Support of structural authorizations in IdM?

Former Member
0 Kudos

I am currently working on an IdM implementation where structural authorizations are handled individually on the various backend systems. Would it be possible to implement a mechanism that would allow IdM to distribute privileges that in the backend system essentially would translate into entries in the T77UA table? If not, would it be possible to make IdM call a customer RFC in the backend system?

Best regards,

Anders

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Execute transaction HRAUTH. You will see a list of BAdIs. One of the BAdIs is specifically for allowing structural authorizations (PD profiles) to be assigned to a standard role. The sample code is very good for many applications and could be for yours as well (if you're using real structural authorizations).

Then you no longer have to worry about separate measures for assigning PD profiles. No OOSB and no RHPROFL0.

Former Member
0 Kudos

Anders, yes, it is possible to include structural PD profiles in the IDM provisioning framework, but only if you implement position based security. An IDM business role can be linked with a position, which in turn can be linked with the PD profile (Infotype 1017) as well as ABAP roles (Infotype 1001: Subtype Role).

Former Member
0 Kudos

Hello again, I've just learned that our version of structural authorizations is not position based and in another thread found out that the better option might be to enhance the BADI that IdM is calling as per my requirements. However, just out of curiosity, where can I find the use case documentation for the implementation according to your suggestion?

Best regards,

Anders

Former Member
0 Kudos

Dear Anders, I understand that you are trying your best to research this, but I feel that you need help with HCM position based security from someone who has some real expertise in it. I say that because your statement "version of structural authorizations is not position based" is invalid. Firstly, in SAP there is no 'version' of structural authorizations. Secondly, position based security has been around for a long time; for example, I've done half a dozen position based security implementations since 2001 and all of them included structural authorizations.

On the IDM use case question:

Any use-case can be used because the use-case does not define your ability to use structural auths. I'm using the ILM use case with position based security in the back end and all we need to do on the IDM side is to create tasks to assign business roles to positions. That task can then be used in the IDM Webdynpro UI to do the actual assignments. Since the structural auth. is already defined inside the position (Ifty 1017), it will satisfy your requirement.

Former Member
0 Kudos

Anders, if you have never done position based security with structural authorizations then this may help:

http://help.sap.com/saphelp_nwmobile71/helpdata/en/bb/bdb338575911d189240000e8323d3a/frameset.htm

Arya

Former Member
0 Kudos

Hello again, I can see now that it is evident that I am a little confused about structural authorizations in general.

With our version of structural authorizations I meant that we have implemented a BADI to create a customer specific check of structural authorizations. In fact our implementation is not using the authorizations main switch table in HR, as the requirement is to use structural authorizations in some areas of HR and not in other areas. When I wrote that we do not use position based security, that is of course not true. What I meant to say was that we do not use indirect role assignment, which I had confused with the position based assignment of structural authorization profiles. Sorry about that...

It is probably our customer specific implementation that is causing the problems we are experiencing, so I will look more into that. Thank you for your explanations.

Best regards,

Anders

Former Member
0 Kudos

Hi Anders, thanks for explaining your environment and what you are doing. I think you guys are using custom structural authorizations created by BADI with user based security assignment. You are not using the position based approach.

Former Member
0 Kudos

Anders, to add, anytime you see a BADI based custom structural authorization design, it means that the original designer had limited understanding of structural authorizations and that's why he/she resorted to asking the developers to create a BADI to take care of this. The reason I say this is because if you have a deep understanding of this technology, 99.9% of customer requirements can be satisfied by the SAP structural authorization concept itself. One can create very complicated structural PD profiles and custom evaluation paths very quickly to satisfy most customer requirements instead of using ABAP code in the BADIs.

Although I still have very little understanding of your SAP environment, I think that due to this custom structural profile and user based assignment approach, you will find it difficult to use the current version of IDM (7.1) for assigning the structural authorizations.