Indirect Role Assignments via Groups

Hi,
I have created a Group structure in our EP6 SP12 environment as follows:
Employee
|______Group1
|______Group2
|______Group3
Groups1/2/3 being assigned to the group Employee. I then assigned each of the Group1/2/3 a role.
However, users assigned to the Group Employee do not see the roles assigned in the lower groups. Shouldn't these appear to the user, and if so, why are they not?
Regards
Richard

Hi,
Think of the Group structure in the Object Oriented way. Employee is the parent of Group1/2/3. Group1/2/3 inherit the properties of Employee, but Employee does not inherit anything from its children.
Users assigned to the Group Employee have only the properties that Employee has. If Employee does not have the role that Group1/2/3 have, the users assigned to Employee will never get the role assigned to Group1/2/3.
Correct me if I am wrong if someone has a better idea.
Teecheu Loh
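
The inheritance direction described in the reply above, as an added example that is not part of the original thread: roles flow from a group to everything nested beneath it, never from a child group up to direct members of the parent. The user names, role names and the base role on Employee are constructed for illustration.

```python
# Constructed sample data mirroring the thread's layout (role names are hypothetical).
# MEMBER_OF maps a group to the groups it is assigned to (its parents).
MEMBER_OF = {
    "Group1": {"Employee"},
    "Group2": {"Employee"},
    "Group3": {"Employee"},
    "Employee": set(),
}
GROUP_ROLES = {
    "Employee": {"role_employee_base"},
    "Group1": {"role_g1"},
    "Group2": {"role_g2"},
    "Group3": {"role_g3"},
}
USER_GROUPS = {
    "emp_user": {"Employee"},  # direct member of the parent group only
    "g1_user": {"Group1"},     # direct member of a child group
}


def transitive_groups(user):
    """Every group the user belongs to, directly or through nesting."""
    seen, stack = set(), list(USER_GROUPS.get(user, ()))
    while stack:
        group = stack.pop()
        if group in seen:          # guards against cyclic nesting
            continue
        seen.add(group)
        stack.extend(MEMBER_OF.get(group, ()))
    return seen


def effective_roles(user):
    """Union of the roles of all groups the user is a (transitive) member of."""
    roles = set()
    for group in transitive_groups(user):
        roles |= GROUP_ROLES.get(group, set())
    return roles


def why_missing(user, role):
    """Groups that carry `role` but that the user is not a member of."""
    member = transitive_groups(user)
    return sorted(g for g, r in GROUP_ROLES.items() if role in r and g not in member)


if __name__ == "__main__":
    for user in sorted(USER_GROUPS):
        print(user, sorted(effective_roles(user)))
    print("role_g1 missing for emp_user via:", why_missing("emp_user", "role_g1"))
```

The same walk is useful in an access review: it shows which group a user would have to join before a role becomes effective.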

Similar Messages

  • SAP R/3 : Indirect Role assignments - Is position unique to every user?

    Hi.
    While I am exploring/learning SAP R/3 roles and auth, I would appreciate it if I could get clarity on the following:
    This link on SDN on indirect role assignments is very informative.
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/f03e6f6c-8c16-2a10-1581-ed8812e2effe
    This link is also more explanatory : http://my.affinitext.com/public/book/5442/-1/1423831
    So if my understanding is correct, it is better to assign roles - indirectly by position, so that if an employee's position changes, his role can be removed, based on position again ??? And somewhere we are linking with infotype 105.
    My only doubt is : if we are going to assign roles by position and remove the roles by position, so that as the position of an employee changes, the previous roles become null and void and new roles can be assigned as per new position.
    So would like to know :
    as to whether this position number which we see from PA20 is unique to every user on the system?
    So that, if there is a need to remove a role based on position, we could remove the role from PO13;
    By doing that, will it not affect other users?
    Can somebody help me understand this.
    Because if I want to see the effect immediately, if I go to PFUD and put the role name and say execute, I see that the role which was removed from PO13 is gone immediately from the user.
    Many thanks
    Indu
    Edited by: Indumathy Narayanan on Nov 22, 2011 9:25 AM

    GOT IT THANKS.
    Hi Prashant.
    Good morning and wishes.
    Can you please help me understand this.
    I understand from HR person that position is uniquely defined (from hire to retire)
    and roles are generally given based on position.
    However, I see a person : whose roles have been assigned as per position all these years.
    He had 2 roles in project A. He now moved into a different project B.
    But when I check, I still see the roles - reflecting on SU01 as well as in the user tab of the role X under PFCG.
    But when I check PO13 - and put the position / relationship and say overview -
    I don't see the roles at all there.
    Why is this so? Why the discrepancy on different screens?
    Also, how can I get a confirmation that these roles are actually removed and are not there for the user?
    Rather.
    How could the removal of roles based on position become completely effective on the system.
    So that all screens display the same information.
    Also would like to know - whether it is ok to remove the role expiry date directly from PFCG/ROLE Display/user tab/select user/
    and then make the role invalid or expired / or extend the expiry.
    Many thanks.
    Indu
    Edited by: Indumathy Narayanan on Dec 7, 2011 12:09 PM
    Edited by: Indumathy Narayanan on Dec 7, 2011 1:42 PM
    Edited by: Indumathy Narayanan on Dec 7, 2011 5:17 PM

  • Indirect role assignment restricted only to Positions?

    Hello All,
    I have this doubt:
    While using indirect role assignment, can we assign roles to Work Center, Job, Org unit, Person also?
    (My understanding was that we could assign this only to positions...)
    Can anybody who has worked on HR security answer my doubt?
    Many thanks for your help.
    Warm Regards,
    Pradeep

    Hi Pradeep:
    Indirect role assignments are not restricted to only positions. You can make role assignments to other objects such as Job or Org. Just as you can assign roles to the position via PO13, a role to Job assignment can be made through PO03 and a role to Org unit can be made via PO10.
    That's the beauty of position-based security. By assigning roles to higher levels, this would reduce the load on Security folks doing role assignments. For example, if you know a role is to be assigned to everyone in a particular org unit, you might as well assign the role there. Therefore, everyone under that org would automatically inherit the role. Of course, this approach depends heavily on accurate HR data.
    Let me know if you need more clarification.
    Thanks.

  • Indirect Role Assignment

    I am adding roles to positions using indirect role assignment. When adding the role to the position I am prompted to carry out a reconciliation of indirect user assignments and receive the message 'Indirect user assignments ok', so then I've run PFUD.  When I check both the role and the user I cannot see the role attached to the user, but the role is listed in the 'Relationships' in PP01.
    A new organisation structure has been created, when I click on the drop down at the 'change agent assignment' the old organisation structure is displayed.  Any suggestions please how I can select the new organisation structure?
    Thanks

    Hello Anthea,
    to pass on a role from a position to a SAP user id I would suggest the following.
    Go to transaction SA38 and run report RHPROFL0.
    Some notes on the report and report selections.
    The report can be used to evaluate and assign roles from HR objects to SAP users. The report starts reading at a given HR object along an evaluation path. It then updates the SAP user found with authorisation roles.
    Selections:
    You have assigned the roles to a position therefore you should select object type S.
    Then put the position number in the Object ID.
    The key date is hopefully self explaining.
    The evaluation path might have defaulted to PROFL0. That would be the correct one.
    The program has a test mode. I suggest you run the test mode first. It will tell you what the program would change in an actual run.
    In the next selection box - "Generate authorization profiles"
    You might leave the ticks in the boxes:
    - Standard authorizations
    - PD authorizations
    That will generate profiles if they aren't generated yet.
    Next selection box - "Delete manually maintained authorisation profiles"
    Leave the tick boxes blank if you have any direct assigned roles.
    If you tick the boxes all roles and profiles directly assigned to SAP user ids will be deleted.
    In section "New Users"
    There is a tick box "Generate".
    If that box is ticked the report will create new SAP user IDs for all occupied positions with roles but without SAP user ID on the Employee record.
    You might leave that box unticked for the moment.
    I suggest to create the application log --> Last tick box on the selection screen.
    Some general comments at the end.
    The report RHPROFL0 might be scheduled in production systems if indirect role assignments are used. Depending on your needs make sure that the deletion of manual assigned profiles is activated or deactivated.
    If you do not enter an object id, the report will run for all object ids.
    A further note on the indirect setup.
    If roles should be passed on from a Position to a SAP user id, it is important, that the following conditions are fulfilled.
    The Position is valid/active as of the report key date.
    The position has a holder at key date.
    The holder has an assignment of a valid SAP user ID at key date. Infotype 0105 subtype 0001 for object type P.
    The Roles on the position are valid at the key date.
    I hope that helps solving your issue.
    Best regards
    Karsten
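
The four conditions listed in the reply above, modelled as a key-date check (an added example, not part of the original thread and not the logic of RHPROFL0 itself). The position and personnel numbers, the user ID and the role names are constructed; `stale_roles` goes one step further and flags indirect roles still on a user that no position justifies at the key date.

```python
from dataclasses import dataclass
from datetime import date

HIGH_DATE = date(9999, 12, 31)


@dataclass(frozen=True)
class Period:
    begin: date
    end: date = HIGH_DATE

    def covers(self, day):
        return self.begin <= day <= self.end


# Constructed sample records; IDs, user name and role names are hypothetical.
POSITIONS = {                       # object type S: validity of the position
    "50000001": Period(date(2007, 1, 1)),
    "50000002": Period(date(2007, 1, 1)),
}
HOLDERS = [                         # position -> person (holder relationship)
    ("50000001", "00001000", Period(date(2007, 4, 1), date(2008, 1, 31))),
    ("50000002", "00001000", Period(date(2008, 2, 1))),
]
IT0105_0001 = [                     # person -> SAP user ID (infotype 0105 subtype 0001)
    ("00001000", "JDOE", Period(date(2007, 1, 1))),
]
POSITION_ROLES = [                  # role assigned to a position
    ("50000001", "Z_MSS_MANAGER", Period(date(2007, 1, 1))),
    ("50000002", "Z_STAFF", Period(date(2007, 1, 1))),
]


def blockers(position, key_date):
    """Return which of the four conditions fail for a position at key_date."""
    failed = []
    period = POSITIONS.get(position)
    if period is None or not period.covers(key_date):
        failed.append("position not valid")
    persons = [p for s, p, per in HOLDERS if s == position and per.covers(key_date)]
    if not persons:
        failed.append("no holder")
    elif not any(p in persons and per.covers(key_date) for p, _, per in IT0105_0001):
        failed.append("holder has no valid user ID")
    if not any(s == position and per.covers(key_date) for s, _, per in POSITION_ROLES):
        failed.append("no valid role on position")
    return failed


def expected_roles(key_date):
    """Map user ID -> roles that should arrive indirectly at key_date."""
    result = {}
    for position, person, held in HOLDERS:
        if not held.covers(key_date) or blockers(position, key_date):
            continue
        roles = {r for s, r, per in POSITION_ROLES
                 if s == position and per.covers(key_date)}
        for p, user, per in IT0105_0001:
            if p == person and per.covers(key_date):
                result.setdefault(user, set()).update(roles)
    return result


def stale_roles(user, roles_on_user, key_date):
    """Indirect roles present on the user that no position justifies any more."""
    return set(roles_on_user) - expected_roles(key_date).get(user, set())


if __name__ == "__main__":
    key = date(2008, 3, 1)
    print(expected_roles(key))
    print(blockers("50000001", key))
    print(stale_roles("JDOE", {"Z_MSS_MANAGER", "Z_STAFF"}, key))
```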

  • HR-ORG - Indirect Role Assignment

    Hello
    We are designing the role & security strategy in a new implementation project. The best security strategy seems to be an indirect role assignment via SAP organizational structure. We've looked for some information about that, but we have some doubts about it (we have downloaded "HR-ORG - Indirect Role Assignment" and "User & Roles" files from SAPNet).
    The organizational structure will have a lot of leaves named "explotacion". Every leaf will have a different company code, sales organization, sector and so on... On the other hand, it's a requirement that a user automatically obtains its roles when it's moved through the organizational structure.
    Our plan consists of creating several primary roles (for example, sales manager). Then we will create a lot of derived roles which will inherit all authorizations from the parent role. However, it shouldn't inherit organization field values... Then, when this role is assigned to a position, this role should obtain all organizational field values (company code, sector, ...) from our organizational structure.
    Is it possible? How can we do that?
    Best regards,

    As mentioned previously, the indirect role assignment may work in this case since it assigns complete roles to positions rather than inheriting the properties of that position.
    Structural authorisations however, do have specific authorisation values assigned directly to the organisational positions.
    I have not had much experience in implementing these but that may be worth a look.
    Simon

  • Exporting groups including role assignments

    Hello experts,
    we are using EP 7.0 and CRM 5.0.....
    I am facing the following problem in the portal regarding the export / import of groups:
    1) I go to USER ADMINISTRATION > IDENTITY MANAGEMENT
    2) I search for GROUPs by typing in "Z_*" in order to find all our relevant groups.
    3) I get the search result list of our groups and I press SELECT ALL
    4) Now I press export and a little window appears .... just like the process of exporting of groups is described in the SAP Netweaver library.... I can ex-/import the group and the user-assignments...
    But what we would like to do is export and later on import the groups including the role-assignments belonging to the group.
    Prerequisite: The roles and groups already exist in both the target system and in the source system. Only the content of the groups is different.  So we actually want to make a refresh of the groups from one system to another so that the groups will have the same content in both systems again...
    How can I download the groups including the role assignment data so that the assignment information is exported (and later on imported) as well and not lost during the export? This would save us a lot of work and be a lot easier instead of having to adapt the roles contained in the groups manually...
    Thanks for your help in advance!
    Kind regards,
    Hauke


  • Provisioning of roles to ABAP system deletes role assignments in backend

    Hi all,
    following scenario:
    user has role A in an ABAP system which is connected to IDM. Assignment of role A to the user is not in the identity store.
    Now you assign role B via workflow to the user and IDM provisions this new assignment to the ABAP system.
    What will happen is that the user will get role B but assignment of role A will be deleted.
    This happens because in the job "SetABAPRole&ProfileForUser" the connector attribute "roles" will only consist of the role assignments which are in the identity store. All assignments in the ABAP system which are not yet in the IDS will be overwritten.
    This behaviour can be very critical. If you still allow role assignments directly in the backend system and you read these assignments e.g. once a day to the IDS - but in the meantime assignments have been done via workflow - you will lose data.
    My customer wants to assign roles both directly in the system and also by workflow. Every night an ABAP update job runs which writes new assignments to the IDS.
    Do you have any idea how I could solve this? Is there a way NOT to overwrite assignments with the ABAP connector field "roles"? I tried to use multivalue operator but this didn't do the trick.
    I hope I was able to describe my problem properly and you have answers...
    Best regards
    Jörn Kaplan

    No, there is not a way to avoid that IdM replaces the role assignment in ABAP with the current assignments as known by IdM. IdM is the master!
    This is not directly an issue of IdM: The standard BAPIs in ABAP (up to release 7.0) offer "replace all role assignments" but not "add role assignment" or "remove role assignment".
    However, there exists an exception: Role assignments in ABAP which are created indirectly by an HR-ORG assignment are not touched by IdM. (These role assignments are viewed in blue in transaction SU01.)
    See  http://help.sap.com/saphelp_nw70/helpdata/EN/50/e9683c5de8676fe10000000a114084/frameset.htm for details.
    Kind regards
    Frank Buchholz

  • ABAP Role Assignments stored in MSAD

    Hi all,
    unfortunately I have only found contradicting information in relation to the possibility to manage ABAP role assignments using a MS Active Directory.
    We plan to implement a WAS (ABAP) 6.40 SP14, synchronise data between the WAS and the corporate MSAD. While WAS (ABAP) is not capable of MSAD based authentication I suspect it is possible to manage the user/role assignments in MSAD. Am I right in my assumptions (see list below) that the following data entities can/cannot be managed and synchronised/stored with the WAS (ABAP) out of the box?
    WAS ABAP
    1. possible - user master data (e.g. userName, address, etc.)
    2. possible - user/role assignments
    3. not possible - user passwords (however, can be bypassed through SSO based on NTLM)
    Portal UME
    1. possible  - user master data
    2. possible - user password
    3. possible - role/group assignments
    4. possible - group/user assignments
    5. possible - user/group assignments
    6. possible - user/role assignments
    Thanks for the help!!
    Cheers Stefan

    Hi,
    Thanks for the suggestion. But ours was a different problem.
    The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
    During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
    Best regards,
    Ashok

  • Mass Change for Indirect Role Assignment

    Hi all,
    I am in the process of changing the company’s authorisations from a standard SU01 role assignment to a position based indirect role assignment.
    At the moment I am using PFCG going to the Org Mg button under the User tab then attaching the position that way.  Is there a way of assigning more than one role to a position at the same time?
    Is there a Mass Assignment option in PFCG or is there a separate transaction available to make this process quicker??
    Thanks for your help
    Ian

    You can mass-assign people and roles if you go to transaction PPOME instead of PFCG. To make role assignments from PPOME please apply note 578271 first. Be careful whilst implementing this <insert nasty word here> note because some of those view-clusters tend to refuse to load your changes = you can see them, but they don't work - might be you will have to flush table buffers for the changes to take effect.

  • Indirect Role Assignment Within CUA

    Hi Experts,
    We're implementing indirect role assignment in SAP HR and exploring the feasibility of including this client as part of CUA. Has anyone implemented this before? Appreciate if you could share.
    I understand that CUA is able to distribute DIRECT role assignments made from the central client to the child client(s), but I am not so sure if it is possible for the INDIRECT role assignment approach. My previous project excluded the client with indirect role assignment from the CUA distribution landscape and I wonder why.
    Appreciate your input in this matter and looking forward for further discussion.
    Best regards and million thanks in advance.

    Hi,
    So I worked on a CUA managed landscape that had systems that featured indirect org assignment hooked in.  The association between the User ID and the HR org based position was still maintained locally as the local system contained the HR Org structure, but direct access was still blocked by CUA. The roles assigned indirectly were visible from CUA in a different colour.  You can still maintain users directly from CUA on top of this.  This may be an alternative to consider.
    If the local system does not contain the HR Org structure you are probably going to have to export the structure, so if that is the case you might as well import it to CUA if all org relevant users are maintained there and manage it centrally via the advised link anyway.
    Cheers
    Steve

  • CUA sync with child client issue for indirect role assignment.

    Hello Security experts,
    We have an indirect role assignment set up in our ECC environment. There is a synchronization issue from the parent CUA to the child client. The role assignments have been made to role although they are not always reaching target system without having to sync up either the role or the ID's position # manually. This has been an ongoing issue CUA has on any role or user from time to time. Any hint on fixing this issue? Please help.

    Whole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA through Central User Management console - SCUM Transaction.
    CUA has its own pros -
    Central rep, Users Sync, Role Provisioning strategy - Global composites (consists of individual child roles), Distributed model - Provisioning at individual child systems for roles, etc. Central user store, easy maintenance.
    On the contrary - change documents is always a concern (because CUA uses interface IDs or the RFC IDs to push the IDocs from CUA to child system), CUA maintenance while system refresh - Copied distribution models have to be deleted and re-created, system backups have to be defined per your distribution model, password maintenance if defined global then Child systems act as inactive nodes, reading the roles into CUA which are created in childs so as to establish a pointer to that system.
    It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go/No-Go decision on CUA.
    Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the cua standards.
    Rakesh

  • Indirect Role Assignment: Composite roles

    Can anyone shed some light regarding the following scenario:
    We have a user previously assigned to a managerial position and this position is attached to a MSS-composite role in PO13 (through the AG relationship). Now this user has been delimited from that managerial position, and is now assigned to a new position as a normal staff, so he shouldn't have the MSS-composite role anymore. We updated the run in PFUD with HR Org-assignment reconciliation, but we still find the Composite role for Managers in his user master record in SU01.
    What might be wrong?

    > Items to check for before running RHPROFL0:
    > PA Records info for the User
    > ==================
    > 1.  Was the HR check pointer on when the position was delimited?
    > 2.  Is the position truly delimited
    > 3.  Does the IT105/ST0001 match the person's user ID
    > 4.  How many position does this person hold in the PA record
    > 5.  Check if the new position have the correct roles for this person, it might actually have the MSS composite role you are trying to remove access from the user.
    Hi John, thanks for your response to this thread.
    We have not scheduled RHPROFL0 to run. Correct me if I'm wrong, isn't this only needed when PD-profile is used? We are not assigning structural profile through PD-profile in PO13, we do it manually instead in OOSB. Besides, I am not able to run that program anyway, because we have the CUA set to Global, and no indirect role assignment is possible. We can only do the comparison via the HR-org assignment reconciliation in PFUD. Can this be the main reason somehow?
    I also found out that our PRGN_CUST has no entries in it: HR_ORG_ACTIVE is not on. <<--- Does this only need to be switched on if our CUA is set Local? Do I need this?
    Then, my answers below to your questions:
    1. Do you mean the "pink-arrow-up" icon from the old position? Then the answer is yes.
    2. The position itself is not delimited, only the user assignment is. In PPOSE, it shows that the person is assigned to this old position from 01.04.2007 until 31.01.2008. So I guess in that sense, it tells that the position is truly delimited.
    3. Yes
    4. In PA records I can see many records under different validity dates, but they are all records of the new position. The earliest record (the one at the end of the list) was a record attached to a default position and without any organization assignment. Then, in PA > List Organizational Assignment screen, there is a system message that says "Employee has more than one position". --> Does this refer to the non-listed old position? or default position + new position in PA record?
    5. No. The new position is just an ordinary employee without any indirect role assignment.
    We also tried to remove the MSS-composite role from the old position in PO13, but it doesn't make any difference to the user master record in SU01.
    For your reference as well, this is how our US_ACTGR looks like:
    40 > AG > A > 007 >  S
    50 > AG > A > 007 > US
    60 > AG > A > 007 > P
    70 > P > B > 208 > US
    110 > S > A > 008 > *
    Hope this information tells something.
    I appreciate your time and many thanks in advance for your help!

  • What roles assignments for Rights Management?

    System: Adobe LiveCycle Server ES3 system.
    Question and Issue: I need to create a user that is able to manage the settings via the web administrator (adminui) for:
    1. Policies
    2. Documents
    3. Events
    4. Watermarks
    However this user must not have the ability to change the server configuration, key management, etc that is most of the stuff in the "LiveCycle Rights Management->Configuration" page except for "Watermarks".
    I had assigned this user the following Role Assignments:
    1. Rights Management Policy Set Administrator
    2. Rights Management Invite User
    3. Rights Management End User
    4. Rights Management Manage Invited and Local Users
    The above lists works for most part except this user is unable to configure/manage the Watermarks.  The ability to configure/manage Watermarks is critical in our scenario.
    I found that by assigning this user the "Rights Management Super Administrator" role, it would allow this user the "Watermark" capability; however it also allows the user other capabilities that we do not want the user to manage/configure.  I believe the "Rights Manage Configuration" permission gives this role the ability to configure all aspects of the Rights Management. 
    So is there a permission that just allows the user the ability to configure just the "Watermark"?  Is this configuration even possible?
    Regards,
    TS

    Watermark is in the Configuration part of RM UI so as per current implementation there is no such role defined by which a user can configure the Watermark only.
    It is designed as such because only an administrator can change such configuration and create or modify Watermark.

  • Matching ABAP Roles with UME Groups

    Hello,
    we are facing the following issue:
    We are providing Business Warehouse access via NW Portal beside the "normal" ABAP system. Therefore we need to put every new user into a special UME-group. How can we match ABAP-Roles with UME-Groups?
    We just want to assign a single (portal-)role to a user in the ABAP-stack, not another group in the UME. Is this possible?

    Sascha Landowski wrote:
    We did it a little bit different, but that's it. We had an existing portal group with the needed portal roles. We created a new group in reference to an existing ABAP role and gave it the portal roles.
    In fact that's what I had suggested, Sascha. However, it's a very common construct in EP, glad it worked for you.
    Regards

  • Migrating Role Assignments

    Hi Everyone,
    I would like to migrate the role assignments from an SP7 Portal to an SP17 Portal but when exporting the users from the SP7 Portal, I only get the users that have company numbers.  As well, the roles are not migrated if the roles are attached to groups (only roles that are directly attached to the user are exported).
    Any ideas how to get all the users/role assignment migrated?
    Thanks

    Hi Amit,
    As your new Portal is SP 17 and you need to move your roles from SP 7, for that you need to first transport Portal Content (Roles).
    For which the below wiki, which is written by me, will be helpful to you:
    https://www.sdn.sap.com/irj/scn/wiki?path=/display/ep/process%252bof%252bmigrating%252bportal%252bcontent%252bfrom%252bportal%252bto%252banother%252bportal
    Regards
    Pooja
    Edited by: Pooja Gehani on Dec 10, 2008 7:43 AM
