
How to Assign SAP Business Planning and Consolidation Authorizations via the SAP Governance, Risk, and Compliance (GRC) Access Control Compliance User Provisioning Product


SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

© 2012 SAP AG

How to Assign SAP Business Planning & Consolidation Authorizations via the SAP GRC Access Control Compliance User Provisioning Product

Applies to:

SAP Business Planning and Consolidation 10.0, version for SAP NetWeaver.

Summary

This paper describes how to keep the technical names of the roles for the SAP Business Planning and Consolidation version for SAP NetWeaver consistent across the different systems in the SAP NetWeaver Business Warehouse landscape so that they can subsequently be assigned via the SAP GRC Access Control Compliance User Provisioning product. For simplification, the SAP Business Planning and Consolidation product, the SAP GRC Access Control Compliance User Provisioning product, and the SAP NetWeaver Business Warehouse product will be referred to in this paper as “BPC”, “CUP”, and “BW”, respectively. Please download relevant files here.

Authors: Colleen Cunningham and Peter Bruns

Company: SAP Americas, Inc.

Created on: February 17, 2012

Author Bio

Colleen Cunningham is a Solution Architect in the Global Business Intelligence team within SAP IT. She is also a member of the Identity Access Management BI Authorization Center of Excellence. She has developed, implemented, and supported authorization concepts for BI solutions based upon SAP NetWeaver BW as well as BusinessObjects Enterprise. Additionally, she has developed complete BI reporting solutions from the backend BW data load processes (e.g. creation of BW InfoObjects, DSOs, InfoCubes, Transformations, and Process Chains) to the frontend solutions using BEx Query Designer, Web Application Designer, Xcelsius, and Webi.

Peter Bruns is a certified SAP NetWeaver BW consultant who has been working for SAP as an external consultant for more than 7 years. His primary departments within SAP AG are the SAP Value Prototyping team as a BI/BO & Planning expert and the SAP CSA team for Mobile Solutions. During his past assignments in the RIG EMEA team, he was responsible for the technical aspects of BPC customer implementations during the Ramp-Up process. Today, Peter is the Solution Architect of one of the first productive BPC 10 version for SAP NetWeaver implementations at SAP, done on a BW HANA system.


Table of Contents

Conventions
Business Scenario
BPC Background Information
Prerequisites
  Access to NetWeaver Transactions
  BPC-Related Notes for BPC 10, version for SAP NetWeaver SP03
Overview of Step-by-Step Procedure
Detailed Step-by-Step Procedure
  Copying the Standard Roles to Desired Namespace & Assigning Them to BPC Service User
    Copying the Standard Roles to Desired Namespace
    Transporting the Newly Copied Standard Roles
    Assigning the Newly Copied Roles to the BPC Service User
  Creating the BPC Task Profiles, Data Access Profile, and Team Profiles via the BPC interface
    Creating the BPC Task Profile(s)
    Creating the Data Access Profiles
    Creating the Team Profiles
  Copying the BPC Generated Roles
    Determining the AppSet Prefix for the BPC environment
    Copying the Generated Roles for the Specific BPC Environment
  Creating BPC Composite Roles
    Download the Contents of the UJE_* Security Tables
    Analyzing the Downloaded Files to Determine the Composite Roles to Create
    Creating the Actual Composite Roles
  Transporting BPC Authorizations
    BPC Transport Connection Object
    Transporting the Manually Created Roles
  Keeping the BPC Technical Role Names Consistent
    For BPC 10 version SAP NetWeaver, SP4 or earlier:
    For BPC 10 version for SAP NetWeaver, SP5:
  Replacing the Technical Role Names in the UJE_* Security Tables with the Desired Namespace
  Adding the Composite Roles into CUP
ABAP Programs
  ZBPC_EXPORT ABAP Program
  ZBPC_IMPORT ABAP Program
  ZBPC_CUP ABAP Program
Related Content
Copyright


Conventions

The following table summarizes the conventions used in this document:

| Format | Description |
| --- | --- |
| <<Text>> | Placeholders, which should be replaced by the reader’s specific information |
| Italics | Field names, button labels/names, dialog box titles, and referenced section titles |
| “Text” | Literal values |
| //This is a code sample block | Sample Code |
| highlights | Highlights are used in screenshots to identify which buttons should be clicked and to emphasize information in the screenshots |

Business Scenario

The IT Security team within company XYZ, Inc. has the requirement that standard delivered roles cannot be assigned to any userID in the BW systems. Instead, IT Security insists that all authorizations that are assigned must be in the company’s authorization namespace. Additionally, IT Security requires that all authorizations must be requested and assigned via CUP. As the BPC product has its own standard delivered roles and also generates its own roles in the product namespace, this document describes how to overcome these facts in order to satisfy the IT Security requirements described above.

BPC Background Information

There are a few important concepts/conventions to keep in mind about BPC that will help you understand BPC authorizations and the contents of this paper.

1. BPC uses a proxy user to generate SAP NetWeaver BPC roles and BPC objects in the SAP NetWeaver environment in the ZBPC_* and /CPMB/* namespaces, respectively. As such, the proxy user, also known as the BPC service user, must be assigned the equivalent of the standard delivered roles required to perform the tasks in the SAP NetWeaver environment. The BPC service userID is configurable (i.e. the technical name is determined during setup) and must be assigned the same rights in all BW systems. In this paper, the BPC service userID is named ZBPC_SERVICE.

Note: The BPC product refers to the SAP NetWeaver roles as BPC profiles within the product. The generated authorizations are actual SAP NetWeaver roles.

2. BPC also uses the ALEREMOTE userID to perform post-processing steps when transporting BPC objects and BPC generated roles. As such, the standard delivered roles must also be assigned to the ALEREMOTE userID in all BW systems.

Note: Some companies use a different ID from the ALEREMOTE ID. Whatever ID is used in the company for such tasks will need to have the standard delivered roles assigned to it in all BW systems in the landscape.


3. BPC requires explicit deny rights. Since SAP NetWeaver analysis authorizations do NOT allow for explicit deny rights, this product requirement is achieved with the use of internal UJE_* security tables and virtual analysis authorizations. The following are the most relevant security-related tables:

| BPC 10.0 Table | Comment |
| --- | --- |
| UJA_APPSET_INFO | Contains the Appset IDs, Prefix, InfoArea, and Description. The appset prefixes will be used in the name of the generated roles (e.g. ZBPC_XX*). |
| UJE_MEMACCESS | Contains the profile ID for each environment for which security has been setup. It will show the name of the profile (as it is known within BPC) and the dimension for which security has been enabled. |
| UJE_PROFILE_AGR | Maintains the relationship between the appset and the task profile & data access profile |
| UJE_TASK | Contains the task IDs and descriptions |
| UJE_TEAM_AGR | Maintains the relationship between the team and the profile that belongs to the team as well as the profile that belongs to the leader of the team. |
| UJE_TEAM_MULTAGR | Maintains the relationship between the team and the profile that belongs to the team |
| UJE_USER_AGR | Maintains the relationship between the appset and the user role assignments |
| UJE_USER_SPECAGR | This table is populated ONLY if the profile assignment is inherited by the team assignment AND assigned directly to the user via the BPC front-end. NOTE: This table should NOT be populated in production as the assignments will be made via CUP! |

4. The naming conventions for standard and generated BPC roles are as follows:
   a. Standard Delivered Roles
      i. SAP_BPC_*: SAP BPC roles needed by the BPC service user ONLY
      ii. /POA/BUI_*: roles required for the FLEX component to work for all BPC users
   b. Generated BPC Roles
      i. ZBPC_<<Appset_Prefix>><<Role_Type_Abbreviation>><<6-digit-number>>
      ii. Appset_prefixes are defined in table UJA_APPSET_INFO and are unique across ALL BPC appsets
      iii. Role_Type_Abbreviation values are as follows:
         1. User: U
         2. Team: T
         3. Team Leader: L
         4. Task Profile: P
         5. Data Access Profile: M

5. The naming convention for composite BPC roles that were created during the implementation was as follows:
   a. <<Company Namespace>>_<<XXXX>>_<<DEV or PRD>>_<<Region or User Type>>
   b. <<Company Namespace>> represents the company’s namespace for roles
   c. XXXX represents the 4-character BPC environment (formerly appset)
   d. DEV is used to represent the development version of the role (which should ONLY be assigned in development)
   e. PRD is used to identify the production version (i.e. non-development version) of the role, which should ONLY be assigned in non-development systems (e.g. BWV, BWP).
   f. Region or User Type is used to identify the specific region (e.g. GLOBAL, APJ, NA, etc.) or type of user (e.g. Admin, PowerUser, etc.)

Note: BPC Composite roles in the development system contain the original single roles that were generated by the BPC product! Composite roles in the non-development systems contain the appropriate copies of the generated BPC roles!


Prerequisites

Access to NetWeaver Transactions

The administrator setting up the authorizations will require access to the following SAP NetWeaver transactions:

| Transaction | Description |
| --- | --- |
| PFCG | Role Maintenance |
| RSA1 | Data Warehousing Workbench |
| SE01 (or SE09 or SE10) | Transport Organizer Extended View (Transport Organizer) |
| SU01 | User Maintenance |

BPC-Related Notes for BPC 10, version for SAP NetWeaver SP03

The following Notes MUST be installed in the BW systems:

| Note # | Comment |
| --- | --- |
| Note # 1634986 | This note allows the BPC product to recognize composite roles |
| Note # 1610249 | This note allows the users to see the data that they just entered. This also requires that the follow-up activities listed in the Note be performed. Specifically, after implementing Note # 1610249, someone who is assigned the role ZBPC_APPSET_MANAGER (or its equivalent role in the company-specific namespace) must run the program Z_MIRGRATE_BI_AUTH in the system. The content of that program is attached to the Note. The program will remove 0BI_ALL from the generated roles. |

Overview of Step-by-Step Procedure

This How-to-Guide provides the procedure for creating BPC roles in your own namespace and keeping the technical names of the roles consistent across multiple BW systems so that they can be assigned via CUP. Overall, the steps are as follows:

1. Copying the standard delivered roles and assigning them to the BPC service user
2. Creating the BPC Task Profiles, Data Access Profile, and Team Profiles via the BPC interface
3. Copying the BPC Generated Roles
   a. Create teams in BPC front-end
   b. Copy ZBPC* generated roles into new namespace
4. Creating BPC Composite Roles
   a. Review the contents of the relevant UJE_* security tables
   b. Create composite roles with the appropriate roles that should be assigned together
5. Transporting BPC Authorizations
   a. Use the BPC transport mechanism to transport the BPC roles
   b. Transport the composite roles and single roles that were created in the desired namespace to the target system
6. Keeping the BPC Technical Role Names Consistent Between the Source and Target Systems
7. Replacing the technical role names in the UJE_* security tables with the desired namespace
   a. Implement the ZBPC_EXPORT ABAP and ZBPC_IMPORT ABAP code & transport it to all of the BW systems
   b. Execute the code in the target system ONLY
8. Adding the composite roles into CUP with the appropriate approval workflow

Detailed step-by-step instructions for how to do the above steps are in the subsequent sections.


Detailed Step-by-Step Procedure

Copying the Standard Roles to Desired Namespace & Assigning Them to BPC Service User

Copying the Standard Roles to Desired Namespace

1. Log into BW via the SAP GUI
2. Go to transaction PFCG
3. Click on the Views button and then select Single Roles
4. Click on the Set Filter button to filter the list of Single Roles
   a. On the pop-up screen that appears, enter the following pattern: SAP_BPC*
   b. Click the green arrow to execute the search
5. From the list that is returned, click once on the role SAP_BPC_ADMIN
6. From the toolbar, click the icon to copy the role
7. In the pop-up screen that appears, replace the “SAP” prefix with the desired namespace and then click the Copy all button
8. For the /POA/* roles, replace the 1st slash (i.e. “/”) with the desired namespace and the 2nd slash with an underscore (i.e. “_”)


9. Repeat steps 5 – 8 for each of the standard delivered roles in the following table that should be copied to Company XYZ’s namespace:

| Standard Roles (Do NOT Assign) | New Roles (Can Assign) | Short Descriptions |
| --- | --- | --- |
| SAP_BPC_ADMIN | <<company namespace>>_BPC_ADMIN | BPC Administrator |
| SAP_BPC_BICS_REPORTER | <<company namespace>>_BPC_BICS_REPORTER | BPC role for user to allow connection using BICS |
| SAP_BPC_BTCH_JOB | <<company namespace>>_BPC_BTCH_JOB | Authorization for BPC CLM background job |
| SAP_BPC_CLM_EXPORT | <<company namespace>>_BPC_CLM_EXPORT | Authorization for exporting to CLM |
| SAP_BPC_CLM_IMPORT | <<company namespace>>_BPC_CLM_IMPORT | Authorization for importing from CLM |
| SAP_BPC_MDX_REPORTER | <<company namespace>>_BPC_MDX_REPORTER | BPC role for user to allow connection using MDX |
| SAP_BPC_SERVICE | <<company namespace>>_BPC_SERVICE | Reference role for BPC service user |
| SAP_BPC_SYSADMIN | <<company namespace>>_BPC_SYSADMIN | BPC System Administration |
| SAP_BPC_TABU_DIS | <<company namespace>>_BPC_TABU_DIS | BPC Role for Authorization Object S_TABU_DIS |
| SAP_BPC_USER | <<company namespace>>_BPC_USER | BPC user |
| SAP_BPC_WS_USER | <<company namespace>>_BPC_WS_USER | BPC role for user to allow SOAP webservice access |
| /POA/BUI_FLEX_CLIENT | <<company namespace>>_POA_BUI_FLEX_CLIENT | A role that is required to start the Flex client |
| /POA/BUI_UM_USER | <<company namespace>>_POA_BUI_UM_USER | A role that is required to work with user management in particular for retrieving roles and user information |

Note: The last two roles in the 2nd column MUST be assigned to ALL BPC users; whereas, the other roles in the 2nd column should be assigned to the BPC service user ONLY. The roles in the 1st column should not be assigned to any user ID in the system at all. It should be noted that since the SAP_BPC_* roles are only for the BPC service user and the ALEREMOTE user, the equivalent roles should not be listed in CUP as none of the BPC users should request or be granted those roles.


Transporting the Newly Copied Standard Roles

1. From within PFCG, select one of the new roles that was created in the last step of the previous section Copying the Standard Roles to Desired Namespace

2. Click the Transport role button to add the role to a transport

3. On the pop-up screen that appears, click the Execute icon

4. On the Information pop-up screen that appears, click the Continue button (i.e. the green checkmark)

5. On the Choose objects pop-up screen that appears, click the green checkmark


6. On the Prompt for Customizing Request pop-up screen that appears, click the Own Transport button

Note: A new transport can be created either by clicking the paper icon (i.e. the 2nd icon) on the screenshot above OR by clicking the Own Requests button and then the paper icon from that subsequent screen. However, although a new transport can be created directly from the screen above (via the 2nd button with the paper icon), it is a good idea to click the Own Requests button because it provides an opportunity to first review the existing transports for a suitable transport to use before creating a new one.

7. On the subsequent screen that appears, if a suitable transport already exists, then click on the transport number and then click the green checkmark. If a suitable transport does not already exist, then go to Step 8.


8. Click the paper icon to create a new Customizing Request, enter a description in the Short Description field, select a value from the pick list for the Project field (if required), and then click the Save button. Finally, from the lists of transports, click the newly created transport number, and then click the green checkmark.

9. Repeat steps 1 – 7 for the remaining roles that were previously created in Step 9 of the previous section Copying the Standard Roles to Desired Namespace
10. Go to transaction SE01 (or SE09 or SE10)
11. Expand the transport to see the tasks in the transport
12. For each task in the transport, click on the task number and then press {F9} on the keyboard to release the individual task
13. Click on the transport number, and then press {F9} on the keyboard to release the transport

Note: It is assumed that the company already has a defined process for importing released transports into subsequent NetWeaver systems in the BW landscape.

Assigning the Newly Copied Roles to the BPC Service User

1. Go to transaction SU01
2. In the User field, enter the BPC Service User ID ZBPC_SERVICE
3. Click the Edit icon
4. Click on the Roles tab
5. Enter the names of the roles that were copied to the desired namespace

Note: Assigning roles to the BPC service user may need to be done by the company’s Central User Administration team (depending upon the company’s specific internal policies about authorization assignments).


Creating the BPC Task Profiles, Data Access Profile, and Team Profiles via the BPC interface

Creating the BPC Task Profile(s)

1. Go to the BPC interface
2. From the Home tab, click the Planning and Consolidation Administration link in the Launch section on the far right-side of the screen
3. On the Administration tab, expand the Security node and click Task Profiles
4. Click the New link to create a Task profile
5. In the Add Task Profiles window, enter a name and description for the task profile that will be created, and click the Next button
6. Select the specific tasks that the user should be allowed to do, click the Add button, and then click Next


7. On the next screen, click the Finish button

Creating the Data Access Profiles

1. On the Administration tab, expand the Security node and click Data Access Profiles

2. Click the New link to create a Data Access Profile

3. Enter a name and description for the Data Access Profile, select the members for each dimension and set the access rights on the Member Access tab, click the Save button and then click the Close button.


Creating the Team Profiles

1. From the Administration tab, expand the Security node and click Teams

2. Click the New link to create a Team

3. On the Add Team screen that appears, enter the name and description of the Team to create and click the Next button.


4. Do NOT add any users on the next screen (as all user assignments will be done via CUP); instead, click Next

5. On the summary screen, click the Finish button.

6. On the subsequent screen, click the Task Profiles tab and click Add/Remove


7. On the next screen, click the desired Task profile(s) that the Team should have, click the Add button, and then click the OK button.

8. Click the Data Access Profiles tab and then click Add/Remove


9. On the subsequent screen, click the Data Access Profile(s) that the Team should have, click the Add button, and then click OK.


10. Click the Save button, and then the Close button.


Copying the BPC Generated Roles

After the BPC implementation team creates the teams within the BPC front-end, the generated roles for the specific BPC environment need to be copied to the desired namespace. The default naming convention (as described in Section BPC Background Information) can be used to identify the subset of generated roles that need to be copied for the BPC environment via the following steps:

Determining the AppSet Prefix for the BPC environment

1. Go to transaction SE16

2. Enter “UJA_APPSET_INFO” in the Table Name field and click the Table Contents button

3. On the subsequent screen, enter the technical name of the BPC environment (formerly AppSet) in the APPSET_ID field and then click the Execute button (or press {F8} on the keyboard). For the example captured by the screenshot below, “ADRM” is used as the BPC environment.

4. From the subsequent results screen, make a note of the value in the AppSet_Prefix field as it will be used in all of the generated roles for the specific BPC environment

Note: In the example above, all of the generated roles for the ADRM BPC environment will start with ZBPC_IR*. This information will be used to search for the generated roles that need to be copied to a new namespace in the following sub-section.


Copying the Generated Roles for the Specific BPC Environment

1. Go to transaction PFCG

2. Click on the Views button and then select Single Roles

3. Click on the Set Filter button to filter the list of Single Roles

a. On the pop-up screen that appears, enter the following pattern: ZBPC_<<AppSet_Prefix>>*

b. Click the green arrow to execute the search

4. From the list that is returned, click once on one of the ZBPC_<<AppSet_Prefix>>* roles

5. From the toolbar, click the icon to copy the role

6. In the pop-up screen that appears, replace the “Z” prefix with the desired namespace followed by an underscore (i.e. _), and then click the Copy all button

Note: When copying the generated BPC environment roles, only replace the first letter “Z” with the desired namespace followed by an underscore (i.e. _). Do not replace or change the remaining characters/sequential numbers. This will make the source for the newly created roles clear, and will also make it easier to understand which roles should be combined into composite roles (which is described in the Section “Creating BPC Composite Roles”).

7. Click the Edit button to edit the newly copied role

8. Click on the Authorization tab, and then click the Change Authorization Data button.


9. On the Information dialog screen that appears, click the green checkmark.

10. Click the Generate icon

Note: To display the technical names, select the following menu path: Utilities > Technical names on

11. In the Assign Profile Name for Generated Authorization Profile pop-up screen that appears, click the green checkmark.

Note: In the screenshot above, the user-specified namespace will appear for the <<Namespace>> placeholder.


12. Click the green Back button twice

13. Repeat steps 4 – 12 for each of the generated roles that follow the naming convention in the following table that should be copied to Company XYZ’s namespace:

| Generated Role | New Role | Description |
|---|---|---|
| ZBPC_<<appset_prefix>>U* | <<company namespace>>_BPC_<<appset_prefix>>U* | Generated USER roles for the specific appset |
| ZBPC_<<appset_prefix>>T* | <<company namespace>>_BPC_<<appset_prefix>>T* | Generated TEAM roles for the specific appset |
| ZBPC_<<appset_prefix>>L* | <<company namespace>>_BPC_<<appset_prefix>>L* | Generated LEADER roles for the specific appset |
| ZBPC_<<appset_prefix>>P* | <<company namespace>>_BPC_<<appset_prefix>>P* | Generated TASK roles for the specific appset |
| ZBPC_<<appset_prefix>>M* | <<company namespace>>_BPC_<<appset_prefix>>M* | Generated MEMBER ACCESS roles for the specific appset (access to the data) |

Creating BPC Composite Roles

Composite roles are manually created in order to simplify the process for requesting and approving authorizations for specific types of users in specific environments. In order to determine which BPC single roles should be grouped together in a composite role, evaluate the contents of the PROFILE_ID field in the UJE_MEMACCESS and UJE_PROFILE_AGR tables as well as the TEAM_ID field in the UJE_TEAM_AGR and UJE_TEAM_MULTAGR tables. The overall steps are summarized below:

1. Download the contents of the UJE_* security tables to Excel spreadsheets.

2. Merge the Excel files

3. Every distinct value in the TEAM_ID/PROFILE_ID columns in the UJE* security table will become a separate composite role.

4. Using the included Excel file, analyze the contents of the UJE_* security tables to determine which roles should be grouped together in the composite roles.


Download the Contents of the UJE_* Security Tables

1. Start transaction SE16

2. Enter the name of the UJE_* security table in the Table Name field and click the Table Contents icon. In the example below, the table name “UJE_TEAM_AGR” was used.

3. Enter the ID for the appset in the APPSET_ID field and click the Execute button

Note: Before clicking the Execute button, click the Number of Entries button to confirm that the number of records found is less than the value in the Maximum No. of Hits field. If necessary, increase the value in the Maximum No. of Hits field before clicking the Execute button.


4. From the Data Browser results screen, click the following menu path: Table Entry > List > Export > Local File

5. In the Save list in file pop-up screen, select Spreadsheet and click the green checkmark

6. In the subsequent pop-up screen, specify the path where the exported file should be saved in the Directory field and the filename in the File Name field; and then click the Generate button


7. Click the green Back button once

8. Repeat steps 2 – 7 for the following UJE_* security tables:

BPC 10.0 Table

UJE_MEMACCESS

UJE_PROFILE_AGR

UJE_TEAM_AGR

UJE_TEAM_MULTAGR

UJE_USER_AGR

Analyzing the Downloaded Files to Determine the Composite Roles to Create

1. Two separate composite roles will be created for every distinct TEAM_ID/PROFILE_ID in the UJE* security tables UJE_TEAM_MULTAGR, UJE_TEAM_AGR, UJE_PROFILE_AGR: one for the development system and one for the non-development systems.

Note: BPC Composite roles for the development system contain the original single roles that were generated by the BPC product! Composite roles for the non-development systems contain the appropriate copies of the generated BPC roles!

2. Add the following columns at the end of the data range in each of the files that were exported:

| File that was exported from table… | Add the following columns at the end… |
|---|---|
| UJE_TEAM_AGR | EquivalentTeamRole, EquivalentTeamLeadRole, CompositeRole_DEV, CompositeRole_PRD |
| UJE_TEAM_MULTAGR | EquivalentRole, CompositeRole_DEV, CompositeRole_PRD |
| UJE_PROFILE_AGR | EquivalentRole, CompositeRole_DEV, CompositeRole_PRD |

Note: The columns in the above table can be described as follows…

Equivalent*Role: Used to specify the equivalent role (e.g. role for Team, Lead, etc.) that was copied from the generated Team role

CompositeRole_DEV: Used to specify the name of the composite role that should be used in the development system for the specific team

CompositeRole_PRD: Used to specify the name of the composite role that should be used in the non-development system for the specific team


3. Using the naming convention for the equivalent BPC roles that were copied and the naming convention for the composite roles, populate the additional columns in the Excel files with the specific names of the equivalent roles and composite roles for the development and non-development systems.

4. Filter the TEAM_ID/PROFILE_ID columns in each sheet for the specific BPC team for which the composite role needs to be created.

5. In the next section, the composite roles for the non-development systems (e.g. <<Company Namespace>>_<<XXXX>>_PRD_<<Region or User Type>>) will be created by including all of the equivalent roles that appear for the specific team in the different filtered Excel files. The composite roles for the development system (e.g. <<Company Namespace>>_<<XXXX>>_DEV_<<Region or User Type>>) will be created by including all of the original roles that appear for the specific team in the different filtered Excel files.

Note: The included Excel file is a template that can be used to simplify the analysis of the exported data. All that is required is to copy and paste the exported data into the appropriate tabs and to specify the company-specific information on the Info tab. Then you will be able to filter
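The grouping in steps 1 to 5 above can also be done with a script. The following Python is an added example, not part of the original paper or of the included Excel template. It assumes tab-delimited exports with a header row, uses constructed role names, and uses the TEAM_ID/PROFILE_ID value as the <<Region or User Type>> part of the composite role name.

```python
import csv
import io
from collections import defaultdict

GENERATED_PREFIX = "ZBPC_"   # prefix of BPC-generated roles, as stated in the paper
NAMESPACE = "00BO_BWP"       # company namespace from the paper's example; replace as needed

# Id column and role columns per exported table (field names from the paper's ABAP code).
ROLE_COLUMNS = {
    "UJE_TEAM_AGR": ("TEAM_ID", ["TEAM_AGR", "TEAM_LEADER_AGR"]),
    "UJE_TEAM_MULTAGR": ("TEAM_ID", ["CHILD_AGR"]),
    "UJE_PROFILE_AGR": ("PROFILE_ID", ["PROFILE_AGR"]),
}

# Constructed sample exports (assumed layout: tab-delimited, one header row).
SAMPLE_EXPORTS = {
    "UJE_TEAM_AGR": (
        "APPSET_ID\tTEAM_ID\tTEAM_AGR\tTEAM_LEADER_AGR\n"
        "ADRM\tPLAN_DE\tZBPC_IRT0001\tZBPC_IRL0001\n"
        "ADRM\tPLAN_US\tZBPC_IRT0002\t\n"
        "XYZ1\tPLAN_DE\tZBPC_QQT0001\tZBPC_QQL0001\n"
    ),
    "UJE_TEAM_MULTAGR": (
        "APPSET_ID\tTEAM_ID\tCHILD_AGR\n"
        "ADRM\tPLAN_DE\tZBPC_IRP0001\n"
        "ADRM\tPLAN_DE\tZBPC_IRM0001\n"
        "ADRM\tPLAN_US\tZBPC_IRP0001\n"
    ),
    "UJE_PROFILE_AGR": (
        "APPSET_ID\tPROFILE_ID\tPROFILE_AGR\n"
        "ADRM\tADMIN_TASKS\tZBPC_IRP0002\n"
    ),
}


def equivalent_role(role, namespace=NAMESPACE):
    """Name of the namespace copy: only the leading 'Z' is replaced by '<namespace>_'."""
    if not role.startswith(GENERATED_PREFIX):
        raise ValueError(f"not a BPC-generated role: {role!r}")
    return f"{namespace}_{role[1:]}"


def plan_composites(exports, appset_id, namespace=NAMESPACE):
    """Group roles by TEAM_ID/PROFILE_ID and return the DEV and PRD composite contents."""
    originals = defaultdict(set)
    for table, text in exports.items():
        id_column, role_columns = ROLE_COLUMNS[table]
        for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
            if row["APPSET_ID"].strip() != appset_id:
                continue  # rows of another BPC environment
            for column in role_columns:
                role = (row.get(column) or "").strip()
                if role:  # e.g. a team without a leader role has an empty cell
                    originals[row[id_column].strip()].add(role)
    plan = {}
    for group_id, roles in sorted(originals.items()):
        plan[group_id] = {
            # DEV composites contain the original generated roles.
            "DEV": {"name": f"{namespace}_{appset_id}_DEV_{group_id}",
                    "roles": sorted(roles)},
            # PRD composites contain the namespace copies of the same roles.
            "PRD": {"name": f"{namespace}_{appset_id}_PRD_{group_id}",
                    "roles": sorted(equivalent_role(r, namespace) for r in roles)},
        }
    return plan


if __name__ == "__main__":
    for group_id, stages in plan_composites(SAMPLE_EXPORTS, "ADRM").items():
        for stage, composite in stages.items():
            print(group_id, stage, composite["name"], composite["roles"])
```

A role name that does not start with ZBPC_ raises an error instead of being silently renamed, which surfaces manually edited table entries before a composite role is built from them.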

Creating the Actual Composite Roles

1. Go to transaction PFCG

2. For each of the composite roles that have been identified in the analysis section above, enter the name of the composite role to create in the Role field, and click the Comp. Role button. The example below is based upon creating the production version of the planning role for Germany for the appset_ID ADRM.

Note: The suggested naming convention for composite BPC roles is as follows:

<<Company Namespace>>_<<XXXX>>_<<DEV or PRD>>_<<Region or User Type>>

a. <<Company Namespace>> represents the company’s namespace for roles

b. XXXX represents the 4-character BPC environment (formerly appset)

c. DEV is used to represent the development version of the role (which should ONLY be assigned in development)

d. PRD is used to identify the production version (i.e. non-development version) of the role, which should ONLY be assigned in non-development systems (e.g. BWV, BWP).

e. Region or User Type is used to identify the specific region (e.g. GLOBAL, APJ, NA, etc.) or type of user (e.g. Admin, PowerUser, etc.)

3. Enter a short role description and a longer text description in the Description and Long Text fields, respectively.


4. Click the Save button, but do not exit the role.

5. Click on the Roles tab.

Note: If the Roles tab is clicked before saving the role, then a prompt will appear to save the role first before being able to continue to the Roles tab.

6. Enter the technical names of the roles that should be included in the composite role, and click the Save button.

7. Click the green Back arrow button.

8. Repeat steps 2 – 7 for each additional composite role that needs to be created.


Transporting BPC Authorizations

BPC 10, version for SAP NetWeaver has its own transport object type, which is accessible via RSA1 Transport Connection. Unlike typical BW transports that transport authorizations as-is from the source system to the target system, the BPC transport mechanism for authorizations in BPC 10, version for SAP NetWeaver SP4 and earlier:

1. Deletes the roles in the target system

2. Deletes the entries for the BPC environment from the UJE_* security tables

3. Re-creates the BPC roles directly in the target systems and re-populates the UJE_* security tables with the names of the roles that were newly created in the target systems

As such, THERE IS NO GUARANTEE THAT THE TECHNICAL NAMES OF THE ROLES WILL BE THE SAME in the target system(s) with BPC 10, version SAP NetWeaver SP4 and earlier! Thus the technical names of the roles could vary from one system to the next in the same landscape and the contents of the UJE_* security tables would be different! That would cause an issue when trying to use CUP to assign authorizations to users.

The following sections describe how the transport of the roles must be done as well as the follow-up activities to perform so that everything works properly. In general the steps are as follows:

1. Transport the BPC generated roles via the BPC transport mechanism

2. Transport the single roles that were copied to the company namespace as well as the composite roles.

3. For BPC 10, version SAP NetWeaver SP4 and earlier, perform the follow-up activities in the section “Keeping the BPC Technical Role Names Consistent” in order to keep the technical names of the roles consistent in the UJE_* security tables across the landscape.

4. For all BPC 10, version SAP NetWeaver instances, perform the follow-up activities in section “Replacing the Technical Role Names in the UJE_* Security Tables with the Desired Namespace” in order to replace the default namespace with the company-specific namespace.
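Whether a transport left the technical role names different between systems can be checked by comparing the UJE_* exports of the source and target systems. The following Python is an added example, not part of the original paper. It assumes the exported rows have already been read into dictionaries keyed by the field names used in this paper, and all role names in it are constructed.

```python
# Id column and role columns per table (field names from the paper's text and ABAP code).
TABLES = {
    "UJE_TEAM_AGR": ("TEAM_ID", ("TEAM_AGR", "TEAM_LEADER_AGR")),
    "UJE_TEAM_MULTAGR": ("TEAM_ID", ("CHILD_AGR",)),
    "UJE_PROFILE_AGR": ("PROFILE_ID", ("PROFILE_AGR",)),
}

# Constructed rows standing in for the exports of the source (development) system.
SOURCE = {
    "UJE_TEAM_AGR": [
        {"APPSET_ID": "ADRM", "TEAM_ID": "PLAN_DE",
         "TEAM_AGR": "ZBPC_IRT0001", "TEAM_LEADER_AGR": "ZBPC_IRL0001"},
    ],
    "UJE_TEAM_MULTAGR": [
        {"APPSET_ID": "ADRM", "TEAM_ID": "PLAN_DE", "CHILD_AGR": "ZBPC_IRP0001"},
        {"APPSET_ID": "ADRM", "TEAM_ID": "PLAN_DE", "CHILD_AGR": "ZBPC_IRM0001"},
    ],
    "UJE_PROFILE_AGR": [
        {"APPSET_ID": "ADRM", "PROFILE_ID": "ADMIN_TASKS", "PROFILE_AGR": "ZBPC_IRP0002"},
    ],
}

# Constructed rows for a target system after a transport that re-created the roles:
# the team role received a different name and one profile entry is absent.
TARGET = {
    "UJE_TEAM_AGR": [
        {"APPSET_ID": "ADRM", "TEAM_ID": "PLAN_DE",
         "TEAM_AGR": "ZBPC_IRT0003", "TEAM_LEADER_AGR": "ZBPC_IRL0001"},
    ],
    "UJE_TEAM_MULTAGR": [
        {"APPSET_ID": "ADRM", "TEAM_ID": "PLAN_DE", "CHILD_AGR": "ZBPC_IRP0001"},
        {"APPSET_ID": "ADRM", "TEAM_ID": "PLAN_DE", "CHILD_AGR": "ZBPC_IRM0001"},
    ],
    "UJE_PROFILE_AGR": [],
}


def role_index(rows_by_table, appset_id):
    """Map (table, id, column) to the set of role names for one BPC environment."""
    index = {}
    for table, rows in rows_by_table.items():
        id_column, role_columns = TABLES[table]
        for row in rows:
            if row["APPSET_ID"] != appset_id:
                continue
            for column in role_columns:
                if row.get(column):
                    key = (table, row[id_column], column)
                    index.setdefault(key, set()).add(row[column])
    return index


def find_drift(source, target, appset_id):
    """Return one finding per table entry whose role names differ between the systems."""
    src, tgt = role_index(source, appset_id), role_index(target, appset_id)
    findings = []
    for key in sorted(src.keys() | tgt.keys()):
        s, t = src.get(key, set()), tgt.get(key, set())
        if s == t:
            continue
        kind = "missing_in_target" if not t else "only_in_target" if not s else "renamed"
        findings.append({"kind": kind, "table": key[0], "id": key[1], "column": key[2],
                         "source": sorted(s), "target": sorted(t)})
    return findings


def roles_unknown_to_bpc(composite_members, rows_by_table, appset_id):
    """Single roles of a composite role that the system's UJE_* tables do not list."""
    known = set().union(*role_index(rows_by_table, appset_id).values())
    return sorted(set(composite_members) - known)


if __name__ == "__main__":
    for finding in find_drift(SOURCE, TARGET, "ADRM"):
        print(finding)
    print(roles_unknown_to_bpc(["ZBPC_IRT0001", "ZBPC_IRL0001"], TARGET, "ADRM"))
```

An empty result from `find_drift` means the technical role names in the compared tables match; any role returned by `roles_unknown_to_bpc` would be assigned through CUP without being listed in that system's UJE_* security tables.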

BPC Transport Connection Object

To transport the BPC generated roles (i.e. ZBPC_*),

1. Go to transaction “RSA1”, click Transport Connection, and then click Object Types

2. In the far right section of the screen, click the Grouping button and select Only Necessary Objects.

3. In the far right section of the screen, click the Collection Mode button and select Collect Automatically.


4. In the list that appears in the middle of the screen, expand the More Types and the Environment nodes, and then double-click Select Objects

5. In the Data Warehousing Workbench: Transport Connection pop-up screen, select the BPC Environment (e.g. “ADRM” in the example screenshot) and then click the Transfer Selections button

6. In the far right section of the screen, right-click on the name of the BPC environment, and select Do Not Transport Any Below.

7. Expand the node for the BPC environment and Data Access Profiles, and then select the specific Data Access Profiles to include in the transport


8. Expand the Team node and select the specific Team Profiles that should be transported


9. Expand the Task Profile node and select the specific Task Profile that should be transported

10. Click the Transport button and follow the prompts to create a new transport in which the selected objects will be saved

11. Go to transaction SE01 (or SE09 or SE10) and release the task and transport

Transporting the Manually Created Roles

AFTER transporting the generated BPC roles via the BPC transport mechanism as described in the previous section, transport the manually created roles as follows:

1. Go to transaction PFCG

2. From the Utilities menu, select Mass transports

3. On the subsequent screen, enter the pattern for the composite BPC roles and make sure that the two checkboxes are selected. In the screenshot for the example, the pattern is “00BO_BWP_BPC_ADRM*”

4. Follow the subsequent screens as already described in section “Transporting the Newly Copied Standard Roles”.

Note: By selecting the checkbox Also Transport Single Roles for Composite Roles, the individual roles that were included in the composite roles will also be added to the same transport request.

5. Go to transaction SE01 (or SE09 or SE10) to release the transport task and transport.

Keeping the BPC Technical Role Names Consistent

For BPC 10 version SAP NetWeaver, SP4 or earlier:

This section provides a work-around for BPC 10 version for SAP NetWeaver SP4 instances to make sure that the contents of the UJE_* security tables remain the same across the entire BW landscape. The work-around involves the creation of two ABAP programs: (1) one to export the content of the UJE_* security tables for a specified AppSet from the source BW system; and (2) one to import the exported files into the target system to overwrite the contents of the UJE_* security tables for that same AppSet.

The code for the ZBPC_EXPORT and ZBPC_IMPORT ABAP programs is in the sections “ZBPC_EXPORT ABAP Program” and “ZBPC_IMPORT ABAP Program”, respectively.

Detailed Steps to Perform within the source BW system where the development work was done…

1. Go to transaction SE38

2. Execute the program ZBPC_EXPORT

3. Specify the AppSet ID

4. Specify the path where the exported files should be saved

Detailed Steps to Perform within the target BW system(s)…

1. Go to transaction SE38

2. Execute the program ZBPC_IMPORT

3. Specify the AppSet ID

4. Specify the path from which the files that were exported in the previous section can be imported

For BPC 10 version for SAP NetWeaver, SP5:

The workaround described in Section “For BPC 10 version SAP NetWeaver, SP4 or earlier:” is not required as BPC 10 version SAP NetWeaver SP5 already addressed the issue of making sure that the contents of the UJE_* security tables are consistent between the source BW system and the target BW systems.

Replacing the Technical Role Names in the UJE_* Security Tables with the Desired Namespace

In order to use the newly created roles in the desired namespace, those technical role names must be included in the UJE_* security tables as the BPC product is only aware of the roles listed in the UJE_* security tables. The work-around involves the creation of an ABAP program that should be executed in the target system ONLY. The program should NEVER be run in the BW source system as it could lead to problems in the product in the development system!

The custom code for the program is listed in the section “ZBPC_CUP ABAP Program”.


Detailed Steps to Perform within the target BW system(s)…

1. Go to transaction SE38

2. Enter the program name ZBPC_CUP

3. Enter the AppSet ID

Adding the Composite Roles into CUP

The composite roles that were created in Section “Creating the Actual Composite Roles” should be added to CUP so that they can be requested and assigned in the BW system (once the approval workflow has been approved).

ABAP Programs

This section provides the code to the ABAP programs that were used in this solution.

ZBPC_EXPORT ABAP Program

*&---------------------------------------------------------------------*

*& Report ZBPC_EXPORT

*&

*&---------------------------------------------------------------------*

*&

*&

*&---------------------------------------------------------------------*

REPORT ZBPC_EXPORT.

PARAMETERS: p_env type uj_appset_id,

p_tgt type String default 'c:\agr_test\'.

data: lt_profileagr type STANDARD TABLE OF uje_profile_agr,

lt_teamagr type STANDARD TABLE OF uje_team_agr,

lt_multagr type STANDARD TABLE OF uje_team_multagr,

lt_useragr type STANDARD TABLE OF uje_user_agr,

lt_specagr type STANDARD TABLE OF uje_user_specagr,

lt_appset_id type uj0_t_string,

lc_localfile_profileagr type String,

lc_localfile_teamagr type String,

lc_localfile_multagr type String,

lc_localfile_useragr type String,

lc_localfile_specagr type String.

CONCATENATE p_tgt 'profile_agr' INTO lc_localfile_profileagr.

CONCATENATE p_tgt 'team_agr' INTO lc_localfile_teamagr.

CONCATENATE p_tgt 'mul_agr' INTO lc_localfile_multagr.

CONCATENATE p_tgt 'user_agr' INTO lc_localfile_useragr.

CONCATENATE p_tgt 'spec_agr' INTO lc_localfile_specagr.

select DISTINCT appset_id into table lt_appset_id from uja_appset_info where appset_id = p_env.

if lines( lt_appset_id ) ne 1 .

write: / 'invalid environment id.'.

exit.

endif.


Select *

from uje_profile_agr

into table lt_profileagr

WHERE APPSET_ID = p_env.

CALL FUNCTION 'GUI_DOWNLOAD'

EXPORTING

filename = lc_localfile_profileagr

filetype = 'DAT'

TABLES

data_tab = lt_profileagr.

Select *

from uje_team_agr

into table lt_teamagr

WHERE APPSET_ID = p_env.

CALL FUNCTION 'GUI_DOWNLOAD'

EXPORTING

filename = lc_localfile_teamagr

filetype = 'DAT'

TABLES

data_tab = lt_teamagr.

Select *

from uje_team_multagr

into table lt_multagr

WHERE APPSET_ID = p_env.

CALL FUNCTION 'GUI_DOWNLOAD'

EXPORTING

filename = lc_localfile_multagr

filetype = 'DAT'

TABLES

data_tab = lt_multagr.

Select *

from uje_user_agr

into table lt_useragr

WHERE APPSET_ID = p_env.

CALL FUNCTION 'GUI_DOWNLOAD'

EXPORTING

filename = lc_localfile_useragr

filetype = 'DAT'

TABLES

data_tab = lt_useragr.

write: / 'Agr information of ', p_env , 'has been exported to', p_tgt, '.'.

ZBPC_IMPORT ABAP Program

*&---------------------------------------------------------------------*

*& Report ZBPC_IMPORT


*&

*&---------------------------------------------------------------------*

*&

*&

*&---------------------------------------------------------------------*

REPORT ZBPC_IMPORT.

PARAMETERS: p_env type uj_appset_id,

p_tgt type String default 'c:\agr_test\'.

data: lt_profileagr type STANDARD TABLE OF uje_profile_agr,

lt_teamagr type STANDARD TABLE OF uje_team_agr,

lt_multagr type STANDARD TABLE OF uje_team_multagr,

lt_useragr type STANDARD TABLE OF uje_user_agr,

lt_specagr type STANDARD TABLE OF uje_user_specagr,

lt_appset_id type uj0_t_string,

* ls_profileagr type uje_profile_agr,

* ls_teamagr type uje_team_agr,

* ls_multagr type uje_team_multagr,

* ls_useragr type uje_user_agr,

* ls_specagr type uje_user_specagr,

lc_localfile_profileagr type String,

lc_localfile_teamagr type String,

lc_localfile_multagr type String,

lc_localfile_useragr type String,

lc_localfile_specagr type String.

select DISTINCT appset_id into table lt_appset_id from uja_appset_info where appset_id = p_env.

if lines( lt_appset_id ) ne 1 .

write: / 'invalid environment id.'.

exit.

endif.

CONCATENATE p_tgt 'profile_agr' INTO lc_localfile_profileagr.

CONCATENATE p_tgt 'team_agr' INTO lc_localfile_teamagr.

CONCATENATE p_tgt 'mul_agr' INTO lc_localfile_multagr.

CONCATENATE p_tgt 'user_agr' INTO lc_localfile_useragr.

CONCATENATE p_tgt 'spec_agr' INTO lc_localfile_specagr.

CALL METHOD CL_GUI_FRONTEND_SERVICES=>GUI_UPLOAD

EXPORTING

FILENAME = lc_localfile_profileagr

FILETYPE = 'DAT'

CHANGING

DATA_TAB = lt_profileagr.

Delete from uje_profile_agr where APPSET_id = p_env.

insert uje_profile_agr FROM table lt_profileagr.

write: / 'UJE_PROFILE_AGR of environment: ', p_env, ' has been updated according to the source files.'.


CALL METHOD CL_GUI_FRONTEND_SERVICES=>GUI_UPLOAD

EXPORTING

FILENAME = lc_localfile_teamagr

FILETYPE = 'DAT'

CHANGING

DATA_TAB = lt_teamagr.

Delete from uje_team_agr where APPSET_id = p_env.

insert uje_team_agr FROM table lt_teamagr.

write: / 'UJE_TEAM_AGR of environment: ', p_env, ' has been updated according to the source files.'.

CALL METHOD CL_GUI_FRONTEND_SERVICES=>GUI_UPLOAD

EXPORTING

FILENAME = lc_localfile_multagr

FILETYPE = 'DAT'

CHANGING

DATA_TAB = lt_multagr.

Delete from uje_team_multagr where APPSET_id = p_env.

insert uje_team_multagr FROM table lt_multagr.

write: / 'UJE_TEAM_MULTAGR of environment: ', p_env, ' has been updated according to the source files.'.

CALL METHOD CL_GUI_FRONTEND_SERVICES=>GUI_UPLOAD

EXPORTING

FILENAME = lc_localfile_useragr

FILETYPE = 'DAT'

CHANGING

DATA_TAB = lt_useragr.

Delete from uje_user_agr where APPSET_id = p_env.

insert uje_user_agr FROM table lt_useragr.

write: / 'UJE_USER_AGR of environment: ', p_env, ' has been updated according to the source files.'.

ZBPC_CUP ABAP Program

*&---------------------------------------------------------------------*

*& Report ZBPC_CUP

*&

*&---------------------------------------------------------------------*

*&

*&

*&---------------------------------------------------------------------*

report zbpc_cup.

data: l_bpc_namespace type string value 'ZBPC_',

l_cup_namespace type string value '00BO_BWP_BPC_',

l_bpc_namespace_pattern type string,

l_cup_namespace_pattern type string,

l_bpc_namespace_len type i,


l_cup_namespace_len type i,

lt_user_agr type table of uje_user_agr,

lt_user_specagr type table of uje_user_specagr,

lt_profile_agr type table of uje_profile_agr,

lt_team_agr type table of uje_team_agr,

lt_team_multagr type table of uje_team_multagr.

l_bpc_namespace_len = strlen( l_bpc_namespace ).

l_cup_namespace_len = strlen( l_cup_namespace ).

concatenate l_bpc_namespace '%' into l_bpc_namespace_pattern.

concatenate l_cup_namespace '%' into l_cup_namespace_pattern.

select * into table lt_user_agr from uje_user_agr

where user_agr like l_bpc_namespace_pattern.

select * into table lt_user_specagr from uje_user_specagr

where agr_name like l_bpc_namespace_pattern.

select * into table lt_profile_agr from uje_profile_agr

where profile_agr like l_bpc_namespace_pattern.

select * into table lt_team_agr from uje_team_agr

where team_agr like l_bpc_namespace_pattern.

select * into table lt_team_multagr from uje_team_multagr

where child_agr like l_bpc_namespace_pattern.

"validate first

data: lt_messages type table of string,

l_cup_agr type agr_name,

l_message type string,

ls_user_agr type uje_user_agr,

ls_user_specagr type uje_user_specagr,

ls_profile_agr type uje_profile_agr,

ls_team_agr type uje_team_agr,

ls_team_multagr type uje_team_multagr.

field-symbols: <user_agr> type uje_user_agr,

<user_specagr> type uje_user_specagr,

<profile_agr> type uje_profile_agr,

<team_agr> type uje_team_agr,

<team_multagr> type uje_team_multagr.

write: / 'Validating UJE_USER_AGR'.

loop at lt_user_agr assigning <user_agr>.

concatenate l_cup_namespace <user_agr>-user_agr+l_bpc_namespace_len into l_cup_agr.

select single * into ls_user_agr from uje_user_agr

where user_agr = l_cup_agr.

if sy-subrc is initial.

concatenate 'Conflict detected: Role "' l_cup_agr '" is already occupied for environment "'

ls_user_agr-appset_id '".' into l_message respecting blanks.

append l_message to lt_messages.

endif.

endloop.

write: / 'Validating UJE_PROFILE_AGR'.


loop at lt_profile_agr assigning <profile_agr>.

concatenate l_cup_namespace <profile_agr>-profile_agr+l_bpc_namespace_len into

l_cup_agr.

select single * into ls_profile_agr from uje_profile_agr

where profile_agr = l_cup_agr.

if sy-subrc is initial.

concatenate 'Conflict detected: Role "' l_cup_agr '" is already occupied by profile: "'

ls_profile_agr-profile_id '" for environment "' ls_profile_agr-appset_id

'".' into l_message respecting blanks.

append l_message to lt_messages.

endif.

endloop.

write: / 'Validating UJE_TEAM_AGR'.

loop at lt_team_agr assigning <team_agr>.

concatenate l_cup_namespace <team_agr>-team_agr+l_bpc_namespace_len into l_cup_agr.

select single * into ls_team_agr from uje_team_agr

where team_agr = l_cup_agr.

if sy-subrc is initial.

concatenate 'Conflict detected: Role "' l_cup_agr '" is already occupied by team: "'

ls_team_agr-team_id '" for environment "' ls_team_agr-appset_id '".' into

l_message respecting blanks.

append l_message to lt_messages.

endif.

endloop.

"modify
data: lt_modification_result type table of string.

" Change the tables only if validation collected no conflict messages
if lt_messages is initial.
  write: / 'Started modification process.'.

  if lt_user_agr is not initial.
    write: / 'Started processing UJE_USER_AGR'.
    loop at lt_user_agr assigning <user_agr>.
      concatenate ' Converting "' <user_agr>-user_agr '" to '
        into l_message respecting blanks.
      concatenate l_cup_namespace <user_agr>-user_agr+l_bpc_namespace_len
        into <user_agr>-user_agr.
      concatenate l_message '"' <user_agr>-user_agr '"'
        into l_message respecting blanks.
      append l_message to lt_messages.
    endloop.
    " Print the conversion log, then write the renamed roles to the table
    loop at lt_messages into l_message.
      write: / sy-tabix, l_message.
    endloop.
    clear lt_messages.
    modify uje_user_agr from table lt_user_agr.
  endif.

  if lt_profile_agr is not initial.
    write: / 'Started processing UJE_PROFILE_AGR'.
    loop at lt_profile_agr assigning <profile_agr>.

      concatenate ' Converting "' <profile_agr>-profile_agr '" to '
        into l_message respecting blanks.
      concatenate l_cup_namespace <profile_agr>-profile_agr+l_bpc_namespace_len
        into <profile_agr>-profile_agr.
      concatenate l_message '"' <profile_agr>-profile_agr '"'
        into l_message respecting blanks.
      append l_message to lt_messages.
    endloop.
    loop at lt_messages into l_message.
      write: / sy-tabix, l_message.
    endloop.
    clear lt_messages.
    modify uje_profile_agr from table lt_profile_agr.
  endif.

  if lt_team_agr is not initial.
    write: / 'Started processing UJE_TEAM_AGR'.
    loop at lt_team_agr assigning <team_agr>.
      " Each team row carries two roles: the team role and the team leader role
      concatenate ' Converting "' <team_agr>-team_agr '" to '
        into l_message respecting blanks.
      concatenate l_cup_namespace <team_agr>-team_agr+l_bpc_namespace_len
        into <team_agr>-team_agr.
      concatenate l_message '"' <team_agr>-team_agr '"'
        into l_message respecting blanks.
      append l_message to lt_messages.
      concatenate ' Converting "' <team_agr>-team_leader_agr '" to '
        into l_message respecting blanks.
      concatenate l_cup_namespace <team_agr>-team_leader_agr+l_bpc_namespace_len
        into <team_agr>-team_leader_agr.
      concatenate l_message '"' <team_agr>-team_leader_agr '"'
        into l_message respecting blanks.
      append l_message to lt_messages.
    endloop.
    loop at lt_messages into l_message.
      write: / sy-tabix, l_message.
    endloop.
    clear lt_messages.
    modify uje_team_agr from table lt_team_agr.
  endif.

  if lt_team_multagr is not initial.
    write: / 'Started processing UJE_TEAM_MULTAGR'.
    " Delete the rows under the old role names; they are re-inserted after renaming
    delete uje_team_multagr from table lt_team_multagr.
    loop at lt_team_multagr assigning <team_multagr>.
      concatenate ' Converting "' <team_multagr>-child_agr '" to '
        into l_message respecting blanks.
      concatenate l_cup_namespace <team_multagr>-child_agr+l_bpc_namespace_len
        into <team_multagr>-child_agr.
      concatenate l_message '"' <team_multagr>-child_agr '"'
        into l_message respecting blanks.
      append l_message to lt_messages.
    endloop.

    loop at lt_messages into l_message.
      write: / sy-tabix, l_message.
    endloop.
    clear lt_messages.
    insert uje_team_multagr from table lt_team_multagr.
  endif.

  if lt_user_specagr is not initial.
    write: / 'Started processing UJE_USER_SPECAGR'.
    " Delete the rows under the old role names; they are re-inserted after renaming
    delete uje_user_specagr from table lt_user_specagr.
    loop at lt_user_specagr assigning <user_specagr>.
      concatenate ' Converting "' <user_specagr>-agr_name '" to '
        into l_message respecting blanks.
      concatenate l_cup_namespace <user_specagr>-agr_name+l_bpc_namespace_len
        into <user_specagr>-agr_name.
      concatenate l_message '"' <user_specagr>-agr_name '"'
        into l_message respecting blanks.
      append l_message to lt_messages.
    endloop.
    loop at lt_messages into l_message.
      write: / sy-tabix, l_message.
    endloop.
    clear lt_messages.
    insert uje_user_specagr from table lt_user_specagr.
  endif.

  write: / 'Modification process is completed.'.
else.
  " Validation found conflicts: list them and leave all tables unchanged
  write: / 'Modification is not processed due to the following error(s):'.
  loop at lt_messages into l_message.
    write: / l_message.
  endloop.
endif.

Related Content

BPC Blogs

BPC NW SCN Forum

For more information, visit the Enterprise Performance Management homepage

Copyright

© Copyright 2012 SAP AG. All rights reserved.
