Position Based Security

Hi All,
How can I find out whether the security implemented is position based or role based? And in position based security, is there any difference in dealing with authorisation changes compared to role based security?
Can someone please let me know the information.
Regards,
Sandhya

Hi,
The difference is in how you assign the roles to users. Position based means that roles are assigned according to the position the user has in the org-structure.
Roles are assigned to the position and each user who is assigned to the position gets those roles assigned.
You can identify such roles as they are assigned indirectly (blue colour in SU01 and PFCG(tab users)) and if hr-org is activated and maintained in your system.
Administrators should know how they assign roles in your system. Just ask them.
b.rgds,
Bernhard

Similar Messages

  • Is there any difference in upgrade for position based security model

    Hello Gurus,
    I am working on an upgrade project from 4.6C to ECC 6.0. In the 4.6C R/3 system, a position based security concept is used.
    Are there any extra precautions that need to be taken while upgrading in a position based security model?
    Or
    is it the same procedure whether it is a role based security model or a position based security model?
    I am new to this upgrade stuff, please kindly direct me in the right direction.
    Also please provide if any documents are available.
    Thanks,
    Sanketh.

    Hi,
    There are already many documents posted on SDN on the same topic. A security upgrade is standard and mostly deals with role modification. Can you elaborate more on position based? Position related assignments are also taken care of with the respective functional team, for example HR, and the technical team (Workflow), if there are any issues.
    Better that you go through the upgrade document. See the posts already available in the forum before starting with the upgrade.
    Experts correct me in case of correction.

  • IDM, GRC and position based security

    We use position based security in our ERP system and are implementing GRC. In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs. We have this functionality working in QAS by implementing CUA, but we are considering if IDM can be used instead. There seems to be much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
    Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and a user on another?
    How can IdM be configured to react to a position change and update the roles appropriately?
    Has anyone implemented GRC and IDM with position based security?
    Regards,
    Wayne

    Hi Wayne,
    In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
    You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
    I've attended Teched, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.
    So in HCM the position of a user changes (e.g. promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
    This is all theory though, I'm just getting started with IdM myself.
    Kind regards,
    Dagwin

  • Does auto provisioning work with position based security

    We are implementing GRC 5.3 and use position based security.  I am able to run risk analysis for position based security but now we want to use CUP and push our roles to the positions.  And finally we want to associate the user to the position.  We want to do all of this through GRC.  Is this possible?
    Thanks!

    Peggy,
       For this to work, click on the tab (on top) which says by system. Here you can set up autoprovisioning by system. If you have 5.2, I don't know if this is available or not but it is available in 5.3.
    Regards,
    Alpesh

  • User Level Authorization in Position Based Security

    Hi Geeks,
    I'm facing a problem in restricting a user from accessing another user's data.
    Let me give you a picture of my issue.
    I have assigned a position based role to a Position XXXXX, while XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see the data of his own, not other users.
    Can you please let me know how to restrict this.
    <removed_by_moderator>
    Thanks
    Venkat
    Edited by: Julius Bussche on Jun 4, 2009 8:44 AM

    > p_pernr when this object is present, including infotypes in this object allows you to control access to own record only(I), or other employee records only(E) excluding own.
    Stated like that it could still be misleading.
    E does not grant access to other employees' records. It only means that if the user already has access to other employees' records (via P_ORGIN...), then this authorization will exclude their own personnel number from that authorization, even though they have the access.
    This can be useful, for example to prevent the HR department from changing their own basic pay without stopping them from giving you a raise or a bonus...
    Cheers,
    Julius

  • SAP IDM position based security with user in multiple positions

    Hi,
    In case of Higher Duties, we have a scenario where a user can have multiple positions with access to the business roles of both the positions.
    The design is to have one business role assigned to one position so that the user can have all the access he requires.
    In case of higher duties, we see an exception.
    Has anyone implemented such a scenario?
    Inputs/advices are much valued.
    Thanks
    Chaitanya

    Hi Chaitanya,
    Is it possible to assign more than one position to an employee in HCM?
    If so, there are many ways of dealing with that from the IDM side. I don't know precisely your business requirement, what you need to maintain and what should be dynamic, but I can suggest that you:
    1. Translate every position you receive from HR to a Business role and assign as many Business roles you want to the same user.
    From HCM you will receive :
    Employee :
    - Z_POSITION_ID1 :1
    - Z_POSITION_ID2 : 2
    In IDM
    Employee
    - Member of BR1
    - Member of BR2
    2. If you have a lot of attributes related to the HR position on the user (link user-position) to maintain, then create a custom object in IDM (entrytype Z_POSITION).
    You will be able to manage relations much more easily than with a simple relation (one-to-one attribute).
    Otherwise, it is worth looking over this blog for the general design of HCM integration:
    How to optimize identities’ lifecycle management in your information system using SAP HR events?
    Fadoua

  • Using Position Based Security with BI

    Hi
    Has anyone been involved in an implementation where you can assign BI roles to Positions (organisational structure maintained in R/3).  If so, what configuration is involved?

    Hi,
    After replying I realised that this may not be answering your question exactly, but it is the approach that I would adopt.
    Not sure if it is feasible for your landscape, but I would use a CUA for this approach - in the long run I find it to be a good approach, especially if you are adding more SAP applications to your landscape.
    Firstly, set-up ALE for the org structure from R/3 to your CUA client.
    I would then create composite roles in the CUA client, which include roles for both R/3 and BI. These would then be assigned to the positions in the HR Org structure.
    To create the composite roles, read roles into your CUA client via RFC - note that this is not the text comparison for CUA, but reading roles from other systems via RFC through PFCG. Once you read the roles in you will notice that the RFC destination is maintained in the menu tab of roles that have been imported. Then when you create the composite roles containing R/3 and BI roles you will see that the target system is maintained. If you use the variable mentioned below, it achieves the same thing but makes future maintenance easier.
    Creating the composite roles does mean additional maintenance upfront, but before you begin I would make use of the table SSM_RFC. Through this you could assign a variable to a RFC destination, you can use the same variable name in DEV, QA & PRD but have different RFC destinations allocated. This means that you can transport roles from the DEV CUA to PRD CUA without having to maintain the roles.
    In CUA you would need to set the role distribution properties to global in transaction SCUM.
    When you assign a composite role to a user in CUA you will notice that it will complete all the system assignments as defined in your composite role. If you allocate to a position, then it would do the same thing provided the IT105 is maintained for the employee and the position assignment is valid - once you run the user compare it will update the user master and distribute.
    I hope that provides you with some ideas.....
    Regards
    Edited by: S Morar on Apr 10, 2008 1:23 PM

  • HCM Position based security: any transition period?

    Hello Gurus, If a person is transferred from one position to another, the next time the RHPROFL0 job runs, it will remove all the old position's roles and assign the new ones it finds from the new position; is it possible to have a transition period(e.g. 15 or 30 days) where the user can have both the old and new roles?
    The Structural PD profiles do have an option to support this but is there a way to do this for all normal ABAP roles assigned to the Positions using the relationship infotype?
    Thanks,
    Arya

    Hi Arya
    Yes..this is possible by using the structural switch - AUTSW ADAYS. This switch is used to specify the tolerance time for authorization check in the event of org or position change. I think by default the switch is off.(not sure). If you do not want user to lose old authorization during the transition period you can activate the switch (I think default is 15 calendar days).
    Hope this helps
    Regards
    Santosh kumar

  • MOAC / "Org-Based" Security

    Hello,
    I'm developing custom pl/sql for submitting concurrent requests/sets. For reference, here is what my initialization 'block' looks like in the pl/sql:
    apps.fnd_global.apps_initialize(user_id, resp_id, app_id);
    apps.mo_global.set_policy_context('M');
    apps.mo_global.init(appShortName);
    (or)
    apps.fnd_global.apps_initialize(user_id, resp_id, app_id);
    apps.mo_global.set_policy_context('S', org_id);
    apps.mo_global.init(appShortName);
    (depending on whether the user chooses a 'multi-org' context or 'single-org' context)
    I just have a few general questions.
    1) Is the "mo_global.set_policy_context" followed by "mo_global.init" proper form?
    2) I understand that if you choose multi-org (set_policy_context('M')), it reads the 'fnd_global.apps_initialize'd user's "allowed orgs" from his profile options (I forget the exact ones at this moment). Is this correct?
    3) Is the sole purpose of "multi-org" security for performing multiple operations on multiple orgs without having to switch responsibility?
    4) Most importantly (saved this one for last), I'm reading about the various different kinds of security (namely, http://docs.oracle.com/cd/E14223_01/bia.796/e14219/security.htm#BGBIFAIG):
    Operating Unit Org-Based security
    Inventory Org-Based Security
    Company Org-Based Security
    Business Group Org-Based Security
    HR Org-based Security
    Payables Org-Based Security
    Receivables Org-Based Security
    SetID-Based Security
    Position-Based Security
    Ledger-Based Security
    My question is, are all of these various "securities" all managed with organizations? In other words, will my code (above) enable users to use ANY of these different kinds of security, if they so choose?

    Hey so seeing as this question hasn't really been answered yet I figure I'll give it another go.
    I'm going to be very specific this time:
    I run PL/SQL scripts against the EBS database in order to do things like schedule requests/request-sets. The first thing I do (always) is initialize the apps context:
    apps.fnd_global.apps_initialize(u_id, r_id, a_id);
    Next, depending on the situation (still unsure when/why, but whatever), we initialize the org context. This is done by performing exactly one of the following steps.
    apps.mo_global.set_policy_context('M', null);
    OR
    apps.mo_global.set_policy_context('S', org_id);
    OR
    apps.mo_global.init('appname');
    Now, the ORG_ID comes from this statement:
    SELECT organization_id FROM apps.org_organization_definitions2 WHERE organization_name = 'blah'
    Again, I don't know why/when we need to do this or apparently what any of these things do but it's kind of beyond the scope of what I do. SOMEBODY chooses one of these, depending on their mood (or whatever factors :) ). Based on my model, the following are the possibilities thus far:
    apps.fnd_global.apps_initialize(u_id, r_id, a_id);
    OR
    apps.fnd_global.apps_initialize(u_id, r_id, a_id);
    apps.mo_global.set_policy_context('M', null);
    OR
    apps.fnd_global.apps_initialize(u_id, r_id, a_id);
    apps.mo_global.set_policy_context('S', org_id);
    OR
    apps.fnd_global.apps_initialize(u_id, r_id, a_id);
    apps.mo_global.init('appname');
    After this, I use
    apps.fnd_submit.submit_program('appName','progName','STAGEXYZ', args); <-- however many times I need
    apps.fnd_submit.set_request_set('appname','requestSetName');
    OR
    apps.fnd_request.submit_request('appName','progName','description',starttime,FALSE, args);
    My question is twofold:
    1) Is this model generic enough? In other words, without doing anything extra, will people be able to do pretty much everything you could think of, at least in terms of running concurrent requests / sets? Will I ever - EVER - need to chain "set_policy_context" with "init"? <-- I would really love a yes/no answer because I am in no way/shape/form an EBS expert. I've read all the docs that I've been presented with thus far but I haven't found a straight answer to this yet.
    2) I understand there are all different kinds of "org-based" security. Could I use my current code to initialize an inv_org, for example? If not, where could I turn for help? Are there other tables I should use for inv_orgs, hr_orgs, etc?
    THANKS! YOU ARE THE BEST!

  • Compliance Calibrator 5.2 and position based user role provisioning

    Hi
    We have position based security in place... I was just wondering if CC 5.2 can do SOD analysis in position based security also?

    Hi parveen,
    To do HR risk analysis, perform the following steps:
    To execute this scenario, try to get help from an HR consultant.
    1-Go to SAP System>Execute PPSC transaction>create Position.
    2-Now execute PO13 transaction-->select that position assigned role (contains some risk violation) to that position.
    3-Now in CC, go to informer tab>Risk analysis>HR Objects-->execute report with the following key parameters
        i)System:-any sap system
        ii)Analysis Type :-Object security only
        iii) Object Type:Position
        iv)Rule Set: *
    Now you can perform risk analysis at position level.
    Regards,
    Jagat

  • Using container managed form-based security in JSF

    h1. Using container managed, form-based security in a JSF web app.
    A Practical Solution
    h2. But first, some background on the problem
    The Form components available in JSF will not let you specify the target action, everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this 2 years old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
    In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
    h2. Step 1: Configure the Security Realm in the Web App Container
    What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principals*" that are defined to interact with your application. A security principal is basically just a user of the system that is defined by three fields:
    - Username
    - Group
    - Password
    The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
    1. Start up your app server and log into the admin interface (http://localhost:4848)
    2. Drill down into Configuration > Security > Realms.
    3. Here you will see the default realms defined on the server. Drill down into the file realm.
    4. There is no need to change any of the default settings. Click the Manage Users button.
    5. Create a new user by entering username/password.
    Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more useful in a real app.
    I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
    That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
    TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
    h2. Step 2: Create the project
    Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
    1. Start by creating a new Visual Web JSF project.
    2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
    h2. Step 3: Create the JSF and JSP files
    In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
    1. login.jsp (A Visual Web JSF file)
    2. loginproxy.jspx (A plain JSPX file)
    3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
    Code follows for each of the files:
    h3. First we need to add a navigation rule to faces-config.xml:
    <navigation-rule>
        <from-view-id>/login.jsp</from-view-id>
        <navigation-case>
            <from-outcome>loginproxy</from-outcome>
            <to-view-id>/loginproxy.jspx</to-view-id>
        </navigation-case>
    </navigation-rule>
    NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
    h3. login.jsp -- A very simple Visual Web JSF file with two input fields and a button:
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root version="2.1"
              xmlns:f="http://java.sun.com/jsf/core"
              xmlns:h="http://java.sun.com/jsf/html"
              xmlns:jsp="http://java.sun.com/JSP/Page"
              xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
        <jsp:directive.page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"/>
        <f:view>
            <webuijsf:page id="page1">
                <webuijsf:html id="html1">
                    <webuijsf:head id="head1">
                        <webuijsf:link id="link1" url="/resources/stylesheet.css"/>
                    </webuijsf:head>
                    <webuijsf:body id="body1" style="-rave-layout: grid">
                        <webuijsf:form id="form1">
                            <webuijsf:textField binding="#{login.username}" id="username"
                                style="position: absolute; left: 216px; top: 96px"/>
                            <webuijsf:passwordField binding="#{login.password}" id="password"
                                style="left: 216px; top: 144px; position: absolute"/>
                            <webuijsf:button actionExpression="#{login.button1_action}" id="button1"
                                style="position: absolute; left: 216px; top: 216px" text="GO"/>
                        </webuijsf:form>
                    </webuijsf:body>
                </webuijsf:html>
            </webuijsf:page>
        </f:view>
    </jsp:root>
    h3. login.java -- implement the button1_action() method in the login.java backing bean
    public String button1_action() {
        // Copy the submitted credentials into request scope for loginproxy.jspx
        setValue("#{requestScope.username}", (String) username.getValue());
        setValue("#{requestScope.password}", (String) password.getValue());
        // Matches the navigation case declared in faces-config.xml
        return "loginproxy";
    }
    h3. loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0">
        <jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
                    doctype-system="http://www.w3.org/TR/html4/loose.dtd"
                    doctype-public="-//W3C//DTD HTML 4.01 Transitional//EN"/>
        <jsp:directive.page contentType="text/html" pageEncoding="UTF-8"/>
        <html>
            <head>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
                <title>Logging in...</title>
            </head>
            <!-- The hidden form is posted to the container's j_security_check as soon as the page loads -->
            <body onload="document.forms[0].submit()">
                <form action="j_security_check" method="POST">
                    <input type="hidden" name="j_username" value="${requestScope.username}" />
                    <input type="hidden" name="j_password" value="${requestScope.password}" />
                </form>
            </body>
        </html>
    </jsp:root>
    {code}
    h3. secure/securepage.jsp -- A simple JSF target page, placed in the secure folder to test access
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root version="2.1"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
    <jsp:directive.page
    contentType="text/html;charset=UTF-8"
    pageEncoding="UTF-8"/>
    <f:view>
    <webuijsf:page
    id="page1">
    <webuijsf:html id="html1">
    <webuijsf:head id="head1">
    <webuijsf:link id="link1"
    url="/resources/stylesheet.css"/>
    </webuijsf:head>
    <webuijsf:body id="body1" style="-rave-layout: grid">
    <webuijsf:form id="form1">
    <webuijsf:staticText id="staticText1" style="position:
    absolute; left: 168px; top: 144px" text="A Secure Page"/>
    </webuijsf:form>
    </webuijsf:body>
    </webuijsf:html>
    </webuijsf:page>
    </f:view>
    </jsp:root>
    {code}
    h2. Step 4: Configure Declarative Security
    This type of security is called +declarative+ because it is not configured programmatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and java framework) already has the implementation to make everything work for you.
    *web.xml will be used to define:*
    - Type of security - We will be using "form based". The loginpage.jsp we created will be set as both the login and error page.
    - Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
    - Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
    *sun-web.xml will be used to define:*
    - This is where you map a Role to the Users or Groups that are allowed to use it.
    +I know this is confusing the first time, but basically it works like this:+
    *Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
    h3. web.xml -- here's the relevant section:
    {code}
    <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <description/>
    <url-pattern>/faces/secure/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>HEAD</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
    <description/>
    <role-name>User</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name/>
    <form-login-config>
    <form-login-page>/faces/login.jsp</form-login-page>
    <form-error-page>/faces/login.jsp</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <description/>
    <role-name>User</role-name>
    </security-role>
    {code}
    h3. sun-web.xml -- here's the relevant section:
    {code}
    <security-role-mapping>
    <role-name>User</role-name>
    <group-name>Users</group-name>
    </security-role-mapping>
    {code}
    h3. Almost done!!!
    h2. Step 5: A couple of minor "Gotcha's"
    h3. Gotcha #1
    You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself .
    h3. Gotcha #2
    Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
    *DONE!!!*
    h2. Here's how it works:
    1. The user requests a page from your context (http://localhost/MyLogin/)
    2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
    3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
    4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
    5. The user enters username and password and clicks a button to submit.
    6. The button's action method stores away the username and password in the request scope.
    7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
    8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
    9. The hidden username and password fields grab the username and password variables from the request scope.
    10. The loginproxy page is automatically submitted with the magic action "j_security_check"
    11. j_security_check notifies the container that authentication needs to be intercepted and handled.
    12. The container authenticates the user credentials.
    13. If the credentials fail, the container forwards the request to the login.jsp page.
    14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
    +Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
    +The user is now at the secure welcome page.+
    If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
    Kerry Randolph

    If you want login security on your web app, this is one way to do it (the easiest way I have seen).
    This method allows you to create a custom login form and error page using JSF.
    The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
    This example uses a statically defined user/password, stored in a file, but you can also configure a JDBC realm in Glassfish, so that users can register for access and your program can store the username/password in a database.
    I'm new to programming, so none of this may be a good practice, or may not be secure at all.
    I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
    Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
    So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
    --Kerry
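
An added check, not part of the original post: under the Servlet specification a `<web-resource-collection>` that lists `<http-method>` elements constrains only those methods, so the posted web.xml leaves any unlisted method on /faces/secure/* outside the constraint, and it declares no transport guarantee for the FORM login. The Python script below audits a web.xml for both gaps; `audit_web_xml`, the finding codes, the `<web-app>` wrapper and the hardened variant are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

Finding = namedtuple("Finding", "code url_patterns detail")

# Methods reported as uncovered; extension methods are uncovered the same way.
KNOWN_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"]

# Security section as posted, wrapped in a constructed <web-app> root so it
# parses; the empty <description/> and <realm-name/> elements are dropped.
POSTED = """<web-app>
  <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <url-pattern>/faces/secure/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
      <http-method>HEAD</http-method><http-method>PUT</http-method>
      <http-method>OPTIONS</http-method><http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>User</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/faces/login.jsp</form-login-page>
      <form-error-page>/faces/login.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>User</role-name></security-role>
</web-app>"""

# Constructed hardened variant: no <http-method> list, so the constraint applies
# to every method, plus a CONFIDENTIAL guarantee so the container requires TLS.
HARDENED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <url-pattern>/faces/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>User</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/faces/login.jsp</form-login-page>
      <form-error-page>/faces/login.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>User</role-name></security-role>
</web-app>"""


def _texts(parent, path):
    """Stripped, non-empty text of every element matching path."""
    return [e.text.strip() for e in parent.findall(path) if e.text and e.text.strip()]


def audit_web_xml(xml_text):
    """Return Findings for method-coverage, transport and role-declaration gaps."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop XML namespaces so the plain paths below match
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared_roles = set(_texts(root, "security-role/role-name"))
    # Servlet 3.1+ only: denies every method that no constraint names.
    deny_uncovered = root.find("deny-uncovered-http-methods") is not None
    findings = []
    for sc in root.findall("security-constraint"):
        patterns = tuple(_texts(sc, "web-resource-collection/url-pattern"))
        for wrc in sc.findall("web-resource-collection"):
            listed = set(_texts(wrc, "http-method"))
            # A collection that names methods constrains only those methods.
            if listed and not deny_uncovered:
                missing = [m for m in KNOWN_METHODS if m not in listed]
                findings.append(Finding(
                    "uncovered-methods", patterns,
                    "not covered: " + ", ".join(missing + ["any extension method"])))
        guarantee = _texts(sc, "user-data-constraint/transport-guarantee")
        if sc.find("auth-constraint") is not None and "CONFIDENTIAL" not in guarantee:
            findings.append(Finding("no-transport-guarantee", patterns,
                                    "container does not require TLS for these URLs"))
        for role in _texts(sc, "auth-constraint/role-name"):
            if role not in declared_roles and role not in ("*", "**"):
                findings.append(Finding("undeclared-role", patterns, role))
    return findings


if __name__ == "__main__":
    for name, doc in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, [(f.code, f.detail) for f in audit_web_xml(doc)] or "no findings")
```

`<deny-uncovered-http-methods/>` exists only from Servlet 3.1 onward; on an older container such as the Glassfish v2 used in the post, dropping the `<http-method>` list is the way to cover every method.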
                                                                                                                                                                                                                                                                                                                                                                                                                              

  • 4 tiered security vs. task based security design

    I have recently joined a company that has only FICO implemented.  They are currently ramping up to implement all modules globally.
    The current security model is 4 tiered security approach, in other words, there are 4 single roles which are rolled up into a composite depending on what your position is in the hierarchy.  For example, an end user AP Clerk will get the basic role and probably one other.  The AP clerk's boss would get those 2 roles plus one other role and so on.   Because the security is not very granular,  they have a huge amount of mitigating controls in GRC to pass the yearly audits.
    Most companies I have worked at are changing to a task based security approach to make the security more granular and therefore easier to manage and manipulate (for want of a better word) and possibly eliminate having to create and maintain a huge number of mitigating controls.  Task single roles would be added to a composite per job position.
    My question is, which version would be the SAP best practice approach?  The 4 tiered approach is easier up front but a lot more maintenance going forward.  The task based approach is a lot of work up front but less maintenance going forward.
    No matter what road we take, there may also be derived roles thrown into the mix!
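
    The trade-off raised in this post, modelled as an added example (not part of the original post and not SAP code): every task name, tier content and SoD rule below is constructed. It counts the SoD rule violations a position picks up when it receives cumulative tier roles versus only the task roles it needs; each violation is one that would need remediation or a mitigating control.

```python
# Added illustration: all role contents and SoD rules below are constructed.

# Cumulative tier roles: a higher position receives every lower tier as well.
TIERS = [
    {"display_invoice", "display_vendor"},            # tier 1: basic role
    {"post_invoice", "park_invoice"},                 # tier 2
    {"maintain_vendor", "release_blocked_invoice"},   # tier 3
    {"run_payment", "change_bank_details"},           # tier 4
]

# Task pairs that one person should not hold together (constructed rule set).
SOD_RULES = {
    frozenset({"maintain_vendor", "post_invoice"}),
    frozenset({"post_invoice", "run_payment"}),
    frozenset({"change_bank_details", "run_payment"}),
    frozenset({"maintain_vendor", "run_payment"}),
}

# Tasks each job position actually needs (constructed).
POSITION_TASKS = {
    "AP Clerk": {"display_invoice", "display_vendor", "post_invoice"},
    "AP Supervisor": {"display_invoice", "display_vendor", "release_blocked_invoice"},
    "Payment Officer": {"display_invoice", "run_payment"},
}

def tiered_access(needed):
    """Grant tiers 1..k, where k is the lowest tier count covering all needed tasks."""
    granted = set()
    for tier in TIERS:
        granted |= tier
        if needed <= granted:
            return granted
    raise ValueError("tasks not covered by any tier")

def sod_conflicts(tasks):
    """Return the SoD rules violated by a set of tasks."""
    return {rule for rule in SOD_RULES if rule <= tasks}

def compare():
    """Per position: (conflicts under tiered model, conflicts under task model)."""
    return {
        pos: (len(sod_conflicts(tiered_access(needed))), len(sod_conflicts(set(needed))))
        for pos, needed in POSITION_TASKS.items()
    }

if __name__ == "__main__":
    for position, counts in compare().items():
        print(position, counts)
```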

    @Lovin_JV_941794
    The welcome page is publicly available since it does not have appropriate PageDef file.
    Login page comes not from the welcome page, it comes after attempt to access the test page. So after the login succeeded the test page appears, because redirect to welcome page after successful login is not configured. I do not need to return the welcome page at this moment, I need to go to the test page.
    It seems the task flow call stack to be destroyed after redirect to login page.
    Edited by: user13307311 on Apr 17, 2013 12:45 AM

  • HR Position Base Security Discussion

    Hello all,
    We all know the beauty of using HR position base security vs manual role assignments to user IDs.  Roles are automatically assigned and removed during a move with HR position base security.
    Recently a question came up regarding HR position base security and I have a few ideas on how to address the question but I'm just curious how some of you have dealt with this issue.  This thread will be more of a discussion than a question.
    Issue/Example in regards to HR position base security:
    User-A is in position#1 and has been granted access to SAP after successfully completing SAP Accountant Training.
    Position#1 has the following roles:
    Z-Accountant
    Position#2 has the following roles:
    Z-Finance-Director
    If User-A got a promotion and is moved to position#2, he will automatically inherit Z-Finance-Director and assignment Z-Accountant will be removed. 
    How can you justify assigning Z-Finance-Director even though User-A did not take the SAP Finance Director training?
    Your response will be appreciated.
    Regards,
    John N.

    >
    Morten Nielsen wrote:
    > Hello John
    >
    > Well at the end of the day the roles are always assigned to the user.
    >
    > But what you can do is create a relation between the Role and an entity in your HR-OM System. Based on that, and an evaluation path, you can retrieve the required role for the user and let the workflow assign it automatically. (You might need a HR consultant to help you out here).
    >
    > So in fact you can decide if you want to map the roles to a Position, an organizational unit, a Job etc. (but as always it's a good idea to decide on a strategy otherwise it can end up in a big mess )
    >
    > regards
    > Morten Nielsen
    Morten,
    If we decide to assign the roles to the HR position after the completion of the workflow it should assign the roles to the UMR (using RHPROFL0 & PFUD) automatically which is great.  But now that the roles are assigned to the position aren't we back on the same vicious cycle of a user automatically inheriting roles on the position and at times not having training on the roles automatically assigned?
    Perhaps I just need to research the following that you mentioned.
    >
    Morten Nielsen wrote:
    >
    > But what you can do is create a relation between the Role and an entity in your HR-OM System. Based on that, and an evaluation path, you can retrieve the required role for the user and let the workflow assign it automatically. (You might need a HR consultant to help you out here).
    >
    > regards
    > Morten Nielsen
    Again thanks for the suggestion.
    Regards,
    -John N.
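
    The training gap discussed in this thread, as an added example (not part of the original posts and not SAP code): it models a position move as a role delta, holds back roles whose prerequisite course is missing, and audits users who already inherited such a role. Position and role names come from John's example; the role-to-course mapping and all user data are constructed assumptions.

```python
# Added example. Role and position names come from the post above;
# the course mapping and all user data are constructed.
POSITION_ROLES = {
    "position#1": {"Z-Accountant"},
    "position#2": {"Z-Finance-Director"},
}
# Assumption: each role has one prerequisite course (hypothetical mapping).
ROLE_TRAINING = {
    "Z-Accountant": "SAP Accountant Training",
    "Z-Finance-Director": "SAP Finance Director Training",
}

def missing_training(roles, completed):
    """Map each role to its prerequisite course if the user has not completed it."""
    return {r: ROLE_TRAINING[r] for r in roles
            if r in ROLE_TRAINING and ROLE_TRAINING[r] not in completed}

def plan_move(completed, old_pos, new_pos):
    """Preventive: split a position move into removals, grants and held roles."""
    old, new = POSITION_ROLES[old_pos], POSITION_ROLES[new_pos]
    gained = new - old
    hold = missing_training(gained, completed)
    return {"remove": old - new, "grant": gained - set(hold), "hold": hold}

def audit(holders, training):
    """Detective: list (user, role, course) where an inherited role lacks training."""
    findings = []
    for user, pos in holders.items():
        gaps = missing_training(POSITION_ROLES[pos], training.get(user, set()))
        findings += [(user, role, course) for role, course in gaps.items()]
    return sorted(findings)

# Constructed sample: User-A has just been moved, User-B is already trained.
HOLDERS = {"User-A": "position#2", "User-B": "position#2"}
TRAINING = {
    "User-A": {"SAP Accountant Training"},
    "User-B": {"SAP Finance Director Training"},
}

if __name__ == "__main__":
    print(plan_move(TRAINING["User-A"], "position#1", "position#2"))
    print(audit(HOLDERS, TRAINING))
```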

  • Difference between Structural and Org. Based Security

    Hi
       Could anyone please explain the difference between Structural and Org. based security
    Also could anyone please point to relevant documents.
    Thanks

    Structural authorization:
    ex: assigning roles to position and not to userids.. Listed below are some links that may help you to get started in understanding "Structural authorization".
    http://www.sap-img.com/human/structural-authorization-vs-role-authorization.htm
    http://www.sap-press.de/katalog/buecher/inhaltsverzeichnis/gp/titelID-1071
    https://websmp205.sap-ag.de/~form/ehandler?_APP=00200682500000001337&_EVENT=DISPLAY&COURSE=ADM940
    HB

  • How can I turn off the WLS 6.1 security in order to develop my own application-based security module?

    Dear Colleagues,
    I am currently developing a J2EE application using WLS 6.1.
    My team and I have to implement a security requirement to suit our company's needs.
    The security requirements are that, users' password need to be aged (30 days maximum) and we need to provide a GUI front-end (JSP) to allow users to change their password when these expire after 30 days.
    Our internal contacts in the company, have already taken the lead to find out about whether we will be able to use the WLS 6.1 platform to do this and the answer we got back, was.
    Now we need to develop our own security module.
    I have 2 questions:
    1. How can we turn off the WLS security in order to develop our own application-based security module?
    2. How can we develop a security module that allows us to age users' password and provide them with facilities to change their passwords when these expire?
    At the moment, we are using the default BEA WebLogic login.jsp page and there some configuration in the web.xml for this. I will be grateful if you could advise me on how to turn this default security off so that we can write our own security module.

    hi,
    1. You can write your own realm in 61 which can be plugged for your security
    calls.
    2. Once you write your own realm, you can access it through weblogic
    api/your api.
    thanks
    kiran
    "Richard Koudry" <[email protected]> wrote in message
    news:3dd0d081$[email protected]..
    > Dear Colleagues,
    > I am currently developing a J2EE application using WLS 6.1.
    > My team and I have to implement a security requirement to suit our company's needs.
    >
    > The security requirements are that, users' password need to be aged (30 days maximum) and we need to provide a GUI front-end (JSP) to allow users to change their password when these expire after 30 days.
    >
    > Our internal contacts in the company, have already taken the lead to find out about whether we will be able to use the WLS 6.1 platform to do this and the answer we got back, was.
    >
    > Now we need to develop our own security module.
    > I have 2 questions:
    > 1. How can we turn off the WLS security in order to develop our own application-based security module?
    >
    > 2. How can we develop a security module that allows us to age users' password and provide them with facilities to change their passwords when these expire?
    >
    > At the moment, we are using the default BEA WebLogic login.jsp page and there some configuration in the web.xml for this. I will be grateful if you could advise me on how to turn this default security off so that we can write our own security module.
