IDM, GRC and position based security

We use position based security in our ERP system and are implementing GRC. In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs. We have this functionality working in QAS by implementing CUA, but we are considering whether IDM can be used instead. There seems to be much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and to a user on another?
How can IdM be configured to react to a position change and update the roles appropriately?
Has anyone implemented GRC and IDM with position based security?
Regards,
Wayne

Hi Wayne,
In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
I've attended Teched, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.
So, in HCM the position of a user changes (e.g. a promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SoD) issues and, if there are none, GRC tells IdM all is OK and IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
This is all theory though, I'm just getting started with IdM myself.
Kind regards,
Dagwin

Similar Messages

  • Does auto provisioning work with position based security

    We are implementing GRC 5.3 and use position based security.  I am able to run risk analysis for position based security but now we want to use CUP and push our roles to the positions.  And finally we want to associate the user to the position.  We want to do all of this through GRC.  Is this possible?
    Thanks!

    Peggy,
       For this to work, click on the tab (on top) which says by system. Here you can set up autoprovisioning by system. If you have 5.2, I don't know if this is available or not but it is available in 5.3.
    Regards,
    Alpesh

  • Is there any difference in upgrade for position based security model

    Hello Gurus,
    I am working on an upgrade project from 4.6C to ECC 6.0. In the 4.6C R/3 system the position based security concept is used.
    Are there any extra precautions that need to be taken while upgrading in a position based security model?
    Or
    Is it the same procedure whether it is a role based security model or a position based security model?
    I am new to this upgrade stuff, please kindly direct me in the right direction.
    Also please provide if any documents are available.
    Thanks,
    Sanketh.

    Hi,
    There are already many documents posted on SDN on the same topic. A security upgrade is standard and mostly deals with role modification; can you elaborate more on the position based part? Position related assignment is also taken care of with the respective functional team (for example HR) and the technical team (Workflow) if there are any issues.
    Better to go through the upgrade document; see the posts already available in the forum before starting with the upgrade.
    Experts correct me in case of correction.

  • Employee/Supervisor and position based hierarchy combination

    Hi All,
    Can Employee/Supervisor and position based approval hierarchy used in the same Business Group? If I have OU1 and OU2 belonging to BG1. Can OU1 use employee supervisor and OU2 use position based?
    Please throw some light on this setup and limitations.
    Regards,
    Praveen

    Setup --> Financial Options --> Human Resources tab --> Use Approval Hierarchies check box. If you check it, approval hierarchies based on positions are used; if not, the employee hierarchy (supervisor in employee) is used.
    Thanks
    Nagamohan

  • Compliance Calibrator 5.2 and position based user role provisioning

    Hi
    We are having position based security in place... I was just wondering if CC 5.2 can do SoD analysis in position based security also?

    Hi parveen,
    To do HR risk analysis perform the following steps (try to take the help of an HR consultant for this scenario):
    1. Go to the SAP system, execute transaction PPSC and create a position.
    2. Now execute transaction PO13, select that position and assign a role (containing some risk violation) to that position.
    3. Now in CC, go to the Informer tab > Risk analysis > HR Objects and execute the report with the following key parameters:
        i) System: any SAP system
        ii) Analysis Type: Object security only
        iii) Object Type: Position
        iv) Rule Set: *
    Now you can perform risk analysis at position level.
    Regards,
    Jagat

  • Position Based Security

    Hi All,
    How to find out whether the security implemented is position based or role based, and in position based is there any difference in dealing with authorisation changes compared to role based security?
    Can some one please let me know the information.
    Regards,
    Sandhya

    Hi,
    The difference is in how you assign the roles to users. Position based means that roles are assigned according to the position the user has in the org structure.
    Roles are assigned to the position and each user who is assigned to the position gets those roles assigned.
    You can identify such roles as they are assigned indirectly (blue colour in SU01 and PFCG(tab users)) and if hr-org is activated and maintained in your system.
    Administrators should know of how they assign roles in your system. Just ask them.
    b.rgds,
    Bernhard

  • User Level Authorization in Position Based Security

    Hi Geeks,
    I'm facing a problem in restricting a user accessing from another users data.
    Let me give you a picture of my issue.
    I have assigned a position based role to a Position XXXXX, while XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see the data of his own, not other users.
    Can you please let me know how to restrict this.
    Thanks
    Venkat

    > P_PERNR: when this object is present, including infotypes in this object allows you to control access to own record only (I), or other employee records only (E) excluding own.
    Stated like that it could still be misleading.
    E does not grant access to other employees' records. It only means that if the user already has access to other employees' records (via P_ORGIN...), then this authorization will exclude their own personnel number from that authorization, even though they have the access.
    This can be useful, for example to prevent the HR department from changing their own basic pay without stopping them from giving you a raise or a bonus...
    Cheers,
    Julius
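    To make the point in the reply above concrete, here is an added toy model (not code from the thread, not SAP's own check logic) of the evaluation order Julius describes: P_PERNR is consulted first for the user's own personnel number, where "I" includes the own record and "E" excludes it, and only then does the general P_ORGIN style check decide. Personnel numbers, org units, infotype numbers and authorization levels below are constructed sample data, and the real objects (PERSA, ORGEH, time dependency, structural profiles) are deliberately left out.

    ```python
    # Added example: a simplified model of P_PERNR (I/E) interacting with P_ORGIN.
    # Not SAP code; names and sample data are constructed for illustration.
    from dataclasses import dataclass, field


    @dataclass(frozen=True)
    class Employee:
        pernr: str      # personnel number
        org_unit: str   # org unit the HR record belongs to


    @dataclass(frozen=True)
    class POrgin:
        """Loose stand-in for P_ORGIN: org units + infotypes + levels (R/W)."""
        org_units: frozenset
        infotypes: frozenset
        levels: frozenset


    @dataclass(frozen=True)
    class PPernr:
        """Loose stand-in for P_PERNR: PSIGN 'I' (include own) or 'E' (exclude own)."""
        psign: str
        infotypes: frozenset
        levels: frozenset


    @dataclass
    class UserAuth:
        orgin: list = field(default_factory=list)
        pernr: list = field(default_factory=list)


    def check(user: Employee, auth: UserAuth, target: Employee, infotype: str, level: str) -> bool:
        """True if `user` may perform `level` on `infotype` of `target`'s record."""
        if target.pernr == user.pernr:
            for p in auth.pernr:
                if infotype in p.infotypes and level in p.levels:
                    if p.psign == "E":
                        return False   # own record excluded, even if P_ORGIN would grant it
                    if p.psign == "I":
                        return True    # own record explicitly included
        # General check: E never grants anything here, it only removed the own record above.
        return any(
            target.org_unit in g.org_units and infotype in g.infotypes and level in g.levels
            for g in auth.orgin
        )


    # Constructed sample data.
    hr_clerk = Employee(pernr="00001001", org_unit="HR")
    colleague = Employee(pernr="00001002", org_unit="HR")
    ess_user = Employee(pernr="00002001", org_unit="SALES")

    # HR clerk: may read/write basic pay (0008) for the whole HR org unit,
    # but P_PERNR 'E' withdraws WRITE on the clerk's own 0008 record.
    clerk_auth = UserAuth(
        orgin=[POrgin(frozenset({"HR"}), frozenset({"0002", "0008"}), frozenset({"R", "W"}))],
        pernr=[PPernr("E", frozenset({"0008"}), frozenset({"W"}))],
    )

    # ESS user: no P_ORGIN at all, only P_PERNR 'I' for reading own data.
    ess_auth = UserAuth(
        pernr=[PPernr("I", frozenset({"0002", "0008"}), frozenset({"R"}))],
    )

    # User with only an 'E' entry and nothing else: E grants nothing by itself.
    e_only_auth = UserAuth(pernr=[PPernr("E", frozenset({"0008"}), frozenset({"R", "W"}))])


    def demo() -> dict:
        return {
            "clerk_writes_colleague_pay": check(hr_clerk, clerk_auth, colleague, "0008", "W"),
            "clerk_writes_own_pay": check(hr_clerk, clerk_auth, hr_clerk, "0008", "W"),
            "clerk_reads_own_pay": check(hr_clerk, clerk_auth, hr_clerk, "0008", "R"),
            "ess_reads_own_pay": check(ess_user, ess_auth, ess_user, "0008", "R"),
            "ess_reads_colleague_pay": check(ess_user, ess_auth, colleague, "0008", "R"),
            "e_only_reads_colleague": check(hr_clerk, e_only_auth, colleague, "0008", "R"),
        }


    if __name__ == "__main__":
        for name, allowed in demo().items():
            print(f"{name}: {'allowed' if allowed else 'denied'}")
    ```

    The interesting rows are the clerk's: the same P_ORGIN grant lets the clerk change a colleague's basic pay but not their own, while reading their own record still passes because the "E" entry only covers level W. The last row shows the caveat from the reply: an "E" entry on its own opens nothing.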

  • Using Position Based Security with BI

    Hi
    Has anyone been involved in an implementation where you can assign BI roles to Positions (organisational structure maintained in R/3).  If so, what configuration is involved?

    Hi,
    After replying I realised that this may not be answering your question exactly, but it is the approach that I would adopt.
    Not sure if it is feasible for your landscape, but I would use a CUA for this approach - in the long run I find it to be a good approach, especially if you are adding more SAP applications to your landscape.
    Firstly, set-up ALE for the org structure from R/3 to your CUA client.
    I would then create composite roles in the CUA client, which include roles for both R/3 and BI. These would then be assigned to the positions in the HR Org structure.
    To create the composite roles, read roles into your CUA client via RFC - note that this is not the text comparison for CUA, but reading roles from other systems via RFC through PFCG. Once you read the roles in you will notice that the RFC destination is maintained in the menu tab of roles that have been imported. Then when you create the composite roles containing R/3 and BI roles you will see that the target system is maintained. If you use the variable mentioned below, it achieves the same thing but makes future maintenance easier.
    Creating the composite roles does mean additional maintenance upfront, but before you begin I would make use of the table SSM_RFC. Through this you could assign a variable to a RFC destination, you can use the same variable name in DEV, QA & PRD but have different RFC destinations allocated. This means that you can transport roles from the DEV CUA to PRD CUA without having to maintain the roles.
    In CUA you would need to set the role distribution properties to global in transaction SCUM.
    When you assign a composite role to a user in CUA you will notice that it will complete all the system assignments as defined in your composite role. If you allocate it to a position, then it would do the same thing provided that IT0105 is maintained for the employee and the position assignment is valid - once you run the user compare it will update the user master and distribute.
    I hope that provides you with some ideas.....
    Regards

  • SAP IDM position based security with user in multiple positions

    Hi,
    In case of Higher Duties, we have a scenario where a user can have multiple positions with access to the business roles of both the positions.
    The design is to have one business role assigned to one position so that the user can have all the access he requires.
    In case of higher duties, we see an exception.
    Has anyone implemented such a scenario?
    Inputs/advices are much valued.
    Thanks
    Chaitanya

    Hi Chaitanya,
    Is it possible to assign more than one position to an employee in HCM?
    If so, there are many ways of dealing with that from the IDM side. I don't know precisely your business requirement, what you need to maintain and what should be dynamic, but I can suggest you to:
    1. Translate every position you receive from HR to a business role and assign as many business roles as you want to the same user.
    From HCM you will receive :
    Employee :
    - Z_POSITION_ID1 :1
    - Z_POSITION_ID2 : 2
    In IDM
    Employee
    - Member of BR1
    - Member of BR2
    2. If you have a lot of attributes related to the HR position on the user (link user-position) to maintain, then create a custom object in IDM (entry type Z_POSITION).
    You will be able to manage relations much more easily than with a simple relation (one-to-one attribute).
    Otherwise, it is worth looking over this blog for the general design of HCM integration:
    How to optimize identities’ lifecycle management in your information system using SAP HR events?
    Fadoua

  • HCM Position based security: any transition period?

    Hello Gurus, If a person is transferred from one position to another, the next time the RHPROFL0 job runs, it will remove all the old position's roles and assign the new ones it finds from the new position; is it possible to have a transition period(e.g. 15 or 30 days) where the user can have both the old and new roles?
    The Structural PD profiles do have an option to support this but is there a way to do this for all normal ABAP roles assigned to the Positions using the relationship infotype?
    Thanks,
    Arya

    Hi Arya
    Yes, this is possible by using the structural switch AUTSW ADAYS. This switch is used to specify the tolerance time for the authorization check in the event of an org or position change. I think by default the switch is off (not sure). If you do not want the user to lose old authorizations during the transition period you can activate the switch (I think the default is 15 calendar days).
    Hope this helps
    Regards
    Santosh kumar

  • Difference between Structural and Org. Based Security

    Hi
       Could anyone please explain the difference between Structural and Org. based security
    Also could anyone please point to relevant documents.
    Thanks

    Structural authorization:
    ex: assigning roles to position and not to userids.. Listed below are some links that may help you to get started in understanding "Structural authorization".
    http://www.sap-img.com/human/structural-authorization-vs-role-authorization.htm
    http://www.sap-press.de/katalog/buecher/inhaltsverzeichnis/gp/titelID-1071
    https://websmp205.sap-ag.de/~form/ehandler?_APP=00200682500000001337&_EVENT=DISPLAY&COURSE=ADM940
    HB

  • MOAC / "Org-Based" Security

    Hello,
    I'm developing custom pl/sql for submitting concurrent requests/sets. For reference, here is what my initialization 'block' looks like in the pl/sql:
    apps.fnd_global.apps_initialize(user_id, resp_id, app_id);
    apps.mo_global.set_policy_context('M');
    apps.mo_global.init(appShortName);
    (or)
    apps.fnd_global.apps_initialize(user_id, resp_id, app_id);
    apps.mo_global.set_policy_context('S', org_id);
    apps.mo_global.init(appShortName);
    (depending on whether the user chooses a 'multi-org' context or 'single-org' context)
    I just have a few general questions.
    1) Is the "mo_global.set_policy_context" followed by "mo_global.init" proper form?
    2) I understand that if you choose multi-org (set_policy_context('M')), it reads the 'fnd_global.apps_initialize'd user's "allowed orgs" from his profile options (I forget the exact ones at this moment). Is this correct?
    3) Is the sole purpose of "multi-org" security for performing multiple operations on multiple orgs without having to switch responsibility?
    4) Most importantly (saved this one for last), I'm reading about the various different kinds of security (namely, http://docs.oracle.com/cd/E14223_01/bia.796/e14219/security.htm#BGBIFAIG):
    Operating Unit Org-Based security
    Inventory Org-Based Security
    Company Org-Based Security
    Business Group Org-Based Security
    HR Org-based Security
    Payables Org-Based Security
    Receivables Org-Based Security
    SetID-Based Security
    Position-Based Security
    Ledger-Based Security
    My question is, are all of these various "securities" all managed with organizations? In other words, will my code (above) enable users to use ANY of these different kinds of security, if they so choose?

    Hey so seeing as this question hasn't really been answered yet I figure I'll give it another go.
    I'm going to be very specific this time:
    I run PL/SQL scripts against the EBS database in order to do things like schedule requests/request-sets. The first thing I do (always) is initialize the apps context:
    apps.fnd_global.apps_initialize(u_id, r_id, a_id);
    Next, depending on the situation (still unsure when/why, but whatever), we initialize the org context. This is done by performing exactly one of the following steps.
    apps.mo_global.set_policy_context('M', null);
    OR
    apps.mo_global.set_policy_context('S', org_id);
    OR
    apps.mo_global.init('appname');
    Now, the ORG_ID comes from this statement:
    SELECT organization_id FROM apps.org_organization_definitions2 WHERE organization_name = 'blah'
    Again, I don't know why/when we need to do this or apparently what any of these things do but it's kind of beyond the scope of what I do. SOMEBODY chooses one of these, depending on their mood (or whatever factors :) ). Based on my model, the following are the possibilities thus far:
    apps.fnd_global.apps_initialize(u_id, r_id, a_id);
    OR
    apps.fnd_global.apps_initialize(u_id, r_id, a_id);
    apps.mo_global.set_policy_context('M', null);
    OR
    apps.fnd_global.apps_initialize(u_id, r_id, a_id);
    apps.mo_global.set_policy_context('S', org_id);
    OR
    apps.fnd_global.apps_initialize(u_id, r_id, a_id);
    apps.mo_global.init('appname');
    After this, I use
    apps.fnd_submit.submit_program('appName','progName','STAGEXYZ', args); <-- however many times I need
    apps.fnd_submit.set_request_set('appname','requestSetName');
    OR
    apps.fnd_request.submit_request('appName','progName','description',starttime,FALSE, args);
    My question is twofold:
    1) Is this model generic enough? In other words, without doing anything extra, will people be able to do pretty much everything you could think of, at least in terms of running concurrent requests / sets? Will I ever - EVER - need to chain "set_policy_context" with "init"? <-- I would really love a yes/no answer because I am in no way/shape/form an EBS expert. I've read all the docs that I've been presented with thus far but I haven't found a straight answer to this yet.
    2) I understand there are all different kinds of "org-based" security. Could I use my current code to initialize an inv_org, for example? If not, where could I turn for help? Are there other tables I should use for inv_orgs, hr_orgs, etc?
    THANKS! YOU ARE THE BEST!

  • Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

    Hi
    I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
    This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    Any help or suggestions on the above would be appreciated.
    Thanks and Regards
    Arun R

    Hi
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    No, the SAP role is unique to the position it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the SAP role directly to the user in SU01/SU10.
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    Create the user in SU01/SU10 first before creating infotype 0105 in PA30.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    When a user's assignment in the org structure changes then you must run RHPROFL0 to update the user assignment to the new position.
    Also the number of days an employee can have access to their previous data is controlled by the parameter called ADAYS (transaction OOAC). SAP currently defaults this to 15 days and this is used to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
    Hope this helps.
    Charmaine

  • IDM & GRC (including Firefighter ) role in SAP Security

    Please provide me information reg IDM,GRC & FIREFIGHTER in SAP

    That is quite a difficult task, given the eloquent description in your question
    I suggest you have a look at the GRC area here in BPX, and browse through the GRC and Identity Management forums.
    The solution web pages (like http://www.sap.com/solutions/grc/index.epx) should also provide you with a lot of information.
    Feel free to come back here if you have detailed questions.

  • MSS Substitution - Position Based and Change Fields

    Hi Experts,
    We are on EHP7 and using NWBC (POWL) for work items. We have set up position based substitution. But when the user logs in, he/she doesn't see the work items of the other user. We have set up A210 relationships between positions. Do we need to set up anything else?
    Second Question,
    On MSS when we set-up substitution, it shows Assignee -  PERNR not User Name. How can we change the fields to show User Name instead of PERNR?
    Regards,
    Ashish

    We would like to see User Name instead of User IDs as Manager may not remember person with User IDs. In this scenario, substitution created from Manage Substitution Rules (Create Rules). In Assignee field it shows User ID and we would like to see User Name.
    Regards,
    Ashish
