SAP Business Planning and Consolidation is part of SAP Net Weaver and has a different authorization concept from SAP R/3 or ECC. It has both frontend and backend views and uses User Teams, Task Profiles & Data Access Profiles instead of User Groups,Transactions & Roles.
When every kind of User Administration is done in the front end BPC (User Addition, Task Profile & Data Access Profile creation), we cannot create a new user to the BPC frontend system, but add a user who is present in the ECC backend system. That means, the user should be created first in the backend and then only he/she be available to add in the frontend system.
Also, for the user to access BPC frontend from Web Login, two mandatory roles should be assigned to the user’s account in the backend! (Given in below table).
In the above two contexts, when a user account should be created and assigned with two mandatory roles, we can avoid the use of frontend system for giving access to a user (at least for the first time, as we already need to edit the user from SU01), by adding all the necessary roles in one go! How it is done?
Usually, when we create an Environment, User Team, Data Access Profile and Task Profile from BPC frontend, a role is created in the backend system automatically. For administrating user from the backend, what we have to do is identify these automatically created roles. For this, we have some tables which maintain these data.
From SE16, access the following tables to get the data:
- Environment: To find out the role related to each Environment, go to table UJE_USER_AGR. Here, you can see the environment name under APPSET_ID and the corresponding role under USER_AGR. The role will be starting with ZBPC_##UXXXXXX. U denotes environment.
- User Team: To find out the role related to each User Team, go to table UJE_TEAM_AGR. Here, you can see all the teams created in all the environments available in the system (you can filter the environment from the first page if required), and the role corresponding to each teams and team leaders. The role will be similar to the above, ie ZBPC_##TXXXXXX for team and ZBPC_##LXXXXXX for team leader. T denotes User Team and L denotes Team leader.
- Task Profile & Data Access Profile: To find out the role related to each Task Profile and Data Access Profile, go to table UJE_PROFILE_AGR. Here, you can see the Profile Name under PROFILE_ID, PROFILE_CLASS contains the type of profile (MBR for Data Access Profile & TSK for Task Profile), and the corresponding role name under PROFILE_AGR. The role will be like ZBPC_##MXXXXXX for Data Access Profile and ZBPC_##PXXXXXX. Here M denotes Data Access Profile (referred to as Member Access Profile in earlier versions) and P denotes Task Profile.
Now, let us look into the role naming convention here:
These roles can be found out from the above tables and added to the users so that the frontend administration can be avoided. So in the end a user who wants to login through web, who is assigned with a Data Access Profile and Task Profile and a User Team in an environment will (should) have the following roles assigned to his profile.
| ZBPC_ | Common for all roles. |
| ## | It is the APPSET (Environment) Prefix, which is specific to each environment. This can be found out from the table UJA_APPSET_INFO. |
| U/T/L/M/P | Denotes Environment, Team, Team Leader, Data Access Profile and Task Profile respectively. |
| XXXXXX | This is the number. (This number will be in sequence for Environment, Team, etc.) |
These roles can be found out from the above tables and added to the users so that the frontend administration can be avoided. So in the end a user who wants to login through web, who is assigned with a Data Access Profile and Task Profile and a User Team in an environment will (should) have the following roles assigned to his profile.
| /POA/BUI_FLEX_CLIENT | Role for Web login |
| /POA/BUI_UM_USER | Role for Web login |
| ZBPC_CMU000002 | Environment Role |
| ZBPC_CMT000027 | User Team Role |
| ZBPC_CMP000009 | Task Profile Role |
| ZBPC_CMM000014 | Data Access Profile Role |
Note: If we have added a Task Profile & a Data Access Profile o a User Team from frontend, and added only the User Team role in the backend for a user, the user will not have access to the Task Profile and Data Access Profile. These two roles should be added explicitly!
