Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Evaluation path PROFL0

Former Member
0 Kudos

Hi,

Does anyone have any idea on an alternative to evaluation path PROFL0, so that a role assigned to an ORG drills down to all ORGs and positions below it when executing RHPROFL0?

Did you have to create a new relationship in PROFL0?

Any help in this direction would be appreciated

Thanks

Abhishek

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Abhishek,

You are talking about roles, ie generated profiles.

And I think, when we consider allocation of profiles, RHprofl0 looks for only IT1016, ie manually created profiles.

Regards,

Sachhidanand Rankhambe

26 REPLIES

jurjen_heeck
Active Contributor
0 Kudos

> Any help in this direction would be appreciated

Have you considered posting in an HR forum? I think they're the experts on evaluation paths.

0 Kudos

Hmm... sure, will do that, thanks Jurjen.

For the security part of the question, has anyone faced problems with a role assigned to the root Org not getting assigned to all child Orgs when RHPROFL0 or PFUD is executed?

0 Kudos

Hello Abhishek,

What I understood from your problem is that you assigned the role to the root org and it is not getting assigned to all child orgs. Please correct me if I am wrong.

In the Evaluation path of the PD Profile, "Leave Empty", and all child orgs will get that role.

After assigning the PD Profile to the user, I am sure you might be running RHPROFL0 to make the adjustment for all users who got this profile.

Another alternative is to assign the PD Profile directly to the user by using T-code "OOSB"; that way you don't need to run RHPROFL0.

Riyazuddin Mohammed.

0 Kudos

Hi Riyazuddin,

Thanks for your reply... yes, that's our intent here. However, we are not assigning PD profiles, this is just for the standard role assignment. I understand what you mean: use OOSB to manually create entries in T77UA, as an alternative to RHPROFL0. That's our next goal... to assign a PD Profile at the Root ORG. And if it does not work, we might use the steps you mentioned.

Right now, we want the role assignment to ripple down. I tried running RHPROFL0 for Standard Authorizations with Evaluation Path blank; I guess it didn't like it.

Did you ever use a custom evaluation path as a copy of PROFL0?

Thanks

Abhishek

0 Kudos

> Hello Abhishek,
>
> What i understood from your problem is you Assigned the role to root org and it is not getting assigned to all child orgs. .. please correct me i am wrong.
>
> in Evaluation path of PD Profile " Leave Empty " and all Child orgs will get that role.
>
> after you Assigning PD Profile to user I am sure you might be running RHPROFL0 to make Adjustment to all users who got this profile.
>
> Another Alternative way is you Assign the PD Profile directly to user by using T-code " OOSB" in that way you no need run RHPROFL0.
>
> Riyazuddin Mohammed.

Perhaps it is a design error per Julius, if you want the role assigned to the child orgs per Riyazuddin, which you agreed with. I'm assuming the goal is that you want to assign a role to an org unit, and all the users in the org unit and under will get the role assignment. I have tested this successfully in ECC 6.0 a while back in RHPROFL0 with Object type "O" and Evaluation Path "PROFL0". The role will be assigned to all users in the org. Our sandbox is down now for upgrades so I can't test.

Good Luck!

0 Kudos

Hi John,

You got my intent!

I tried running RHPROFL0 with the standard evaluation path PROFL0 and object type O. However, this is not getting assigned to all child ORGs. This is just reflecting at all those positions attached to that ORG.

We are on ECC 6.0

Guess, if this is not how the ORG assignment works (that is, O-O), then an alternative would be to update the role at all ORGs. That way any new position will inherit this relationship using standard (O-S-P).

Am open for any other alternatives....

Thanks all for all your thoughts....

Abhishek

Former Member
0 Kudos

I have never tried, but "evaluation path" with the default value "PROFL0" is a parameter on the selection screen of RHPROFL0... and you can create variants for it... so this would indicate that there is something configurable behind it...

Try F1

Cheers,

Julius

ps: Let me know if you would like to have this thread moved to the HCM forum if you don't find an answer after a while. Please do not cross-post.

0 Kudos

Hi Julius,

Yeah, we actually can create variants of the evaluation path; however, it only updates the role for that org only, and the exact relations are a little complex to understand.

I will not cross-post, maybe just wait a few days....

Thanks

Abhishek

0 Kudos

> ...and the exact relations are a little complex to understand.

Design error...

Cheers,

Julius

0 Kudos

LOL!

0 Kudos

> LOL!

Yeah, yeah... he who laughs last...

I understand from previous discussions... that you are also a "basis admin" so in addition to the scalability and automation you are looking for, you might also be considering the performance impact of the authority-check and your app server sizing?

There is a feature available since release 46C called the "reference user concept".

If all users (or known UMR groups of them) in your system are assigned to org units, and you want to assign a "basic" authorization to them at the root node... then you can also do this via one reference user which is assigned to all.

It is not the same as structural authorizations, but will enable the user to pass an authority-check which is unique only to the reference user - because the "auth" will be unique as well.

Some tips:

- The reference user (actually, the auths available to it - it is like a role...) should not be able to do anything on its own without the "real" user authenticating.

- You need to secure the user and role maintenance of the reference user and the reference role more than what you would normally do for end-users.

Much like trusted RFC for authentication / identification, it is easy to make mistakes here with authorization... but it does work.

Just some thoughts because it might be an option for you to mix with shop floor folks who are not naughty...

Cheers,

Julius

0 Kudos

Right now i am laughing at myself for the amount of work I am in

Just one of those days for me where you really need a drink!!

I used to work in Basis, don't mind working some Basis work occasionally now 😛

How would this affect the performance? The Org reconciliation will run at night, and auth-check will not care if the role comes from org or is a direct assignment in the UMR. The user buffer will be loaded the same way.

The idea of reference users is actually very interesting. I will definitely pursue it as an approach. In this case, where we have to assign the role to all, we can do an SU10 or go with the reference user approach.

The reason we are maintaining this at the ORG is, any employee who joins in, will be part of the ORG and will automatically get this access. Contractors will not be part of the ORG, and they will get it on explicit requirement only. Based on the requirement, we thought this is the best approach.

Now if the HR ORG assignment does not drill down to child ORGs, then we will have to analyze the whole design.

For structural to work, we will anyway have to maintain the relationships and roles at the positions.....

bah!! I am talking to myself... am heading to a bar... join me if anyone is interested, it's on me!

tc

Abhishek

0 Kudos

Reference users are an indirect assignment, but to the UMR. The user buffer is loaded for the reference user (once only!) and all users who are assigned this reference user for additional authorizations, will pass the authority-check if either their own UMR or that of the reference user can satisfy the object field and value in the check.

So it is not an evaluation path, but rather a super-set of common authorizations which are already loaded for all assigned users if one of them has logged on since the buffers rolled.

It is like a buddy-concept

Cheers,

Julius

0 Kudos

> It is like a buddy-concept

Like partners in crime :-P.

For this scenario, then, it will become difficult to meet a requirement where a manager needs to maintain another ORG. Don't know..... will have to brainstorm this a little more..

Thanks for this direction... really is helpful.

Former Member
0 Kudos

Hi Abhishek,

You are talking about roles, ie generated profiles.

And I think, when we consider allocation of profiles, RHprofl0 looks for only IT1016, ie manually created profiles.

Regards,

Sachhidanand Rankhambe

0 Kudos

Hi Sachhidanand ,

I think you meant IT1017

Actually, along with the option of PD profiles, RHPROFL0 also reconciles standard authorizations. You can test it, it works. There is an option for standard profiles in the program.

Let me know if you know any findings...or I have misinterpreted anything

Thanks

Abhishek

0 Kudos

Hi Abhishek,

I was talking about the IT1016, ie Standard Profiles only.

You are right, RHprofl0 supports standard authorizations, as well as PD profiles.

But you are considering manually created profiles + generated profiles under the standard authorizations option, or rather, it's working in your case. For me,

1) I assigned a composite role to a position & executed RHprofl0, but the user didn't get the role.

2) I ran PFUD with HR Organizational Management Reconciliation & the user got the role.

3) I assigned SAP_all to an org unit & executed RHprofl0, and the users got SAP_all.

Hence I am considering only manually created profiles under standard authorizations option.

I am not sure, why we are getting different outputs. If I am not wrong, then there is no setting controlling this behavior. And I am on 620.

Ultimately I want to say, I doubt, what you are looking is possible using RHprofl0, or not.

Please correct me if you find I am wrong.

Thanks.:-)

Regards,

Sachhidanand Rankhambe

0 Kudos

Hi Sachhidanand ,

Thanks for this info..this is really useful...there is no wrong... only learning!

My bad, I got confused.... I got you meant IT1016 (Standard profiles)...my question was in reference to roles, and I was thinking that and PD profiles 😛

I checked RHPROFL0 for standard profiles, RHPROFL0 updates the profiles: Standard ones. (Assuming Manual profiles are out now ) I tried putting in a generated profile and RHPROFL0 didn't assign that. ( phew! ..or else I would go nuts! )

Coming back to RHPROFL0 for roles, I am myself a bit puzzled at its behavior. If I assign a role to a position, both PFUD and RHPROFL0 (with standard profile checked) will update this in the UMR. However, RHPROFL0 will re-assign all roles for that position on any change to B|007 relationship, the result, all roles will have a start date of the day the position changed.

I think the way out for this model would be to assign role at all the ORG's. This way, any new position will inherit the relationship when attached to any ORG. The frequency of new ORG's is less, so hopefully there will not be too many updates.

Thanks all for your answers....

Abhishek

0 Kudos

Hi Abhishek,

Your observation has increased my confusion.:-(

But definitely a valuable addition to my knowledge. Thanks a lot for that.:-)

At least I'll be more careful with RHprofl0.

Also, heartfelt wishes for the New Year. :-)

Regards,

Sachhidanand Rankhambe

0 Kudos

Hi

I have been going through this thread and found it interesting, so thought of contributing my 2 cents.

PROFL0 checks all the relationships in the Org Unit (you can see it using transaction PPSS (display structure)).

PROFL0 finds all relationships on the Orgs; it appears to find all child orgs (looks for relationships B 002, B 003 & B 012) and lists all the users. You can assign a PD Profile at Org level too and I tried doing that, however the result is the same: it just assigns at one level (using relationship B 003). If PROFL0 can read the structure based on the relationship, I think it should also assign roles to all child Orgs. Hopefully we will find some solution on this.

Thanks

Santosh Kumar

0 Kudos

Nice Discussion out here .. qualifies for the A collection of threads: FAQ's, intros and memorable discussions

Yups, Santosh, even for the Standard roles (which I guess is Abi's concern) only the first-level A-008 holders get the standard roles assigned to their UMRs.

Cheer !!

Zaheer

0 Kudos

Hi Abhishek,

Can you please let me know the T77AW entries for Profl0?

Thanks.

Regards,

Sachhidanand Rankhambe

0 Kudos

Bullseye! Guess the way out is to assign at all orgs. PFUD is taking a hell lot longer now (expected)

0 Kudos

Hi Sachhidanand ,

Wishes to you too

This is the standard definition of Profl0 in ecc6.0

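| EvalPath | No. | OT | S | Rel | Pr | RO | S |
|---|---|---|---|---|---|---|---|
| PROFL0 | 10 | O | B | 002 | * | O | X |
| PROFL0 | 20 | O | B | 003 | * | S | X |
| PROFL0 | 30 | S | A | 008 | * | US | |
| PROFL0 | 40 | S | A | 008 | * | P | X |
| PROFL0 | 50 | P | B | 208 | * | US | |
| PROFL0 | 60 | BS | B | 057 | * | P | |
| PROFL0 | 70 | BS | A | 608 | * | VA | |
| PROFL0 | 80 | VA | B | 605 | * | VB | |
| PROFL0 | 90 | VB | B | 605 | * | VC | |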

Any ideas on creating a custom variant of it?

Thanks

Abhishek
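
An added illustration, not code from any poster or from SAP: a simplified Python model of walking an evaluation path defined like the PROFL0 entries posted above, for comparing the users an org-level role assignment should reach with what actually lands in user master records after reconciliation. The org structure is constructed sample data, reading the last column as a "skip" flag (follow the relationship but do not return the object) is an assumption, and the BS/VA/VB lines are left out.

```python
from collections import deque

# PROFL0 lines as posted above: (object type, A/B, relationship, related type, skip)
PROFL0 = [
    ("O", "B", "002", "O", True),
    ("O", "B", "003", "S", True),
    ("S", "A", "008", "US", False),
    ("S", "A", "008", "P", True),
    ("P", "B", "208", "US", False),
]

# Constructed sample structure: (type, id, A/B, relationship, target type, target id)
RELATIONS = [
    ("O", "ROOT", "B", "002", "O", "SALES"),
    ("O", "SALES", "B", "002", "O", "SALES_EU"),
    ("O", "ROOT", "B", "003", "S", "POS_CEO"),
    ("O", "SALES", "B", "003", "S", "POS_MGR"),
    ("O", "SALES_EU", "B", "003", "S", "POS_REP"),
    ("S", "POS_CEO", "A", "008", "US", "ALICE"),
    ("S", "POS_MGR", "A", "008", "P", "00001001"),
    ("P", "00001001", "B", "208", "US", "BOB"),
    ("S", "POS_REP", "A", "008", "US", "CAROL"),
]

def resolve(root, path=PROFL0, relations=RELATIONS, follow_child_orgs=True):
    """Return the (type, id) objects reached from root that are not skipped."""
    seen, result, queue = {root}, set(), deque([root])
    while queue:
        otype, oid = queue.popleft()
        for _, p_dir, p_rel, p_target, skip in [p for p in path if p[0] == otype]:
            if not follow_child_orgs and (p_rel, p_target) == ("002", "O"):
                continue  # models the one-level result reported in the thread
            for s_type, s_id, r_dir, r_rel, t_type, t_id in relations:
                if (s_type, s_id, r_dir, r_rel, t_type) != (otype, oid, p_dir, p_rel, p_target):
                    continue
                node = (t_type, t_id)
                if not skip:
                    result.add(node)
                if node not in seen:
                    seen.add(node)
                    queue.append(node)
    return result

def users(nodes):
    return sorted(oid for otype, oid in nodes if otype == "US")

def missing_users(root):
    # Users the full path reaches that a one-level reconciliation would miss.
    return sorted(set(users(resolve(root))) - set(users(resolve(root, follow_child_orgs=False))))
```

Fed with real relationship data in place of the sample list, the difference returned by `missing_users` is the set of accounts to check by hand after a reconciliation run.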

0 Kudos

Just remembered that had found this helpful doc and had thought of putting it here.... thanks to my laziness .....

Anyway, this gives a good explanation of the ORG assignment.

https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f03e6f6c-8c16-2a10-1581-ed8812e2...

0 Kudos

Did anyone find a solution on this, as we are encountering a similar problem with distributing a structural profile? Apparently this seems to only inherit on B003 relationships... or has someone had success by using a different evaluation path? Thank you for sharing your solution!