Complex role-based approach using various authorization objects
The SAP Profitability and Performance Management solution comes with predefined role templates which you can see in the Administration guide’s Authorization and SAP Fiori Launchpad Application sections.
As these are just templates, if for example all roles with the *ALL suffix are assigned directly to a user, that user will have access to and full authorization on ALL data records and environments in SAP Profitability and Performance Management.
Because of this, a security expert will likely need to design a role structure that better fits the business' needs.
In this blog post, I wish to share with you a SAMPLE role setup for a complex calculation process, which hopefully gives you a hint on how you can set up yours.
A complex calculation process may demand a complex role-based approach with a rigid division of responsibilities. In addition to functional restrictions (transactions and services), an organization usually also requires analytical restrictions (data access).
In this case the predefined role templates should be copied and adapted to the business needs. As an example of such an adjustment, a Composite role consisting of separate Single roles may be created. The set of single roles implements functional permissions (Functional Roles) and organizational constraints (Org Level Roles).
Composite roles allow easier scaling by adding Org Level Roles. At the same time, Functional Roles are only changed when an employee's responsibilities are extended.
Implementation of a complex role model is based on the following Authorization Objects groups.
| No. | Authorization group | Description | Authorization Object Example |
|---|---|---|---|
| 1 | Access Authorization Objects | Authorizations to run transactions and services. | |
| 2 | Authorization Objects NXI | Give permission to a particular Environment (Calculation Unit) and Function in SAP Profitability and Performance Management. | /NXI/P1F |
| 3 | Analysis Authorization Objects | Give data access permission for BI objects (queries, editable queries). | |
| 4 | User Groups | Restrict authorizations for specific activities (calculation process steps) and enable Dual Control. | S_USER_AGR |
This implementation approach implies the following restrictions for the configuration in SAP Profitability and Performance Management:
- Function IDs must follow the naming pattern referred to in the NXI Authorization Object /NXI/P1F. This concerns only functions used in Process Activities.
- Authorization-relevant InfoObjects must be defined and used at least in the Query function. The Analysis Authorization Objects also refer to these InfoObjects.
Changes to User groups (Teams) must take into account the restrictions that apply when Central User Administration is used.
Authorization Objects NXI
The NXI Authorization Object settings may be extended by marking authorization fields, for example Environment or Version, as Org. Levels for the Profile Generator (transaction SUPO). This adjustment may be helpful when calculation rules and algorithms differ significantly between company branches and org. units.
Analysis Authorization Objects
The configuration of Analysis Authorization Objects consists of two blocks (set up with transaction RSECAUTH).
Data access permission is realized by InfoObjects marked as Authorization Relevant; see the picture below (screenshot from Eclipse).
Data activity permission is realized with the following default InfoObjects:
- 0TCAACTVT Activity in Analysis Authorizations,
- 0TCAIFAREA Info-Area for Analysis Authorizations,
- 0TCAIPROV Authorizations for Info-Provider,
- 0TCAVALID Validity of an Authorization
In addition to READ and EDIT permissions, the data access activities may be extended according to the requirements of the process. For example, a Ratification permission may be realized by combining the default InfoObjects with the data access InfoObjects.
The Analysis Authorization Objects created in the previous steps should be included in the Authorization Object S_RS_AUTH (field BIAUTH). The default authorization 0BI_ALL is entered there when no restrictions should be applied. (In transaction PFCG it looks like the picture below.)
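To make the behaviour of this setup concrete, here is a small Python model (added for this post, not PaPM or BW code) of how the pieces fit together: single roles carry analysis authorization names in S_RS_AUTH/BIAUTH, a composite role unions them, and a query passes only if one analysis authorization covers the activity (0TCAACTVT), the InfoProvider (0TCAIPROV), the validity (0TCAVALID) and every authorization-relevant characteristic at once. All Z* names, the InfoProvider ZPAPM and the characteristic ZBRANCH are constructed placeholders; BW's merging of several partial authorizations is deliberately not modelled.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class AnalysisAuth:
    """Simplified BW analysis authorization (as maintained in RSECAUTH)."""
    actvt: set        # 0TCAACTVT: "03" display, "02" change, "*" all
    iprov: set        # 0TCAIPROV: InfoProvider names, "*" all
    valid_to: date    # 0TCAVALID: upper bound of validity
    values: dict      # auth-relevant InfoObject -> allowed values, "*" all


@dataclass
class SingleRole:
    name: str
    biauth: list      # S_RS_AUTH, field BIAUTH: analysis authorization names


def _covers(allowed: set, requested: set) -> bool:
    return "*" in allowed or requested <= allowed


def auth_allows(auth, actvt, iprov, selection, today) -> bool:
    """A single authorization must cover activity, InfoProvider, validity
    AND every auth-relevant characteristic in the query selection."""
    if today > auth.valid_to:
        return False
    if not _covers(auth.actvt, {actvt}) or not _covers(auth.iprov, {iprov}):
        return False
    if not auth.values:          # 0BI_ALL: no value restriction at all
        return True
    # A characteristic with no maintained values grants nothing.
    return all(_covers(auth.values.get(c, set()), v) for c, v in selection.items())


def check_query(roles, auths, actvt, iprov, selection, today=date(2025, 1, 1)):
    """Composite role: BIAUTH values of all single roles are unioned, then the
    query passes if ANY one analysis authorization covers it."""
    names = {n for r in roles for n in r.biauth}
    return any(auth_allows(auths[n], actvt, iprov, selection, today) for n in names)


# Constructed sample: only 0BI_ALL is SAP-delivered, everything else is a placeholder.
AUTHS = {
    "0BI_ALL": AnalysisAuth({"*"}, {"*"}, date.max, {}),
    "Z_RD_BR01": AnalysisAuth({"03"}, {"ZPAPM"}, date(2030, 12, 31), {"ZBRANCH": {"BR01"}}),
    "Z_RD_BR02": AnalysisAuth({"03"}, {"ZPAPM"}, date(2030, 12, 31), {"ZBRANCH": {"BR02"}}),
    "Z_CH_BR01": AnalysisAuth({"02", "03"}, {"ZPAPM"}, date(2024, 6, 30), {"ZBRANCH": {"BR01"}}),
}
FUNC_ROLE = SingleRole("Z_PAPM_ANALYST", ["Z_RD_BR01"])    # Functional Role
ORG_ROLE = SingleRole("Z_PAPM_ORG_BR02", ["Z_RD_BR02"])    # Org Level Role added for scaling
ADMIN_ROLE = SingleRole("Z_PAPM_ALL", ["0BI_ALL"])         # template-style *ALL role
```

Adding ORG_ROLE to the composite extends read access to branch BR02 without touching the Functional Role, while the expired Z_CH_BR01 and the 0BI_ALL role show the two failure modes worth testing before go-live.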
User groups are used when Dual Control is activated to implement sequential execution and approval. Dual Control is described in detail in this blog post: https://blogs.sap.com/2020/09/03/sap-profitability-and-performance-management-dual-control-overview/ . For a user, the available sequence of activities depends on the User group assignment. For example, as shown in the picture below, a sequence of 4 activities is presented to the user assigned to the PAPM_RW01 group, while the user assigned to PAPM_PR01 can see only 3 activities.
If Central User Administration or GRC (Governance, Risk, and Compliance) is used, the User group (Teams) assignment cannot be changed by a user with the role /NXI/P1_ADMIN_USER, and additional ABAP development may be needed.
In the end, the set of single roles formed according to this approach consists of:
- The set of Functional Roles
  - Access Authorization Objects
  - Authorization Objects NXI with empty Org Levels
  - Analysis Authorization Objects
- The set of Org Level Roles
  - Analysis Authorization Objects
I am at the end of my blog post and I hope you now have a better understanding of at least 3 starting points for solving your challenges concerning role adjustment and configuration:
- The roles delivered by SAP Profitability and Performance Management are templates that you may use as a basis for your own authorization requirements.
- Composite Roles may be handy for a more organized role structure that applies both functional and analytical restrictions.
- User Groups or Teams can be used to further control the process through the Dual Control mechanism.
- 727536 – FAQ | Using Customer Organizational Levels in PFCG
- BW465 SAP BW/4HANA – User Management and Authorizations