Composite Roles

Until now, our discussion of role administration has concentrated on the creation and maintenance of single roles. A single role, as we have seen, is a collection of tcodes and/or authorization objects. In addition to these, SAP also allows us to create composite roles, which contain one or more single roles. In this post, we will discuss the technical and business reasons for working with composite roles.

During role creation, the PFCG initial screen lets us choose whether to create a single or a composite role. Once created, there is no way to change a single role into a composite or vice versa. In the screen below, we look at the role definition of the SAP_AUDITOR composite role, provided by SAP to allow the use of the Audit Information System (AIS). You will notice that the individual tabs inside PFCG are different from those for a single role. For example, we do not have the usual transaction or authorization tabs. Instead we have the Roles tab and also a Menu tab. The Roles tab allows us to specify any number of single roles that constitute the composite role, as well as the system for each role. This is important in an SAP system with CUA installed, as a composite role defined in the central CUA system can point to roles defined in the child systems.

PFCG - Composite Role Definition

Even though transactions cannot be added directly to a composite role, a composite role can have its own menu structure. We show this using the Auditor role provided by SAP.

PFCG - Composite Role Menu

Depending on role design or user assignment strategies, composite roles can be used in a number of ways. Let's look at a few scenarios using composite roles. This is not an exhaustive list in any way; it is just meant to give an idea of the common uses for composites.

  • Single roles are mapped to tasks performed by users. Since a typical user performs multiple tasks, the total access for a user is represented through a composite role which includes the individual task roles.
  • Access is divided into transaction roles (which contain transactions but no authorization object access) and value/controller roles (authorization objects but no transactions). Complete access is represented through a composite role containing the transaction and value roles.
  • The entire system landscape consists of a number of separate SAP systems (like ECC, BW, SRM, CRM etc.) and users are administered through a CUA connecting the individual systems. A user getting role A in ECC will need the corresponding role B in BW and role C in CRM. This can be achieved through a composite role created in the central system which links the individual roles in the different systems.
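
For an access review, the composite has to be flattened back into its single roles, since it carries no authorizations of its own. The following is an added example, not part of the original post: it assumes the role data has been exported from the tables AGR_AGRS (composite to single role), AGR_USERS (user assignment) and AGR_1251 (authorization values); all role names, user names and rows are constructed. It computes a user's total access and flags composites built on the transaction/value design that lack one of the two halves.

```python
from collections import defaultdict

# Constructed sample rows, shaped like exports of AGR_AGRS, AGR_USERS and AGR_1251.
AGR_AGRS = [  # (AGR_NAME = composite, CHILD_AGR = single role)
    ("ZC_AP_CLERK", "ZT_AP_INVOICE"), ("ZC_AP_CLERK", "ZV_AP_CC1000"),
    ("ZC_AP_DISPLAY", "ZT_AP_DISPLAY"),  # value role was never added
]
AGR_USERS = [  # (AGR_NAME, UNAME)
    ("ZC_AP_CLERK", "JDOE"), ("ZC_AP_DISPLAY", "JDOE"), ("ZT_AP_DISPLAY", "ASMITH"),
]
AGR_1251 = [  # (AGR_NAME, OBJECT, FIELD, LOW)
    ("ZT_AP_INVOICE", "S_TCODE", "TCD", "FB60"),
    ("ZT_AP_DISPLAY", "S_TCODE", "TCD", "FB03"),
    ("ZV_AP_CC1000", "F_BKPF_BUK", "BUKRS", "1000"),
    ("ZV_AP_CC1000", "F_BKPF_BUK", "ACTVT", "01"),
]

def children(role):
    """Single roles behind a role: its members if it is a composite, else itself."""
    kids = {child for comp, child in AGR_AGRS if comp == role}
    return kids or {role}

def effective_access(user):
    """Union of tcodes and field values over every single role the user reaches."""
    singles = set()
    for role, uname in AGR_USERS:
        if uname == user:
            singles |= children(role)
    tcodes, values = set(), defaultdict(set)
    for role, obj, field, low in AGR_1251:
        if role in singles:
            if obj == "S_TCODE":
                tcodes.add(low)
            else:
                values[(obj, field)].add(low)
    return singles, tcodes, dict(values)

def kind(role):
    """Classify a single role as transaction, value, mixed or empty."""
    objs = {obj for r, obj, _, _ in AGR_1251 if r == role}
    has_t, has_v = "S_TCODE" in objs, bool(objs - {"S_TCODE"})
    return "mixed" if has_t and has_v else "transaction" if has_t else "value" if has_v else "empty"

def incomplete_composites():
    """Composites that contain only transaction roles or only value roles."""
    out = {}
    for comp in sorted({c for c, _ in AGR_AGRS}):
        kinds = {kind(r) for r in children(comp)}
        missing = {"transaction", "value"} - kinds
        if missing and "mixed" not in kinds:
            out[comp] = sorted(missing)
    return out
```
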

22 thoughts on “Composite Roles”

  • May 1, 2011 at 1:39 am

    Aninda,

    A special request please. Before you leave and get settled into your new job, can you please throw some light on the extended maintenance button in the authorization tab of the role, please.

    • May 2, 2011 at 5:39 pm

      Hi Rakesh,

      I can not recall any option for extended maintenance from the top of my end. Do you mean authorization maintenance through the expert mode?

      Regards,
      Aninda

  • June 10, 2011 at 7:02 pm

    Hi Aninda,
    Can you please explain the process of transportation of a composite role?

    Thank you

    • June 11, 2011 at 3:08 pm

      Hi Ramesh,

      While transporting composites, the system offers you the option whether you want to include the single roles making up the composite in the new transport. Unless the singles are new or have been changed since their last transport, you can just transport the composite role.

      Regards,
      Aninda

  • November 24, 2011 at 1:20 pm

    Hi Aninda,

    I have defined a new role and added it to a composite role, but when I try to generate a transport req., it shows me 2 check boxes. Which one(s) should I set so that the other single roles keep their settings?

    Will be pleased for a tip.

    Kumar/Germany

    • May 6, 2013 at 6:54 am

      In this case, it'll be necessary for you to transport the single role (since it is a newly created one) as well as the composite role (after the addition of the new role). So mass transport has to be used.

      So, only the second check box has to be checked.

  • December 18, 2011 at 5:03 pm

    Hi Aninda, thanks for the information about the composite and single roles. But can you please tell me something more about the difference between composite and Single roles in PFCG? That will be so nice of you if you can help me out on this topic…!!!!

    Thanks… Mel(AUS)

    • December 18, 2011 at 5:59 pm

      Hi Mel,

      As I have mentioned in my post as well, single roles are a collection of authorizations (tcodes/authorization objects) while composite roles are collections of single roles. A composite role doesn’t contain any authorizations by itself, but is the sum total of the authorizations of the component roles.

      There are different buttons in the PFCG initial screen for creation of composite and single roles.

      Let me know if you still have some queries on the subject as I would have thought the material in the post answered most of the features of single/composite roles.

      Regards,
      Aninda

  • March 14, 2012 at 6:02 am

    Hi Aninda,

    Mass Generation of Composite role option is available? Same like we use to perform Mass generation of Single Roles. If so, can you please share with us.

    Surya/India

    • March 15, 2012 at 4:37 pm

      Hi Surya,

      A composite role doesn’t have a profile. How will you generate a role without a profile?

      Regards,
      Aninda

  • March 16, 2012 at 10:30 pm

    Hello,
    Does anyone know how to assign a composite role in the CUA parent system? It exists in PFCG but not in SU01. Text comparison is not working as it's a parent system.

    Rashid

    • March 20, 2012 at 3:44 pm

      You would still need to do a text comparison for the role created in the CUA central system. But you do this from PFCG > Environment > CUA text comp for central system.

  • July 31, 2012 at 8:03 am

    Hi Aninda,

    Thanks for the detailed explanation of the concepts. Can you also start a topic for SAP R/3 security interview questions and answers?

    Thanks in advance.

    Regards,
    Sindhura.

    • July 31, 2012 at 2:02 pm

      Hi Sindhura,

      I certainly don’t intend to start a topic for SAP interview questions as the intention of starting the site is to help SAP consultants learn SAP security concepts. I am certainly not trying to help you memorise answers as I don’t believe that is the way for succeeding in interviews.

      Regards,
      Aninda

  • April 16, 2013 at 6:12 am

    Hello Aninda,

    Could you please explain about the tabs in creating composite and single roles, like Description, Roles, User, Personalization etc.? Because I am new to SAP security.

    Regards,
    Ramesh

    • May 6, 2013 at 7:08 am

      1. Composite role:

      Description: It's the area where you enter details of changes done, for better understanding in the future, for example addition or deletion of a role.

      Roles: This contains all the single roles a composite role contains. Any number of single roles can be added to the composite role.

      User: This is the list of users who have access to the particular composite role.

      2. Single role:

      Description: It's the area where you enter details of changes that are done, for example new org values updated.

      Menu: List of transactions that a single role has access to.

      Authorization: Here, by clicking on “Change authorisation data”, the org values (like plant, company code etc.) can be updated or removed.

      This tab also contains the profile name (the profile is generated after the org values are updated).

      User: This contains the list of users who have access to the particular single role.

  • April 26, 2013 at 6:22 am

    Hi Aninda,

    When we include two single roles in a composite role, we see check boxes adjacent to the roles inserted. Can you please tell me what happens if we check or uncheck them, and how it affects things when we create a transport request with them checked or unchecked?
    Regards,
    Vinod

  • July 13, 2013 at 11:42 am

    Dear guys,
    Please let me know when we can expect SAP security openings.

  • October 27, 2013 at 12:39 pm

    Hi, I am new to SAP. I am willing to learn SAP security and I have knowledge of SAP ABAP. Please, which are the topics I need to cover for this security?
    Are SAP Basis and SAP security both the same?

    • October 28, 2013 at 10:18 am

      Basis and security are certainly not the same. However, smaller organisations without too many security requirements might not have a separate security department. To learn the basics, please go through the “getting started” section of this blog. Best of luck!

  • October 18, 2014 at 11:03 am

    Hi, I am new to security. Suppose we give roles in the ECC system and also in BI and CRM. My question is: can we map these roles into a composite? If yes, how does it happen?

    • October 29, 2014 at 4:55 pm

      You can map roles from multiple SAP systems to a single composite. However, you need to search on the web about the actual steps.
