Currently Being Moderated

Updated on 31.01.2014 to include information from SolMan 7.1 SP05 onwards.

 

People working with SAP Solution Manager Implementation Projects and Change Request Management (ChaRM) are probably used to set up authorization object S_PROJ_GEN to control authorizations in project functions such as lock blueprint, assign logical components to the project landscape, create and assign task list to a project. These functions are currently well documented rather in SAP Notes, SAP Solution Manager Security Guide or here in SCN. Authorization object S_PROJ_GEN has the following fields:

 

 

 

  • PROJECT_ID      Name of the project

 

  • PROJ_FUNC      Project administration functions
       

 

Those users working with Quality Gate Management, specialy in SolMan 7.0, can face some difficulties to understand how to set up this authorization object since there is no documentation explaning the meaning of the new PROJ_FUNC codes related to QGM. QGM functions such as Create Change, Create Transport Order, Release Transport Order, Reassign Transport Order and so on have a corresponding PROJ_FUNC field to allow the user to define who can do each task in the QGM webdynpro.

 

SAP Solution Manager Security Guides for 7.0 and 7.1 mention the standard roles relevant for QGM. There are four standard single authorization roles in SolMan 7.0:

  • SAP_SM_QGM_ALL: For all authorizations in QGM

 

  • SAP_SM_QGM_TRANSPORT: Authorization for Transport Delivery

 

  • SAP_SM_QGM_STATUS_QM: Set Quality Gate status as Quality Manager

 

  • SAP_SM_QGM_STATUS_QAB: Set Quality Gate status as Quality Advisory Board

 

 

 

SolMan 7.1 has the above single roles and some more.

From SP01:

  • SAP_SM_QGM_CHANGE: Quality Gate: Change Manager Role

 

From SP05 on:

  • SAP_QGM_MANAGED_CHANGEMAN: QG Management on managed systems (Change Manager)

 

From SP08 on:

  • SAP_SM_QGM_CM_ALL: Change Management for QGM (Administrator)

 

  • SAP_SM_QGM_CM_CHANGE: Change Management for QGM (Change Manager)

 

  • SAP_SM_QGM_CM_QAB: Change Management for QGM (QAB)

 

  • SAP_SM_QGM_CM_QM: Change Management for QGM (Quality Manager)

 

  • SAP_SM_QGM_CM_TRANSPORT: Change Management for QGM (Transport)

 

There are composite roles in 7.1 for QGM:

 

  • SAP_QGM_ADMIN_COMP

 

  • SAP_QGM_CHANGE_MANAGER_COMP

 

  • SAP_QGM_QAB_COMP

 

  • SAP_QGM_QM_COMP

 

  • SAP_QGM_TRANSPORT_COMP

 

These roles in SolMan 7.1 have many authorization objects not used by QGM before because release 7.1 included new functionalities such as a new CRM transaction type called SMQC (QGM: Change) and SMQU (QGM: Urgent Change). They use authorization object S_PROJ_GEN with default values for project function field PROJ_FUNC. If you need to create your own role to distribute the different activities to different people or group of people, instead of using only the standard roles, you will need to understand the meaning of each PROJ_FUNC field. You will find listed in the SAP Security Guide for 7.1 some of the new fields (not all) created for QGM, but will not have any explanation of what they mean. In the SAP Security Guide for Solution Manger 7.0 SP23 these new fields are not mentioned.

 

Below I show three figures that are screenshots from transaction PFCG, one with a list of the PROJ_FUNC field values in SolMan 7.0 and another 2 lists with the PROJ_FUNC field values existing in SolMan 7.1. Most of them are related to QGM. People using SolMan 7.1 has a little bit more information about the QGM values if comparing to SolMan 7.0 users - more field values with description- but there are still some values with no description:

Figure 1 - PROJ_FUNC fields in SolMan 7.0 SP23:

 

Proj_Func values in SolMan 7.0

 

Figure 2 - PROJ_FUNC fields in SolMan 7.1 SP3:

Proj_Func values in SolMan 7.1

 

Figure 3 - PROJ_FUNC fields in SolMan 7.1 SP10:

s_proj_gen_sp10.jpg

 

Table below shows the description of each field value related to QGM and whether they are related to SolMan 7.1, including new fields already considered in the QGM authorization routines in SolMan 7.1, but not yet included in the list of existing entries for authorization object S_PROJ_GEN, at least not in SolMan versions that I checked. If someone using a different SolMan Support Package finds these missing field values, please leave a comment.

 

PROJ_FUNC   value

Description

SolMan 7.1

Not in list

CHCR

Create   Change Document

 

 

CHCH

Modify   Change Document

 

 

CHDE

Delete   Change Document

 

 

CHDT

Decouple a transport request from a  Change

X

 

CHRA

Reassign Change Document

CHRL

Release Change Document

 

 

CHFI

Change Document

X

 

CHWD

Withdraw Change Document

X

 

MCCR

Create a maintenance cycle for QGM

X

 

QBAP

Approve   Q Gates as Quality Advisory Board

 

 

QMAP

Approve   Q Gates as Quality Manager

 

 

TACR

Create   Task

 

 

TRAPApprove/revoke Critical ObjectX

 

TRAS

Assign Transport Request

X

X

TRCH

Modify Transport Request

 

 

TRCR

Create Transport Request

 

 

TRDC

Decouple  Transport Request

X

X

TRDE

Delete  Transport Request

 

 

TRIMImport LockX

X

TRRA

Reassign   Transport Request

 

 

TRRL

Release   Transport Request

 

 

TRTP

Create   Transport of Copies for Production system

X

X

TRTT

Create   Transport of Copies

 

 

UCCAApprove Urgent Change as Quality Advisory BoardX
UCMAApprove Urgent Change as Quality ManagerX

 

If you check Figure 2 you will note that 3 values listed in the table above are missing in the list of entries: TRAS, TRDC and TRTP. But they are included in standard role SAP_SM_QGM_TRANSPORT for SolMan 7.0 SP23 and SolMan 7.1 SP03. TRAS (Assign Transport Request) and TRDC (Decouple Transport Request) are not available functions in SolMan 7.0 QGM and the source codes for authorization checks do not consider them, so they are not relevant in this SolMan release. In SolMan 7.1 they are all being checked.

 

In SolMan 7.1 SP05 two new functionalities were added to QGM: Approve/Revoke Critical Objects and Set/Unset Import Lock. The corresponding value for Import Lock (TRIM) is not in the PFCG list either, even in SP10, but it was included in the standard QGM roles.

 

Figure 4 shows authorization object S_PROJ_GEN in standard role SAP_SM_QGM_TRANSPORT of SolMan 7.0:

 

Role SAP_SM_QGM_TRANSPORT

 

If you want to check the source code of authorization routines, go to transaction SE24 and check class CL_TD_AUTHORIZATION.

 

The list of existing project functions are stored in table SPR_ADM, and the descriptions in different languages are stored in SPR_ADMT. If you want to see all the descriptions in the authorization object S_PROJ_GEN values list while creating your roles in PFCG, update table SPR_ADMT and include the missing texts in the relevant languages.

Comments

Actions

Filter Blog

By author:
By date:
By tag: