PFCG - ROLES DEFINITION FOR ABAP TEAM

Dear SAP Professionals,
I would like to know your thoughts, ideas, templates and resources, on authorization objects and roles we should define and / or create in the company for ABAP development team.
Also, it will be very valuable being able to receive information about that definition, for BASIS team.
Look forward for your answer, and if you need further explanation pls feel free to make it.
Thanks in advance,
Rodolfo

The SAP_BC_DWB_WBDISPLAY is ABAP display only I think (pls correct me if I'm wrong) and this will give to little authorizations to display in production for them.
We used the display roles in production that we have created per module (FI, MM, et cetera). and assigned them to one composite display role.
The template roles can be a good start for the non production systems, but in our case they where to limited and they needed more authorizations, also for the functional modules. So we ended up creating a new developer composite role that was a combination of the basic ABAPdeveloper role with additional functional roles.
The result is that they have many authorizations in the non production system and  additional compensenating controls where needed to minimize the risk. The good thing is that they don't need critical authorizations in the production system and we can monitor the usage of the firefighter use in the production system.

Similar Messages

  • Functional spec.for ABAP team!!!

    Hi Guyz,
    I would appreciate if you could explain how to write the functional specifications for the ABAP team in order to do the configuration,I am working on a pallet pricing and I have to write some functional spec.  for the ABAP team.Thanks is advance.
    Regards.
    Mohammed.

    Hi,
    Functional Specification  is written by the functional consultants to give to the ABAPers where there will write technical specifications to meet the requirement.
    Regarding your issue, u have to first know
    whats the requirement is
    when to start with either T.Code and
    at what field
    who are authorized to do that
    How we do that
    How this integrated with other modules
    what implications it is going to reflect in other modules
    the approval from the repective supervisors
    and finally viewing the output
    and rectifying the same after going through the technical requirements.
    Mohan
    Award pointsif it helps.

  • Can anyone help me understanding the links between Launchpad roles, PFCG roles, and portal roles!?!

    Hi experts,
    I am looking at the newer EhP5 and EhP6 functionality for ESS and MSS, specifically the WD ABAP portal applications.  I've turned on all the business functions and services I think our team wants, however I'm confused on how to move forward in using them.  For a little tech info, we are on EhP6 for the backend, but our portal is 7.02.
    My first step was to assign the com.sap.pct.erp.ess.wda.Employee_Self_Service_WDA portal role to our test ESS user group in our sandbox environment.  The ESS user got a new ESS tab in the portal and it's linked to the Launchpad role ESS, Instance MENU.  I'm comfortable with ESS at this point, still need to learn more about customizing the menu for different employee groups without creating additional Launchpad or SAP roles.
    Question 1: Correct me if I'm wrong, but is the Launchpad roll ESS, instance menu linked to the PFCG role SAP_EMPLOYEE_ESS_WDA_2?
    Next, I was looking to see if there was a similar portal role for MSS, but it seems I can't find one.  I implemented the MSS Addon 1.0 for ABAP and the portal and got a new MSS portal addon role, but it doesn't seem to be connected to any MSS Launchpad role.
    Question 2: Is there a portal role to assign to users/groups that is linked to one of the MSS Launchpad roles? If yes, what business function or service is it a part of?
    I'd like to use of the existing MSS Launchpad role to test some of the new portal functionality, but I'm not sure how to do it.
    Question 3: How is a Launchpad role assigned to a SAP role in PFCG?  Anyone have some documentation they can point me too?
    Kind regards,
    Garrett Meredith

    Thank you Samuli, this was very helpful in connecting many of the pieces.
    For now I have a very good understanding of how the new ESS is controlled and modified.
    It appears that FPM_LAUNCHPAD_UIBB could be used to develop a similar component to call a custom launchpad role for MSS containing a customized list of WDA applications.
    Is a MSS Launchpad a good way to pursue since we use a SAP enterprise portal?
    I found a PAOC_MSS package containing other MSS embedded packages.
    Could I use one of the embedded packages in there and by creating a Component configuration in the FPM_LAUNCHPAD_UIBB for one of the MSS WD applications?
    Based on the documentation link above, PFCG roles are for NWBC HTML or Desktop versions.
    Kind regards,
    Garrett

  • Pfcg roles behind ic webclient profiles

    Hi,
    Can anybody tell what are PFCG roles behind for each IC Webclient profiles like SALES B2B, SALES B2C, SERVICE.... (tx: crmc_ic_main)
    thanks
    Tim

    Hi Tim,
    Again, PFCG roles are a combination of authorisations, that define what the person linked to the role can do.
    e.g. An authorisation is defined that th role can create/change/read sales orders. Within the same role there is an authorisation that indicates that the role cannot create Service Contracts. and so on...
    These are standard authorisations that are used by the system.
    Hope this is clear now.
    ps. Don't forget to reward points if the answers are usefull and when you question is answered reward points and put the question to answered.
    Kind regards,
    Micha

  • Training New ABAP Team Members

    Hi All -
    Will be required to identify training for ABAP team members for fresh install of ECC/BI NW2004s (EP and XI out of scope for Phase I).  Is the content of these intro/intermediate courses (E.g. BC400, BC405, BC411,...)now drastically altered to the current release of NW2004s, or, as I have experienced in the past, is the change in these courses to consider NW2004s technology minor compared to the same courses as presented when current to say 4.6C?  I.e. is the incremental change in course content for the intro/intermediate level ABAP courses vast between the releases or rather minor?  Also, would the current version of these courses actually present NW2004s (AS 6.40) material?
    Additionally, comments on best approaches to training new ABAP developers appreciated.
    Thanks,
    Pat

    Your newbies really need to understand the system structure(3 teired)  what each part does and how they interact,  then move on to the development environment,  they need to understand the objects, what is a report, a module pool, a function module, a class, a method, etc.  They need to know the data dictionary and what that is all about.  Now comes the syntax,  data declarations, types, select statements, write statements, etc.  Then  start them off writing a simple program using the flight db. Selecting data and writing it out.  At the end of all of this "in house" training, you will be able to see who is going to take it and run with it(meaning who is going to be able to figure all of this out on his own) and who is going to struggle and need to take these basic courses.
    You can save a little money on those who are picking it up on there own.  Of course they may not like not being able to go for training. 
    Regards,
    Rich Heilman

  • How to find SAP  java realted roles for ABAP and Basis

    Hi Gurus,
    I am new in SAP Security First week, I got the assignment to find the SAP Roles and Trans for ABAP and Basis in all Systems like Ecc, BI, ......
    I use SE16 ->AGR_TCODES then SAP* in Table Name it give me all SAP Roles and Trans.
    Pls help me to get only SAP Java and Basis roles and Trans Seperately
    Thanks

    Hi,
    Are you speaking about the standrad SAP roles? If yes, you can have a look at BC and ABAP roles. However, if your question is about the created roles, you should see the convention that was followed in your organization to identify the roles.
    Rgds,
    Raghu Boddu

  • Eventing in Portal page between Team Viewer and Custom Webdynpro for ABAP

    We are trying to implement a new Portal page that contains a Team Viewer Iview and a custom Webdynpro for ABAP iview.
    The idea is that the when a manager select one of his direct report in the Team Viewer, the custom Webdynpro for ABAP would pick up the selection_changed event and retrieve the data for the selected employee.
    We followed the instruction provided by SAP in note 1112733 and it worked in our development environment. When we moved the iviews to our testing environment it stopped working.
    I also used the Diagnostic Iviews provided by SAP and I get the same result: Works in Dev, does not work in QA or in Prod.
    We also followed the troubleshooting steps of note 945516 and it still did not help us. We can not find a difference in our system set up.
    We are therefore looking for pointers as to what could be our problem.
    Thanks!
    Edited by: Benoit Fortin on Feb 20, 2009 2:28 PM

    Problem was solved internally:
    The reasons the eventing worked in Dev and not in QA or Prod, was that we had a different level of patch for ESS/MSS between instances, which I was not aware of.
    Dev was on ESS/MSS version 600 SP14 and QA and Prod was on a different level. Once we implemented ESS/MSS SP 14 accross the board, everything was good.
    Edited by: Benoit Fortin on Nov 13, 2009 11:57 AM

  • Role Mapping For Portal Role Assignment and ABAP Role Assignment

    Summary:
    - Under the GRC configuration of Roles> Role Mapping we are trying to utilize the  role mapping feature in GRC for associating a dependent role to a main role.
    - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
    - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
    Problem Description:
    Our Scenarios we tested:
    Scenario 1:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
    *Problem with the Scenario 1setup above, the dependent role will always get approved & provisioned regardless of the approval or denial of the main role. 
    Scenario 2:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator A & workflow A(routes to single approver (same as main approver) based on role)
    *Problem with the Scenario 2 setup above, the dependent role will always also need to get approved by the same approver as main role and it opens the possibility that the approver may accidently approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
    Questions:
    1. Does the dependent role need to be defined in an initiator at all since it will never directly be requested directly?
    2.  If the dependent role does need to be in the initiator file, please describe how to properly setup the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency? (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC and if the role owner rejects/denies the main role, then neither the main role or depedent role will be provisioned by GRC
    Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

    I tested this set up.
    1.  Defined ABAP role as Manin role
    2.  Defined Non-ABAP role as dependednt role
    3. ABAP role  is set up in initiator requiring business approval.
    4.  Non-ABAP role is set up in initiator with no approval required.
    Results Where Business Approver approves the ABAP Role
    1. Only the ABAP role is displayed in approver view which is desirable.
    2.  ABAP role is approved and Non-ABAP role and ABAP role is provisioned.
    Results Where Business Approver rejects the ABAP Role
    1. Only the ABAP role is displayed in approver view which is desirable.
    2.  ABAP role is rejected but  Non-ABAP role is provisioned which is not what we want.  We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
    Thanks again for your help.

  • Cannot modify an authorization object in pfcg role for a business role

    Hi Experts,
    I have created two z pfcg roles from the standard business role CRM_UIU_SRV_PROFESSIONAL  lets say by names zagent and zmanager. My requirement is actually to map these two pfcg roles two a service professional agent and service professional manager custom business roles respectively( I have created these custome business roles from standard business role servicepro) . I have identified an authorization object by name CRM_CO_SE which is basically used to check whether the user is authorized to create service contract transactions. So, in the agent pfcg role, I need to de activate or deselect this particular authorization object so that the agent will not be able to create service contract. (This is not a real time requirement, but an internal assignment). When I change this object in the pfcg by deselecting 'Allow' check box and try to generate, it is not getting generated. I have selected all the options from the 'Expert mode for the profile generation' and still the traffic indicator for that authorization object is yellow.  Am I doing anything wrong?
    Please help me.
    Thanks
    Ajith C

    Hi Leon,
    Thanks for helping me, I have restricted the unauthorized user from creating a new order by disabling the 'New' button by checking the business role in  the code. The pfcg configuration, I am skipping it for now.  I have one mnore requirement. When one clicks on any items in the search result for the Service Contracts, it opens the details of that service contract with an 'edit' button. I can disable this button using do_output_preparation method for the some business roles. However, I want to disable this after checking a condition. The condition is that, edit button should be active, only if that service order was created by the employee who has currently logged on. I am relatively new to CRM and I could not figure how I can check it during run time. Could any one please help me with this?
    Thanks,
    Ajith

  • PFCG role for Campaign Management

    Hi ,
    In CRM 7.0 what is the PFCG role for Campaign Management - Thank you .

    HI Christophe,
    Unfortunately PFCG SAP_CRM_UIU_MKT_PROFESSIONAL is empty.
    You may want to create your own PFCG role. Below is authorization object that is responsible for Marketing :
    CRM_CPG
    CRM_CPGCTP
    CRM_CPGRES
    CRM_MPLCTP
    CRM_MPLRES
    CRM_MPT
    CRM_ORD_OP
    CRM_SEGTYP
    CRM_TXT_ID
    CRM_MKT_MC
    UIU_COMP
    etc.
    Hope it's help,
    Lina

  • Disable the buttons for creation using PFCG roles

    Hi SAP Experts,
       How to disable the buttons for creation using PFCG roles?
    Regards,
    Jaya

    Hi,
    u have to write the code in <b>at selection-screen output</b> event
    AT SELECTION-SCREEN OUTPUT.
      LOOP AT SCREEN.
        IF  <b>P_PRINT</b> = 'X'.  " this is radiobutton
          IF screen-name = 'P_RANGE'.
            SCREEN-INPUT = 0.
          ENDIF.
          modify screen.
        ELSE.
          IF screen-name = 'S_LFDAT-LOW'.
            SCREEN-INPUT = 0.
          ENDIF.
          IF screen-name = 'S_LFDAT-HIGH'.
            SCREEN-INPUT = 0.
          ENDIF.
          IF screen-name = 'S_WERKS-LOW'.
            SCREEN-INPUT = 0.
          ENDIF.
          IF screen-name = 'S_WERKS-HIGH'.
            SCREEN-INPUT = 0.
          ENDIF.
          IF screen-name = 'P_LIFNR'.
            SCREEN-INPUT = 0.
          ENDIF.
          IF screen-name = 'S_BUKRS'.
            SCREEN-INPUT = 0.
          ENDIF.
          modify screen.
        ENDIF.
      ENDLOOP.
    Hope it helps.
    Regards,
    Sonika

  • How to create a new user in Netweaver system for ABAP training?

    Hello,
    I had been learning ABAP using a trial version but recently purchased and installed a developer subscription of Netweaver 2004 SR3. Can someone please tell me the best way to create a new user for ABAP development and assign the needed transaction authorizations appropriate for a developer? I was able to create one in SU01 and assign a profile of S_ABAP_ALL but still could not get into SE80 with that logon. And the user had a license expiration of only one month, is there a way to obtain a permenant license for it from SAP?
    Thanks
    -Chris Piret

    Hi Chris,
    You can create a role in t-code pfcg with all required transaction and assign it to your user id or else You can assign profile sap_all to you for all authorization.
    Regarding license you can get it from sap.How to get it is explained in the document in the below link.
    https://websmp108.sap-ag.de/~sapidb/011000358700006339962006E
    For ABAP development you need developer key and that also you will get from sap marketplace
    Regards
    Ashok

  • How to create Transaction code for ABAP and execution by other user

    Hi All,
    Could someone please let me know how to create transaction code in detail for ABAP program. Step by step procedure expected. I would like to know how other user can execute the report using same transaction code which I have created.
    More about authorization.
    Thanks in advance.

    Hello,
    You can create transaction code from se80 as well.In object navigator,right click on your program name and create->transaction code.You can create transaction and select if it is only a report,a report with selection-screen depending on your requirement.You can run your report directly by entering the transaction code in the command field.
    You can authorise the users who can use your transaction:
    <b>Authorisation objects</b> are used to restrict certain transactions to users.Critical data must be protected from unauthorised users.For example,the head has access to certain data.But it cannot be accessed by his subordinate.For this we need to define <b>roles</b>.
    •Create an authorization object with transaction SU21.
    An object usually consists of the ACTVT (activity) field and one other field,which specifies the data type to be protected.By ACTVT, we can decide if the data is accessible for change,display only etc.
    •Add authorization fields to the authorization object created.
    •Assign the authorization object to the transaction using SE93.
    Attach the authorization object to the role using transaction PFCG.
    If you want <b>to assign roles</b>,use transaction PFCG.Create a new role.In the AUTHORIZATIONS tab,you can get a self generated profile name and a profile text by clicking on the icon next to it.Then go to the "Change Authorization data" and choose an authorization template.Then you can choose to display/change/create an activity and after the selection,click on the red and white circle.The profile will now be created.
    In the user tab,you can give the user details who can use this role.
    <b>Also check this link:</b>
    http://www.*********************/r3_security/r3_security_tips.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/6716a6439b11d1896f0000e8322d00/content.htm
    <b>Very helpful guide:</b>
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
    Regards,
    Beejal
    **Reward if answer is helpful

  • What is used for WebDynpro for ABAP?

    hi all friends,,
    what is used for WebDynpro for ABAP?
    Thanks,
    S.Suresh.
    Title was edited by:
            Alvaro Tejada Galindo

    Hi
    Web Dynpro for ABAP - Getting Started
    Web Dynpro for ABAP is SAP’s new standard UI technology for developing user interfaces in the ABAP environment. In the long term Web Dynpro for ABAP will be the successor of the traditional screen (“Dynpro”) based user interface technology which is based on the SAP GUI. Available with NetWeaver 7.0 (2004s) Web Dynpro for ABAP provides the same declarative UI development paradigm as Web Dynpro for Java directly out of the NetWeaver ABAP Application Server. Web Dynpro for ABAP allows the development of user interfaces directly within the ABAP Workbench (SE80) and the Web Dynpro runtime environment is a central part of the ABAP server and can be used in any SAP solution based on NetWeaver 7.0 (2004s) without the need of an additional server installation.
    Web Dynpro for ABAP allows the development of user interfaces in a declarative way by providing a mighty framework which abstracts the rendering technology from the core UI definition tasks. The Web Dynpro developer declares the layout and behavior of the UI without caring about HTML, JavaScript, browser specifics or the HTTP protocol. Instead the focus lies on designing graphically Web Dynpro components based on the Model View Controller model, which enforces a clear separation between the UI layer and the underlying business logic.
    This declarative Web Dynpro programming model enforces the developer to focus on the tasks of
    Designing the layout of the visible views (where should the table be placed, do I need tabs, how should the button look?)
    Declaring the flow and behavior of the application (flow between views, which event is triggered by which button click, etc)
    Defining the data binding (which internal table is displayed in a specific table, etc)
    Implementing the event handlers and controller methods.
    Without making any assumption about the used rendering technology, like which browser should be supported or if the Web Dynpro application will be later displayed in a web browser via HTML at all or in another kind of client with completely different rendering capabilities.
    The Web Dynpro Frameworks provides all important UI features directly out of the box:
    All elements (tables, buttons, trees, dropdown list boxes, etc) necessary for state of the art user interfaces are provided by the Web Dynpro Framework in the form of predefined UI element libraries.
    Complex features and behavior of UI elements.
    Internationalization of the UI. All visible strings in a Web Dynpro ABAP UI are handled by the translation system and are translated in the same translation environment like other ABAP language dependent resources. All texts are displayed automatically at runtime, dependent of the user’s credentials.
    Accessibility features are directly built into the framework and UI elements.
    A unified rendering engine generates at runtime the data which is sent to the specific client application, which is not limited to browsers but includes the NetWeaver Business Client.
    All this is available in the established environment of the ABAP application server and well known capabilities like the transportation and change management system, security environment, test and performance analysis tools or remote debugging can be used like in common ABAP development.
    Learn about the Web Dynpro for ABAP technology with the resources below, and post your related questions and answers to the Web Dynpro forum.
    Web Dynpro for ABAP: Sneak Preview  
    Download, License Key Documentation, and Installation Guide available here.
    Web Dynpro for ABAP: Tutorials for Beginners  
    SAP NetWeaver Product Management provides this set of tutorials for getting started with Web Dynpro for ABAP technology.
    SAP Help Portal: Web Dynpro for ABAP  
    This online SAP documentation goes into detail about Web Dynpro architecture and programming, Web Dynpro for ABAP administration and security, and more.
    Web Dynpro - Not Just for Java Developers Anymore   (PDF 3.8 MB)
    In this SAP Insider article, SAP Product Manager Karl Kessler describes the tools of Web Dynpro for ABAP and uses a simple flight report example to highlight new and updated tools in the familiar ABAP environment.
    Community Contribution: WDA Tutorial I - Getting Started with Web Dynpro for ABAP   (PDF 2.5 MB)
    Software Engineer Rich Heilman provides this step-by-step guide for developing a Web Dynpro for ABAP application.
    Going into Details
    Basic Concepts - Selection vs. LeadSelection  
    In this blog, Thomas Szuecs of the Web Dynpro for ABAP development team shows how selection and LeadSelection works in Web Dynpro for ABAP.
    Web Dynpro for ABAP: Recreate the SE16 Data Browser   (PDF 386 KB)
    In this tutorial, Thomas Jung of SAP NetWeaver Product Management shows how to create a data browser simulator using Web Dynpro for ABAP.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/webcontent/uuid/80aef577-543f-2a10-d19c-d83a565efe37 [original link is broken]
    <b><REMOVED BY MODERATOR></b>
    Message was edited by:
            Alvaro Tejada Galindo

  • Importance / Relevance of PFCG Role - EHP5

    hello gurus,
    i am working on an ess implementation on ehp5 enviornment. i understand that in ehp5, roles are controlled through portal as well as through launchpad (pls correct my understandin if wrong) but i fail to understand the importance of PFCG role (say standard composite role: SAP_EMPLOYEE_XX_ESS_WDA_1)?
    Can someone pls explain me this and also pls help me understand the link between this role and the portal / launchpad role?
    request your help at the earliest...
    thks in anticipation
    regds,
    ss

    different employees types you can use badi or customisaiton of role menu using lpd_cust
    or pfcg which contols the access to the linls ect
    Proxy class has been replaced with the BADI HRESS_MENU. Proxy class
    is not used anymore for ESS ABAP applications.
    Henceforth this BADI can be implemented for all the dynamic changes for
    ESS Menu.
    You can find the documentation for BADI HRESS_MENU under
    Portal Role Employee Self-Service(WDA)->Employee
    Self-Services Menu (Application HRESS_A_MENU)->Dynamic
    Rendering of the Menu (BAdI HRESS_MENU).

Maybe you are looking for

  • Update Schedule line Delivery date using Bapi_po_Change

    Hi all, I am using Bapi_po_change to Update the Schedule line Delivery date(EKET-EINDT) for the PO based on the Item and the Schedule line. I am passing the PO number, Po header, Item structure, Schedule line Structure. But the Date is not getting up

  • XML to Internal table using XSLT by CALL TRANSFORMATION error

    Dear experts, I have to fetch the data from an XML file using XSLT into internal tables. The XML file is very big as following:- <?xml version="1.0" standalone="yes" ?> - <Shipment>   <shipmentID>25091203S000778</shipmentID>   <manifestDateTime>2009-

  • Copying sales data in sparepart tab in CRMD_order

    Hi experts, To copy the Sales parts to Spare parts tab during creation of confirmation from Service Order in Tcode: CRMD_Order. Please tell me which BADI I should use in order  copy the sales parts to spare part tab in CRMD_Order. Thanks in advance

  • Display Problem in E71

    I have a Nokia E71.... I have been useing is for about one and half yr with any problem....but suddenly last week the display went off.... i am getting incoming and can make out going calls but there is no display can some one advice me what could be

  • Spotlight with unsupported application - any answers?

    I find Spotlight very useful but have a backlog of files going back 15 years with a program that does not support Spotlight. I have asked the creators of the program repeatedly to implement Spotlight (metadata? or something like that) but they don't