
SAP IDM position based security with user in multiple positions

Former Member

Hi,

In case of Higher Duties, we have a scenario where a user can have multiple positions with access to the business roles of both the positions.

The design is to have one business role assigned to one position so that the user can have all the access he requires.

In case of higher duties, we see an exception.

Has anyone implemented such a scenario?

Inputs/advices are much valued.

Thanks

Chaitanya

Accepted Solutions (1)


Former Member

Yes, and you'll find a few discussions on this board about handling it.

Issue 1: Make sure your positions are reasonably static.  Someone tried it where the positions were changing massively and it created way too much work for everyone.

Issue 2: You'll need to figure out how you want to manage them - as objects managed in the UI or just as raw data coming from HCM(?).  Given that you want to attach the role to the position and then have everyone who is in it get that role, you have 2 options:

- add an attribute to the role that holds 'position numbers' and evaluate it whenever it changes or whenever a person gets a new position

- treat them as roles and have the 'position' role have the business role(s) as children.  When a person gets a 'position' role they automatically inherit everything.

Issue 3: How the hell do you determine from the incoming data whether the position is substantive or a higher duties one.  I've seen custom stuff written around this to provide the data to IDM and it invariably requires quite a bit of javascript on the IDM end to 'evaluate'.

Issue 4: Separation of duties.  I act in my managers role.  I can now approve my own leave / purchase request.  Problem? GRC is already implemented, yes?

Issue 5: Managing roles assigned to positions.  Is there an approval workflow requirement etc.

Just a few things off the top of my head.

Peter

Former Member

Hi Peter,

Thanks for the quick reply.

Issue 1: We thought of this problem and are about to find something from the business.

Issue 2: Thought of leveraging the MX_FS_POSITION_ID attribute to evaluate the change and appropriately assign the business role.

For this, we think of having a mapping between the Business role and the position in a custom database table. Are you aware of any other method of doing this?

Issue 3: Will talk to the HCM team around this. If they are going to have a custom info type or a special request comes in just in case of higher duties.

Issue 4: GRC is being implemented and we ensure this is not possible

Issue 5: By default, role attached to the position is provisioned without approval if the trigger happens via HR. Management of the Business role ties back up to my question under Issue 2

Let me know what you think.

Former Member

Hey

On issue 5 - I'm more worried about managing the role <-> position link rather than the person<->position link.  Adding a role to a position will have a big effect on security and should probably be managed appropriately.

On Issue 2: I've done one where there was a separate read from HCM for the positions.  You need this as you'll have to set up positions that have no one in them.  If you just rely on MX_FS_POSITION_ID you'll only see the position when it's populated.  It's probably easier to manage the mapping in IDM given that all your role data is there and you already have a UI for assigning it to things.  You can create roles with a different naming standard (eg: POSITION:... rather than ROLE:...) or create a new object (although the built-in display stuff doesn't work so well for this, like MX_ASSIGNMENTS).  Then you can have workflows built which allow the assignment of roles -> positions with security etc. in IDM.

On Issue 3: One place had a custom evaluation path as well as operation types.  It was a while ago and I can't give a full evaluation but it is an HCM problem.  They will need to provide some manner of identifying the changes.  It may require multiple data items (dates, flags etc)

Peter

Former Member

Hi Peter,

Thanks for your insight.

Considering the issues are taken care of, making a custom multi-valued attribute for Position ID should solve the problem of holding the user in multiple positions in case of higher duties by assigning multiple roles tied to these positions.

I am guessing this is a valid scenario. What do you suggest?

Thanks

Chaitanya

Former Member

That's a valid option.  It's worth considering whether you need to identify the HD position separately, in which case a separate attribute is probably best.  It really comes down to - how are you getting the data from HCM.  If it's an MV attribute, that's perfect.  If it's not, you're going to have to evaluate each time to determine if it's an HD or substantive position, in which case separate attributes might be easier...

Former Member

Hi Peter,

We are in discussions with the HR guys on setting up a flag which will help us identify the HD position. Will update on how the talks end up.

Regards

Chaitanya

Answers (1)


Former Member

Hi Chaitanya,

Is it possible to assign more than one position to an employee in HCM?

If so, there are many ways of dealing with that from the IDM side. I don't know precisely your business requirement, what you need to maintain and what should be dynamic, but I can suggest that you:

1. Translate every position you receive from HR to a Business role and assign as many Business roles as you want to the same user.

  • From HCM you will receive:

Employee:

- Z_POSITION_ID1: 1

- Z_POSITION_ID2: 2

  • In IDM:

Employee:

- Member of BR1

- Member of BR2

2. If you have a lot of attributes related to the HR position on the user (link user-position) to maintain, then create a custom object in IDM (entry type Z_POSITION).

You will be able to manage relations much more easily than with a simple relation (one-to-one attribute).

Otherwise, it's worth looking over this blog for the general design of HCM integration:

Fadoua

Former Member

Hi Fadoua,

Your question makes sense about HR holding multiple positions and your blog helps. What we anticipated is an HR custom field which will tell IDM that a HD position change has happened with the corresponding changed position ID.

Let me tell you what the requirement is.

1. One user must be a part of a single business role with all the entitlements.

2. If this user occupies a HD position, the existing BR (before occupying the HD position) will be removed and the new one will be assigned as per the Position-BR mapping stored in IDM.

With the HD position ID coming from HR and the Position-BR mapping in IDM, the corresponding BR can be assigned as per the new HD position.

Let me know what you think.

Regards

Chaitanya
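The design discussed in this thread (Peter's option of evaluating a position attribute against a position-to-role mapping, Fadoua's translation of each HCM position into a business role, and the final requirement that an HD position replaces the substantive business role) reduces to a small piece of decision logic. The following is an added example, not code from the thread, from SAP IDM or from any of the posters. It is plain JavaScript of the kind an IDM script task would carry, with the IDM API calls that would actually read and write entries left out. Everything in it is an assumption for illustration: the `|` separator for multi-valued attribute values, the `POSITION_TO_BR` object standing in for the custom mapping table, the separate HD-position attribute the thread plans to get from HR, the constructed position numbers and role names, and the `SOD_PAIRS` pre-check for Peter's issue 4 (the authoritative separation-of-duties ruling would still sit in GRC).

```javascript
// Added example, not code from the thread or from SAP IDM itself.
// Pure decision logic for a position-based role model; the calls that
// would read/write entries in IDM are deliberately left out.
// Assumptions (not from the thread): multi-valued attributes arrive as
// '|'-separated strings, the position -> business role mapping is a plain
// object standing in for a custom table or IDM lookup, and HR delivers the
// higher-duties (HD) position in a separate attribute, as the thread plans.

var POSITION_TO_BR = {              // constructed sample mapping
  "50001234": "BR:FINANCE_CLERK",
  "50001235": "BR:FINANCE_MANAGER",
  "50009999": "BR:HR_ADMIN"
};

// Constructed SoD pairs: roles one person must not hold at the same time
// (Peter's issue 4: acting in the manager's role while keeping your own).
var SOD_PAIRS = [["BR:FINANCE_CLERK", "BR:FINANCE_MANAGER"]];

// Split a multi-valued attribute value, trimming and de-duplicating entries.
function splitMV(value) {
  if (value === null || value === undefined) return [];
  var parts = String(value).split("|");
  var out = [];
  for (var i = 0; i < parts.length; i++) {
    var p = parts[i].replace(/^\s+|\s+$/g, "");
    if (p !== "" && out.indexOf(p) < 0) out.push(p);
  }
  return out;
}

// Resolve position IDs to business roles. Positions missing from the
// mapping are reported rather than silently dropped, so a new or
// renumbered HCM position surfaces as a data problem instead of lost access.
function rolesForPositions(positions, mapping) {
  var roles = [], unmapped = [];
  for (var i = 0; i < positions.length; i++) {
    var br = mapping.hasOwnProperty(positions[i]) ? mapping[positions[i]] : null;
    if (!br) { unmapped.push(positions[i]); continue; }
    if (roles.indexOf(br) < 0) roles.push(br);
  }
  return { roles: roles, unmapped: unmapped };
}

// Target roles for a person. mode "replace": an HD position supersedes the
// substantive one (the requirement stated at the end of the thread);
// mode "union": every held position contributes its role.
function targetRoles(mvPositionId, hdPositionId, mapping, mode) {
  var substantive = splitMV(mvPositionId);
  var hd = splitMV(hdPositionId);
  var positions = (mode === "replace" && hd.length > 0) ? hd : substantive.concat(hd);
  return rolesForPositions(positions, mapping);
}

// Every role the position model governs; only these may be auto-removed.
function managedRoles(mapping) {
  var out = [];
  for (var k in mapping) {
    if (mapping.hasOwnProperty(k) && out.indexOf(mapping[k]) < 0) out.push(mapping[k]);
  }
  return out;
}

// Diff current assignments against the target. Roles outside the position
// model (e.g. a manually requested ROLE:VPN) are never touched here.
function roleDelta(currentRoles, target, mapping) {
  var managed = managedRoles(mapping), add = [], remove = [];
  for (var i = 0; i < target.length; i++) {
    if (currentRoles.indexOf(target[i]) < 0) add.push(target[i]);
  }
  for (var j = 0; j < currentRoles.length; j++) {
    var r = currentRoles[j];
    if (managed.indexOf(r) >= 0 && target.indexOf(r) < 0) remove.push(r);
  }
  return { add: add, remove: remove };
}

// Pre-check before provisioning; the authoritative SoD ruling stays with GRC.
function sodConflicts(roles, pairs) {
  var hits = [];
  for (var i = 0; i < pairs.length; i++) {
    if (roles.indexOf(pairs[i][0]) >= 0 && roles.indexOf(pairs[i][1]) >= 0) hits.push(pairs[i]);
  }
  return hits;
}

// Usage: clerk in position 50001234 acts up into manager position 50001235.
var current = ["BR:FINANCE_CLERK", "ROLE:VPN"];
var t = targetRoles("50001234", "50001235", POSITION_TO_BR, "replace");
var delta = roleDelta(current, t.roles, POSITION_TO_BR);
// delta.add -> ["BR:FINANCE_MANAGER"], delta.remove -> ["BR:FINANCE_CLERK"]
var u = targetRoles("50001234", "50001235", POSITION_TO_BR, "union");
// sodConflicts(u.roles, SOD_PAIRS) -> one hit: clerk and manager held together
```

Two design points worth carrying into a real implementation: the delta only ever removes roles that the position mapping itself governs, so roles requested through a separate approval workflow survive an HR-driven recalculation, and an unmapped position is returned as data for someone to act on rather than being ignored, which is where Peter's warning about unstable position data tends to bite.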