this “how-to” post is about defining authorizations and role handling.
In general, the SAP TM collaboration portal knows three access types:
- Demo access without connection to the SAP TM back end
- Productive access by a carrier user
- Admin access from a shipper user to provide default layout settings for the carrier users
All of them have in common, that there are SAP standard roles delivered.
The process is as follows:
- Copy the role into the customer namespace
- Maintain authorization data
- Generate the authorization profile
- Assign the role to the user
The following roles are relevant for each of the scenarios described above:
- Demo access
- Productive access for carrier users
- Admin access for shipper users
For more information about the users mentioned above, see SAP Library for SAP Business Suite on SAP Help Portal at http://help.sap.com -> SAP Transportation Management -> SAP Transportation Management (SAP TM) -> Basic Functions -> Roles.
In case of Gateway hub deployment, you have two users: one user in the SAP TM back-end system and one in the Gateway system. The roles with präfix /TMUI/ have to be assigned in the system in which the software component SAPTMUI is deployed.
Visibility of worksets
To restrict the visibility of worksets for a specific user, proceed as follows:
- Open the application-specific role for /TMUI/COLL_PORTAL or /TMUI/COLL_PORTAL_DEMO created above in transaction PFCG.
- Go to tab Menu.
- Delete the workset folders that you don’t want a certain user to see.
The following table shows the relation between the workset folders and the worksets in the portal:
|PFCG folder||Workset in Portal|
|/SCMTMS/FRM||Freight Order Management|
|/SCMTMS/FRM – /SCMTMS/TENDERING||
Freight Requests for Quotation
|/SCMTMS/FRM – /SCMTMS/EVENT_NOT||Freight Orders for Execution|
|/SCMTMS/FRS – /SCMTMS/SELF_BILLING||Freight Orders for Self-Billing|
|/SCMTMS/FRS – /SCMTMS/INV_SUBMISSION||
Freight Orders for Invoice Submission
|/SCMTMS/FRA||Freight Agreement Management|
|/SCMTMS/FRA – /SCMTMS/FRT_PROCUREMENT||
Freight Agreement RFQs
If you delete a workset folder from role /TMUI/COLL_PORTAL, you must also restrict the Gateway service authorizations by removing the IWSV object from role /SCMTMS/COLL_PORTAL. Also, you must delete the corresponding IWSG object in role /TMUI/COLL_PORTAL.
Example role implementation
As the role /SCMTMS/COLL_PORTAL is the most complex one, the following step-by-step guide refers to this role. The steps have to be repeated for all relevant roles.
1. After a system upgrade you have to make sure that the newest authorization data is shown in the role. Therefore start transaction SU25 and execute at least step 2a.
2. Start transaction PFCG and enter role /SCMTMS/COLL_PORTAL.
3. Click “Copy role”.
4. Provide a “to role” name and click “Copy all”.
5. Click on change role.
6. In tab “Menu” provide your changes as described above for the visibility of worksets.
7. In tab “Authorizations” click on “Change Authorization Data”.
8. Maintain all authorization data, so that all the traffic lights get green. Afterwards click on “Generate”.
9. Click on Execute.
10. Return to main screen.
11. Open the user in transaction SU01 and assign the newly created roles there.
Please let me know your opinion.