The Booster for Central Maintenance of Authorizations and Roles in SAP APO

ByShaun Snapp

Executive Summary

  • Maintaining master data in APO is a headache for APO customers.
  • This article lays out the problems and how to account for these issues.

Introduction

Maintaining Authorization Activities and Roles is a high maintenance activity. The Authorization Objects and values have no documentation from SAP. Making Authorization Maintenance guesswork, wasting valuable consulting time. Roles in APO continue to be grossly mismanaged with risky authorizations assigned to users.

See our references for this article and related articles at this link.

The Booster for Roles and Authorizations Maintenance in SAP APO

Authorizations in SAP APO projects were always a low essential item. Neither the functional consultants nor the traditional BASIS person were experts at designing and implementing user Authorizations in APO. This often resulted in excessive authorizations to the planners and end users.

In most installations, unlimited access was given to /SAPAPO/MSDP_ADMIN and RSA1 (BW workbench). This means users and untrained consultants can inadvertently delete or change structural objects like the Planning area, Info-Objects, and Info-Providers. They may also have access to objects from other businesses/geographies that use the same APO box.

Such unlimited access not only causes enormous risk (A deleted info-object can corrupt the entire APO design). But can compromise the organization’s information related to Sales, Fulfillments, Capacities, Customers, Vendors, and the whole supply chain model that APO stores in BW and LiveCache.

SAP’s Authorization Documentation Problems

Lack of documentation from SAP with Authorization Objects and permissible activities within a T-Code/Program creates a need for guesswork when an organization needs to implement security policies of their own.

  • That is in most APO installation CVC Analysis Authorizations are not implemented.
  • It is also hard to implement if there are multiple planning object structures with shared info-objects.

Issues with Setting Up Authorizations and Roles in SAP APO

Difficulty arriving at a foolproof strategy of Roles for Users depending on the Supply Chain Organization of the firm.

  • Every T-Code has multiple Authorization Objects, Authorizations, Authorization Values, and Authorization Activities (create / change/ display), and it is not available in an Excel form.
  • Finding which T-Code has what Authorization embedded within the program is a tedious affair.
  • Labels of Authorization like S_SELE and C_SELID means nothing to a human in the absence of documentation.
  • Excessive Authorization to user poses security risks.
  • Authorizations of Analysis objects (RSECADMIN) like DP CVCs, if not implemented, causes a large amount of data to be locked.
  • Authorization in BW in APO is no one’s baby and hence almost always ignored, leaving the system at a significant risk of abuse. Not only to APO but also to connected systems. Examples of inadequate authorizations can be seen in the following screenshot.

The Booster for Roles and Authorizations Maintenance in SAP APO

LaunchPad Support has several man-decades of experience in designing and implementing Roles and Authorization Controls on APO projects. Our simple user interface for managing authorizations is based on the concept of division of responsibilities.

Examples of a role schema can be:

  • Demand and Supply Planners,
  • Planners assigned to specific geography or line of business
  • Super Users
  • Supply Chain Manager
  • Functional Support consultants,
  • Supply Chain Analyst
  • Category Head,
  • MRP Controllers
  • IT Director
  • Database Administrator
  • BASIS

Our Booster converts all the Authorizations right from T-Code level down to the lowest level activity that a role is authorized to carry out. In an Excel-like interface on a browser, a position like Category Demand Planner can have checks like the ones below:

  • Role: Category Demand Planner
  • Transaction: /SAPAPO/SDP94
  • Planning Area: ZDPMAIN
  • Planning Book: ZDPPBOOK1
  • Data View: ZDPDVIEW1
  • Can Edit the Data View: No
  • Can Edit the Key Figures Values: Yes
  • Cannot Edit Specific Key Fig Values: KF1, KF2
  • Can Create Selections: Yes
  • Can Executive a Forecast: No
  • Restrictions Apply on Characteristics: ZPRODUCT, P123, ZLOCATION, L345
  • Can View Macros: Yes
  • Can Execute Macros Manually: No
  • Can Download data: No
  • Can Upload Data from File: Yes
  • Can change notes: Yes

How to Get Access to this Booster?

You get his booster for free for any SAP customer who signs up for our Managed Support. This is unlike no other standard support offered in the market.

This presentation illustrates the problems with SAP support and how LaunchPad SAP Support addresses these shortcomings. 

What Kind of Support is This?

If this does not sound like standard support, you are right. And that is the point.

We designed our support to help our customers get the most out of SAP, not to maximize our margin or to try to protect previous sales inaccuracies. We know how to get your SAP applications working better.

To see the broader information about our SAP support see our main SAP Support Page.