Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

SAP Authorisations Made Easy 4.6 A/B Questions

Former Member
0 Kudos

Hi,

I'm a SAP Access Administrator with some security skills looking to move into the Security Arena.

I'm currently working through the SAP Authorisations Made Easy 4.6 A/B document however I am using CRM 7 IDES.

When working through the step by step documentation, I'm encountering  few problems as follows -

1.  The documentation asks me to initiate the Implementation assistant however there are no directions as to how I do this.

2.  When directing to access the Profile Generator, tx PFCG, I access it but the documentation refers to the Activity Group Maintenance screen however I'm unaware how I access this screen, none of the Icons/Menus appear relevant and there are no other tabs on the PFCG screen.

Any assistance on the above would be appreciated i.e. directions on how to access the above, links to relevant SAP notes, documentation or transactions that assist in clarifying where the above screens and similar are located if I encounter no path/directions.

Finally, although I've worked through about a third of the document, whilst I understand the relationships between modules, roles, transactions, reports and users, I haven't fully grasped the necessity for Authorisation Objects and Profiles, i.e. if the available transactions, reports web links are present in a Users Roles, what is the need for the associated Authorisation Objects and Profiles, what additional value do these layers add to a secure system?  Couldn't a user just log in and attempt to access a transaction/report, why doesnt a simple check occur to see if the user has a role with the said tx/report and if so permit the access, where does the object and Profile come in?  I appreciate I could be well missing the point on this one.

Would really appreciate as layman response as possible?

Many thanks in advance,

Tom

5 REPLIES 5

Former Member
0 Kudos

Hi,

Please ignore my comments in point as I know appreciate Activity Groups are known as Roles in CRM 7.

I'd still appreciate responses regarding my first and final point.

Thanks,

Tom

0 Kudos

Tom,

Can you please mention the page # for point (1) and (2).

Regards,

Shivraj

0 Kudos

Implementation assistent is a myriad or SPRO nodes and objects. Any in ancient times an Excel file to accompany it (without integration back into SAP) called BPML.

You are welcome to start your project using Excel files, but you will spend about a year doing that, and then still only have bigger Excel files and longer meetings... (in my humble opinion).

There are more modern ways of doing this, but you seem to mix the CRM requirements with the ancient ABAP PFCG roles methodology for R/3. The document you found will have limited use for you. You will be better off reading the CRM security guide.

Regarding # 3, (which is why I suspect you are from a Java background...) is that roles (PFCG) is just a modelling framework. It has to generate the profiles with authorization instances for the objects because ABAP programs use these. It is not a meta data modelling concept usinging attributes of the roles. The real music (bar personalizations) are generated by the role itself. You must also transport those dependent generated objects - otherwise the role does not work.

But CRM also uses ABAP objects as entry points to services and applications. So you will need them.

I would suggest that you go on a ADM940 and CRM training, otherwise you will cause a lot of stress for yourself and even SAP_ALL for your own user will not work.... Just being honest.

Cheers,

Julius

martin_voros
Active Contributor
0 Kudos

Hi,

SAP doco has a nice picture that captures basic relationship between roles, objects and so on. Your book is pretty old so you might have some other similar issues with names. You can try to google for ADM960 docs which are IMO better way to learn about authorization concept in SAP. There are some other books about authorization concepts but you will have to buy them.

Implementation assistant seems to be an old concept. I've never used it but you should be able to launch it by running program SASAP02_START (I got this program from googling).

Cheers

0 Kudos

If you look at the code then you will see that it does not actually do anything for roles and just starts a SPRO project and has navigation into PFCG from SPRO.

OK... but that does not help much for content. Just an attempt at a wizard with Project filter for steps that need to be done.

What with Solman wizards and templates and role based menus, very few customers use SPRO projects anymore. It is just a handfull of people needing the access, and for role building SPRO is virtually useless. At most via EC01 you cal build some org. sets for the org. fields.

But I understood the OPs question here to be CRM and Web UI related. 4.5B Authorizations made easy is not the prefered choice of weapon and it is understandable that it has caused confusion.

Cheers,

Julius