
Authorization based on profile parameters

Former Member

Dear colleagues,

I have had this challenge for a couple of years already and I am assuming that other mid-size implementations have this as well.

Problem description:

Based on the functional area and entity defined in a given role, it is always possible to assign a number of users in SAP. However, in a mid-size organization, maintenance of several roles with identical transaction assignments is a significant challenge. I initially thought that it might be possible to assign the restrictions based on profile parameters. However, this doesn't seem to be effective.

As an example, if I have 5 regional controllers (all having the same t-codes), I would have preferred to create one role Z_RG_FI_CONTROLLER and assign the users to the role above. While creating/updating the user account(s), I would have assigned the BUKRS to the relevant users (0011, 0012, 0013, etc.). Please note that I am not interested in creating Z_0011_FI_CONTROLLER, Z_0012_FI_CONTROLLER, Z_0013_FI_CONTROLLER, etc.

I tried searching for notes but it seems we don't have any solutions in the space. Would anyone know of options to solve the challenge above?

Thanks and best regards,

Kaushik

1 ACCEPTED SOLUTION

radhakrishnan_r
Participant

Kaushik,

You need to maintain only the org values in the derived role, and yes, you need to create the authorization and profile, but you do not need to enter any other values in the derived role; you can centrally maintain the menu structure, which can be pushed to all child roles.

But there is no other way to do it.

Regards,

RK

5 REPLIES 5

radhakrishnan_r
Participant

Kaushik Das,

Your requirement is that there are 5 locations with different company code values, and all of those users have the same tcode access except for organizational values, if I understood correctly.

This requirement can be done using master role and derived role concept.

  1. Create a master role Z_RG_FI_CONTROLLER with all tcodes (since it's the same for all users), except organizational values.
  2. Create derived/child roles Z_FI_CONTROLLER_LOC1, Z_FI_CONTROLLER_LOC2, etc. and add Z_FI_CONTROLLER in the "Derive role from" option, so it will derive all the menu and authorization structure from the master role; you only need to maintain org values in the child roles.
  3. This way you can maintain all tcodes in a single place, and they will be automatically pulled down to all child roles, except org values.
  4. Check the online documentation for the derived role concept, which will give you more details.

Regards,

RK


Hello Radhakrishnan,

Thanks for your advice. I see some issues here: while I have the t-codes copied over into the derived roles, I need to recreate the profiles all over again. I see this as a bit of help, but this doesn't solve the entire issue.

With best regards,

Kaushik


Bernhard_SAP
Product and Topic Expert

No, you don't need to. You only need to maintain the org. level field for BUKRS once for every role. Maintain the other authorizations only once in the inheriting role. That is how it works. It's described at help:sap.com..... Please check.

Your approach with parameters does not work in standard. Maybe there exist some applications which verify the parameters. But it's a security issue, as many users are allowed to change their own parameters and might therefore get wider access by assigning more parameter values...

b.rgds, Bernhard
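
The difference between a user parameter and an authorization value, as an added ABAP example that is not code from this thread or from SAP. The report, class and method names are hypothetical, and F_BKPF_BUK with activity 03 (display) is assumed here as the company-code authorization object being checked; the parameter ID BUK is the standard company code parameter.

```abap
REPORT z_bukrs_access_demo.  " hypothetical report name

PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.

CLASS lcl_access DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS by_parameter
      IMPORTING iv_bukrs     TYPE bukrs
      RETURNING VALUE(rv_ok) TYPE abap_bool.
    CLASS-METHODS by_authority
      IMPORTING iv_bukrs     TYPE bukrs
      RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_access IMPLEMENTATION.
  METHOD by_parameter.
    " Weak pattern: the decision rests on the user parameter BUK.
    " That value is a default for pre-filling fields; users who may
    " maintain their own parameters control what this method returns.
    DATA lv_own TYPE bukrs.
    GET PARAMETER ID 'BUK' FIELD lv_own.
    rv_ok = xsdbool( sy-subrc = 0 AND lv_own = iv_bukrs ).
  ENDMETHOD.

  METHOD by_authority.
    " Corrected pattern: the decision rests on the BUKRS value held in
    " the user's role (the org level maintained in the derived role),
    " which only role administration can change.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD iv_bukrs
      ID 'ACTVT' FIELD '03'.
    rv_ok = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Only the authority check gates access; the parameter result is
  " shown for comparison and never used as an access decision.
  IF lcl_access=>by_authority( p_bukrs ) = abap_false.
    MESSAGE |No authorization for company code { p_bukrs }| TYPE 'E'.
  ENDIF.
  WRITE: / 'Display allowed for company code', p_bukrs.
  IF lcl_access=>by_parameter( p_bukrs ) = abap_false.
    WRITE: / 'Note: user parameter BUK differs from the requested value.'.
  ENDIF.
```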


Thanks Bernhard, I get your point. I was hoping for a smaller set of roles, since it looks quite unusual for a 150 (active) user organization to have 130 roles. Yes, it is a risk to expose parameters, since users are generally given certain powers to adjust parameters for pre-filling entries and layouts.
