How to assign sap business planning and consolidation authorizations via the sap governance, risk, and compliance (grc) access control compliance user provisioning pro

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com
© 2012 SAP AG 1
How to Assign SAP Business Planning &
Consolidation Authorizations via the SAP
GRC Access Control Compliance User
Provisioning Product
Applies to:
SAP Business Planning and Consolidation 10.0, version for SAP NetWeaver.
Summary
This paper describes how to keep the technical names of the roles for the SAP Business Planning and
Consolidation version for SAP NetWeaver consistent across the different systems in the SAP NetWeaver
Business Warehouse landscape so that they can subsequently be assigned via the SAP GRC Access
Control Compliance User Provisioning product. For simplification, the SAP Business Planning and
Consolidation product, the SAP GRC Access Control Compliance User Provisioning product, and the SAP
NetWeaver Business Warehouse product will be referred to in this paper as “BPC”, “CUP”, and “BW”,
respectively. Please download relevant files here.
Authors: Colleen Cunningham and Peter Bruns
Company: SAP Americas, Inc.
Created on: February 17, 2012
Author Bio
Colleen Cunningham is a Solution Architect in the Global Business Intelligence team within SAP IT. She is
also a member of the Identity Access Management BI Authorization Center of Excellence. She has
developed, implemented, and supported authorization concepts for BI solutions based upon SAP NetWeaver
BW as well as BusinessObjects Enterprise. Additionally, she has developed complete BI reporting solutions
from the backend BW data load processes (e.g. creation of BW InfoObjects, DSOs, InfoCubes,
Transformations, and Process Chains) to the frontend solutions using BEx Query Designer, Web Application
Designer, Xcelsius, and Webi.
Peter Bruns is a certified SAP NetWeaver BW consultant that has been working for SAP as an external
consultant for more than 7 years. His primary departments within SAP AG are the SAP Value Prototyping
team as a BI/BO & Planning expert and the SAP CSA team for Mobile Solutions. During his past
assignments in the RIG EMEA team, he was responsible for the technical aspects of BPC customer
implementations during the Ramp-Up process. Today, Peter is the Solution Architect of one of the first
productive BPC 10 version for SAP NetWeaver implementations at SAP, done on a BW HANA system.

© 2012 SAP AG 2
Table of Contents
Conventions........................................................................................................................................................3
Business Scenario ..............................................................................................................................................3
BPC Background Information .............................................................................................................................3
Prerequisites.......................................................................................................................................................5
Access to NetWeaver Transactions................................................................................................................5
BPC-Related Notes for BPC 10, version for SAP NetWeaver SP03..............................................................5
Overview of Step-by-Step Procedure .................................................................................................................5
Detailed Step-by-Step Procedure.......................................................................................................................6
Copying the Standard Roles to Desired Namespace & Assigning Them to BPC Service User.....................6
Copying the Standard Roles to Desired Namespace...................................................................................................6
Transporting the Newly Copied Standard Roles ..........................................................................................................8
Assigning the Newly Copied Roles to the BPC Service User.....................................................................................10
Creating the BPC Task Profiles, Data Access Profile, and Team Profiles via the BPC interface ................11
Creating the BPC Task Profile(s)...............................................................................................................................11
Creating the Data Access Profiles .............................................................................................................................12
Creating the Team Profiles ........................................................................................................................................13
Copying the BPC Generated Roles ..............................................................................................................18
Determining the AppSet Prefix for the BPC environment...........................................................................................18
Copying the Generated Roles for the Specific BPC Environment..............................................................................19
Creating BPC Composite Roles....................................................................................................................21
Download the Contents of the UJE_* Security Tables ...............................................................................................22
Analyzing the Downloaded Files to Determine the Composite Roles to Create.........................................................24
Creating the Actual Composite Roles ........................................................................................................................25
Transporting BPC Authorizations..................................................................................................................27
BPC Transport Connection Object.............................................................................................................................27
Transporting the Manually Created Roles..................................................................................................................30
Keeping the BPC Technical Role Names Consistent ...................................................................................31
For BPC 10 version SAP NetWeaver, SP4 or earlier:................................................................................................31
For BPC 10 version for SAP NetWeaver, SP5:..........................................................................................................31
Replacing the Technical Role Names in the UJE_* Security Tables with the Desired Namespace ............31
Adding the Composite Roles into CUP.........................................................................................................32
ABAP Programs................................................................................................................................................32
ZBPC_EXPORT ABAP Program ..................................................................................................................32
ZBPC_IMPORT ABAP Program ...................................................................................................................33
ZBPC_CUP ABAP Program..........................................................................................................................35
Related Content................................................................................................................................................40
Copyright...........................................................................................................................................................41

© 2012 SAP AG 3
Conventions
The following table summarizes the conventions used in this document:
Format Description
<<Text>> Placeholders, which should be replaced by the reader’s specific information
Italics Field names, button labels/names, dialog box titles, and referenced section
titles
“Text” Literal values
//This is a code
sample block
Sample Code
highlights Highlights are used in screenshots to identify which buttons should be clicked
and to emphasize information in the screenshots
Business Scenario
The IT Security team within company XYZ, Inc. has the requirement that standard delivered roles cannot be
assigned to any userID in the BW systems. Instead, IT Security insists that all authorizations that are
assigned must be in the company’s authorization namespace. Additionally, IT Security requires that all
authorizations must be requested and assigned via CUP. As the BPC product has its own standard
delivered roles and also generates its own roles in the product namespace, this document describes how to
overcome these facts in order to satisfy the IT Security requirements described above.
BPC Background Information
There are a few important concepts/conventions to keep in mind about BPC that will help you understand
BPC authorizations and the contents of this paper.
1. BPC uses a proxy user to generate SAP NetWeaver BPC roles and BPC objects in the SAP
NetWeaver environment in the ZBPC_* and /CPMB/* namespaces, respectively. As such, the proxy
user, also known as the BPC service user, must be assigned the equivalent of the standard
delivered roles required to perform the tasks in the SAP NetWeaver environment. The BPC service
userID is configurable (i.e. the technical name is determined during setup) and must be assigned the
same rights in all BW systems. In this paper, the BPC service userID is named ZBPC_SERVICE.
Note: The BPC product refers to the SAP NetWeaver roles as BPC profiles within the product. The generated
authorizations are actual SAP NetWeaver roles.
2. BPC also uses the ALEREMOTE userID to perform post-processing steps when transporting BPC
objects and BPC generated roles. As such, the standard delivered roles must also be assigned to
the ALEREMOTE userID in all BW systems.
Note: Some companies use a different ID from the ALEREMOTE ID. Whatever ID is used in the company for such tasks
will need to have the standard delivered roles assigned to it in all BW systems in the landscape.

© 2012 SAP AG 4
3. BPC requires explicit deny rights. Since SAP NetWeaver analysis authorizations do NOT allow for
explicit deny rights, this product requirement is achieved with the use of internal UJE_* security
tables and virtual analysis authorizations. The following are the most relevant security-related
tables:
BPC 10.0 Table Comment
UJA_APPSET_INFO Contains the Appset IDs, Prefix, InfoArea, and Description. The appset prefixes
will be used in the name of the generated roles (e.g. ZBPC_XX*).
UJE_MEMACCESS Contains the profile ID for each environment for which security has been setup. It
will show the name of the profile (as it is known within BPC) and the dimension for
which security has been enabled.
UJE_PROFILE_AGR Maintains the relationship between the appset and the task profile & data access
profile
UJE_TASK Contains the task IDs and descriptions
UJE_TEAM_AGR
Maintains the relationship between the team and the profile that belongs to the
team as well as the profile that belongs to the leader of the team.
UJE_TEAM_MULTAGR Maintains the relationship between the team and the profile that belongs to the
team
UJE_USER_AGR Maintains the relationship between the appset and the user role assignments
UJE_USER_SPECAGR This table is populated ONLY if the profile assignment is inherited by the team
assignment AND assigned directly to the user via the BPC front-end.
NOTE: This table should NOT be populated in production as the assignments will
be made via CUP!
4. The naming convention for standard and generated BPC roles are as follows:
a. Standard Delivered Roles
i. SAP_BPC_*  SAP BPC roles needed by the BPC service user ONLY
ii. /POA/BUI_*  roles required for the FLEX component to work for all BPC users
b. Generated BPC Roles
i. ZPBC_<<Appset_Prefix>><<Role_Type_Abbreviation>><<6-digit-number>>
ii. Appset_prefixes are defined in table UJA_APPSET_INFO and are unique across
ALL BPC appsets
iii. Role_Type_Abbreviation are as follows
1. User: U
2. Team: T
3. Team Leader: L
4. Task Profile: P
5. Data Access Profile: M
5. The naming convention for composite BPC roles that were created during the implementation was as
follows:
a. <<Company Namespace>>_<<XXXX>>_<<DEV or PRD>>_<<Region or User Type>>
b. <<Company Namespace>> represents the company’s namespace for roles
c. XXXX represents the 4-character BPC environment (formerly appset)
d. DEV is used to represent the development version of the role (which should ONLY be
assigned in development)
e. PRD is used to identify the production version (i.e. non-development version) of the role,
which should ONLY be assigned in non-development systems (e.g. BWV, BWP).
f. Region or User Type is used to identify the specific region (e.g. GLOBAL, APJ, NA, etc.) or
type of user (e.g. Admin, PowerUser, etc.)
Note:
BPC Composite roles in the development system contain the original single roles that were generated by the BPC
product! Composite roles in the non-development systems contain the appropriate copies of the generated BPC roles!

© 2012 SAP AG 5
Prerequisites
Access to NetWeaver Transactions
The administrator setting up the authorizations will require access to the following SAP NetWeaver
transactions:
Transaction Description
PFCG Role Maintenance
RSA1 Data Warehousing Workbench
SE01 (or SE09 or
SE10)
Transport Organizer Extended View (Transport Organizer)
SU01 User Maintenance
BPC-Related Notes for BPC 10, version for SAP NetWeaver SP03
The following Notes MUST be installed in the BW systems:
Note # Comment
Note # 1634986 This note allows the BPC product to recognize composite roles
Note # 1610249 This note allows the users to see the data that they just entered. This also requires that the
follow-up activities listed in the Note be performed. Specifically, after implementing Note #
1610249, then someone that is assigned the role ZBPC_APPSET_MANAGER (i.e. or its
equivalent role in the company-specific namespace) must run the program
Z_MIRGRATE_BI_AUTH in the system. The content of that program is attached to the Note. The
program will remove 0BI_ALL from the generated roles.
Overview of Step-by-Step Procedure
This How-to-Guide provides the procedure for creating BPC roles in your own namespace and keeping the
technical names of the roles consistent across multiple BW systems so that they can be assigned via CUP.
Overall, the steps are as follows:
1. Copying the standard delivered roles and assigning them to the BPC service user
2. Creating the BPC Task Profiles, Data Access Profile, and Team Profiles via the BPC interface
3. Copying the BPC Generated Roles
a. Create teams in BPC front-end
b. Copy ZBPC* generated roles into new namespace
4. Creating BPC Composite Roles
a. Review the contents of the relevant UJE_* security tables
b. Create composite roles with the appropriate roles that should be assigned together
5. Transporting BPC Authorizations
a. Use the BPC transport mechanism to transport the BPC roles
b. Transport the composite roles and single roles that were created in the desired namespace
to the target system
6. Keeping the BPC Technical Role Names Consistent Between the Source and Target Systems
7. Replacing the technical role names in the UJE_* security tables with the desired namespace
a. Implement the ZBPC_EXPORT ABAP and ZBPC_IMPORT ABAP code & transport it to all
of the BW systems
b. Execute the code in the target system ONLY
8. Adding the composite roles into CUP with the appropriate approval workflow
Detailed step-by-step instructions for how to do the above steps are in the subsequent sections.

© 2012 SAP AG 6
Detailed Step-by-Step Procedure
Copying the Standard Roles to Desired Namespace & Assigning Them to BPC Service User
Copying the Standard Roles to Desired Namespace
1. Log into BW via the SAP GUI
2. Go to transaction PFCG
3. Click on the Views button and then select Single Roles
4. Click on the Set Filter button to filter the list of Single Roles
a. On the pop-up screen that appears, enter the following pattern: SAP_BPC*
b. Click the green arrow to execute the search
5. From the list that is returned, click once on the role SAP_BPC_ADMIN
6. From the toolbar, click the icon to copy the role
7. In the pop-up screen that appears, replace the “SAP” prefix with the desired namespace and then
click the Copy all button
8. For the /POA/* roles, replace the 1
st
slash (i.e. “/”) with the desired namespace and the 2
nd
slash
with an underscore (i.e. “_”)

© 2012 SAP AG 7
9. Repeat steps 5 – 8 for each of the standard delivered roles in the following table that should be
copied to Company XYZ’s namespace:
Standard Roles
(Do NOT Assign)
New Roles
(Can Assign) Short Descriptions
SAP_BPC_ADMIN <<company namespace>>_BPC_ADMIN BPC Administrator
SAP_BPC_BICS_REPORTER
<<company
namespace>>_BPC_BICS_REPORTER
BPC role for user to allow
connection using BICS
SAP_BPC_BTCH_JOB
<<company
namespace>>_BPC_BTCH_JOB
Authorization for BPC CLM
background job
SAP_BPC_CLM_EXPORT
<<company
namespace>>_BPC_CLM_EXPORT
Authorization for exporting to
CLM
SAP_BPC_CLM_IMPORT
<<company
namespace>>_BPC_CLM_IMPORT
Authorization for importing
from CLM
SAP_BPC_MDX_REPORTER
<<company
namespace>>_BPC_MDX_REPORTER
connection using MDX
SAP_BPC_SERVICE <<company namespace>>_BPC_SERVICE
Reference role for BPC
service user
SAP_BPC_SYSADMIN
<<company
namespace>>_BPC_SYSADMIN BPC System Administration
SAP_BPC_TABU_DIS
<<company
namespace>>_BPC_TABU_DIS
BPC Role for Authorization
Object S_TABU_DIS
SAP_BPC_USER <<company namespace>>_BPC_USER BPC user
SAP_BPC_WS_USER
<<company
namespace>>_BPC_WS_USER
SOAP webservice access
/POA/BUI_FLEX_CLIENT
<<company
namespace>>_POA_BUI_FLEX_CLIENT
A role that is required to start
the Flex client
/POA/BUI_UM_USER
<<company
namespace>>_POA_BUI_UM_USER
A role that is required to work
with user management in
particular for retrieving roles
and user information
Note: The last two roles in the 2nd column MUST be assigned to ALL BPC users; whereas, the other roles in the 2nd
column should be assigned to the BPC service user ONLY. The roles in the 1st column should not be assigned to
any user ID in the system at all. It should be noted that since the SAP_BPC_* roles are only for the BPC service
user and the ALEREMOTE user, the equivalent roles should not be listed in CUP as none of the BPC users should
request or be granted those roles.

© 2012 SAP AG 8
Transporting the Newly Copied Standard Roles
1. From within PFCG, select one of the new roles that was created in the last step of the previous
section Copying the Standard Roles to Desired Namespace
2. Click the Transport role button to add the role to a transport
3. On the pop-up screen that appears, click the Execute icon
4. On the Information pop-up screen that appears, click the Continue button (i.e. the green checkmark)
5. On the Choose objects pop-up screen that appears, click the green checkmark

© 2012 SAP AG 9
6. On the Prompt for Customizing Request pop-up screen that appears, click the Own Transport button
Note: A new transport can be created either by clicking the paper icon (i.e. the 2
nd
icon) on the screenshot above OR by
clicking the Own Requests button and then the paper icon from that subsequent screen. However, although a new
transport can be created directly from the screen above (via the 2
nd
button with the paper icon), it is a good idea to
click the Own Requests button because it provides an opportunity to first review the existing transports for a
suitable transport to use before creating a new one.
7. On the subsequent screen that appears, if a suitable transport already exists, then click on the
transport number and then click the green checkmark. If a suitable transport does not already exist,
then go to Step 8.

© 2012 SAP AG 10
8. Click the paper icon to create a new Customizing Request, enter a description in the Short
Description field, select a value from the pick list for the Project field (if required), and then click the
Save button. Finally, from the lists of transports, click the newly created transport number, and then
click the green checkmark.
9. Repeat steps 1 – 7 for the remaining roles that were previously created in Step 9 of the previous
section Copying the Standard Roles to Desired Namespace
10. Go to transaction SE01 (or SE09 or SE10)
11. Expand the transport to see the tasks in the transport
12. For each task in the transport, click on the task number and then press {F9} on the keyboard to
release the individual task
13. Click on the transport number, and then press {F9} on the keyboard to release the transport
Note: It is assumed that the company already has a defined process for importing released transports into subsequent
NetWeaver systems in the BW landscape.
Assigning the Newly Copied Roles to the BPC Service User
1. Go to transaction SU01
2. In the User field, enter the BPC Service User ID ZBPC_SERVICE
3. Click the Edit icon
4. Click on the Roles tab
5. Enter the names of the roles that were copied to the desired namespace
Note: Assigning roles to the BPC service user may need to be done by the company’s Central User Administration team
(depending upon the company’s specific internal policies about authorization assignments).

© 2012 SAP AG 11
Creating the BPC Task Profiles, Data Access Profile, and Team Profiles via the BPC interface
Creating the BPC Task Profile(s)
1. Go to the BPC interface
2. From the Home tab, click the Planning and Consolidation Administration link in the Launch section
on the far right-side of the screen
3. On the Administration tab, expand the Security node and click Task Profiles
4. Click the New link to create a Task profile
5. In the Add Task Profiles window, enter a name and description for the task profile that will be
created, and click the Next button
6. Select the specific tasks that the user should be allowed to do, click the Add button, and then click
Next

© 2012 SAP AG 12
7. On the next screen, click the Finish button
Creating the Data Access Profiles
1. On the Administration tab, expand the Security node and click Data Access Profiles
2. Click the New link to create a Data Access Profile
3. Enter a name and description for the Data Access Profile, select the members for each dimension
and set the access rights on the Member Access tab, click the Save button and then click the Close
button.

© 2012 SAP AG 13
Creating the Team Profiles
1. From the Administration tab, expand the Security node and click Teams
2. Click the New link to create a Team
3. On the Add Team screen that appears, enter the name and description of the Team to create and
click the Next button.

© 2012 SAP AG 14
4. Do NOT add any users on the next screen (as all user assignments will be done via CUP; instead,
click Next
5. On the summary screen, click the Finish button.
6. On the subsequent screen, click the Task Profiles tab and click Add/Remove

© 2012 SAP AG 15
7. On the next screen, click the desired Task profile(s) that the Team should have, click the Add button,
and then click the OK button.
8. Click the Data Access Profiles tab and then click Add/Remove

© 2012 SAP AG 16
9. On the subsequent screen, click the Data Access Profile(s) that the Team should have, click the Add
button, and then click OK.

© 2012 SAP AG 17
10. Click the Save button, and then the Close button.

© 2012 SAP AG 18
Copying the BPC Generated Roles
After the BPC implementation team creates the teams within the BPC front-end, the generated roles for the
specific BPC environment needs to be copied to the desired namespace. The default naming convention (as
described in Section BPC Background Information) can be used to identify the subset of generated roles that
need to be copied for the BPC environment via the following steps:
Determining the AppSet Prefix for the BPC environment
1. Go to transaction SE16
2. Enter “UJA_APPSET_INFO” in the Table Name field and click the Table Contents button
3. On the subsequent screen, enter the technical name of the BPC environment (formerly AppSet) in
the APPSET_ID field and then click the Execute button (or press {F8} on the keyboard). For the
example captured by the screenshot below, “ADRM” is used as the BPC environment.
4. From the subsequent results screen, make a note of the value in the AppSet_Prefix field as it will be
used in all of the generated roles for the specific BPC environment
Note: In the example above, all of the generated roles for the ADRM BPC environment will start with ZBPC_IR*. This
information will be used to search for the generated roles that need to be copied to a new namespace in the
following sub-section.

© 2012 SAP AG 19
Copying the Generated Roles for the Specific BPC Environment
2. Click on the Views button and then select Single Roles
3. Click on the Set Filter button to filter the list of Single Roles
a. On the pop-up screen that appears, enter the following pattern: ZBPC_<<AppSet_Prefix>>*
b. Click the green arrow to execute the search
4. From the list that is returned, click once on one of the ZBPC_<<AppSet_Prefix>>* roles
5. From the toolbar, click the icon to copy the role
6. In the pop-up screen that appears, replace the “Z” prefix with the desired namespace followed by an
underscore (i.e. _), and then click the Copy all button
Note: When copying the generated BPC environment roles, only replace the first letter “Z” with the desired namespace
followed by an underscore (i.e. _). Do not replace or change the remaining characters/sequential numbers. This
will make the source for the newly created roles clear, and will also make it easier to understand which roles
should be combined into composite roles (which is described in the Section “Creating BPC Composite Roles”).
7. Click the Edit button to edit the newly copied role
8. Click on the Authorization tab, and then click the Change Authorization Data button.

© 2012 SAP AG 20
9. On the Information dialog screen that appears, click the green checkmark.
10. Click the Generate icon
Note: To display the technical names, select the following menu path: Utilities  Technical names on
11. In the Assign Profile Name for Generated Authorization Profile pop-up screen that appears, click the
green checkmark.
Note: In the screenshot above, the user-specified namespace will appear for the <<Namespace>> placeholder.

© 2012 SAP AG 21
12. Click the green Back button twice
13. Repeat steps 4 – 12 for each of the generated roles that follow the naming convention in the
following table that should be copied to Company XYZ’s namespace:
Generated Role New Role Description
ZBPC_<<appset_prefix>>U*
<<company
namespace>>_BPC_<<appset_prefix>>U*
Generated
USER roles for
the specific
appset
ZBPC_<<appset_prefix>>T*
<<company
namespace>>_BPC_<<appset_prefix>>T*
Generated
TEAM roles for
the specific
appset
ZBPC_<<appset_prefix>>L*
<<company
namespace>>_BPC_<<appset_prefix>>L*
Generated
LEADER roles
for the specific
appset
ZBPC_<<appset_prefix>>P*
<<company
namespace>>_BPC_<<appset_prefix>>P*
Generated
TASK roles for
the specific
appset
ZBPC_<<appset_prefix>>M*
<<company
namespace>>_BPC_<<appset_prefix>>M*
Generated
MEMBER
ACCESS roles
for the specific
appset (access
to the data)
Creating BPC Composite Roles
Composite roles are manually created in order to simplify the process for requesting and approving
authorizations for specific types of users in specific environments. In order to determine which BPC single
roles should be grouped together in a composite role, evaluate the contents of the PROFILE_ID field in the
UJE_MEMACCESS and UJE_PROFILE_AGR tables as well as the TEAM_ID field in the UJE_TEAM_AGR
and UJE_TEAM_MULTAGR tables. The overall steps are summarized below:
1. Download the contents of the UJE_* security tables to Excel spreadsheets.
2. Merge the Excel files
3. Every distinct value in the TEAM_ID/PROFILE_ID columns in the UJE* security table will become a
separate composite role.
4. Using the included Excel file, analyze the contents of the UJE_* security tables to determine which
roles should be grouped together in the composite roles.

© 2012 SAP AG 22
Download the Contents of the UJE_* Security Tables
1. Start transaction SE16
2. Enter the name of the UJE_* security table in the Table Name field and click the Table Contents
icon. In the example below, the table name “UJE_TEAM_AGR” was used.
3. Enter the ID for the appset in the APPSET_ID field and click the Execute button
Note: Before clicking the Execute button, click the Number of Entries button to confirm that the number of records found
is less than the value in the Maximum No. of Hits field. If necessary, increase the value in the Maximum No. of
Hits field before clicking the Execute button.

© 2012 SAP AG 23
4. From the Data Browser results screen, click the following menu path: Table Entry  List  Export 
Local File
5. In the Save list in file pop-up screen, select Spreadsheet and click the green checkmark
6. In the subsequent pop-up screen, specify the path where the exported file should be saved in the
Directory field and the filename in the File Name field; and then click the Generate button

© 2012 SAP AG 24
7. Click the green Back button once
8. Repeat steps 2 – 7 for the following UJE_* security tables:
BPC 10.0 Table
UJE_MEMACCESS
UJE_PROFILE_AGR
UJE_TEAM_AGR
UJE_TEAM_MULTAGR
UJE_USER_AGR
Analyzing the Downloaded Files to Determine the Composite Roles to Create
1. Two separate composite roles will be created for every distinct TEAM_ID/PROFILE_ID in the UJE*
security tables UJE_TEAM_MULTAGR, UJE_TEAM_AGR, UJE_PROFILE_AGR: one for the
development system and one for the non-development systems.
Note:
BPC Composite roles for the development system contain the original single roles that were generated by the BPC
product! Composite roles for the non-development systems contain the appropriate copies of the generated BPC roles!
2. Add the following columns at the end of the data range in each of the files that were exported:
File that was exported from table… Add the following columns at the end…
UJE_TEAM_AGR EquivalentTeamRole
EquivalentTeamLeadRole
CompositeRole_DEV
CompositeRole_PRD
UJE_TEAM_MULTAGR EquivalentRole
CompositeRole_DEV
CompositeRole_PRD
UJE_PROFILE_AGR EquivalentRole
CompositeRole_DEV
CompositeRole_PRD
Note:
The columns in the above table can be described as follows…
Equivalent*Role: Use to specify the equivalent role (e.g. role for Team, Lead, etc.) that was copied from the generated
Team role
CompositeRole_DEV: Used to specify the name of the composite role that should be used in the development system
for the specific team
CompositeRole_PRD: Used to specify the name of the composite role that should be used in the non-development
system for the specific team

© 2012 SAP AG 25
3. Using the naming convention for the equivalent BPC roles that were copied and the naming
convention for the composite roles, populate the additional columns in the Excel files with the
specific names of the equivalent roles and composite roles for the development and non-
development systems.
4. Filter the TEAM_ID/PROFILE_ID columns in each sheet for the specific BPC team for which the
composite role needs to be created.
5. In the next section, the composite roles for the non-development systems (e.g. <<Company
Namespace>>_<<XXXX>_PRD_<<Region or User Type >>) will be created by including all of the
equivalent roles that appear for the specific team in the different filtered Excel files. The composite
roles for the development system (e.g. <<Company Namespace>>_<<XXXX>_DEV_<<Region or
User Type >>) will be created by including all of the original roles that appear for the specific team in
the different filtered Excel files.
Note: The included Excel file is a template that can be used to simplify the analysis of the exported data. All that is
required is to copy and paste the exported data into the appropriate tabs and to specify the company-specific
information on the Info tab. Then you will be able to filter
Creating the Actual Composite Roles
2. For each of the composite roles that have been identified in the analysis section above, enter the
name of the composite role to create in the Role field, and click the Comp. Role button. The
example below is based upon creating the production version of the planning role for Germany for
the appset_ID ADRM.
Note: The suggested naming convention for composite BPC roles is as follows:
<<Company Namespace>>_<<XXXX>>_<<DEV or PRD>>_<<Region or User Type>>
a. <<Company Namespace>> represents the company’s namespace for roles
b. XXXX represents the 4-character BPC environment (formerly appset)
c. DEV is used to represent the development version of the role (which should ONLY be assigned in development)
d. PRD is used to identify the production version (i.e. non-development version) of the role, which should ONLY be
assigned in non-development systems (e.g. BWV, BWP).
e. Region or User Type is used to identify the specific region (e.g. GLOBAL, APJ, NA, etc.) or type of user (e.g. Admin,
PowerUser, etc.)
3. Enter a short role description and a longer text description in the Description and Long Text fields,
respectively.

© 2012 SAP AG 26
4. Click the Save button, but do not exit the role.
5. Click on the Roles tab.
Note: If the Roles tab is clicked before saving the role, then a prompt will appear to save the role first before being able
to continue to the Roles tab.
6. Enter the technical names of the roles that should be included in the composite role, and click the
Save button.
7. Click the green Back arrow button.
8. Repeat steps 2 – 7 for each additional composite role that needs to be created.

© 2012 SAP AG 27
Transporting BPC Authorizations
BPC 10, version for SAP NetWeaver has its own transport object type, which is accessible via RSA1 
Transport Connection. Unlike typical BW transports that transport authorizations as-is from the source
system to the target system, the BPC transport mechanism for authorizations in BPC 10, version for SAP
NetWeaver SP4 and earlier:
1. Deletes the roles in the target system
2. Deletes the entries for the BPC environment from the UJE_* security tables
3. Re-creates the BPC roles directly in the target systems and re-populates the UJE_* security tables
with the names of the roles that were newly created in the target systems
As such, THERE IS NO GUARANTEE THAT THE TECHNICAL NAMES OF THE ROLES WILL BE THE
SAME in the target system(s) with BPC 10, version SAP NetWeaver SP4 and earlier! Thus the technical
names of the roles could vary from one system to the next in the same landscape and the contents of the
UJE_* security tables would be different! That would cause an issue when trying to use CUP to assign
authorizations to users.
The following sections describe how the transport of the roles must be done as well as the follow-up activities
to perform so that everything works as properly. In general the steps are as follows:
1. Transport the BPC generated roles via the BPC transport mechanism
2. Transport the single roles that were copied to the company namespace as well as the composite
roles.
3. For BPC 10, version SAP NetWeaver SP4 and earlier, perform the follow-up activities in the section
“Keeping the BPC Technical Role Names Consistent” in order to keep the technical names of the
roles consistent in the UJE_* security tables across the landscape.
4. For all BPC 10, version SAP NetWeaver instances, perform the follow-up activities in section
“Replacing the Technical Role Names in the UJE_* Security Tables with the Desired Namespace” in
order to replace the default namespace with the company-specific namespace.
BPC Transport Connection Object
To transport the BPC generated roles (i.e. ZBPC_*),
1. Go to transaction “RSA1”, click Transport Connection, and then click Object Types
2. In the far right section of the screen, click the Grouping button and select Only Necessary Objects.
3. In the far right section of the screen, click the Collection Mode button and select Collect
Automatically.

© 2012 SAP AG 28
4. In the list that appears in the middle of the sreen, expand the More Types and the Environment
nodes, and then double-click Select Objects
5. In the Data Warehousing Workbench: Transport Connection pop-up screen, select the BPC
Environment (e.g. “ADRM” in the example screenshoot) and then click the Transfer Selections button
6. In the far right section of the screen, right-click on the name of the BPC environment, and select Do
Not Transport Any Below.
7. Expand the node for the BPC environment and Data Access Profiles, and then select the specific
Data Access Profiles to include in the transport

© 2012 SAP AG 30
9. Expand the Task Profile node and select the specific Task Profile that should be transported
10. Click the Transport button and follow the prompts to create a new transport in which the selected
objects will be saved
11. Go to transaction SE01 (or SE09 or SE10) and release the task and transport
Transporting the Manually Created Roles
AFTER transporting the generated BPC roles via the BPC transport mechanism as described in the previous
section, transport the manually created roles as follows:
2. From the Utilities menu, select Mass transports
3. On the subsequent screen, enter the pattern for the composite BPC roles and make sure that the
two checkboxes are selected. In the screenshot for the example, the pattern is
“00BO_BWP_BPC_ADRM*”
4. Follow the subsequent screens as already described section “

© 2012 SAP AG 31
Transporting the Newly Copied Standard Roles”.
Note: By selecting the checkbox Also Transport Single Roles for Composite Roles, the individual roles that were
included in the composite roles will also be added to the same transport request.
5. Go to transaction SE01 (or SE09 or SE10) to release the transport task and transport.
Keeping the BPC Technical Role Names Consistent
For BPC 10 version SAP NetWeaver, SP4 or earlier:
This section provides a work-around for BPC 10 version for SAP NetWeaver SP4 instances to make sure
that the contents of the UJE_* security tables remain the same across the entire BW landscape. The work-
around involves the creation of two ABAP programs: (1) one to export the content of the UJE_* security
tables for a specified AppSet from the source BW system; and (2) one to import the exported files into the
target system to overwrite the contents of the UJE_* security tables for that same AppSet.
The code for the ZBPC_EXPORT and ZBPC_IMPORT ABAP programs are in the sections “ZBPC_EXPORT
ABAP Program” and “ZBPC_IMPORT ABAP Program”, respectively.
Detailed Steps to Perform within the source BW system where the development work was done…
2. Execute the program ZBPC_EXPORT
3. Specify the AppSet ID
4. Specify the path were to save the exported files
Detailed Steps to Perform within the target BW system(s)…
2. Execute the program ZBPC_IMPORT
3. Specify the AppSet ID
4. Specify the path from which the files that were exported in the previous section can be imported
For BPC 10 version for SAP NetWeaver, SP5:
The workaround described in Section “For BPC 10 version SAP NetWeaver, SP4 or earlier:” is not required
as BPC 10 version SAP NetWeaver SP5 already addressed the issue of making sure that the contents of the
UJE_* security tables are consistent between the source BW system and the target BW systems.
Replacing the Technical Role Names in the UJE_* Security Tables with the Desired Namespace
In order to use the newly created roles in the desired namespace, those technical role names must be
included in the UJE_* security tables as the BPC product is only aware of the roles listed in the UJE_*
security tables. The work-around involves the creation of an ABAP program that should be executed in the
target system ONLY. The program should NEVER be run in the BW source system as it could lead to
problems in the product in the development system!
The custom code for the program is listed in the section “ZBPC_CUP ABAP Program”.

© 2012 SAP AG 32
Detailed Steps to Perform within the target BW system(s)…
2. Enter the program name ZBPC_CUP
3. Enter the AppSet ID
Adding the Composite Roles into CUP
The composite roles that were created in Section “Creating the Actual Composite Roles” should be added to
CUP so that they can be requested and assigned in the BW system (once the approval workflow has been
approved).
ABAP Programs
This section provides the code to the ABAP programs that were used in this solution.
ZBPC_EXPORT ABAP Program
*&---------------------------------------------------------------------*
*& Report ZBPC_EXPORT
*&
*&---------------------------------------------------------------------*
*&
*&
*&---------------------------------------------------------------------*
REPORT ZBPC_EXPORT.
REPORT ZBPC_EXPORT.
PARAMETERS: p_env type uj_appset_id,
p_tgt type String default 'c:agr_test'.
data: lt_profileagr type STANDARD TABLE OF uje_profile_agr,
lt_teamagr type STANDARD TABLE OF uje_team_agr,
lt_multagr type STANDARD TABLE OF uje_team_multagr,
lt_useragr type STANDARD TABLE OF uje_user_agr,
lt_specagr type STANDARD TABLE OF uje_user_specagr,
lt_appset_id type uj0_t_string,
lc_localfile_profileagr type String,
lc_localfile_teamagr type String,
lc_localfile_multagr type String,
lc_localfile_useragr type String,
lc_localfile_specagr type String.
CONCATENATE p_tgt 'profile_agr' INTO lc_localfile_profileagr.
CONCATENATE p_tgt 'team_agr' INTO lc_localfile_teamagr.
CONCATENATE p_tgt 'mul_agr' INTO lc_localfile_multagr.
CONCATENATE p_tgt 'user_agr' INTO lc_localfile_useragr.
CONCATENATE p_tgt 'spec_agr' INTO lc_localfile_specagr.
select DISTINCT appset_id into table lt_appset_id from uja_appset_info where appset_i
d = p_env.
if lines( lt_appset_id ) ne 1 .
write: / 'invalid environment id.'.
exit.
endif.

© 2012 SAP AG 33
Select *
from uje_profile_agr
into table lt_profileagr
WHERE APPSET_ID = p_env.
CALL FUNCTION 'GUI_DOWNLOAD'
EXPORTING
filename = lc_localfile_profileagr
filetype = 'DAT'
TABLES
data_tab = lt_profileagr.
Select *
from uje_team_agr
into table lt_teamagr
EXPORTING
filename = lc_localfile_teamagr
filetype = 'DAT'
TABLES
data_tab = lt_teamagr.
Select *
from uje_team_multagr
into table lt_multagr
EXPORTING
filename = lc_localfile_multagr
filetype = 'DAT'
TABLES
data_tab = lt_multagr.
Select *
from uje_user_agr
into table lt_useragr
EXPORTING
filename = lc_localfile_useragr
filetype = 'DAT'
TABLES
data_tab = lt_useragr.
write: / 'Agr infomation of ', p_env , 'has been exported to', p_tgt, '.'.
ZBPC_IMPORT ABAP Program
*&---------------------------------------------------------------------*
*& Report ZBPC_IMPORT

© 2012 SAP AG 34
*&
*&---------------------------------------------------------------------*
*&
*&
*&---------------------------------------------------------------------*
REPORT ZBPC_IMPORT.
PARAMETERS: p_env type uj_appset_id,
p_tgt type String default 'c:agr_test'.
data: lt_profileagr type STANDARD TABLE OF uje_profile_agr,
lt_teamagr type STANDARD TABLE OF uje_team_agr,
lt_multagr type STANDARD TABLE OF uje_team_multagr,
lt_useragr type STANDARD TABLE OF uje_user_agr,
lt_specagr type STANDARD TABLE OF uje_user_specagr,
lt_appset_id type uj0_t_string,
* ls_profileagr type uje_profile_agr,
* ls_teamagr type uje_team_agr,
* ls_multagr type uje_team_multagr,
* ls_useragr type uje_user_agr,
* ls_specagr type uje_user_specagr,
lc_localfile_profileagr type String,
lc_localfile_teamagr type String,
lc_localfile_multagr type String,
lc_localfile_useragr type String,
lc_localfile_specagr type String.
select DISTINCT appset_id into table lt_appset_id from uja_appset_info where appset_i
d = p_env.
if lines( lt_appset_id ) ne 1 .
write: / 'invalid environment id.'.
exit.
endif.
CONCATENATE p_tgt 'profile_agr' INTO lc_localfile_profileagr.
CONCATENATE p_tgt 'team_agr' INTO lc_localfile_teamagr.
CONCATENATE p_tgt 'mul_agr' INTO lc_localfile_multagr.
CONCATENATE p_tgt 'user_agr' INTO lc_localfile_useragr.
CONCATENATE p_tgt 'spec_agr' INTO lc_localfile_specagr.
CALL METHOD CL_GUI_FRONTEND_SERVICES=>GUI_UPLOAD
EXPORTING
FILENAME = lc_localfile_profileagr
FILETYPE = 'DAT'
CHANGING
DATA_TAB = lt_profileagr.
Delete from uje_profile_agr where APPSET_id = p_env.
insert uje_profile_agr FROM table lt_profileagr.
write: / 'UJE_PROFILE_AGR of environment: ', p_env, ' has been updated according to t
he source files.'.

© 2012 SAP AG 35
EXPORTING
FILENAME = lc_localfile_teamagr
FILETYPE = 'DAT'
CHANGING
DATA_TAB = lt_teamagr.
Delete from uje_team_agr where APPSET_id = p_env.
insert uje_team_agr FROM table lt_teamagr.
write: / 'UJE_TEAM_AGR of environment: ', p_env, ' has been updated according to the
source files.'.
EXPORTING
FILENAME = lc_localfile_multagr
FILETYPE = 'DAT'
CHANGING
DATA_TAB = lt_multagr.
Delete from uje_team_multagr where APPSET_id = p_env.
insert uje_team_multagr FROM table lt_multagr.
write: / 'UJE_TEAM_MULTAGR of environment: ', p_env, ' has been updated according to
the source files.'.
EXPORTING
FILENAME = lc_localfile_useragr
FILETYPE = 'DAT'
CHANGING
DATA_TAB = lt_useragr.
Delete from uje_user_agr where APPSET_id = p_env.
insert uje_user_agr FROM table lt_useragr.
write: / 'UJE_USER_AGR of environment: ', p_env, ' has been updated according to the
source files.'.
ZBPC_CUP ABAP Program
*&---------------------------------------------------------------------*
*& Report ZBPC_CUP
*&
*&---------------------------------------------------------------------*
*&
*&
*&---------------------------------------------------------------------*
report zbpc_cup.
data: l_bpc_namespace type string value 'ZBPC_',
l_cup_namespace type string value '00BO_BWP_BPC_',
l_bpc_namespace_pattern type string,
l_cup_namespace_pattern type string,
l_bpc_namespace_len type i,

© 2012 SAP AG 36
l_cup_namespace_len type i,
lt_user_agr type table of uje_user_agr,
lt_user_specagr type table of uje_user_specagr,
lt_profile_agr type table of uje_profile_agr,
lt_team_agr type table of uje_team_agr,
lt_team_multagr type table of uje_team_multagr.
l_bpc_namespace_len = strlen( l_bpc_namespace ).
l_cup_namespace_len = strlen( l_cup_namespace ).
concatenate l_bpc_namespace '%' into l_bpc_namespace_pattern.
concatenate l_cup_namespace '%' into l_cup_namespace_pattern.
select * into table lt_user_agr from uje_user_agr
where user_agr like l_bpc_namespace_pattern.
select * into table lt_user_specagr from uje_user_specagr
where agr_name like l_bpc_namespace_pattern.
select * into table lt_profile_agr from uje_profile_agr
where profile_agr like l_bpc_namespace_pattern.
select * into table lt_team_agr from uje_team_agr
where team_agr like l_bpc_namespace_pattern.
select * into table lt_team_multagr from uje_team_multagr
where child_agr like l_bpc_namespace_pattern.
"validate first
data: lt_messages type table of string,
l_cup_agr type agr_name,
l_message type string,
ls_user_agr type uje_user_agr,
ls_user_specagr type uje_user_specagr,
ls_profile_agr type uje_profile_agr,
ls_team_agr type uje_team_agr,
ls_team_multagr type uje_team_multagr.
field-symbols: <user_agr> type uje_user_agr,
<user_specagr> type uje_user_specagr,
<profile_agr> type uje_profile_agr,
<team_agr> type uje_team_agr,
<team_multagr> type uje_team_multagr.
write: / 'Validating UJE_USER_AGR'.
loop at lt_user_agr assigning <user_agr>.
concatenate l_cup_namespace <user_agr>-user_agr+l_bpc_namespace_len into l_cup_agr.
select single * into ls_user_agr from uje_user_agr
where user_agr = l_cup_agr.
if sy-subrc is initial.
concatenate 'Conflict detected: Role "' l_cup_agr '" is already occupied for
environment "' ls_user_agr-appset_id '".' into l_message respecting blanks.
append l_message to lt_messages.
endif.
endloop.
write: / 'Validating UJE_PROFILE_AGR'.

© 2012 SAP AG 37
loop at lt_profile_agr assigning <profile_agr>.
concatenate l_cup_namespace <profile_agr>-profile_agr+l_bpc_namespace_len into
l_cup_agr.
select single * into ls_profile_agr from uje_profile_agr
where profile_agr = l_cup_agr.
concatenate 'Conflict detected: Role "' l_cup_agr '" is already occupied by
profile: "' ls_profile_agr-profile_id '" for environment "' ls_profile_agr-appset_id
'".' into l_message respecting blanks.
endif.
endloop.
write: / 'Validating UJE_TEAM_AGR'.
loop at lt_team_agr assigning <team_agr>.
concatenate l_cup_namespace <team_agr>-team_agr+l_bpc_namespace_len into l_cup_agr.
select single * into ls_team_agr from uje_team_agr
where team_agr = l_cup_agr.
concatenate 'Conflict detected: Role "' l_cup_agr '" is already occupied by team:
"' ls_team_agr-team_id '" for environment "' ls_team_agr-appset_id '".' into
l_message respecting blanks.
endif.
endloop.
"modify
data: lt_modification_result type table of string.
if lt_messages is initial.
write: / 'Started modification process.'.
if lt_user_agr is not initial.
write: / 'Started processing UJE_USER_AGR'.
loop at lt_user_agr assigning <user_agr>.
concatenate ' Converting "' <user_agr>-user_agr '" to ' into l_message
respecting blanks.
concatenate l_cup_namespace <user_agr>-user_agr+l_bpc_namespace_len into
<user_agr>-user_agr.
concatenate l_message '"' <user_agr>-user_agr '"' into l_message respecting
blanks.
endloop.
loop at lt_messages into l_message.
write: / sy-tabix, l_message.
endloop.
clear lt_messages.
modify uje_user_agr from table lt_user_agr.
endif.
if lt_profile_agr is not initial.
write: / 'Started processing UJE_PROFILE_AGR'.
loop at lt_profile_agr assigning <profile_agr>.

© 2012 SAP AG 38
concatenate ' Converting "' <profile_agr>-profile_agr '" to ' into l_message
respecting blanks.
concatenate l_cup_namespace <profile_agr>-profile_agr+l_bpc_namespace_len into
<profile_agr>-profile_agr.
concatenate l_message '"' <profile_agr>-profile_agr '"' into l_message
respecting blanks.
endloop.
endloop.
clear lt_messages.
modify uje_profile_agr from table lt_profile_agr.
endif.
if lt_team_agr is not initial.
write: / 'Started processing UJE_TEAM_AGR'.
loop at lt_team_agr assigning <team_agr>.
concatenate ' Converting "' <team_agr>-team_agr '" to ' into l_message
respecting blanks.
concatenate l_cup_namespace <team_agr>-team_agr+l_bpc_namespace_len into
<team_agr>-team_agr.
concatenate l_message '"' <team_agr>-team_agr '"' into l_message respecting
blanks.
concatenate ' Converting "' <team_agr>-team_leader_agr '" to ' into l_message
respecting blanks.
concatenate l_cup_namespace <team_agr>-team_leader_agr+l_bpc_namespace_len into
<team_agr>-team_leader_agr.
concatenate l_message '"' <team_agr>-team_leader_agr '"' into l_message
respecting blanks.
endloop.
endloop.
clear lt_messages.
modify uje_team_agr from table lt_team_agr.
endif.
if lt_team_multagr is not initial.
write: / 'Started processing UJE_TEAM_MULTAGR'.
delete uje_team_multagr from table lt_team_multagr.
loop at lt_team_multagr assigning <team_multagr>.
concatenate ' Converting "' <team_multagr>-child_agr '" to ' into l_message
respecting blanks.
concatenate l_cup_namespace <team_multagr>-child_agr+l_bpc_namespace_len into
<team_multagr>-child_agr.
concatenate l_message '"' <team_multagr>-child_agr '"' into l_message
respecting blanks.
endloop.

© 2012 SAP AG 39
endloop.
clear lt_messages.
insert uje_team_multagr from table lt_team_multagr.
endif.
if lt_user_specagr is not initial.
write: / 'Started processing UJE_USER_SPECAGR'.
delete uje_user_specagr from table lt_user_specagr.
loop at lt_user_specagr assigning <user_specagr>.
concatenate ' Converting "' <user_specagr>-agr_name '" to ' into l_message
respecting blanks.
concatenate l_cup_namespace <user_specagr>-agr_name+l_bpc_namespace_len into
<user_specagr>-agr_name.
concatenate l_message '"' <user_specagr>-agr_name '"' into l_message respecting
blanks.
endloop.
endloop.
clear lt_messages.
insert uje_user_specagr from table lt_user_specagr.
endif.
write: / 'Modification process is completed.'.
else.
write: / 'Modification is not processed due to the following errors(s):'.
write: / l_message.
endloop.
endif.

© 2012 SAP AG 40
Related Content
BPC Blogs
BPC NW SCN Forum
For more information, visit the Enterprise Performance Management homepage

© 2012 SAP AG 41
Copyright
© Copyright 2012 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9,
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,
PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,
Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by
Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document
serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP
Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the
express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.

How to assign sap business planning and consolidation authorizations via the sap governance, risk, and compliance (grc) access control compliance user provisioning pro

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (12)

Similar to How to assign sap business planning and consolidation authorizations via the sap governance, risk, and compliance (grc) access control compliance user provisioning pro

Similar to How to assign sap business planning and consolidation authorizations via the sap governance, risk, and compliance (grc) access control compliance user provisioning pro (20)

More from Anywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU)

More from Anywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU) (7)

Recently uploaded

Recently uploaded (20)

How to assign sap business planning and consolidation authorizations via the sap governance, risk, and compliance (grc) access control compliance user provisioning pro