
Automatic role assignment

terbesalexandru
Explorer
1,097

Hi Guys,

I am in the situation of changing our role assignment. Our roles are currently assigned manually, but we would like to change that and automate the assignment through positions. The roles are already created. Could someone briefly explain to me what the process is and what error messages might occur, if anyone has experience with this already?

The role assignment does not only concern Germany but also other countries!

I would be very grateful!

All the best

Alex

1 ACCEPTED SOLUTION

Janek_Niefeldt
Explorer
0 Kudos
865

Hi Alex,

What you are describing could be covered by "indirect role assignments" in an on-premise scenario. You should be able to find documentation for this online. Here are some links:

https://help.sap.com/docs/SAP_NETWEAVER_750/c6e6d078ab99452db94ed7b3b7bbcccf/92e7623c28695c63e100000...

https://www.sapsecuritypages.com/indirect-role-assignment-via-om/

There are a lot of factors that play into a proper role assignment design. Some major factors would be:

  • Landscape type (cloud vs. mixed vs. on-premise-only)
  • Number of systems that need to be integrated.
  • Is the organizational structure maintained and updated (e.g. by a central HR department)?
  • Complexity of role design (e.g. do you need to utilize structural authorizations)?
  • Who requests access and what does the approval or review process look like?
  • What are the requirements for reporting of existing access, changes, or SoD risks?
  • Are there existing tools in your company you might be able to leverage (e.g. IDM system)?

...but there are many more technical and business process questions to factor in when it comes to the final design.


If you, like many other companies, are on your way into the cloud you might want to think more strategically. SAP is and has been in the process of switching gears in that area. In the classic centralized on-premise architecture user administration was also centralized. In a cloud-based scenario this is more difficult to accomplish.

Nowadays a lot of these applications get pulled into their own cloud-based products (e.g. HCM is being replaced by SuccessFactors and Employee Central) with their local user and role concepts. While SAP tries to move them towards a common standard with SAP Cloud Identity Services (IAS / IPS) at the center not all products are there yet.

IMHO it makes a lot of sense to see whether an IDM system (utilizing standards such as SCIM) is worth exploring. SAP GRC AC might be worth looking into?

Once you have a stable system to maintain users and their permissions you can use tools such as SAP Cloud Identity Services (IAS / IPS) to provision this data to your endpoints.

Regards,
Janek

2 REPLIES 2

Wallace
Active Participant
0 Kudos
865

I think, like a lot of topics, SAP has software for that... but then it depends on your company/setup/direction and capabilities.
SAP GRC AC on prem is in this space, SAP also brings IAG - Identity Authentication Governance, which in turn uses SAP Cloud Identity Services - Identity Authentication Service and IPS Identity Provisioning Service.

I think there's also an on-prem Identity Management software, but I'm not sure of its capabilities or end of life.

As I understand the capabilities, you can have a job role assigned to the user in your Identity Provider and then drive authorization assignments from that.
I post this as a comment rather than an answer because I'm not an "expert" in this area and want to see how others answer you.

Wallace
