User Level Authorization in Position Based Security

Similar Messages

• IDM, GRC and position based security

  We use position based security in our ERP  system and are implementing GRC.  In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs.  We have this functionality working in QAS by implementing CUA, but we are considering if IDM can be used instead.  There seems to much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
  Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and a user on another?     
  How can IdM be configured to react to a position change and update the roles appropriately?
  Has anyone implemented GRC and IDM with position based security?
  Regards,
  Wayne

  Hi Wayne,
  In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
  You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
  I've attended Teched, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.
  So in HCM the position of a user changes (e.g. promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
  This is all theory though, I'm just getting started with IdM myself.
  Kind regards,
  Dagwin

• Does auto provisioning work with position based security

  We are implementing GRC 5.3 and use position based security.  I am able to run risk analysis for position based security but now we want to use CUP and push our roles to the positions.  And finally we want to associate the user to the position.  We want to do all of this through GRC.  Is this possible?
  Thanks!

  Peggy,
     For this to work, click on the tab (on top) which says by system. Here you can set up autoprovisioning by system. If you have 5.2, I don't know if this is available or not but it is available in 5.3.
  Regards,
  Alpesh

• Is there any difference in upgrade for position based security model

  Hello Gurus,
  I am working on a Upgrade project from 4.6c to ECC6.0 , In 4.6C R/3 system position based security concept is used.
  Are there any extra precautions need to be taken while upgrading in a position based security model ?
  Or
  Is it the same procedure either it is a role based security model or a postion based security model.
  iam new to this upgrade stuff, please kindly direct me in the right direction.
  Also please provide if any documents are available.
  Thanks,
  Sanketh.

  Hi,
  Already there are many document posted on SDN on same . Security upgrade is standard and mostly deal with role modification and can you elaborate more on Position based. Positiong related assignment also taken care with respective functional team  for ex :HR and technical team Workflow if there are any issues.
  Better you go throug the upgrade document .see post already available in forum before starting with upgrade.
  Experts correct me in case of correction.

• SAP IDM position based security with user in multiple positions

  Hi,
  In case of Higher Duties, we have a scenario where a user can have multiple positions with access to the business roles of both the positions.
  The design is to have one business role assigned to one position so that the user can have all the access he requires.
  In case of higher duties, we see an exception.
  Has anyone implemented such a scenario?
  Inputs/advices are much valued.
  Thanks
  Chaitanya

  Hi Chaitanya,
  Is it possible to assign more than one position to an employee in HCM?
  If so, there is many ways of dealing with that from IDM side, I don't know precisely your business requirement, what you need to maintain and what should be dynamic, but i can suggest you to :
  1. Translate every position you receive from HR to a Business role and assign as many Business roles you want to the same user.
  From HCM you will receive :
  Employee :
  - Z_POSITION_ID1 :1
  - Z_POSITION_ID2 : 2
  In IDM
  Employee
  - Member of BR1
  - Member of BR2
  2. If you have a lot of attributes related to HR position on user (link user-position) to maintain , then create a custom Object in IDM (entrytype Z_POSITION).
  You wil be able to manage relations much easier than a simple relation (One-to-one attribute)
  Otherwise, It worth to look over this blog for general design of HCM integration :
  How to optimize identities’ lifecycle management in your information system using SAP HR events?
  Fadoua

• Position Based Security

  Hi All,
  How to find out whether the security implemented is position based or role based. and in position based is there any difference in delaing with authorisation changes,  compared to roled based security.
  Can some one please let me know the information.
  Regards,
  Sandhya

  Hi,
  the difference is on how you assign the roles to users. Position based means that roels are assigned according to the position the user has in the org-structure.
  Roles are assigned to the position and each user who is assigned to the position gets those roles assigned.
  You can identify such roles as they are assigned indirectly (blue colour in SU01 and PFCG(tab users)) and if hr-org is activated and maintained in your system.
  Administrators should know of how they assign roles in your system. Just ask them.
  b.rgds,
  Bernhard

• HCM Position based security: any transition period?

  Hello Gurus, If a person is transferred from one position to another, the next time the RHPROFL0 job runs, it will remove all the old position's roles and assign the new ones it finds from the new position; is it possible to have a transition period(e.g. 15 or 30 days) where the user can have both the old and new roles?
  The Structural PD profiles do have an option to support this but is there a way to do this for all normal ABAP roles assigned to the Positions using the relationship infotype?
  Thanks,
  Arya

  Hi Arya
  Yes..this is possible by using the structural switch - AUTSW ADAYS. This switch is used to specify the tolerance time for authorization check in the event of org or position change. I think by default the switch is off.(not sure). If you do not want user to lose old authorization during the transition period you can activate the switch (I think default is 15 calendar days).
  Hope this helps
  Regards
  Santosh kumar

• User level Authorization for SSO by using SOAP Sender

  Hi,
  Scenario : Non-SAP to PI 7.31 using SOAP Sender adapter.
  Authentication we need to go for user based level at the receiver system where the information shall be passed from the sender (non-SAP) and also we 're using Single Sign On method for this interface.
  Note : Previously we achieved this through WS-RM using SAML certificates, but this adapter doesn't support in PI7.31 single stack since we have option only by using SOAP adapter.
  Please suggest how can i achieve this for my current landscape.
  Thanks for your help.
  Warm regards,
  Ram.

  Hi!
  The SOAP Adapter itself has no queueing mechanism. But the PI has one if you work asynchronously.
  To pick files it may be helpful to use the Axis Framework of SOAP Adapter whre you can add your own adapter modules.
  Very helpful tips concerning the SOAP Adapter can be found in the SAP Note 856597 (FAQ SOAP Adapter XI 3.0 Pi 7.0 PI 7.1).
  For Axis Adapter FAQ refer to SAP note 1039369
  Hope this helps.
  Regards,
  Volker

• Using Position Based Security with BI

  Hi
  Has anyone been involved in an implementation where you can assign BI roles to Positions (organisational structure maintained in R/3).  If so, what configuration is involved?

  Hi,
  After replying I realised that this may not be answering your question exactly, but it is the approach that I would adopt.
  Not sure if it feasible for your landscape but I would use a CUA for this approach - in long run I find it to be a good approach especially if you are adding more SAP appllications to your landscape.
  Firstly, set-up ALE for the org structure from R/3 to your CUA client.
  I would then create composite roles in the CUA client, which include roles for both R/3 and BI. These would then be assigned to the positions in the HR Org structure.
  To create the composite roles, read roles into your CUA client via RFC - note that this is not the text comparison for CUA, but reading roles from other systems via RFC through PFCG. Once you read the roles in you will notice that the RFC destination is maintained in the menu tab of roles that have been imported. Then when you create the composite roles containing R/3 and BI roles you will see that the target system is maintained. If you use the variable mentioned below, it achieves the same thing but makes future maintenance easier.
  Creating the composite roles does mean additional maintenance upfront, but before you begin I would make use of the table SSM_RFC. Through this you could assign a variable to a RFC destination, you can use the same variable name in DEV, QA & PRD but have different RFC destinations allocated. This means that you can transport roles from the DEV CUA to PRD CUA without having to maintain the roles.
  In CUA you would need to set the role distribution properties to global in transaction SCUM.
  When you assign a composite role to either a user in CUA you will notice that it will complete all the system assignments as defined in your composite role. If you allocate to a position, then it would do the same thing provided the the IT105 is maintained for the employee and position assignment is valid - once you run the user compare it will update the user master and distribute.
  I hope that provides you will some ideas.....
  Regards
  Edited by: S Morar on Apr 10, 2008 1:23 PM

• User level authorization wise F4 help functions

  Dear All,
  We have a requirement i.e. User should be able to see only authorized entities when he/she press F4 on any field like Company code,Customer number,Sales Organization etc.. in any standard screen of SAP transaction codes.
  For Ex: we have 3 company codes 1000,2000 and 3000. Assume user is authorized for 1000 only. If user presses F4 on BUKRS field in any screen, it should show only 1000 as possible entry.
  Is there any way to address this issue. Please help....

  Once you press F4 against the Company Code field from search option, in Drop Down list on the TOOL BAR there is an icon INSERT IN PERSONAL LIST.  Place the mouse on the Company Code which you want and then click on the INSERT IN PERSONAL LIST.  Also Click on Personal Value List after choosing Company Code of your choice in Insert Personal List. Don't forget to click on KEEP Button. Kindly note, this is only valid for that particular user only where you are exercising your insert personal list.
  G. Lakshmipathi

• User level authorization for process order

  Hi,
  Greetings for the day.
  As we all know that there are three main screen of process order
  1. Header Data
  2. Operations data
  3. Materials Data
  Now, we want to restrict the users to access the screen as below. (T-Code: COR1 & COR2)
  Header
  PP, MM, QM Users can change
  Operations
  PP, QM Users can change, MM user can display only
  Materials
  MM, QM Users can change, PP user can display only
  How can we achieve this?
  Please guide me.

  Hi
  Yes, that is impossible to control that way in standard, so I think you may consider the the user exits to write your own source codes to check the changes done by user and prohibit the save.
  PPCO0018  Check for changes to production order header
  PPCO0019  Checks for changes to order operations
  PPCO0008  Enhancement in the adding and changing of components
  Regards.
  Leon.

• Compliance Calibrator 5.2 and position based user role provisioning

  Hi
  We are having Position based security in place... I was just wondering if CC 5.2 can do SOD analysis in Position based secuirty also?

  Hi parveen,
  To do HR Risk analysis perform following steps:-
  To excute this scenario try to take help of HR Consultant.
  1-Go to SAP System>Execute PPSC transaction>create Position.
  2-Now execute PO13 transaction-->select that position assigned role ( Contains some risk violation) to that position.
  3- Now in CC ,go to informer tab> Risk analysis> HR Objects-->excute report with following key  parametrs
      i)System:-any sap system
      ii)Analysis Type :-Object security only
      iii) Object Type:Position
      iv)Rule Set: *
  Now you can perform risk analysis at position level.
  Regards,
  Jagat

• MOAC / "Org-Based" Security

  Hello,
  I'm developing custom pl/sql for submitting concurrent requests/sets. For reference, here is what my initialization 'block' looks like in the pl/sql:
  apps.fnd_global.apps_initialize(user_id, resp_id, app_id);
  apps.mo_global.set_policy_context('M');
  apps.mo_global.init(appShortName);
  (or)
  apps.fnd_global.apps_initialize(user_id, resp_id, app_id);
  apps.mo_global.set_policy_context('S', org_id);
  apps.mo_global.init(appShortName);
  (depending on whether the user chooses a 'multi-org' context or 'single-org' context)
  I just have a few general questions.
  1) Is the "mo_global.set_policy_context" followed by "mo_global.init" proper form?
  2) I understand that if you choose multi-org (set_policy_context('M')), it reads the 'fnd_global.apps_initialize'd user's "allowed orgs" from his profile options (I forget the exact ones at this moment). Is this correct?
  3) Is the sole purpose of "multi-org" security for performing multiple operations on multiple orgs without having to switch responsibility?
  4) Most importantly (saved this one for last), I'm reading about the various different kinds of security (namely, http://docs.oracle.com/cd/E14223_01/bia.796/e14219/security.htm#BGBIFAIG):
  Operating Unit Org-Based security
  Inventory Org-Based Security
  Company Org-Based Security
  Business Group Org-Based Security
  HR Org-based Security
  Payables Org-Based Security
  Receivables Org-Based Security
  SetID-Based Security
  Position-Based Security
  Ledger-Based Security
  My question is, are all of these various "securities" all managed with organizations? In other words, will my code (above) enable users to use ANY of these different kinds of security, if they so choose?

  Hey so seeing as this question hasn't really been answered yet I figure I'll give it another go.
  I'm going to be very specific this time:
  I run PL/SQL scripts against the EBS database in order to do things like schedule requests/request-sets. The first thing I do (always) is initialize the apps context:
  apps.fnd_global.apps_initialize(u_id, r_id, a_id);
  Next, depending on the situation (still unsure when/why, but whatever), we initialize the org context. This is done by performing exactly one of the following steps.
  apps.mo_global.set_policy_context('M', null);
  OR
  apps.mo_global.set_policy_context('S', org_id);
  OR
  apps.mo_global.init('appname');
  Now, the ORG_ID comes from this statement:
  SELECT organization_id FROM apps.org_organization_definitions2 WHERE organization_name = 'blah'
  Again, I don't know why/when we need to do this or apparently what any of these things do but it's kind of beyond the scope of what I do. SOMEBODY chooses one of these, depending on their mood (or whatever factors :) ). Based on my model, the following are the possibilities thus far:
  apps.fnd_global.apps_initialize(u_id, r_id, a_id);
  OR
  apps.fnd_global.apps_initialize(u_id, r_id, a_id);
  apps.mo_global.set_policy_context('M', null);
  OR
  apps.fnd_global.apps_initialize(u_id, r_id, a_id);
  apps.mo_global.set_policy_context('S', org_id);
  OR
  apps.fnd_global.apps_initialize(u_id, r_id, a_id);
  apps.mo_global.init('appname');
  After this, I use
  apps.fnd_submit.submit_program('appName','progName','STAGEXYZ', args); <-- however many times I need
  apps.fnd_submit.set_request_set('appname','requestSetName');
  OR
  apps.fnd_request.submit_request('appName','progName','description',starttime,FALSE, args);
  My question is twofold:
  1) Is this model generic enough? In other words, without doing anything extra, will people be able to do pretty much everything you could think of, at least in terms of running concurrent requests / sets? Will I ever - EVER - need to chain "set_policy_context" with "init"? <-- I would really love a yes/no answer because I am in no way/shape/form an EBS expert. I've read all the docs that I've been presented with thus far but I haven't found a straight answer to this yet.
  2) I understand there are all different kinds of "org-based" security. Could I use my current code to initialize an inv_org, for example? If not, where could I turn for help? Are there other tables I should use for inv_orgs, hr_orgs, etc?
  THANKS! YOU ARE THE BEST!

• Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

  Hi
  I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
  This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
  1. Can we integrate both structural authorizations and position based role mapping in one system?
  2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
  3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
  4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
  Any help or suggestions on the above would be appreciated.
  Thanks and Regards
  Arun R

  Hi
  1. Can we integrate both structural authorizations and position based role mapping in one system?
  Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
  2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
  No, the SAP role is unique to the postion it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the sap role directly to the user in SU01/SU01
  3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
  Create user in SU01.SU10 first before creating infotype 105 in PA30.
  4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
  *When a users assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.   
  Also the number of days an employee can have access to their previous data is controlled by the parameter is called ADAYS - tx OOAC .  SAP currently defaults this to 15 days and this is used  to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
  Hope this helps.
  Charmaine

• Reseeding cache for users with role based security

  I have role based security and trying to set up cache by purging all cache and later seeding cache by query. The query would be different for different users. What is the best way to purge all cache and reseed cache for administrator as well as all users. The EPT would purge cache based on updated tables. But how do I next go about reseeding cache for better performance to all the users. Thanks.

  I have created an ibot with the following:
  General - Normal Priority, Personalized (recipient's data visibility)
  Conditional Request - example_report
  Schedule - some schedule
  Recipients - Me(administrator) and User1
  Destinations - Oracle BI Server cache
  when the ibot runs 2 cache entries are created (for the 2 recipients).
  I have the report (example_report) on the dashboard (1 dashboard, 1 page, 1 report).
  After the ibot runs:
  When the administrator logs in first, there is a cache hit on the report. Followed by when the User1 logs in there is NO cache hit.
  On the other hand when the User1 logs in first, there is a cache hit on the report. Followed by when the administrator logs in there is no cache hit. The query log creates a Query issued to the database instead of cache hit on query.
  The User1 has a data level security.
  Please let me know where was I making an error in setting the ibot and how to get the cache seeding work for the different users with different role based security.
  Thanks for your inputs.