORD_PR) and choose Change for the field Business Transaction type, as shown in the figure

    below.

    6. Enter the value ZMIN in the dialog box and proceed with Transfer (Enter).

    7. Choose Generate to create the authorization profile.

    8. Choose Back and afterwards save your settings.

    6.3 Assign Users to an Authorization Role

    After you generated the authorization profile, you have to assign system users to the role and execute user

    comparison:

    1. Start transaction PFCG.

    2. Enter the role name, e.g. ZSAP_SUPPDESK_PROCESS in the corresponding field and choose

    Change.

    3. Go to the tab User.

    4. Enter the user ID(s) in the table User Assignments.

    5. Choose User comparison.

    6. Save your settings.
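
    The set-up sequence from sections 3.3.2 and 6.3 (generate profiles, assign users, run user comparison) can be checked offline against exported role data. The following Python code is an added example, not part of the SAP guide; the table exports it assumes (AGR_AGRS, AGR_1016, AGR_USERS, UST04), the user IDs, the profile names and the composite role membership are constructed.

```python
"""Offline check of PFCG role set-up. All data below is constructed."""

# Roles the guide names as having no active authorization objects,
# so no generated profile is expected for them.
NO_PROFILE_EXPECTED = {"SAP_SMWORK_INCIDENT_MAN", "SAP_SM_CRM_UIU_SOLMANPRO"}

# Composite role -> single roles (assumed export of table AGR_AGRS).
COMPOSITES = {
    "SAP_SUPPDESK_PROCESS_COMP": {
        "SAP_SMWORK_BASIC_INCIDENT",
        "SAP_SMWORK_INCIDENT_MAN",
        "SAP_SM_CRM_UIU_SOLMANPRO",
        "SAP_SUPPDESK_PROCESS",
    },
}
# Single role -> generated profile (assumed export of table AGR_1016).
# Profile names are placeholders, not real generated names.
PROFILES = {
    "SAP_SMWORK_BASIC_INCIDENT": "PROFILE_A",
    "ZSAP_SUPPDESK_PROCESS": "PROFILE_B",
}
# (role, user) pairs from the PFCG User tab (assumed export of table AGR_USERS).
ASSIGNMENTS = [
    ("SAP_SUPPDESK_PROCESS_COMP", "PROCESSOR1"),
    ("SAP_SUPPDESK_PROCESS_COMP", "PROCESSOR2"),
    ("ZSAP_SUPPDESK_PROCESS", "PROCESSOR3"),
]
# User -> profiles in the user master record (assumed export of table UST04).
USER_MASTER = {
    "PROCESSOR1": {"PROFILE_A"},
    "PROCESSOR2": set(),
    "PROCESSOR3": {"PROFILE_B"},
}


def single_roles(role, composites):
    """Expand a composite role; a single role expands to itself."""
    return sorted(composites.get(role, {role}))


def audit(assignments, composites, profiles, user_master,
          no_profile_expected=frozenset(NO_PROFILE_EXPECTED)):
    """Return sorted findings as (kind, single_role, user) tuples.

    PROFILE_NOT_GENERATED   - the single role has no generated profile
                              (user is "*" because it affects every assignee).
    USER_COMPARISON_PENDING - the profile exists but is missing from the
                              user's master record.
    """
    findings = set()
    for role, user in assignments:
        for single in single_roles(role, composites):
            if single in no_profile_expected:
                continue
            profile = profiles.get(single)
            if profile is None:
                findings.add(("PROFILE_NOT_GENERATED", single, "*"))
            elif profile not in user_master.get(user, set()):
                findings.add(("USER_COMPARISON_PENDING", single, user))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, COMPOSITES, PROFILES, USER_MASTER):
        print(finding)
```

    An empty result means every assigned user carries the generated profile of each single role that needs one.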