10-16-2011 9:21 PM
Hi all,
we are working on a Security project and the final goal is to manage all authorizations with HR-OM (organizational management).
Most of the users work on the ECC6 system, which is a different system from the HR system.
Up to now, we are designing the roles through the concept of composite roles (job roles) and simple roles.
The standard SAP approach is based on the chain "Person-User (infotype 105)/position/job/organizational units" but, since in our situation the HR-OM is on a different system from the ECC6, we cannot assign users and roles to HR-OM positions.
In the HR system we have all employees (linked with users through infotype 105-0001) distributed in the HR-OM structure.
In the ECC6 system we have all users and all necessary roles.
The question is: how can we link the HR system (having PA and OM) with the ECC6 system (having users and roles)?
We imagine the following scenarios:
1) Replicate the HR-OM structure (with the PFAL transaction) on the ECC6 system and make the position/roles link in the ECC6 system
2) Create a custom table in the HR system in which we maintain the position/roles relationship, then create an ABAP program which computes the users/roles link in the ECC6 system
3) We implement an Identity Management solution which will be the bridge between SAP HR and ECC6
4) We implement a CUA in the HR system (not sure it makes sense)
Do you have suggestions?
Andrea
10-17-2011 12:41 AM
Hi,
Regarding option 3, this is a standard scenario supported by the SAP provisioning framework. You would also get additional benefits from IdM, but the cost will be higher.
In step 2 you could create an empty role for each ECC role and assign it to positions. The background program in ECC would read all role assignments and replicate them in ECC. A good naming convention to identify HR and ECC roles would be really helpful in this case.
Cheers
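
The reconciliation logic behind option 2 and the placeholder-role suggestion above, as an added Python sketch that is not code from either poster or from SAP. The `ZHR_`/`ZEC_` prefixes, the function names and all sample data are assumptions made up for illustration; a real job would read these sets from the two systems.

```python
# Assumed naming convention (constructed for this example): an empty HR
# placeholder role "ZHR_<name>" stands for the ECC role "ZEC_<name>".
HR_PREFIX, ECC_PREFIX = "ZHR_", "ZEC_"


def to_ecc_role(hr_role):
    """Map a placeholder role to its ECC role; None if outside the convention."""
    if not hr_role.startswith(HR_PREFIX):
        return None
    return ECC_PREFIX + hr_role[len(HR_PREFIX):]


def target_assignments(position_roles, position_holders, person_user):
    """Resolve position -> person -> user (infotype 105 link) -> ECC roles."""
    target = {}
    for position, holders in position_holders.items():
        roles = {to_ecc_role(r) for r in position_roles.get(position, ())}
        roles.discard(None)  # roles outside the convention are never replicated
        for person in holders:
            user = person_user.get(person)
            if user is None:  # employee without a user: nothing to provision
                continue
            target.setdefault(user, set()).update(roles)
    return target


def plan_changes(target, current):
    """Diff target against current ECC assignments, touching only managed roles."""
    plan = {}
    for user in sorted(set(target) | set(current)):
        want = target.get(user, set())
        # Roles outside the managed prefix are left alone, so manual grants survive.
        have = {r for r in current.get(user, set()) if r.startswith(ECC_PREFIX)}
        add, remove = sorted(want - have), sorted(have - want)
        if add or remove:
            plan[user] = {"add": add, "remove": remove}
    return plan


# Constructed sample data standing in for extracts from both systems.
POSITION_ROLES = {"50001234": ["ZHR_AP_CLERK", "ZHR_DISPLAY_FI"],
                  "50005678": ["ZHR_BUYER", "HR_LOCAL_ONLY"]}
POSITION_HOLDERS = {"50001234": ["00001001"], "50005678": ["00001002", "00001003"]}
PERSON_USER = {"00001001": "ASMITH", "00001002": "BJONES"}
CURRENT_ECC = {"ASMITH": {"ZEC_AP_CLERK", "ZEC_BUYER", "SAP_BASIS_DISPLAY"},
               "BJONES": set()}

if __name__ == "__main__":
    target = target_assignments(POSITION_ROLES, POSITION_HOLDERS, PERSON_USER)
    for user, change in plan_changes(target, CURRENT_ECC).items():
        print(user, change)
```

The removal side matters as much as the additions: a user who leaves a position loses the managed roles on the next run, while roles outside the managed prefix are never revoked by the job.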