
Master-derive role concept -Global Implementation

Former Member
0 Likes
1,193

Dear Experts,

We have many SAP products in our landscape, like ECC, Solman, PI, BI, EM, SCM, CRM, HCM, etc. We have different SAP landscapes across the globe (like separate ECC for Europe, Middle East, USA, etc.), and we are trying to align the authorization concept followed in each region. As of now we follow the Master-derive role concept in ECC and SCM only, for Business roles only.

Now we are implementing GRC AC and IDM for full automation. So we will have Business Roles which will be mapped to Composite roles, to which the technical role mapping will be done. We have plans to redesign our authorization structure globally.

And there is one Global proposal to follow the Master-derive role concept for all SAP products (except BI). The proposal for the authorization structure is as below:

Master-derive role concept for:

1. All SAP products (Solman, PI, EM, EWM, CRM, HCM, ECC, SCM) for all (IT and Business) roles.

2. All Communication roles.

3. In short, there will not be Single roles created in the system. All are Master-derive in all SAP systems.

The above proposal provided the justification that we will have consistency in the authorization concept across all systems and there will not be confusion while creating composite roles.

I personally feel that the Master-derive role concept for non-org value systems like Solman, PI, EWM and for communication roles will not be a wise decision.

Please advise on the above proposal.

Best Regards,

6 REPLIES 6
Former Member
0 Likes
1,047

Hi,

As per my view, the Master-Derived concept is good for both org. and non-org. value systems too. You can create derived roles region-wise with one master role on top. You can also maintain derived roles by user's job position. It is not necessary to maintain org. values for each derived role in a non-org. structure. You can also create one composite role by grouping some specific region's derived roles.

Hope this helps you to clear your view up to a certain extent.

Regards,

Kiran

0 Likes
1,047

Hi Kiran,

Thanks, and I appreciate your reply. But there will be common Business roles (for all systems) which will be created based on region/position. I don't see the need to create Master-Derived roles based on region/position in non-org value systems like PI, Solman, EWM and also for communication roles.

Kindly note that I also prefer the Master/derive role concept only for org. value systems like ECC/SCM. Also, I prefer to have single roles in ECC/SCM whenever required, as a special need for add-on roles.

Others, please share your views as well on the proposal mentioned in my question.

Regards

0 Likes
1,047

What does your support model look like? Is it internal? Internal + external? External black box? (The worst of the lot!)

The most elegant solution may not be the one that fits your target support model. If the support is going to be largely transactional activities performed by relatively low-skill individuals, then simplicity and consistency are paramount. Taking that instance as an example, having a policy that there is a master and 1 or more derived for all roles in all systems has merit. If you have a relatively skilled team of internals (and can see it staying like that), then you have a bit more flexibility and can rely a bit on retained knowledge and develop your solution with that in mind; after all, you will be supporting this for much longer than you will be deploying it.

Out of interest, if IDM BRs are being used, then what is the purpose of composite roles other than adding an additional layer of complexity between the provisioning unit (BR) and the technical roles?

0 Likes
1,047

Hi Alex,

Thank you for your reply.

There is no such policy in our organization that mandates following the master-derive concept in all systems. We are responsible for designing the authorization structure, hence it is an internal decision.

But our team is segregated across regions and there is a proposal (from one region) to follow the master-derive role concept in all systems globally. My personal view is to have Master-derive in org. level value based systems like ECC/SCM, while non-org systems like Solman and PI will have single technical roles created. And I am looking for opinions or pros/cons of the proposals.

We have Project and Support teams in the organization. I am in the project design team, and once I document the Global procedure, the Support team will follow it accordingly. The Project team has control over the Support team, hence it would not be difficult to guide the Support team whenever required.

Thanks

Imran

0 Likes
1,047

But our team is segregated across regions and there is a proposal (from one region) to follow the master-derive role concept in all systems globally. My personal view is to have Master-derive in org. level value based systems like ECC/SCM, while non-org systems like Solman and PI will have single technical roles created. And I am looking for opinions or pros/cons of the proposals.

Hopefully I have provided some food for thought then.

Former Member
0 Likes
1,047

Hi Imran,

You are correct, the master-derive role concept is not optimal for Solman, PI or IT roles; single roles are best for this purpose. If you go with the master and derived role concept, then during implementation you will have an overhead of creating one extra parent/derived role where just a single role would have served the purpose. Furthermore, role maintenance will also become complex if only parent-derived roles are in use.

I suggest taking more time to explain these pros and cons to your client, and I hope they go with your approach.