This document is for those who “hate” to use the out-of-the-box roles and menus delivered with any SAP implementation, because they usually provide far more access than the differing user types need, and it is a pain to figure out how to turn items off with all of the back-end PFCG manual role entries.
Many times you are left with links or menu items that are not configured in your system but are visible to your entire user base, which usually ends in a help desk call to fix something when our curious users start to search around your new site.
My goal was to create group-specific PFCG roles tailored to those groups' requirements, based on internal and external audit recommendations.
After spending a couple of weeks searching through all of the differing posts about creating your own customized menu items in GRC 10.1, I have compiled a hopefully very easy walk-through on how to accomplish this on your own.
I would like to give credit to both Colleen Hebbert and Manik Saldi for the initial SAP blogs/wiki documents that helped explain the concepts, but which I thought could use some clarification, as some things have changed since they were originally written.
Requirements: SAP GRC access to SE80 and an SAP Developer key for your environment.
Step 1. Copy the FPM configuration
Create copies of the FPM Application configurations in the GRFN_ACCESS package:
In this step you use SE80 to search for the standard SAP package GRFN_ACCESS, where the Web Dynpro application lives.
From there I drilled down to the “FPM Application Configurations” folder and created the following two copies of Menus I am going to update.
Step 2. Creating Custom Config Roles
Next I created my new Menu Roles that I will be linking to the relevant configurations in the Web-Dynpro configuration screens later in this article.
To do this you can either go in SPRO to “GRC -> General Settings -> Maintain Customer Specific Menu -> Configure Launchpad Menus” OR execute Tcode LPD_CUST.
Since I am working on the “Menu” and “Access Management” tabs I will make copies of those two Roles using the “copy” function.
You will then be asked to enter a new value/name for the role that you want to create. Please be aware that there are length restrictions on the name, so you may have to adjust. (Example: GRCACCMGMT had to be renamed to ZGRCACMGMT for me to fit.)
(You do not have to assign this to a namespace. Just click through the “yes” confirmation if you do not.)
Step 3. Launch Pad Roles Config
Once you create your duplicate roles, you can add or remove whatever you want in your custom “launch pad” to suit your needs. (There are some very interesting articles on how to add all kinds of non-GRC entries to these if you search.)
For my Home, I did not want my users performing any of the password management functions, as we have a 3rd party application for this, or using the SAP Support functions that would redirect them to Marketplace.
Please note that every folder you create becomes a new “Heading” on that page, under which you can add URLs and other Web Dynpro apps. The Column Break separates content onto the other side of the page (left to right).
The above config makes the following display tab:
Step 4. The PFCG Role
Now that we have our Menu tabs set up the way that we want, we will need to add them to our ZGRAC_FPM_AC_LPD* custom configuration. (I am working with the “Home” tab)
First create a test role with the NWBC Tcode, and a Folder Name for the Tab you want to create. In my example I am working on the “My Home” tab.
***** If you add Tcodes directly to this or any Web Dynpro role, you will need to do so at the root of the role menu and not inside any sub-folders. If you put the Tcode in the sub-folder it will show up as an option for the user on the page.
Generate the role and update the S_START authorization as follows:
AUTHOBJNAM = GRFN_SERVICE_MAP
AUTHOBJTYP = WDYA
AUTHPGMID = R3TR
This will allow you, at a minimum, to launch the Web Dynpro application to validate your config and menu changes.
******** Links in the menu can be worked on later using ST01 traces to identify link authorization requirements.
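The following is an added example, not part of the original walkthrough or any SAP-delivered code: a Python check that the S_START values in a generated role match the three values above and contain no wildcards. It assumes the role's authorization data (table AGR_1251) has been exported to CSV with the column names shown; the role names and authorization names in the sample are constructed.

```python
import csv
import io
from collections import defaultdict

# Expected S_START field values, taken from Step 4 of this walkthrough.
EXPECTED = {
    "AUTHPGMID": {"R3TR"},
    "AUTHOBJTYP": {"WDYA"},
    "AUTHOBJNAM": {"GRFN_SERVICE_MAP"},
}

# Constructed sample: CSV export of AGR_1251 rows (assumed layout).
# ZGRC_HOME_TEST / ZGRC_HOME_WIDE and the T-GR... names are hypothetical.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
ZGRC_HOME_TEST,S_TCODE,T-GR00099,TCD,NWBC,,
ZGRC_HOME_TEST,S_START,T-GR00100,AUTHPGMID,R3TR,,
ZGRC_HOME_TEST,S_START,T-GR00100,AUTHOBJTYP,WDYA,,
ZGRC_HOME_TEST,S_START,T-GR00100,AUTHOBJNAM,GRFN_SERVICE_MAP,,
ZGRC_HOME_TEST,S_START,T-GR00100,AUTHOBJNAM,*,,X
ZGRC_HOME_WIDE,S_START,T-GR00101,AUTHPGMID,R3TR,,
ZGRC_HOME_WIDE,S_START,T-GR00101,AUTHOBJTYP,WDYA,,
ZGRC_HOME_WIDE,S_START,T-GR00101,AUTHOBJNAM,*,,
"""

def audit_s_start(export_text):
    """Return {role: [findings]} for S_START values that differ from EXPECTED."""
    values = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(export_text)):
        # Skip other objects and rows flagged as deleted in the role.
        if row["OBJECT"] != "S_START" or row["DELETED"] == "X":
            continue
        values[(row["AGR_NAME"], row["AUTH"])][row["FIELD"]].add(row["LOW"])
    findings = defaultdict(list)
    for (role, auth), fields in values.items():
        for field, allowed in EXPECTED.items():
            got = fields.get(field, set())
            if any("*" in v for v in got):
                findings[role].append(f"{auth}: {field} contains wildcard {sorted(got)}")
            elif got - allowed:
                findings[role].append(f"{auth}: {field} has extra values {sorted(got - allowed)}")
            elif not got:
                findings[role].append(f"{auth}: {field} is not maintained")
    return dict(findings)

if __name__ == "__main__":
    for role, issues in audit_s_start(SAMPLE_EXPORT).items():
        print(role, issues)
```

Extend EXPECTED as further Web Dynpro applications are deliberately added to a role, so that any value outside the approved set is reported.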
Now that you have saved and generated the role, go back to the “Menu” tab of the role, right click on the Web Dynpro service and select the “Details” screen.
Next you will click on “application configuration” button to enter the Web Dynpro configuration screen.
***** Please note that you CANNOT copy any of the SAP standard configs after this via SE80. You MUST use the Application Configuration button below. If you try and copy the FPM_OVP_COMPONENT in SE80 NONE of the SAP provided config will come over in the copy.
Step 5. Web Dynpro Configuration ID copy
You should now be in the Web Dynpro component configuration screen. On this screen you should see the original SAP configuration ID “GRAC_FPM_AC_LPD_HOME”.
Click on the Copy button and then in the next screen change it to a custom name. (I added Z* for my example)
NOTE** If you do not see a “copy” button click on the “New Window” button.
You will then be prompted to assign it to a package and also to create a Transport for this if one has not already been created.
I would suggest creating a Transport package just for this config so you know what you are moving into your QAS and PRD systems.
If you do not have a custom package for your system, work with your Basis team to create one.
Once created you should now be able to continue on in “change” mode to update your new custom configuration.
Click on the configuration ID in Edit/Change mode and that will take you to the Configuration ID Main Page.
Step 6. UIBB Configuration ID copy
You must now create a copy of the GRAC_FPM_UIBB_LPD* configuration that you are working on. (again I am working on “HOME”)
In the “Overview Page Schema” section select the UIBB for the FPM_LAUNCHPAD_UIBB and then click on the “Configure UIBB” button.
NOTE***** If you get prompted to provide an Object Registration Key, click CANCEL. You will be making a copy and should not change SAP-provided configuration. The configuration screen automatically prompts you before you can choose copy.
Next click on the “Copy” Icon:
Then create a custom name for your new component configuration ID (I used Z* for my home)
You will again be prompted to save it to a custom package and transport. Use the ones you set up for the first configuration ID copy.
Once you copy the configuration you will be taken to the “Component Configuration” page.
Here you will need to click on the “Edit” button and then select the Search button next to Role.
This lets you change the SAP-provided role to the one that you created in LPD_CUST (ZGRACHOME in my case). Then click the “Save” icon.
NOTE**** In this screen you can also see the preview of what the page looks like before you update to the custom role. Take note so you can see the change.
NOTE*** There is no “Close” button, so at this point you can just close out the screen. Your configuration is completed.
Step 7. Test your Page!!!
If you have followed all of the above steps then you should be ready to test your page in the role you created.
Go back to the PFCG role that you created and right click on the Web Dynpro Application and select “Execute”
This will bring up your final page.
You can now assign this role to a test user and start to identify which authorizations may be required to populate any of the links that need them.
In my case I will need to go back and identify the authorizations to populate the “My Profile” links via ST01 and my own ID.
I hope this article helps the future GRC admins of the world and I look forward to creating more documents later on other topics I find could use some clarification.