
Can I use SAP HR to drive ESS Portal user creation?

Former Member
0 Kudos

Hello

We are implementing a new instance of SAP HR and Portal for ESS and MSS and I am not sure of all the steps that need to be completed so any guidance / tips would be greatly appreciated.

Company currently has an LDAP - but not used extensively. Not all employees currently in LDAP as not all have network ids. All employees will have a SAP account to enable ESS (via Kiosks etc). ESS iViews in Portal will call SAP HR and possibly SAP BW. We have an instance of SAP already and user admin maintained via CUA - this will continue.

Scenario:

My initial thoughts are that we try to use SAP HR as the leading system to drive the ESS Portal users and access. Basically I want to create the user in SAP and assign them an ESS SAP role... then through synchronization have the user created in the Portal and have the correct ESS Portal assigned (in the Portal).

My thinking so far is to go the following way;

1) Create User Master Record in SAP (SU01)

2) Hire employee into the org structure (via HR processes)

3) Populate Infotype 0105 with SAP username

4) Populate Infotype 1016 - with SAP role to be assigned to allow ESS access (not sure about this aspect) or role could be assigned in 1) above

I am not sure of the next steps - I think there must be a way in an SAP table to map the ESS SAP role to the ESS Portal Role (is this via WP3R?)

then I am hoping that a standard job can be run (is this RSLDAPSYNC_USER) that will create the user in the Portal (UME?) and assign the correct Portal role ?

(obviously configuration needed)

For MSS and HR Power users - we would continue to assign SAP roles via SU01.

Can anyone assist with;

- Is my thinking correct in terms of how this should / could work?

- in SAP how can I map SAP Roles to Portal Roles ?

- will synchronization in SAP create the user in Portal and assign the role? What do I need to configure?

Thanks in advance

9 REPLIES 9

Former Member

Former Member
0 Kudos

Thanks for the info - but the SAP Help doesn't really answer my questions.

fredrik_borlie
Contributor
0 Kudos

Hi Michael!

There are some guides and weblogs here at SDN that can give you some ideas how to solve the problem.

Thread: SAP HR LDAP

Thread: Acess HR-Data and User

http://help.sap.com/saphelp_nw04/helpdata/en/95/49cb3a663bfc70e10000000a114084/frameset.htm

They all are utilising the LDAP directory with the SAP synchronisation tool.

You also should try to set your portal user store to the same LDAP directory and have the ESS-roles assigned to every user.

Best wishes

Fredrik

0 Kudos

Hi - this is interesting but all seem to use existing LDAP.

The company I am working at doesn't have an LDAP in place.

At this company we are implementing an HR only instance for 30,000 employees. All employees need to access ESS and a bunch will have MSS - via the Portal. The rest of the users - around 200 will access SAP via the GUI. What I am trying to work out is how we get access to 30,000 ESS users.

My thinking is that as these users will already have a personnel record and a corresponding User account in SAP - we should use this as the leading system to update the Portal.... however I am unsure how this will work. From your experience can you offer any ideas?

0 Kudos

Maybe then you should look in to the UME functionalities of the SAP Enterprise Portal!

http://help.sap.com/saphelp_nw2004s/helpdata/en/42/d5c20837ed3308e10000000a1553f7/frameset.htm

Good luck!

Fredrik

koehntopp
Product and Topic Expert
0 Kudos

We are currently working on a similar process, using SAP Access Enforcer functionality

(http://www.sap.com/solutions/grc/accessandauthorization/index.epx)

Access Enforcer provides an interface to HR, which can then trigger user and role provisioning. For the customer in question, we will be provisioning to CUA, and the UME will use CUA as persistence store.

This enables us to trigger the process through HR as the authoritative source for employee information, while making sure all ensuing processes use proper authorisation workflows and risk management procedures.

Maybe that's something you want to look into.

Frank.

Former Member
0 Kudos

Dear Michael,

I just don't know if this can throw some light on your prob.

In our Orgn we had around 250 ESS users and 200 SAP R/3 users. Some of the R/3 users also log on to ESS via their R/3 uname and password.

What we have done is as follows:

1. Created a role for only the ESS users, ZHRESS. For this I asked the HR functional people with SAP_ALL profile to do all the jobs which the ESS users are supposed to do and traced the authorization via tcode ST01. We created the role on the basis of this trace report.

2. For the purely ESS users we created the users via tcode HRUSER and assigned them the above role.

3. For the R/3 users who are supposed to avail the ESS facility we assigned them the ZHRESS role in addition to the other roles assigned to them to carry out their normal R/3 transactions. Then we mapped their R/3 uname to their employee no via PA30 infotype 105.

4. Tcode HRUSER saved time which would have been consumed had we done it via SU01, and moreover it picked Name etc. data from the HR master table. In HRUSER tcode, setting the user attributes helps to define what roles the users are to be assigned, what should be their initial password etc.

Please let me know if it satisfies your query.

Regards
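An added example, not part of the original post and not SAP tooling: a Python check over constructed rows shaped like exports of PA0105 (Infotype 0105, subtype 0001 = system user name) and AGR_USERS, confirming that every holder of the ZHRESS role from the post maps to exactly one employee. The export format, the column names used as dictionary keys, and all sample rows are assumptions.

```python
from collections import defaultdict
from datetime import date

ESS_ROLE = "ZHRESS"  # role name taken from the post above
OPEN = date(9999, 12, 31)  # open-ended validity

# Constructed sample rows (not real data), assumed to be exported from
# PA0105 (employee -> user mapping) and AGR_USERS (role assignments).
PA0105 = [
    {"PERNR": "00001001", "SUBTY": "0001", "USRID": "JSMITH", "ENDDA": OPEN},
    {"PERNR": "00001002", "SUBTY": "0001", "USRID": "MBROWN", "ENDDA": OPEN},
    {"PERNR": "00001003", "SUBTY": "0001", "USRID": "MBROWN", "ENDDA": OPEN},
    {"PERNR": "00001004", "SUBTY": "0001", "USRID": "OLDUSER", "ENDDA": date(2020, 1, 31)},
    {"PERNR": "00001005", "SUBTY": "0010", "USRID": "a@example.com", "ENDDA": OPEN},
    {"PERNR": "00001006", "SUBTY": "0001", "USRID": "NEWHIRE", "ENDDA": OPEN},
]
AGR_USERS = [
    {"UNAME": "JSMITH", "AGR_NAME": "ZHRESS"},
    {"UNAME": "MBROWN", "AGR_NAME": "ZHRESS"},
    {"UNAME": "OLDUSER", "AGR_NAME": "ZHRESS"},
    {"UNAME": "KIOSK01", "AGR_NAME": "ZHRESS"},
    {"UNAME": "JSMITH", "AGR_NAME": "Z_FI_CLERK"},
]

def reconcile(pa0105, agr_users, today):
    """Compare currently valid 0105/0001 mappings with holders of the ESS role."""
    owners = defaultdict(set)  # user id -> personnel numbers mapped to it
    for row in pa0105:
        # Only subtype 0001 links a logon; expired records no longer count.
        if row["SUBTY"] == "0001" and row["ENDDA"] >= today:
            owners[row["USRID"].upper()].add(row["PERNR"])
    ess_users = {r["UNAME"].upper() for r in agr_users if r["AGR_NAME"] == ESS_ROLE}
    return {
        # ESS role holders with no currently valid employee behind them
        "role_without_employee": sorted(ess_users - set(owners)),
        # one logon shared by several personnel numbers
        "shared_user": {u: sorted(p) for u, p in owners.items() if len(p) > 1},
        # mapped employees whose user has not been given the ESS role
        "employee_without_role": sorted(u for u in owners if u not in ess_users),
    }

if __name__ == "__main__":
    for finding, value in reconcile(PA0105, AGR_USERS, date(2024, 1, 1)).items():
        print(finding, value)
```

With tens of thousands of ESS accounts, the first two findings are the ones to review before go-live: a role holder with no valid mapping is an orphaned logon, and a shared user id lets one person act on another employee's HR data.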

Former Member
0 Kudos

Yes you can do that, through UME configuration in the Java Stack of the Portal.

You need to configure settings using the Visual Administrator.

We currently have a system setup Where the Portal user is linked to the R3 user database.

So the user gets authenticated against the R3 account. This also holds the roles and permissions.

It's also part of the admin settings in the Portal, where you point the User account settings at the Logical R3 system.

We have this exact system setup and running in dev and QA and plan to roll it out for about 6000 end users.

P.S. Any R3 Roles will automatically map across to the portal.

And there are standard ESS/MSS roles in the Portal which you can assign to the Role 'Everybody' so that all R3 users have the correct Portal access.


0 Kudos

Hi Michael,

did you find a solution to your problem? Please share it here if you did.

thanks