People working with SAP Solution Manager Implementation Projects and Change Request Management (ChaRM) are probably used to set up authorization object S_PROJ_GEN to control authorizations in project functions such as lock blueprint, assign logical components to the project landscape, create and assign task list to a project. These functions are currently well documented rather in SAP Notes, SAP Solution Manager Security Guide or here in SCN. Authorization object S_PROJ_GEN has the following fields:
- PROJECT_ID Name of the project
- PROJ_FUNC Project administration functions
Those users working with Quality Gate Management, specialy in SolMan 7.0, can face some difficulties to understand how to set up this authorization object since there is no documentation explaning the meaning of the new PROJ_FUNC codes related to QGM. QGM functions such as Create Change, Create Transport Order, Release Transport Order, Reassign Transport Order and so on have a corresponding PROJ_FUNC field to allow the user to define who can do each task in the QGM webdynpro.
SAP Solution Manager Security Guide for 7.0 and 7.1 mention the standard roles relevant for QGM. There are four standard authorization roles in SolMan 7.0:
- SAP_SM_QGM_ALL: For all authorizations in QGM
- SAP_SM_QGM_TRANSPORT: Authorization for Transport Delivery
- SAP_SM_QGM_STATUS_QM: Set Quality Gate status as Quality Manager
- SAP_SM_QGM_STATUS_QAB: Set Quality Gate status as Quality Advisory Board
SolMan 7.1 has the above roles and one more:
- SAP_SM_QGM_CHANGE: Quality Gate: Change Manager Role
These roles in SolMan 7.1 have many authorization objects not used by QGM before because release 7.1 included new functionalities such as a new CRM transaction type called SMQC. They use authorization object S_PROJ_GEN with default values for project function field PROJ_FUNC. If you need to create your own role to distribute the different activities to different people or group of people, instead of using only the standard roles, you will need to understand the meaning of each PROJ_FUNC field. You will find listed in the SAP Security Guide for 7.1 some of the new fields (not all) created for QGM, but will not have any explanation of what they mean. In the SAP Security Guide for Solution Manger 7.0 SP23 these new fields are not mentioned.
Below I show two figures that are screenshots from transaction PFCG, one with a list of the PROJ_FUNC field values in SolMan 7.0 and another list with the PROJ_FUNC field values existing in SolMan 7.1. Most of them are related to QGM. People using SolMan 7.1 has a little bit more information about the QGM values if comparing to SolMan 7.0 users - more field values with description- but there are still some values with no description:
Figure 1 - PROJ_FUNC fields in SolMan 7.0 SP23:
Figure 2 - PROJ_FUNC fields in SolMan 7.1 SP3:
Table below shows the description of each field value related to QGM and whether they are related to SolMan 7.1, including 3 new fields already considered in the QGM authorization routines in SolMan 7.1, but not yet included in the list of existing entries for authorization object S_PROJ_GEN, at least not in the two SolMan versions that I checked. If someone using a different SolMan Support Package finds these missing field values, please leave a comment.
PROJ_FUNC value | Description | SolMan 7.1 | Not in list |
CHCR | Create Change Document |
|
|
CHCH | Modify Change Document |
|
|
CHDE | Delete Change Document |
|
|
CHRA | Reassign Change Document |
|
|
CHRL | Release Change Document |
|
|
CHFI | Change Document | X |
|
CHWD | Withdraw Change Document | X |
|
MCCR | Create a maintenance cycle for QGM | X |
|
QBAP | Approve Q Gates as Quality Advisory Board |
|
|
QMAP | Approve Q Gates as Quality Manager |
|
|
TACR | Create Task |
|
|
TRAS | Assign Transport Request | X | X |
TRCH | Modify Transport Request |
|
|
TRCR | Function: Create Transport Request |
|
|
TRDC | Decouple Transport Request | X | X |
TRDE | Delete Transport Request |
|
|
TRRA | Reassign Transport Request |
|
|
TRRL | Release Transport Request |
|
|
TRTP | Create Transport of Copies for Production system | X | X |
TRTT | Create Transport of Copies |
|
|
If you check Figure 2 you will note that 3 values listed in the table above are missing in the list of entries: TRAS, TRDC and TRTP. But they are included in standard role SAP_SM_QGM_TRANSPORT for SolMan 7.0 SP23 and SolMan 7.1 SP3. TRAS (Assign Transport Request) and TRDC (Decouple Transport Request) are not available functions in SolMan 7.0 QGM and the source codes for authorization checks do not consider them, so they are not relevant in this SolMan release. In SolMan 7.1 they are all being checked.
Figure 3 shows authorization object S_PROJ_GEN in standard role SAP_SM_QGM_TRANSPORT of SolMan 7.0:
If you want to check the source code of authorization routines, go to transaction SE24 and check class CL_TD_AUTHORIZATION.
The list of existing project functions are stored in table SPR_ADM, and the descriptions in different languages are stored in SPR_ADMT. If you want to see all the descriptions in the authorization object S_PROJ_GEN values list while creating your roles in PFCG, update table SPR_ADMT and include the missing texts in the relevant languages.
Comments