This new super user role concept is only available in Project Management and below some items relating to this are listed:
- Super users are the users that are assigned to special user roles (called ‘Super Roles’).
- Each user to be super user is given a certain PFCG role instead of the current authorization object ACO_SUPER.
- The new Super User concept is not based on classical authorizations any more, i.e. the Authorization object ACO_SUPER will not be considered anymore.
- The old authorization super user concept is based on the classical authorization Object ACO_SUPER with 2 parameters (Activity , ObjectType). Distinction via Object Types is not supported any more. It´s only possible to define this for projects in the customizing. (Object Type: "DPO")
- First you should think about which user roles (PFCG roles) you want to use for super users. You can plan to use one role as super role for all projects or create several roles, each to be used for different project types.
- In user role administration (transaction PFCG), you can define the roles that you want to use as superuser roles.
- You do not need to define an authorization profile for a superuser role in role administration.
- Each operative project gets automatically authorizations for these special super roles via Customizing-Settings:
SPRO > SAP Portfolio and Project Management > Common Functions > Define Superuser Authorizations
- This customizing allows to specify the super roles depending on the project type and the responsible organizational unit of the project.
- When the project type or the responsible organizational unit are not specified (remain empty) in the customizing, the roles are assigned to projects of all project types or organizational units.
- The customizing allows to specify the authorization activities: "Admin", "Write" or "Read".
- Then the superusers are users who are automatically granted Read, Write or Admin authorization for all projects or for projects with a specific project type or organizational unit based on the customizing.
- The pre-definition of authorization activities like "Accounting", "Resource Management",... for the super user role isn´t available.
- Then each operative project will automatically get authorizations for these special super roles at creation.
- Changes of superuser role customizing do not affect existing superuser role assignments of existing projects. (See Report below)
- Only the change of the project type or the responsible organizational unit of a project the superuser roles of this project are adapted according to the customizing.
- It´s not allowed to manually change or delete the automatically assigned super roles in the Project.
- The simplified authorization management is active by default in SAP Portfolio and Project Management for SAP S/4HANA. You can revert back to the previous authorization concept by making the appropriate setting in Customizing for SAP Portfolio and Project Management for the Switch:
Area 0007 / Name 0053 - Deactivate Simplified Authorization Management ('X'=Yes, ' '=No)
- Note, this setting is only effective in the Web Dynpro application. The SAP Fiori Apps only support the simplified authorization management. This Switch does not de-activate the new Super User concept, but then both the old super user and the new super user concept work in parallel.
Information concerning Authorizations in Project Management in S/4 Hana can you find under:
SAP Help Portal https://help.sap.com/viewer/d645ce2eb36c4609bbb95cc540bdc67e/1.0.00/en-US/49921b8e39901131e10000000a421138.html
|SAP Note No.||Description|
|2374026||Report to enable projects for new super user in Simplified Authorizations|
|2368248||New Super User corrections - simplified Authorizations|
|2367520||Visual and functional improvements of report /S4PPM/AUTHORIZATION_ANALYSIS|
|2343374||S4TWL - Simplified ACLs (Access Control Lists) concept in SAP Portfolio and Project Management for SAP S/4HANA|
|2321885||S4TC CPRXRPM Master Check for S/4 System Conversion Checks|
|KBA Note No.||Description|
|2547862||Resource Management with new Super User Concept|
|2524092||You require authorization to display Project|
|Report /S4PPM/ASSIGN_SUPER_USER_AUTH||For the Migration of old projects. |
This report enables you to update superuser authorizations in operative projects as configured in Customizing. The system automatically adds or updates superuser authorizations in a project when you create the project or when you change its project type or organizational unit. This report can be used to remove obsolete superuser roles as specified.
|Report DPR_PRE_CHECK_S4MIG_AUTHREF||See SAP Note 2343374 and 2321885.|
This report can be used to analyze the authorizations in detail in your system.
|Report /S4PPM/AUTHORIZATION_ANALYSIS||This report provides the functionality to visualize the authorizations of a user for all project elements of the specified project(s). When a specified user is assigned to a project role - the report shows the authorizations on that role. The report shows the authorizations on basis of the old authorization concept as well as the authorizations on basis of the simplified authorization concept.|