it service management roles and authorizations - sap it service management on sap solution manager -...

6/15/2014 IT Service Management Roles and Authorizations - SAP IT Service Management on SAP Solution Manager - SCN Wiki

http://wiki.scn.sap.com/wiki/display/SAPITSM/IT+Service+Management+Roles+and+Authorizations 1/22

Getting Started Newsletters Store

Search the Community

Welcome, Guest Login Register

Products Services & Support About SCN Downloads

Industries Training & Education Partnership Developer Center

Lines of Business University Alliances Events & Webinars Innovation

Added by Mariana Sebikova, last edited by Mariana Sebikova on Oct 22, 2013

SAP IT Service Management on SAP Solution Manager / ITSM Wiki - IT Service Management and ChaRM Wiki Homepage/ Configuration and Administration of ITSM

IT Service Management Roles and Authorizations

1. GENERAL INFORMATION

1.1 Information Sources

1.1.1 SAP Security Guide

1.1.2 SAP SDN Wiki

1.2 Prerequisites

1.3 How to Access the CRM WEBCLIENT UI

1.4 User groups in the ITSM Scenario

2. AUTHORIZATION (PFCG-) ROLES

2.1 Automatic Creation of Template Users Using Solman_Setup

2.2 Standard Authorization Roles

2.3 Assignment of User group-Specif ic PFCG Roles

3. BUSINESS ROLES

3.1 User group-Specif ic CRM WEBCLIENT UI Entries and Functionalities Corresponding to Technical Role Definition

3.1.1 CRM WebClient UI and Functionalities for Reporter / End User Web Service Self Portal

3.1.2 CRM WEBClient UI and Functionalities for Processor:

3.1.3 CRM WebClient UI and Functionalities for Dispatcher

3.1.4 CRM WebClient UI and Functionalities for Administrator

3.2 Copy and Assignment of User group-Specif ic Business Role

3.2.1 Copy of Business Role

4. HOW TO ADAPT BUSINESS ROLES AND TECHNICAL ROLES

4.1 Technical Roles

4.1.1 Mapping of Technical Roles and User group

4.2 Adapt a Business Role and Technical Roles According to Business Requirements

4.2.1 Create a Navigation Bar Profile

4.2.2 Create a Role Configuration Key

4.2.3 Create a Technical Profile

4.2.4 Create a Layout Profile

4.2.5 Create a Functional Profile

4.3 Additional Possibilities to Assign a Business Role to a User

4.3.1 Using Parameter

4.3.2 Using Organizational Model

4.3.2.1.1.1.1.1

5. APPENDIX

5.1 Copy an Authorization Role

5.2 Copy a Composite Authorization Role

5.3 Copy a Single Authorization Role

5.4 Adapt an Authorization Profile

5.5 Generate Authorization Profiles

1. GENERAL INFORMATION

To set up the SAP CRM WEBCLIENT UI for your system users, you need business roles and authorization roles. Using different business roles enables you to tailor the system for its users individually in

terms of profiles, screens, set of functionalities and authorizations.

This guide provides information on how to set up authorization roles and business roles for the different user groups of the SAP CRM WEBCLIENT UI in the scenario of IT Service Management.

1.1 Information Sources

This chapter provides an overview of the information sources regarding roles, authorizations and security in SAP Solution Manager.

1.1.1 SAP Security Guide

The SAP Security Guide is the primary documentation for establishing an authorization concept for SAP Solution Manager, and provides a collection of SAP guidelines and recommendations

pertaining to SAP System security.

http://service.sap.com/instguides/ SAP Components SAP Solution Manger



Release Operations SAP Solution Manager Security Guide

This document offers general guidelines for obtaining a medium level of security. The security of your ow n system landscape, and the use of softw are packages (SAP and non-SAP) are also important

factors in achieving overall system security, so analyze your ow n risks and needs and establish your ow n security policy (or policies). This guide assists you in this process, but cannot replace your ow n

customer-specif ic policies.

1.1.2 SAP SDN Wiki

The SAP Solution Manager Authorization Wiki, in the Softw are Developer Netw ork, is a complement to the SAP Solution Manager Security Guide. It is primarily valid for SAP Solution Manager release 7.1.

http://w iki.sdn.sap.com/w iki/display/SMAUTH/Home

It provides:

- Authorization object documentation

- Use cases

- Best practices

- Technical infrastructure

- Frequently asked questions

1.2 Prerequisites

- Installed and running Solution Manager 7.1 SPS 05

For more information, please see the SAP Solution Manager Installation Guide available in SAP Service Marketplace.

- The follow ing SAP Notes are relevant for the preparation of the SAP WebClient usage:

- SAP Solution Manager administration user

1.3 How to Access the CRM WEBCLIENT UI

To get access to the CRM WEBCLIENT UI, different master data must be combined:

- SU01 System User

- PFCG Role

- Business Role

As show n in the f igure above, the user must have a system user that is created using transaction SU01 and the user group specif ic PFCG roles as w ell as a business role assigned, to be able to perform

responsibility related activities in the CRM WEBCLIENT UI. The mapping of user group and responsibility related roles is explained in the follow ing section.

1.4 User groups in the ITSM Scenario

In the scenario of ITSM, several user groups and organizations exist:



Users and organizations are defined as Partner Function in the Incident Management scenario.To every user group (Reporter, Dispatcher, Processor, Administrator), standard roles on the one hand, and,

on the other hand, user group specif ic roles have to be assigned.

2. AUTHORIZATION (PFCG-) ROLES

Chapter tw o and three provide information on how to enable the standard authorization concept if you are going to use the standard and do not intend to change it.

Authorization roles (also called PFCG roles) are used to implement a comprehensive security concept. Using authorization roles, you protect the SAP system against unauthorized access at database,

netw ork and front end level.

2.1 Automatic Creation of Template Users Using Solman_Setup

Besides the manual creation of user and roles for the ITSM scenario w hich is explained in this guide, an automatic creation using transaction SOLMAN_SETUP is possible. To execute this automatic creation

of the follow ing template users:

Start transaction Solman_Setup IT Service Management 2. Perform Standard Configuration 2.5 Create Template Users

If you use BI Reporting, you need additional standard template users in the according BW system/client. If your BW system is in the same client as SAP Solution Manager, the relevant roles are assigned to

the standard user in the SAP Solution Manager system.

In Solman_Setup, you have the follow ing options:

- You can create a new user.

The system creates the new user, the corresponding business partner, if necessary, and assigns the relevant copied and SAP roles.

- You can use an existing user.

The system assigns the relevant copied roles and SAP roles to an existing user.



2.2 Standard Authorization Roles

Authorization roles can be divided into single and composite roles. For every user group, a composite role exists. Inside these composite roles, several user group-specif ic single roles are listed.

Follow ing composite roles are relevant for the Incident Management scenario:

2.3 Assignment of User group-Specific PFCG Roles

As already mentioned in section 2.2, every user group has its ow n composite role for their specif ic responsibilities. If you assign a composite role to a user, also the single roles are assigned automatically.

Example Composite role and single roles for Processor:



1. Start transaction SU01 and choose the specif ic user.

2. Select the roles tab and assign the composite role to the user.

3. Save your assignment.

Now the PFCG-Roles are successfully assigned to the user (message processor).As show n in the f igure above, the single role ZSM_SM_CRM_UIU_SOLMANPRO is part of the processor composite role.

This specif ic role is called PFCG-ROLE-ID and leads to the next chapter - the Business roles.

3. BUSINESS ROLES

In addition to PFCG roles, another type of role is necessary in the scenario of IT Service Management the business role. As explained in section 1.3, this type of role is required for the access to the CRM

WEBCLIENT UI and its customizing.

For every user group, a specif ic business role exists:

3.1 User group-Specific CRM WEBCLIENT UI Entries and Functionalities Corresponding to Technical Role

Definition

Because of different technical roles for every user group, the entries (e.g visible Work centers, Logical Links) in the CRM WEBCLIENT UI differ according to their responsibilities as show n in the f igures

below . In addition, the functional PFCG roles w hich manage the actions and functionalities to be performed.



3.1.1 CRM WebClient UI and Functionalities for Reporter / End User Web Service Self Portal

The CRM WebClient UI for the Reporter / End User is also called Web Self Service Portaland offers a quick and easy UI for message creation.

- Quick & user friendly creation of Incidents and Service requests

Guided procedure for Incident & Service request Creation

Quick buttons for Top 5 Service requests

Possibility to select other existing Service request Categories

Service request Category specif ic UI input parameter

- Interact w ith IT Help Desk

Add information and attachments

Confirm solutions

Send replies



- Enable search for know n solutions

Access to published Know ledge Articles

- Set ow n data

Personal Data (General and Communication Information)

Change Passw ord

My Objects

3.1.2 CRM WEBClient UI and Functionalities for Processor:

The UI for the Processor offers the possibility to open the Incident Management Work center and e.g search for and process Incidents or Problems. In addition, an overview of messages assigned to this

user group is accessible using My messages.



- Advanced f ilter mechanisms for f inding messages

Search for Incidents, Problems, Service requests, etc.

- Worklist for quick display of messages w ith involvement of the Processor

Me / My Team / My Group / My Company / My Responsibility Group



3.1.3 CRM WebClient UI and Functionalities for Dispatcher

The Dispatcher has the responsibility to dispatch unassigned messages to the correct service team w here these messages are forw arded by the Processor, e.g to the responsible service team employee.

For this reason, the dispatcher UI looks nearly similar to the Processor UI. The Dispatcher has access to the Incident Management Work center and a list of all unassigned messages.

- First level UI for a quick message processing (dispatching) w ith all necessary information

- Quick "Confirm" button in the menu

3.1.4 CRM WebClient UI and Functionalities for Administrator

The Administrator UI offers the possibility to perform basis-related activities such as master data maintenance (iBase, CMDB objects etc.), perform tasks in the Service Operations w ork center (maintain

categorization schemas, define rule policies etc.). In addition, this user group can search for Incidents, Problems and Service request.



3.2 Copy and Assignment of User group-Specific Business Role

At least one of the business roles must be assigned to a system user to have access to the CRM WEBCLIENT UI. But before a business role can be assigned to a user, you have to copy the business role

into your customer namespace for the same reason as you copy PFCG roles.

3.2.1 Copy of Business Role

To copy a business role, e.g SOLMANPRO, for the Processor, proceed as follow s:

1. Open the implementation guide by starting transaction SPRO and navigate to Customer Relationship Management UI Framework Business Roles Define Business Role.

2. Select business role SOLMANPRO and choose Copy as.

3. Enter a X,Y, or Z (this is your customer namespace) in front of SOLMANPRO.

4. Maintain the customer namespace PFCG ROLE ID in the business role. Confirm w ith Return.



5. The new business role is now visible in the overview . Save the table.

After the copying and assignment of PFCG roles and business roles, the standard CRM WEBCLIENT UI as w ell as the functionalities are usable.

If you w ant to do the follow ing, refer to the next chapter:

- Use a different type of business role assignment

- Know more about the technical roles behind the business roles

- Customize the visibility of the CRM WEBCLIENT UI (e.g Work center or logical links entries)

4. HOW TO ADAPT BUSINESS ROLES AND TECHNICAL ROLESIn addition to the standard CRM WEBCLIENT UI visibilities and functionalities, it is possible to customize business roles as w ell as technical roles according to customer needs. How to do so is explained in

detail in this chapter.

4.1 Technical Roles

With the help of business roles and the corresponding technical roles, it is possible to control the access to the CRM WEBCLIENT UI and customize the visibility of specif ic entries. This means that using

these roles, you can define the structure of the navigation bar and w hich links are available on the Work Center pages and the direct link group. Every business role has the follow ing technical roles

assigned:

- Navigation Bar Profile

- Role Configuration Key

- Layout Profile

- Technical Profile

- PFCG-Role-ID

The most important technical role is the Navigation Bar profile. Using this technical role, it is possible to control the Work center entries, the logical links as w ell as the direct link group in the CRM WEBCLIENT

UI (more information is provided in section 4.2.1).

The next f igure provides an overview of the previously listed elements of the CRM WEBCLIENT UI.



A work center describes and provides access to business content. The work center page is a collection of logical links for business content w hich are organized in link groups. Direct link group is

part of the navigation bar and provides direct access to specif ic business content w ith one click. Logical links can be used in direct link groups, second level navigation or on w ork center pages.

4.1.1 Mapping of Technical Roles and User group

The names of the technical roles are partly different for every specif ic user group:

The PFCG-Role-ID depends on the user group related PFCG role maintained in the user group composite role. The administrator is using the same business role as the Processor. For that reason, this user

group includes the same technical roles as the Processor.

As e.g the Dispatcher and the Processor are using the same navigation bar profile, it is recommended to copy them into a different customer namespace if customizing activities (section 4.2) are planned.

4.2 Adapt a Business Role and Technical Roles According to Business Requirements

This section explains how to adapt a business role according to your business requirements.

The follow ing f igure provides an overview on the profiles assigned to a business role.

A business role has the follow ing profiles assigned:

Navigation Bar Profile

Assignment of w ork centers, w ork center link groups, direct link groups and logical links

Layout Profile



Layout of the navigation frame, w hich includes header and footer area, w ork area and navigation bar

Technical Profile

Assignment of specif ic technical settings, e.g. disable the support of the Back button in the brow ser or frame sw apping (reduce noticeable screen f lickering)

Function Profile

Assignment of additional functional areas, e.g. links that appear in the navigation bar or used reporting framew ork (SAP BI or Interactive Reporting).

Role Configuration Key

Assignment of adapted UI view s (e.g. add/move/rename field) by using the UI configuration tool

The most important technical roles are the navigation bar profile and the functional profile. For both profiles, the copy and customizing process is explained in detail in the follow ing chapters. If you also plan

to customize the layout and technical profile or the role configuration key, please copy them into your customer namespace. Then, follow the explanations in the documentation w hich is available in the

specif ic Customizing section in transaction SPRO.

4.2.1 Create a Navigation Bar Profile

A navigation bar profile is a collection of logical links, w ork centers, w ork center link groups and direct link groups.

Use the standard navigation bar profile SOLMANPRO as a template to define the structure of your navigation bar:

1. Start transaction SPRO and go to Customizing activity Define Navigation Bar Profile.

2. Highlight the navigation bar profile SOLMANPRO and choose Copy As (recommended name for the new navigation profile is ZSOLMANPRO). Confirm w ith ENTER.

3. Save your settings.

Now you are able to adapt your navigation bar profile. In the Customizing activity Define Navigation Bar Profile, you get access to the shared lists of all logical links, w ork centers, w ork center link groups

and direct link groups. Furthermore, you can define navigation bar-specif ic customizing, such as assignment of w ork centers and direct link groups.

Choose Assign Work Centers To Navigation Bar Profile to specify w hich w ork centers should be part of the navigation bar (e.g. ZSOLMANPRO), as show n in the example below .



It is possible to add the Work centers using New Entries Assign Work centers To Navigation Bar Profile Save.

Choose Assign Direct Link Groups To Nav. Bar Profile to specify w hich w ork centers should be part of the navigation bar, as show n in the example below . In this example, the direct link group SM-

CREATE is assigned to the navigation bar profile ZSOLMANPRO.



Visibility of Customer-Specif ic Navigation Bar Links:

The example below show s customer-specif ic customizing according to direct links show n in the CRM WEBCLIENT UI.

To display direct links in the CRM WEBCLIENT UI: Save the changes.

4.2.2 Create a Role Configuration Key

The role configuration key is a unique identif ier used in the configuration of view s for the CRM WEBCLIENT UI. Certain changes can be stored under a role configuration key. For instance, a view can be

configured for a specif ic configuration key, w here f ields are removed or renamed in comparison to the original. This role configuration key is also assigned to the business role to identify the configuration

that is to be used for this role.

So only those users w ith the business roles assigned that carries the right key, see the configuration changes in the CRM WEBCLIENT UI. For all other users, no changes are visible. Thus, the role

configuration key provides the possibility of a role-dependent view configuration.



To create a role configuration key, do the follow ing:

1. Start transaction SPRO and go to Customizing activity Define Role Configuration Key.

2. Choose New Entries.

3. Add a new role configuration key, e.g. ZSOLMANPRO.


4.2.3 Create a Technical Profile

Use the standard technical profile DEFAULT_SOLMAN as a template to define your custom technical profile:

1. Start transaction SPRO and go to Customizing activity Define Technical Profile.



2. Highlight the technical profile DEFAULT_SOLMANPRO and choose Copy As.(the recommended name for the new layout profile is ZDEFAULT_SOLMANPRO). Confirm w ith ENTER.

3. Choose copy all.


Now you are ready to adapt the technical profile according to your business needs. For more information, please refer to the documentation of the Customizing activity Define Technical Profile.

4.2.4 Create a Layout Profile

Use the standard layout profile CRM_UIU_MASTER as a template to define the layout of the header and footer area, w ork area and navigation bar:

1. Start transaction SPRO and go to IMG activity Define Layout Profile.

2. Highlight the layout profile CRM_UIU_MASTER and choose Copy As.(recommended name for the new layout profile is ZCRM_UIU_MASTER). Confirm w ith ENTER.

3. Choose copy all.




Now you are ready to adapt the layout profile according to your business needs. For more information, please refer to the documentation of the Customizing activity Define Layout Profile.

4.2.5 Create a Functional Profile

Function profiles define special functions, such as the level of personalization, or the w orking context. In the Customizing activity Define Business Role, you can assign function profiles to your business

role.

For detailed information on how to create a function profile, please refer to the documentation of the Customizing activity Define Function Profile.

For more information on how to assign function profiles to business roles, please refer to the documentation of the Customizing activity Define Business Role.

4.3 Additional Possibilities to Assign a Business Role to a User

In section 3.2.1, the PFCG-Role-ID has been maintained in the business role in order to assign the business role to a user. This section provides an overview about the additional possibilities to assign a

business role to a user.

4.3.1 Using Parameter

Besides the PFCG-ROLE-ID, another possibility to assign a business role to a user is using the parameter tab in the system user maintenance.

1. Start transaction SU01 to maintain the specif ic user.

2. Select the parameter tab and maintain the details as show n in the f igure below . Save your settings.



Now , the business role ZSOLMANPRO is assigned to the user using the specif ic parameter.

4.3.2 Using Organizational Model

Users can be assigned to a business Role using the organizational model. The business role is assigned to an organizational unit or a position in the organizational model and the user/business partner is

assigned to a position in the organizational unit, as show n in the f igure below .

Assignment to an organizational unit:

1. Start transaction PPOMA_CRM.

2. To navigate to the corresponding organizational unit, choose Structure Search or Search Team.

3. From the menu, choose Goto -> Detail object -> Enhanced object description.



4. In the Active tab, select Business role from the list and choose Create infotype.

5. Enter the business role in the corresponding f ield, e.g. ZSOLMANPRO.


Assignment to a position:

1. Start transaction PPOMA_CRM.

2. To navigate to the corresponding position, choose Structure Search or Search Team.

3. Proceed w ith steps 3-6 on how to assign a business role to an organizational unit.

4.3.2.1.1.1.1.1

5. APPENDIXIn the Appendix, you f ind additional information, configuration steps and guidelines to adjust an IT Service Management related authorization concept according to your needs.

5.1 Copy an Authorization Role

This section provides information on how to copy composite or single authorization roles.

5.2 Copy a Composite Authorization Role

To copy a composite authorization role, do the follow ing:

1. Start transaction PFCG.

2. Enter the role name (e.g. SAP_SUPPDESK_PROCESS_COMP) in the corresponding f ield.

3. Choose Copy role.



4. Enter a name for the new role, e.g. ZSM_SUPPDESK_PROCESS_COMP.

5. Choose Copy Selectively.

6. To copy also the single roles contained in the composite role, in the Query dialog box, choose Yes.

7. Enter target names for the copied single roles and confirm to start the copy process

5.3 Copy a Single Authorization Role


2. Enter the role name (e.g. SAP_SUPPDESK_PROCESS) in the corresponding f ield.

3. Choose Copy role.

4. Enter a name for the new role, e.g. ZSM_SUPPDESK_PROCESS.

5. Choose Copy selectively.

5.4 Adapt an Authorization Profile

Role profiles contain authorization objects to specify user authorizations, such as change/display authorization for texts or transaction types.

The follow ing example show s how to adapt the authorization profile of the role SAP_SUPPDESK_PROCESS (ZSM_SUPPDESK_PROCESS) to allow users to create/change/display the business transaction

type ZMIN (copy of SMIN):


2. Enter the role name, e.g. SAP_SUPPDESK_PROCESS (ZSM_SUPPDESK_PROCESS) in the corresponding f ield and choose Change.

3. Go to the Authorizations tab and choose Change Authorization Data.

4. A list is displayed that contains all authorization objects that are included in the role.

5. Navigate to the authorization object CRM Order Business Transaction Type (technical name CRM_ORD_PR) and choose Change for the f ield Business Transaction type.

6. Enter ZMIN in the dialog box and proceed w ith Transfer (Enter).

7. Choose Generate to create the authorization profile.

8. Choose Back and then save your settings.



5.5 Generate Authorization Profiles

In this step, you have to generate the authorization profiles of the single roles contained in the composite role SAP_SUPPDESK_PROCESS_COMP. Copy this role also into customer namespace

ZSM_SUPPDESK_PROCESS_COMP before you perform the next steps!


2. Enter the role name ZSM_SUPPDESK_PROCESS in the corresponding f ield and choose Change.

3. Go to the tab Roles w here all single roles are listed.

4. Double-click to access a role (e.g. ZSM_SMWORK_BASIC_INCIDENT). The role opens in a new session.

5. In the new w indow , choose Display Change to sw itch to Edit mode.

6. Go to the Authorizations tab and choose Change Authorization Data.

7. Choose Generate to create the authorization profile of the role.

8. Choose Back and afterw ards save your settings.

9. Repeat steps 4-8 for the other roles contained in the composite role.

After you copied the composite role into the customer namespace and generated the various single roles, your composite role ZSM_SUPPDESK_PROCESS_COMP looks like this:

No labels

Follow SCNContact Us SAP Help Portal

Privacy Terms of Use Legal Disclosure Copyright

it service management roles and authorizations - sap it service management on sap solution manager -...

Documents

authorizations sap

sap crm webclient ui

different business roles

sap system security

sap security guide1

business roles3

mapping of technical

sap sdn wiki1