1. GENERAL INFORMATION

 

To set up the SAP CRM WEBCLIENT UI for your system users, you need business roles and authorization roles. Using different business roles enables you to tailor the system for its users individually in terms of profiles, screens, set of functionalities and authorizations.

This guide provides information on how to set up authorization roles and business roles for the different user groups of the SAP CRM WEBCLIENT UI in the scenario of IT Service Management.

1.1          Information Sources

This chapter provides an overview of the information sources regarding roles, authorizations and security in SAP Solution Manager.

1.1.1       SAP Security Guide

The SAP Security Guide is the primary documentation for establishing an authorization concept for SAP Solution Manager, and provides a collection of SAP guidelines and recommendations pertaining to SAP System security.

http://service.sap.com/instguides/ -> SAP Components -> SAP Solution Manager -> Release <current release> -> Operations -> SAP Solution Manager Security Guide <current release>

This document offers general guidelines for obtaining a medium level of security. The security of your own system landscape, and the use of software packages (SAP and non-SAP) are also important factors in achieving overall system security, so analyze your own risks and needs and establish your own security policy (or policies). This guide assists you in this process, but cannot replace your own customer-specific policies.

1.1.2       SAP SDN Wiki

The SAP Solution Manager Authorization Wiki, in the Software Developer Network, is a complement to the SAP Solution Manager Security Guide. It is primarily valid for SAP Solution Manager release 7.1.

http://wiki.sdn.sap.com/wiki/display/SMAUTH/Home

It provides:

    -    Authorization object documentation

    -    Use cases

    -    Best practices

    -    Technical infrastructure

    -    Frequently asked questions

1.2          Prerequisites

      -    Installed and running Solution Manager 7.1 SPS 05

            For more information, please see the SAP Solution Manager Installation Guide available in SAP Service Marketplace.

      -    The following SAP Notes are relevant for the preparation of the SAP WebClient usage:

      -    SAP Solution Manager administration user

1.3          How to Access the CRM WEBCLIENT UI

To get access to the CRM WEBCLIENT UI, different master data must be combined:

     -    SU01 System User

     -    PFCG Role

     -    Business Role

As shown in the figure above, the user must have a system user that is created using transaction SU01 and the user group specific PFCG roles as well as a business role assigned, to be able to perform responsibility related activities in the CRM WEBCLIENT UI. The mapping of user group and responsibility related roles is explained in the following section.

1.4          User groups in the ITSM Scenario

In the scenario of ITSM, several user groups and organizations exist:

Users and organizations are defined as Partner Functions in the Incident Management scenario. Every user group (Reporter, Dispatcher, Processor, Administrator) must be assigned both standard roles and user group-specific roles.

 

 

2. AUTHORIZATION (PFCG-) ROLES

Chapters two and three provide information on how to enable the standard authorization concept if you are going to use the standard and do not intend to change it.

Authorization roles (also called PFCG roles) are used to implement a comprehensive security concept. Using authorization roles, you protect the SAP system against unauthorized access at database, network and front end level.

 

2.1          Automatic Creation of Template Users Using Solman_Setup

Besides the manual creation of users and roles for the ITSM scenario, which is explained in this guide, automatic creation using transaction SOLMAN_SETUP is possible. To execute the automatic creation of the following template users:

 

Start transaction Solman_Setup -> IT Service Management -> 2. Perform Standard Configuration -> 2.5 Create Template Users

If you use BI Reporting, you need additional standard template users in the corresponding BW system/client. If your BW system is in the same client as SAP Solution Manager, the relevant roles are assigned to the standard user in the SAP Solution Manager system.

In Solman_Setup, you have the following options:

     -       You can create a new user.

             The system creates the new user, the corresponding business partner, if necessary, and assigns the relevant copied and SAP roles.

     -       You can use an existing user.

             The system assigns the relevant copied roles and SAP roles to an existing user.

 

2.2          Standard Authorization Roles

Authorization roles can be divided into single and composite roles. For every user group, a composite role exists. Inside these composite roles, several user group-specific single roles are listed.

The following composite roles are relevant for the Incident Management scenario:

 

2.3          Assignment of User group-Specific PFCG Roles

As already mentioned in section 2.2, every user group has its own composite role for its specific responsibilities. If you assign a composite role to a user, the single roles it contains are also assigned automatically.

Example – Composite role and single roles for Processor:

1. Start transaction SU01 and choose the specific user.

 

2. Select the roles tab and assign the composite role to the user.

 

3. Save your assignment.

Now the PFCG roles are successfully assigned to the user (message processor). As shown in the figure above, the single role ZSM_SM_CRM_UIU_SOLMANPRO is part of the processor composite role. This specific role is called the PFCG-ROLE-ID and leads to the next chapter, the business roles.

 

3. BUSINESS ROLES

In addition to PFCG roles, another type of role is necessary in the scenario of IT Service Management – the business role. As explained in section 1.3, this type of role is required for the access to the CRM WEBCLIENT UI and its customizing.

For every user group, a specific business role exists:

 

3.1          User group-Specific CRM WEBCLIENT UI Entries and Functionalities Corresponding to Technical Role Definition

Because every user group has different technical roles, the entries in the CRM WEBCLIENT UI (e.g. visible Work centers, Logical Links) differ according to the group's responsibilities, as shown in the figures below. In addition, the functional PFCG roles manage the actions and functionalities that can be performed.

3.1.1       CRM WebClient UI and Functionalities for Reporter / End User – Web Service Self Portal

The CRM WebClient UI for the Reporter / End User is also called Web Self Service Portal and offers a quick and easy UI for message creation.

 

 

 

      -    Quick & user friendly creation of Incidents and Service requests

        • Guided procedure for Incident & Service request Creation
        • Quick buttons for Top 5 Service requests
        • Possibility to select other existing Service request Categories
        • Service request Category specific UI input parameter

      -    Interact with IT Help Desk

        • Add information and attachments
        • Confirm solutions
        • Send replies

     -    Enable search for known solutions

        • Access to published Knowledge Articles

    -    Set own data

        • Personal Data (General and Communication Information)
        • Change Password
        • My Objects

 

3.1.2       CRM WEBClient UI and Functionalities for Processor:

The UI for the Processor offers the possibility to open the Incident Management Work center and, e.g., search for and process Incidents or Problems. In addition, an overview of messages assigned to this user group is accessible using “My messages”.

 

 

 

   -    Advanced filter mechanisms for finding messages

        • Search for Incidents, Problems, Service requests, etc.

    -    Worklist for quick display of messages with involvement of the Processor

        • Me / My Team / My Group / My Company / My Responsibility Group

 

 

3.1.3       CRM WebClient UI and Functionalities for Dispatcher

The Dispatcher has the responsibility to dispatch unassigned messages to the correct service team, where these messages are forwarded by the Processor, e.g. to the responsible service team employee.

For this reason, the Dispatcher UI looks very similar to the Processor UI. The Dispatcher has access to the Incident Management Work center and a list of all unassigned messages.

 

-    First level UI for a quick message processing (dispatching) with all necessary information

-    Quick "Confirm" button in the menu

 

 

3.1.4       CRM WebClient UI and Functionalities for Administrator

The Administrator UI offers the possibility to perform basis-related activities such as master data maintenance (iBase, CMDB objects etc.) and to perform tasks in the Service Operations work center (maintain categorization schemas, define rule policies etc.). In addition, this user group can search for Incidents, Problems and Service requests.

 

 

 

3.2          Copy and Assignment of User group-Specific Business Role

At least one of the business roles must be assigned to a system user to have access to the CRM WEBCLIENT UI. But before a business role can be assigned to a user, you have to copy the business role into your customer namespace for the same reason as you copy PFCG roles.

 

3.2.1       Copy of Business Role

To copy a business role, e.g. SOLMANPRO, for the Processor, proceed as follows:

          1.     Open the implementation guide by starting transaction SPRO and navigate to Customer Relationship Management -> UI Framework -> Business Roles -> Define Business Role.

 

           2.    Select business role SOLMANPRO and choose Copy as.

 

           3.    Enter X, Y, or Z (this is your customer namespace) in front of SOLMANPRO.

 

           4.    Maintain the customer namespace PFCG ROLE ID in the business role. Confirm with Return.

 

            5.    The new business role is now visible in the overview. Save the table.

 

After the copying and assignment of PFCG roles and business roles, the standard CRM WEBCLIENT UI as well as the functionalities are usable.
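
The chain described in sections 1.3, 2.3 and 3.2.1 (SU01 user, PFCG role, PFCG-Role-ID maintained in the business role) can be checked offline against exported assignment data. The following Python example is added here and is not part of the original guide or of SAP-delivered code; the user IDs, the business role ZSOLMANPRO2, the role name SAP_SM_CRM_UIU_SOLMANPRO and all table contents are constructed assumptions.

```python
# Added example: audit of the user -> PFCG role -> business role chain.
# All data below is constructed; user IDs are hypothetical.

CUSTOMER_PREFIXES = ("X", "Y", "Z")  # customer namespace per section 3.2.1

# Composite role -> contained single roles (constructed export).
COMPOSITE_ROLES = {
    "ZSM_SUPPDESK_PROCESS_COMP": ["ZSM_SUPPDESK_PROCESS", "ZSM_SM_CRM_UIU_SOLMANPRO"],
    # Assumed content of the uncopied standard composite role.
    "SAP_SUPPDESK_PROCESS_COMP": ["SAP_SUPPDESK_PROCESS", "SAP_SM_CRM_UIU_SOLMANPRO"],
}

# Business role -> PFCG-Role-ID maintained in Define Business Role.
BUSINESS_ROLES = {
    "SOLMANPRO": "SAP_SM_CRM_UIU_SOLMANPRO",     # assumed standard entry
    "ZSOLMANPRO": "ZSM_SM_CRM_UIU_SOLMANPRO",    # copy with adapted PFCG-Role-ID
    "ZSOLMANPRO2": "SAP_SM_CRM_UIU_SOLMANPRO",   # hypothetical copy, step 4 skipped
}

# SU01 user -> roles on the Roles tab (hypothetical users).
USER_ROLES = {
    "PROC_OK": ["ZSM_SUPPDESK_PROCESS_COMP"],
    "PROC_STD": ["SAP_SUPPDESK_PROCESS_COMP"],
    "PROC_NOUI": ["ZSM_SUPPDESK_PROCESS"],
}


def in_customer_namespace(name):
    return name.startswith(CUSTOMER_PREFIXES)


def effective_single_roles(assigned):
    """Expand composite roles; assigning a composite assigns its single roles."""
    singles = set()
    for role in assigned:
        singles.update(COMPOSITE_ROLES.get(role, [role]))
    return singles


def reachable_business_roles(user):
    """Business roles whose PFCG-Role-ID is among the user's single roles."""
    singles = effective_single_roles(USER_ROLES.get(user, []))
    return sorted(b for b, pfcg in BUSINESS_ROLES.items() if pfcg in singles)


def audit_user(user):
    """Findings for one user: uncopied roles, missing or standard business role."""
    findings = []
    for role in USER_ROLES.get(user, []):
        if not in_customer_namespace(role):
            findings.append(f"standard role assigned, not a customer copy: {role}")
    reachable = reachable_business_roles(user)
    if not reachable:
        findings.append("no business role reachable: no WebClient UI access")
    for b in reachable:
        if not in_customer_namespace(b):
            findings.append(f"standard business role in use: {b}")
    return findings


def audit_business_roles():
    """Copied business roles still pointing at a standard PFCG-Role-ID."""
    return sorted(b for b, pfcg in BUSINESS_ROLES.items()
                  if in_customer_namespace(b) and not in_customer_namespace(pfcg))


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, reachable_business_roles(user), audit_user(user))
    print("business roles with unadapted PFCG-Role-ID:", audit_business_roles())
```

A copied business role whose PFCG-Role-ID was not adapted stays reachable through the standard role, which is why the check reports it separately from the per-user findings.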

If you want to do the following, refer to the next chapter:

          -       Use a different type of business role assignment

          -       Know more about the technical roles behind the business roles

          -       Customize the visibility of the CRM WEBCLIENT UI (e.g. Work center or logical links entries)

 

 

4. HOW TO ADAPT BUSINESS ROLES AND TECHNICAL ROLES

In addition to the standard CRM WEBCLIENT UI visibilities and functionalities, it is possible to customize business roles as well as technical roles according to customer needs. How to do so is explained in detail in this chapter.

 

4.1          Technical Roles

With the help of business roles and the corresponding technical roles, it is possible to control the access to the CRM WEBCLIENT UI and customize the visibility of specific entries. This means that using these roles, you can define the structure of the navigation bar and which links are available on the Work Center pages and the direct link group. Every business role has the following technical roles assigned:

         -    Navigation Bar Profile

         -    Role Configuration Key

         -    Layout Profile

         -    Technical Profile

         -    PFCG-Role-ID

The most important technical role is the Navigation Bar profile. Using this technical role, it is possible to control the Work center entries, the logical links as well as the direct link group in the CRM WEBCLIENT UI (more information is provided in section 4.2.1).

The next figure provides an overview of the previously listed elements of the CRM WEBCLIENT UI. 

A work center describes and provides access to business content. The work center page is a collection of logical links for business content which are organized in link groups. Direct link group is part of the navigation bar and provides direct access to specific business content with one click. Logical links can be used in direct link groups, second level navigation or on work center pages.

 

4.1.1       Mapping of Technical Roles and User group

The names of the technical roles are partly different for every specific user group:

The PFCG-Role-ID depends on the user group related PFCG role maintained in the user group composite role. The administrator is using the same business role as the Processor. For that reason, this user group includes the same technical roles as the Processor.

As, for example, the Dispatcher and the Processor are using the same navigation bar profile, it is recommended to copy them into a different customer namespace if customizing activities (section 4.2) are planned.

 

4.2          Adapt a Business Role and Technical Roles According to Business Requirements

This section explains how to adapt a business role according to your business requirements.

The following figure provides an overview on the profiles assigned to a business role.

A business role has the following profiles assigned:

  •  Navigation Bar Profile

        ° Assignment of work centers, work center link groups, direct link groups and logical links

  • Layout Profile

       ° Layout of the navigation frame, which includes header and footer area, work area and navigation bar

  • Technical Profile

       ° Assignment of specific technical settings, e.g. disable the support of the Back button in the browser or frame swapping (reduce noticeable screen flickering)

  • Function Profile

       ° Assignment of additional functional areas, e.g. links that appear in the navigation bar or used reporting framework (SAP BI or Interactive Reporting).

  • Role Configuration Key

        ° Assignment of adapted UI views (e.g. add/move/rename field) by using the UI configuration tool

The most important technical roles are the navigation bar profile and the functional profile. For both profiles, the copy and customizing process is explained in detail in the following chapters. If you also plan to customize the layout and technical profile or the role configuration key, please copy them into your customer namespace. Then, follow the explanations in the documentation which is available in the specific Customizing section in transaction SPRO.

 

4.2.1       Create a Navigation Bar Profile

A navigation bar profile is a collection of logical links, work centers, work center link groups and direct link groups.

Use the standard navigation bar profile SOLMANPRO as a template to define the structure of your navigation bar:

  1. Start transaction SPRO and go to Customizing activity Define Navigation Bar Profile.
  2. Highlight the navigation bar profile SOLMANPRO and choose Copy As… (recommended name for the new navigation profile is ZSOLMANPRO). Confirm with ENTER.

  3. Save your settings.

Now you are able to adapt your navigation bar profile. In the Customizing activity Define Navigation Bar Profile, you get access to the shared lists of all logical links, work centers, work center link groups and direct link groups. Furthermore, you can define navigation bar-specific customizing, such as assignment of work centers and direct link groups.

Choose Assign Work Centers To Navigation Bar Profile to specify which work centers should be part of the navigation bar (e.g. ZSOLMANPRO), as shown in the example below.

It is possible to add the Work centers using New Entries -> Assign Work centers To Navigation Bar Profile -> Save.

 

Choose Assign Direct Link Groups To Nav. Bar Profile to specify which work centers should be part of the navigation bar, as shown in the example below. In this example, the direct link group SM-CREATE is assigned to the navigation bar profile ZSOLMANPRO.

 

Visibility of Customer-Specific Navigation Bar Links:

 

The example below shows customer-specific customizing according to direct links shown in the CRM WEBCLIENT UI. 

 

 

To display direct links in the CRM WEBCLIENT UI: Save the changes.

 

4.2.2       Create a Role Configuration Key

The role configuration key is a unique identifier used in the configuration of views for the CRM WEBCLIENT UI. Certain changes can be stored under a role configuration key. For instance, a view can be configured for a specific configuration key, where fields are removed or renamed in comparison to the original. This role configuration key is also assigned to the business role to identify the configuration that is to be used for this role.

So only those users whose assigned business role carries the right key see the configuration changes in the CRM WEBCLIENT UI. For all other users, no changes are visible. Thus, the role configuration key provides the possibility of a role-dependent view configuration.

To create a role configuration key, do the following:

  1. Start transaction SPRO and go to Customizing activity Define Role Configuration Key.
  2. Choose New Entries.
  3. Add a new role configuration key, e.g. ZSOLMANPRO.
  4. Save your settings.

     

 

4.2.3       Create a Technical Profile

Use the standard technical profile DEFAULT_SOLMAN as a template to define your custom technical profile:

  1. Start transaction SPRO and go to Customizing activity Define Technical Profile.
  2. Highlight the technical profile DEFAULT_SOLMANPRO and choose Copy As… (the recommended name for the new layout profile is ZDEFAULT_SOLMANPRO). Confirm with ENTER.

  3. Choose copy all.

  4. Save your settings.

Now you are ready to adapt the technical profile according to your business needs. For more information, please refer to the documentation of the Customizing activity Define Technical Profile.

 

 

4.2.4       Create a Layout Profile

Use the standard layout profile CRM_UIU_MASTER as a template to define the layout of the header and footer area, work area and navigation bar:

  1. Start transaction SPRO and go to IMG activity Define Layout Profile.
  2. Highlight the layout profile CRM_UIU_MASTER and choose Copy As… (recommended name for the new layout profile is ZCRM_UIU_MASTER). Confirm with ENTER.

  3. Choose copy all.

  4. Save your settings.

Now you are ready to adapt the layout profile according to your business needs. For more information, please refer to the documentation of the Customizing activity Define Layout Profile.

 

4.2.5       Create a Functional Profile

Function profiles define special functions, such as the level of personalization, or the working context. In the Customizing activity Define Business Role, you can assign function profiles to your business role.

For detailed information on how to create a function profile, please refer to the documentation of the Customizing activity Define Function Profile.

For more information on how to assign function profiles to business roles, please refer to the documentation of the Customizing activity Define Business Role.

 

4.3          Additional Possibilities to Assign a Business Role to a User

In section 3.2.1, the PFCG-Role-ID has been maintained in the business role in order to assign the business role to a user. This section provides an overview of the additional possibilities to assign a business role to a user.

4.3.1       Using Parameter

Besides the PFCG-ROLE-ID, another possibility to assign a business role to a user is using the parameter tab in the system user maintenance.

  1. Start transaction SU01 to maintain the specific user.
  2. Select the parameter tab and maintain the details as shown in the figure below. Save your settings.

Now, the business role ZSOLMANPRO is assigned to the user using the specific parameter.

 

4.3.2       Using Organizational Model

Users can be assigned to a business role using the organizational model. The business role is assigned to an organizational unit or a position in the organizational model, and the user/business partner is assigned to a position in the organizational unit, as shown in the figure below.

 

 

Assignment to an organizational unit:

 

  1. Start transaction PPOMA_CRM.

  2. To navigate to the corresponding organizational unit, choose Structure Search or Search Team.
  3. From the menu, choose Goto -> Detail object -> Enhanced object description.
  4. In the Active tab, select Business role from the list and choose Create infotype.
  5. Enter the business role in the corresponding field, e.g. ZSOLMANPRO.
  6. Save your settings.

 

Assignment to a position:

  1. Start transaction PPOMA_CRM.
  2. To navigate to the corresponding position, choose Structure Search or Search Team.
  3. Proceed with steps 3-6 on how to assign a business role to an organizational unit.


  

5. APPENDIX

In the Appendix, you find additional information, configuration steps and guidelines to adjust an IT Service Management related authorization concept according to your needs.

5.1          Copy an Authorization Role

This section provides information on how to copy composite or single authorization roles.

5.2          Copy a Composite Authorization Role

To copy a composite authorization role, do the following:

  1. Start transaction PFCG.
  2. Enter the role name (e.g. SAP_SUPPDESK_PROCESS_COMP) in the corresponding field.
  3. Choose Copy role.

     
  4. Enter a name for the new role, e.g. ZSM_SUPPDESK_PROCESS_COMP.
  5. Choose Copy Selectively.
  6. To copy also the single roles contained in the composite role, in the Query dialog box, choose Yes.

     
  7. Enter target names for the copied single roles and confirm to start the copy process.

5.3          Copy a Single Authorization Role

  1. Start transaction PFCG.
  2. Enter the role name (e.g. SAP_SUPPDESK_PROCESS) in the corresponding field.
  3. Choose Copy role.

     
  4. Enter a name for the new role, e.g. ZSM_SUPPDESK_PROCESS.
  5. Choose Copy selectively.

 

5.4          Adapt an Authorization Profile

Role profiles contain authorization objects to specify user authorizations, such as change/display authorization for texts or transaction types.

The following example shows how to adapt the authorization profile of the role SAP_SUPPDESK_PROCESS (ZSM_SUPPDESK_PROCESS) to allow users to create/change/display the business transaction type ZMIN (copy of SMIN):

  1. Start transaction PFCG.
  2. Enter the role name, e.g. SAP_SUPPDESK_PROCESS (ZSM_SUPPDESK_PROCESS) in the corresponding field and choose Change.
  3. Go to the Authorizations tab and choose Change Authorization Data.
  4. A list is displayed that contains all authorization objects that are included in the role.
  5. Navigate to the authorization object CRM Order – Business Transaction Type (technical name CRM_ORD_PR) and choose Change for the field Business Transaction type.

     
  6. Enter ZMIN in the dialog box and proceed with Transfer (Enter).
  7. Choose Generate to create the authorization profile.
  8. Choose Back and then save your settings.

5.5          Generate Authorization Profiles

In this step, you have to generate the authorization profiles of the single roles contained in the composite role SAP_SUPPDESK_PROCESS_COMP. Copy this role also into customer namespace ZSM_SUPPDESK_PROCESS_COMP before you perform the next steps!

 

 

  1. Start transaction PFCG.
  2. Enter the role name ZSM_SUPPDESK_PROCESS in the corresponding field and choose Change.
  3. Go to the tab Roles where all single roles are listed.
  4. Double-click to access a role (e.g. ZSM_SMWORK_BASIC_INCIDENT). The role opens in a new session.
  5. In the new window, choose Display <-> Change to switch to Edit mode.           
  6. Go to the Authorizations tab and choose Change Authorization Data.
  7. Choose Generate to create the authorization profile of the role.

     
  8. Choose Back and afterwards save your settings.
  9. Repeat steps 4-8 for the other roles contained in the composite role.

    After you have copied the composite role into the customer namespace and generated the various single roles, your composite role ZSM_SUPPDESK_PROCESS_COMP looks like this:

 

 

 
