ESS + Backend access Issue

Former Member · ‎04-10-2015

Hi Experts,

Recently I have come across a design issue for the HR roles in our system.

Our HCM system has ESS/MSS as well as other backend roles such as payroll, time admin etc.

The ESS/MSS role is categorized based on country, as such the P_ORGIN object will have full country value for PERSA etc.

The backend role such as PAYROLL ADMIN will have restrictions based on PERSA.

When we combine both, the ESS/MSS access overrides PERSA restrictions in PAYROLL Admin role & gives additional access to full country.

Is there a way to mitigate this & restrict the access without changing the ESS/MSS authorizations?

Please share your thoughts.

Nivin

Former Member · ‎04-10-2015

Nivin,

Its not exactly a pinpoint solution to your issue but move from P_ORGIN to P_ORGINCON. P_ORGIN is old and IMHO obsolete. P_ORGINCON offers much needed flexibility to meet most of the business scenarios.

Regards,

Shivraj Singh

Former Member · ‎05-08-2015

Hi Navin -- We got similar situation, curious to understand the solution,

We got an ugly setup to bypass this problem, backend user is segregated from ESS/MSS, meaning every user has two ID's in SAP, one for ESS/MSS for supporting portal SSO(enterprise AD ID) and other for SAP backend HR access. Users are not aware of their enterprise AD ID's existing in backend. they use only SAP backend ID's to login. Its because our SAP license gives this flexibility and some one has jus put this easy bypass solution.

I'm working to eliminate this mess now, its impacting us in all cases like GRC tools & Identity management tools especially in auto provision setup's.

I was thinking of structural restrictions with Contex objects, but it seems a lot of effort now that we got 40000 ESS users and 2500 SAP users, with a complex HR org and also I'm worried about the performance impact it will have.

Thanks,

Sridhar.