Skip to Content

Dear readers,

this “how-to” post is about defining authorizations and role handling.

In general, the SAP TM collaboration portal knows three access types:

  1. Demo access without connection to the SAP TM back end
  2. Productive access by a carrier user
  3. Admin access from a shipper user to provide default layout settings for the carrier users

All of them have in common, that there are SAP standard roles delivered.

The process is as follows:

  1. Copy the role into the customer namespace
  2. Maintain authorization data
  3. Generate the authorization profile
  4. Assign the role to the user

The following roles are relevant for each of the scenarios described above:

  1. Demo access
  2. Productive access for carrier users
  3. Admin access for shipper users

For more information about the users mentioned above, see SAP Library for SAP Business Suite on SAP Help Portal at -> SAP Transportation Management -> SAP Transportation Management (SAP TM) -> Basic Functions -> Roles.

In case of Gateway hub deployment, you have two users: one user in the SAP TM back-end system and one in the Gateway system. The roles with präfix /TMUI/ have to be assigned in the system in which the software component SAPTMUI is deployed.

Visibility of worksets

To restrict the visibility of worksets for a specific user, proceed as follows:

  1. Open the application-specific role for /TMUI/COLL_PORTAL or /TMUI/COLL_PORTAL_DEMO created above in transaction PFCG.
  2. Go to tab Menu.
  3. Delete the workset folders that you don’t want a certain user to see.

The following table shows the relation between the workset folders and the worksets in the portal:

PFCG folder Workset in Portal
/SCMTMS/FRM Freight Order Management

Freight Requests for Quotation


Freight Quotations

/SCMTMS/FRM /SCMTMS/EVENT_NOT Freight Orders for Execution
/SCMTMS/FRS Freight Settlement
/SCMTMS/FRS /SCMTMS/SELF_BILLING Freight Orders for Self-Billing

Freight Orders for Invoice Submission



/SCMTMS/FRA Freight Agreement Management

Freight Agreement RFQs


Freight Agreements

If you delete a workset folder from role /TMUI/COLL_PORTAL, you must also restrict the Gateway service authorizations by removing the IWSV object from role /SCMTMS/COLL_PORTAL. Also, you must delete the corresponding IWSG object in role /TMUI/COLL_PORTAL.

Example role implementation

As the role /SCMTMS/COLL_PORTAL is the most complex one, the following step-by-step guide refers to this role. The steps have to be repeated for all relevant roles.

1. After a system upgrade you have to make sure that the newest authorization data is shown in the role. Therefore start transaction SU25 and execute at least step 2a.


2. Start transaction PFCG and enter role /SCMTMS/COLL_PORTAL.

3. Click “Copy role”.

copy role.png

4. Provide a “to role” name and click “Copy all”.

copy final.png

5. Click on change role.

Change role.png

6. In tab “Menu” provide your changes as described above for the visibility of worksets.

folder removal.png

7. In tab “Authorizations” click on “Change Authorization Data”.

maintain authorization data.png

8. Maintain all authorization data, so that all the traffic lights get green. Afterwards click on “Generate”.

authorization maintenance.png

9. Click on Execute.


10. Return to main screen.

11. Open the user in transaction SU01 and assign the newly created roles there.

Please let me know your opinion.



To report this post you need to login first.


You must be Logged on to comment or reply to a post.

    1. Jan Rumig Post author

      What do you mean exactly? Gateway system separated from the SAP TM instance? There is not a big difference. If you check the role documentation which is referenced above, there you will find the information which role to apply in which system. In addition, the following sentence provides the necessary information: “In case of Gateway hub deployment, you have two users: one user in the SAP TM back-end system and one in the Gateway system. The roles with präfix /TMUI/ have to be assigned in the system in which the software component SAPTMUI is deployed.”

        1. Jan Rumig Post author

          The collaboration portal only works with 1 TM instance and 1 Gateway system at the same time. Your use case is special for your customer and won’t be covered in this post.

  1. Former Member

    Hello Jan,

    I have maintained all the roles to the user ( did copy form standard) and activated all the setting in SICF

    fineĀ  but i am nodid a test workst able to see the Nodes just blank screen

    i have also checked menus in the roles ( sicf tcode) can you please guide me what is that i am missing

    i am getting error that sap tree menu not available.







Leave a Reply