Author: Jan Rumig

How-to: Define Authorizations

Dear readers,

This “how-to” post is about defining authorizations and role handling.

In general, the SAP TM collaboration portal knows three access types:

  1. Demo access without connection to the SAP TM back end
  2. Productive access by a carrier user
  3. Admin access from a shipper user to provide default layout settings for the carrier users

What all of them have in common is that SAP delivers standard roles for them.

The process is as follows:

  1. Copy the role into the customer namespace
  2. Maintain authorization data
  3. Generate the authorization profile
  4. Assign the role to the user

The following roles are relevant for each of the scenarios described above:

  1. Demo access
    1. /TMUI/COLL_PORTAL_DEMO
  2. Productive access for carrier users
    1. /TMUI/COLL_PORTAL
    2. /SCMTMS/COLL_PORTAL
  3. Admin access for shipper users
    1. /TMUI/COLL_PORTAL
    2. /SCMTMS/COLL_PORTAL
    3. /TMUI/COLL_PORTAL_ADMIN
    4. /SCMTMS/COLL_PORTAL_ADMIN

For more information about the users mentioned above, see SAP Library for SAP Business Suite on SAP Help Portal at http://help.sap.com -> SAP Transportation Management -> SAP Transportation Management (SAP TM) -> Basic Functions -> Roles.

In case of Gateway hub deployment, you have two users: one user in the SAP TM back-end system and one in the Gateway system. The roles with prefix /TMUI/ have to be assigned in the system in which the software component SAPTMUI is deployed.
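
The role lists and the /TMUI/ placement rule above can be checked against an export of role assignments. The following Python code is an added example, not part of the original post or of SAP's delivery; the copied role names (ZTM_CP_*), the system IDs (GW1, TM1), the user names and the access type recorded per user are constructed assumptions.

```python
# Added example: audit portal role assignments against the post's access types.
# ZTM_CP_* names, system IDs GW1/TM1, users and access types are constructed.
REQUIRED = {
    "demo": {"/TMUI/COLL_PORTAL_DEMO"},
    "carrier": {"/TMUI/COLL_PORTAL", "/SCMTMS/COLL_PORTAL"},
    "admin": {"/TMUI/COLL_PORTAL", "/SCMTMS/COLL_PORTAL",
              "/TMUI/COLL_PORTAL_ADMIN", "/SCMTMS/COLL_PORTAL_ADMIN"},
}
STANDARD_ROLES = set().union(*REQUIRED.values())
# Customer-namespace copy -> SAP standard role it was copied from (hypothetical).
COPIED_FROM = {
    "ZTM_CP_UI": "/TMUI/COLL_PORTAL", "ZTM_CP_BE": "/SCMTMS/COLL_PORTAL",
    "ZTM_CP_UI_ADMIN": "/TMUI/COLL_PORTAL_ADMIN",
    "ZTM_CP_BE_ADMIN": "/SCMTMS/COLL_PORTAL_ADMIN",
}
# Constructed export rows: (user, access type, system, assigned role).
ASSIGNMENTS = [
    ("CARRIER01", "carrier", "GW1", "ZTM_CP_UI"),
    ("CARRIER01", "carrier", "TM1", "ZTM_CP_BE"),
    ("CARRIER02", "carrier", "GW1", "ZTM_CP_UI"),
    ("CARRIER02", "carrier", "TM1", "ZTM_CP_BE"),
    ("CARRIER02", "carrier", "TM1", "ZTM_CP_BE_ADMIN"),
    ("SHIPPER01", "admin", "GW1", "ZTM_CP_UI"),
    ("SHIPPER01", "admin", "TM1", "ZTM_CP_BE"),
    ("SHIPPER01", "admin", "TM1", "ZTM_CP_UI_ADMIN"),
    ("SHIPPER01", "admin", "TM1", "ZTM_CP_BE_ADMIN"),
    ("DEMO01", "demo", "GW1", "/TMUI/COLL_PORTAL_DEMO"),
]

def audit(assignments, copied_from, saptmui_system):
    """Return (user, finding, role) tuples for assignments that break the rules."""
    findings, held = [], {}
    for user, access, system, role in assignments:
        source = copied_from.get(role, role)
        if source not in STANDARD_ROLES:
            continue  # not a collaboration portal role
        if role in STANDARD_ROLES:  # step 1 of the process: copy the role first
            findings.append((user, "standard role assigned without copy", role))
        if source.startswith("/TMUI/") and system != saptmui_system:
            findings.append((user, "/TMUI/ role outside SAPTMUI system", role))
        held.setdefault((user, access), set()).add(source)
    for (user, access), sources in sorted(held.items()):
        need = REQUIRED.get(access, set())
        findings += [(user, "exceeds access type", r) for r in sorted(sources - need)]
        findings += [(user, "missing for access type", r) for r in sorted(need - sources)]
    return findings

if __name__ == "__main__":
    print(*audit(ASSIGNMENTS, COPIED_FROM, saptmui_system="GW1"), sep="\n")
```

The "exceeds access type" finding is the least-privilege case: a carrier user holding a copy of one of the admin roles.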

Visibility of worksets

To restrict the visibility of worksets for a specific user, proceed as follows:

  1. Open the application-specific role for /TMUI/COLL_PORTAL or /TMUI/COLL_PORTAL_DEMO created above in transaction PFCG.
  2. Go to tab Menu.
  3. Delete the workset folders that you don’t want a certain user to see.

The following table shows the relation between the workset folders and the worksets in the portal:

PFCG folder | Workset in Portal
/SCMTMS/HOME | Home
/SCMTMS/FRM | Freight Order Management
/SCMTMS/FRM /SCMTMS/TENDERING | Freight Requests for Quotation and Freight Quotations
/SCMTMS/FRM /SCMTMS/EVENT_NOT | Freight Orders for Execution
/SCMTMS/FRS | Freight Settlement
/SCMTMS/FRS /SCMTMS/SELF_BILLING | Freight Orders for Self-Billing
/SCMTMS/FRS /SCMTMS/INV_SUBMISSION | Freight Orders for Invoice Submission and Invoices
/SCMTMS/FRA | Freight Agreement Management
/SCMTMS/FRA /SCMTMS/FRT_PROCUREMENT | Freight Agreement RFQs and Freight Agreements

If you delete a workset folder from role /TMUI/COLL_PORTAL, you must also restrict the Gateway service authorizations by removing the IWSV object from role /SCMTMS/COLL_PORTAL. Also, you must delete the corresponding IWSG object in role /TMUI/COLL_PORTAL.


Example role implementation


As the role /SCMTMS/COLL_PORTAL is the most complex one, the following step-by-step guide refers to this role. The steps have to be repeated for all relevant roles.

1. After a system upgrade, you have to make sure that the newest authorization data is shown in the role. To do so, start transaction SU25 and execute at least step 2a.

2. Start transaction PFCG and enter role /SCMTMS/COLL_PORTAL.

3. Click “Copy role”.

4. Provide a “to role” name and click “Copy all”.

5. Click “Change role”.

6. In tab “Menu”, make your changes as described above for the visibility of worksets.

7. In tab “Authorizations”, click “Change Authorization Data”.

8. Maintain all authorization data so that all the traffic lights turn green. Afterwards, click “Generate”.

9. Click “Execute”.

10. Return to the main screen.

11. Open the user in transaction SU01 and assign the newly created roles there.

Please let me know your opinion.

Cheers,

Jan




      5 Comments
      Former Member

      Thanks Jan for a great post. It would be great if you can also add details about authorization for 2 back ends & 1 common portal.

      Jan Rumig
      Blog Post Author

      What do you mean exactly? Gateway system separated from the SAP TM instance? There is not a big difference. If you check the role documentation which is referenced above, there you will find the information which role to apply in which system. In addition, the following sentence provides the necessary information: "In case of Gateway hub deployment, you have two users: one user in the SAP TM back-end system and one in the Gateway system. The roles with prefix /TMUI/ have to be assigned in the system in which the software component SAPTMUI is deployed."

      Former Member

      I was asking about the details for "2 TM instances using 1 single (common) gateway instance."

      Jan Rumig
      Blog Post Author

      The collaboration portal only works with 1 TM instance and 1 Gateway system at the same time. Your use case is special for your customer and won't be covered in this post.

      Santhosh Rukmandaran

      Hello Jan,

      I have maintained all the roles to the user (did copy from standard) and activated all the settings in SICF

      fine but I am nodid a test workst able to see the nodes, just blank screen

      I have also checked menus in the roles (SICF tcode). Can you please guide me on what it is that I am missing?

      I am getting an error that SAP tree menu is not available.