by Irina Ivanova, Senior consultant at msg Plaut Russia
The SAP PaPM (Profitability and Performance Management) solution comes with predefined role templates, which you can find in the Administration guide (sections Authorization and SAP Fiori Launchpad Application).
These are just templates – if used «as is», they might give certain users excessive authorizations. For example, if you assign all roles with *ALL suffix to a user, you will grant them access and full authorization for ALL data records and environments in SAP Profitability and Performance Management.
Security managers will then most likely need to design their own role structure, meeting specific business requirements.
In this blog post, I’m going to share with you a SAMPLE role setup for a calculation process, which I hope will give you a hint on how to set up yours.
A sophisticated process of calculations may demand a complex role-based approach with clear division of responsibility. In addition to functional restrictions (transactions and services), there is usually an analytical restriction (data access policies) in an organization.
It is recommended to copy predefined role templates and adapt them to your business needs. To give you an idea of how to proceed with it, let me show you a Composite role which consists of separate Single roles. The set of single roles considers functional permissions (Functional Roles) and organizational constraints (Org Level Roles).
Composite roles allow easier scaling by adding Org Level Roles. At the same time, Functional Roles are only changed in case the employee’s responsibilities are extended.
Implementation of a complex role model is based on the following groups of Authorization Objects.
| # | Authorization group | Description | Authorization Object Example |
|---|---|---|---|
| 1 | Access Authorization Objects | Authorizations to run transactions and services. | S_TCODE, S_SERVICE |
| 2 | Authorization Objects NXI | Give permission for the particular Environment (Calculation Unit) and Function in SAP Profitability and Performance Management. | /NXI/P1F |
| 3 | Analysis Authorization Objects | Give data access permission for BI objects (queries, editable queries). | S_RS_AUTH, S_RS_PLSE |
| 4 | User Groups | Restrict authorizations for specific activities (calculation process steps) and enable Dual Control. | S_USER_AGR |
This implementation approach implies the following restrictions to configuration in SAP Profitability and Performance Management:
- Function ID should be defined by the pattern, which is referred to in NXI Authorization Object – /NXI/P1F. This is only applicable to functions used in Process Activities.
- Authorization relevant Info-objects should be set up and used at least in a Query function. Analysis Authorization Objects also refer to these Info-objects.
If Central User Administration is used, there are some extra restrictions to be taken into account when making User group (Teams) changes.
Authorization Objects NXI
NXI Authorization Object settings can be expanded by marking Authorization fields, for example Environment or Version, as Org. Levels for Profile Generator (transaction SUPO). This can be helpful in case of significant differences in calculation rules and algorithms between different company branches and org. units.
Analysis Authorization Objects
Configuration of Analysis Authorization Objects consists of two blocks (settings are done in RSECAUTH transaction).
Data access permission can be managed if you mark Info-objects as Authorization-Relevant – see the picture below (Eclipse screen).
Data activities permission can be maintained using the following default Info-Objects:
- 0TCAACTVT Activity in Analysis Authorizations,
- 0TCAIFAREA Info-Area for Analysis Authorizations,
- 0TCAIPROV Authorizations for Info-Provider,
- 0TCAVALID Validity of an Authorization
In addition to READ and EDIT permission, data access activities can be extended according to the process requirements. For example, Ratification permission can be set up using a combination of default and custom data access info-objects.
Analysis Authorization Objects created at previous steps should be included in Authorization Objects S_RS_AUTH (field BIAUTH). Default Authorization 0BI_ALL can be used in case no restrictions apply. In PFCG transaction it looks as follows:
User Groups
User groups are used in case Dual Control is activated to implement sequential execution and approval. More information about Dual Control here: https://blogs.sap.com/2020/09/03/sap-profitability-and-performance-management-dual-control-overview/ . For a User, the available activity sequence depends on the User group assignment. As shown in the picture below, a sequence of 4 activities is available to a User assigned to PAPM_RW01 group, whereas a User assigned to PAPM_PR01 can only see 3 activities.
In case Central User Administration or GRC (Governance, Risk, and Compliance) is used, the User group (Teams) assignment cannot be changed by a user with role /NXI/P1_ADMIN_USER, and additional ABAP development might be required.
Eventually, the set of Single roles, built according to this approach, includes:
- The set of Functional Roles
  - Access Authorization Objects
  - Authorization Objects NXI with empty Org Levels
  - Analysis Authorization Objects
- The set of Org Level Roles
  - Analysis Authorization Objects
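A review check for the two over-broad grants mentioned above (roles with the *ALL suffix and the default Analysis Authorization 0BI_ALL in S_RS_AUTH/BIAUTH), written as an added example and not taken from the original post or from SAP. It assumes the role tables AGR_AGRS, AGR_USERS and AGR_1251 were exported to CSV with the columns shown; all role, user and transaction names in the sample data are constructed.

```python
import csv, io
from collections import defaultdict

# Constructed sample exports; every role, user and value below is invented.
AGR_AGRS = """AGR_NAME,CHILD_AGR
ZC_PAPM_CALC_BR01,ZS_PAPM_FUNC_CALC
ZC_PAPM_CALC_BR01,ZS_PAPM_ORG_BR01
ZC_PAPM_LEGACY,ZS_PAPM_TPL_ENV_ALL
"""
AGR_USERS = """AGR_NAME,UNAME
ZC_PAPM_CALC_BR01,ANALYST1
ZC_PAPM_LEGACY,ANALYST2
ZS_PAPM_ORG_ALLBR,ANALYST3
"""
AGR_1251 = """AGR_NAME,OBJECT,FIELD,LOW
ZS_PAPM_ORG_BR01,S_RS_AUTH,BIAUTH,ZPAPM_BR01
ZS_PAPM_ORG_ALLBR,S_RS_AUTH,BIAUTH,0BI_ALL
ZS_PAPM_FUNC_CALC,S_TCODE,TCD,ZPAPM_RUN
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def single_roles_by_user(agr_users, agr_agrs):
    """Resolve each user's composite roles into the single roles they contain."""
    children = defaultdict(set)
    for r in rows(agr_agrs):
        children[r["AGR_NAME"]].add(r["CHILD_AGR"])
    result = defaultdict(set)
    for r in rows(agr_users):
        # A directly assigned single role has no children and maps to itself.
        result[r["UNAME"]] |= children.get(r["AGR_NAME"], {r["AGR_NAME"]})
    return result

def audit(agr_users, agr_agrs, agr_1251):
    """Return (user, single role, reason) for every over-broad grant found."""
    unrestricted = {r["AGR_NAME"] for r in rows(agr_1251)
                    if (r["OBJECT"], r["FIELD"], r["LOW"]) == ("S_RS_AUTH", "BIAUTH", "0BI_ALL")}
    findings = []
    for user, roles in sorted(single_roles_by_user(agr_users, agr_agrs).items()):
        for role in sorted(roles):
            if role.endswith("ALL"):      # name follows the *ALL template pattern
                findings.append((user, role, "template-style *ALL role"))
            if role in unrestricted:      # role content, regardless of its name
                findings.append((user, role, "S_RS_AUTH/BIAUTH = 0BI_ALL"))
    return findings

if __name__ == "__main__":
    for finding in audit(AGR_USERS, AGR_AGRS, AGR_1251):
        print(finding)
```

The third sample user shows why the role content has to be checked as well as the role name: the Org Level Role carries 0BI_ALL although its name does not end in ALL.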
I am at the end of my blog post now, and I hope you’ve got a better understanding of roles’ adjustments and configuration in SAP PaPM.
Key takeaways:
- Roles delivered by SAP Profitability and Performance Management are templates that you can use to further enhance your authorization structure.
- Composite Roles prove to be very handy: by design, they are easy to adjust, and cover both functional and analytical restrictions.
- User Groups or Teams can be used to further control the process via the dual control mechanism.
References:
- https://help.sap.com/viewer/56471df1959f4cfd9e3bf7a6d2d5be42/3.11/en-US/4016e42d53ea499fa09de7e99b435c7a.html
- 727536 – FAQ | Using Customer Organizational Levels in PFCG
- BW465 SAP BW/4HANA – User Management and Authorizations
- https://blogs.sap.com/2020/09/03/sap-profitability-and-performance-management-dual-control-overview/
- https://blogs.sap.com/2020/08/04/the-impact-of-teams-on-papm-process-management-and-execution/
Source: https://blogs.sap.com/2020/11/26/complex-role-based-approach-with-using-vary-authorization-objects/