Organization level control on Role
Dear security gurus.
I have 2 business roles in company and 2 subsidiaries under HQ.
Each company has:
- Account clerk
- Account manager
HQ's clerk & manager: should be able to check all companies' data.
Subsidiary's clerk & manager: should be able to check ONLY their own company's data.
In this case, I have to create these 6 roles, because
company code restriction can be controlled only by role, not by user.
Am I correct?
1.HQ's manager(Company code: *)
2.HQ's clerk(Company code: *)
3.Subsidiary1's clerk(Company code: 1)
4.Subsidiary1's manager(Company code: 1)
5.Subsidiary2's clerk(Company code: 2)
6.Subsidiary2's manager(Company code: 2)
There is another approach you can consider: enabler-role based.
1. Create roles including only transactions and all associated authorizations. Keep org levels blank (company code in your case). So you need to create 2 roles: CLERK and MANAGER.
2. Create enabler roles for each company code. These roles will not have any tcode. Only authorization objects related to org levels (company code) would be added to this role. So you need to create 2 enabler roles: COMPCODE1 and COMPCODE2.
Now you can assign appropriate combinations to any user. E.g., the clerk of company 1 would be assigned the CLERK and COMPCODE1 roles.
HQ managers and clerks would get their respective tcode-based role and multiple enabler roles.
This approach would be much easier to handle. If there is a new position, you would just have to create a tcode-based role. If there is a new company code, you would just need to create an enabler role.
In enabler roles, you can also consider other finance related org levels apart from company code.
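To make the two designs in this thread concrete, here is an added example (not code from either poster, and not SAP code): a small Python model of how role assignments combine at check time, built both as the six per-company roles from the question and as the functional-role-plus-enabler-role pairs from the answer. The authorization objects S_TCODE (field TCD) and F_BKPF_BUK (fields ACTVT, BUKRS), the transactions FB03 and FB08, and the company codes 1000 and 2000 are assumed stand-ins. AUTHORITY-CHECK is simplified to the rule that matters for this design: the user's buffer is the union of the authorizations of every assigned role, and a check passes only if one single authorization satisfies every requested field, so a functional role with BUKRS left blank grants nothing on its own and the enabler role must carry the whole org-level object.

```python
"""Toy model of SAP-style role composition (added example, not from the post).

Assumed stand-ins, not taken from the thread: authorization objects S_TCODE
(field TCD) and F_BKPF_BUK (fields ACTVT, BUKRS), transactions FB03 (display
document) and FB08 (reverse document), company codes 1000 and 2000.
AUTHORITY-CHECK is simplified to: the user's buffer is the union of the
authorizations of every assigned role; a check passes if ANY single
authorization satisfies EVERY requested field; '*' matches anything; a blank
field value matches nothing. Ranges and deactivated objects are not modelled.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Authorization:
    obj: str
    fields: dict  # field name -> tuple of allowed values

    def permits(self, obj, **wanted):
        """All requested fields must be satisfied by THIS one authorization."""
        if obj != self.obj:
            return False
        for name, value in wanted.items():
            allowed = [a for a in self.fields.get(name, ()) if a]  # blank = nothing
            if not any(fnmatchcase(value, a) for a in allowed):
                return False
        return True


@dataclass
class Role:
    name: str
    auths: list


def auth(obj, **fields):
    return Authorization(obj, {k: tuple(v) for k, v in fields.items()})


def authority_check(roles, obj, **wanted):
    """Union over all assigned roles, per-authorization match."""
    return any(a.permits(obj, **wanted) for r in roles for a in r.auths)


CLERK_TCODES, CLERK_ACTVT = ["FB03"], ["03"]
MANAGER_TCODES, MANAGER_ACTVT = ["FB03", "FB08"], ["03", "05"]


# --- Approach 1 (the question): one role per position and company code ------
def position_role(name, tcodes, actvt, bukrs):
    return Role(name, [auth("S_TCODE", TCD=tcodes),
                       auth("F_BKPF_BUK", ACTVT=actvt, BUKRS=bukrs)])


SIX_ROLES = {
    "HQ_MANAGER":   position_role("HQ_MANAGER", MANAGER_TCODES, MANAGER_ACTVT, ["*"]),
    "HQ_CLERK":     position_role("HQ_CLERK", CLERK_TCODES, CLERK_ACTVT, ["*"]),
    "SUB1_CLERK":   position_role("SUB1_CLERK", CLERK_TCODES, CLERK_ACTVT, ["1000"]),
    "SUB1_MANAGER": position_role("SUB1_MANAGER", MANAGER_TCODES, MANAGER_ACTVT, ["1000"]),
    "SUB2_CLERK":   position_role("SUB2_CLERK", CLERK_TCODES, CLERK_ACTVT, ["2000"]),
    "SUB2_MANAGER": position_role("SUB2_MANAGER", MANAGER_TCODES, MANAGER_ACTVT, ["2000"]),
}

# --- Approach 2 (the answer): functional roles, org level blank, + enablers --
CLERK = Role("CLERK", [auth("S_TCODE", TCD=CLERK_TCODES),
                       auth("F_BKPF_BUK", ACTVT=CLERK_ACTVT, BUKRS=[""])])
MANAGER = Role("MANAGER", [auth("S_TCODE", TCD=MANAGER_TCODES),
                           auth("F_BKPF_BUK", ACTVT=MANAGER_ACTVT, BUKRS=[""])])


def enabler(bukrs):
    """No tcodes, only the org-level object. ACTVT has to be open ('*'): with
    per-authorization matching, no other single authorization would ever hold
    both a usable ACTVT and a BUKRS, so the enabler carries the whole object."""
    return Role(f"COMPCODE{bukrs}", [auth("F_BKPF_BUK", ACTVT=["*"], BUKRS=[bukrs])])


COMPCODE1, COMPCODE2 = enabler("1000"), enabler("2000")


def can_display_document(roles, bukrs):
    """Simulate FB03 on a document belonging to company code `bukrs`."""
    return (authority_check(roles, "S_TCODE", TCD="FB03")
            and authority_check(roles, "F_BKPF_BUK", ACTVT="03", BUKRS=bukrs))


def can_reverse_document(roles, bukrs):
    """Simulate FB08 on a document belonging to company code `bukrs`."""
    return (authority_check(roles, "S_TCODE", TCD="FB08")
            and authority_check(roles, "F_BKPF_BUK", ACTVT="05", BUKRS=bukrs))


if __name__ == "__main__":
    sub1_clerk = [CLERK, COMPCODE1]
    hq_manager = [MANAGER, COMPCODE1, COMPCODE2]
    print("sub1 clerk displays in 1000:", can_display_document(sub1_clerk, "1000"))
    print("sub1 clerk displays in 2000:", can_display_document(sub1_clerk, "2000"))
    print("HQ manager reverses in 2000:", can_reverse_document(hq_manager, "2000"))
    # Trade-off of the enabler design: the activity restriction now lives only
    # in S_TCODE, because the enabler's ACTVT '*' is what satisfies the object.
    print("sub1 clerk passes an ACTVT 05 object check:",
          authority_check(sub1_clerk, "F_BKPF_BUK", ACTVT="05", BUKRS="1000"))
```

Running the model shows both designs giving the same answers to the access questions in the thread (a subsidiary clerk sees only their company code, HQ staff with both enabler roles see both), and one difference worth checking in a real system: in the enabler design the clerk's functional role no longer limits ACTVT on the org-level object, so the clerk passes an ACTVT 05 check on F_BKPF_BUK and only the missing FB08 in S_TCODE keeps them from reversing documents. If a transaction the clerk does hold performs a change-level check on that object, the enabler's open ACTVT is what will be granted; splitting enabler roles by activity, or keeping a trace (ST01/STAUTHTRACE) on such objects after the rebuild, is the practical safeguard.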