Role maintenance lets you group application transactions together in single roles and composite roles. You can group the transactions together in roles to define authorization profiles. This lets you ensure that only specific users at a company are authorized to access certain transactions. To achieve this, you create roles and assign transactions to them in role maintenance.
The system for Global Trade Services (GTS) includes both single roles and composite roles. Remember that the supplied roles are intended for use as copy templates only; you need to modify them to meet your company's specific requirements. You can copy the provided roles and modify them to meet your specific needs.
If you want to assign authorizations in line with the supplied roles, but restrict the specialists' work to specific organizational units or legal regulations, you can restrict the role assignment to the corresponding levels when you define the authorization data. To do so, select the role in the authorization maintenance transaction and choose Org. Level.
In a later step, when you determine which users will use the GTS system, you can assign them the respective roles. At the same time, the respective authorizations that you assigned to the roles are automatically assigned to the users. This ensures that your users can only execute the functions that are defined - together with the
corresponding authorizations - in the assigned roles. You can also assign the authorization profiles directly to user IDs.
Note
You do not assign the users in this step. When you create users, the system assigns the roles automatically. You can use the user administration functions to change the roles.
For more information about the provided authorization roles and authorizations, see the Security Guide for GTS at the SAP Service Marketplace, which is available under the following path:
service.sap.com/swdc Installations and Upgrades Installation and Upgrade Guides SAP Business Suite Applications SAP Governance, Risk, Compliance (GRC) Global Trade Services
Prerequisites
If you want to use the functions for sanctioned party list screening within the user-friendly information structure of the Web Dynpro application and the Web UI, you have already configured the settings for the authorization groups. For more information, see Configuring Authorization Groups for Web Dynpro Applications [page 163].
Procedure
1. Open the Customizing tree and choose Global Trade Services General Settings Authorization Management Define Authorizations
2. Enter a role and its description and then save your entries. 3. Enter the desired transaction in the Menu tab page.
4. The following options are available, depending on whether you are maintaining a single role or a composite role:
○ Single role: Generate the authorization profile on the Authorizations tab page. ○ Composite role: Enter the single roles on the Roles tab page.
Example
You can choose between roles for Compliance Management that cover the following profiles: 1. Specialist for export control
2. Specialist for import control
3. Specialist for sanctioned party list screening
The GTS manages user authorizations at the transaction and authorization profile levels. The authorizations are based on legal regulations and, therefore, determine whether a user is allowed to execute sanctioned party list screening functions or not. In addition, there are authorizations for customs documents for each organizational unit (foreign trade organization and legal unit).
However, you can also assign user authorizations at country and country group level. This option is provided because some countries have stricter data protection laws than others. This is relevant, for example, for the new integration between the GTS system and SAP ERP Human Capital Management (SAP ERP HCM) . The following functions benefit from the new authorization assignments:
1. Scenarios A1, B1, C1, and S1: Business Partner Master Data 2. Scenarios A2, B2, C2, and S2: Customs Document
3. Audit trail for sanctioned party list screening of business partners and customs documents 4. List of blocked business partners
5. Lists of blocked customs documents
6. Lists of customs documents for manual release lists 7. List of existing customs documents
More Information
You can use roles, which you create with transaction code PFCG, as content in the SAP NetWeaver Portal. For more information, see the SAP Library for SAP NetWeaver under SAP NetWeaver by Key Capability People Integration by Key Capability Portal Portal Administration Guide System Administration Transport, Upload, and Content Mirroring Upload of Roles from ABAP-Based Systems .
5.26.1 Configuring Authorization Groups for Web Dynpro
Applications
You have to use authorization groups in the authorization checks for Web Dynpro applications to enable use of these functions in a Web UI. You can assign several functions to the authorization groups by entering the corresponding program names. In doing so, you group together the functions for which the system performs the same checks. You can assign a program to multiple groups during assignment.
Activities
Open the Customizing tree and choose Global Trade Services General Settings Authorization Management .
Defining Authorization Groups
1. Choose Define Authorization Groups for Web Dynpro Application .
Assigning Programs to Authorization Groups
6
Customizing for Compliance Management
This section contains information about the Customizing settings needed in the respective systems. The aim of the business Customizing settings is to adapt the system functions that are shipped in an industry-neutral form to the specific requirements of your company.
This includes:
● Customizing of organizational units ● Customizing of master data ● Customizing of processes
Perform the steps described in this guide in the precise sequence in which they are listed.