Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

Former Member

‎01-07-2009 8:24 PM

0 Kudos

Hi

I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).

This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.

1. Can we integrate both structural authorizations and position based role mapping in one system?

2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.

3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.

4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.

Any help or suggestions on the above would be appreciated.

Thanks and Regards

Arun R

2 REPLIES 2

RainerKunert
Active Participant

‎01-08-2009 8:58 AM

0 Kudos

Hi,

structural authorizations are used to grant access to special personal master data. Functional authorizations (like transactions) must still be granted with standard roles. These roles can be assigned indirectly (position based).

Users cannot be created in PA30. You may use HCM methods to create users automatically, but this is custom development. So create your users in SU01 and map them in PA30 (infotype 105).

There is a customizing parameter to specify the amount of time, old authorizations are still accessible after the organizational move of a person. I don't know the parameter name at the moment. I think the standard value is 5 days, that means old authorizations are still valid for 5 days.

charmaine_greene
Explorer

‎01-08-2009 11:07 AM

0 Kudos

Hi

1. Can we integrate both structural authorizations and position based role mapping in one system?

Yes you can. Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.

2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.

No, the SAP role is unique to the postion it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the sap role directly to the user in SU01/SU01

3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.

Create user in SU01.SU10 first before creating infotype 105 in PA30.

4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.

*When a users assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.

Also the number of days an employee can have access to their previous data is controlled by the parameter is called ADAYS - tx OOAC . SAP currently defaults this to 15 days and this is used to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.

Hope this helps.

Charmaine