Indirect Role Assignment via OM
We have come across the Organizational Management (OM) component while talking about SAP HCM. The OM component in SAP is used to map the organizational hierarchy of an enterprise by means of HR objects and relationships between those objects. In this post we discuss how OM can be used to simplify some of the user-role assignment tasks that a security administrator would otherwise have to handle manually.
Let's start with a sample org hierarchy created in transaction PPOME, shown in the screenshot below. We start with a root org unit (HR object type O) “IDES Root” with “IDES India” and “IDES Bangalore” under it. “IDES India” includes the position (HR object type S) “Director – India”, which is also set as its line manager. The position is filled by the person (HR object type P) “Mister Director”. We make the basic assumption that the SAP access for a user corresponds to his position in the org structure of the enterprise.
Consider the access for “Mister Director”. With direct role assignment, any role would be assigned to the user id for “Mister Director” through SU01 or PFCG. Now let's consider that “Mister Director” gets promoted to be the CEO of “IDES Root” and a new person comes to take his place. Since the roles for the India Director were directly assigned to his user id, he will continue to keep his old access in his new position. Also, the new person filling the position of “Director – India” will have to be manually assigned enough access to enable him to do his job. This same situation repeats for every transfer, promotion, demotion (and most other org changes in general) that takes place in an enterprise.
For an enterprise with more than a few thousand employees, the effort involved in keeping user access in sync with the org hierarchy is substantial. In addition to the monetary cost of the effort, there is a time penalty, as users need to wait for the User Admin team to adjust their security before they can start using SAP.
Indirect role assignment comes to the rescue in such situations and, if configured correctly, can reduce the routine maintenance effort appreciably. In indirect assignment, instead of directly assigning the roles to the user id for “Mister Director”, we assign the roles to the position “Director India”, such that any user occupying the position automatically gets the access needed for “Director India”. (The standard SAP configuration allows role assignments to the OM objects Position, Org Unit, Work Center and Task, which can be used depending on the business case.)
There are four technical prerequisites for the use of indirect role assignment through Org Mgmt:
- An active planning version must be defined in the system. Roles/profiles are assigned to the OM objects defined in the active plan version.
- The user master and the personnel master are linked via IT 0105 (Communication), subtype 0001 (system id). This translates to maintaining the SAP user id in IT 0105, subtype 0001, for the user’s personnel number with a validity period that is currently active.
- The HR_ORG_ACTIVE customizing switch is set to YES in the PRGN_CUST table, either as the default value or as an explicit entry in the table.
- The evaluation path US_ACTGR is defined and suitably adjusted in the system. This evaluation path is what SAP uses to assign roles to the users during user comparison, and it is the last and most vital cog in the wheel. The screenshot below shows the default definition of the evaluation path in OOAW.
Once the above prerequisites are met, we can go ahead and create indirect role assignments between roles and HR objects. In PFCG, indirect role assignment is accessed through the “Organization Management” button shown below. The blue lines correspond to indirect role assignments.
Clicking the Org Mgmt button opens the screen below, where we can check the existing assignments for the role (both direct and indirect). New role assignments can be created using the highlighted button.
Roles can also be assigned through PP01. An indirect role assignment is a relationship between object type AG (Activity Group, i.e. Role) and HR objects like positions, org units, etc. The screen below shows a new assignment (relationship B007) between the user’s position and the role object (object type AG).
The final step in the process of indirect role assignment is to copy the roles from the HR objects to the users. One of the most common ways to achieve this is to execute transaction PFUD with the option for HR reconciliation checked. In production systems, this program is normally scheduled to run every day at midnight to sync user access with the changing org structure.
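As an added illustration (not code from the post, and not SAP's own logic), this Python model walks a simplified evaluation path in the spirit of US_ACTGR over constructed OM relationships and IT 0105/0001 records, then computes what a PFUD-style HR reconciliation would add and remove when “Mister Director” moves to the CEO position. Only relationship B007 comes from the post; the holder (A008) and belongs-to (A003) codes, the object ids, user ids, role names and dates are assumptions.

```python
# Constructed sample data, not real SAP tables. Relationship codes other than B007 (named in
# the post) are assumptions: A008 = person holds position, A003 = position belongs to org unit,
# B007 = object is described by a role (AG). Dates are ISO strings so they compare as text.
# Tuple layout: (obj_type, obj_id, relationship, target_type, target_id, valid_from, valid_to)
FOREVER = "9999-12-31"
RELATIONS = [
    ("P", "10001", "A008", "S", "50001", "2010-01-01", "2012-06-30"),  # Mister Director held Director - India
    ("P", "10001", "A008", "S", "50002", "2012-07-01", FOREVER),       # ... then moved to the CEO position
    ("P", "10002", "A008", "S", "50001", "2012-07-01", FOREVER),       # successor takes Director - India
    ("S", "50001", "A003", "O", "30002", "2010-01-01", FOREVER),       # Director - India sits in IDES India
    ("S", "50002", "A003", "O", "30001", "2010-01-01", FOREVER),       # CEO position sits in IDES Root
    ("S", "50001", "B007", "AG", "Z_DIRECTOR_INDIA", "2010-01-01", FOREVER),
    ("S", "50002", "B007", "AG", "Z_CEO", "2010-01-01", FOREVER),
    ("O", "30002", "B007", "AG", "Z_INDIA_COMMON", "2010-01-01", FOREVER),  # inherited via the org unit
]
# IT 0105 subtype 0001 records: (pernr, SAP user id, valid_from, valid_to)
IT0105 = [("10001", "MDIRECTOR", "2010-01-01", FOREVER),
          ("10002", "NEWDIR", "2012-07-01", FOREVER)]
# Simplified evaluation path in the spirit of US_ACTGR (assumed, not the OOAW definition):
# from this object type, follow this relationship, arriving at that object type.
EVAL_PATH = [("P", "A008", "S"), ("S", "B007", "AG"), ("S", "A003", "O"), ("O", "B007", "AG")]
def related(rels, otype, oid, rel, ttype, key_date):
    """Target ids reachable by one relationship step that is valid on key_date."""
    return [r[4] for r in rels if r[:4] == (otype, oid, rel, ttype) and r[5] <= key_date <= r[6]]
def roles_for_pernr(rels, pernr, key_date):
    """Follow the evaluation path from a person to every role (AG) object valid on key_date."""
    seen, frontier, roles = {("P", pernr)}, [("P", pernr)], set()
    while frontier:
        otype, oid = frontier.pop()
        for src, rel, tgt in EVAL_PATH:
            if src != otype:
                continue
            for target in related(rels, otype, oid, rel, tgt, key_date):
                if tgt == "AG":
                    roles.add(target)
                elif (tgt, target) not in seen:  # guard against cycles in the structure
                    seen.add((tgt, target))
                    frontier.append((tgt, target))
    return roles
def expected_user_roles(rels, it0105, key_date):
    """Map every user with a valid IT 0105/0001 record to the roles derived through OM."""
    return {user: roles_for_pernr(rels, pernr, key_date)
            for pernr, user, start, end in it0105 if start <= key_date <= end}
def reconcile(current, expected):
    """What a PFUD-style HR reconciliation would add and remove: {user: (add, remove)}."""
    return {u: (expected.get(u, set()) - current.get(u, set()), current.get(u, set()) - expected.get(u, set()))
            for u in set(current) | set(expected)}
```

A person without a valid IT 0105/0001 record or without a held position (the default-position case discussed in the comments) resolves to no roles, which is exactly what reconciliation would then remove.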
The critical success factor for indirect role assignment is to understand how accurately your org hierarchy mirrors the roles and responsibilities of your users. Some of the questions that need to be discussed with your business owners, functional consultants and security team are:
- What is the correlation between the roles/responsibilities of users and their position in the org structure?
- Who will be responsible for maintaining the org structure and how frequently?
- Will users need their old access even if they move to a new position?
- How will contractors be given access? Contractors are normally not part of the org structure and don’t occupy a position. So do you continue to directly assign roles to contractors or do you link them to the org structure in some way (for example through positions/jobs/tasks)?
- Are you only concerned about a central ECC system or are there other systems in the landscape (BW, CRM, SRM, APO, etc)? Will the roles assigned in these other systems also be determined by the users’ positions in ECC?
Hi,
I want to implement 0Employee Level Security. Can you please suggest me what needs to be done on this?
Hi Prakash,
Sorry, but you need to be more specific than this. By 0EMPLOYEE, I think you are working on BI security for HR data. In such a case please go through the posts on BW security in my blog. They should help to get you started.
Regards,
Aninda
Can you please explain how the organizational units, managers and employees are created in the hierarchy, and the transactions that are used, in a step-by-step manner.
I am trying to test the structural authorizations but I am stuck with creating the structure correctly.
Hi Aninda,
We are having a default position, i.e. 99999999, in the organisation structure. Any user who is not assigned to any position automatically gets assigned to this default position. I want to add a role to this position but the system says the position does not exist.
Can you please advise.
Parveen
Hi Parveen,
I have never actually tried doing this but I believe the system will not allow you to add roles to the default position as this is not really an actual position in the org structure. Since these people on 99999….. position are not actually part of the org structure, indirect role assignment probably would not work for them.
I think you are trying to set default access for all users? One way of handling this is to add the default access when the user masters for new users are actually being created.
Regards,
Aninda
Hi Aninda,
We have a requirement that when users leave the organisation all the roles should be taken from them and a new role should be added for ESS – Separated employees.
When the users leave the organisation they will be removed from their position in the organisation structure and they will automatically get the default position assigned to them. So if there is any way I can add the role ESS – Separated employees to the default position, the users will get it automatically.
Let me know if you have any other suggestion for automatically assigning roles to users when they leave the organisation.
Parveen
Sorry, I must have missed the original comment. I cannot think of a standard functionality which will handle this. However, you can probably develop a simple program which runs in the background each day, evaluates the employees leaving the company on that day and replaces their existing roles with the single role. I don’t think indirect assignment through OM will work as the employees in question belong to the default position.
The question mentioned above – “Will users need their old access even if they move to a new position?”
How do we achieve this? Do we map a single pernr/object ID to more than one position? When a person changes position, wouldn’t the roles associated with the previous position assignment (which doesn’t exist anymore for the user) get auto-removed by the system?
The indirect position role assignment will remove the access once a person moves to a new position. I am yet to see a standard way to achieve this without significant amount of coding.
Thanks for all the useful knowledge that you are sharing. I am looking for a solution for mass indirect role assignment, i.e. ‘X’ number of users/positions are getting assigned ‘Y’ number of roles (different user and different role combinations). Rather than opening one role at a time and assigning it to one position, is there any SU10 equivalent method to assign en masse?
Regards, Sean
Thank you very much for the useful information, but I have a couple of questions. Do we need to maintain all the entries as you have maintained them in OOAW, or simply maintain a single entry for AG? Also, what will the related object be? I am assuming it would be Position (S). Secondly, I would like to have indirect role assignment ONLY for MSS access. I do not want any other indirect role assignments. Do you think I need to be careful of it compromising some other functionality? Looking forward to your response.
Paul
Hi Paul,
The default definition of the evaluation path should already be provided by SAP and for assigning access to positions like in the case of MSS should work without you having to update this at all. You just assign the MSS role to the manager positions and run PFUD checking the options for org assignment. You don’t need to use indirect assignment of roles for all roles or positions.
Thanks,
Aninda
Hi,
How can we get change documents for indirect role assignment (role assigned to position)?
Thanks & Regards,
Sreeknath