Assign the User Roles

  • How to create and assign a role collection in the SAP BTP subaccount.

slavipande

Prerequisites

  • You have an enterprise global account in SAP BTP. To use services for free, you can sign up for a CPEA (Cloud Platform Enterprise Agreement) or a Pay-As-You-Go for SAP BTP global account and make use of the free tier services only. See Using Free Service Plans.
  • You have an S-user or P-user. See User and Member Management.
  • You are an administrator of the global account in SAP BTP.
  • You have a subaccount in SAP BTP to deploy the services and applications.
  • Mozilla Firefox
  • Google Chrome
  • Microsoft Edge
  • You have deployed your application in either the SAP BTP, Cloud Foundry runtime or the SAP BTP, Kyma runtime. See Deploy in SAP BTP, Cloud Foundry Runtime for deploying to the SAP BTP, Cloud Foundry runtime and Deploy in SAP BTP, Kyma Runtime for deploying to the SAP BTP, Kyma runtime.

Open the SAP BTP cockpit and navigate to your subaccount.

Choose Security → Role Collections, and then choose Create.

In the Create Role Collection popup, enter Incident Management Support in the Name field and choose Create.

Choose the role collection Incident Management Support from the list of role collections and choose Edit on the right.

Open the value help in the Role Name field.

Search for the role support, select it, and choose Add.

Choose Save.

Choose Security → Users, and then choose a user from the list.

Under Role Collections on the right, choose Assign Role Collection.

In the Assign Role Collection dialog, select the Incident Management Support role collection and choose Assign Role Collection.

You have assigned the Incident Management Support role collection to your user.

You might need to log out and log back in to make sure your new role collection is taken into account.

What is the name of the role that's created in your SAP BTP account as part of your application's deployment?

  • Create a role collection and add role
  • Assign a role collection to a user


Tables, Roles, Profiles and Authorizations in SAP

Fabio Mambretti

Which are the main Security SAP Tables for SAP Roles and Profiles?

SAP contains hundreds of thousands of tables. In some cases, direct access to these tables lets you retrieve data faster. Below is a list of tables for each defined area:

SAP Profiles

  • Authorizations
  • Authorization objects


In the earlier SAP releases roles were called Activity Groups. That’s why tables that contain SAP Roles still today start with AGR in their name.

  • AGR_1016 – Profile name of Activity Group
  • AGR_1251 – Authorization data for each Activity Group: here you can find all authorization objects, authorizations and values, in addition to the status of the authorization object. This is one of the most frequently utilized tables!
  • AGR_AGRS – Roles inside Composite Roles
  • AGR_DEFINE – Roles definition
  • AGR_TCODES – Roles attribution to TCodes
  • AGR_TEXTS – archiving structure hierarchical menu – customer
  • AGR_USERS – Roles attribution to users
  • AGR_DATEU – Personal parameters for roles: in this table you can find out if SAP GUI parameters are active, for example if technical names are displayed, searching by ID = BROWSER_OPT and ATRIBUTES = X
  • AGR_BUFFI – It contains the detail of the links inserted in the SAP Role Menu
  • PRGN_STAT – Status Table Session Manager, here you can see the details of transaction SU25 steps (for a first SAP installation or for the following upgrades)

The above tables are not a complete list, but they are certainly the most useful and the most used by those who work on SAP Security! Write in the comments if you think there are other tables worth mentioning.
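As an added example (not code from the original article), the sketch below joins exported rows of AGR_USERS and AGR_1251 to answer a typical access-review question: which users hold a currently valid role that allows changing tables of a given authorization group. It assumes the standard object S_TABU_DIS with its fields ACTVT and DICBERCLS, uses constructed sample rows, and models LOW/HIGH value matching in a simplified way.

```python
from collections import defaultdict

# Constructed sample rows shaped like SE16 exports. Column names follow the
# SAP data dictionary; every user, role and value below is invented.
# AGR_USERS columns: (UNAME, AGR_NAME, FROM_DAT, TO_DAT)
AGR_USERS = [
    ("ALICE", "Z_TABLE_MAINT",   "20230101", "99991231"),
    ("BOB",   "Z_TABLE_MAINT",   "20220101", "20221231"),  # assignment expired
    ("CAROL", "Z_TABLE_DISPLAY", "20230101", "99991231"),
    ("DAVE",  "Z_SPLIT",         "20230101", "99991231"),
    ("ERIN",  "Z_OLD_MAINT",     "20230101", "99991231"),
]
# AGR_1251 columns: (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED)
AGR_1251 = [
    ("Z_TABLE_MAINT",   "S_TABU_DIS", "A1", "ACTVT",     "02", "03", ""),
    ("Z_TABLE_MAINT",   "S_TABU_DIS", "A1", "DICBERCLS", "*",  "",   ""),
    ("Z_TABLE_DISPLAY", "S_TABU_DIS", "B1", "ACTVT",     "03", "",   ""),
    ("Z_TABLE_DISPLAY", "S_TABU_DIS", "B1", "DICBERCLS", "*",  "",   ""),
    # Z_SPLIT: "change" and the F* groups sit in two different authorizations
    ("Z_SPLIT",         "S_TABU_DIS", "C1", "ACTVT",     "02", "",   ""),
    ("Z_SPLIT",         "S_TABU_DIS", "C1", "DICBERCLS", "SC", "",   ""),
    ("Z_SPLIT",         "S_TABU_DIS", "C2", "ACTVT",     "03", "",   ""),
    ("Z_SPLIT",         "S_TABU_DIS", "C2", "DICBERCLS", "F*", "",   ""),
    # Z_OLD_MAINT: authorization flagged as deleted in the role
    ("Z_OLD_MAINT",     "S_TABU_DIS", "D1", "ACTVT",     "02", "",   "X"),
    ("Z_OLD_MAINT",     "S_TABU_DIS", "D1", "DICBERCLS", "*",  "",   "X"),
]


def value_matches(low, high, wanted):
    """Simplified model of one LOW/HIGH row: range, trailing-* pattern, or exact."""
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted


def roles_granting(agr_1251, obj, wanted):
    """Roles where ONE authorization (AUTH) of obj covers every wanted field."""
    auths = defaultdict(lambda: defaultdict(list))  # (role, auth) -> field -> values
    for role, o, auth, field, low, high, deleted in agr_1251:
        if o == obj and deleted != "X":
            auths[(role, auth)][field].append((low, high))
    hits = set()
    for (role, _auth), fields in auths.items():
        if all(any(value_matches(lo, hi, v) for lo, hi in fields.get(f, []))
               for f, v in wanted.items()):
            hits.add(role)
    return hits


def users_with_access(agr_users, agr_1251, obj, wanted, key_date):
    """Users whose role assignment is valid on key_date (YYYYMMDD) and grants obj."""
    roles = roles_granting(agr_1251, obj, wanted)
    result = defaultdict(list)
    for uname, role, from_dat, to_dat in agr_users:
        if role in roles and from_dat <= key_date <= to_dat:
            result[uname].append(role)
    return dict(result)


if __name__ == "__main__":
    check = {"ACTVT": "02", "DICBERCLS": "FC01"}
    print(users_with_access(AGR_USERS, AGR_1251, "S_TABU_DIS", check, "20240615"))
```

DAVE is not reported because the fields are evaluated per authorization, not merged across the role. Access that reaches a user through directly assigned profiles rather than roles is not in AGR_1251, so this covers role-based access only.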


Even if they’re not directly used anymore, authorization profiles are a fundamental technical component of the management of SAP authorizations.

  • USR10 – User authorization profile master data
  • USR21 – User Name ind. Key attribution
  • UST04 – User Master Data
  • UST10C – User Master data: global profiles
  • UST10S – User Master Data: single profiles
  • Inside USH* tables you can find the history of edits on profiles

SAP Authorizations

Even if roles, profiles and authorizations are often used as synonyms, they’re not. Every word has a specific meaning and represents a precise technical object. Authorizations are values of authorization objects.

  • UST12 – User Master data: authorizations

Authorization Objects

  • TOBJ – Authorization Objects
  • TOBJT – Short texts of authorization objects
  • TSTCA – Transaction codes authorizations values: this table allows you to see which are the authorization objects and their necessary values at the start of a transaction (Header Authorization)
  • TACTZ – Valid activities for every authorization object: this table allows one to see the admitted activities by the ACTVT field of every object that contains that field.
  • USOBT_C and USOBX_C – Transaction > Auth Obj. Relation (customer): these tables allow one to see the relation, proposed by SAP and managed by the customer, between transactions and authorization objects, with any pre-populated values
  • USOBAUTHINACTIVE – Start authorization check inactive (‘X’) or active (SPACE): this table allows one to enable or disable the S_START authorization object control
  • TDDAT – Update areas for tables: it allows one to see the link between SAP tables and the authorization groups assigned to them (CCLAS field)
  • TCDCOUPLES – Transaction callbacks
  • USGRP – User Groups
  • User Validity
  • Block Status
  • Password (Cryptography)
  • USR05 – User Master Data, ID parameters
  • USR06 – Additional data for users (here you can find the SAP License of Users)
  • USR21 – Username ind. Key attribution
  • V_USERNAME – Generated Table for View, in this view you can easily find the first and last name of users.
  • SMEN_BUFFC – It contains the detail of user favorites.
  • HRP1001 – DB table for info-type 1001: here you can see the link between users and HR objects (i.e. positions) inside the SAP organizational structure.


Best Practices: Roles, Teams, and User Assignment

This page provides information on best practices for role, user, and team assignment in SAP Cloud ALM.

What is a Person, a Role, and a Team in a Project?

There are three levels of duties that you can manage in a single project: Person, Role and Team. 

  • First, as you might already assume, Person is the one who is going to do a certain task. In other words, an individual member of a project is the Person, and in SAP Cloud ALM world, we call it “Assignee” or “User”.  
  • Next, when you create a Project in CALM, it comes with a pre-delivered set of roles; please refer to the basics of Project Management in SAP Cloud ALM. The Roles we are talking about here are Project Roles such as Project Lead and Business Process Expert. You can create a new custom project role if you cannot find a suitable one in the default list of Project roles. All of these default and custom Project Roles are termed “Assigned Role” in the Task Management screen of SAP Cloud ALM. The difference from the Person is that multiple users can perform the same Role.
  • Lastly, a Team is a group of Roles or Persons. How to organize a Team depends entirely on the project characteristics and your needs. You can use only the “PMO team”, which is created by default, or you can create multiple teams in the same project to track various areas of work differently. Just remember that the “PMO team” is special:
      • It is the only Team that contains the role “Project Lead”
      • It cannot be deleted
  • Now, let us see briefly how we can see all these levels easily in the Task List page. It's simple. You can click Setting at the top right side of the Task List page, and add these three levels to your filter. You can also create and save this view to access it conveniently.

Recommendations on how to work with Person, Role and Team

As we learned above, you, as a Project Lead, can assign different Person, Role and Team to each task to manage your project efficiently. This could be done in multiple ways depending on your specific strategy, but you can also think about some fundamental questions as follows. 

  • How many teams or members need to engage in this project? (e.g., a small-size project vs. a big-size project)
  • In which way do you want the task to be done? (e.g., explicit allocation to an individual member vs. implicit allocation to a team or a project role)

Keeping these questions in your mind, let us go over some specific user scenarios to give you some ideas to utilize this function.  

First, suppose that you are a project lead of one small development project. You know every single member of the project and what they are doing. In this case, you don't need many different teams. You can simply have one PMO team and include all roles and members in this team. Furthermore, it would be easy to assign a certain task to a certain individual. 

In the other scenario, let's say that you are a project lead of a very big scale project. You can create different teams and roles according to their functions and assign them at a rather high level instead of an individual level. For example, you can assign a set of tasks to a Development Team and allocate to each Role, without assigning a specific person.

You can also assign either a Team or a Role. In the case below, for example, any Analytics Expert in the project can work on the task. In this way, the team members can work on the task more autonomously depending on their workload and goal.

Instructions to assign / re-assign Team, Role and Person to Task

Here, let us see step by step how to assign and re-assign the Team, Role and Person to each task.  

1) Team Assignment  

Assigning a team to a certain task is simply done by clicking the drop-down menu of Team column in the Task List view. It can also be done in a detail view of each task.  

2) Role Assignment (Assigned Role)  

Assigning a project role can be done in the exact same way as we did for the team above: Doing it from the task list page or doing it from the detail page of each task. 

3) Person Assignment (Assignee)  

Assigning a specific person to a task can also be done in the same way we have learned so far. Different from the team and role that you can only choose from the closed list (default or custom), you can assign any person in your organization by searching function as below. 

4) Re-assignment rules 

You can always easily re-assign Team, Role and Person which have been already assigned. You can basically repeat what you have done before. However, there are some rules for re-assignment that would be useful for you to be aware of.  

Let's say you have a project and set the Teams, Roles, and Assignees as you can see below from the table. You are Agatha, a Project Lead. 

And your current assignment status for three tasks is as follows. Please keep in mind that all changes will be made from this assignment status.

You can basically re-assign the Assignee to any other person, and the previous assignment of Team and Role remains the same as before. As you can see below, when you change “Analytics Expert” from Bob to you (Agatha), the assignment of Team and Role remains the same.

However, when you re-assign the Role, the Team assignment will be cleared if the new Role is not included in the Team. Now, you have re-assigned the Role from “Business Process Expert” to “Project Lead”. Because the Role “Project Lead” is not included in the “Red team”, the Team assignment is cleared.

Lastly, when you change the Team, the previous assignment of Role and Assignee will be cleared if they are not in the new Team. As the picture below shows, you've changed the Team from “PMO team” to “Red team”. Then, the previous assignment of Role and Assignee is cleared, since the Role “Project Lead” and the Person “Agatha Bauer” do not belong to “Red team”.

Similarly, let's see what happens when you re-assign all of the tasks to “PMO team”. The second task, assigned to “Business Process Expert” and Rachel, remains the same, because both the Role and the Person belong to PMO team. However, the Assignee is cleared for the third task, since Bob does not belong to PMO team.


Role Inheritance

When you assign data and abstract roles to users, they inherit all of the data and function security associated with those roles. You can explore the complete structure of a job or an abstract role on the Security Console.

Each role is a hierarchy of other roles:

HCM data roles inherit job roles.

Job and abstract roles inherit many aggregate privileges. They may also inherit a few duty roles.

In addition to aggregate privileges and duty roles, job and abstract roles are granted many function security privileges and data security policies directly.

Duty roles can inherit other duty roles and aggregate privileges.

Role Inheritance Example

This example shows how roles are inherited. The figure shows a few representative aggregate privileges and a single duty role. In reality, job and abstract roles inherit many aggregate privileges. Any duty roles that they inherit may themselves inherit duty roles and aggregate privileges.

This figure shows that the user Bob Price inherits two roles directly. The first of those roles is the data role HR Specialist Vision Corporation, to which the Vision Corporation security profile is assigned. The second role is the Employee abstract role, to which the View Own Record security profile is assigned. The data role HR Specialist Vision Corporation inherits the Human Resource Specialist job role. The figure shows examples of duty roles and aggregate privileges that the Human Resource Specialist job role inherits. These examples are Manage Work Relationship, Manage Absence Case, and Employee Hire. It also shows examples of aggregate privileges that the Employee role inherits, including View Payslip and Access Person Gallery.

In this example, user Bob Price has two roles:

HR Specialist Vision Corporation, a data role

Employee, an abstract role

This table describes the two roles.
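The inheritance chain in the Bob Price example can be walked programmatically during an access review. The following is an added sketch, not Oracle code or an Oracle API: the graph is typed in by hand from the role names in the example above, and the function names are hypothetical.

```python
# Role graph transcribed from the Bob Price example on this page.
# Keys inherit (or are assigned) the entries in their list.
INHERITS = {
    "Bob Price": ["HR Specialist Vision Corporation", "Employee"],
    "HR Specialist Vision Corporation": ["Human Resource Specialist"],
    "Human Resource Specialist": [
        "Manage Work Relationship",
        "Manage Absence Case",
        "Employee Hire",
    ],
    "Employee": ["View Payslip", "Access Person Gallery"],
}


def inheritance_paths(graph, start):
    """Map every role reachable from start to one path that grants it."""
    paths = {}
    stack = [(start, [start])]
    while stack:
        node, path = stack.pop()
        for child in graph.get(node, []):
            if child in path:          # guard against a cyclic hierarchy
                continue
            if child not in paths:
                paths[child] = path + [child]
                stack.append((child, path + [child]))
    return paths


def granted_via(graph, user, target):
    """Directly assigned roles of user through which target is inherited."""
    return sorted(
        role for role in graph.get(user, [])
        if role == target or target in inheritance_paths(graph, role)
    )


if __name__ == "__main__":
    for role, path in sorted(inheritance_paths(INHERITS, "Bob Price").items()):
        print(f"{role}: {' -> '.join(path)}")
    print(granted_via(INHERITS, "Bob Price", "View Payslip"))
```

`granted_via` answers the reviewer's question of which direct assignment would have to be removed to take an inherited privilege away from the user.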


COMMENTS

  1. table name to find out roles assigned to USER

    Hello, Check in this tables: AGR_USERS - Assignment of roles to users. AGR_USERT - Assignment of roles to users. AGR_PROF - Profile name for role. AGR_AGRS - Roles in composite roles. Assign points if this helps. Regards, Jorge Diogo.

  2. AGR_USERS (Assignment of roles to users) Table in SAP

    AGR_USERS Fields, Structure, and DDIC. AGR_USERS is a standard ABAP Authorization and Role Management Transparent Table in SAP Basis application, which stores Assignment of roles to users data. You can use the transaction code SE16 to view the data in this table, and SE11 TCode for the table structure and definition.

  3. USLA04 (CUA: Assignment of Users to Roles) Table in SAP

    USLA04 Fields, Structure, and DDIC. USLA04 is a standard User and Authorization Management Transparent Table in SAP Basis application, which stores CUA: Assignment of Users to Roles data. You can use the transaction code SE16 to view the data in this table, and SE11 TCode for the table structure and definition.

  4. Roles Tables in SAP

    CUA: Assignment of Users to roles: Basis - User and Authorization Management: Transparent Table 20 : AGR_USERT: ... Transparent Table 23 : AAA_ ROLES: SAP Authorization Assistant - roles Managed by Tool Basis - ABAP Authorization and Role Management: Transparent Table 24 : TB003 BP roles:

  5. About Roles and Role Assignment

    Assigning Roles to the Site. To allow access to your site, assign local and remote roles to your site as follows: Open the Site Directory. Click the cog button on your site tile to open the Site Settings screen. Click the Edit button and add the local and remote roles in the Assignments panel on the right. Click Save.

  6. Assign Users to a Role

    Assign or Update an Individual User's Role. In the side navigation area, click (Security) (Users). On the Users page, find the required user. In the user's row, select the icon in the Roles column. A list of Available Roles will appear. Select one or more roles. Select OK. Note. If you assign a user to a scoped role, be aware that the user is ...

  7. Assign the User Roles

    To use services for free, you can sign up for a CPEA (Cloud Platform Enterprise Agreement) or a Pay-As-You-Go for SAP BTP global account and make use of the free tier services only. See Using Free Service Plans. You have an S-user or P-user. See User and Member Management. You are an administrator of the global account in SAP BTP.

  8. GRACUSERROLE (User Role Assignment Table) Table in SAP

    GRACUSERROLE: Table Structure and Related Items. GRACUSERROLE is a standard Transparent Table in SAP GRC application, which stores User Role Assignment Table data. You can use the transaction code SE16 to view the data in this table, and SE11 TCode for the table structure and definition.

  9. Tables, Roles, Profiles and Authorizations in SAP

    In the earlier SAP releases roles were called Activity Groups. That's why tables that contain SAP Roles still today start with AGR in their name. AGR_1016 -Profile name of Activity Group. AGR_1251 - authorization data for each Activity Group. Here you can find all authorization objects, authorizations and values, in addition to the status ...

  10. Best Practices: Roles, Teams, and User Assignment

    There are three levels of duties that you can manage in a single project: Person, Role and Team. First, as you might already assume, Person is the one who is going to do a certain task. In other words, an individual member of a project is the Person, and in SAP Cloud ALM world, we call it "Assignee" or "User". Next, when you create a ...

  11. How to Assign Users to User Roles

    On this page. Specify the users to whom the user roles you've created apply.

  12. Table for Profiles Assigned to Users

    Try the following tables if you know the roles assigned to the users. 1.AGR_1016. 2.AGR_1016B. 3.AGR_PROF. Or you can also use Transaction SUIM->users->BY Profiles. Could anyone please let me know the table ( via SE16 ) which holds details of profiles assigned to users in ECC 6.0? Thanks for your prompt response.

  13. Role Inheritance

    Inherits the aggregate privileges and duty roles that provide access to all tasks and functions, unrelated to a specific job, that every employee performs. The security profile assigned to the abstract role provides access to secured data for the role. When you assign data and abstract roles to users, they inherit all of the data and function ...

  14. Assign Workflow Roles to Your Users

    To assign roles to users, you need to add roles to one or more role collections and then assign these role collections to your users. ... If you do not have an SAP ID, you can create one for free from the login page. Log on Download PDF. The following PDF options are available for this document: Create Custom PDF Share. Table of Contents ...

  15. Solved: Business Role Group assignment to Business User

    Dear SAP-Support, what exactly is the purpose of those business role groups and business user groups then? To be honest, if roles or role-groups cannot be assigned to user groups, it doesn't help organizing the area at all. Plus: as far as I saw it, it is not possible to assign the same business-role to different business-groups.

  16. Create Z FIORI Catalog & Z Group, Mapping with User Profile & Assign

    This completes the assignment of missing authorization objects and updating the Authorization profile. 10. Now click on Tab. Here maintain the user ID to which Z role shall be assigned. Click on button. 11. Now if you see the User tab now showing as then notice the button . in red status. Click on this button. 12. Following pop-up window will ...