SAP TM authorization development & POWL config Insights

Are you working with SAP TM security – experiencing pain in designing the correct worklist access for users and confused with too many POWL tables? This guide explains the SAP TM Security insights, POWL tables co-relations, and their run-time usage.  The audience relevant to this document includes but is not limited to security consultants who are working on Personalized Object Worklist (POWL) queries configuration for SAP Transportation Management, SAP Supplier Relationship Management, or SAP Governance, Risk and Compliance solutions.

Topics:

  • The detailed process of POWL role creation
  • Steps for POWL queries creation (including parameter changes and query settings), query mapping, configuration for role/User. POWL queries and worklists
  • Details about the different authorization objects in SAP Transportation Management and it’s usage.
  • The ownership and the grey area concerning ownership.

Knowledge Prerequisite:

  • SAP application security authorization development

POWL Authorization Development

1. The relevance of POWL queries, Web Dynpro applications, PFCG role & different auth objects in TM

Unlike usual SAP application security authorizations, POWL query access is developed by adding the below elements to the PFCG role:

  • BSP Applications
  • Authorization Defaults for Transaction codes, TADIR Services, etc.
  • Web Dynpro Applications (primary element in POWL/TM authorization development)
  • Transaction codes

Below is the relevance of the NWBC screen entities in SAP TM/SRM with the fields/items in the Role PFCG screen. Understanding the significance of the query elements to PFCG role items can make it very easy for security consultants to understand the business requirements and provide the solutions.

SAP software delivers multiple standard roles for various jobs in SAP TM business processes like Transportation Manager, Planner, and Dispatcher, etc. However, not all these jobs are relevant to all businesses. If they are, the standard Role would still need heavy authorization data maintenance as, by default, they are not maintained.

SCTS – ‘Transport Management Solution’ is the authorization class that holds all the TM relevant auth objects, including critical ones like – T_TM_ALL, T_TORACT, T_TORNODE, T_TOR*, and T_TRQ*.

Let’s look at practical usage information about these auth objects that cannot be found in SU21.

ClassAuth ObjectInfo about auth object’s usage
SCTST_TM_ALLThis authorization is analogous to SAP_ALL; but within the TM process scope.
If a user has 63 activity for this auth object, system supersedes all the authorization restrictions within the TM scope and provides the access to user.
SCTST_TORACT &
T_TORNODE
There are multiple document types and master data items in the TM system. Although SAP software provides explicit auth objects for regulating access to these items, T_TORACT & T_TORNODE are used to control specific business actions that a user can take on any TM document or master data item.
SCTST_TOR* & T_TRQ*This set of authorization objects can be used to regulate the access for various TM documents like freight order, forwarding order based on type, and category.
AAABCA_POWLIn simple terms, this authorization object helps you regulate user access for a query ‘views’.
Changes to the views like creating new queries/categories and editing queries/categories can be controlled using this auth object.

2. Role development process for POWL access provisioning

2.1 Role development

Task: Web Dynpro Application addition in roles and role generation

Task Ownership: SAP Security Consultants

The entities (T-code, WDA, BSP Appln.) are added to the role like transaction codes. While addition, few more details are to be maintained depending on the kind of access needed, based on business requirements. We can also define and modify SU24 checks for Web Dynpro applications to achieve desired control, with respect to certain parameter.

Steps:

1. Add the required Web Dynpro Application, modify the description to suit the node name, and select/add the relevant configuration ID.

2. Few more parameters can be added and set: Parameters like CHANGE_MODE and APPLID for worklist nodes etc. depending on the requirement.

3. We can also add BSP application and authorization defaults (they provide access for the required tcode from NetWeaver Business Client screen)

4. Once we add all the required Web Dynpro applications, tcodes, etc. generate the role authorization profile as usual.

5. ‘Object Worklist type’ Web Dynpro applications need more configuration in POWL tables for providing access to the relevant queries.

2.2 POWL Table configuration

Task: Updating config tables – POWL_QUERYR & POWL_TYPER, or POWL_QUERYU & POWL_TYPEU

Task Ownership: SAP Security/GRC Consultants                 

There are multiple tables to be updated to provide access for a required POWL Query or Worklist through a role. Table details are as below,

POWL_CATDefine Categories with the required descriptions
POWL_QUERYQueries can be defined/modified.
Custom queries can be created using predefined POWL Types.
The created query can be configured with the help of parameters and customising settings based on business requirements
POWL_QUERYRDefines the relation between Query and Role for an application, using category.
This table is used widely because of the ease of defining access to jobs and roles.
POWL_QUERYUDefines the relation between Query and User for an application, using category.
This table is NOT used as it is not feasible to define access levels based on the User.
POWL_TYPEDefines the relationship of Query type with the Feeder class.
POWL_TYPERDefines the relation between POWL type and Role for the application.
This table is used widely because of the ease of defining access to jobs and roles.
POWL_TYPEUDefines the relation between POWL type and the User for the application.
This table is NOT used as it is not feasible to define access levels based on the User.

The tables, their fields, and those that are relevant for a table are explained in a table in section 3 POWL Tables, table fields relevance, and relationship.

2.3 Custom POWL query creation

Task: Creation of new queries in POWL_QUERY table

Task Ownership: Grey Area – SAP Security Consultants or Relevant SAP Functional Consultant or ABAP Consultants (TM/SRM)

Steps

  • Execute Tcode POWL_QUERY and click on New Entries. Select the POWL Type ID, depending on the type of query you need to create.
  • Use Query Parameters and Query Settings options to define and configure the query behaviour.
  • Query parameters would be pulled-in depending on the POWL type ID used to define the query.
  • Query settings can be used for settings including – mandatory field, read-only fields, hidden fields, quick search field visibility, etc.

3. POWL Tables / Fields relevance

TcodeTableTalks AboutFields           
Query IDPOWL Type IDCategoryApplicationRoleUserFeeder ClassRelevant DescriptionRefresh TypeCategory Seq No.Query Seq No.Tab Seq No.
POWL_CATPOWL_CATEGORYCategory Definition -
Category Text and Description
xx
POWL_QUERYPOWL_QUERYPOWL Query Definition -
Query Text, type of Query and Parameter setting/values
xxxx
POWL_QUERYRPOWL_QUERY_ROLPOWL Query - Role Assignment
Relationship - Role, POWL Query, Application ID and Category

For the mentioned Role, Query belongs to relevant Application and should be placed in specified Category in NetWeaver Business Client
xxxxxxxx
POWL_QUERYUPOWL_QUERY_USRPOWL Query - User Assignment
Relationship - User, POWL Query, Application ID and Category

For the mentioned User, Query belongs to relevant Application and should be placed in specified Category in NetWeaver Business Client
xxxxxxxx
POWL_TYPEPOWL_TYPEPOWL Type Definition -
Query Type belongs to this Feeder Class
xxx
POWL_TYPERPOWL_TYPE_ROLPOWL Type - Role Assignment
Relationship - Role, POWL Type and Application ID

For the mentioned Role, POWL type belongs to this Application
xxxx
POWL_TYPEUPOWL_TYPE_USRPOWL Type - User Assignment
Relationship - User, POWL Type and Application ID

For the mentioned User, POWL type belongs to this Application
xxxx

The above table shows the common fields across the POWL config tables, making it easier to understand how the POWL table configuration enables the query/worklist access. It is not necessary to maintain ALL these tables; the tables to maintain depends upon the approach used for authorization design and POWL configuration (User-based or Role-based)

The below graphic shows how entries in config tables POWL_QUERYR & POWL_TYPER use data from query definition is maintained in table POWL_QUERY; when an NWBC page with a worklist is loaded.

Conclusion

Additional information can be found in the ‘Security Guide for SAP TM.’

Rishi is an awarded senior SAP security and GRC specialist consultant with 11 years experience in security, authorisations, governance risk and compliance (GRC). He has worked in multiple industries, including but not limited to Utilities / Power & Energy, Mining, Pharmaceuticals, Retail, Transport and Government.

Rishi has consulted and led SAP security projects for all types of implementation scenarios, and designed SAP security frameworks for multiple SAP systems including but not limited to ECC, BI, HR, TM and HANA. He is known for his strength in quickly building rapport with his clients and being able to effectively communicate at all business levels. He successfully uses his experience and business knowledge, and packaged solution expertise to effectively integrate protected data from unauthorised access. His business acumen and communication skills have helped him to embed the standards and compliance framework into the business in an effective way to be the security standard adopted by the client.

Comments are closed.

Social media & sharing icons powered by UltimatelySocial