03-20-2007 4:42 PM
hi,
generally how the role matrix wrks wth the security guy?basically he ll b given the list of roles by the functional guy n in turn security guy has to make whether it is derived r composite? without assingnig users how do we know which role to make derived r single ?
03-20-2007 6:56 PM
Hi Kamal,
A few Inputs from my side....
The list of roles ( Ideally they would be responsibilities like Buyer, Controller, Purchaser, Shared services, FI manager , etc etc) would be in paper and controlled by the fiunctiona. guys. They would check for the SOD matrrix and take technical help and advices from the securioty guy who is alwatys a part of the party :).. so after discussions and checking the SOD matrix, they would arrive atthe list of tcodes that needs to go into wich role and things like that.
The concept of derived and Master role would comne when u have many companies under one big name and then the security guy has to decide where they would go with that oncept or not.
Initially its Child roles assigned to users and Never we assign the MASTER Roles to any user. Master roles are kept as templates to drill down our changes to child roles... thats it... and alwsasy the child roles are assigned ot users in the respective company code areas,,.
Hope this INFO is helpful.
VBr,
Sri
Award points fo rhelpful answers
03-20-2007 5:07 PM
Kamal,
You can look at table AGR_DEFINE to determine which roles are defined.
You may also incorporate a naming standard for derived roles.
Generally one will used derived roles if there is a standard business process that needs to then be restricted by various organizational elements.
Derived roles don't work very will if the business process is not standard across the various organizations for which there will be a derived role.
Cheers,
Ben
03-20-2007 6:56 PM
Hi Kamal,
A few Inputs from my side....
The list of roles ( Ideally they would be responsibilities like Buyer, Controller, Purchaser, Shared services, FI manager , etc etc) would be in paper and controlled by the fiunctiona. guys. They would check for the SOD matrrix and take technical help and advices from the securioty guy who is alwatys a part of the party :).. so after discussions and checking the SOD matrix, they would arrive atthe list of tcodes that needs to go into wich role and things like that.
The concept of derived and Master role would comne when u have many companies under one big name and then the security guy has to decide where they would go with that oncept or not.
Initially its Child roles assigned to users and Never we assign the MASTER Roles to any user. Master roles are kept as templates to drill down our changes to child roles... thats it... and alwsasy the child roles are assigned ot users in the respective company code areas,,.
Hope this INFO is helpful.
VBr,
Sri
Award points fo rhelpful answers
03-20-2007 9:27 PM
hi sri,
here u mean child role?is it copy of master role? and morever we are not creating the roles initialy with respect to the user?
think am srewing u.
03-20-2007 10:37 PM
Hi Kamal,
Yes, A child role is almost a copy of the master role ( Derived role) with only the Organisational criterion which differs between these two.'
thats where the derived from concept is into the picture...
And u also got this point correct that we dont create roles with respect to a particu;lar user... we create them as per the activity or type of job and then assign it to the user who is used to do that job in the shop floor...
hope this helps...
VBr,
Sri
Award points for helpful answers.