2023 Apr 27 4:11 PM
Hi Guys,
I am in the situation of changing our role assignment. Our roles are currently assigned manually, but we would like to change that and automate the assignment through positions. The roles are already created. Could someone briefly explain to me what the process is and what error messages might occur, if anyone has experience with this already?
The role assignment does not only concern Germany but also other countries!
I would be very grateful!
All the best
Alex
2023 Apr 28 2:27 PM
Hi Alex,
What you are describing could be covered by "indirect role assignments" in an on-premise scenario. You should be able to find documentation for this online. Here are some links:
https://www.sapsecuritypages.com/indirect-role-assignment-via-om/
There are a lot of factors that play into a proper role assignment design. Some major factors would be:
...but there are many more technical and business process questions to factor in when it comes to the final design.
If you, like many other companies, are on your way into the cloud, you might want to think more strategically. SAP is and has been in the process of switching gears in that area. In the classic centralized on-premise architecture, user administration was also centralized. In a cloud-based scenario this is more difficult to accomplish.
Nowadays a lot of these applications get pulled into their own cloud-based products (e.g. HCM is being replaced by SuccessFactors and Employee Central) with their local user and role concepts. While SAP tries to move them towards a common standard with SAP Cloud Identity Services (IAS / IPS) at the center, not all products are there yet.
IMHO it makes a lot of sense to see whether an IDM system (utilizing standards such as SCIM) is worth exploring. SAP GRC AC might be worth looking into?
Once you have a stable system to maintain users and their permissions you can use tools such as SAP Cloud Identity Services (IAS / IPS) to provision this data to your endpoints.
Regards,
Janek
2023 Apr 28 11:58 AM
I think, like a lot of topics, SAP has software for that... but then it depends on your company/setup/direction and capabilities.
SAP GRC AC on prem is in this space, SAP also brings IAG - Identity Authentication Governance, which in turn uses SAP Cloud Identity Services - Identity Authentication Service and IPS Identity Provisioning Service.
I think there's also an on-prem Identity Management software, but I'm not sure of its capabilities or end of life.
As I understand the capabilities, you can have a job role assigned to the user in your Identity Provider and then drive authorization assignments from that.
I post this as a comment rather than an answer because I'm not an "expert" in this area and want to see how others answer you.
Wallace