PFCG: Bird’s-eye View from Quality Perspective
PFCG stands for Perfectly Functionally Co-coordinating Group. Let’s take a sneak peek into PFCG from the quality-testing perspective, with a short overview of what PFCG is and how we test it.
What is PFCG?
PFCG is the role maintenance tool used to manage roles and authorization data. The tool for role maintenance, the Profile Generator, automatically creates authorization data based on the selected menu functions. SAP delivers standard PFCG roles to customers and recommends using the role maintenance functions and the Profile Generator (transaction code PFCG) to maintain roles, authorizations, and profiles. Customers do not use the standard PFCG roles directly; they have to make a copy of a standard PFCG role in order to use it.
So, to ensure that the authorizations delivered via standard PFCG roles function correctly, we can test a standard PFCG role by creating a copy of it and assigning the copy to the test user.
How to get started with PFCG role testing?
Creating a user:
- Create a user in transaction SU01 with the user group “Usertester”, unlike a normal user, whose user group is “Tester”.
- A user created with user group “usertester” does not inherit any authorization profiles by default, unlike a user created with user group “tester”, which inherits “S_ENTW_SHOW” by default.
- Assign the business role under the parameter tab.
Setting up a new PFCG role as a copy of standard PFCG role:
- Go to transaction CRMC_UI_PROFILE and select the business role relevant to the application area
- For that role, make a note of the assigned standard PFCG role
- Go to transaction PFCG
- Select your PFCG role (e.g. SAP_CRM_UIU_MKT_PROFESSIONAL) and click the Copy button to copy the standard PFCG role to a ‘Z’ PFCG role
- Initially the “Profile Name” and “Profile Text” in “Information About Authorization Profile” section will be empty
- Click “Change Authorization Data” button
Make sure that the authorization object S_SERVICE is set to inactive. An active authorization object S_SERVICE could interrupt the profile generation.
Hint: You can turn on the technical authorization object names via Utilities → Technical names on.
Search for the S_SERVICE object
- Then search for the authorization object relevant to the business object. For example, to test CRM Marketing Campaign, the authorization object would be “CRM_CPG”.
Change the values by clicking on the edit (pencil) icon to give the user the authorization to create, change and delete campaigns.
- Save and generate the profile.
NOTE: The PFCG role contains tailored authorizations for the Business Role. These authorizations are retrieved from SU22/SU24 traces (at SAP/Customer) based on the PFCG Role Menu at the time of profile generation.
PFCG Role Menu: Each Role Menu entry is linked to an SU22/SU24 trace. The menu contains all traces and, in turn, all the authorizations needed to run a specific Business Role.
SU22 Trace: Authorization traces delivered by SAP. The CRM User Interface uses the external trace type UIU_COMP.
SU24 Trace: Authorization traces maintained by the customer. These traces are copied from the SAP namespace (SU22) using transaction SU25.
- Now the Authorizations tab has a green traffic light.
- Finally, a user comparison has to be performed. The user comparison reconciles the profiles within a user’s account and makes the necessary changes.
- Press the “User Comparison” button on the “User” tab and select “Complete Comparison”.
- The User tab now has a green traffic light.
- In SU01, for this auth user “XAUTH”, you can see the PFCG role and profile assigned after doing the user comparison.
- The new PFCG role is now all set, and we can perform authorization testing to check whether the new role functions correctly.
Testing with Restricted Authorizations:
Here we need to run the application with restricted authorizations in order to find out whether the PFCG profile is set up correctly.
This authorization testing is carried out with a user who is restricted with respect to the PFCG role. The restricted user has only the limited authorizations inherited from the standard PFCG role, whereas a normal user has full application testing rights. Limitation: with the restricted user, we can perform only limited actions in the Web UI. We can’t perform any transaction or action in SAP GUI.
- Log in to the CRM Web UI with the restricted user and the assigned business role
- Perform actions with respect to the authorizations maintained. For example, if the PFCG profile is generated with limited authorizations to view a CRM Marketing Campaign, then the restricted user should only be able to view the campaign and should not be able to create, edit or delete it. Similarly, when the profile is regenerated with modified authorizations, say with the authorization objects enabled only for creating and viewing the campaign, then the user should be able to create and view the campaign but should not be able to edit or delete it, and so on.
How to find missing authorization object?
- SU53: This transaction shows the last failed authorization check. Unfortunately, this method often fails because authorization checks are not always performed at the time of the error (but, for example, when starting the application), so the reported failed authorization check is not the one causing the problem.
- ST01: The Authorization Trace can be used to get information on all performed authorization checks. This is the preferred way to analyze authorization issues.
In case of an authorization issue:
- The issue needs to be brought to the notice of the application development colleagues. (An authorization issue is a failure that happens for the restricted user but works fine for the unrestricted user.)
- If the failure occurs for both the restricted AND the unrestricted user, then it’s not an authorization issue, but it still needs to be reported.
- The development colleagues provide a fix for the issue and release the correction request.
- After the correction request reaches the Q-system, run transaction SU25, which transfers the new/updated authorization defaults from the SU22 proposals.
- Thereafter, the standard PFCG role/profile needs to be regenerated.
- Finally, a new copy of the standard PFCG role (as described above) needs to be made to perform authorization testing.
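The expected outcomes of the restricted-user test and the triage rule in the steps above can be written down as a small check; this is an added example, not part of the original article or of any SAP tool. The activity codes 01/02/03/06 are SAP's standard ACTVT values, but their use for CRM_CPG, the function names and the observation data are assumptions made for illustration.

```python
# Added example: expected-result matrix and triage for PFCG role tests.
# ACTVT codes are SAP's standard activity values; that CRM_CPG is checked
# through exactly these four activities is an assumption of this sketch.
ACTVT = {"create": "01", "change": "02", "display": "03", "delete": "06"}


def expected_matrix(role_actvt):
    """Return {action: bool}: what the restricted user should be able to do."""
    granted = set(role_actvt)
    return {action: ("*" in granted or code in granted)
            for action, code in ACTVT.items()}


def triage(role_actvt, restricted, unrestricted):
    """Classify each observed Web UI result for the copied 'Z' role.

    restricted / unrestricted map action -> True if the action succeeded.
    """
    verdicts = {}
    for action, should_work in expected_matrix(role_actvt).items():
        r_ok, u_ok = restricted[action], unrestricted[action]
        if not u_ok:
            # Fails even with full rights: not an authorization issue,
            # but it still has to be reported.
            verdicts[action] = "functional_defect"
        elif should_work and not r_ok:
            # Granted in the role but blocked: an authorization is missing.
            verdicts[action] = "missing_authorization"
        elif r_ok and not should_work:
            # Not granted but possible: the role or the check is too permissive.
            verdicts[action] = "excess_authorization"
        else:
            verdicts[action] = "pass"
    return verdicts


# Constructed observations for a role regenerated with create + display only.
ROLE = ["01", "03"]
RESTRICTED = {"create": False, "change": True, "display": True, "delete": False}
UNRESTRICTED = {"create": True, "change": True, "display": True, "delete": False}

if __name__ == "__main__":
    for action, verdict in triage(ROLE, RESTRICTED, UNRESTRICTED).items():
        print(f"{action:8} {verdict}")
```

Recording the negative cases (actions that must be denied) alongside the positive ones is what surfaces a role that grants more than intended, which a "does it work" test alone would miss.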
For more information on how to analyze authorization issues, see SAP Note 1244321 – Simplifying error analysis in CRM Web Client UI.