
Best Practices: Roles, Teams, and User Assignment

This page provides information on best practices for role, user, and team assignment in SAP Cloud ALM.

What is a Person, a Role, and a Team in a Project?

There are three levels of duties that you can manage in a single project: Person, Role and Team. 

  • First, as you might already assume, a Person is the one who is going to do a certain task. In other words, an individual member of a project is the Person, and in the SAP Cloud ALM world, we call it “Assignee” or “User”.
  • Next, when you create a Project in SAP Cloud ALM, it comes with a pre-delivered set of roles (please refer to the basics of Project Management in SAP Cloud ALM). The Roles we are talking about here are Project Roles such as Project Lead and Business Process Expert. You can create a new custom project role if you cannot find a suitable one in the default list of Project roles. All of these default and custom Project Roles are termed “Assigned Role” in the Task Management screen of SAP Cloud ALM. The difference from the Person is that multiple users can perform the same Role.
  • Lastly, a Team is a group of Roles or Persons. How to organize a Team depends entirely on project characteristics and your needs. You can use only the “PMO team”, which is created by default, or you can create multiple teams in the same project to track various areas of work differently. Just remember that the “PMO team” is special, as:
      • It is the only Team that contains the role “Project Lead”
      • It cannot be deleted

Now, let us see briefly how we can view all these levels in the Task List page. It's simple. You can click Setting at the top right side of the Task List page and add these three levels to your filter. You can also create and save this view to access it conveniently.

Recommendations on how to work with Person, Role and Team

As we learned above, you, as a Project Lead, can assign a different Person, Role and Team to each task to manage your project efficiently. This can be done in multiple ways depending on your specific strategy, but you can also think about some fundamental questions, as follows.

  • How many teams or members need to engage in this project? (e.g., a small project vs. a large project)
  • In which way do you want the task to be done? (e.g., explicit allocation to an individual member vs. implicit allocation to a team or a project role)

Keeping these questions in your mind, let us go over some specific user scenarios to give you some ideas to utilize this function.  

First, suppose that you are a project lead of one small development project. You know every single member of the project and what they are doing. In this case, you don't need many different teams. You can simply have one PMO team and include all roles and members in this team. Furthermore, it would be easy to assign a certain task to a certain individual. 

In the other scenario, let's say that you are the project lead of a very large-scale project. You can create different teams and roles according to their functions and assign them at a rather high level instead of at an individual level. For example, you can assign a set of tasks to a Development Team and allocate each task to a Role, without assigning a specific person.

You can also assign either a Team or a Role. In the case below, for example, any Analytics Expert in the project can work on the task. In this way, the team members can work on the task more autonomously, depending on their workload and goal.

Instructions to assign / re-assign Team, Role and Person to Task

Here, let us see step by step how to assign and re-assign the Team, Role and Person to each task.  

1) Team Assignment  

Assigning a team to a certain task is done simply by clicking the drop-down menu of the Team column in the Task List view. It can also be done in the detail view of each task.

2) Role Assignment (Assigned Role)  

Assigning a project role can be done in the exact same way as we did for the team above: Doing it from the task list page or doing it from the detail page of each task. 

3) Person Assignment (Assignee)  

Assigning a specific person to a task can also be done in the same way we have learned so far. Unlike the team and role, which you can only choose from a closed list (default or custom), you can assign any person in your organization by using the search function, as below.

4) Re-assignment rules 

You can always easily re-assign Team, Role and Person which have been already assigned. You can basically repeat what you have done before. However, there are some rules for re-assignment that would be useful for you to be aware of.  

Let's say you have a project and set the Teams, Roles, and Assignees as you can see below from the table. You are Agatha, a Project Lead. 

And your current assignment status for three tasks is as follows. Please keep in mind that all changes will be made from this assignment status.

You can basically re-assign the Assignee to any other person, and the previous assignment of Team and Role remains the same as before. As you can see below, when you change the Assignee of “Analytics Expert” from Bob to you (Agatha), the assignment of Team and Role remains the same.

However, when you re-assign the Role, the Team assignment will be cleared if the new Role is not included in the Team. Now, you have re-assigned the Role from “Business Process Expert” to “Project Lead”. Because the Role “Project Lead” is not included in the “Red team”, the Team assignment is cleared.

Lastly, when you change the Team, the previous assignment to Role and Assignee will be cleared if they are not in the new Team. As the picture below shows, you've changed the Team from “PMO team” to “Red team”. Then, the previous assignment of Role and Assignee is all cleared, since the Role “Project Lead” and the Person “Agatha Bauer” do not belong to “Red team”.

Similarly, let's see what happens when you re-assign all of the tasks to “PMO team”. The second task, assigned to “Business Process Expert” and Rachel, remains the same, because both the Role and the Person belong to PMO team. However, the Assignee is cleared for the third task, since Bob does not belong to PMO team.
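The three re-assignment rules above can be modelled in a few lines. This is an added example, not SAP code: the team membership in `TEAMS` and the team of the third task are constructed to be consistent with the scenarios described in the text, and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed project setup (assumption), consistent with the scenarios in the text.
TEAMS = {
    "PMO team": {
        "roles": {"Project Lead", "Business Process Expert", "Analytics Expert"},
        "persons": {"Agatha Bauer", "Rachel"},
    },
    "Red team": {
        "roles": {"Business Process Expert", "Analytics Expert"},
        "persons": {"Rachel", "Bob"},
    },
}


@dataclass
class Task:
    team: Optional[str] = None
    role: Optional[str] = None
    assignee: Optional[str] = None


def initial_tasks():
    """The starting assignment status for the three tasks."""
    return [
        Task("PMO team", "Project Lead", "Agatha Bauer"),
        Task("Red team", "Business Process Expert", "Rachel"),
        Task("Red team", "Analytics Expert", "Bob"),
    ]


def set_assignee(task, person):
    """Changing the Assignee leaves Team and Role as they were."""
    task.assignee = person


def set_role(task, role):
    """Changing the Role clears the Team if the new Role is not in that Team."""
    task.role = role
    if task.team and role not in TEAMS[task.team]["roles"]:
        task.team = None


def set_team(task, team):
    """Changing the Team clears a Role or Assignee that is not in the new Team."""
    task.team = team
    if task.role and task.role not in TEAMS[team]["roles"]:
        task.role = None
    if task.assignee and task.assignee not in TEAMS[team]["persons"]:
        task.assignee = None


if __name__ == "__main__":
    tasks = initial_tasks()
    for t in tasks:
        set_team(t, "PMO team")  # the last scenario: move every task to PMO team
    for t in tasks:
        print(t)
```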


Tables, Roles, Profiles and Authorizations in SAP

Fabio Mambretti

Which are the main Security SAP Tables for SAP Roles and Profiles?

SAP contains hundreds of thousands of tables. In some cases, direct access to these tables allows one to retrieve data faster. Below is a list of tables for each defined area:

  • SAP Roles
  • SAP Profiles
  • Authorizations
  • Authorization objects

SAP Roles

In the earlier SAP releases roles were called Activity Groups. That’s why tables that contain SAP Roles still today start with AGR in their name.

  • AGR_1016 – Profile name of Activity Group
  • AGR_1251 – Authorization data for each Activity Group. Here you can find all authorization objects, authorizations and values, in addition to the status of the authorization object. This is one of the most frequently utilized tables!
  • AGR_AGRS – Roles inside Composite Roles
  • AGR_DEFINE – Roles definition
  • AGR_TCODES – Roles attribution to TCodes
  • AGR_TEXTS – archiving structure hierarchical menu – customer
  • AGR_USERS – Roles attribution to users
  • AGR_DATEU – Personal parameters for roles: in this table you can find out if SAP GUI parameters are active, for example if technical names are displayed, searching by ID = BROWSER_OPT and ATRIBUTES = X
  • AGR_BUFFI – It contains the detail of the links inserted in the SAP Role Menu
  • PRGN_STAT – Status Table Session Manager, here you can see the details of transaction SU25 steps (for a first SAP installation or for the following upgrades)

The above tables are not a complete list, but they are certainly the most useful and the most used by those who work on SAP Security! Write in the comments if you think there are other tables worth mentioning.
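A typical access review built on these tables joins AGR_USERS to AGR_1251 to answer "which users currently hold a role that grants value X for authorization object Y". The sketch below is an added example, not from the original post: it runs against an in-memory SQLite copy with constructed rows, and the column names (AGR_NAME, UNAME, FROM_DAT, TO_DAT, OBJECT, FIELD, LOW, HIGH, DELETED) are assumed to follow the standard layout of the two tables.

```python
import sqlite3

# Constructed sample data; column names are assumed to match the SAP tables.
SCHEMA = """
CREATE TABLE AGR_USERS (AGR_NAME TEXT, UNAME TEXT, FROM_DAT TEXT, TO_DAT TEXT);
CREATE TABLE AGR_1251 (AGR_NAME TEXT, OBJECT TEXT, FIELD TEXT,
                       LOW TEXT, HIGH TEXT, DELETED TEXT);
"""
SAMPLE_USERS = [
    ("Z_BASIS_ADMIN", "AGATHA", "20230101", "99991231"),
    ("Z_FI_DISPLAY", "BOB", "20230101", "99991231"),
    ("Z_BASIS_ADMIN", "RACHEL", "20220101", "20221231"),  # assignment expired
    ("Z_USER_RANGE", "CARL", "20240101", "99991231"),
]
SAMPLE_AUTHS = [
    ("Z_BASIS_ADMIN", "S_TCODE", "TCD", "SU0*", "", ""),     # wildcard value
    ("Z_FI_DISPLAY", "S_TCODE", "TCD", "FB03", "", ""),
    ("Z_FI_DISPLAY", "S_TCODE", "TCD", "SU01", "", "X"),     # deleted entry
    ("Z_USER_RANGE", "S_TCODE", "TCD", "SU01", "SU10", ""),  # LOW..HIGH range
]

QUERY = """
SELECT u.UNAME, u.AGR_NAME, a.LOW, a.HIGH
FROM AGR_USERS u
JOIN AGR_1251 a ON a.AGR_NAME = u.AGR_NAME
WHERE a.OBJECT = ? AND a.FIELD = ? AND a.DELETED <> 'X'
  AND u.FROM_DAT <= ? AND u.TO_DAT >= ?
"""


def build_db():
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO AGR_USERS VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO AGR_1251 VALUES (?,?,?,?,?,?)", SAMPLE_AUTHS)
    return conn


def value_matches(low, high, wanted):
    """True if an authorization value (single, trailing '*', or range) covers `wanted`."""
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return wanted == low


def users_with_value(conn, auth_object, field, wanted, on_date):
    """Return sorted (user, role) pairs whose role grants `wanted` on `on_date` (YYYYMMDD)."""
    rows = conn.execute(QUERY, (auth_object, field, on_date, on_date))
    hits = {(uname, role) for uname, role, low, high in rows
            if value_matches(low, high, wanted)}
    return sorted(hits)


if __name__ == "__main__":
    for uname, role in users_with_value(build_db(), "S_TCODE", "TCD", "SU01", "20240601"):
        print(uname, role)
```

The join covers role assignments only; profiles assigned directly to a user outside of roles are not part of AGR_USERS and need a separate check.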


SAP Profiles

Even if they’re not directly used anymore, authorization profiles are a fundamental technical component of the management of SAP authorizations.

  • USR10 – User authorization profile master data
  • USR21 – User Name ind. Key attribution
  • UST04 – User Master Data
  • UST10C – User Master data: global profiles
  • UST10S – User Master Data: single profiles
  • Inside USH* tables you can find the history of edits on profiles

SAP Authorizations

Even if roles, profiles and authorizations are often used as synonyms, they’re not. Every word has a specific meaning and represents a precise technical object. Authorizations are values of authorization objects.

  • UST12 – User Master data: authorizations

Authorization Objects

  • TOBJ – Authorization Objects
  • TOBJT – Short texts of authorization objects
  • TSTCA – Transaction codes authorizations values: this table allows you to see the authorization objects and the values they require at the start of a transaction (Header Authorization)
  • TACTZ – Valid activities for every authorization object: this table allows one to see the activities admitted by the ACTVT field of every object that contains that field.
  • USOBT_C and USOBX_C – Transaction > Auth Obj. Relation (customer): these tables allow one to see the relation, proposed by SAP and managed by the customer, between transactions and authorization objects, with any pre-populated values
  • USOBAUTHINACTIVE – Start authorization check inactive (‘X’) or active (SPACE): this table allows one to enable or disable the S_START authorization object control
  • TDDAT – Update areas for tables: it allows one to see the link between SAP tables and the authorization groups assigned (CCLAS field)
  • TCDCOUPLES – Transaction callbacks
  • USGRP – User Groups
  • User Validity
  • Block Status
  • Password (Cryptography)
  • USR05 – User Master Data, ID parameters
  • USR06 – Additional data for users (here you can find the SAP License of Users)
  • USR21 – Username ind. Key attribution
  • V_USERNAME – Generated Table for View, in this view you can easily find the first and last name of users.
  • SMEN_BUFFC – It contains the detail of user favorites.
  • HRP1001 – DB table for info-type 1001: here you can see the link between users and HR objects (i.e. positions) inside the SAP organizational structure.


Explaining the Provisioning of Users and Roles in SAP Build Work Zone

After completing this lesson, you will be able to:

  • Distinguish between the role of SAP Cloud Identity Services and Identity Provisioning (IPS)
  • List the available mechanisms to synchronize users and their authorization assignments into SAP Build Work Zone

SAP BTP Subaccount Users and Authorizations

To successfully log in to SAP Build Work Zone, users and assigned authorizations must be available across several components of the overall solution architecture. This includes the usual SAP BTP subaccount level user and role (collection) assignment. Furthermore, SAP Build Work Zone, advanced edition and SAP SuccessFactors Work Zone require service-specific user persistence and role assignment, both on the service level (tenant) and in the Digital Workplace Service (DWS) layer.

To access SAP Build Work Zone, advanced edition or SAP SuccessFactors Work Zone, users must be assigned to one or more default role collections that are created upon subscribing to this service on the subaccount level. Additionally, an XSUAA shadow user (to which these role collections are assigned and mapped) is required under SAP BTP subaccount → Security → Users.

Shadow Users can be created in three ways. Not all are specific to SAP Build Work Zone but are uniformly used and available when using any service on the SAP BTP multi-cloud (CF) environment:

  • Manually create users through the admin UI on the SAP BTP subaccount cockpit.
  • Create users via the XSUAA SCIM API, for example, using the SAP Cloud Identity Services, Identity Provisioning (IPS). For this setup, a dedicated target system type is available to create, update, and remove users.
  • Automatically create and update users based on the login via the connected IdP. For this to work, the create shadow users flag for the IdP trust must be enabled.

Role collections can also be assigned in multiple ways, not all specific to SAP Build Work Zone but uniformly used and available when using any service on the SAP BTP multi-cloud (CF) environment:

  • Manually assign through the admin UI on the SAP BTP subaccount cockpit.
  • Use attribute mapping (for example, Groups) from the connected IdP, either relying on the SAML2 assertion or OIDC token values.
  • Assign through the XSUAA SCIM API, for example, using the SAP Cloud Identity Services, Identity Provisioning (IPS). For this setup, a dedicated target system type is available to assign or unassign role collections to users.

SAP Build Work Zone Content Manager Role Assignment for Content Providers

As explained in previous units, specifically the unit on different integration scenarios, connecting to content providers is one key integration mechanism to make different business apps available to users in SAP Build Work Zone. In the context of this content provider configuration, the role assignment (referring to the roles in the source system mapped to roles in the SAP Build Work Zone content manager) is an important aspect. There are two options available for assigning those content provider roles inside SAP Build Work Zone:

  • Roles are automatically created as role collections on the SAP BTP subaccount following a specific syntax or prefix. As outlined in an earlier lesson, the assignment to those roles is then done.
  • Directly assign the roles inside SAP Build Work Zone, using a dedicated API. This presents one of two REST APIs based on the System for Cross-domain Identity Management (SCIM 2.0) specification.

For this second option, the SCIM API is used to create a base SCIM user record alongside the SCIM groups representing the required roles from the source system, for example, SAP S/4HANA. The default for using this API is the SAP Cloud Identity Services, Identity Provisioning (IPS) with a dedicated connector available for these role assignments. Alternatively, the API can be connected to from any other external client. It isn't limited to the usage of IPS. The figure, Content Manager Role Assignment Through SCIM API - For integrated Content Providers, outlines the different options the API provides for this purpose.
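For an external client that keeps SCIM groups in step with source-system roles, the part that matters most for access control is removing stale memberships, not only adding new ones. The following added example (not SAP or IPS code) computes SCIM 2.0 PatchOp messages in the RFC 7644 format from the difference between desired and current group membership; the user ids, role names and function names are constructed, and whether a given endpoint accepts PATCH on groups is an assumption to verify against the API documentation.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def desired_from_assignments(assignments):
    """Turn (user_id, role) pairs from the source system into {role: {user_id, ...}}."""
    desired = {}
    for user_id, role in assignments:
        desired.setdefault(role, set()).add(user_id)
    return desired


def _check_id(user_id):
    # Ids are embedded in a SCIM filter below, so refuse characters that could alter it.
    if '"' in user_id or "\\" in user_id:
        raise ValueError(f"unsafe SCIM id: {user_id!r}")
    return user_id


def membership_patches(desired, current):
    """Return {group: PatchOp body} for every group whose membership must change.

    desired / current map a group display name to a set of SCIM user ids.
    Groups present only in `current` have all their members removed.
    """
    patches = {}
    for group in sorted(set(desired) | set(current)):
        want = desired.get(group, set())
        have = current.get(group, set())
        ops = []
        to_add = sorted(want - have)
        if to_add:
            ops.append({"op": "add", "path": "members",
                        "value": [{"value": _check_id(u)} for u in to_add]})
        for user_id in sorted(have - want):
            ops.append({"op": "remove",
                        "path": f'members[value eq "{_check_id(user_id)}"]'})
        if ops:
            patches[group] = {"schemas": [PATCH_SCHEMA], "Operations": ops}
    return patches


# Constructed sample: role assignments read from the source system ...
SOURCE_ASSIGNMENTS = [
    ("u-100", "Z_FI_DISPLAY"),
    ("u-100", "Z_BASIS_ADMIN"),
    ("u-200", "Z_FI_DISPLAY"),
]
# ... and the membership currently stored on the SCIM side.
CURRENT_GROUPS = {
    "Z_FI_DISPLAY": {"u-200", "u-300"},
    "Z_OLD_ROLE": {"u-100"},
}

if __name__ == "__main__":
    plan = membership_patches(desired_from_assignments(SOURCE_ASSIGNMENTS), CURRENT_GROUPS)
    print(json.dumps(plan, indent=2))
```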

Note that the DWS URL relates to the overall SAP Build Work Zone URL as follows:
