Managing Authorizations

Objectives

After completing this lesson, you will be able to:
  • Outline user administration.
  • Outline authorizations in SAP PPM.

User Administration

There are several processes in which data from various systems are consolidated in SAP Portfolio and Project Management in S/4HANA (PPM). This means that project data and financial details can be uploaded from SAP Project System to PPM, or data from BI can be made available in PPM for evaluation purposes.

You can create and update business partner data by distributing data from SAP Human Capital Management (SAP HCM) systems. Even PPM itself is based on two systems – the PPM core system and SAP Enterprise Portal. By assigning your own users and roles in the relevant systems, you ensure that data security and authorizations can be managed separately in the individual systems.

Using single sign-on (SSO) technology, you can avoid the need for separate logon screens, despite the different system users. In the portal, you can also map portal users to the users and their passwords in other systems, which simplifies cross-system data processing in the portal.

Portfolios and their items in PPM are edited using SAP Enterprise Portal. To log on to the portal, you require a portal user. There are various options for logging on to the portal itself. The system uses the standard authentication method when you enter the user identification and password.

Portal users are created and managed in the portal user administration. By assigning portal roles to portal users, you determine which content a user can access and which navigation options should be available in the Web browser. For PPM, the showcase portal role com.sap.pct.cprxrpm.port_mgmt_showcase (Portfolio Management) is delivered in the standard system.

Creating PPM Users

Screenshot of SAP interface for setting up RPM user data. It includes options for reconciling users with business partners via user and via partner, alongside user attribute default settings.

The evaluation of PPM data in a BI system requires a user with the role SAP_BW_RPM_PORTFOLIO_MANAGER. To edit PPM objects, a user must also have the corresponding authorizations in the PPM core system. You can grant the authorizations required for PPM by assigning the roles SAP_XRPM_ADMINISTRATOR and SAP_XRPM_USER, which are delivered in the standard system.

If you also want to use a user as a resource or person responsible in Portfolio Management projects, there must also be a business partner for the user. Users and business partners can be created manually in PPM and assigned to each other (for example, on the Identification tab in business partner details). As described earlier, business partners and users can be automatically generated from HR data of an HCM system. In this case, the users are automatically assigned to the corresponding business partners.

To check the assignment of users to business partners, you can use the transaction RPMUSER in PPM Customizing. In this transaction, you can analyze which business partners have not yet been assigned users or vice versa. You can also add any missing assignments or even create new users in this transaction.

To make it easier to create new users from this transaction, you can first define default values, in terms of roles and authorizations that should be automatically assigned to new users.

How to Outline User Administration

Authorizations in PPM

The PPM authorization concept is based on the authorizations that you assign to the users in the PPM core system and the authorizations that you make available to users in access control lists (ACLs) according to the object.

For the user to be able to actually edit objects in PPM, the SAP standard role SAP_XRPM_USER must be assigned to their user in the PPM core system. To be allowed to perform administrator functions in PPM, in particular for creating a portfolio, the SAP user must also be assigned the role SAP_XRPM_ADMINISTRATOR.

However, a user must also have the relevant authorizations to display or edit an object in SAP PPM. These object-specific authorizations are implemented using the ACLs.

Authorizations that you give to a user for a portfolio object are also inherited by the subordinate objects. You can also change or completely remove the inherited authorizations in the subordinate objects. These changes are then inherited by the next subordinate objects in turn. You can grant object-specific authorizations directly for individual users, and you can also grant authorizations for user roles. All users with these user roles automatically have the corresponding authorizations.

You can assign the following activities to users or user roles for an authorization check:

  • Admin:

    All authorizations; this authorization is automatically assigned to the user who created the object.

  • Write:

    Authorization to change and display the object data.

  • Read:

    Authorization to display the object data.

  • None:

    No authorization for the object; used to remove inherited authorizations.
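The inheritance and override behavior described above can be traced with a small model. This is an added example, not SAP code: the object names, the users JDOE and PADMIN, and the helper functions are constructed, and the model assumes that a principal with no entry anywhere in the hierarchy has no authorization.

```python
from enum import IntEnum

class Activity(IntEnum):
    NONE = 0    # removes an inherited authorization
    READ = 1    # display
    WRITE = 2   # change and display
    ADMIN = 3   # all authorizations

class PpmObject:
    """One node in a portfolio hierarchy (portfolio, bucket, item)."""
    def __init__(self, name, parent=None, creator=None):
        self.name, self.parent, self.acl = name, parent, {}
        if creator:
            self.acl[creator] = Activity.ADMIN  # creator receives Admin automatically

    def grant(self, principal, activity):
        """Set an ACL entry for a user or user role on this object."""
        self.acl[principal] = activity

def resolve(obj, principal):
    """Return (activity, name of the object the entry comes from). The nearest
    entry up the hierarchy wins, so a local entry overrides the inherited one."""
    node = obj
    while node is not None:
        if principal in node.acl:
            return node.acl[principal], node.name
        node = node.parent
    return Activity.NONE, None  # assumption: no entry anywhere means no access

def access_report(objects, principal, minimum=Activity.READ):
    """Objects where the principal holds at least `minimum`, together with the
    object the authorization is inherited from (useful for access reviews)."""
    report = []
    for obj in objects:
        activity, source = resolve(obj, principal)
        if activity >= minimum:
            report.append((obj.name, activity.name, source))
    return report

# Constructed sample hierarchy: one portfolio, two buckets, one item
portfolio = PpmObject("IT Portfolio", creator="PADMIN")
open_bucket = PpmObject("Infrastructure", parent=portfolio)
restricted = PpmObject("M&A Projects", parent=portfolio)
item = PpmObject("Project Falcon", parent=restricted)
portfolio.grant("JDOE", Activity.WRITE)   # inherited by everything below
restricted.grant("JDOE", Activity.NONE)   # removed for this bucket and its items
ALL_OBJECTS = [portfolio, open_bucket, restricted, item]
```

Calling `access_report(ALL_OBJECTS, "JDOE", Activity.WRITE)` lists only the portfolio and the Infrastructure bucket, because the None entry on the restricted bucket is itself inherited by the item below it.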

You can also define a substitute in PPM for portfolios, portfolio buckets and items, as well as for collections and reviews. Your substitute has the same authorizations in the assigned object as you. You can delete the name of your substitute when the substitute is not required. If you are a substitute for a particular bucket, you will see the same information about the object as the delegating user.

Hint

Additional user roles and object-specific authorizations are required to edit Portfolio Management objects.

How to Outline Authorizations in SAP PPM