SAP IDM position based security with user in multiple positions

Hi,
In case of Higher Duties, we have a scenario where a user can have multiple positions with access to the business roles of both the positions.
The design is to have one business role assigned to one position so that the user can have all the access he requires.
In case of higher duties, we see an exception.
Has anyone implemented such a scenario?
Inputs/advice are much valued.
Thanks
Chaitanya

Hi Chaitanya,
Is it possible to assign more than one position to an employee in HCM?
If so, there are many ways of dealing with that from the IDM side. I don't know precisely your business requirement, what you need to maintain and what should be dynamic, but I can suggest that you:
1. Translate every position you receive from HR to a Business role and assign as many Business roles as you want to the same user.
From HCM you will receive :
Employee :
- Z_POSITION_ID1 :1
- Z_POSITION_ID2 : 2
In IDM
Employee
- Member of BR1
- Member of BR2
2. If you have a lot of attributes related to the HR position on the user (link user-position) to maintain, then create a custom Object in IDM (entrytype Z_POSITION).
You will be able to manage relations much more easily than with a simple relation (one-to-one attribute).
Otherwise, it is worth looking over this blog for the general design of HCM integration:
How to optimize identities’ lifecycle management in your information system using SAP HR events?
Fadoua

Similar Messages

  • Using Position Based Security with BI

    Hi
    Has anyone been involved in an implementation where you can assign BI roles to Positions (organisational structure maintained in R/3).  If so, what configuration is involved?

    Hi,
    After replying I realised that this may not be answering your question exactly, but it is the approach that I would adopt.
    Not sure if it is feasible for your landscape but I would use a CUA for this approach - in the long run I find it to be a good approach, especially if you are adding more SAP applications to your landscape.
    Firstly, set-up ALE for the org structure from R/3 to your CUA client.
    I would then create composite roles in the CUA client, which include roles for both R/3 and BI. These would then be assigned to the positions in the HR Org structure.
    To create the composite roles, read roles into your CUA client via RFC - note that this is not the text comparison for CUA, but reading roles from other systems via RFC through PFCG. Once you read the roles in you will notice that the RFC destination is maintained in the menu tab of roles that have been imported. Then when you create the composite roles containing R/3 and BI roles you will see that the target system is maintained. If you use the variable mentioned below, it achieves the same thing but makes future maintenance easier.
    Creating the composite roles does mean additional maintenance upfront, but before you begin I would make use of the table SSM_RFC. Through this you could assign a variable to a RFC destination, you can use the same variable name in DEV, QA & PRD but have different RFC destinations allocated. This means that you can transport roles from the DEV CUA to PRD CUA without having to maintain the roles.
    In CUA you would need to set the role distribution properties to global in transaction SCUM.
    When you assign a composite role to a user in CUA you will notice that it will complete all the system assignments as defined in your composite role. If you allocate to a position, then it would do the same thing provided the IT105 is maintained for the employee and the position assignment is valid - once you run the user compare it will update the user master and distribute.
    I hope that provides you with some ideas...
    Regards
    Edited by: S Morar on Apr 10, 2008 1:23 PM

  • IDM, GRC and position based security

    We use position based security in our ERP system and are implementing GRC. In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs. We have this functionality working in QAS by implementing CUA, but we are considering if IDM can be used instead. There seems to be much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
    Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and a user on another?     
    How can IdM be configured to react to a position change and update the roles appropriately?
    Has anyone implemented GRC and IDM with position based security?
    Regards,
    Wayne

    Hi Wayne,
    In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
    You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
    I've attended Teched, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.
    So in HCM the position of a user changes (e.g. promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
    This is all theory though, I'm just getting started with IdM myself.
    Kind regards,
    Dagwin

  • Does auto provisioning work with position based security

    We are implementing GRC 5.3 and use position based security.  I am able to run risk analysis for position based security but now we want to use CUP and push our roles to the positions.  And finally we want to associate the user to the position.  We want to do all of this through GRC.  Is this possible?
    Thanks!

    Peggy,
    For this to work, click on the tab (on top) which says "by system". Here you can set up autoprovisioning by system. If you have 5.2, I don't know if this is available or not, but it is available in 5.3.
    Regards,
    Alpesh

  • Is there any difference in upgrade for position based security model

    Hello Gurus,
    I am working on an upgrade project from 4.6c to ECC6.0. In the 4.6C R/3 system the position based security concept is used.
    Are there any extra precautions that need to be taken while upgrading in a position based security model?
    Or
    Is it the same procedure whether it is a role based security model or a position based security model?
    I am new to this upgrade stuff, please kindly direct me in the right direction.
    Also please provide if any documents are available.
    Thanks,
    Sanketh.

    Hi,
    There are already many documents posted on SDN on the same topic. Security upgrade is standard and mostly deals with role modification; can you elaborate more on position based? Position related assignment is also taken care of with the respective functional team, for example HR, and the technical team (Workflow) if there are any issues.
    Better you go through the upgrade document; see the posts already available in the forum before starting with the upgrade.
    Experts correct me in case of correction.

  • Retain standard SAP order type after copying with user defined order type

    Hello SAP Gurus,
    We have a requirement of retaining the standard SAP order types after copying with User defined order types. But the issue is we don't want to see the standard SAP order type such as PM01, PM02 in production system while using transaction like IW31 etc.
    Is there anybody who has an answer on how to retain these standard SAP order types without deleting them from the system configuration?
    Thanks in advance.
    Cheers,
    Vaibhav

    Vaibhav,
    When you F4 on the order type field in IW31 you will get the popup showing the order type list. At the top of this list is a button with a green "+" sign (Insert in personal list).
    You can use this button to select your favourite list.
    This function is available in most F4 drop-down lists.
    However, you cannot set this setting for all users. You will need to write an ABAP program to do this.
    PeteA

  • 'BBPSC11' error in Monitor SC for one User having multiple positions but on

    Hello,
    'BBPSC11' error in Monitor SC for one User - having multiple positions in org structure - but having one BP code associated to all positions.
    We have one BP ID associated to multiple positions of the same user - in multiple org structure.
    The org unit is referred to as one Project and likewise we have multiple projects people worked on.
    Once the Proj is over we move the Users from one Proj (Org unit) to another Proj, with new Position created copying the old and associate old BP code to it.
    With this when we go for Monitor SC option - enter User ID in Created By field - old SC are listed but we are getting error if we click on the Detail icon.
    Error:The Internet Transaction Server could not start the transaction "BBPSC11" because of the following error: Attribute for user contains errors. Inform systemadmin. .
    AD

    Hi,
    Pl. verify the user with txn-bbp_attr_check. It could be that the org. relationship of the user changed with what was captured on shopping cart. Also use txn-users_gen to repair the user.
    Regards,
    Sanjeev

  • Personalization Publication with user defined / multiple / discrete values

    Hello,
    I try to personalize a main report ( with Enterprise XI 12.1.0, Crystal Report XI  )
    ( parameter p_company_code ( as string ), with user defined / multiple / discrete and range values )
    with dynamic recipients ( Crystal Report ).
    For a single value it works.
    But I did not find a solution how to set up the values for my parameter p_company_code so that I can start the main report
    with the following company codes ( 4711, 4712, 0815-0890 ) for one recipient ( only one report for all these company codes ).
    Thanks for your help
    H. Blum

    Hi Fabio,
    It works as follows.
    let's say you have 3 multiple single lines for your cost center variable.
    once you are in the folder, select any single value & the layout is ready for planning with the corresponding cost center.
    now, select the "Cost center variable row" in the header of the folder within section "Name of Variable" & click on "Trash Can" icon to "Delete Selection" of variable.
    this basically deletes all the entered selections (3 entries) & displays for all.
    It works this way, because we don't have "restriction of values required by user".
    If I am not wrong, & correct me if I am wrong,
    overall, this is nothing but equal to "planning level not restricted with any variable".
    I just tested this & the flaw in this is that, it is not only displaying for all the initially entered 3 lines but it displays for each & every cost center irrespective of the variable selections.
    hope it is clear.

  • User Level Authorization in Position Based Security

    Hi Geeks,
    I'm facing a problem in restricting a user from accessing another user's data.
    Let me give you a picture of my issue.
    I have assigned a position based role to a Position XXXXX, while XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see the data of his own, not other users.
    Can you please let me know how to restrict this.
    <removed_by_moderator>
    Thanks
    Venkat
    Edited by: Julius Bussche on Jun 4, 2009 8:44 AM

    > p_pernr when this object is present, including infotypes in this object allows you to control access to own record only (I), or other employee records only (E) excluding own.
    Stated like that it could still be misleading.
    E does not grant access to other employees' records. It only means that if the user already has access to other employees' records (via P_ORGIN...), then this authorization will exclude their own personnel number from that authorization, even though they have the access.
    This can be useful, for example to prevent the HR department from changing their own basic pay without stopping them from giving you a raise or a bonus...
    Cheers,
    Julius

  • Position Based Security

    Hi All,
    How to find out whether the security implemented is position based or role based? And in position based, is there any difference in dealing with authorisation changes, compared to role based security?
    Can some one please let me know the information.
    Regards,
    Sandhya

    Hi,
    the difference is in how you assign the roles to users. Position based means that roles are assigned according to the position the user has in the org-structure.
    Roles are assigned to the position and each user who is assigned to the position gets those roles assigned.
    You can identify such roles as they are assigned indirectly (blue colour in SU01 and PFCG(tab users)) and if hr-org is activated and maintained in your system.
    Administrators should know of how they assign roles in your system. Just ask them.
    b.rgds,
    Bernhard

  • SAP IDM  7.0 integration with third party system

    Hi Experts,
    I know SAP IDM  7.0 can integrate with third party systems and create user ids on most of the third party systems.
    But I need to know regarding If it is possible to integrate with following systems
    1) Microsoft Exchange 2007 (  I know till exchange 2003 SAP  IDM support )
    2) Microsoft Active Directory 2008 ( I know till Active Directory 2003)
    3) EMC  Documentum 6.5
    4)  ARIS 7.1.0
    5)  BlackBoard, Release 9.0
    6) Oracle 10g  ( Is it possible to create users at oracle level ? or at what level ? )
    7)  Sun Solaris Sparc  ( Is it possible to create users at  OS level )
    If you have information on this please share. I know that the provisioning framework will have templates for most of the target systems. I want to know if they are available for the above systems on SAP IDM 7.0 or, if not, how we can connect to them?

    Hi Matthew
    Your expertise in SAP IDM is indeed a great help!!
    >Can't see why not, it's all done via SQL commands. I've done similar things with MSSQL
    You mean that there will be oracle 10g drivers/oledb connectors in SAP IDM and through SQL commands like "create user alfredo identified by alfredos_secret; " we can create a user in the oracle database? As you said this should be possible. What about creating users (user management) in the oracle 10g application like dba or scott and assigning the privileges in the oracle application?
    >might need to do via UNIX scripts, but it can be done
    You mean that Unix scripts will be defined in SAP IDM and SAP IDM will execute these scripts on the Sun Solaris Sparc? It should be possible as you said. By the way, how will we be able to connect to Sun Solaris Sparc? Is it via the option "file" under "Repositories" with the repositories wizard and later executing the file from SAP IDM?
    Thank you once again for your expert answers on third party systems.

  • IP based security with JSP?

    Hi,
    How easy/hard would it be to implement IP based security in a JSP application? I.e. We want to restrict the IP addresses that can access our application.
    Is this something that can be done in the web.xml using the security constraints??
    Or is it much more complex than this?
    (We want to prevent our customer from sharing the application with third-parties, so we can not rely on a firewall based approach)
    Thanks

    Well, for Apache, it's easier. I think for Location to work, you need virtual directories set up. I could be wrong... Or try using Directory instead of Location. I recall Location was for something special... but I forget the details. For Apache/Tomcat, I've usually used aliases to handle directories...
    Alias /ITMS "ITMS_HOME/tools/tomcat/jakarta-tomcat-4.0.3/webapps/ITMS"
    <Directory "ITMS_HOME/tools/tomcat/jakarta-tomcat-4.0.3/webapps/ITMS">
    AllowOverride None
    Options Indexes
    Order allow,deny
    Allow from all
    ExpiresActive On
    ExpiresByType application/octet-stream "access plus 7 days"
    ExpiresByType image/gif "access plus 7 days"
    ExpiresByType image/jpeg "access plus 7 days"
    ExpiresByType text/x-javascript "access plus 0 seconds"
    ExpiresByType text/css "modification plus 7 days"
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType text/vnd.wap.wml "access plus 0 seconds"
    ExpiresDefault "now plus 1 month"
    </Directory>
    You can set up denies by IP, IP range or domain.
    Deny from .domain.com
    Deny from 123.232.123.33
    Deny from 123.232.124.
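    As an added example (not code from the reply above, and not part of Apache), the following JavaScript reproduces how Apache 2.2 mod_authz_host evaluates Order, Allow from and Deny from, so a rule set like the one above can be checked offline before it is deployed. It covers both the deny-list form shown in the reply and the allow-list form the question actually asks for (only known customer addresses get in). The rule sets, client addresses and hostnames are constructed; hostnames are taken as already resolved, since Apache obtains them by reverse lookup.

```javascript
// Added example: evaluator for Apache 2.2-style Order / Allow from / Deny from rules.
// Supported host forms: all | exact IPv4 | partial IPv4 ("123.232.124.") | CIDR | (partial) domain name.

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  const m = IPV4.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Does one Allow/Deny argument match this client? clientHost is the reverse-resolved
// name (optional); Apache only trusts it after a forward lookup confirms it.
function hostMatches(arg, clientIp, clientHost) {
  if (arg === 'all') return true;
  if (arg.includes('/')) {                                  // CIDR: a.b.c.d/bits
    const [net, bitsStr] = arg.split('/');
    const bits = Number(bitsStr);
    const netInt = ipToInt(net), ipInt = ipToInt(clientIp);
    if (netInt === null || ipInt === null || !(bits >= 0 && bits <= 32)) return false;
    const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
    return ((netInt & mask) >>> 0) === ((ipInt & mask) >>> 0);
  }
  if (/^[\d.]+$/.test(arg)) {                               // exact or partial IP (leading octets)
    const want = arg.replace(/\.$/, '').split('.');
    const have = clientIp.split('.');
    return want.length <= have.length && want.every((o, i) => o === have[i]);
  }
  if (!clientHost) return false;                            // domain form: whole labels from the right
  const suffix = arg.startsWith('.') ? arg : '.' + arg;
  return clientHost === arg.replace(/^\./, '') || clientHost.endsWith(suffix);
}

// Pull Order / Allow from / Deny from out of a <Directory> block; other directives are ignored.
function parseAccessRules(configText) {
  const rules = { order: 'deny,allow', allow: [], deny: [] }; // Apache's default Order
  for (const raw of configText.split('\n')) {
    const line = raw.trim();
    let m;
    if ((m = /^Order\s+(allow,deny|deny,allow)$/i.exec(line))) rules.order = m[1].toLowerCase();
    else if ((m = /^Allow\s+from\s+(.+)$/i.exec(line))) rules.allow.push(...m[1].split(/\s+/));
    else if ((m = /^Deny\s+from\s+(.+)$/i.exec(line))) rules.deny.push(...m[1].split(/\s+/));
  }
  return rules;
}

// Order allow,deny: allowed only if some Allow matches AND no Deny matches (default: deny).
// Order deny,allow: denied only if some Deny matches AND no Allow matches (default: allow).
function isAllowed(rules, clientIp, clientHost) {
  const allowed = rules.allow.some(a => hostMatches(a, clientIp, clientHost));
  const denied = rules.deny.some(d => hostMatches(d, clientIp, clientHost));
  return rules.order === 'allow,deny' ? allowed && !denied : !denied || allowed;
}

// Constructed rule sets: the deny-list from the reply above, and an allow-list for a customer network.
const EXAMPLE_RULES = parseAccessRules(`
Order allow,deny
Allow from all
Deny from .domain.com
Deny from 123.232.123.33
Deny from 123.232.124.
`);
const ALLOWLIST_RULES = parseAccessRules(`
Order deny,allow
Deny from all
Allow from 198.51.100.0/24
`);

for (const ip of ['123.232.123.33', '123.232.124.7', '123.232.123.34', '198.51.100.9']) {
  console.log(ip, 'deny-list:', isAllowed(EXAMPLE_RULES, ip), 'allow-list:', isAllowed(ALLOWLIST_RULES, ip));
}
```

    Whichever form is used, Apache compares against the TCP peer address. Behind a reverse proxy or load balancer every request arrives from the proxy's address and the original client appears only in headers such as X-Forwarded-For, which the client can set itself, so the restriction then has to be enforced at the proxy (or with the proxy's address explicitly trusted). A shared egress address or NAT also means the rule identifies a network, not a person, which is why this answers the customer's "restrict to our addresses" requirement but is not a substitute for user authentication.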

  • SAP IDM on Solution Manager with Change Request Management

    Hi Experts,
    I'm facing a question. Does SAP Identity Management manage association between user in Solution Manager and links in PPOMA_CRM tree for Ticket validation on Change Request Management project ?
    It seems that it could be done using Compliant User Provisioning from GRC Access Control application.
    Thanks for your help,
    Ben

    Hello Ben,
    as far as I know there is currently no "business level" integration between IdM 7.1 and SAP Solution Manager. You can only create SU01 user data as for any other SAP ABAP system.
    I have heard that it is planned for the future to integrate the Solution Manager also in the business suite integration options the IdM product already provides for applications such as CRM, SRM and others.
    Nevertheless you could create your own implementation for your requirements.
    Regards,
    René Feister
    SAP Consulting Germany

  • Issue with SAP GUI 7.30 launching with users upgrading from 7.10

    We started rolling out SAP 7.30 GUI Final 7300.3.7.117 to people, and we've run into this error with people who had upgraded from SAP GUI 7.10.
    Our environmental variable uses saplogon.ini (SAPLOGON_INI_FILE) and points to c:\windows\saplogon.ini
    I don't know why the program is trying to search for saplogontree.xml.
    I've tried uninstalling, rebooting, reinstalling. Deleting some of the %appdata% SAP folders.
    I need some guidance as people who upgraded from GUI 7.20 do not run into this issue.

    This popup would make sense Jason, as the path C:\Windows\SapLogonTree.xml would not be a valid path to this file.
    Really, 7.10 should not have been used at all as an upgrade path as this had finished support in 2009.
    If you have a small number of users with 7.10, it's recommended to remove it via add/remove programs in the OS, then install a clean 7.30 GUI.
    The environment variable should not point to C:\Windows\ at all since this is a restricted folder in Windows Vista and higher, and will only cause further trouble later on in the updates.
    See note http://service.sap.com/sap/support/notes/1409494
    Jude

  • HCM Position based security: any transition period?

    Hello Gurus, if a person is transferred from one position to another, the next time the RHPROFL0 job runs, it will remove all the old position's roles and assign the new ones it finds from the new position; is it possible to have a transition period (e.g. 15 or 30 days) where the user can have both the old and new roles?
    The Structural PD profiles do have an option to support this but is there a way to do this for all normal ABAP roles assigned to the Positions using the relationship infotype?
    Thanks,
    Arya

    Hi Arya
    Yes, this is possible by using the structural switch AUTSW ADAYS. This switch is used to specify the tolerance time for the authorization check in the event of an org or position change. I think by default the switch is off (not sure). If you do not want the user to lose the old authorization during the transition period you can activate the switch (I think the default is 15 calendar days).
    Hope this helps
    Regards
    Santosh kumar
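    As an added example (not code from either thread, and not SAP's RHPROFL0 or IdM logic), here is a JavaScript model of what position-based provisioning computes: the union of business roles over every position a user currently holds, which is Fadoua's one-business-role-per-position design in the main thread extended to concurrent positions for higher duties, plus a tolerance window after a position ends, which is the effect AUTSW ADAYS gives structural profiles in the thread above. Users, position IDs, role names and dates are constructed sample data, and the function names are mine.

```javascript
// Added example: derive effective roles from HCM position assignments.
// Constructed position -> business role mapping (one business role per position).
const POSITION_ROLES = {
  P1001: ['BR_ACCOUNTS_PAYABLE'],
  P1002: ['BR_PURCHASING_APPROVER'],
  P2001: ['BR_PAYROLL_ADMIN'],
};

// Constructed user-position relationships with validity dates (as HCM would deliver them).
const ASSIGNMENTS = [
  { user: 'E0042', position: 'P1001', from: '2008-01-01', to: '9999-12-31' }, // substantive post
  { user: 'E0042', position: 'P1002', from: '2008-03-01', to: '2008-04-30' }, // higher duties, temporary
  { user: 'E0077', position: 'P2001', from: '2007-06-01', to: '2008-03-15' }, // transferred out
  { user: 'E0077', position: 'P1001', from: '2008-03-16', to: '9999-12-31' }, // transferred in
];

const MS_PER_DAY = 86400000;

// 'YYYY-MM-DD' -> UTC milliseconds (dates are compared as whole days).
function parseDate(s) {
  const [y, m, d] = s.split('-').map(Number);
  return Date.UTC(y, m - 1, d);
}

// Positions the user holds on asOf, plus positions that ended no more than
// toleranceDays before asOf (the transition window).
function activePositions(assignments, user, asOf, toleranceDays = 0) {
  const t = parseDate(asOf);
  return assignments
    .filter(a => a.user === user)
    .filter(a => parseDate(a.from) <= t && t <= parseDate(a.to) + toleranceDays * MS_PER_DAY)
    .map(a => a.position);
}

// Union of business roles over all active positions, sorted and deduplicated.
// A user in two positions simply gets both role sets; no exception handling is needed.
function effectiveRoles(assignments, positionRoles, user, asOf, toleranceDays = 0) {
  const roles = new Set();
  for (const pos of activePositions(assignments, user, asOf, toleranceDays)) {
    for (const r of positionRoles[pos] ?? []) roles.add(r);
  }
  return [...roles].sort();
}

// What a sync run has to add and remove to move the provisioned set to the HR-derived set.
function reconcile(current, target) {
  return {
    add: target.filter(r => !current.includes(r)),
    remove: current.filter(r => !target.includes(r)),
  };
}

// Stand-alone demo: the transferred user, with and without a 15-day tolerance.
for (const tol of [0, 15]) {
  const target = effectiveRoles(ASSIGNMENTS, POSITION_ROLES, 'E0077', '2008-03-20', tol);
  console.log(`E0077 on 2008-03-20, tolerance ${tol} days:`, target,
              reconcile(['BR_PAYROLL_ADMIN'], target));
}
```

    Two points the model makes visible: the tolerance window keeps the old position's roles for a bounded number of days, so the period during which a user holds both sets should be monitored rather than assumed harmless (the SoD check Dagwin describes would have to be run against the combined set, not the new position alone); and the union is computed from HR data only, so any role not traceable to an active position shows up in the remove list, which is the property that makes position-based security auditable.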
