SAP User Authorizations

Using SAP user roles and authorizations, you can protect Sana in SAP from unauthorized access.

The SAP administrator can assign the necessary roles and authorizations to SAP users. These determine which actions users can execute in the SAP system after they have logged on, depending on their responsibilities.

You can add Sana authorizations to an existing user role or you can create a separate Sana role with the Sana authorizations. We recommend creating a separate role. This will help you to manage Sana authorizations separately.

You can give access to the entire Sana add-on in SAP ECC or to different features. For example, you can give access to Sana in SAP ECC only to your employees who will work with Sana and the data required for the Sana webstore. For everyone else who does not work with Sana Commerce Cloud, you can deny access so that they do not break anything.

If necessary, you can also give access to different Sana Commerce Cloud features. For example, one user who is responsible for creating a Sana webstore in SAP and its initial setup can be granted access to the Sana Startup Wizard, Webstore Configuration, Webstore Integrity Check and Webstore Optimization. Another user who is responsible for managing the catalog in SAP for the Sana webstore can have access to Webstore Filter, Customer Assortment and Webstore Catalog Overview. You can give your sales manager access to the Webstore Orders Overview, Sales Statistics and Invoice Payments. If you have a technical SAP specialist who is responsible for your webstore maintenance in SAP, you can give this user access to Manual Process Requests and Data Validation Rules.

You can set up user roles and authorizations in SAP the way you need depending on your employees and their responsibilities. Different users can also have access to different Sana webstores.

Create Authorization Class and Object

First, you must create an authorization class and object for Sana.

Step 1: Call the transaction code SU21 (Maintain the Authorization Objects).

Step 2: Create an object class and authorization object. Below you can see the ZAUO object class and ZAUTHSANA authorization object that we created as an example.

Step 3: Add the necessary authorization fields to the authorization object. The fields WEBSTORE and ACTVT are unique. Therefore, you must add these fields to the authorization object.

Step 4: Click Permitted Activities to select the necessary activities for the authorization object. You must select the activities shown in the screenshot below.

| Activity | Description |
| --- | --- |
| Create or generate | A user can enter any record, for example create a webstore. |
| Change | A user can change any existing record. |
| Display | A user can view any record. |
| Delete | A user can delete any record. |
| Transport | A user can generate a transport request for the Sana specific changes. |
| Copy | A user can create a new record by copying an existing record. |
| Download | A user can download reports and templates. |
| Upload | A user can create records by uploading data. |

Assign Sana Objects to Authorization Object

You must assign the Sana table /SANAECOM/AUTHDT with the Sana objects to the authorization object that you created.

Step 1: Call the transaction code SM30.

Step 2: In the Table/View field, enter /SANAECOM/AUTHDT and click Maintain.

Step 3: Assign the authorization object that you created to all Sana objects. In our example, the authorization object is ZAUTHSANA.

Set Up User Role

You can create a new role to assign Sana authorizations to the necessary users or you can add the authorization object to an existing user role. We recommend creating a new user role for Sana, as this will help you to manage Sana authorizations separately from other SAP roles and authorizations.

Step 1: Call the transaction code SU01 (User Maintenance) and open the details of the necessary user.

Step 2: On the Roles tab, you must add the necessary role with the Sana authorization object. In the screenshot below, you can see the ZAUTH role that we created as an example.

If you open the role with the Sana authorization object, on the Authorization tab, you can check the Authorization Data.

There you can change permitted activities for your Sana webstore. For example, if you have several webstores, you can allow a user to access one webstore, but deny access to all other webstores. You can also allow the user to change the settings of one webstore and only view settings of other webstores, for example.

There is also one limitation on the Sana Admin side related to the SAP user authorization. For example, if you have two Sana webstores configured in SAP and the SAP user has access to one webstore but not the other, and this SAP user is also used for the connection between Sana and SAP, you will not be able to index products and customers for the Sana webstore to which this SAP user does not have rights. In this case, the indexing of products and customers will fail with an error stating that the user is not authorized to access product or customer data.
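
The per-webstore access rules and the indexing limitation described above can be checked before they cause a failed index run. The following is an added example, not Sana or SAP code: it models how authorization data for an object with the fields WEBSTORE and ACTVT is evaluated (a check passes only if one single authorization covers both field values, and "*" means all values) and lists the webstores the connection user cannot index. The webstore IDs, the role contents and the assumption that indexing needs the Display activity are constructed for illustration.

```python
# Added example: a model of how authorization data for an object such as
# ZAUTHSANA (fields WEBSTORE and ACTVT) is evaluated. All data is constructed.

WILDCARD = "*"  # in SAP authorization values, "*" stands for all values


def field_matches(allowed_values, value):
    """A field matches if the authorization lists the value or the wildcard."""
    return WILDCARD in allowed_values or value in allowed_values


def is_authorized(authorizations, webstore, activity):
    """Pass only if ONE authorization covers both WEBSTORE and ACTVT.

    Values from different authorizations are never combined, so Change on
    one webstore plus Display on another does not give Change on both.
    """
    return any(
        field_matches(auth["WEBSTORE"], webstore)
        and field_matches(auth["ACTVT"], activity)
        for auth in authorizations
    )


def unindexable_webstores(authorizations, webstores, required_activity="Display"):
    """Webstores for which indexing through this user would be rejected.

    Assumption: indexing needs the Display activity; adjust if it differs.
    """
    return [
        store for store in webstores
        if not is_authorized(authorizations, store, required_activity)
    ]


# Constructed authorization data of the role assigned to the connection user:
# change and view STORE_A, only view STORE_B, no access to STORE_C.
CONNECTION_USER_ROLE = [
    {"WEBSTORE": {"STORE_A"}, "ACTVT": {"Change", "Display"}},
    {"WEBSTORE": {"STORE_B"}, "ACTVT": {"Display"}},
]
CONFIGURED_WEBSTORES = ["STORE_A", "STORE_B", "STORE_C"]

if __name__ == "__main__":
    missing = unindexable_webstores(CONNECTION_USER_ROLE, CONFIGURED_WEBSTORES)
    print("Indexing would fail for:", missing)
```

Running the same check against every configured webstore after each role change shows whether the user that connects Sana to SAP still covers all webstores that need indexing.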