HR Position Base Security Discussion

Hello all,
We all know the beauty of using HR position-based security vs. manual role assignments to user IDs. Roles are automatically assigned and removed during a move with HR position-based security.
Recently a question came up regarding HR position-based security and I have a few ideas on how to address it, but I'm just curious how some of you have dealt with this issue. This thread will be more of a discussion than a question.
Issue/Example regarding HR position-based security:
User-A is in position#1 and has been granted access to SAP after successfully completing SAP Accountant Training.
Position#1 has the following roles:
Z-Accountant
Position#2 has the following roles:
Z-Finance-Director
If User-A gets a promotion and is moved to position#2, he will automatically inherit Z-Finance-Director and the Z-Accountant assignment will be removed.
How can you justify assigning Z-Finance-Director even though User-A did not take the SAP Finance Director training?
Your response will be appreciated.
Regards,
John N.

Morten Nielsen wrote:
> Hello John
>
> Well, at the end of the day the roles are always assigned to the user.
>
> But what you can do is create a relation between the Role and an entity in your HR-OM System. Based on that, and an evaluation path, you can retrieve the required role for the user and let the workflow assign it automatically. (You might need an HR consultant to help you out here.)
>
> So in fact you can decide if you want to map the roles to a Position, an organizational unit, a Job etc. (but as always it's a good idea to decide on a strategy, otherwise it can end up in a big mess)
>
> regards
> Morten Nielsen
Morten,
If we decide to assign the roles to the HR position after the completion of the workflow, it should assign the roles to the UMR (using RHPROFL0 & PFUD) automatically, which is great. But now that the roles are assigned to the position, aren't we back in the same vicious cycle of a user automatically inheriting roles on the position and at times not having training on the roles automatically assigned?
Perhaps I just need to research the following that you mentioned.
Morten Nielsen wrote:
> But what you can do is create a relation between the Role and an entity in your HR-OM System. Based on that, and an evaluation path, you can retrieve the required role for the user and let the workflow assign it automatically. (You might need an HR consultant to help you out here.)
>
> regards
> Morten Nielsen
Again thanks for the suggestion.
Regards,
-John N.
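To make the scenario above concrete, here is an added example (not part of the thread and not SAP code) that models position-based inheritance together with a training prerequisite gate: a role inherited from the new position is held back until the required training is recorded, instead of being provisioned blindly on the move. The position and role names come from John's post; the training catalogue, the user data and every function name are assumptions. The model also accepts a user holding more than one position at once, which goes beyond John's single-position case.

```python
# Added example, not from the thread: position-based role inheritance with a
# training prerequisite gate. Position/role names follow John's post; the
# training mapping and all users are constructed for illustration.

# Position-based security: the position, not the user, carries the roles.
POSITION_ROLES = {
    "position#1": {"Z-Accountant"},
    "position#2": {"Z-Finance-Director"},
}

# Hypothetical prerequisite catalogue: a role only becomes effective once the
# holder has completed the named training.
ROLE_TRAINING = {
    "Z-Accountant": "SAP Accountant Training",
    "Z-Finance-Director": "SAP Finance Director Training",
}


def inherited_roles(positions):
    """Roles a user inherits purely from the positions they hold.

    Accepts one or several positions (a user on higher duties may hold two)
    and returns the union of the roles attached to them.
    """
    roles = set()
    for pos in positions:
        roles |= POSITION_ROLES.get(pos, set())
    return roles


def effective_roles(positions, completed_training):
    """Split inherited roles into those that may be provisioned now and those
    withheld until the prerequisite training is recorded.

    Returns (granted_set, {withheld_role: required_training}).
    """
    granted, withheld = set(), {}
    for role in inherited_roles(positions):
        needed = ROLE_TRAINING.get(role)
        if needed is None or needed in completed_training:
            granted.add(role)
        else:
            withheld[role] = needed
    return granted, withheld


def move_user(old_positions, new_positions, completed_training):
    """Simulate an HR move: which roles are removed, which are granted, and
    which are held back pending training. The dict doubles as an audit entry."""
    before, _ = effective_roles(old_positions, completed_training)
    after, pending = effective_roles(new_positions, completed_training)
    return {
        "removed": sorted(before - after),
        "granted": sorted(after - before),
        "pending_training": pending,
    }


if __name__ == "__main__":
    # User-A has only the accountant training when promoted to position#2.
    training = {"SAP Accountant Training"}
    print(move_user(["position#1"], ["position#2"], training))
```

The promotion removes Z-Accountant as the position model dictates, but Z-Finance-Director lands in `pending_training` rather than `granted`; a provisioning workflow that consumes this result can assign it the moment the training record appears, which is the justification John is asking for.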

Similar Messages

  • How do I apply SAP's mantra, "Run Like a Factory" to my Basis/Security team?

    I will preface this by stating that I am a newbie to SAP, and I am not technical. Currently I manage a Basis/Security team, albeit understaffed.
    For the past 5 years I have been charged to:
    Organize the team into a highly-performing department. (Done!)
    Leverage existing SAP (and non-SAP) tools to drive up the performance and availability of our SAP landscape. (Currently on SolMan 7.1, SP12. Early Watch reports for 17 instances. Crank out CQC's like they are free candy)
    Take full advantage of our SAP Enterprise Support. (Monthly calls with our Ent. Support Advisor. Burn through our EGI's, AEI's, and Road Maps. Training curriculum built around the Ent. Support Academy offerings, etc.)
    But there is a part that is missing, and this is where I need guidance. What I am referring to is the integration and synchronization of my team with the abundance of proactive services of SAP's MarketPlace (MP) and Enterprise Support (ES). Here is what I mean:
    So I am subscribed to umpteen SAP "MP" & "ES" newsletters and RSS Feeds, I occasionally browse the Security Portal (because I can't find where to subscribe to an RSS Feed), I receive the "SAP Support Notification" email every couple of days, I am connected to their Social Media presence, and there are a few other communication channels I am connected to. But from all of this what I am missing is... Continuity!
    I have had this nagging feeling that I am missing, or not yet fully aware, of some basic elements within the "MP" or "ES" that I need to address so that the steady flow of information from these channels are relevant and substantial. Here is my best example:
    Every few days I receive the "SAP Support Notification" email. At first the email was basically empty. I figured out that I had to choose my instances within my subscription so that I receive relevant information. I accessed my instance list and found it was a mess. So I had my architect remove all obsolete instances. The contents of the email are now more substantial, but there is more to the email that I don't understand the relevance of.
    Another example is the SAP Security Portal. I can't figure it out. Updates, announcements, etc. aren't sent out. I have to remind myself to visit the Portal.
    I have a few more examples, but this post is already too long. I need help with the manipulation of the basic elements of "MP" and "ES" to start receiving more substantial, and actionable, proactive support. Once I have this I can integrate this support into the daily administration of my SAP ecosystem, as well as define KPI's and metrics to strive for improved performance and availability.
    So what am I missing?

    Hi Pete,
    This is a great discussion item, and I am glad that you brought it up!  There is a lot of information out there, and how to syphon it so it relates to you is definitely something that is important.
    Couple points/questions on the above, and then some information that may help future wise.
    There are many notifications within the SAP Support Portal that you can subscribe to.  Some require filters, some are based on 'subscribing' to Spotlight News or to specific notes and KBAs.  Happy to set up some time with you to go through these in detail.
    What is the URL to the SAP Security Portal you mention?  Are you referring to this area: https://support.sap.com/kb-incidents/notifications/security-notes.html?
    Future direction is focusing on personalizing your experience within the portal.  Giving you what you need, when and how you prefer.  We can chat on that as well.
    Feel free to reach out to me directly.
    Cheers,
    Kristen

  • Is there any difference in upgrade for position based security model

    Hello Gurus,
    I am working on an Upgrade project from 4.6c to ECC6.0. In the 4.6C R/3 system the position based security concept is used.
    Are there any extra precautions that need to be taken while upgrading in a position based security model?
    Or
    Is it the same procedure whether it is a role based security model or a position based security model?
    I am new to this upgrade stuff, please kindly direct me in the right direction.
    Also please provide if any documents are available.
    Thanks,
    Sanketh.

    Hi,
    There are already many documents posted on SDN on the same topic. A security upgrade is standard and mostly deals with role modification; can you elaborate more on position based? Position related assignments are also taken care of with the respective functional team, for example HR, and the technical team (Workflow) if there are any issues.
    Better you go through the upgrade document; see the posts already available in the forum before starting with the upgrade.
    Experts, correct me if I am wrong.

  • IDM, GRC and position based security

    We use position based security in our ERP system and are implementing GRC. In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs. We have this functionality working in QAS by implementing CUA, but we are considering whether IDM can be used instead. There seems to be much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
    Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and a user on another?
    How can IdM be configured to react to a position change and update the roles appropriately?
    Has anyone implemented GRC and IDM with position based security?
    Regards,
    Wayne

    Hi Wayne,
    In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
    You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
    I've attended Teched, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.
    So in HCM the position of a user changes (e.g. promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
    This is all theory though, I'm just getting started with IdM myself.
    Kind regards,
    Dagwin
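The round trip Dagwin sketches (HCM position change, IdM proposes roles, GRC checks segregation of duties, IdM provisions or opens a workflow) as an added example; this is not SAP's code and not from the thread. The business-role-to-technical-role mapping, the SoD rule ids, the JSON message shape standing in for the web-service call, and all function names are constructed for illustration.

```python
# Added example, not SAP code: simulation of the IdM <-> GRC exchange for a
# position change. Mapping, SoD rules and message shapes are constructed.
import json

# IdM side: business role (position) -> technical roles to distribute.
POSITION_ROLES = {
    "AP_CLERK": ["Z_AP_INVOICE_ENTRY"],
    "AP_MANAGER": ["Z_AP_INVOICE_APPROVE"],
    "VENDOR_MASTER_ADMIN": ["Z_AP_VENDOR_MAINTAIN"],
}

# GRC side: pairs of technical roles that must not meet in one user,
# with a constructed rule id for the violation report.
SOD_RULES = [
    ("Z_AP_INVOICE_ENTRY", "Z_AP_INVOICE_APPROVE", "SOD-AP-001"),
    ("Z_AP_VENDOR_MAINTAIN", "Z_AP_INVOICE_APPROVE", "SOD-AP-002"),
]


def idm_propose(user, positions):
    """IdM: on an HCM event, derive the target role set from the positions the
    user now holds and serialise it as the request sent to GRC."""
    roles = set()
    for pos in positions:
        roles.update(POSITION_ROLES[pos])
    return json.dumps({"user": user, "roles": sorted(roles)})


def sod_violations(roles):
    """GRC: rule ids whose two roles both appear in the proposed set."""
    roles = set(roles)
    return [rule for a, b, rule in SOD_RULES if a in roles and b in roles]


def grc_check(request_json):
    """GRC: evaluate the request and answer OK or the list of violations."""
    req = json.loads(request_json)
    violations = sod_violations(req["roles"])
    return json.dumps({"user": req["user"], "ok": not violations,
                       "violations": violations})


def idm_handle_response(response_json, provision, open_workflow):
    """IdM: provision on OK, otherwise hand the conflict to a workflow."""
    resp = json.loads(response_json)
    if resp["ok"]:
        provision(resp["user"])
        return "provisioned"
    open_workflow(resp["user"], resp["violations"])
    return "workflow"


def position_change(user, positions, provision, open_workflow):
    """Whole round trip for one HCM event; returns the outcome string."""
    request = idm_propose(user, positions)
    response = grc_check(request)
    return idm_handle_response(response, provision, open_workflow)


if __name__ == "__main__":
    log = []
    prov = lambda u: log.append(("provision", u))
    wf = lambda u, v: log.append(("workflow", u, v))
    # Clean move: the user now holds only AP_MANAGER.
    print(position_change("USER1", ["AP_MANAGER"], prov, wf))
    # Higher duties: the user keeps AP_CLERK while acting as AP_MANAGER,
    # which is exactly the combination the SoD check should stop.
    print(position_change("USER1", ["AP_CLERK", "AP_MANAGER"], prov, wf))
    print(log)
```

The second call never reaches `provision`: GRC answers with `SOD-AP-001` and IdM routes the request to the workflow, which is the exception path Dagwin says you need to have in place.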

  • SAP Basis Security in Sales order pricing - Help required

    Hi,
    My requirement goes like this:
    The ability to view cost and margin should be restricted
    The ability to add discounts and update price should be restricted
    Sales Directors, Sales Managers, Revenue Recognition and members of the Sales Ops team will be allowed to view cost and margin
    Sales Directors will have the ability to add controlled discounts (i.e. up to a pre-defined % value)
    Sales Ops will have the ability to add discounts without restriction
    Sales Ops will have the ability to maintain price overrides
    These are governed by condition types such as PR00 etc. Can you control it by using authorization objects in the sales order Item Condition tab for a particular USER?
    In T.code: V/06
    For e.g. EK01/EK02, double click on it... You can find a sub screen "Changes which can be made". There you can enable whatever is required by tick marking, e.g., amount, value, delete etc.
    Pricing procedure will be normally designed for a sales AREA and group of customers/Documents.
    Condition type values are stored in the form of condition record by using T.code: VK11. It is stored in table KONV and KONP.
    So, actually client needs like:
    Some users should NOT be allowed to change the price/discount.
    Also some are to be shown in DISPLAY mode only.
    Some can add some conditions types too.
    Is it possible through SAP BASIS security?
    I am waiting for your valuable suggestions.
    Regards,
    Anbu

    Yes, it is possible to restrict authorizations for condition types using authorization objects. Some user exits need to be used to meet the requirement. Refer to OSS Note 105621, which gives a detailed procedure for customizing the authorization check for the condition screen.
    Regards,
    GSL.

  • Does auto provisioning work with position based security

    We are implementing GRC 5.3 and use position based security.  I am able to run risk analysis for position based security but now we want to use CUP and push our roles to the positions.  And finally we want to associate the user to the position.  We want to do all of this through GRC.  Is this possible?
    Thanks!

    Peggy,
    For this to work, click on the tab (on top) which says "by system". Here you can set up autoprovisioning by system. If you have 5.2, I don't know if this is available or not, but it is available in 5.3.
    Regards,
    Alpesh

  • Video Tutorials for SAP Basis & Security

    Hi,
    Are any CBT Nuggets/video tutorials also available for SAP Basis & Security?
    Please provide me the link if they are available.

    Saurabh,
    You cannot expect A to Z of SAP Basis and Security tutorials in videos. Maybe you can find some basic to important information.
    Refer to the links though
    www.youtube.com/watch?v=OT4PQarbT0k
    www.learnsap.com/config/basis.html
    http://sapdownloads.blogspot.com/.../sap-basis-training-for-beginners.html
    Just google it, you will find loads of information.
    Good Luck
    Regards,
    Arjun

  • Position Based Security

    Hi All,
    How do I find out whether the security implemented is position based or role based? And in position based, is there any difference in dealing with authorisation changes compared to role based security?
    Can some one please let me know the information.
    Regards,
    Sandhya

    Hi,
    The difference is in how you assign the roles to users. Position based means that roles are assigned according to the position the user has in the org structure.
    Roles are assigned to the position and each user who is assigned to the position gets those roles assigned.
    You can identify such roles as they are assigned indirectly (blue colour in SU01 and PFCG(tab users)) and if hr-org is activated and maintained in your system.
    Administrators should know of how they assign roles in your system. Just ask them.
    b.rgds,
    Bernhard

  • Is role base security supported by WLS 5.1?

    To what extent is role based security supported by servlets under WLS 5.1?
    Declarative role based security does not seem to be supported?
    Are any of the following methods supported?
    HttpServletRequest.isUserInRole()
    HttpServletRequest.getUserPrincipal()
    If so, where are the roles declared? Where is the role/principal mapping done? Does getUserPrincipal() return the principal using the WLS security realm?
    Thank you.
    Marko.

    Cool. Bonus mystery feature. I will call support.
    Thanks Winston.
    Marko.
    Winston Koh <[email protected]> wrote in message news:[email protected]...
    > no, i am not referring to ACL. to my knowledge, the servlet security
    > features docs do not make it into the WLS 5.1. I understand its a bit hard
    > to use the features properly without proper documentation. contact support
    > for more info
    >
    > thanx
    >
    > Winston
    > Marko Milicevic <[email protected]> wrote in message news:[email protected]...
    > > The only servlet authorization mechanism I can see documented is ACL's. Is
    > > this what you are referring to Winston? If so, I believe ACL are different
    > > than declarative role based security. An ACL grants access to a servlet for
    > > a set of principals (users and/or groups). But a role is not a principal.
    > > A role name is mapped to a set of principals.
    > >
    > > If you are referring to roles, can you give a URL to the documentation which
    > > discusses this?
    > >
    > > Thanks Winston.
    > >
    > > Marko.
    > >
    > > Winston Koh <[email protected]> wrote in message news:[email protected]...
    > > > both declarative and programmatic based security roles are supported by WLS
    > > > 5.1.
    > > >
    > > > if you don't specify any specific security realm in the weblogic.properties
    > > > file, a default WebLogic Security realm is assumed. you could specify the
    > > > group and its associated users and passwords there in the properties file.
    > > > in the web.xml file associated with each web app, you could specify the
    > > > security constraints for each servlet
    > > >
    > > > I would imagine when accessing a secured servlet within a web app, a client
    > > > would supply her credentials thru some sort of authentication, and based on
    > > > the credentials, we find out the role name from the weblogic.properties file
    > > > which in turn mapped to the web.xml which specify the security role that
    > > > could access the particular servlet. if the role matches, access to the
    > > > servlet is granted
    > > >
    > > > refer to WL Docs for more specific details
    > > >
    > > > thanx
    > > >
    > > > Winston
    > > > Marko Milicevic <[email protected]> wrote in message news:[email protected]...
    > > > > To what extent is role based security supported by servlets under WLS 5.1?
    > > > >
    > > > > Declarative role based security does not seem to be supported?
    > > > >
    > > > > Are any of the following methods supported?
    > > > >
    > > > > HttpServletRequest.isUserInRole()
    > > > > HttpServletRequest.getUserPrincipal()
    > > > >
    > > > > If so, where are the roles declared? Where is the role/principal mapping
    > > > > done? Does getUserPrincipal() return the principal using the WLS security
    > > > > realm?
    > > > >
    > > > > Thank you.
    > > > >
    > > > > Marko.
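The distinction Marko draws in the thread above (an ACL lists principals on the resource; declarative role security names a role on the resource and maps the role to principals elsewhere) as an added example. This is not WebLogic code and does not read weblogic.properties or web.xml; the realm data, the ACL, the constraints, the role mapping and the function names are all constructed to show the two lookups side by side and the check behind a method like isUserInRole().

```python
# Added example, not WebLogic code: ACL versus role-based authorization on a
# constructed realm. Users, groups, paths and roles are illustrative only.

# Realm: each user and the groups holding that user.
USER_GROUPS = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "carol": set(),
}

# ACL model: the resource itself enumerates the permitted principals
# (users or groups).
ACL = {"/servlet/report": {"alice", "engineering"}}

# Role model: the resource names roles only (think security-constraint), and
# a separate mapping says which principals fill each role.
CONSTRAINTS = {"/servlet/report": {"report-viewer"}}
ROLE_PRINCIPALS = {
    "report-viewer": {"finance", "carol"},
    "admin": {"alice"},
}


def principals_of(user):
    """A user's principal set: the user name plus every group holding it."""
    return {user} | USER_GROUPS.get(user, set())


def acl_allows(path, user):
    """ACL check: does any of the user's principals appear on the resource?"""
    return bool(ACL.get(path, set()) & principals_of(user))


def is_user_in_role(user, role):
    """Programmatic role check (the idea behind isUserInRole): the user holds
    the role if any of the user's principals is mapped to it."""
    return bool(ROLE_PRINCIPALS.get(role, set()) & principals_of(user))


def constraint_allows(path, user):
    """Declarative check: a constrained resource is reachable through any of
    the roles it names; an unconstrained resource is open."""
    roles = CONSTRAINTS.get(path)
    if roles is None:
        return True
    return any(is_user_in_role(user, r) for r in roles)


def role_members(role):
    """Expand a role back to the users who currently fill it (via groups or
    directly), which is the review question an ACL cannot answer centrally."""
    return sorted(u for u in USER_GROUPS if is_user_in_role(u, role))


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, "acl:", acl_allows("/servlet/report", u),
              "role:", constraint_allows("/servlet/report", u))
    print("report-viewer members:", role_members("report-viewer"))
```

Note how bob passes the ACL (his group is listed on the servlet) but fails the role constraint (engineering is not mapped to report-viewer), while carol is the reverse: the two models answer different questions, so a resource protected by one is not automatically protected by the other.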

  • Row-base security : how to filter on a set of value ?

    Hello all!
    I am currently trying to set up row-based security in OBIEE and I am facing some difficulties, not sure if they are basic or not:
    I'd like my users or groups to access data depending on a list of values.
    I know the best practice is to create a session variable and to filter on it in the security filters. But what if I want to filter on n values?
    It looks like a session variable can only hold one value. Should I then define n variables initialized in my initialization block? This would limit the number of values I can filter on. I can't believe there isn't a way to make it clean.
    More precisely, my context is:
    each user can belong to one or more groups
    each group is granted access to one or more brands.
    So basically, I'd like to filter on "brand in group.brands where group in (all groups in nq_session.groups)"
    I don't have any prerequisite on where to store the filter data (repository, database) nor anything else.
    Any help much appreciated ! thanks in advance !
    Cedric

    Hi
    Thanks, I am able to figure out that.
    But I am stuck with a performance issue with this approach. I am applying the filter on my fact table, but my issue is that for a given user the filter values are in the thousands, so OBIEE is putting them in an IN clause (1, .... 20000) and when the actual query gets executed it has a performance issue.
    Is there any way I can write a subquery on the fact table instead of storing multiple values in a dynamic variable?
    Another issue is that when the user logs in, this variable gets initialized, which results in a delay in login for the user.
    Deepak

  • Row-base security - multiple dimensions

    Hi
    I filter data using the row-wise initialization.
    In groups, in the security filter, the logical SQL is e.g.:
    Group "Region 1" has filter: DM."Dim Region"."rg_id" = VALUEOF("R1")
    Group "Region 2" has filter: DM."Dim Region"."rg_id" = VALUEOF("R2")
    R1, R2- are static variables containing numeric IDs of regions.
    User belongs to one or more groups.
    That works good for one dimension Region and the condition in sql is like:
    WHERE Region.rg_id in (1,2)
    When I've added several more groups for a second dimension, e.g.:
    Group "Category 1" has filter: DM."Dim Category"."Ct_id" = VALUEOF("C1")
    Group "Category 2" has filter: DM."Dim Category"."Ct_id" = VALUEOF("C1")
    generated sql has the condition like this:
    WHERE
    Region.rg_id in (1,2)
    OR
    Category.Ct_id in (1,2)
    But, I'd like to have logical sum:
    WHERE
    Region.rg_id in (1,2)
    AND
    Category.Ct_id in (1,2)
    regards
    Harnas
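Two points from this thread and the previous one, as an added example that is plain SQL run through sqlite3 rather than OBIEE logical SQL and is not part of either post. First, a per-user filter over many values can be written as a correlated subquery against a grant table instead of expanding thousands of values into an IN list at login, which is the alternative Deepak asks for. Second, filters on different dimensions have to be joined with AND: the OR form Harnas observes lets a user entitled to Region 1 and Category 1 see every row in Region 1 and every row in Category 1. All table names, the user name and the sample rows are constructed.

```python
# Added example, not OBIEE logical SQL: row-level filters expressed as
# subqueries over grant tables, and AND versus OR across two dimensions.
# Tables, rows and the user 'harnas' are constructed for illustration.
import sqlite3


def build_db():
    """Four fact rows over two regions and two categories; the user belongs
    to the groups 'Region 1' and 'Category 1'."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE fact(id INTEGER, rg_id INTEGER, ct_id INTEGER, amount REAL);
        CREATE TABLE user_group(user_name TEXT, group_name TEXT);
        CREATE TABLE group_region(group_name TEXT, rg_id INTEGER);
        CREATE TABLE group_category(group_name TEXT, ct_id INTEGER);
        INSERT INTO fact VALUES (1, 1, 1, 10), (2, 1, 2, 20), (3, 2, 1, 30), (4, 2, 2, 40);
        INSERT INTO user_group VALUES ('harnas', 'Region 1'), ('harnas', 'Category 1');
        INSERT INTO group_region VALUES ('Region 1', 1), ('Region 2', 2);
        INSERT INTO group_category VALUES ('Category 1', 1), ('Category 2', 2);
    """)
    return con


# One correlated subquery per dimension: the fact row's key must be granted to
# some group of the session user. The grants stay in the database, so nothing
# is expanded into the query text at login time.
REGION_FILTER = """EXISTS (SELECT 1 FROM group_region gr
                           JOIN user_group ug ON ug.group_name = gr.group_name
                           WHERE ug.user_name = :user AND gr.rg_id = fact.rg_id)"""
CATEGORY_FILTER = """EXISTS (SELECT 1 FROM group_category gc
                             JOIN user_group ug ON ug.group_name = gc.group_name
                             WHERE ug.user_name = :user AND gc.ct_id = fact.ct_id)"""


def visible_rows(con, user, combine="AND"):
    """Fact ids visible to `user`. `combine` joins the two dimension filters:
    AND gives the intended intersection, OR leaks the other dimension."""
    if combine not in ("AND", "OR"):       # never interpolate untrusted text
        raise ValueError("combine must be AND or OR")
    sql = f"SELECT id FROM fact WHERE {REGION_FILTER} {combine} {CATEGORY_FILTER} ORDER BY id"
    return [row[0] for row in con.execute(sql, {"user": user})]


def visible_rows_in_list(con, user):
    """The IN-list form for comparison: granted keys are fetched first and
    bound one parameter each, which is what grows to thousands of values per
    query when a user holds many grants."""
    regions = [r[0] for r in con.execute(
        "SELECT gr.rg_id FROM group_region gr JOIN user_group ug "
        "ON ug.group_name = gr.group_name WHERE ug.user_name = ?", (user,))]
    cats = [r[0] for r in con.execute(
        "SELECT gc.ct_id FROM group_category gc JOIN user_group ug "
        "ON ug.group_name = gc.group_name WHERE ug.user_name = ?", (user,))]
    if not regions or not cats:
        return []
    marks = lambda xs: ",".join("?" * len(xs))
    sql = (f"SELECT id FROM fact WHERE rg_id IN ({marks(regions)}) "
           f"AND ct_id IN ({marks(cats)}) ORDER BY id")
    return [row[0] for row in con.execute(sql, regions + cats)]


if __name__ == "__main__":
    db = build_db()
    print("AND:", visible_rows(db, "harnas"))          # [1]
    print("OR: ", visible_rows(db, "harnas", "OR"))    # [1, 2, 3]
    print("IN: ", visible_rows_in_list(db, "harnas"))  # [1]
```

Whether a given BI tool lets you place such a subquery in a security filter is tool-specific; the point of the example is the shape of the predicate and the fact that AND, not OR, is the combination that actually restricts.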


  • SAP IDM position based security with user in multiple positions

    Hi,
    In case of Higher Duties, we have a scenario where a user can have multiple positions with access to the business roles of both the positions.
    The design is to have one business role assigned to one position so that the user can have all the access he requires.
    In case of higher duties, we see an exception.
    Has anyone implemented such a scenario?
    Inputs/advices are much valued.
    Thanks
    Chaitanya

    Hi Chaitanya,
    Is it possible to assign more than one position to an employee in HCM?
    If so, there are many ways of dealing with that from the IDM side. I don't know precisely your business requirement, what you need to maintain and what should be dynamic, but I can suggest that you:
    1. Translate every position you receive from HR to a Business role and assign as many Business roles you want to the same user.
    From HCM you will receive :
    Employee :
    - Z_POSITION_ID1 :1
    - Z_POSITION_ID2 : 2
    In IDM
    Employee
    - Member of BR1
    - Member of BR2
    2. If you have a lot of attributes related to HR position on user (link user-position) to maintain , then create a custom Object in IDM (entrytype Z_POSITION).
    You will be able to manage relations much more easily than with a simple relation (one-to-one attribute).
    Otherwise, it is worth looking over this blog for the general design of HCM integration:
    How to optimize identities’ lifecycle management in your information system using SAP HR events?
    Fadoua

  • User Level Authorization in Position Based Security

    Hi Geeks,
    I'm facing a problem in restricting a user from accessing another user's data.
    Let me give you a picture of my issue.
    I have assigned a position based role to a Position XXXXX, while XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see the data of his own, not other users.
    Can you please let me know how to restrict this.
    <removed_by_moderator>
    Thanks
    Venkat
    Edited by: Julius Bussche on Jun 4, 2009 8:44 AM

    > p_pernr: when this object is present, including infotypes in this object allows you to control access to own record only (I), or other employee records only (E), excluding own.
    Stated like that it could still be misleading.
    E does not grant access to other employees' records. It only means that if the user already has access to other employees' records (via P_ORGIN...), then this authorization will exclude their own personnel number from that authorization, even though they have the access.
    This can be useful, for example to prevent the HR department from changing their own basic pay without stopping them from giving you a raise or a bonus...
    Cheers,
    Julius
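The semantics Julius spells out, as an added example that is not SAP code and not from the thread: access to an employee record comes from the general HR grant (represented here by a P_ORGIN-style list of organisational units), a P_PERNR value of I adds the user's own record, and a value of E only removes the user's own record from whatever was already granted and never grants anything on its own. The personnel numbers, org units, the shape of the grants and the function names are constructed, and real P_PERNR checks are further qualified by infotype and authorization level, which this model leaves out.

```python
# Added example, not SAP code: simplified P_ORGIN / P_PERNR decision logic
# following Julius's explanation. Data and grant shapes are constructed.
from dataclasses import dataclass, field


@dataclass
class Employee:
    pernr: str       # personnel number
    org_unit: str    # organisational unit the record belongs to


@dataclass
class UserAuth:
    pernr: str                                     # the user's own personnel number
    orgin_units: set = field(default_factory=set)  # P_ORGIN-style grant: org units the user may access
    pernr_psign: str = ""                          # P_PERNR PSIGN: "I", "E", or "" when the object is absent


def may_access(auth, emp):
    """Decide access to one employee record under the simplified rules."""
    granted_by_org = emp.org_unit in auth.orgin_units
    own_record = emp.pernr == auth.pernr
    if own_record and auth.pernr_psign == "I":
        return True            # own record explicitly included
    if own_record and auth.pernr_psign == "E":
        return False           # own record excluded, whatever P_ORGIN says
    return granted_by_org      # E on its own grants nothing to anyone else


def visible_pernrs(auth, employees):
    """Sorted personnel numbers the user may access."""
    return sorted(e.pernr for e in employees if may_access(auth, e))


if __name__ == "__main__":
    staff = [Employee("00001", "HR"), Employee("00002", "HR"), Employee("00003", "FIN")]
    # HR user 00001 with org access to HR and P_PERNR = E: sees colleagues,
    # not their own record (the basic-pay case in Julius's reply).
    print(visible_pernrs(UserAuth("00001", {"HR"}, "E"), staff))   # ['00002']
    # P_PERNR = E with no org grant at all: nothing, E grants no one.
    print(visible_pernrs(UserAuth("00001", set(), "E"), staff))    # []
    # P_PERNR = I with no org grant: own record only.
    print(visible_pernrs(UserAuth("00001", set(), "I"), staff))    # ['00001']
```

The second call is the misreading the quoted line invites: a user with only E and no underlying grant sees no records at all, because E subtracts rather than adds.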

  • Role base security & authorization

    hi,
    I want the details about Role based security & authorization for all objects in reporting and the T-codes related to security & authorization (like RSSM ....).
    Please help me with any document and security manual.

    Hi,
    I hope a search in these forums would definitely help you.
    My previous postings on the Data level security at the Reporting side:
    https://forums.sdn.sap.com/click.jspa?searchID=966335&messageID=2940809.
    https://forums.sdn.sap.com/click.jspa?searchID=966335&messageID=2783106
    And take a look at the links:
    https://websmp107.sap-ag.de/~sapidb/011000358700000274062002
    https://websmp107.sap-ag.de/~sapidb/011000358700000972382004
    With rgds,
    Anil Kumar Sharma .P
    Message was edited by:
            Anil Kumar Sharma

  • Role Base Security SSAS Tabular and PPS not working

    Hi,
    I am having SSAS (Tabular Model) with Role based Security. It is working fine with Powerview and PowerPivot.
    But when I am using the same with PPS, it is giving me an error like 'Data source not accessible'.
    If I don't provide a Role while connecting and select the unattended account, it is working but with no security.
    Please help me out in this situation or provide any steps with snapshots (if possible) on how to make PPS work with the SSAS Tabular model with a Role.
    Thanks in Advance
    Pinak kakadiya

    Hi Vishal,
    According to your description, you are trying to use time intelligence functions in SQL Server Analysis Services Tabular model without success, right?
    In order to use time intelligence functions in DAX formulas, you must specify a date table and a unique identifier (datetime) column of the Date data type. Once a column in the date table is specified as a unique identifier, you can create relationships
    between columns in the date table and any fact tables. Please refer to the links below to see the details steps to use time intelligence functions in DAX formulas.
    https://msdn.microsoft.com/en-us/library/hh758415.aspx?f=255&MSPPError=-2147217396
    http://blog.gbrueckl.at/2013/02/fiscal-periods-tabular-models-and-time-intelligence/
    If the issue persists, please provide us more information about your tabular structure, so that we can make further analysis.
    Regards,
    Charlie Liao
    TechNet Community Support
