The SE03 transaction (Transport Organizer Tools) is certainly not a security-specific application. However, it provides at least one report which I find to be invaluable in managing security transports. Basically, the report lists all transports (modifiable/released) which contain a particular role.
We start with the initial screen for SE03 which is really a kind of cockpit to run various applications for transports.
We choose the report “Search for Objects in Requests/Tasks”, which gets us to the next screen. To search for roles we need to enter a line with object type ACGR (Activity Group, which is old SAP terminology for role), check the relevant boxes as shown and click the execute button.
The output of the report displays all transports which contain the affected role.
Though we have just used it to search for roles, we can search for any development objects like Programs, Tables and Org Criteria to ensure that the latest transports have all been moved to Production or that no unreleased transports for an object remain in the system.
SAP CRM allows role assignment in two basic ways, indirectly through Business Roles in PPOMA_CRM or directly through security roles assigned to user masters in SU01.
Indirect role assignment is recommended by SAP because, for large organisations with many CRM users and business roles, it can lead to a significant reduction in maintenance effort. For indirect maintenance, the Business Roles are maintained on a position for a user.
To maintain the business role for an OM object like a position, we select the position in PPOMA_CRM and follow the menu path Goto > Detail Object > Enhanced Object Description, which opens transaction PP01.
From the initial PP01 screen, we can maintain the appropriate value for Business Role for the chosen position.
With the position linked to a user and a business role assigned to the position, we are now in a position to assign a security role to the user. While it's also possible to directly assign a security role to the user at this stage, SAP provides the report CRMD_UI_ROLE_ASSIGN to make our job easier.
The report can be run for either users or user groups. It basically looks up the positions linked to the respective users, checks the business roles assigned to these positions and finally assigns the security roles corresponding to them to the user masters. The report log after role assignment is shown below.
It is also possible to directly assign a security role to a user rather than go through the intermediate steps outlined above. To make this work, in addition to the security role, the user parameter CRM_UI_PROFILE needs to be maintained with the correct business role as part of the user master. This removes the need to maintain the Business Role on the position. However, since all CRM users need to be part of the OM structure, it makes sense to use the indirect assignment rather than the direct one.
New t-codes can be created through the transaction SE93. In the example below, the t-code is created to call a program during execution. We can also create parameter transactions which call standard SAP transactions (like SE16 or SM30) or launch an ABAP query.
From the security perspective, SE93 allows us to add a value for the authorization object field. This authorization object, with the values specified for its fields, will be checked in addition to S_TCODE before the transaction is started.
Below we see the SE93 entry for the common HR t-code PP01. To start this transaction, a user would need P_TCODE with TCD value PP01 in his user buffer, in addition to the S_TCODE entry.
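The two-step start check described above, modelled as an added Python example (not SAP code and not from the original post). The user buffers, the ZREPORT t-code and all helper names are constructed for illustration; only the PP01 / P_TCODE / TCD pairing comes from the text, and value matching is simplified to exact values and trailing-`*` patterns.

```python
# Offline model of the transaction-start check: S_TCODE plus the extra object from SE93.
# All data below is constructed sample data, not an extract from a real system.

# Stand-in for the SE93 entries: t-code -> (authorization object, {field: value}) or None.
SE93_EXTRA_CHECK = {
    "PP01": ("P_TCODE", {"TCD": "PP01"}),  # pairing taken from the text
    "ZREPORT": None,                        # hypothetical t-code without an extra object
}

def covers(pattern, value):
    """Simplified value match: exact value, or a pattern ending in '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def has_authorization(buffer, obj, required):
    """True if ONE authorization for obj covers every required field value."""
    for auth_obj, fields in buffer:
        if auth_obj != obj:
            continue
        if all(any(covers(p, val) for p in fields.get(fld, []))
               for fld, val in required.items()):
            return True
    return False

def can_start(buffer, tcode):
    """Return (allowed, missing_objects) for a user buffer and a t-code."""
    missing = []
    if not has_authorization(buffer, "S_TCODE", {"TCD": tcode}):
        missing.append("S_TCODE")
    extra = SE93_EXTRA_CHECK.get(tcode)  # unknown t-codes: no extra check in this model
    if extra is not None:
        obj, required = extra
        if not has_authorization(buffer, obj, required):
            missing.append(obj)
    return (not missing, missing)

# Constructed user buffers: list of (object, {field: [granted values]}).
BASIS_USER = [("S_TCODE", {"TCD": ["PP*", "SU01"]})]
HR_USER = [("S_TCODE", {"TCD": ["PP01"]}),
           ("P_TCODE", {"TCD": ["PP01", "PA30"]})]

if __name__ == "__main__":
    for name, buf in (("BASIS_USER", BASIS_USER), ("HR_USER", HR_USER)):
        for tcode in ("PP01", "PA30", "ZREPORT"):
            print(name, tcode, can_start(buf, tcode))
```

The BASIS_USER case shows why a broad S_TCODE value such as `PP*` is not enough on its own for PP01: the additional object still blocks the start.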