Solved: CUA with HR-Org - How to assign systems for role

former_member188973 · ‎07-23-2009

Dear all,

we are planning to use CUA with HR-Org assignment. Can please anyone explain to me how or where the system for the role comes from.

I mean, normaly in SU01 -> Role Assignment I have in the first colum the system and in the second colum the role. It the role assigment come from HR-ORG there is always the local logical system in the system colum. This is not what we want.

CUA is on Solution Manager, HR-ORG is replicated from R/3 HR Systeme and the user needs the roles in ECC production systeme.

So how can we manage the system/role combination assignment?

Thanks for any hints.

Best regards

Roman

Frank_Buchholz · ‎07-31-2009

Hi Roman,

if you want to use both the CUA and HR org. role assigmnets you have two options:

a) local HR org. role assigmnets

Transfer the org. hierarchy to all systems using ALE.

Assign roles to positions (or org units respective jobs) locally in every system.

Create users via CUA assigning some basic roles for the target system.

Execute PFUD locally in every system.

b) central HR org. role assigmnets

Transfer the org. hierarchy to the CUA master system using ALE.

Check if all role namens from all systems are unique.

Read the roles from all systems into the CUA master system using RFC. With this step you get 'local' roles in the CUA master which have a remote system attribute.

Assign these roles to positions (or org units respective jobs) in the CUA master system.

Create users via CUA.

Execute PFUD in the CUA master system.

I recommend to go for a)

Kind regards

Frank Buchholz

Former Member · ‎07-23-2009

Hi Roman ,

For HR org. role assignments in CUA (Parent ) system, You need to maintain roles in Child systems

then you need to replicate all roles to Parent systems .Also tranfer HR org structure from HR

to the CUA central system.

For more Please visit: http://help.sap.com/saphelp_sm310/helpdata/en/8b/3c713eeaac5441e10000000a114084/content.htm

Regards

Vikas rana

former_member188973 · ‎07-23-2009

Of Course but how is the system set while HR-Org roles are adjusted with the user?

BR

Roman

Former Member · ‎07-23-2009

By Evaluation Path US_ACTGR in Table T77AW .

Remember ,

Customizing switch HR_ORG_ACTIVE in table PRGN_CUST is set to YES to activate

the HR-ORG management for role administration.

Let me know ,if it helps ..

Regards

former_member188973 · ‎07-23-2009

Sorry still didn´t get it.

So far the process is working but in the system there is always the logical system of the CUA client.

Let me explain.

Org Model is maintained in System HR1 client 010 and distributed to System SOL Client 090 where the CUA is running. In the CUA there are the systems D01, Q01, P01 with different clients connected.

Now the user has a role assigned in HR-Org and this is replicated to SOL/090. The PFCG_TIMEDEPENDENCY Job is now running in SOL/090. The role is added to the user but not with system e.g. P01/010 it is added with system SOL/090. So how can I tell the system to which systems/clients the user should get the role?

I hope you understand my explanations.

Many thanks for help.

Best regard

Roman

Former Member · ‎07-23-2009

I understood these are CHILD systems D01, Q01, P01 and this is SOL Client 090 , Parent system.

Once role in parent system , You can manually maintain by SU01 , IN system TAB enter System &client no.

for which you want to assign role to particular user .Save it .

Then role automatically assigned for particular user in particular system and client.

For Others: Please suggest ,If i am wrong.

Regards

Vikas rana

former_member188973 · ‎07-23-2009

Of course I can manually maintain systems and role in SU01 but what sense then makes the HR-Org Role maintainance if I have to add system/role manually.

So my question is: How to add role from HR-Org automatically including system.

Example: User Muster in HR-Org has role z_myrole for system P01/010 and role z_otherrole for system Q01/030.

Any idea?

Best regards

Roman

Former Member · ‎07-23-2009

> For Others: Please suggest ,If i am wrong.

I dont think you are necessarily wrong just not understanding the question, and it seems you have copy&pasted your answer from Raj's answer in ...

Former Member · ‎07-23-2009

So you want to include the system assignment in the HR org structure based on some "business role" which the user has?

Perhaps you want to take a look into the IdM which is designed for such purposes. See the link at the top of the forum by Kristian Lehment.

Cheers,

Julius

former_member188973 · ‎07-23-2009

Ok, of course the role is assigned to a position, the position has a user assignment and so on....

I am wondering a little bit about the answers I get, to me it seems nobody understands my question. But it is not so difficult.

Ok, again the szenario.

HR System with OM. Many positions with role assignment and user assignment. The OM infos are distributed to the CUA system. There an assigment of the role to the user happens. So far so good. But the role is assigned with system of the CUA client. But the role from position should be assigned to the production system (in CUA) and the distributed by CUA.

Isn´t this the process explained in the SAP Docus and diagrams?

Thanks for help

Roman

former_member188973 · ‎07-24-2009

Hi Julius,

I did not Copy&Paste anything this is really an issue to me and I am still searching for a solution or maybe the right understanding of how it works.

Thanks for help.

Roman

Former Member · ‎07-24-2009

>


> I did not Copy&Paste anything...
>

That comment was directed at Vikas.

Cheers,

Julius

Former Member · ‎07-30-2009

Hi,

If I understand your problem you want to do role assignment from the HR-Org structure on a system that is using CUA.

I have only managed this successfully when the CUA master is also the system with the HR-Org structure on it. Otherwise you have lots of issues with replicating data between systems. I did this for a UK council's SAP solution where we allocated all the roles from the HR system, including roles on ECC, SRM(EBP), CRM and BI - so it does work.

PO13 on the system with the org. structure will only allow you to allocate a role that exists on that system, but if the roles that you are allocating are composite roles that include single roles on other systems, you can achieve this sort of business role allocation without having to go the IdM route.

Darren Hague (no relation) gave a presentation at SAP Tech Ed 07 on such a scenario, that explains how the composites would be set up far better than I can, but in essence you use the CUA connectivity and the rights of the CUA master system (which includes the org. structure) to allocate roles on other systems / clients in your CUA landscape.

Have a search through SAP Tech Ed 07 presentations and you should find what you are looking for.

Frank_Buchholz · ‎07-31-2009

Hi Roman,

if you want to use both the CUA and HR org. role assigmnets you have two options:

a) local HR org. role assigmnets

Transfer the org. hierarchy to all systems using ALE.

Assign roles to positions (or org units respective jobs) locally in every system.

Create users via CUA assigning some basic roles for the target system.

Execute PFUD locally in every system.

b) central HR org. role assigmnets

Transfer the org. hierarchy to the CUA master system using ALE.

Check if all role namens from all systems are unique.

Read the roles from all systems into the CUA master system using RFC. With this step you get 'local' roles in the CUA master which have a remote system attribute.

Assign these roles to positions (or org units respective jobs) in the CUA master system.

Create users via CUA.

Execute PFUD in the CUA master system.

I recommend to go for a)

Kind regards

Frank Buchholz

Former Member · ‎09-29-2009

Hello Frank,

If you go for your scenario b

b) central HR org. role assigmnets

Transfer the org. hierarchy to the CUA master system using ALE.

Check if all role namens from all systems are unique.

Read the roles from all systems into the CUA master system using RFC. With this step you get 'local' roles in the CUA master which have a remote system attribute.

Assign these roles to positions (or org units respective jobs) in the CUA master system.

Create users via CUA.

Execute PFUD in the CUA master system

is it needed to have ALL roles unique and ALL roles available in the central system or only the ones that you want to assign via the hr org assignment?

Kind regards,

Henk Peter

Frank_Buchholz · ‎09-30-2009

>


> Hello Frank,
> 
> If you go for your scenario b
> 
> b) central HR org. role assigmnets 
> [...]
> 
> is it needed to have ALL roles unique and ALL roles available in the central system or only the ones that you want to assign via the hr org assignment?
> 
> Kind regards,
> 
> Henk Peter

Hello Henk Peter

it is sufficent to have the roles to be used for the HR org assignement unique - but of course it might be a continuous source of trouble if you cannot enforce this rule.

Kind regards,

Frank

Former Member · ‎10-28-2013

Hello.

We are implementing SAP GRC with the HR Triiger integration and we would like to understand if from the HR system could be done a relationship between the HR position and a role from another SAP systema like an ECC.

At this moment we only can see the roles created locally in our HR system.

Many thanks in advanced.

former_member226975 · ‎10-29-2013

Hi Sara,

You could try to use PFCG->role -> Read from other system by RFC, give th RFC to your ECC system, and then you will get the roles in your HR system. but only the "name", no real authorization objects in it, and with no profile generated.

so now, you can assign the role to positions in your HR system.

Best regards,

Candy