how to define a role model in SAP IdM 7.2?

Former Member
0 Kudos

Hello,

I'm reading through the "Identity Management for SAP System Landscapes: Configuration Guide", and one of the prerequisites is to set up a Role Model. I've been searching through a variety of documents and I'm not able to find instructions on how to complete this.

The topic of setting up a Role Model is mentioned in this document: Identity Management for SAP System Landscapes: Architectural Overview, but it doesn't have specific instructions.

Can anyone direct me to a document or instruction on completing this mapping?

Thanks, Paul

Accepted Solutions (1)

Former Member
0 Kudos

Hi Paul,

I've not seen a document as such on putting together a role model, but in essence it is an approach of how you bundle your privileges within IdM together into business roles, and then assign them to users.

Things it should consider are

  • Should all the access a user needs be in a role, or do you extract some "core" access that is in a common "All user" role?
  • Will you put business roles inside business roles, or have a flat role model?
  • Naming conventions for roles

I hope this is helpful?

Thanks,

Ian

Former Member
0 Kudos

Hi Paul,

Setting up a role model basically requires input from your different lines of business, technical team, and security team. There is no right or wrong way to set it up. But understanding the concept of business roles and the advantages/disadvantages of each way can be helpful in making decisions. Review the IdM overview presentation that has an overview of what business roles are.

In the end, your design will have to fit your business, and a decision will have to be made if changes are required or not. If you have any more specific questions about this, I'm sure you'll get tons of advice in this community regarding how they've set up role models, along with the positives/negatives of each method.

Best Regards,

Chris

Answers (2)

Former Member
0 Kudos

Thanks everyone for the input. It's all valuable and conceptually I do understand what's intended in building a role model.

As we go through the installation and configuration for the first time I was hoping for direction in the documentation that's more clear. After reading that setting up a role model is a prerequisite I was hoping to then be directed to documentation on accomplishing this. I might have overlooked a mention on this but don't see anything right now.

Am I going in the right direction by completing this tutorial with the goal of setting up a role model?

Working with roles and privileges

Again, thanks for the responses, much appreciated. For those who might also have this question I'll circle back once I've accomplished this to share my findings.

Cheers, Paul

Former Member
0 Kudos

Hey Paul

That tutorial will help. It's pretty light on, though - mostly it's a learning / trial and error experience.

In terms of actually loading the roles in, I always build an Excel file with the relevant details, including the hierarchy, and then load it in with a job. It allows easy updates and migration.

Hope that helps.

Peter

Former Member
0 Kudos

Thanks Peter,

I like this approach but would like to clarify a few things:

1) I need to load in technical roles from an ABAP system. What would be the format for the Excel file when loading these roles? Is the column structure pre-defined? Do you have an example you could share?

2) Where would you set up this job?

Thanks for your help.

Paul

Former Member
0 Kudos

Essentially it depends on what you can get out of ABAP.

If you just want to load the technical roles as privileges, you can use a standard ABAP job.

If they want the composite technical roles to be the business roles in IDM then you need to do some work.

You can get an export of the role from the ABAP system - I got:

Composite Role, Description, Assigned Single Role

This gave me multiple copies of the composite role each with a single assigned single role.

I created 3 jobs to import them.

  • A fromAscii to read it into a temp database
  • A ToIDStore with the SQL: "select distinct(RoleName), Description from ascBusinessRoles" that created the role mskeyvalue and description
  • A ToIDStore to assign the single roles to the composites. It depends on what systems these are for as to how complex this gets. If it's all the same system you can hard code the PRIV:xxx: on the front. If it's multiple systems you need to do some more work.

These jobs are 'Jobs', not Identity Store tasks.
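The three-job flow above, as an added example that is not part of the thread or of SAP's own tooling: an in-memory SQLite table stands in for the temp database that the fromAscii job fills, the thread's DISTINCT query produces the business-role entries, and a second query produces the role-to-privilege links. The export text is constructed, the temp table name ascBusinessRoles is taken from the thread, and the "PRIV:xxx:" prefix is an assumed placeholder for whatever the ABAP repository's privileges are actually called in the target identity store. It also adds the pre-load check a practitioner wants (a composite role exported with two different descriptions would yield two DISTINCT rows for one MSKEYVALUE).

```python
"""Added example (not from the thread): rebuild an ABAP composite-role export
into IdM business roles and privilege assignments, mirroring the three jobs
described (fromAscii -> temp table, DISTINCT query -> roles, then the
role-to-privilege links) with an in-memory SQLite table as the temp database."""
import csv
import io
import sqlite3

# Constructed sample of the export: one row per (composite role, single role)
# pair, so each composite role appears once per assigned single role.
SAMPLE_EXPORT = """Composite Role,Description,Assigned Single Role
Z_FIN_ACCOUNTANT,Financial Accountant,Z_FI_DISPLAY
Z_FIN_ACCOUNTANT,Financial Accountant,Z_FI_POST
Z_FIN_CONTROLLER,Financial Controller,Z_FI_DISPLAY
Z_FIN_CONTROLLER,Financial Controller,Z_FI_POST
Z_FIN_CONTROLLER,Financial Controller,Z_FI_CLOSE
"""

# Assumed prefix, following the "PRIV:xxx:" shape in the thread; the real value
# depends on how the ABAP repository's privileges are named in the target IdM.
PRIVILEGE_PREFIX = "PRIV:xxx:"


def load_temp_table(conn, export_text):
    """Job 1 (fromAscii): parse the CSV into the temp table ascBusinessRoles."""
    conn.execute(
        "CREATE TABLE ascBusinessRoles (RoleName TEXT, Description TEXT, SingleRole TEXT)"
    )
    reader = csv.DictReader(io.StringIO(export_text))
    rows = [
        (r["Composite Role"].strip(), r["Description"].strip(), r["Assigned Single Role"].strip())
        for r in reader
    ]
    conn.executemany("INSERT INTO ascBusinessRoles VALUES (?, ?, ?)", rows)
    return len(rows)


def check_export(conn):
    """Sanity checks to run before anything is written to the identity store."""
    problems = []
    # A composite role exported with two different descriptions would produce
    # two DISTINCT rows, i.e. two entries for the same MSKEYVALUE.
    cur = conn.execute(
        "select RoleName from ascBusinessRoles group by RoleName "
        "having count(distinct Description) > 1"
    )
    problems += [f"conflicting descriptions for {name}" for (name,) in cur]
    cur = conn.execute(
        "select RoleName from ascBusinessRoles where SingleRole = '' or RoleName = ''"
    )
    problems += [f"blank role name or single role in row for {name!r}" for (name,) in cur]
    return problems


def business_roles(conn):
    """Job 2 (ToIDStore): the thread's DISTINCT query, one entry per business role."""
    cur = conn.execute(
        "select distinct(RoleName), Description from ascBusinessRoles order by RoleName"
    )
    return [{"MSKEYVALUE": f"ROLE:{name}", "DESCRIPTION": desc} for name, desc in cur]


def privilege_assignments(conn, privilege_prefix=PRIVILEGE_PREFIX):
    """Job 3 (ToIDStore): link each business role to its single roles as privileges.

    One hard-coded prefix is the single-system case from the thread; a
    multi-system export would need a system column to build the prefix per row.
    """
    cur = conn.execute(
        "select distinct RoleName, SingleRole from ascBusinessRoles order by RoleName, SingleRole"
    )
    return [(f"ROLE:{role}", f"{privilege_prefix}{single}") for role, single in cur]


def build_import(export_text, privilege_prefix=PRIVILEGE_PREFIX):
    """Run all three steps in memory and return what each job would write."""
    conn = sqlite3.connect(":memory:")
    try:
        load_temp_table(conn, export_text)
        return {
            "problems": check_export(conn),
            "roles": business_roles(conn),
            "assignments": privilege_assignments(conn, privilege_prefix),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    result = build_import(SAMPLE_EXPORT)
    for problem in result["problems"]:
        print("PROBLEM:", problem)
    for role in result["roles"]:
        print(role["MSKEYVALUE"], "-", role["DESCRIPTION"])
    for role, priv in result["assignments"]:
        print(f"{role} -> {priv}")
```

Running it on the sample prints two ROLE: entries and five role-to-privilege links; appending a row that gives Z_FIN_ACCOUNTANT a different description makes check_export flag it before job 2 would create a duplicate role entry.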

Former Member
0 Kudos

Hi Paul

Business Role models are entirely a business level creation. The role model depends on how the business works, segregation of responsibilities and other things - it's not really a technical construct.

The easiest from a technical standpoint is business role = position or business role = composite role.

The business probably doesn't work that way.  If you're going to use approvals, the business roles are going to have to mean something to your user base.

ROLE:12345 means nothing.  ROLE:Financial Accountant does.

From that point, you can decide whether you need a hierarchy - a Financial Controller has all the tasks of an accountant so you assign that as a sub role rather than reassigning all the privileges. However, some privileges may be excluded for business reasons, in which case the hierarchy doesn't need to be in place.

On the plus side, this means you can devolve the role hierarchy creation to a business person and just build a job to import the resulting spreadsheet.

I hope this ramble is clear

Peter