Structural Authorisation & Position Based Role Mapping (Indirect Roles)

Hi
I have a few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
This is a public sector implementation. We are migrating from the traditional approach (assigning roles to users) to indirect role assignment.
1. Can we integrate both structural authorizations and position based role mapping in one system?
2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position, or would it automatically have the authorizations which are assigned to the users below the chief position?
3. As a first step, do we need to create the users in SU01 / SU10, or can we create the entries in PA30? Which one comes first, or are both independent?
4. If the user moves from one position to another position then there would need to be a grace period for the shift over of roles. Where do we maintain the shift over value in days? Do we need to maintain it in both?
Any help or suggestions on the above would be appreciated.
Thanks and Regards
Arun R

Hi
1. Can we integrate both structural authorizations and position based role mapping in one system?
Yes, you can. Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
No, the SAP role is unique to the position it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the SAP role directly to the user in SU01/SU10.
3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
Create the user in SU01/SU10 first before creating infotype 105 in PA30.
4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
When a user's assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.
Also the number of days an employee can have access to their previous data is controlled by the parameter called ADAYS (tx OOAC). SAP currently defaults this to 15 days and this is used to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
Hope this helps.
Charmaine

Similar Messages

  • Template for Position Based Role Generation - Grouping of Transaction

    Hi
    We have almost 3500 roles. They are all role based / transaction based. We would like to shift to position based roles.
    Is there any template or high level document which can give you the information regarding the grouping of transactions module-wise, like HR, SD, MM, PP etc.?
    It should narrow down further to give you info regarding the transactions with respect to the standard positions provided by SAP, which we can use as a baseline and develop on that.
    Any help would be appreciated.
    Thanks and Regards
    Arun

    Hi,
    please have a look at the standard SAP* roles. They are grouped by application and also some are grouped by position. So this may be an entry point for you.
    b.rgds, Bernhard

  • User Level Authorization in Position Based Security

    Hi Geeks,
    I'm facing a problem in restricting a user accessing from another users data.
    Let me give you a picture of my issue.
    I have assigned a position based role to a Position XXXXX, while XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see the data of his own, not other users.
    Can you please let me know how to restrict this.
    Thanks
    Venkat
    Edited by: Julius Bussche on Jun 4, 2009 8:44 AM

    > p_pernr when this object is present, including infotypes in this object allows you to control access to own record only (I), or other employee records only (E) excluding own.
    Stated like that it could still be misleading.
    E does not grant access to other employees' records. It only means that if the user already has access to other employees' records (via P_ORGIN...), then this authorization will exclude their own personnel number from that authorization, even though they have the access.
    This can be useful, for example to prevent the HR department from changing their own basic pay without stopping them from giving you a raise or a bonus...
    Cheers,
    Julius

  • Compliance Calibrator 5.2 and position based user role provisioning

    Hi
    We are having position based security in place... I was just wondering if CC 5.2 can do SOD analysis in position based security also?

    Hi Parveen,
    To do HR risk analysis, perform the following steps:
    For this scenario, try to take the help of an HR consultant.
    1. Go to the SAP system > execute the PPSC transaction > create a Position.
    2. Now execute the PO13 transaction --> select that position and assign a role (containing some risk violation) to that position.
    3. Now in CC, go to the Informer tab > Risk Analysis > HR Objects --> execute the report with the following key parameters:
        i) System: any SAP system
        ii) Analysis Type: Object security only
        iii) Object Type: Position
        iv) Rule Set: *
    Now you can perform risk analysis at position level.
    Regards,
    Jagat

  • Position based authorisations in CRM

    Hi there,
    In SAP ECC the user account is assigned against the employee record. When the employee is assigned against the position it automatically inherits the roles when transaction PFUD is run.
    We want to use the same functionality in the CRM environment but find this is not working.
    We distribute our org structure using the standard model via message HRMD_ABA and include IT0105 subtype 0001 (User)
    We note the distribution assigns the user against the BP employee role created in CRM.  However in PFCG it is the CP that is assigned to the position not the BP
    Can you please provide any information to get position based authorisations working in CRM.
    Many thanks
    Stephen.

    Mike Ferguson wrote:
    > Hello,
    > So before we go down this path we would like to know how many others have.
    > We are distributing our OM hierarchy with O, S, AG, and User to BI from ECC so that role assignments that are on the position get pushed to BI.
    > We run RHPROFL0 in BI to create new users and push roles to the user master record.
    > Everything is working as expected, however I haven't seen this done anywhere so I can't answer questions about sustainability or stability.
    > Please provide feedback to this approach if you have experience with it or if you considered implementing and decided against it, please provide your rationale.
    > We have also looked at using CUA which works for this scenario as well, however would have a larger impact to our implementation from a technical and process perspective.
    > Thanks,
    > Mike
    Mike,
    I don't see any problem with your design except for the double maintenance of new users and possibly of role assignment to positions.
    My vote is for the CUA, depending on how you look at it, it might be less work up front and can save a lot of maintenance overhead once implemented.
    BI is a child in our CUA, we assign ECC composite role on a position and these composite roles are pointed to BI child roles using variables.  When we run RHPROFLO in ECC new user will be created in BI if the position has ECC composite role pointed to BI child roles.  Everything is maintained in ECC.

  • Rule based Role membership in OIA is not pushing to OIM

    Hi All,
    Rule based Role membership in OIA is not pushing to OIM due to error as
    00:01:38,055 DEBUG [DBIAMSolution] Group Role container for JDE.JDE_BHRUSRTT found...
    00:01:38,144 ERROR [DBIAMSolution] Error Occured while adding users to role
    Thor.API.Exceptions.tcAPIException: Error occurred while find User information: USER_NOT_FOUND
    at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
    at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
    at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
    at Thor.API.Operations.tcGroupOperationsIntf_13pobh_tcGroupOperationsIntfRemoteImpl_1035_WLStub.getAllMemberUsersx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
    at $Proxy396.getAllMemberUsersx(Unknown Source)
    at Thor.API.Operations.tcGroupOperationsIntfDelegate.getAllMemberUsers(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Meth
    Any help will be appreciated...
    Thanks
    Bikas
    Edited by: Bikas Mandal on Mar 27, 2013 6:15 AM

    Try these steps and let me know what you see:
    Login to OIA > Administration > Configuration > Workflows
    Select Role membership create workflow
    And check if you have added the OIM provisioning server in Step 5 of the workflow.
    Cheers,
    Vamsi.

  • JOB Based Roles

    Hi,
    We are planning to go for a Job Based roles design in our SAP (ECC, BW & Portal).
    Can anyone please give me an idea of how the process works?
    Thanks in advance

    Hi KT
    The whole concept around assigning a Business Roles is to provide a specific set of functions to a specific user or user group.
    There should not be any reason for a User to log off from one role and then log in with another.
    If for example you want a user to have some Sales Professional access as well as some Service Professional access then you would copy the Sales Professional role to your own custom role, remove the Sales Professional attributes that you do not want, then add in the required Service Professional attributes.
    The WEB UI views can then be configured for that particular Custom role you have created.
    Hope this helps
    Arden

  • Create BDC recording for position,job,role

    hi all,
    I want to create a BDC recording for position, job, role. What is the transaction for creating position, job, role?
    And I have to check whether for one job a role is there or not; if not I have to create that role. Similarly I have to check for a position whether there is a corresponding job or not; if not I have to create the job.
    How would I do that?
    thanks
    SAchin

    Hi Sachin,
    1) Creating a BDC is an ABAP-er's job and, being functional, it's not your responsibility. If you really want to do that then you can do it through T.Code SHDB.
    While creating a BDC for Position you have to go through T.Code SHDB and in that give PP01 in the TRANSACTION CODE field. Then go on with the recording. After that ask for the help of an ABAP-er.
    2) To check if a POSITION or a JOB is there, go to T.Code PP01, under the Obj Abbr. field put S for POSITION and C for JOB and press enter after entering the POSITION and JOB id. You'll get the result. OK
    3) To check for a ROLE, you have to go to T.Code PFCG and there check for the particular ROLE you are looking for. Here in this T.Code you can actually create, change and delete the ROLES. OK
    Hope this helps,
    ARNAV...

  • Position Based Security

    Hi All,
    How to find out whether the security implemented is position based or role based, and in position based is there any difference in dealing with authorisation changes, compared to role based security?
    Can some one please let me know the information.
    Regards,
    Sandhya

    Hi,
    the difference is in how you assign the roles to users. Position based means that roles are assigned according to the position the user has in the org structure.
    Roles are assigned to the position and each user who is assigned to the position gets those roles assigned.
    You can identify such roles as they are assigned indirectly (blue colour in SU01 and PFCG(tab users)) and if hr-org is activated and maintained in your system.
    Administrators should know of how they assign roles in your system. Just ask them.
    b.rgds,
    Bernhard

  • Ad Hoc Query & HR Structural Authorisations

    Good day,
    Can you kindly suggest solutions to the following?
    Users with access to IT0008 can view basic pay across company codes. I am using user groups for restriction per company code and PD Profiles for structural authorisations - there is also a restriction on personnel areas for the company code in the role in which IT8 is allocated...
    Can you advise how I can restrict IT8 access for users across sites/company codes?
    Thanks, have a lovely day!

    Hi Anders,
    Thank you for the reply,
    We are using HR structural authorisations with the context solution P_ORGINCON; we have an HR organisational based structure - where roles and PD profiles are linked to positions (PD Profiles are per company code as well and linked to IT1017 on object S)... That is correct. In our HR enterprise structure the personnel area is a breakdown of the section/s within a company code.
    My roles have the personnel area restriction specified, however when using Ad Hoc Query it is still allowing cross company access on IT8. Is there perhaps an object that is allowing this access? We are not using object S_QUERY at this stage. Could P_ABAP be allowing this access?

  • Concurrent Employment and MSS ( Structural Authorisation)

    Hi
    We are having some problem with structural authorisation in the case of concurrently employed users. The scenario is as follows:
    1. User A is a manager and has the MSS role and relevant PD profile.
    2. User P is an employee. This employee is concurrently employed. One position of this user is in the organisation unit of manager A and the other position for this
    The problem is that manager A is unable to approve the form submitted by employee P. If we remove concurrent employment it starts working again.
    I can see that the manager has structural access over employee P in tcode OOSB.
    Any suggestion will be welcome
    Parveen

    Hi
    The problem we were having is that the index was not updated. So in spite of having access to the user I was not able to approve the form. I have regenerated the index via report rhbaus00 which fixed the problem.
    Parveen

  • Problem in Structural Authorisation

    Hi All,
    Scenario: There is a CEO of an org unit, say ABC Pvt Ltd. This root org unit has many sub units, depts & positions.
    This CEO should need to view only his org units & positions which come under ABC Pvt Ltd, & he should not be able to view other depts & units.
    For this I want to create structural authorisation, hence:
    1. I created a user, e.g. RKRao (CEO)
    2. I created a role through PFCG.
    3. I created structural authorisation through OOSP, OOSB...
    4. I maintained infotype IT 0105 communication, then OM IT 1017 (PD profiles infotype)
    When I went to test this user, it is not showing me the desired data, which he is liable to see under his org unit (i.e. ABC Pvt Ltd, units, positions, jobs etc.)
    Hence can anyone tell me where I am wrong? I have maintained all the necessary transactions needed for structural authorisation.
    Pls help me out in this! Points are assured.
    Regds,
    NithiBabu

    Hi Nithi,
    The prerequisites for configuring Structural Authorization are:
    A) PLOGI – ORGA
    TCode: OOPS
    This switch activates the integration between Personnel Administration (PA) and Org Management (OM). Ensure this switch is ‘on’ before setting up the Org Plan, structural profile etc. Turning the switch ‘on’ is a mandatory prerequisite before other setups are initiated.
    B) In OOAC, the following switches need to be set to appropriate values (switched on) for structural authorizations:
    1. ORGIN: HR master data: Value “1” means it is activated.
    2. ORGPD: HR Structural authorization check: Value “1” means it is activated. This is mandatory for Structural authorization to work (see note).
    3. PERNR: HR Master Data: Personnel number check activation: Value “1” means it is activated.
    4. ADAYS: Tolerance time for authorization check: The value entered here is the number of days for the tolerance limit. This determines how many calendar days the user has access to the data he or she is entitled to, after the organizational change. For example “ADAYS = 10” means 10 calendar days of tolerance limit. In the standard system the value is set to 15; if the value is set to “0”, the organizational change causes the user to lose the authorization immediately upon change.
    C) After creating the Authorization Profile in OOSP
    IMG > Personnel Mgmt > Org Mgmt > Basic Settings > Authorization Mgmt > Structural Authorization > Maintain Structural Authorization Profile
    Select the Profile and double click the Authorization Profile maintenance in the dialog structure on the left of the screen.
    1. Accessible Org Mgmt Objects are determined by the settings defined in this step. This step determines permissible Objects for the user.
    2. Permissible objects can be defined in more than one way: by directly identifying the Object IDs (optional) in the Object ID field; or through an Evaluation Path (optional), which ensures that users are only authorized to access objects along a particular path in the Organization structure or plan (if an Evaluation Path is specified, an Object ID needs to be specified, which determines the root object for the evaluation path); or via a function module which determines the objects the users are authorized to access.
    3. If a function module (optional) is specified, the Object ID need not be specified and, depending upon the logic of the function module, an evaluation path may or may not be specified. The use of a function module to determine authorized objects provides flexibility that is not available via an Evaluation Path.
    Hope this further clarifies your doubt.
    Regards,
    Raj

  • IDM, GRC and position based security

    We use position based security in our ERP system and are implementing GRC. In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs. We have this functionality working in QAS by implementing CUA, but we are considering if IDM can be used instead. There seems to be much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
    Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and a user on another?
    How can IdM be configured to react to a position change and update the roles appropriately?
    Has anyone implemented GRC and IDM with position based security?
    Regards,
    Wayne

    Hi Wayne,
    In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
    You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
    I've attended TechEd, and the SAP recommendation is to use IdM to manage your users and do the provisioning, and to use GRC for compliance checking.
    So when in HCM the position of a user changes (e.g. a promotion), IdM picks this up and proposes a set of roles for the user; IdM sends this to GRC via web service; GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
    This is all theory though, I'm just getting started with IdM myself.
    Kind regards,
    Dagwin

  • Is there any difference in upgrade for position based security model

    Hello Gurus,
    I am working on an upgrade project from 4.6C to ECC 6.0. In the 4.6C R/3 system the position based security concept is used.
    Are there any extra precautions that need to be taken while upgrading in a position based security model?
    Or
    Is it the same procedure whether it is a role based security model or a position based security model?
    I am new to this upgrade stuff, please kindly direct me in the right direction.
    Also please provide if any documents are available.
    Thanks,
    Sanketh.

    Hi,
    There are already many documents posted on SDN on the same topic. Security upgrade is standard and mostly deals with role modification; can you elaborate more on position based? Position related assignments are also taken care of with the respective functional team, for example HR, and the technical team for Workflow if there are any issues.
    Better you go through the upgrade document. See posts already available in the forum before starting with the upgrade.
    Experts, correct me in case of correction.

  • Structural authorisation along with organisational key

    Hi All:
    The scenario is: There are 8 company codes (8 different countries) with 8 different personnel areas. A user needs to have access to all employees in his country and secondly, all the HR employees spread over all other company codes in different org units.
    I can create a role using P_ORGIN with that PA and assign it to the user, but how do I provide him access to all other HR employees? Structural authorisation would restrict access to a specific org unit which doesn't suffice for both criteria as it overrides the org key.
    Helpful answers would be duly rewarded.
    Regards,
    Kmaini

    Hi,
    Structural authorization does not overwrite org.key.
    You need to customize structural authorization accordingly.
    For example, you have 8 company codes associated with personnel areas PA01-PA08. You are trying to create role for company code 1.
    1. In P_ORGIN you give access to all personnel areas PA01-PA08.
    2. For structural authorization you create following entry points:
    - root org.unit for company 1
    - HR org unit for company 2
    - HR org unit for company 3
    - HR org unit for company 4
    - HR org unit for company 5
    - HR org unit for company 6
    - HR org unit for company 7
    - HR org unit for company 8
    Cheers
