I’ll explain which customizations you must implement in mySAP SRM to allow employees to shop online for business needs. Then I will detail the customizations you must implement to enable managers to review employee purchases and reject or approve them prior to finalizing the E-Procurement process. The authorization objects I’ll discuss include:

• S_TCODE: Transaction code check at transaction start (authorization class AAAB)
  
  
• PLOG: Personnel Planning (authorization class HR)
  
  
• C_DML: Data Manipulation Language (DML) object type (authorization class BC_A)

My example scenario includes the minimum authorizations that the employee role requires for the rights to shop online, check the shopping cart status, and accept manager changes to the shopping cart. I’ll also discuss the minimum authorizations for the manager role. You must make all of these role changes in the development system.

Business Scenario

When an employee submits a shopping cart for approval, the manager can change the number of items, delete items, or reject the cart. When the manager changes an item in the shopping cart, the employee receives a work item in her inbox, informing her of the change. The employee accepts the manager changes via the Accept Changes button. When the employee accepts the change, the shopping cart moves to the next level of manager for approval — for example, head of department (first level), chief accountant (second level), and top manager (top level). Alternatively, an employee can choose not to accept the changes. In this case, the employee must resubmit the shopping cart to the manager for approval.

Let’s say an employee (User A) shops for pens and pencils for his department using an online catalog and places the selected items in a shopping cart. User A’s manager, User B, receives the shopping cart for approval. User B reduces the number of pencils ordered and approves the order. This action sends a work item to User A’s inbox. User A checks the status and accepts the shopping cart.

You configure the employee and manager roles via transaction PFCG (Profile Generator), a standard SAP tool that manages user authorizations and profiles. The user role is a collection of activities (e.g., create data, change data, delete data, display data) that a person performs in the system. Table 1 contains the transaction codes for the menu and corresponding descriptions for both User A and User B with their relevant roles.

Enter your role into a Customizing transport request via transaction PFCG. Follow menu path Role>Transport and save the transport request. Release the transport request via Transport Organizer (transaction SE10) to the Transport Management System (transaction STMS). In STMS follow menu path Overview>Imports, select your production system, and then follow menu path Import Queue>Display. After you display the import queue of requests, mark your request (Edit>Select>Select/deselect request) and follow menu path Request>Import. A screen appears in which you must specify the target client in the target system and schedule your import. Press Enter and the system performs your transport according to your schedule. When you transport roles, this also transports authorization profiles with authorizations.

However, if you want to transport only the role menu, its description, and the assigned users, you must use a customizing option in the SAP system that prevents the system from transporting authorization profiles with roles. In the source system from which you make the transport, enter the parameter PROFILE_TRANSPORT and the value NO in table PRGN_CUST (via transaction SM30). If you want to exclude the transport of user assignments to roles, specify this in the customizing table PRGN_CUST using the parameter USER_REL_IMPORT and the value NO.

Figures 1 (employee) and 2 (manager) illustrate the menus that appear after you start transaction PFCG. mySAP SRM users access a Web-based interface solution to log into transactions for shopping and approval. Figure 3 illustrates the employee menu that User A sees when logging onto the mySAP SRM Web- based interface. Figure 4 illustrates the manager menu that User B sees when logging on. These screens are customized to offer the employee and manager the relevant selections they are authorized to use. For example, if an employee wants to start shopping or searching for an item of goods or services, he has to select Shop. If he wants to check the status of a shopping cart, he has to select Check Status.

Figure 1

Change Roles configuration screen for mySAP SRM employee menu

Figure 2

Change Roles configuration screen for mySAP SRM manager menu

Figure 3

mySAP SRM employee menu

Figure 4

mySAP SRM manager menu

Employee Authorizations: (User A)

For User A to be able to shop in mySAP SRM, your need to configure authorization object S_TCODE. Then, perform an authorization test. Using transaction ST01, check for the authority to access and manipulate data. If this is not present, then you must also add authorization objects PLOG and C_DML to the user role.

Authorization Object S_TCODE

Let’s start the Profile Generator and configure the authorizations for User A with S_TCODE as an authorization object. You manage its values (the transaction codes) via Profile Generator. Whenever you start an SAP transaction, the kernel uses the transaction code as the value to check for data access.

The authorization object S_TCODE contains only one defined field (TCD) for entering the transaction code. The S_TCODE object controls whether or not you can start a transaction. When you start a mySAP SRM transaction in the Internet browser, the system checks authorization object S_TCODE to see if the user has the proper authorization. To pass an authorization test for the S_TCODE object, the user must satisfy the authorization check for the TCD field in the object. Table 2 shows the transaction codes employees need to purchase goods and services. These transaction codes are designed specifically for the Web browser — you cannot access them from the SAP Easy Access menu.

If you have only the view icon in front of the S_TCODE authorization object in transaction PFCG, you cannot edit S_TCODE. In this case, you must manually include S_TCODE by clicking on the Manual entry of authorization objects button or by pressing Ctrl-Shift-F9. Save by following menu path Authorizations>Save and generate by following menu path Authorizations>Generate. You only have the view icon available if you are in mode Display role or if you are in mode Change role and the system automatically generates the authorization according to the default values for the transactions in the menu.

Let’s look at User A’s authorizations. Using Profile Generator, include transactions BBPSC02, BBPSC04, and BBPBWSP_SIMPLE, which form the user menu, in the TCD field. In this case, when User A logs on, the system responds with the following error message: Error when processing your request (termination type RABAX_STATE).

The What can I do information that appears with the error message advises that, in this case, you have to start transaction code ST22 (ABAP Dump Analysis) to get more detailed information about the ABAP runtime error (Figure 5). With termination type RABAX_STATE you can view this error when calling Web interface applications. It is one of the most frequent termination types that occur when the system processes an HTTP/HTTPS file in the Internet Communication Framework (ICF).

Figure 5

First screen of transaction ST22

Enter the value User_A in the User field and click on the Start button. This leads you to the List of Selected Runtime Errors screen shown in Figure 6. Double-click on the ITS_ERRMSG_EXCEPTION error. The error information provided by ABAP Dump Analysis in this case is The ITS-Service “bbpstart” is canceled, because the Web Application Server has sent the following error message: “You are not authorized to use transaction BBPGLOBAL.” This means that you must include the BBPGLOBAL transaction in the authorization field via Profile Generator.

Figure 6

List of Selected Runtime Errors screen, transaction ST22

By manually adding the authorization for transaction BBPGLOBAL, User A can see the employee menu, but cannot execute any transaction codes because you need to include additional authorization objects. At this point, when User A clicks on the Shop button in the mySAP SRM screen, the user sees the screen shown in Figure 7. To fix this, you need to perform a couple of steps. First check the user role for the authority to access and manipulate data. If this authority is not in place, add authorization objects PLOG and C_DML.

Figure 7

mySAP SRM error screen for User A

Test the User Role

The authorization expert tests the user role with the system trace in transaction ST01 (Figure 8). Double-click on the Trace Status field to filter the trace by User A. Figure 9 provides a detailed view of this authorization check. If the return code (RC) for object S_TCODE equals zero (RC=0), it means the authority check in the ABAP program is successful. The user has the right to access and manipulate data and the user role is ready to transport to the production system.

Figure 8

System trace screen, transaction ST01

Figure 9

Trace display screen, transaction ST01

If the return code value is not zero, then the check is unsuccessful — the user does not possess the required authorization and the system displays an error message when the user tries to access the transaction, as shown in Figure 6. At this point, you have to add authorization object PLOG manually in the Profile Generator tool.

Authorization Object PLOG

The authorization check for Personnel Development (PD) data uses authorization object PLOG. Table 3 shows this authorization object’s authorization fields, which relate to the infotype. These values depend on your business needs. The values in Table 3 are values for the employee shopping business scenario. They are minimal authorizations required to create and approve a shopping cart. They guarantee that the role works and is secure. You can analyze the values one by one via the trace file (transaction ST01). In my example, I must customize authorization object C_DML so User A can view the catalog and see what’s available to order.

Authorization Object C_DML

Authorization object C_DML controls all object types in the master data framework. It has two fields: ACTVT (activity) and MDFOBJTYPE (DML object type). Via Profile Generator, enter the value for display in the ACTVT field and an asterisk for the MDFOBJTYPE field. In my example, I entered in Profile Generator in Figure 10 ACTVT=03 (display); MDFOBJTYPE=* (all DML object types) so that User A can view the catalog and its items.

Figure 10

Change role: Authorizations screen for object C_DML, transaction PFCG

To allow User A to view the approval status, you must add transaction code BBPBWSP to the TCD field of authorization object S_TCODE. BBPBWSP is a transaction for starting the enterprise buyer’s inbox. To accept the manager’s change, User A needs transaction BBPSC08 (employee’s inbox) in the TCD field of authorization object S_TCODE. You also must add transaction BBPAT05 to the TCD field of authorization object S_TCODE to allow the user to change his data.

Manager Authorizations: (User B)

Now, let’s have a look at the authorizations for User B (manager). So that User B can view the approval status, you must add transaction code BBPBWSP in the TCD field of authorization object S_TCODE. BBPBWSP_SIMPLE is the transaction code for the activity approval (Table 4). These transaction codes are designed for the Web browser, so you cannot access them from the SAP Easy Access menu. For User B to view the items in an employee shopping cart, you need to add transaction code BBPSC07 to the TCD field of authorization object S_TCODE.

To process approvals, User B needs authorization for object PLOG. Refer to Table 3 and fill in the fields with the relevant example value, which is the last column of the table. You manage the approval process via workflow. You can split this process into several levels if you have several managers (approvers) such as head of department (first level), chief accountant (second level), and top manager (top level). For example, your company may require that the IT manager, chief accountant, and top manager approve IT requisitions. For other service and material requisitions, your company may require approvals from just the chief accountant and top manager.

You define in the system whether a shopping cart needs go through the approval process. For managers, you define an approval limit that is the maximum amount for which a manager is authorized to approve shopping carts. Transaction BBP_BGRD_APPROVAL starts the standard program to manage the approval workflow. In the Web browser select the Start enterprise buyer inbox-Approval link (transaction BBPBWSP_SIMPLE), which allows you to view the inbox where the system stores shopping cart approval or rejection notices.

Maria Nikolova

Maria Nikolova has worked as a senior SAP expert for the National Electricity Company (NEK) in Bulgaria since January 1999. Maria has a master’s degree in telecommunications as an engineer from the Technical University in Sofia, Bulgaria. She has experience with an MIS project implementation of SAP R/3 (headquarters and rollout), the authorization concept and user administration, SAP Customer Competence Center (SAP CCC) , SRM, and the SD, HR, CO, Asset Management (AM), MM, and PM modules. Prior to joining NEK, she worked as a manager of Equipment Engineering Ltd. for four years.

You may contact the author at searchsapmnikolova@yahoo.com.

If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.