Application Development Discussions

How to manage user authority delegation in the backend?

mehmet_koc3
Explorer

Hi experts,

I need your recommendation in SAP role assignment domain.

At my current client, they DO NOT have workflows, portal, GRC, AIM or any other security tool. They will only have the SAP backend and probably IDM.

The user IDs and the organizational unit they belong to will be maintained in LDAP. There will be a daily synchronization between LDAP and IDM. We will create the back-end roles in SAP, and IDM will manage the SAP role assignment based on the org unit of the users.

The question is the following: the client wants to manage the delegation of user authorizations automatically (if possible). They want a user X in cost center X to be able to delegate his access authorization to another user Y, with the result that user Y will be able to do his job and the job of user X.

They want to have the flexibility of a start and end period for this delegation, with the end of the delegation being managed automatically.

What happens if user X loses his access in SAP? Does user Y also lose the same access?

I need your recommendations on how I can manage this situation please.

Thanks a lot

Cheers

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor

I would start by asking the client how many of these delegations they expect on a yearly basis and how long in advance the changes are known. That will reveal if there is a gain in automating this. For the actual delegation I think you should focus on the capabilities of the IDM system. Trying to do this in the back end will involve either lots of programming or granting user admin rights to end users...

7 REPLIES



For the actual delegation I think you should focus on the capabilities of the IDM system.

Exactly here the IdM has interesting capabilities, but they are release dependent.

Which release is this IdM system on?

I have implemented exactly such scenarios in IdM and they work. You need to consider, however, that it might become a crow's nest, and there are technical limitations to the number of roles assigned to a user on the backend, so you need a way to find mutually inclusive roles and eliminate them. No easy task, but fun to implement.

In an ERP system without IdM you can also do it specifically for cost centers, but some custom programming is required if you want to take the role-based route, and a great deal of thought about how to prevent escalation of privileges. Alternatively, you can take the hierarchy route and accept the risk of not being able to transport it.

You need to explain the pros and (potential) cons to your customer to make a correct decision here. They will also need to give you more information about the requirement than what you have given us.

Cheers,

Julius
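The reply above describes three things a delegation mechanism has to get right: a start and end date with automatic expiry, what happens to the delegate when the delegator loses a role, and keeping the number of roles pushed to the backend down by eliminating roles that are already implied by another. The following is an added example, written for this page in Python as a model of that logic; it is not IdM or ABAP code from the thread, and the role names (Z_CC_MANAGER_1000, Z_CC_REPORT_1000, Z_CC_REPORT_2000), the users X, Y, Z and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed role hierarchy (hypothetical names, not from the thread):
# a composite role implies the single roles it contains, so assigning
# both to one user is redundant and only inflates the backend role count.
ROLE_CONTAINS = {
    "Z_CC_MANAGER_1000": {"Z_CC_REPORT_1000"},
}


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegate: str
    roles: frozenset      # roles the delegator held when the delegation was created
    start: date
    end: date             # inclusive; after this day the grant is gone


def minimize_roles(roles):
    """Drop single roles already implied by a composite role in the same set."""
    implied = set()
    for role in roles:
        implied |= ROLE_CONTAINS.get(role, set())
    return frozenset(roles) - implied


class DelegationRegistry:
    def __init__(self, direct_roles):
        # user -> roles assigned directly (what IdM provisions from the org unit)
        self.direct = {user: set(roles) for user, roles in direct_roles.items()}
        self.delegations = []

    def delegate(self, delegator, delegate, roles, start, end):
        roles = frozenset(roles)
        if delegator == delegate:
            raise ValueError("cannot delegate to yourself")
        if end < start:
            raise ValueError("delegation end precedes start")
        # Escalation guard: only directly held roles can be delegated, so a
        # delegate cannot pass on what was merely delegated to him.
        if not roles <= self.direct.get(delegator, set()):
            raise PermissionError(f"{delegator} does not hold all of {sorted(roles)}")
        self.delegations.append(Delegation(delegator, delegate, roles, start, end))

    def revoke_direct(self, user, role):
        self.direct.get(user, set()).discard(role)

    def effective_roles(self, user, today):
        """Roles the backend should carry for `user` on `today`."""
        roles = set(self.direct.get(user, set()))
        for d in self.delegations:
            if d.delegate != user or not (d.start <= today <= d.end):
                continue
            # Intersect with the delegator's *current* roles: if X has lost a
            # role since delegating, Y loses it at the next sync as well.
            roles |= d.roles & self.direct.get(d.delegator, set())
        return minimize_roles(roles)


def example_scenario():
    """Constructed walk-through: X delegates to Y for two weeks in March."""
    reg = DelegationRegistry({
        "X": {"Z_CC_MANAGER_1000", "Z_CC_REPORT_1000"},
        "Y": {"Z_CC_REPORT_2000"},
    })
    reg.delegate("X", "Y", {"Z_CC_MANAGER_1000"}, date(2024, 3, 1), date(2024, 3, 14))
    out = {
        "before": sorted(reg.effective_roles("Y", date(2024, 2, 28))),
        "during": sorted(reg.effective_roles("Y", date(2024, 3, 5))),
        "after": sorted(reg.effective_roles("Y", date(2024, 3, 15))),
        "x_minimized": sorted(reg.effective_roles("X", date(2024, 3, 5))),
    }
    try:  # Y tries to pass the delegated role on to Z
        reg.delegate("Y", "Z", {"Z_CC_MANAGER_1000"}, date(2024, 3, 2), date(2024, 3, 3))
        out["redelegation_blocked"] = False
    except PermissionError:
        out["redelegation_blocked"] = True
    reg.revoke_direct("X", "Z_CC_MANAGER_1000")  # X loses the role mid-delegation
    out["after_x_revoked"] = sorted(reg.effective_roles("Y", date(2024, 3, 5)))
    return out


if __name__ == "__main__":
    for name, value in example_scenario().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that `effective_roles` re-reads the delegator's current roles on every evaluation instead of trusting the snapshot stored in the delegation, which is what makes revocation of X cascade to Y; the daily LDAP-to-IdM sync described in the question would call this for every user and provision only the minimized set.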


Thanks guys for your help. I don't have a full info yet from the client. As soon as I have a better view, I will come back again.


Hi Julius,

I don't know the IDM application yet. Can you elaborate on these interesting delegation capabilities please? Which are they?

The IDM version is 7.1 apparently.

Thanks a lot

Regards

mehmet_koc3
Explorer

Hi experts,

For my client, they have 100 cost centers and 800 WBS elements, and they would like to restrict the authorization in the reporting of these WBS elements. An employee should have access only to the data of his cost center or WBS, using the same report transactions as everybody else. So the transaction is the same, but the data is different and restricted by objects.

I have a few ideas, and I would like to have your thoughts and recommendations on these:

- I know we can use the concept of derived roles by cost center or WBS. But as we have no tool or application to create those 900 roles, we would like to avoid this. Can we avoid this solution, or is it mandatory?

or

- What if we use the same role for everybody, maintain the person responsible for each WBS or cost center somewhere, and use a user exit or BAdI to check the cost center/WBS before giving access or not to the data in the report?

or

- Can we create authorization groups per responsible user and restrict the reporting by auth group in this report transaction? Is that feasible?

Can you give me your thought on this please?

Thanks a lot

Regards
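The second and third options in the post above share one mechanism: everybody runs the same report with the same role, and a row-level check decides which cost centers or WBS elements a given user may see. The following is an added example, written for this page in Python as a model of that check; it is not the report, BAdI or user exit code of the thread. The cost center keys, WBS keys, authorization group names (GRP_PLANT_A, GRP_PLANT_B), users and report rows are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CostObject:
    kind: str        # "CC" for cost center, "WBS" for WBS element
    key: str
    auth_group: str  # authorization group stamped on the master record


# Constructed master data (hypothetical keys and groups, not from the thread).
MASTER = {
    ("CC", "1000"): CostObject("CC", "1000", "GRP_PLANT_A"),
    ("CC", "2000"): CostObject("CC", "2000", "GRP_PLANT_B"),
    ("WBS", "P-100-01"): CostObject("WBS", "P-100-01", "GRP_PLANT_A"),
    ("WBS", "P-200-01"): CostObject("WBS", "P-200-01", "GRP_PLANT_B"),
}

# Second option in the post: a central table of who is responsible for which object.
RESPONSIBLE = {
    "alice": {("CC", "1000")},
    "bob": {("WBS", "P-200-01")},
}

# Third option in the post: authorization groups granted per user.
AUTH_GROUPS = {
    "carol": {"GRP_PLANT_B"},
}


def is_allowed(user, kind, key):
    """Row-level check used by the report; everyone holds the same report role."""
    obj = MASTER.get((kind, key))
    if obj is None:
        return False  # fail closed: unknown object, no access for anyone
    if (kind, key) in RESPONSIBLE.get(user, set()):
        return True
    return obj.auth_group in AUTH_GROUPS.get(user, set())


def filter_report(user, rows):
    """Keep only the rows whose cost center or WBS the user may see."""
    visible = []
    for row in rows:
        cc, wbs = row.get("cost_center"), row.get("wbs")
        if cc is not None and is_allowed(user, "CC", cc):
            visible.append(row)
        elif wbs is not None and is_allowed(user, "WBS", wbs):
            visible.append(row)
        # rows with neither key, or with a key nobody may see, are dropped
    return visible


# Constructed report output before filtering.
REPORT_ROWS = [
    {"cost_center": "1000", "amount": 120.0},
    {"cost_center": "2000", "amount": 80.0},
    {"wbs": "P-100-01", "amount": 15.5},
    {"wbs": "P-200-01", "amount": 42.0},
    {"cost_center": "9999", "amount": 1.0},   # not in master data
]


def visible_amounts(user):
    """Amounts the user would see in the filtered report."""
    return [r["amount"] for r in filter_report(user, REPORT_ROWS)]


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, visible_amounts(user))
```

Two points a practitioner would want to keep in mind with this approach: the filter has to sit in the report's data selection (the exit or BAdI point), not only in the selection screen, otherwise a user can still request other objects; and the responsibility table and the group assignments must be maintainable only by administrators, since whoever can edit them decides their own visibility, which is the escalation-of-privileges concern raised earlier in the thread. With 100 cost centers and 800 WBS elements the table holds one row per responsibility instead of 900 derived roles.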

tsenol
Active Participant

Hi,

Is there any news about this issue? I noticed that Oracle ERP has the ability to do it now.

Regards

tutku

Former Member

In IDM you can practically do anything you want (the limitation is more an organizational one when the process is too complicated).

For temporary substitution management (people are on holiday and you don't want to consider substitutes in role design) we built our own application to manage the delegation and logging required. We could not find any other way to do it.

Cheers,

Julius