Profile Assignment via OM
In the last article we have already looked at the process of indirect role assignment through OM objects. SAP provides another option to achieve indirect assignment of security through the org structure of the enterprise. This method involves indirect assignment of authorization profiles. Though much less common now-a-days as most companies have moved to a system where access is based on roles instead of authorization profiles, there is really nothing preventing its use in even a role based system.
The basic concept of indirect assignment remains the same. Instead of creating B007 relationships, between the user’s position and object type AG, we maintain infotype 1016 for the position with the profile names. An example screen-shot is given below. Through configuration, its also possible to maintain IT 1016 for other org objects like jobs, org units, tasks, etc.
To copy the profiles from HR objects to users, the report RHPROFL0 is used with the options shown below. This report can also be scheduled to run in the background everyday at midnight to sync up user access (both PD profiles and general authorization profiles) with a changing org structure.
hai aninda,
your explanation is superb,really ur making a difference
can please post some data on sm19,sm20, sm21 with screen shots
regards
syed
Thanks Syed. I will keep your request in mind for future articles. Till now I have been mostly associated with security design rather than security administration. Hence, my experience with SM19 or SM20 is a bit limited. But I agree, this is an important aspect of security.