Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Conflict with Position-Based Authorization

Former Member
0 Kudos

Hi Experts,

We are implementing position-based authorization for our organization. However, there are exception cases whereby a holding position is occupied by multiple users and they require different rights in the system. For such scenarios, authorizations would be assigned to userids directly.

To mitigate the risk of such direct assignments not being removed, we assign roles directly to the userid with a stipulated end-date. However, we face a potential issue whereby the employee may be posted to another position (with position-based security) before his directly assigned role has expired. This may lead to the employee having 2 conflicting authorizations and running the risk of a segregation of duties conflict.

Would need your expert advice on the best practice for monitoring such userids (direct role assignment to ids) to ensure that the authorizations that have been assigned directly are appropriately removed when they shift from the holding position to other positions?

Thanks in advance.

8 REPLIES

Former Member
0 Kudos

Hello,

I assume this refers to the SAP HCM module whereby users are assigned directly to positions, aka indirect role assignment.

If you have several users in a position who require additional access or request frequently for additional access, is there a need for a few more positions with this access?

Please note that I would not recommend direct role assignments as it takes away the benefit of using position based authorizations and has several complications.

- Avinash

0 Kudos

> Please note that I would not recommend direct role assignments as it takes away the benefit of using position based authorizations and has several complications.
>
> - Avinash

Avinash has a good point.

Using one position for many users is not a good idea for position-based security. Have a meeting with your HR functional team about making a position unique for each user. If they don't agree with your request, it will be a huge challenge to pass audit in regards to segregation of duties. Your other option will be roles assigned directly to users, and for this you will need an army of security admins to support the system.

Good Luck!

0 Kudos

> Your other option will be roles assigned directly to users and for this you will need an army of security admin to support the system

That's a bold assumption! OP doesn't mention any number of users.

On the other hand, you're not giving away your standard army size.

0 Kudos

Guess it's directly proportional.

Hi Khai,

The option of assigning roles directly to a user, deviating from position-based security, seems more like a band-aid solution. The fact that the holders need different roles itself calls for a new job, a new position. You can put in compensating controls like running reports and checking for extra access as a result of a position change, but this will be a little cumbersome (John's army needed) and will be an on-going process.

Like Avinash and John mentioned, to get this streamlined and to resolve this conflict, talk with the HR functional team.

Good luck with that and let us know how it goes

Abhishek

Former Member
0 Kudos

Dropping your org structure to one level lower might (have been) an option, but probably not anymore?

If you are going to mix the two, then the easiest way I can think of is to give the HR folks access to display the role assignment to the users to check for this additional access when they change the position, and train them to do it.

Next easiest would be to schedule a daily job which checks for changes in positions and whether a certain direct role assignment is present, and then send a mail to the security admins or HR to check.

Again... humans are involved...

I am also tempted to say that you could add a bit of custom code to remove certain direct access when RHPROFL0 runs, and even add the new direct access associated to the new position - but that is what structural authorizations set out to do in the first place.

Cheers,

Julius
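Both Abhishek's "run reports and check for extra access after a position change" and Julius's "daily job which checks for changes in positions and whether a direct role assignment is present" describe the same compensating control: a reconciliation between the HR position history and the list of direct role assignments. The following is an added illustration written for this thread, not code from the original posts, from SAP, or from the RHPROFL0 report; it models that check in plain Python over constructed sample data. The record types (`PositionChange`, `DirectRoleAssignment`), the user ids and role names are assumptions; in a real system the inputs would be extracted from the HR position assignment history and the user/role assignment tables.

```python
"""Daily reconciliation of position changes against direct role assignments.

Added example (not from the thread or from SAP). Flags users whose position
changed within a lookback window while a directly assigned role is still
valid, so that security admins or HR can review the assignment before it
turns into a segregation of duties conflict.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PositionChange:
    user_id: str
    old_position: str
    new_position: str
    changed_on: date


@dataclass(frozen=True)
class DirectRoleAssignment:
    user_id: str
    role: str
    valid_to: date  # the stipulated end-date of the direct assignment


@dataclass(frozen=True)
class Finding:
    user_id: str
    role: str
    old_position: str
    new_position: str
    days_remaining: int  # how long the direct role would stay valid unreviewed


def find_conflicts(changes, direct_roles, as_of, lookback_days=1):
    """Return direct role assignments still valid on `as_of` for users whose
    position changed within the last `lookback_days` days (inclusive).

    Expired direct assignments are ignored (they no longer grant access), and
    so are position changes outside the window (already reviewed by an
    earlier run). If a user changed position more than once in the window,
    the most recent change is reported.
    """
    window_start = as_of - timedelta(days=lookback_days)
    recent = {}
    for change in sorted(changes, key=lambda c: c.changed_on):
        if window_start <= change.changed_on <= as_of:
            recent[change.user_id] = change  # latest change wins
    findings = []
    for assignment in direct_roles:
        change = recent.get(assignment.user_id)
        if change is None or assignment.valid_to < as_of:
            continue
        findings.append(Finding(
            assignment.user_id, assignment.role,
            change.old_position, change.new_position,
            (assignment.valid_to - as_of).days,
        ))
    return sorted(findings, key=lambda f: (f.user_id, f.role))


def review_message(findings):
    """Plain-text body for the mail sent to security admins / HR."""
    if not findings:
        return "No direct role assignments to review."
    lines = ["Direct role assignments to review after position change:"]
    for f in findings:
        lines.append(
            f"- {f.user_id}: role {f.role} still valid for {f.days_remaining} "
            f"day(s); moved {f.old_position} -> {f.new_position}"
        )
    return "\n".join(lines)


# Constructed sample data (hypothetical user ids, positions and roles).
SAMPLE_CHANGES = [
    PositionChange("U001", "P100", "P200", date(2024, 2, 29)),  # yesterday
    PositionChange("U002", "P100", "P300", date(2024, 2, 10)),  # 20 days ago
    PositionChange("U004", "P400", "P500", date(2024, 3, 1)),   # today, no direct roles
]
SAMPLE_ROLES = [
    DirectRoleAssignment("U001", "Z_AP_PAYMENTS", date(2024, 6, 30)),  # still valid
    DirectRoleAssignment("U001", "Z_OLD_REPORT", date(2024, 1, 31)),   # expired
    DirectRoleAssignment("U002", "Z_GL_POST", date(2024, 3, 15)),      # still valid
    DirectRoleAssignment("U003", "Z_HR_DISPLAY", date(2024, 12, 31)),  # no position change
]
RUN_DATE = date(2024, 3, 1)

if __name__ == "__main__":
    print(review_message(find_conflicts(SAMPLE_CHANGES, SAMPLE_ROLES, RUN_DATE)))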

0 Kudos

> Again... humans are involved...
>
> Cheers,
>
> Julius

Humans or soldiers... ;-). Jurjen and Abhishek, I just needed to make a point, but I guess I exaggerated a little bit with the army reference. In our case going with manual assignments will kill us, 3 security admins vs 40k employees. I hope I got my message across.

0 Kudos

> Humans or soldiers... ;-).

Throw in a few contractors, eCatts and GUI scripting and you have a whole ecosystem...

I think the key here is the scalability. If you want to use it to tap into HR, then you need to respect its rules.

Cheers,

Julius

0 Kudos

Ha ha... We totally understand! The army thing actually was a nice way to put it and was a good laugh.

Same here, 4 vs 40k