on 01-22-2013 1:00 AM
Hello,
I'm reading through the "Identity Management for SAP System Landscapes: Configuration Guide", and one of the prerequisites is to set up a Role Model. I've been searching through a variety of documents and I'm not able to find instructions on how to complete this.
The topic of setting up a Role Model is mentioned in this document: Identity Management for SAP System Landscapes: Architectural Overview, but it doesn't have specific instructions.
Can anyone direct me to a document or instruction on completing this mapping?
Thanks, Paul
Hi Paul,
I've not seen a document as such on putting together a role model, but in essence it is an approach of how you bundle your privileges within IdM together into business roles, and then assign them to users.
Things it should consider are
I hope this is helpful?
Thanks,
Ian
Hi Paul,
Setting up a role model basically requires input from your different lines of business, technical team, and security team. There is no right or wrong way to set it up. But understanding the concept of business roles and the advantages/disadvantages of each way can be helpful in making decisions. Review the IdM overview presentation that has an overview of what business roles are.
In the end, your design will have to fit your business, and a decision will have to be made if changes are required or not. If you have any more specific questions about this, I'm sure you'll get tons of advice in this community regarding how they've set up role models, along with the positives/negatives of each method.
Best Regards,
Chris
Thanks everyone for the input. It's all valuable and conceptually I do understand what's intended in building a role model.
As we go through the installation and configuration for the first time I was hoping for direction in the documentation that's more clear. After reading that setting up a role model is a prerequisite I was hoping to then be directed to documentation on accomplishing this. I might have overlooked a mention on this but don't see anything right now.
Am I going in the right direction by completing this tutorial with the goal of setting up a role model?
Working with roles and privileges
Again, thanks for the responses, much appreciated. For those who might also have this question I'll circle back once I've accomplished this to share my findings.
Cheers, Paul
Hey Paul
That tutorial will help. It's pretty light on though - mostly it's a learning / trial and error experience.
In terms of actually loading the roles in, I always build an Excel file with the relevant details, including the hierarchy, and then load it in with a job. It allows easy updates and migration.
Hope that helps.
Peter
Thanks Peter,
I like this approach but would like to clarify a few things:
1) I need to load in technical roles from an ABAP system. What would be the format for the Excel file when loading these roles? Is the column structure pre-defined? Do you have an example you could share?
2) Where would you set up this job?
Thanks for your help.
Paul
Essentially it depends on what you can get out of ABAP.
If you just want to load the technical roles as privileges, you can use a standard ABAP job.
If they want the composite technical roles to be the business roles in IDM then you need to do some work.
You can get an export of the role from the ABAP system - I got:
Composite Role, Description, Assigned Single Role
This gave me multiple copies of the composite role each with a single assigned single role.
I created 3 jobs to import them.
These jobs are 'Jobs', not Identity Store tasks.
Hi Paul
Business Role models are entirely a business level creation. The role model depends on how the business works, segregation of responsibilities and other things - it's not really a technical construct.
The easiest from a technical standpoint is business role = position or business role = composite role.
The business probably doesn't work that way. If you're going to use approvals, the business roles are going to have to mean something to your user base.
ROLE:12345 means nothing. ROLE:Financial Accountant does.
From that point, you can decide whether you need a hierarchy - a Financial Controller has all the tasks of an accountant so you assign that as a sub role rather than reassigning all the privileges. However, some privileges may be excluded for business reasons, in which case the hierarchy doesn't need to be in place.
On the plus side, this means you can devolve the role hierarchy creation to a business person and just build a job to import the resulting spreadsheet.
I hope this ramble is clear
Peter
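An added example, not part of any post in this thread: a pre-import check for the two things described above, the flattened ABAP export (Composite Role, Description, Assigned Single Role, one row per assignment) and the sub role hierarchy. The role names, the `SUB_ROLES` sheet and the function names are constructed for illustration; the IdM import job itself is not shown.

```python
import csv
import io

# Constructed sample in the column layout quoted in the thread: one row per
# (composite role, single role) pair, so the composite role repeats.
EXPORT = """Composite Role,Description,Assigned Single Role
Z_FIN_ACCOUNTANT,Financial Accountant,Z_FI_POST_DOCS
Z_FIN_ACCOUNTANT,Financial Accountant,Z_FI_DISPLAY_GL
Z_FIN_CONTROLLER,Financial Controller,Z_FI_CLOSE_PERIOD
Z_FIN_CONTROLLER,Financial Controller,Z_FI_DISPLAY_GL
"""

# Hypothetical hierarchy sheet maintained by the business: role -> sub roles.
SUB_ROLES = {"Z_FIN_CONTROLLER": ["Z_FIN_ACCOUNTANT"]}


def load_roles(text):
    """Collapse repeated rows into {composite role: (description, {single roles})}."""
    roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["Composite Role"].strip()
        single = row["Assigned Single Role"].strip()
        if not name or not single:
            raise ValueError(f"incomplete row: {row}")
        desc, singles = roles.setdefault(name, (row["Description"].strip(), set()))
        if desc != row["Description"].strip():
            raise ValueError(f"conflicting descriptions for {name}")
        singles.add(single)
    return roles


def effective_privileges(role, roles, sub_roles, _path=()):
    """Single roles a user gets from `role`, including those inherited via sub roles."""
    if role in _path:
        raise ValueError("cycle in hierarchy: " + " -> ".join(_path + (role,)))
    if role not in roles:
        raise KeyError(f"sub role {role} is not in the export")
    result = set(roles[role][1])
    for child in sub_roles.get(role, []):
        result |= effective_privileges(child, roles, sub_roles, _path + (role,))
    return result


if __name__ == "__main__":
    roles = load_roles(EXPORT)
    for name, (desc, _) in sorted(roles.items()):
        print(desc, sorted(effective_privileges(name, roles, SUB_ROLES)))
```

Reviewing the effective set per business role before the import shows what a sub role assignment actually grants, which is where privileges that should be excluded for business reasons become visible.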