Find out about the minimal authorization customizations that you must implement in mySAP Supplier Relationship Management (SRM) so employees can browse online catalogs, create a shopping cart, and check its status when procuring supplies. In addition, learn how to configure the system so SRM managers can approve or reject shopping carts.
Key Concept
mySAP SRM uses authorization objects and their respective authorization fields to enact data security. An authorization object groups together up to 10 authorization fields to check whether a user is allowed to perform an action. The authorization fields’ values ensure the user’s access to sensitive information in the system. An authorization class groups authorization objects logically. Some examples of authorization classes are AAAB for cross-application authorization objects, HR for Human Resources, and BC_A for grouping Basis administration objects. Authorization profiles contain authorizations, which the system identifies by using the name of an authorization object and the name of an authorization.
I’ll explain which customizations you must implement in mySAP SRM to allow employees to shop online for
business needs. Then I will detail the customizations you must implement to enable managers to review employee purchases
and reject or approve them prior to finalizing the E-Procurement process. The authorization objects I’ll discuss
include:
- S_TCODE: Transaction code check at transaction start (authorization class
AAAB)
- PLOG: Personnel Planning (authorization class HR)
- C_DML: Data Manipulation Language (DML) object type (authorization class
BC_A)
My example scenario includes the minimum authorizations that the employee role requires for the rights to
shop online, check the shopping cart status, and accept manager changes to the shopping cart. I’ll also discuss the
minimum authorizations for the manager role. You must make all of these role changes in the development system.
Note
The screenprints in this article are from mySAP SRM 4.0, but the information also applies to mySAP SRM 5.0.
Business Scenario
When an employee submits a shopping cart for approval, the manager can change the number of items, delete items, or
reject the cart. When the manager changes an item in the shopping cart, the employee receives a work item in her inbox,
informing her of the change. The employee accepts the manager changes via the Accept Changes button. When
the employee accepts the change, the shopping cart moves to the next level of manager for approval — for example,
head of department (first level), chief accountant (second level), and top manager (top level). Alternatively, an employee
can choose not to accept the changes. In this case, the employee must resubmit the shopping cart to the manager for
approval.
Let’s say an employee (User A) shops for pens and pencils for his department using an online catalog and
places the selected items in a shopping cart. User A’s manager, User B, receives the shopping cart for approval.
User B reduces the number of pencils ordered and approves the order. This action sends a work item to User A’s
inbox. User A checks the status and accepts the shopping cart.
You configure the employee and manager roles via transaction PFCG (Profile Generator), a standard
SAP tool that manages user authorizations and profiles. The user role is a collection of activities (e.g., create data,
change data, delete data, display data) that a person performs in the system. Table 1 contains the
transaction codes for the menu and corresponding descriptions for both User A and User B with their relevant roles.
BBPSC02 |
Shop |
Z.SRM_EXPERT1 |
User A |
BBPSC04 |
Check status |
Z.SRM_EXPERT1 |
User A |
BBPBWSP_SIMPLE |
Approval |
Z.SRM_EXPERT1 |
User A |
BBPBWSP_SIMPLE |
Approval |
Z.SRM_MANAGER1 |
User B |
|
Table 1 |
mySAP SRM transaction codes for employee and manager roles |
Enter your role into a Customizing transport request via transaction PFCG. Follow menu
path Role>Transport and save the transport request. Release the transport request via Transport
Organizer (transaction SE10) to the Transport Management System (transaction STMS). In
STMS follow menu path Overview>Imports, select your production system, and then
follow menu path Import Queue>Display. After you display the import queue of requests, mark your
request (Edit>Select>Select/deselect request) and follow menu path
Request>Import. A screen appears in which you must specify the target client in the target system and
schedule your import. Press Enter and the system performs your transport according to your schedule. When you transport
roles, this also transports authorization profiles with authorizations.
However, if you want to transport only the role menu, its description, and the assigned users, you must
use a customizing option in the SAP system that prevents the system from transporting authorization profiles with roles.
In the source system from which you make the transport, enter the parameter PROFILE_TRANSPORT and the value NO in table
PRGN_CUST (via transaction SM30). If you want to exclude the transport of user
assignments to roles, specify this in the customizing table PRGN_CUST using the parameter
USER_REL_IMPORT and the value NO.
Tip!
In this business scenario I configured single roles. To simplify the user administration and the menu administration, you can use composite roles in the system, which you also configure via Profile Generator. The difference between single roles and composite roles is that composite roles do not contain authorization data, so you have to include single roles in composite roles to give authorization for access. No profiles are generated for composite roles. Although it is not mandatory, it is a good idea to distinguish single and composite roles by name (e.g., you can add CR to the end of the name of a composite role).
Tip!
SAP-created roles start with SAP_. Although you may create your own roles in the customer namespace, do not use the SAP namespace or change SAP standard roles because the next upgrade will overwrite all of your changes. You can generate authorization profiles for roles starting with SAP_, which the system will not overwrite during your next upgrade.
Figures 1 (employee) and 2 (manager) illustrate the menus that appear
after you start transaction PFCG. mySAP SRM users access a Web-based interface solution to log into
transactions for shopping and approval. Figure 3 illustrates the employee menu that User A sees when
logging onto the mySAP SRM Web- based interface. Figure 4 illustrates the manager menu that User B sees
when logging on. These screens are customized to offer the employee and manager the relevant selections they are
authorized to use. For example, if an employee wants to start shopping or searching for an item of goods or services, he
has to select Shop. If he wants to check the status of a shopping cart, he has to select Check
Status.

Figure 1
Change Roles configuration screen for mySAP SRM employee menu

Figure 2
Change Roles configuration screen for mySAP SRM manager menu

Figure 3
mySAP SRM employee menu

Figure 4
mySAP SRM manager menu
Tip!
When you are logged into mySAP SRM via the Web browser, the navigation icons for back, forward, and refresh remain visible. Do not use these icons because they may take you outside of mySAP SRM and you may lose your data.
Employee Authorizations: (User A)
For User A to be able to shop in mySAP SRM, your need to configure authorization object
S_TCODE. Then, perform an authorization test. Using transaction ST01, check for the
authority to access and manipulate data. If this is not present, then you must also add authorization objects
PLOG and C_DML to the user role.
Authorization Object S_TCODE
Let’s start the Profile Generator and configure the authorizations for User A with
S_TCODE as an authorization object. You manage its values (the transaction codes) via Profile Generator.
Whenever you start an SAP transaction, the kernel uses the transaction code as the value to check for data access.
The authorization object S_TCODE contains only one defined field (TCD)
for entering the transaction code. The S_TCODE object controls whether or not you can start a
transaction. When you start a mySAP SRM transaction in the Internet browser, the system checks authorization object
S_TCODE to see if the user has the proper authorization. To pass an authorization test for the
S_TCODE object, the user must satisfy the authorization check for the TCD field in the
object. Table 2 shows the transaction codes employees need to purchase goods and services. These
transaction codes are designed specifically for the Web browser — you cannot access them from the SAP Easy Access
menu.
BBPSC02 |
Shop |
BBPSC04 |
Check status |
BBPBWSP_SIMPLE |
Start enterprise buyer Inbox – Approval |
BBPAT05 |
Change user data |
BBPBWSP |
Start enterprise buyer inbox |
BBPGLOBAL |
Transaction for Internet transaction |
BBPSC08 |
Employee inbox |
|
Table 2 |
The core transaction codes in S_TCODE that employees
must have
authorization to access |
If you have only the view icon
in front of the
S_TCODE authorization object in transaction PFCG, you cannot edit S_TCODE. In
this case, you must manually include S_TCODE by clicking on the Manual entry of authorization
objects button or by pressing Ctrl-Shift-F9. Save by following menu path Authorizations>Save
and generate by following menu path Authorizations>Generate. You only have the view icon available if
you are in mode Display role or if you are in mode Change role and the system
automatically generates the authorization according to the default values for the transactions in the menu.
Let’s look at User A’s authorizations. Using Profile Generator, include transactions
BBPSC02, BBPSC04, and BBPBWSP_SIMPLE, which form the user menu, in the
TCD field. In this case, when User A logs on, the system responds with the following error message:
Error when processing your request (termination type RABAX_STATE).
The What can I do information that appears with the error message advises that, in this
case, you have to start transaction code ST22 (ABAP Dump Analysis) to get more detailed information about
the ABAP runtime error (Figure 5). With termination type RABAX_STATE you can view this
error when calling Web interface applications. It is one of the most frequent termination types that occur when the system
processes an HTTP/HTTPS file in the Internet Communication Framework (ICF).

Figure 5
First screen of transaction ST22
Note
The RDISP/VERBOSE_LEVEL profile parameter should be set to full (RDISP/ VERBOSE_LEVEL=FULL) via transaction RZ11. This parameter determines the level at which the system logs errors. The full level activates the logging of ABAP runtime errors. The default value of this parameter is RDISP/VERBOSE_LEVEL=SHORT. You need to check and set the profile parameter before running transaction ST22.
Enter the value User_A in the User field
and click on the Start button. This leads you to the List of Selected Runtime Errors
screen shown in Figure 6. Double-click on the ITS_ERRMSG_EXCEPTION error. The error
information provided by ABAP Dump Analysis in this case is The ITS-Service “bbpstart” is canceled,
because the Web Application Server has sent the following error message: “You are not authorized to use transaction
BBPGLOBAL.” This means that you must include the BBPGLOBAL transaction in the
authorization field via Profile Generator.

Figure 6
List of Selected Runtime Errors screen, transaction ST22
By manually adding the authorization for transaction BBPGLOBAL, User A can see the
employee menu, but cannot execute any transaction codes because you need to include additional authorization objects. At
this point, when User A clicks on the Shop button in the mySAP SRM screen, the user sees the screen shown
in Figure 7. To fix this, you need to perform a couple of steps. First check the user role for the
authority to access and manipulate data. If this authority is not in place, add authorization objects
PLOG and C_DML.

Figure 7
mySAP SRM error screen for User A
Note
Prior to starting the tests for the access of User A, make sure User A is generated via the transaction code for user generation USERS_GEN.
Test the User Role
The authorization expert tests the user role with the system trace in transaction ST01
(Figure 8). Double-click on the Trace Status field to filter the trace by User A.
Figure 9 provides a detailed view of this authorization check. If the return code (RC)
for object S_TCODE equals zero (RC=0), it means the authority check in the ABAP program
is successful. The user has the right to access and manipulate data and the user role is ready to transport to the
production system.

Figure 8
System trace screen, transaction ST01

Figure 9
Trace display screen, transaction ST01
If the return code value is not zero, then the check is unsuccessful — the user does not possess
the required authorization and the system displays an error message when the user tries to access the transaction, as
shown in Figure 6. At this point, you have to add authorization object PLOG manually in the Profile
Generator tool.
Authorization Object PLOG
The authorization check for Personnel Development (PD) data uses authorization object
PLOG. Table 3 shows this authorization object’s authorization fields, which relate
to the infotype. These values depend on your business needs. The values in Table 3 are values for the employee shopping
business scenario. They are minimal authorizations required to create and approve a shopping cart. They guarantee that the
role works and is secure. You can analyze the values one by one via the trace file (transaction ST01). In
my example, I must customize authorization object C_DML so User A can view the catalog and see
what’s available to order.
INFOTYP |
Infotype |
Defines the infotypes (attributes) of an object that the user may access |
* |
ISTAT |
Planning status |
Defines in which planning status the user may access information |
* |
OTYPE |
Object type |
Defines which object types the user may access |
* |
PLVAR |
Plan version |
Defines which plan versions the user may access |
01 |
PPFCODE |
Function code |
Defines for which type of information processing (display, change, copy, delete) the user is
authorized |
DISP |
SUBTYP |
Subtype |
Defines which subtypes the user may access for given infotypes |
* |
|
Table 3 |
Authorization fields for object PLOG and example
values |
Authorization Object C_DML
Authorization object C_DML controls all object types in the master data framework. It
has two fields: ACTVT (activity) and MDFOBJTYPE (DML object type). Via Profile
Generator, enter the value for display in the ACTVT field and an asterisk for the
MDFOBJTYPE field. In my example, I entered in Profile Generator in Figure 10
ACTVT=03 (display); MDFOBJTYPE=* (all DML object types) so that User A can view the
catalog and its items.

Figure 10
Change role: Authorizations screen for object C_DML, transaction PFCG
To allow User A to view the approval status, you must add transaction code BBPBWSP to
the TCD field of authorization object S_TCODE. BBPBWSP is a transaction
for starting the enterprise buyer’s inbox. To accept the manager’s change, User A needs transaction
BBPSC08 (employee’s inbox) in the TCD field of authorization object
S_TCODE. You also must add transaction BBPAT05 to the TCD field of
authorization object S_TCODE to allow the user to change his data.
Manager Authorizations: (User B)
Now, let’s have a look at the authorizations for User B (manager). So that User B can view the
approval status, you must add transaction code BBPBWSP in the TCD field of authorization
object S_TCODE. BBPBWSP_SIMPLE is the transaction code for the activity approval
(Table 4). These transaction codes are designed for the Web browser, so you cannot access them from the
SAP Easy Access menu. For User B to view the items in an employee shopping cart, you need to add transaction code
BBPSC07 to the TCD field of authorization object S_TCODE.
BBPBWSP_SIMPLE |
Start enterprise buyer inbox - Approval |
BBPAT05 |
Change user data |
BBPBWSP |
Start enterprise buyer inbox |
BBPGLOBAL |
Transaction for Internet transaction |
BBPSC07 |
Manager inbox |
BBP_BGRD_APPROVAL |
Background approval |
|
Table 4 |
mySAP SRM core transactions for the manager role |
To process approvals, User B needs authorization for object PLOG. Refer to Table 3 and
fill in the fields with the relevant example value, which is the last column of the table. You manage the approval process
via workflow. You can split this process into several levels if you have several managers (approvers) such as head of
department (first level), chief accountant (second level), and top manager (top level). For example, your company may
require that the IT manager, chief accountant, and top manager approve IT requisitions. For other service and material
requisitions, your company may require approvals from just the chief accountant and top manager.
You define in the system whether a shopping cart needs go through the approval process. For managers, you
define an approval limit that is the maximum amount for which a manager is authorized to approve shopping carts.
Transaction BBP_BGRD_APPROVAL starts the standard program to manage the approval workflow. In the Web
browser select the Start enterprise buyer inbox-Approval link (transaction
BBPBWSP_SIMPLE), which allows you to view the inbox where the system stores shopping cart approval or
rejection
notices.
Maria Nikolova
Maria Nikolova has worked as a senior SAP expert for the National Electricity Company (NEK) in Bulgaria since January 1999. Maria has a master’s degree in telecommunications as an engineer from the Technical University in Sofia, Bulgaria. She has experience with an MIS project implementation of SAP R/3 (headquarters and rollout), the authorization concept and user administration, SAP Customer Competence Center (SAP CCC) , SRM, and the SD, HR, CO, Asset Management (AM), MM, and PM modules. Prior to joining NEK, she worked as a manager of Equipment Engineering Ltd. for four years.
You may contact the author at searchsapmnikolova@yahoo.com.
If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.