Position based authorisations in CRM

Hi there,
In SAP ECC the user account is assigned against the employee record.  When the employee is assigned against the position it automatically inherits the roles when transaction PFUD is run.
We want to use the same functionality in the CRM environment but find this is not working.
We distribute our org structure using the standard model via message HRMD_ABA and include IT0105 subtype 0001 (User)
We note the distribution assigns the user against the BP employee role created in CRM.  However in PFCG it is the CP that is assigned to the position not the BP
Can you please provide any information to get position based authorisations working in CRM.
Many thanks
Stephen.

>
Mike Ferguson wrote:
> Hello,
>
> So before we go down this path we would like to know how many others have.
>
> We are distributing our OM hierarchy with O, S, AG, and User to BI from ECC so that role assignments that are on the position get pushed to BI.
>
> We run RHPROFL0 in BI to create new users and push roles to the user master record.
>
> Everything is working as expected, however I haven't seen this done anywhere so I can't answer questions about sustainability or stability.
>
> Please provide feedback to this approach if you have experience with it or if you considered implementing and decided against it, please provide your rationale.
>
> We have also looked at using CUA which works for this scenario as well, however would have a larger impact to our implementation from a technical and process perspective.
>
> Thanks,
>
> Mike
Mike,
I don't see any problem with your design except for the double maintenance of new users and possibly of role assignment to positions.
My vote is for the CUA, depending on how you look at it, it might be less work up front and can save a lot of maintenance overhead once implemented.
BI is a child in our CUA, we assign ECC composite role on a position and these composite roles are pointed to BI child roles using variables.  When we run RHPROFL0 in ECC new user will be created in BI if the position has ECC composite role pointed to BI child roles.  Everything is maintained in ECC.

Similar Messages

  • Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

    Hi
    I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
    This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    Any help or suggestions on the above would be appreciated.
    Thanks and Regards
    Arun R

    Hi
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    No, the SAP role is unique to the position it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the sap role directly to the user in SU01/SU01
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    Create user in SU01/SU10 first before creating infotype 105 in PA30.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    When a user's assignment in the org structure changes then you must run RHPROFL0 to update the user assignment to the new position.
    Also the number of days an employee can have access to their previous data is controlled by the parameter called ADAYS - tx OOAC.  SAP currently defaults this to 15 days and this is used to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
    Hope this helps.
    Charmaine

  • Position Based Security

    Hi All,
    How to find out whether the security implemented is position based or role based, and in position based is there any difference in dealing with authorisation changes, compared to role based security.
    Can some one please let me know the information.
    Regards,
    Sandhya

    Hi,
    the difference is on how you assign the roles to users. Position based means that roles are assigned according to the position the user has in the org-structure.
    Roles are assigned to the position and each user who is assigned to the position gets those roles assigned.
    You can identify such roles as they are assigned indirectly (blue colour in SU01 and PFCG(tab users)) and if hr-org is activated and maintained in your system.
    Administrators should know of how they assign roles in your system. Just ask them.
    b.rgds,
    Bernhard

  • Preview of Fixed Position Based eText template displays the formatting

    Hi,
    I am trying to create an EFT template using the eText Fixed Position Based instructions. I copied an existing Fixed Position Based template and made the changes that were needed. When I hit the Preview link, it displays the payments in the formatted template, not in the output that I'm trying to create by using the template.
    Can anyone tell me what step I'm missing? I have created other types of templates and they preview fine.
    Thanks

    There is no difference between DELIMITER_BASED and FIXED_POSITION_BASED
    you can pick up the fixed and convert it into delimiter based,
    allowed columns are MaximumLength,Format,Data,Tag,Comments. delete the rest of the columns.
    And for DELIMITER_BASED templates,After every data field row,you have to insert a delimiter row and put appropriate field delimiters in separate rows between the fields.

  • Role based authorisations in the Integration Directory

    We have built a new PI landscape (Pi 7.11) and worked with our security teams to perfect the various roles. I am now attempting to implement role based authorisations in the ESR & ID so that objects in our QAS and PRD environments can be configured but not deleted or created. I have implemented role based authorisations as per the SAP standard process performing the following actions
    Exchange profile com.sap.aii.ib.util.server.auth.activation was set to true and the Java Stack Restarted.
    I created a role in the ID that allowed editing of any object.
    I assigned the role to my userid in NWA useradmin
    I am unable to edit ANY object in the ID
    When I set the Exchange profile parameter to false I found I was able to edit any object in the ID.
    So it's obvious that the Exchange Profile Parameter does make a difference. However, it doesn't appear as if the role I created is being referenced, even though I assigned it to my account in NWA user admin. It looks like I may be missing some exchange profile parameters. I have the following exchange profiles set:
    IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.util.server.auth.activation (string) = true
    IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.ib.server.acl.enable (boolean) true
    IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.util.server.auth.activation (string) = true
    IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.ib.server.acl.enable (boolean) true
    Any advice you can offer would be appreciated

    Resolved this issue.
    The documentation is confusing but finally found the answer by referring to the SAP XI 3.0 documentation.

  • Template for Position Based Role Generation - Grouping of Transaction

    Hi
    We have almost 3500 Roles. They are all Role based / Transaction Based. We would like to shift it to Position Based Roles.
    Is there any template or high level document which can give you the information regarding the grouping of transaction with respect to module wise like HR, SD, MM, PP etc..
    It should narrow down further to give you info regarding the transactions with respect to the standard positions provided by SAP which we can use it as a baseline and develop on that.
    Any help would be appreciated.
    Thanks and Regards
    Arun

    Hi,
    please have a look at the standard SAP* roles. They are grouped by application and also some are grouped by position. So this may be an entry point for you.
    b.rgds, Bernhard

  • Implementing roles and rules based authorisation with Azure AD

    Hi all,
    I would greatly appreciate some input on feasibility and patterns I should look at for a complex technical requirement that I am currently tasked with designing.
    We have a system that comprises a web and mobile app. In the past we have implemented session based authentication through ADAM and authorisation through custom business rules contained within the applications. The authentication mechanism is in the process of being migrated to Azure AD and authorisation is planned to be moved to Azure AD for our next release.
    Existing authorisation within our web application is already complex. We have users that belong to different groups with a range of permissions such as read, write or admin. Additionally each user is granted access to N customers and also N locations within each customer. We have a requirement that any number of combinations of customers and locations be supported. Users also need to have different permissions for each entity, i.e. read access to customer 1 location 2, write access to customer 4 and administer customer 7. Currently these privileges are maintained within a relational database and enforced as part of each PageLoad(). Essentially this is a combination of roles and rules based authorisation.
    We are struggling to represent this complex matrix structure within Azure AD and efficiently implement the authorisation decision in Azure AD. The driver for this technical requirement is to provide re-usability of the authorisation component to other (as yet unidentified) applications.
    Currently the best option we have come up with is implementing custom attributes for each class of permissions and storing within this 2048 bit field a bitmask that represents whether this permission is granted for a given location (which has a many to one relationship with customer).
    Any help or comment would be gratefully received,
    Phil

    Hi
    When "Advance routing" is used for Task assignment; the task service asserts the following fact types : Task, PreviousOutcome and TaskAction to the rules engine. These facts give all the required info about the task (like outcome of the participant, task stage .. etc)
    Now in the defined ruleset; we can have rules as per our requirement that can extract info from the asserted fact types and assign task to the required/next participant.
    Also note that we write the advance rules for exception cases only.
    For example; let's say all participants have 2 possible Outcomes [COMPLETE, RECHECK]. We have defined the ideal task routing flow as :
    Participant A -> Participant B -> Participant C. This is the flow when all participant selects "COMPLETE"
    Now suppose B selects outcome as "RECHECK" then the task should move back to A. So for this case only we need to write an advance rule.
    Please refer to the code sample at : http://download.oracle.com/technology/sample_code/hwf/workflow-106-IterativeDesign.zip
    Also dev guide : refer to section 28.3.7.2 http://download.oracle.com/docs/cd/E14571_01/integration.1111/e10224/bp_hwfmodel.htm#BABBFEJJ
    Thanks
    Edited by: Kania on May 19, 2010 2:41 AM

  • NEED TO PLACE THE RECORDS POSITION BASED IN THE UNIX APPLICATION SERVER

    HI GURUS,
    My internal table has 5 fields I have to place these 5 fields in the application server(/var/opt...) at position based. Each field has to be placed in a different position in the same row in the application server..
    please help me ....
    reward asure,
    with regards,
    Thambe.

    Hi Thambe,
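    Can you be more clear on your requirement. Find below solution as per my understanding.
    " Fixed-length character buffer: offset/length writes are not allowed on TYPE string.
    DATA: l_data(120) TYPE c.
    " ENCODING is required for TEXT MODE in Unicode programs.
    OPEN DATASET po_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
    CHECK sy-subrc IS INITIAL.
    LOOP AT itab INTO wa.
      CLEAR l_data.
      " Place each field at its fixed column (offsets are zero-based).
      l_data = wa-f1.
      l_data+10(5) = wa-f2.
      l_data+20(10) = wa-f3.
      l_data+50(8) = wa-f4.
      l_data+100(20) = wa-f5.
      " Write one fixed-position record per internal table row.
      TRANSFER l_data TO po_file.
    ENDLOOP.
    CLOSE DATASET po_file.
    In the above code at the time of transfer l_data contains all the 5 fields at the specified positions. You can specify the offsets and positions as per your requirement.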
    Thanks,
    Vinod.

  • User Level Authorization in Position Based Security

    Hi Geeks,
    I'm facing a problem in restricting a user from accessing another user's data.
    Let me give you a picture of my issue.
    I have assigned a position based role to a Position XXXXX, while XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see the data of his own, not other users.
    Can you please let me know how to restrict this.
    <removed_by_moderator>
    Thanks
    Venkat
    Edited by: Julius Bussche on Jun 4, 2009 8:44 AM

    > p_pernr when this object is present, including infotypes in this object allows you to control access to own record only(I), or other employee records only(E) excluding own.
    Stated like that it could still be misleading.
    E does not grant access to other employees' records. It only means that if the user already has access to other employees' records (via P_ORGIN...), then this authorization will exclude their own personnel number from that authorization, even though they have the access.
    This can be useful, for example to prevent the HR department from changing their own basic pay without stopping them from giving you a raise or a bonus...
    Cheers,
    Julius
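
The P_PERNR behaviour Julius describes, as an added example that is not part of the original thread and not SAP's own code: a simplified Python model in which `may_access`, `demo` and the personnel numbers are hypothetical and only infotype and authorization level are compared. That an E entry wins over an I entry for the same record is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class POrgin:
    """General HR master data authorization, reduced to two fields."""
    infty: str  # infotype, "*" = any
    authc: str  # authorization level such as "R" or "W", "*" = any


@dataclass(frozen=True)
class PPernr:
    """Own-record authorization; psign "I" includes, "E" excludes the own PERNR."""
    infty: str
    authc: str
    psign: str


def _covers(auth, infty, authc):
    # Exact match or wildcard; no implied levels in this simplified model.
    return auth.infty in ("*", infty) and auth.authc in ("*", authc)


def may_access(user_pernr, target_pernr, infty, authc, p_orgin, p_pernr):
    """Decide access to target_pernr's infotype record for the given level."""
    if user_pernr == target_pernr:
        own = [a for a in p_pernr if _covers(a, infty, authc)]
        # Assumption of this model: E takes precedence if both signs match.
        if any(a.psign == "E" for a in own):
            return False  # own record carved out of whatever P_ORGIN grants
        if any(a.psign == "I" for a in own):
            return True   # own record granted without any P_ORGIN
    # P_PERNR never decides about other employees; only P_ORGIN does.
    return any(_covers(a, infty, authc) for a in p_orgin)


def demo():
    # Constructed sample users; infotype 0008 stands for basic pay.
    clerk = dict(user_pernr="1000",
                 p_orgin=[POrgin("0008", "*")],
                 p_pernr=[PPernr("0008", "W", "E")])
    employee = dict(user_pernr="3000",
                    p_orgin=[],
                    p_pernr=[PPernr("0002", "R", "I")])
    e_only = dict(user_pernr="4000",
                  p_orgin=[],
                  p_pernr=[PPernr("*", "*", "E")])
    return {
        "clerk_writes_other_pay": may_access(
            target_pernr="2000", infty="0008", authc="W", **clerk),
        "clerk_writes_own_pay": may_access(
            target_pernr="1000", infty="0008", authc="W", **clerk),
        "clerk_reads_own_pay": may_access(
            target_pernr="1000", infty="0008", authc="R", **clerk),
        "employee_reads_own": may_access(
            target_pernr="3000", infty="0002", authc="R", **employee),
        "employee_reads_other": may_access(
            target_pernr="2000", infty="0002", authc="R", **employee),
        "e_only_reads_other": may_access(
            target_pernr="2000", infty="0002", authc="R", **e_only),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```
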

  • Is there any difference in upgrade for position based security model

    Hello Gurus,
    I am working on an upgrade project from 4.6c to ECC6.0. In the 4.6C R/3 system the position based security concept is used.
    Are there any extra precautions that need to be taken while upgrading in a position based security model ?
    Or
    Is it the same procedure whether it is a role based security model or a position based security model.
    I am new to this upgrade stuff, please kindly direct me in the right direction.
    Also please provide if any documents are available.
    Thanks,
    Sanketh.

    Hi,
    Already there are many documents posted on SDN on the same. Security upgrade is standard and mostly deals with role modification and can you elaborate more on Position based. Position related assignment is also taken care of with the respective functional team, for ex: HR and technical team Workflow if there are any issues.
    Better you go through the upgrade document. See posts already available in the forum before starting with the upgrade.
    Experts correct me in case of correction.

  • Question: client-based synchronization from CRM to lotus-notes

    hi, expert
    there's a requirement to configure the activity of client-based synchronization from CRM to lotus-notes.
    I can only find the path to "client-based synchronization" in IMG,but I have no idea about how to implement the activity
    synchronization. I don't know the steps or conditions both in CRM activity management configuration and lotus-notes
    configuration.
    Could anybody help and guide me?
    sincerely Claud

    do the following steps:
    1. create transaction type for activity in spro>crm>transactions>basic settings>define transaction types
    2. define synchronization settings under spro>crm>crm middleware and related components>client-based groupware integration>settings for client-based synchronization. here define values for:
    - Default process type for new tasks(DEFAULT_TASK_PROC_TYPE)  
    - Text type for the task notes(DEFAULT_TASK_TEXTTYPE) 
    - Status code for the Status "Open"(DEFAULT_TASK_OPEN)  
    - Status code for the Status "In process"(DEFAULT_TASK_INPROCESS)  
    - Status code for the Status "Completed"(DEFAULT_TASK_COMPLETED)  
    - Status code for the Status "Cancelled"(DEFAULT_TASK_CANCELLED)  
    3. go to spro>crm>basic settings>one-to one e-mail>Define Multipart E-Mail Option and Groupware Integration - here define lotus notes
    4. install groupware integration component - in personalization of web ui
    5. edit synchronization settings - in personalization of web ui
    Regards.

  • IDM, GRC and position based security

    We use position based security in our ERP system and are implementing GRC.  In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs.  We have this functionality working in QAS by implementing CUA, but we are considering if IDM can be used instead.  There seems to be much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
    Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and a user on another?     
    How can IdM be configured to react to a position change and update the roles appropriately?
    Has anyone implemented GRC and IDM with position based security?
    Regards,
    Wayne

    Hi Wayne,
    In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
    You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
    I've attended Teched, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.
    So in HCM the position of a user changes (e.g. promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
    This is all theory though, I'm just getting started with IdM myself.
    Kind regards,
    Dagwin

  • Employee/Supervisor and position based hierarchy combination

    Hi All,
    Can Employee/Supervisor and position based approval hierarchy used in the same Business Group? If I have OU1 and OU2 belonging to BG1. Can OU1 use employee supervisor and OU2 use position based?
    Please throw some light on this setup and limitations.
    Regards,
    Praveen

    Setup-->Financial Options-->Human Resources tab -->Use Approval Hierarchies check box. If you check uses approval hierarchies based on positions if not uses the employee hierarchy (supervisor in employee).
    Thanks
    Nagamohan

  • Does auto provisioning work with position based security

    We are implementing GRC 5.3 and use position based security.  I am able to run risk analysis for position based security but now we want to use CUP and push our roles to the positions.  And finally we want to associate the user to the position.  We want to do all of this through GRC.  Is this possible?
    Thanks!

    Peggy,
       For this to work, click on the tab (on top) which says by system. Here you can set up autoprovisioning by system. If you have 5.2, I don't know if this is available or not but it is available in 5.3.
    Regards,
    Alpesh

  • MSS Substitution - Position Based and Change Fields

    Hi Experts,
    We are on EHP7 and using NWBC (POWL) for work items. We have set up position based substitution. But when the user logs in, he/she doesn't see the work items of the other user. We have set up A210 relationships between positions. Do we need to set up anything else?
    Second Question,
    On MSS when we set-up substitution, it shows Assignee -  PERNR not User Name. How can we change the fields to show User Name instead of PERNR?
    Regards,
    Ashish

    We would like to see User Name instead of User IDs as Manager may not remember person with User IDs. In this scenario, substitution created from Manage Substitution Rules (Create Rules). In Assignee field it shows User ID and we would like to see User Name.
    Regards,
    Ashish
