
Role Management - Copy or standard roles

I had a query regarding Role Management in SAP. I know it is common practice to copy standard roles and use 'Z' roles in SAP, and this makes a lot of sense for end-user roles. My question is with regard to roles for Communication users, where the role is used 'AS-IS' a lot of the time. What is the recommended best practice for such roles? Do we copy even such roles to 'Z' roles (for the sake of uniformity, even if the roles are not modified)?

What would be the pros and cons of using Standard roles (instead of copying to Z roles when there are no changes)?

Also, what about other products from SAP (SLT, GRC, EHS, SolMan, Portal)?


1 Answer

  • Posted on Aug 18, 2016 at 02:18 AM

    Hi Krish

    Not really best practice. Those roles are for guidelines only.

    If using SAP roles, you have to do something with them as they come ungenerated. By themselves, the roles can't be used. A lot of these roles have unmaintained authorisations or don't match SU24, so not sure how you can have a scenario where they don't require changing.


    • Former Member Krish Gopalan

      I have been optimizing communication users for many years and SAP does as well (see SAP Note 1682316). I can confirm that there are only 3 places in this area where you should keep the SAP standard roles:

      1) User SAPJSF, because the roles have UME group mappings on the JAVA stack. Use the "read only role" - it is OK. To be safe, create a 2nd role for the user anyway and assign it exactly that which it actually uses, just in case SAP change the standard roles and send you one in an upgrade without a profile generated - which is what they will do if they ever change the role.

      2) The users generated by transaction SOLMAN_SETUP. These have release-dependent expected roles which they don't really need, but the SOLMAN monitor will turn red if they don't have at least those. Easiest is to assign them, delete the profiles because the quality of the roles is not ideal, and then create your own roles with generated profiles for that which they actually do use on your system. Or change the SOLMAN_SETUP to expect your roles... but just making it happy and the basis guys stop complaining works easier.. :-)

      3) In double-stack PI systems up until release 7.3, a similar situation as with SAPJSF arises for the channel users in the JAVA stack. Often the roles do not have profiles or are mostly OK from an authorizations perspective, but also not the real authorizations you want. So here also copy the roles, but be careful when taking all the standard ones away. Rather just delete the profiles.

      All other SAP roles you should avoid as far as possible. Even making a copy of most of them is a mistake IMO -> build roles for your current scenario and maintain them yourself.

      Cheers,

      Julius
