
HR Position Base Security Discussion

Former Member

Hello all,

We all know the beauty of using HR position-based security vs. manual role assignments to user IDs. Roles are automatically assigned and removed during a move with HR position-based security.

Recently a question came up regarding HR position-based security and I have a few ideas on how to address the question, but I'm just curious how some of you have dealt with this issue. This thread will be more of a discussion than a question.

Issue/example in regards to HR position-based security:

User-A is in position#1 and has been granted access to SAP after successfully completing SAP Accountant Training.

Position#1 has the following roles:

Z-Accountant

Position#2 has the following roles:

Z-Finance-Director

If User-A gets a promotion and is moved to position#2, he will automatically inherit Z-Finance-Director and the Z-Accountant assignment will be removed.

How can you justify assigning Z-Finance-Director even though User-A did not take the SAP Finance Director training?

Your response will be appreciated.

Regards,

John N.

10 REPLIES

jurjen_heeck
Active Contributor

There's a nice blog about this one: "The two-edged sword of security automation" (https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/15105) [original link is broken]

Former Member

Promotion seldom comes "out of the blue"...

So, much like the manual role assignment checks, a check to see whether training for the role has been completed by the applicant for a position should be performed by HR or by the person who approves the promotion.

If you have the training records in your HR system, then you could also whip together a reconciliation report for them which checks this after the fact.

Cheers,

Julius

morten_nielsen
Active Contributor

Hello John,

In my world this all boils down to a question of corporate policy and business process.

If you have a scenario where training is required before assigning a specific role to a user, then I would not use "out-of-the-box" position-based security.

In this kind of scenario I would look for a more "workflow-based" provisioning solution. This can of course still be controlled by your HR data, and you can implement a "training check" before assigning the role, or even go one step further and integrate your solution with your training system.

I do not have in-depth NetWeaver IdM knowledge, but I guess that could support this scenario; otherwise you can create your own workflow solution for this.

Regards

Morten Nielsen


> In this kind of scenario I would look for a more "Workflow-Based" provisioning solution. This can ofcourse still be controlled by your HR data, and you can implement a "training-check" before assigning the role, or even go one step further and integrate your solution with your training System.
>
> Regards
>
> Morten Nielsen

Morten,

I believe your solution is more towards a user-based role assignment, with roles manually assigned to the UMR. I'm not sure how you can control this through HR data? Please elaborate... Thanks.


Hello John,

No, I'm not thinking of user-based role assignment/manual role assignment.

What you can do is:

1. Assign your roles to your organizational chart.

2. Let the creation of new employees/reorg/leaving etc. in your HR system trigger a small SAP Workflow template.

3. Let the workflow check if training has been provided to the user (or... depending on scope).

4. Let the workflow automatically assign the required roles, after training has been completed (There's a standard BAPI available for that: BAPI_USER_ACTGROUPS_ASSIGN or BAPI_USER_LOCPROFILES_ASSIGN if you are using CUA).

This is of course not "out-of-the-box", but it is quite possible to achieve with SAP's workflow engine. You will of course have to do some ABAP, some workflow building, and perhaps some HR customization.

The SAP NetWeaver IdM solution works along these lines as well (although I'm not quite sure if and how you can check if training has been provided, but my guess is that it is possible too).

Hope it helps

Regards

Morten Nielsen


> 4. Let the workflow automatically assign the required roles, after training has been completed (There's a standard BAPI available for that: BAPI_USER_ACTGROUPS_ASSIGN or BAPI_USER_LOCPROFILES_ASSIGN if you are using CUA).
>
> Regards
>
> Morten Nielsen

Morten,

Thanks for the prompt reply, you definitely piqued my curiosity. In step #4 "automatically assign the required roles", are the roles assigned to the position of the HR data?


Hello John

Well at the end of the day the roles are always assigned to the user.

But what you can do is create a relation between the role and an entity in your HR-OM system. Based on that, and an evaluation path, you can retrieve the required role for the user and let the workflow assign it automatically. (You might need an HR consultant to help you out here.)

So in fact you can decide if you want to map the roles to a position, an organizational unit, a job etc. (but as always it's a good idea to decide on a strategy, otherwise it can end up in a big mess).

regards

Morten Nielsen
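To make the two suggestions in this thread concrete, here is an added example (not code from the original posts, nor SAP's own code) that models Morten's workflow in steps 1-4 and the evaluation-path idea above, together with Julius's after-the-fact reconciliation report. Everything in it is constructed: the object names (US:JOHN, P:00100, S:POS1, C:FIN_DIRECTOR, O:FINANCE), the relationship labels, the training course names and the training records are stand-ins for what you would read from the HR-OM relationships and a training-management export. The real BAPI call and the HR infotype reads are left out; the point is the decision logic that sits between "the org chart says this user should have role X" and "the workflow actually assigns role X".

```python
"""Position-based role resolution with a training gate and a reconciliation
report. Constructed example data throughout; object types follow the HR-OM
convention (US = user, P = person, S = position, C = job, O = org unit)."""
from collections import deque

# Constructed org structure as directed (object, relation, target) edges.
OM_EDGES = [
    ("US:JOHN", "holder_of", "P:00100"),
    ("P:00100", "holds", "S:POS1"),
    ("S:POS1", "described_by", "C:ACCOUNTANT"),
    ("S:POS1", "belongs_to", "O:FINANCE"),
    ("S:POS2", "described_by", "C:FIN_DIRECTOR"),
    ("S:POS2", "belongs_to", "O:FINANCE"),
    ("US:MARY", "holder_of", "P:00200"),
    ("P:00200", "holds", "S:POS2"),
]

# Roles may hang off a position, a job or an org unit (constructed mapping).
ROLE_EDGES = {
    "S:POS1": ["Z-Accountant"],
    "C:FIN_DIRECTOR": ["Z-Finance-Director"],
    "O:FINANCE": ["Z-Finance-Display"],
}

# Which course a role requires; roles absent here have no prerequisite.
REQUIRED_TRAINING = {
    "Z-Accountant": "SAP Accountant Training",
    "Z-Finance-Director": "SAP Finance Director Training",
}

# Constructed training records (what a training system export would give).
TRAINING_RECORDS = {
    "US:JOHN": {"SAP Accountant Training"},
    "US:MARY": {"SAP Accountant Training", "SAP Finance Director Training"},
}


def resolve_roles(user, om_edges=OM_EDGES, role_edges=ROLE_EDGES):
    """Simplified evaluation path: walk the org structure forward from the
    user and collect every role attached to an object reached on the way."""
    adjacency = {}
    for src, _rel, dst in om_edges:
        adjacency.setdefault(src, []).append(dst)
    seen, queue, roles = {user}, deque([user]), set()
    while queue:
        obj = queue.popleft()
        roles.update(role_edges.get(obj, ()))
        for nxt in adjacency.get(obj, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return roles


def move_holder(om_edges, person, new_position):
    """What an HR transfer does to the structure: re-hang the person on the
    new position. Returns a new edge list; the input is not modified."""
    kept = [e for e in om_edges if not (e[0] == person and e[1] == "holds")]
    return kept + [(person, "holds", new_position)]


def gate_assignments(user, roles, training=TRAINING_RECORDS,
                     required=REQUIRED_TRAINING):
    """Training check before provisioning (workflow step 3): split the
    resolved roles into those that may be assigned now and those held back,
    keyed by the missing course so the workflow can route a work item."""
    completed = training.get(user, set())
    granted, blocked = set(), {}
    for role in sorted(roles):
        course = required.get(role)
        if course is None or course in completed:
            granted.add(role)
        else:
            blocked[role] = course
    return granted, blocked


def reconcile(assignments, training=TRAINING_RECORDS,
              required=REQUIRED_TRAINING):
    """After-the-fact report: roles already on a user whose prerequisite
    course is not on record. Returns sorted (user, role, missing course)."""
    findings = []
    for user, roles in assignments.items():
        completed = training.get(user, set())
        for role in roles:
            course = required.get(role)
            if course is not None and course not in completed:
                findings.append((user, role, course))
    return sorted(findings)


if __name__ == "__main__":
    # John is promoted from POS1 to POS2 without the director training.
    moved = move_holder(OM_EDGES, "P:00100", "S:POS2")
    granted, blocked = gate_assignments("US:JOHN", resolve_roles("US:JOHN", moved))
    print("assign now:", sorted(granted), "| held back:", blocked)
    # What a pure position-based sync would have assigned, and what the
    # reconciliation report says about it afterwards.
    auto = {u: resolve_roles(u, moved) for u in ("US:JOHN", "US:MARY")}
    print("reconciliation findings:", reconcile(auto))
```

Run as a script, the gate holds back Z-Finance-Director for John with the missing course as the reason while still granting the org-unit display role, and the reconciliation over the ungated assignments reports exactly that one exception. In a real implementation the `resolve_roles` walk is replaced by an HR-OM evaluation path and `granted` is what you would pass to BAPI_USER_ACTGROUPS_ASSIGN; the blocked map is what the workflow should escalate to the approver rather than silently drop.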


> Hello John
>
> Well at the end of the day the roles are always assigned to the user.
>
> But what you can do is create a reletaion between the Role and an entity in you HR-OM System. Based on that, and an evaluation path, you can retrive the required role for the user and let the workflow assign it automatically. (You might need a HR consultant to help you out here).
>
> So infact you can decide if you want to map the roles to a Position, an organizational unit, a Job etc. (but as always it's a good idea to to decide on a strategi otherwise it can endup in a big mess )
>
> regards
>
> Morten Nielsen

Morten,

If we decide to assign the roles to the HR position after the completion of the workflow, it should assign the roles to the UMR (using RHPROFL0 & PFUD) automatically, which is great. But now that the roles are assigned to the position, aren't we back in the same vicious cycle of a user automatically inheriting roles from the position and at times not having training on the roles automatically assigned?

Perhaps I just need to research the following that you mentioned.

> But what you can do is create a reletaion between the Role and an entity in you HR-OM System. Based on that, and an evaluation path, you can retrive the required role for the user and let the workflow assign it automatically. (You might need a HR consultant to help you out here).
>
> regards
>
> Morten Nielsen

Again thanks for the suggestion.

Regards,

-John N.


Hello John

No, in this workflow scenario you do not assign the roles to the position; you assign the roles to the UMR, based on the roles' allocation to the positions.

In a workflow solution like this you might not need to rely on RHPROFL0 & PFUD. What you do in this scenario is simply hand over the allocation of the roles to the SAP Workflow engine. This allocation is then again based on your HR structure and the role allocation there.

So in short, the workflow engine assigns the roles to the UMR. Your HR structure tells the workflow engine what to assign.

Regards

Morten Nielsen


> Hello John
>
> No, in this Workflow scenario you do not assign the Roles to the Position, you assign the Roles to the UMR, based on the roles allocation to the positions.
>
> In a Workflow solution like this you might not need to rely on RHPROFL0 & PFUD. What you do in this Scenario is simply to hand over the allocation of the roles to the SAP Workflow engine. This allocation is the again based on your HR structure, and the roles allocation here.
>
> So in short the Workflow engine Assignes the roles to the UMR. Your HR structure tells the workflow engine what to assign.
>
> Regards
>
> Morten Nielsen

Morten,

This is definitely something I will look into or consider if we decide to change our security policies. Very good info... thanks again!

-John N.