SE03 – Objects in Transports

The SE03 transaction (Transport Organizer Tools) is certainly not a security-specific application. However, it provides at least one report which I find to be invaluable in managing security transports. The report lists all transports (modifiable or released) which contain a particular role.

We start with the initial screen for SE03 which is really a kind of cockpit to run various applications for transports.

SE03 - Transport Organizer Tools

We choose the report “Search for Objects in Requests/Tasks”, which gets us to the next screen. To search for roles we need to enter a line with object type ACGR (Activity Group, which is old SAP terminology for role), check the relevant boxes as shown and click the execute button.

SE03 - Search for Objects in Transports

The output of the report displays all transports which contain the affected role.

SE03 - Search for Objects in Transports Report

Though we have only used it to search for roles, we can search for any development object, such as Programs, Tables or Org Criterions, to ensure that the latest transports have all been moved to Production or that no unreleased transports for an object remain in the system.
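The same check can be scripted over an export of the transport tables. The following is an added example, not part of the original post: it assumes rows exported from a join of the standard tables E071 (object list) and E070 (request header) in the column order shown, and all request numbers, role names and the production import list are constructed sample data.

```python
from collections import defaultdict

# E070.TRSTATUS: R/N = released; anything else (D/L modifiable,
# O release started) is treated as still open in this check.
RELEASED = {"R", "N"}

# Constructed sample rows (assumed export layout):
# (TRKORR, TRSTATUS, AS4DATE, PGMID, OBJECT, OBJ_NAME)
SAMPLE_ROWS = [
    ("DEVK900101", "R", "20230110", "R3TR", "ACGR", "Z_FI_AP_CLERK"),
    ("DEVK900145", "R", "20230302", "R3TR", "ACGR", "Z_FI_AP_CLERK"),
    ("DEVK900150", "D", "20230305", "R3TR", "ACGR", "Z_FI_AP_CLERK"),
    ("DEVK900120", "R", "20230201", "R3TR", "ACGR", "Z_MM_BUYER"),
    ("DEVK900120", "R", "20230201", "R3TR", "PROG", "ZMM_REPORT"),
    ("DEVK900160", "O", "20230310", "R3TR", "ACGR", "Z_HR_ADMIN"),
]
# Constructed: requests found in the production import history
IMPORTED_IN_PROD = {"DEVK900101", "DEVK900120"}


def audit_objects(rows, imported, object_type="ACGR"):
    """Per object: open requests, latest released request, and
    whether that latest released request reached production."""
    per_obj = defaultdict(lambda: {"open": [], "released": []})
    for trkorr, status, date, pgmid, obj, name in rows:
        if pgmid != "R3TR" or obj != object_type:
            continue
        if status in RELEASED:
            per_obj[name]["released"].append((date, trkorr))
        else:
            per_obj[name]["open"].append(trkorr)
    report = {}
    for name, reqs in per_obj.items():
        # AS4DATE is YYYYMMDD, so tuple comparison orders by date
        latest = max(reqs["released"])[1] if reqs["released"] else None
        report[name] = {
            "open_requests": sorted(reqs["open"]),
            "latest_released": latest,
            "latest_in_prod": latest in imported if latest else False,
        }
    return report


if __name__ == "__main__":
    findings = audit_objects(SAMPLE_ROWS, IMPORTED_IN_PROD)
    for role, finding in sorted(findings.items()):
        print(role, finding)
```

Passing `object_type="PROG"` runs the same check for programs instead of roles.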

Assign Roles in CRM

SAP CRM allows role assignment in two basic ways: indirectly through Business Roles in PPOMA_CRM, or directly through security roles assigned to user masters in SU01.

Indirect role assignment is recommended by SAP because, for large organisations with many CRM users and business roles, it can lead to a significant reduction in maintenance effort. For indirect maintenance, the Business Roles are maintained on a position for a user.

Define OM structure - PPOMA_CRM

To maintain the business role for an OM object like a position, we select the position in PPOMA_CRM and follow the menu path goto > detail object > Enhanced Object Description, which opens transaction PP01.

PP01 - Initial Screen

From the initial PP01 screen, we can maintain the appropriate value for Business Role for the chosen position.

PP01 - Assigning Business Roles

With the position linked to a user and a business role assigned to the position, we are now in a position to assign a security role to the user. While it's also possible to directly assign a security role to the user at this stage, SAP provides the report CRMD_UI_ROLE_ASSIGN to make our job easier.

Report CRMD_UI_ROLE_ASSIGN

The report can be run for either users or user groups. It looks up the positions linked to the respective users, checks the business roles assigned to these positions and finally assigns the security roles corresponding to them to the user masters. The report log after role assignment is shown below.

Report CRMD_UI_ROLE_ASSIGN - Log

It is also possible to directly assign a security role to a user rather than go through the intermediate steps outlined above. To make this work, in addition to the security role, the user parameter CRM_UI_PROFILE needs to be maintained with the correct business role as part of the user master. This removes the need to maintain the Business Role on the position. However, since all CRM users need to be part of the OM structure, it makes sense to use the indirect assignment rather than the direct one.

Maintain T-codes with SE93

New t-codes can be created through the transaction SE93. In the example below, the t-code is created to call a program during execution. We can also create parameter transactions which call standard SAP transactions (like SE16 or SM30) or launch an ABAP query.

From the security perspective, SE93 allows us to add a value for the authorization object field. This authorization object, with the values specified for its fields, will be checked in addition to S_TCODE before the transaction is started.

Below we see the SE93 entry for the common HR t-code PP01. To start this transaction a user would need P_TCODE with TCD value PP01 in his user buffer, in addition to the S_TCODE entry.

SE93 - Auth Obj for Transaction Start