Hi Prashant,

Thanks for the comments.

Maybe I didn't explain my reasoning of object duplication well. If you have 10 different FI roles then you will likely have close to 10 repetitions of F_BKPF objects for example. Can you give some guidance on how you see the business process profile matrix helping with this?

Cheers

Hello Alex,

I will upload that doc and send you link here,so that you can have review and provide me feedback aboout your findings,

Business process profile is made based on users position i.e based on thier job description,and we created role as per that

It not Hr Security,its role based, that matrix will help you to determine which role user should have but giving the profile id and to which cost centre they belong.

Please let me know ,do we have any portal to upload such docs, and i do have list of use ful reports and tables which people some time ask,we can share with them .

Regards,

Prasant K paichha

I also agree on the risk factor on duplicate or shared authorization objects on simple roles within the same composite role. You can also argue that you can assign multiple single roles and it will have the same risk. Composite roles can add some complexity but it can also simplify the role assignments if the simple roles are design by jobs or tasks.

The composite roles are critical in our system environment but for a different reason. Our security is based on HR position and itu2019s also in a CUA. We use our composite role for traditional grouping of roles but more importantly to assign roles on child systems.

ECC 6.0 is our master CUA and we can only assign roles to a position that are available in ECC 6.0. You cannot assign a role in BI, SRM, SUS or other child system to a position. We use simple dummy role in ECC to point to a child role in BI, SRM, SUS, etc. We then add this dummy role to a composite role in ECC 6.0. We can then assign the composite role to a position and address the issue of assigning child roles to position. I hope that makes sense, itu2019s really simpleu2026 really

Thatu2019s it for now.

I agree with Alex on all levels, but only as long as you are considering one system landscape.

if you have a setup like this (and I do):

>

> The composite roles are critical in our system environment but for a different reason.  Our security is based on HR position and itu2019s also in a CUA.  We use our composite role for traditional grouping of roles but more importantly to assign roles on child systems.

there's no avoiding composite roles, since you don't have any other technology at hand that enables you to assign roles in child systems.

>

> > Useful for creating cross system roles in a CUA master (my one situation where I find they can save time). 
> Alternately you could use the IdM, where you don't need to use composites.
> 
> On the contrary, the IdM uses Business Roles which can be built using component system roles, which is much the same concept. If you still have composite ABAP roles in between, it will be a big crow's nest.
> 
> Cheers,
> Julius

We still don't have IdM but it looks like a good product.

Hi David,

I have used them in the past. Same benefits/limitations as in R/3. Can be useful to consolidate report menu structures.

<pre>Hi Alex,

Well this discussion could run and run, surely the use of a composite does depend on the landscape and business matter you

are trying to address?

Completely agree that with HR org. structure assignment of roles to other systems under CUA the composite role approach is

very elegant.

Globally we have a couple of views on the use of composites for 'simplifying' user access - not necessarily a position

I agree with but being out in the real world with thousands of users and roles across multiple production systems I sort of

inherited this set up. And changing something that the business perceives as not being broken, is quite hard to justify. (Happy to

take comments on why we should change this - probably a new discussion that could also run and run!)

In the US we have a pseudo IdM solution, where we have job functions made up of single roles, which if we didn't have that

solution would probably have been deployed via composites. The idea being all the access a job requires would be in the

composite role, so role allocation is easier. As it is the allocation of a job, ends up with all the single roles being provisioned to

the user master, and so from the SAP side of things there is no visibility of the job or which job each single role belongs to.

This was developed many years back before SAP moved into the IdM space and it is something the US don't want to abandon.

On the other side of the world, in our Asia Pacific systems, we don't have this set up but we do have heavy use of composite

roles, in all countries except Taiwan, who have just moved away from composites because they were too rigid.

The arguement for composites in Asia Pacific was that each composite was throughly checked against Virsa to ensure that

there were no SOD issues in the role. They also have a business direction that no user is allowed more than one composite, so

it helps ensure that users don't get SOD issues through their normal access. We still need to check for SOD but day to day role

allocations, provided they comply with the only one composite directive, should not pose risks. Does mean a bit more work on

role set up and change, but not having the automated compliant user provisioning that you could, this does help allay managment

fears that users aren't getting risky access.

For the rest of the world (EMEA and Latin America) we don't have composites much, but the desire is to deploy a global IdM

solution, so there's no business driver at the moment to deploy the US solution or the Asia Pacific solution.

Personally the cost of user role allocation support effort vs the support effort of maintaining what ever role structure is in place

is always a driver for if composites can be used - from experience security always has to play catch-up and collecting the

single roles into composites is often something that falls by the wayside.

Business roles under an IdM so that provisioning is simplified is where we'd like to get to, but the journey to get there, long and

painfull!

By the way apologies for the formatting - it looks fine in edit mode - but isn't reading any formatting when posted - sorry!

Edited by: Chris Haigh on Sep 4, 2009 1:20 PM

Edited by: Julius Bussche on Sep 4, 2009 1:30 PM

Formatting improved a little bit...</pre>

HI Chris,

Thanks for your comments on the subject.

Cheers

Alex

p.s. I just remembered I have that stuff for you! will get it over.

To add my 2cents to the interesting topic of composite role lets go back to the original purpose of SAP Composite role. This method is designed for an organization that has a staff performing dual or multiple job responsibilities. Instead of the potential confusion that could generate as a result of assigning volumunous single roles to a user, SAP has made it a little easier by using the composite.

You may want to ask why on earth should there not be a proper definition and assignment of responsibility, or better put, why cant an organization have one person carrying a specific job function; and my response would be most organizations are looking for a way of cutting down on resource costs therefore; they can 't afford to have one person strictly assigned to a job function. Should they be mounting so many responsibilities on one employee? No, but hey, we are not operating in the world of "what it ought to be" but "what it is." I bet you had done the same thing if you had an ownership title to a company.

Composite is good if carefully and intelligently used.

True - you then also have a 1 user : 1 role mapping possibility.

But why would a user then ever need more than 1 composite role? This is seldom the case IMO. PRGN_COMPRESS_TIMES is evidence of this.

From what I have seen, composites are a "workaround" for badly built single roles (often designed too late in the project, with poor requirements) and not maintaining SU24 to keep the quality of the single roles up to scratch and intact with their menus, and consistent with some (hopefully existent) concept. Just to get the system to work... with "yellow" single roles.

Actually, an auditor once told one of my ex-boss's that benchmarking "my" systems against other SOX companies, the rest of the market is about 2 years ahead of me regarding compliance because "they" use composite roles, which means less profiles for the users, lower TCO and higher ROI etc.

What he didn't know is that my boss (the CIO) started in the company donkey's years ago as an ABAP developer, and used to drop by our office in the afternoons sometimes with a coffee - looking to see whether there was any interesting problem which needed to be debugged...

> Composite is good if carefully and intelligently used.

Composite roles are an "enabling technology": they make it possible for unsuspecting people to do stupid things beyond the bounds of that which they could achieve on their own - with single roles.

Cheers,

Julius

>

> I'm trying to find out if anyone uses composite roles in BI/BW 7.0 (I'll use both terms "BI" and "BW" here to mean the same thing).  There is usually not a need for composite roles in BI/BW but curious if anyone has used them.  Thanks.

This is an interesting one. To give key users the ability to maintain their user's menu for a specific namerange of composite roles without letting them near any authorizations or the ability to assign single roles.

But there are also newer frontend components than the BEX Analyzer now - the BW Portal, WebIntelligence, BEXweb, Pioneer (a mix of BW and BO).

On the technical side, you might want to consider restricting the program ID's via which these query reports are generated and not the SAPGui menus in future. So the requirement for using composites will fall away here as well IMO.

Cheers,

Julius