Portal Roles and Authorizations

PRTL152:
Portal Roles and

Authorizations
Soledad Alvarado, SAP Labs, LLC.
Vera Gutbrod, SAP AG
Julia Levedag, SAP AG
Elke Speliopoulos, SAP Labs, LLC

Learning Objectives
As a result of this workshop, you will

be able to:
Understand the two role concepts in SAP NetWeaver

Understand the concept of portal roles and authorizations for
backend systems
Understand the concept of Portal permissions
Understand the concept of User Management Permissions in
the Portal environment
© SAP AG 2004, SAP TechEd / PRTL152 / 3

Role Concepts in SAP NetWeaver
Authorization Concepts
Roles Upload to SAP Enterprise Portal
Portal Roles Distribution to the Backend System
Portal Roles and User Management Roles
Gotchas and Key Points
SAP NetWeaver Powers mySAP Solutions
Role-specific, Easy Access to All Systems
Manager Self Service Role

(SAP ERP)
Employee Self Service Role

(SAP ERP)

SAP NetWeaver Portal Infrastructure
Role-based, … Sales Line Business

Manager Manager Developer
…secure… Authentication
…and web-based… SAP Enterprise Portal 6.0
Single Sign On
…access to any kind

of applications,
information and ERP CRM … Docs*
services
*covered by KM

Portal Role Concept: Why Create Roles?
By creating roles are you able to assign different pieces of

content to different groups of users.
Role 1 Role 2
Group 1 User 1 Group 2
Content 1 Content 2 Content 3 Content 4 Content 5

Main Role Concepts in SAP NetWeaver
SAP Enterprise Portal
Portal
Roles
Roles in ABAP-based Systems

(Roles in Transaction PFCG)
Single and
Composite
Roles in
ABAP-based
Systems

Roles in ABAP-Based Systems
A role is a collection of activities and functions that describes a

certain work area of an SAP application.
Roles are objects for generating authorizations so that the user

can access the transactions, reports etc. contained in the SAP
menu.
The menus available to users after logon are implemented with

roles (SAP Easy Access menu).
There are single roles and composite roles. Role XYZ
Roles are assigned to users. Transaction TA1

Transaction TA2
Transaction TA3
Report zzz
Web Link 1
Web Link 2

Portal Roles
A portal role is a container for applications

and information that can be assigned to a
Role A
particular group of users.
The content of a role enables users to
perform the tasks in their respective job
description.
The content of a portal role is based on the
company structure and on the information
needs of the portal users in the company.
The portal navigation structure is defined by Role Assignment
the sum of the roles assigned to the user.
Technically, a role is a hierarchy of folders
containing other portal content objects.
Roles can be assigned to users or groups of
users, i.e. the portal role connects users (or
groups of users) to the portal content.
Worksets are introduced as a new layer in a User Group 1 User Group 2
role hierarchy.

Portal Roles
Role Workset iViews and

Pages
Roles are the largest
semantic units within
content objects.
They include folder
hierarchies consisting
of folders, worksets,
pages and iViews.
The role structure also
defines the navigation
structure of the portal.
Roles are assigned to
users.
Folder Page iView

ABAP Roles and Portal Roles: A Comparison (1)
I. Contents of Roles
ABAP Roles Portal Roles
The content of a role always refer to The content of portal roles do not depend
a single SAP application. on SAP applications, but may include them.
They contain different kinds of information
(heterogeneous content types).
The role content depends on the The role content depends on the company
user’s tasks in the SAP system. structure and the core processes of the
company. They are complete job
descriptions, not limited to objects of SAP
Systems.
II. What is defined by Roles?

SAP Easy Access Menu Top-level navigation and detailed
navigation

III. Types of Roles

There are single and composite roles. Roles are not divided into different role
Composite roles are optional. types. The portal introduces the concept
of "worksets“.
IV. Administration Environment

All actions connected with roles are Role administration by different web-
performed in transaction PFCG: role based tools in the Portal administration
creation and maintenance, role/user environment.
assignments and authorization
generations.

V. Authorizations
Roles (single roles) carry the A portal role is mainly a content object and
authorization information. Roles are not an authorization object. Portal roles
authorization objects. The profile cannot be used in the portal environment
generator is part of role to create authorizations for the backend
administration in Transaction PFCG. systems.
Authorizations must still be maintained in

the backend systems.

SAP Enterprise Portal as a Component of SAP NetWeaver
Combines the Different Role Concepts
Both roles concepts can be combined in the portal environment.
Conversion of
ABAP-roles and
their content into
portal content
objects Roles in
ABAP- Portal Transfer of portal
based Roles roles to the ABAP-
Systems based system in
order to maintain
the missing
authorizations

Overview: Roles in the SAP NetWeaver Environment
End User Navigation

Top Level Navigation Detailed Navigation
User Management Definition Portal Content

(Portal Content
Directory)
Users Assignment Portal Assignment

ROLES Worksets
User Groups Roles ACLs
Pages
iViews
Authorization
Upload Generation
Roles from ABAP based backend systems

SAP Enterprise Portal as the Leading System
The SAP Enterprise Portal can be used as the leading system for:
Role creation
Role maintenance
Role/user assignment
All tasks concerning content creation and user assignment can

all be done at one place, and this is the SAP Enterprise Portal
Authorization generation must be

done in the backend system !

Portal Roles and Authorizations
In SAP Enterprise Portal you maintain and create the role
definitions. However you do not generate authorization
profiles necessary for the backend system in the portal
environment.
Role
Enterprise Definition
Portal
If portal roles contain transactions and other objects that access

objects in ABAP-based backend systems, you must still generate
the authorization profiles in the backend system.
Authorizations
SAP Enterprise CM Others
Systems Apps Systems
Both SAP Enterprise Portal and the backend system have tools and functions
that permit you to link the portal role with the ABAP authorization concept and
to link the authorization profile in the backend system with the portal role concept.
Portal Content and Authorizations in the Backend System
Portal
Content objects from ABAP- based
systems can be converted to Portal
content objects.
From now on object creation and
maintenance is done in the Portal!
Role/User assignment can also be

migrated to the Portal
From now on role/user assignment
is done in the Portal!
Backend System
Authorization must be maintained!

Assignments roles to users should be synchronous with
assignments in the Portal.

How to Migrate ABAP Roles and Their Content to SAP
Enterprise Portal?
Role Upload Tool in SAP Enterprise Portal
SAP Enterprise ABAP-Based SAP

Portal System
Portal Role and Portal (Role Development
Content Objects + System)
role/user assignment
Authorization Profiles
Migrated role and Initial Role Upload Single Role/

included objects + Composite Role
role/user
assignments
Included objects:
transactions, MiniApps
etc. and
role/user assignments

Role Upload: Availability
Functionality is available for:

EP 6.0 SP2 Patch 4 (on Web AS 6.20)
SAP NetWeaver ‘04 Support Package Stack 04 (EP on Web AS 6.40)

Features of Role Upload
User assignment can

be uploaded to the
Portal.
Included services
(MiniApps or
transactions) are
converted to iViews.
First level folders can

be set as entry point
in the top-level
navigation
Single and
composite roles are
converted as either
When objects are uploaded again, Portal roles or
you can define whether or not worksets with the
existing objects should be corresponding menu
overwritten. hierarchy.

Prerequisites – System Requirements
The following requirements must be fulfilled before you can

upload objects to the portal from SAP backend system:
Import the SAP Enterprise Portal Plug-In 6.0
You must import the SAP EP Plug-In 6.0 into each backend system from
which you want to perform an upload. Only then are all the necessary
functions for the upload available.
For a Workplace system landscape, this means that you must import the
plug-in to both the Workplace Server and all the component systems from
which you want to upload objects.
Authorizations in the backend system
In the backend system you need the authorization S_RFC for function group
PWP2.
Configuration of the system landscape in EP
In the portal system landscape, you must create a system for each backend
system from which you upload objects. You must define a connection to the
backend system for this system.

Converted Objects
Converted objects can be used as Portal objects in order to build

portal content.
SAP Enterprise
ABAP-based
Portal
SAP System
Single Role R01 Portal Role R01
Transaction TA1 iView TA1

Transaction TA2 iView TA2
Transaction TA3 iViews TA3
Report R01 iView R01
Web Link W1 iView W1
Web Link W2 iView W2
The role/user assignment of a role can also uploaded to the portal. You
therefore do not have to make this assignment again in the portal. An
uploaded role is automatically assigned to a portal user. Prerequisite:
backend user must have a corresponding user in the Portal.

Object Storage in Portal Catalog
Migrated and converted objects

can be found in the Portal Catalog
in a special folder Portal Content
-> Migrated Content -> SAP Component
Systems.

Working with Migrated Roles in the Portal (1)
Single and composite roles have no pages. Therefore pages with

iViews must be defined and assigned to the roles.
Role hierarchy and navigation structure must be adjusted. The

original migrated roles represent the menu of an ABAP-based SAP
system and therefore could have deep navigation structures. It
makes sense to remove unnecessary navigation levels.
The top-level navigation must be checked. Single and composite

roles often list more than 10 entries on the first level of their
navigation structure. A 1:1 conversion in the portal would mean
that the top-level navigation would be incomprehensibly large.

Working with Migrated Roles in the Portal (2)
Preliminary consideration should be given as to where the right

place for an ABAP role within a portal role structure is. In certain
use cases it may be beneficial to migrate roles to worksets and
assign them to a portal role.
Sometimes it is better to migrate only single services

(transactions) rather than a complete role. In the Portal
administration environment these services can be grouped in a
different way in a new role structure.

All Content is Created and Maintained in the Portal!
iView Studio:
www.iviewstudio.com
Portal ABAP-Based System 2
Download of
Business Packages Portal Content Upload and Conversion of
containing Portal Content Content Objects
Roles
Worksets
Pages
iViews Upload and Conversion of

Content Objects
Upload and Conversion of

Content Objects ABAP-Based System 1
ABAP-Based System 3

Demo
Demo and
Exercise Part I

How to Maintain Authorizations for Portal Content Objects?
Role Distribution to the Backend System

ABAP-based SAP
Enterprise Portal System
Role/user assignment Role/user assignment
Portal Role Generated authorization role

Included objects: List of transactions, etc.
iViews accessing
transactions, Repetitive
Authorization data
MiniApps etc. in Authorization
the backend system Generation
Generated auth. profiles
Generated authorizations

Role Distribution in Detail
ABAP-based SAP System

Responsible for Creation of
SAP Enterprise Portal Authorization Roles
Portal Role A Portal Role A
Folder 1
System 1 Auth. Role A_1:
iView A T1, T2, T6
Transaction T1 ---> System 1
iView B Auth. Role A_2:
Transaction T2 ---> System 1 T1, T2, T6
iView C
Folder 2 System 2 Auth. Role A_3:

T3, T4, T5
iView D
Auth. Role A_4:
iView E T3, T4, T5
iView F

Authorizations in ABAP-based Systems: Overview
The following functionality is provided:

Distribution of portal role definition from portal to backend systems
Creation of corresponding authorization roles in backend system
Update/change of user assignment
A tool in the Portal System Administration role enables the

system administrator to
Transfer role definition to an ABAP-based backend system
Transfer role/user assignments to an ABAP-based backend system
Report on transfer processes
Transaction WP3R in the ABAB-based system enables the

administrator to create authorization roles on the basis of portal
roles
Transaction WP3R: “Follow up processes for portal roles“
Transaction WP3R is included in the Enterprise Portal Plug-In

Transfer of Portal Roles and User Assignments
Step 1: Step 2:
Transfer portal role Transfer portal user
information to a assignment to a
dedicated backend dedicated backend
system system
Roles Distribution (1)
Select the system to which data

shall be transferred
Select the roles that are to be

transferred
The following data will be included:

Role name including the logical system
name
Dependent transactions and services
Metadata of the content objects

Transaction WP3R: Follow-up Process for Portal Roles (2)
ABAP-based
SAP System
Transaction WP3R
Transaction WP3R: Generation of Authorization Roles (3)

Transaction WP3R: Authorization Profile Generation (4)

Role/User Assignment Distribution (1)
The user ID will be transferred to the backend

system. If user mapping is used, the mapped
User ID will be published to the backend
system.

Transaction WP3R: Follow-Up Process for Role
Assignment (2)
ABAP-based
SAP System
Transaction WP3R

Transaction WP3R: Authorization Role Assignments (3)

Scenario: Role Distribution from EP 6.0 to ABAP-based
Systems
SAP 4.6B Role SAP 4.6B

Development System Transport Quality Assurance System
Creation of Authorization Role Test of Authorization Role
Distribution of
Role Definition Role
Transport
SAP 4.6B
Productive System
(SAP CUA or
Role Definition
component system)
User Assignment
User Assignment
Distribution of
EP 6.0 Role User
Assignments

Demo
Demo and
Exercise Part II

Authorizations & Portal Roles + ACLs & UME Roles
PFCG Roles and

Portal Roles ACLs UME Roles
Authorizations
Backend PCD Objects Methodology to UME Objects

Authorizations define
permissions for
Part of ABAP EP objects
Roles
Maintained in Maintained in EP Maintained in EP Maintained in User
ABAP System Content System Admin
Administration Administration WebConsole
Area Area
Grant access to Provide Navigation Provide End User Provide Access to
ABAP objects and Access to EP Access and JAVA components
Content and various levels of
Components Administration
access for portal
objects.

Preconfigured EP Administration Roles
Role Function
Super assigned to initial SAP* User
Administrator „Full Control“ access on whole Portal Content Catalog Tree
Access on all admin tools
of Content Administrator Role
of System Administrator Role
of User Administration Role
Content access on all Content Administration tools for creation of roles,
Administrator worksets, pages, iViews, layouts
access on all editors to maintain content e.g. Permission Editor,
Property Editor
access on all parts of tree hierarchy of Portal Content Catalog if the right
ACLs have been defined
System access on all tools for system administration such as system
Administrator configuration, transports, permissions, monitoring, support, portal
display
access on all parts of tree hierarchy of Portal Content Catalogs if the
right ACLs have been defined
User access on all tools for user administration to create and maintain users,
Administrator administrate the role-user assignment, user mapping administration,
user Replication, Group administration, etc.

Admin Roles and Portal Content Objects
Super admin Content administrators are

responsible for content objects in
Content admin 1
+ ACL the Portal Catalog.
Content admin 2 ACLs define the access and
+ ACL allowed action for content objects
Content admin 3 like folders, roles, worksets,
+ ACL
pages, iViews and templates.
System admin 1
+ ACL System administrators are
System admin 2 responsible for system
+ ACL administration tasks and objects.
System admin 3 ACLs define the access and
+ ACL
allowed actions for objects like
transport packages or systems.
User admin 1
Set Role
User administrators are
User admin 2
Set Role responsible for users related tasks.
User admin 3 Role-User Assignment can be
Set Role
controlled by permissions set for
user management role.

Permissions and Delegated Administration
The concept of permissions is connected with the principles of

delegated administration!
Delegated Administration means
to distribute administration tasks within an organization.
You have to distribute and control...
Administration and maintenance of content like portal roles
Administration and maintenance of system configuration like UM
configuration, monitoring configuration, service configuration, etc.
Administration and maintenance of user information (e.g. Users,
Groups, User-Role Assignment, ...)
Delegated Administration is realized by different tools like...

Predefined customizable administration roles
ACLs on folder hierarchies in the portal content catalog
Special UME permissions on the User Administration role

Delegated Administration – Scenario Diagram
Permission Editor Role List

Portal Catalog Content Administration
Project 1
User management
Content Assigned to Role
Roles “Content
Administration”
Role A
Role B Full Control
… Permission
On Role A John
John’s Interface of Portal Content Studio

John has access to the Content Studio
interface since he is assigned to the
content administration role. Portal Content Studio
Portal
He can edit only Role A according to Catalog
the permission he got in the Role A
Role Editor
permission editor.

Design Time Permission (Administration)
Portal Catalog Create/ Delete Edit Objects

Objects
NONE Folder & objects Folder & objects not
not visible visible
READ Create from Folder & objects

Templates with visible
READ permission Copy objects
Worksets
ACL Check No Edit
Pages on Folder
Level and on READ/ No delete! Folder & objects
Systems WRITE visible
Object Level Create from
Templates with Edit object properties
READ permission Edit assigned delta links
FULL Delete objects Folder & objects
CONTROL Create from visible
Templates with Edit object properties
READ permission Edit assigned delta links
Administrator Permissions
Check during creation OWNER Delete objects Folder & objects
process for objects Create from visible
Check when accessing Templates with Edit object properties
objects READ permission Edit assigned delta links
Edit permissions

Runtime Permissions (End User)
Personalize Page Navigation Personalization
USE Navigation iViews (TLN, detailed User Interfaces in

navigation, Drag&Relate targets, the end user
related links) only display roles environment that
and objects that have end-user display the portal
permission. content catalog
Worksets (such as personalize
For display of objects in page) only display
ACL Check navigation the ACL is checked
Pages on Folder objects that have
on the object level. end user permission.
Systems Level and on
Object Level Direct URL access to a
component: Users may access
portal components through URL
without an intermediate iView if
they are granted USE
permission in the appropriate
security zone.
Direct access to an iView – USE
End User Permissions permission is required
Check for Navigation
Check for in Personalize
Page Component
Check if calling component
via URL

Demo
Demo
and
Exercise Part III

More Information
Gotchas and Other Good to Knows (1)
Uploading Roles From Backend Systems:

Make sure users for whom you want to transfer assignments are
identical in both, SAP EP and backend system.
If you have complex back-end roles, remember the number of entry

points you may be creating by setting the “Select first folder level as
entry point” flag. In that case, it may be better to unselect the option.
Make sure that you wait for status: “Finished” to indicate the role has
been completely transported. Roles with deep navigation structure may
take additional time to transport.

Gotchas and Other Good to Knows (2)
Distributing the Portal Role to the Backend System:

In order for the tool to access the logical systems, make sure there is an
entry in the Table WP3ROLESYS pointing to the logical system name.
Transaction SCC4 shows the client information of the backend system
and via double click, the logical system name can be found.
Use transaction SE16 for viewing and creating entries in the table.
Make sure that you have the authorization S_RFC for function group
PWP2 in the backend system.
Use Transaction WP3R (which is included in the EP 6.0 Plug-In) to view
the role and authorizations instead of PFCG.
(Note: Due to organizational structures, some of these tasks
may fall into the responsibility of an SAP System Administrator)

More Information
Further Information
Î Public Web:
www.sap.com
SAP Developer Network: http://sdn.sap.com Î Enterprise Portal
SAP HELP Portal: http://help.sap.com/nw04
Î Related SAP Education Training Opportunities

http://www.sap.com/education/
Î Related Workshops/Lectures at SAP TechEd 2004

SCUR01, User Management and Authorizations: Overview, Lecture
SCUR351, User Management and Authorizations: the Details, Hands-On

SAP Developer Network
Look for SAP TechEd ’04 presentations and videos on

the SAP Developer Network.
Coming in December.
http://www.sdn.sap.com/

Questions?
Q&A

Copyright 2004 SAP AG. All Rights Reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express
permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other
software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries,
pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or
registered trademarks of IBM Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered
trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium,
Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and
implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein
as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other
countries all over the world. All other product and service names mentioned are the trademarks of their respective
companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group
shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and
services are those that are set forth in the express warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional warranty.

Portal Roles and Authorizations

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Portal Roles and Authorizations

Uploaded by

Copyright:

Available Formats

PRTL152:

Portal Roles and

Vera Gutbrod, SAP AG

Julia Levedag, SAP AG

Elke Speliopoulos, SAP Labs, LLC

As a result of this workshop, you will

 Understand the two role concepts in SAP NetWeaver

© SAP AG 2004, SAP TechEd / PRTL152 / 3

Manager Self Service Role

Employee Self Service Role

© SAP AG 2004, SAP TechEd / PRTL152 / 5

Role-based, … Sales Line Business

…and web-based… SAP Enterprise Portal 6.0

…access to any kind

© SAP AG 2004, SAP TechEd / PRTL152 / 6

By creating roles are you able to assign different pieces of

Group 1 User 1 Group 2

Content 1 Content 2 Content 3 Content 4 Content 5

© SAP AG 2004, SAP TechEd / PRTL152 / 7

SAP Enterprise Portal

Roles in ABAP-based Systems

© SAP AG 2004, SAP TechEd / PRTL152 / 8

 A role is a collection of activities and functions that describes a

 Roles are objects for generating authorizations so that the user

 The menus available to users after logon are implemented with

 There are single roles and composite roles. Role XYZ

 Roles are assigned to users. Transaction TA1

© SAP AG 2004, SAP TechEd / PRTL152 / 9

 A portal role is a container for applications

© SAP AG 2004, SAP TechEd / PRTL152 / 10

Role Workset iViews and

Folder Page iView

© SAP AG 2004, SAP TechEd / PRTL152 / 11

II. What is defined by Roles?

© SAP AG 2004, SAP TechEd / PRTL152 / 12

III. Types of Roles

IV. Administration Environment

© SAP AG 2004, SAP TechEd / PRTL152 / 13

Authorizations must still be maintained in

© SAP AG 2004, SAP TechEd / PRTL152 / 14

Both roles concepts can be combined in the portal environment.

© SAP AG 2004, SAP TechEd / PRTL152 / 15

End User Navigation

User Management Definition Portal Content

Users Assignment Portal Assignment

Roles from ABAP based backend systems

© SAP AG 2004, SAP TechEd / PRTL152 / 17

All tasks concerning content creation and user assignment can

Authorization generation must be

© SAP AG 2004, SAP TechEd / PRTL152 / 18

If portal roles contain transactions and other objects that access

Role/User assignment can also be

Authorization must be maintained!

© SAP AG 2004, SAP TechEd / PRTL152 / 20

SAP Enterprise ABAP-Based SAP

Migrated role and Initial Role Upload Single Role/

© SAP AG 2004, SAP TechEd / PRTL152 / 22

Functionality is available for:

© SAP AG 2004, SAP TechEd / PRTL152 / 23

User assignment can

First level folders can

© SAP AG 2004, SAP TechEd / PRTL152 / 24

The following requirements must be fulfilled before you can

Understand the two role concepts in SAP NetWeaver

A role is a collection of activities and functions that describes a

Roles are objects for generating authorizations so that the user

The menus available to users after logon are implemented with

There are single roles and composite roles. Role XYZ

Roles are assigned to users. Transaction TA1

A portal role is a container for applications

Single and composite roles have no pages. Therefore pages with

Role hierarchy and navigation structure must be adjusted. The

The top-level navigation must be checked. Single and composite

Preliminary consideration should be given as to where the right

Sometimes it is better to migrate only single services

The following functionality is provided:

A tool in the Portal System Administration role enables the

Transaction WP3R in the ABAB-based system enables the

READ Create from Folder & objects

If you have complex back-end roles, remember the number of entry