Hi,

S_ALR*...that's probably the basic question, although I would still like to pick the transactions individually -> so no need to include e.g. unnecessary country-specific reports in the display role.

For testing purposes I assigned TCD S_PL0_86000030 - G/L Account Balances (New) to a testuser and noticed that one needs quite extensive FI authorizations to be able to use it.

Then the question could be: should these kind of transactions be placed in a display role in the first place if users with limited authorizations are not able to use them?

Or if user can start the transaction, but not execute it any further due to missing authorizations, would there be any harm? This would need to be probably tested in combination with transactional roles.

I'm trying to keep this as simple and straightforward as possible, as I have a feeling that I'm not going to get much support when taking the design to transaction level..

So I would rather have one display role for FI than separate display roles for GL, AP and AR although not all transactions would be useful for all the users.

Edited by: Viljam on Jan 11, 2010 12:43 PM

Thanks for helpful answers, Julius!

My interpretation of this is that they are not meant to be used "on their own" but rather in combination with another or a set of related transactions.

Yes, seems to be so.

Try to keep the menu and the authorizations in the same role if you can for ease of maintenance and identifying where the authority is coming from (and needed for).
If the tcode is in the menu but should not be used, then you will confuse the user and will be in a "catch 22" in SU24 at some stage.

This makes a lot of sense.

I'll move the S_ALR/PL0/AC0.. transactions under corresponding functional roles (GL, AP, AR) for now, keep only the designated display transaction codes (document, account balance & master data display) in the FI display role, start from there and see/test how that plays out.

Design is still at "excel"-stage, so role scope changes are easily made

Just out of curiosity (and a bit for benchmarking), what would you Julius and other experts include in e.g. FI-display role if you had free hands? If I remember correctly Alex was talking about "display role per function" in Role Design sticky.

Not looking for a list of transactions, but in more general terms if it is possible e.g. would this "display role per function" include S_ALR/PL0 transactions?

This is my first role design assignment, therefore elementary-level questions... Thanks in advance for any input!

Thanks again Julius!

"The not visible ones are either pulled in from the SU24 proposals for the transaction -- or added as tcodes to be started from report trees (in PFCG use the "Authorization Defaults" option) which adds them to S_TCODE but not visible in the menu

So, if (S_ALR or other?) transaction can be executed through another t-code, it is ok to have it as "not visible". If t-code is pulled in from SU24 proposals I don't need to add it in the role's menu tree (best practice), otherwise t-code can be added (as not visible) to menu tree with "Authorization Defaults" option.

A few questions:

- How/where can I assess which t-codes can be executed through other transactions and therefore can be made not visible?

- And further, how to check which t-codes are pulled in from SU24 proposals and which are not?

- Could you give me an example as I'm not sure I understood this correctly?

For "display only" you should anyway be concentrating more on the application objects than the tcodes for the user. Make sure those tcodes don't pull in more than you want, because then the proposals are either too strong (or emtpy) or your choice of transaction is doubtfull.

I'll intend to do that, but I'll have to determine first the transactional scope of the role. If this role can be given to other than FI users as well, then I'll have to exclude the S_ALR* transactions from it and keep them in FI-functional roles.

Then one more general design question:

- Is it common practice to assign e.g. FI-display role to users of other modules? Or will I run into problems with authorization objects?

Thanks for examples!

I'll try to clarify (to myself as well) what I'm after.

Aiming to build simple functional and display roles:

- High-level functional roles for FI, CO, SD, MM and PP

- Display roles for each of the modules above

Scope of functional transactions is quite well defined, but I started to mull over the contents of display roles. And FI-display role was as far as I got.

I think the basic question now is:

- Do I want /is it good and common practice to assign display roles across modules e.g. to give FI-display role to MM users?

This could effect the design of display roles as:

1. If display roles are assigned across modules, then probably don't want to include e.g. FI -related S_ALR* t-codes to FI-display as users without strong FI authorizations cannot really use of them. Therefore display role would include only designated display transactions.

2. If it is common to have FI-display only for FI-users, then I could include at least some e.g. FI -related S_ALR* t-codes in the FI-display role.

Does this make any sense?

Hi Shekar and thanks for input.

What I meant with "high-level" roles is that I'm going to build bigger singles and not composites. So, I would have "GL Accountant" as a single role instead of having Task role1 + Task role 2 + Task role 3 + Task role x = GL accountant.

If you have a specific set of transactions on the different domains (FI,CO,SD.....) build the functional roles and i would prefer to build seperate reporting roles. Reporting role for FI, Reporting role for CO, Reporting role for SD

You mentioned you prefer to build separate reporting roles. Would you include display t-codes in your reporting roles or have separate roles for displaying?

I would like to combine "reporting" and "displaying" to one role, so that role combination for company's "Bookkeeper" = "GL Accountant" + "FI-display".

You also mentioned critical tasks such as printing of cheques. I wouldn't include all S_ALR* t-codes in my FI-display role, but e.g. relevant transactions from Information System nodes of GL, AR, AP (e.g. AR > Info system > Reports for AR > Customers: Items). The reports identified as critical could be placed in proper functional roles.

I wont put my head on the block - but the SD and MM reporting roles can be a relatively easier job than the FI and CO ones

I surely hope so

In any case, time and effort on the machine are crucial, design on excel can take us only .......so far 

You are right about this. However, I would like to have some sort of plan on paper before I start.

If you want to build high level roles for functions (people) within a process then forget about "modules" and "object classes" for authorizations.

Yes, high level roles for functions is what I'm trying to build, so I'm not worried about giving cross-module authorizations when needed. (e.g. FI accountants need to check "stock in transit" from MM).

They needs to model their process and tell you which transactions they want the functions to be able to start, or have to start otherwise they don't get paid 
They must provide this information to you, together with which behaviour the different functions are to expect after having started the transaction or navigated further from an report list, etc etc. Some might be display all behaviour for certain objects (like masterdata) and others more complex with various activities for combinations of fields (e.g. S_ARCHIVE) and will take you longer. But they are all in the same role, needed for function to be able to support their part of a business process.

Now this is more problematic. Processes have been mapped to some extent, but specific information about t-codes and wanted behaviour after t-code is started is not provided. I'll have to rely on functional consultants' suggestions which may not always reflect the real needs of the end-users.

=> I think the design/build is going to be such that the goal is to build roles for functions, but as there is no time/input for more detailed design, t-codes for roles have to be assigned more loosely (only critical functions separated). Composites are out of question already.

A display role per function is one way of doing it, in that respect it can contain all reporting required out of R/3 - that includes relevant S_ transactions (which aren't always display). It really depends on the data and how sensitive it is and also how the business is aligned. Some companies work in very silo'd (is that a real word?) environments along the lines of modules, others work on a process area (e.g. Order to Cash) that run across multiple modules. If your design supports giving wide display access then how you build it will align with how the company is organised.

Only some of the data is classified as sensitive (prices, margins), so wide display rights are no problem. I would say that the organization is not strictly "silo'd", so cross-module activities are done.

What I'm still wondering is this:

I build e.g. FI-display role that contains also all non-critical S_* t-codes (from GL, AR, AP) and because display rights can be wide I can assign it to all Finance people without problems.

Also as most of the data is not classified as sensitive, Sales personnel would like to be able to display some FI-AR reports, e.g. customer's payment history. But, because they're lacking needed FI authorizations, they're able to start the transaction but not go further.

So, is it common that users use only reports they get from their "main" module?

Or if sales people feel that FI-AR reports would be useful, but lack authorizations, how should these be cases be handled?

I think the design of roles/functions is already quite process-like, but these display-dilemmas keep throwing me off.

Maybe/hopefully this problem is related mainly to FI-reports..

Julius, Shekar and Alex, thanks for the dialogue so far, it has been most helpful!

Edited by: Viljam on Jan 14, 2010 9:09 AM