04-10-2008 7:18 AM
Hi
Has anyone been involved in an implementation where you can assign BI roles to Positions (organisational structure maintained in R/3)? If so, what configuration is involved?
04-10-2008 12:15 PM
Hi,
After replying I realised that this may not be answering your question exactly, but it is the approach that I would adopt.
Not sure if it is feasible for your landscape but I would use a CUA for this approach - in the long run I find it to be a good approach especially if you are adding more SAP applications to your landscape.
Firstly, set-up ALE for the org structure from R/3 to your CUA client.
I would then create composite roles in the CUA client, which include roles for both R/3 and BI. These would then be assigned to the positions in the HR Org structure.
To create the composite roles, read roles into your CUA client via RFC - note that this is not the text comparison for CUA, but reading roles from other systems via RFC through PFCG. Once you read the roles in you will notice that the RFC destination is maintained in the menu tab of roles that have been imported. Then when you create the composite roles containing R/3 and BI roles you will see that the target system is maintained. If you use the variable mentioned below, it achieves the same thing but makes future maintenance easier.
Creating the composite roles does mean additional maintenance upfront, but before you begin I would make use of the table SSM_RFC. Through this you could assign a variable to an RFC destination; you can use the same variable name in DEV, QA & PRD but have different RFC destinations allocated. This means that you can transport roles from the DEV CUA to PRD CUA without having to maintain the roles.
In CUA you would need to set the role distribution properties to global in transaction SCUM.
When you assign a composite role to a user in CUA you will notice that it will complete all the system assignments as defined in your composite role. If you allocate to a position, then it would do the same thing provided the IT105 is maintained for the employee and position assignment is valid - once you run the user compare it will update the user master and distribute.
I hope that provides you with some ideas.
Regards
Edited by: S Morar on Apr 10, 2008 1:23 PM
04-10-2008 3:12 PM
Hi Morar,
How do we read the roles into the CUA client via RFC?
Do we need to create each and every role and then maintain the RFC destination in the menu tab manually, or is there any other way to do it?
Is it better to maintain the CUA on the HR system or on a separate system (Solution Manager)? Because (I think) moving the org structure from HR to CUA system is challenging.
Also, is there any additional maintenance after we move the org structure from HR to CUA system?
Thanks.
04-11-2008 9:11 AM
Hi,
It is not necessary to maintain the RFC destination for each role, this is automatically populated when you read the roles via RFC. You execute this from PFCG: Role > Read from other system by RFC. After you click the drop-down for RFC destination, you would select either RFC or variable - I prefer to use the variable which is maintained in table SSM_RFC as mentioned in the previous post.
I prefer to import from the child systems, although you can create the role from your CUA client - just with the role name and description, then distribute to child system when maintaining the RFC destination.
I agree that moving the HR org is challenging, and depending on the stability of your org it could mean quite a lot of updates being transferred to CUA. I'm not aware of any additional config when using this approach.
I have used my HR system for the CUA before as well - this worked quite well, although you would need to carefully consider the upgrade approach for this system - you always want the system where your CUA resides to be on the highest basis release level in your landscape. I currently have a CUA client on release 700 and a child system on 710, and we have noticed a few issues.
Regards
04-11-2008 5:25 PM
Hi Morar,
Your information is very helpful. Regarding position-based security (PBS), which is the best way to deal with the contractors, since they are not assigned to any position?
Do we need to create a separate position for them (which is not generally accepted by business) or do we need to assign the roles to them directly?
Thanks.
04-11-2008 10:17 PM
1. ALE setup - Create distribution model and define filters in ECC (HR/sending systems). Receiving should be BI systems (non-HR systems) using BD64.
2. Distribute model from ECC to BI using BD64.
3. Initial load transfer from ECC to BI: first O and then S. Send IDOCs using PFAL or run program RHALEINI using SA38 in ECC.
4. Send delta changes to update org structure using BD21; put in background job to run every 2 hrs in ECC to update org structure in BI.
5. Personnel no and user ID must be tied with infotypes 0105/0001 using PA30 in ECC (PA team are responsible).
6. Assign role to position using PO13 or PP02 with relationship B007 in BI systems.
7. Run PFUD, select option with Replicate local HR assignment into CUA to update CUA (schedule in background job at night).
Here is the helpful link:
http://help.sap.com/saphelp_47x200/helpdata/en/8b/3c713eeaac5441e10000000a114084/frameset.htm
Edited by: Farukh on Apr 11, 2008 11:41 PM
Edited by: Farukh on Apr 11, 2008 11:48 PM
04-14-2008 12:58 AM
Some replies have been quite useful. However, if the Org Structure is ALE'd to the CUA client which would be our Solution Manager system, how will this impact structural profiles and the use of ESS/MSS? Can structural profiles be RFC'd as well since they are also assigned to positions within the org structure?
You also mentioned creating "composite" roles in the CUA client? What happens if you have already created composite roles in the R/3 system?
04-14-2008 9:47 AM
Hi,
With regards to the structural auths - these would always have to be assigned in the child systems where it is required. As far as I'm aware CUA cannot handle the distributed assignment of structural auth to position, without some considerable effort.
I'm guessing that you would like to RFC your structural assignments to make use of these restrictions in BI, if so then that is not going to help you. Structural auth implementation for BI involves the transfer of your index table (T77UU) from R/3 to BI. Take a look at this link for more info, it is an old document but will give you some background:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.highlightedcontent?documenturi=...Authorization-ASAPforBWAccelerator
I don't see this having any impact on MSS/ESS - you are only using the org structure to handle role assignments to position, so it would not replace the org management and structural restrictions in your child system.
If you have composites already in your R/3 client, then I don't see how you could avoid recreating the composites on the CUA client - I'm pretty sure that you cannot read composites into your CUA client via RFC.
Regards