
SAP IDM - Assign Role through Position ID - Indirect Role Assignment

Former Member
0 Kudos

Hi IDM Experts,

We are working with HR data exported through the LDAP 604 extract, and based on position IDs, we need to assign certain ECC roles to users, indirectly, via position IDs (or how it would normally be done through TCODE: PO13 - Assignment comes from HR Organization Management).

As seen below, the role assignment needs to be indirect, as opposed to the standard IDM role assignment which is direct:

How can roles be provisioned in this manner? Can this be done through the standard SAP provisioning framework? Or does this require a custom script?

Thanks a ton in advance!

Best regards,
Sandeep


Accepted Solutions (1)


Former Member
0 Kudos

Regardless of what you want, it's going to be a custom setup. However, I've done this in several different fashions.

1) You can create 'position' objects which are essentially roles (whether it's a new object, or a role object with a different naming standard, POSITION:123456 for example). You automatically assign people to the position roles as their position number changes (or they go in and out of higher duties positions). Make sure it's possible to assign more than one, given that most places will have a substantive and HD role assignment scenario. The roles / privs are then assigned to the position and move with it from user to user. A new object has issues with standard views in the UI, so it's probably easier to go with a role object with different naming standards.

2) You create a 'position' attribute on roles and add the position numbers to it.  When a person is assigned a position, go through the roles and assign anything with that position number associated with it and remove those that no longer apply.  Again, take care of HD positions.

3) There's probably other ways based on your given scenario.

Option 1 is probably the easiest - it lets you assign ownership of the 'position role' to other people to manage, as well as wrap workflows around it.  It takes advantage of the standard 'assignment' process in IDM whereas option 2 takes a lot more custom processing.

Peter
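The reconciliation step that option 2 above hinges on (find every role tagged with one of the user's positions, assign what is missing, remove what no longer applies, and keep the substantive and HD positions in play at the same time) written out as an added example. This is not code from the thread and does not use the SAP IDM scripting API: the role catalogue, the user record and all role and position IDs below are constructed sample data, and the calls that would read and write assignments in IDM are assumed to wrap the `reconcile` function rather than being shown. The same delta logic serves option 1 if the catalogue simply maps `POSITION:nnn` roles to their position IDs.

```javascript
// Added example: compute the role delta for a user whose roles are driven by
// HR position IDs (Peter's option 2). Plain JavaScript, no IDM API calls.

// Constructed sample catalogue: role name -> position IDs the role belongs to.
// In IDM this would be the 'position' attribute on each role.
const ROLE_POSITIONS = {
  "Z_FI_AP_CLERK": ["50001234"],
  "Z_FI_GL_ACCT": ["50001234", "50001235"],
  "Z_HR_TEAM_LEAD": ["50001235"],
  "Z_BASIS_ADMIN": ["50009999"],
};

// Every role whose position list intersects the positions the user holds.
function rolesForPositions(positions, catalogue) {
  const wanted = new Set();
  for (const [role, posList] of Object.entries(catalogue)) {
    if (posList.some((p) => positions.includes(p))) {
      wanted.add(role);
    }
  }
  return wanted;
}

// user: { substantivePosition, hdPositions, currentRoles }
// Returns { add, remove, keep } as sorted arrays of role names.
function reconcile(user, catalogue) {
  // Substantive and higher-duties positions are held at the same time, so the
  // wanted set is the union of both; when HD ends, only roles that no other
  // held position still justifies are removed.
  const held = [user.substantivePosition, ...(user.hdPositions || [])].filter(Boolean);
  const wanted = rolesForPositions(held, catalogue);

  // Only roles that are position-driven are ever removed; a role assigned
  // directly (not in the catalogue) is left alone by this process.
  const positionDriven = new Set(Object.keys(catalogue));
  const current = new Set(user.currentRoles || []);

  const add = [...wanted].filter((r) => !current.has(r)).sort();
  const remove = [...current].filter((r) => positionDriven.has(r) && !wanted.has(r)).sort();
  const keep = [...current].filter((r) => !remove.includes(r)).sort();
  return { add, remove, keep };
}

// Constructed sample user: substantive position 50001234, on HD at 50001235,
// still carrying a stale position-driven role and one directly assigned role.
const SAMPLE_USER = {
  substantivePosition: "50001234",
  hdPositions: ["50001235"],
  currentRoles: ["Z_FI_AP_CLERK", "Z_BASIS_ADMIN", "Z_CUSTOM_DIRECT"],
};

// Stand-alone run for the reader; the delta is what an IDM task would apply.
console.log(JSON.stringify(reconcile(SAMPLE_USER, ROLE_POSITIONS)));
```

The second scenario worth checking is the end of higher duties: drop 50001235 from `hdPositions` and `Z_HR_TEAM_LEAD` is removed while `Z_FI_GL_ACCT` stays, because the substantive position still carries it. Getting that case wrong is what strips a user of roles they are still entitled to.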

Former Member
0 Kudos

Thank you Peter for the quick response! Just to clarify though: if you were to go with option 1 and add these "position" (role) objects to users in the target ECC system, using the SAP provisioning framework and 7.2's sap_abap_getNameOfPendingPrivileges script, it would result in the associated roles / privs being directly assigned to the user in the target ECC system, unlike a role / priv assignment that would come from TCODE PO13, where instead of being a direct assignment it is an indirect assignment (or, as seen in the screenshot, "Assignment comes from HR organization management").

Peter / Matt, I have attached the screenshots taken from a user's profile in the target ECC system, to clearly show the two different possibilities for a role / priv assignment in the ECC target system, through the Roles tab of SU01: DIRECT & INDIRECT.

Looking at the first screenshot (DirectAssignment.png), it can be seen that a standard role assigned to the user via SU01 (standard IDM role provisioning will also assign the role / priv to a user in this manner) shows up as a direct assignment ("=" symbol).

Instead, when looking at the second screenshot (IndirectAssignment.png), for a role that is assigned to the user not via SU01 but via TCODE PO13, the role, rather than being directly assigned to the user, is inherited / indirectly assigned to the user by way of assigning a position to the user in TCODE PO13 (in SU01 it shows up with a symbol of a person instead of the "=" symbol).

An overview of the user's SU01 Roles tab can be seen in the third screenshot (overview.png), where the 2 different types of assignments can be clearly seen in the "Indirect" column, highlighted in red.

How can IDM 7.2 be used to provision a role / priv in this second manner, so that it does NOT show up as a direct assignment in SU01, but is seen as "Assignment comes from HR organization management"?

Thanks a ton for your help so far!

Best regards,

Sandeep

Former Member
0 Kudos

As far as I know this is not possible with the SAP JCo provisioning API but I haven't checked the latest API documentation.

If you know what table / field TCODE PO13 will maintain you might find something in the API, or

You may have to create a custom BAPI and call this via JCo API.

I have no clue about how SAP NW IDM connectors connect to SAP ABAP user stores but from other Java based IDM tools I know they use JCo.

Former Member
0 Kudos

Ah, I see what you mean. I don't think this is possible without custom writing something. As far as I know, IDM directly assigns things to the user in the backend. It's only within IDM that you can get fancy about the assignments. A custom BAPI would probably do the job but that's a lot of effort, so make sure that the business requirement is worth it. Much easier to get the business to change I think...

Peter

Former Member
0 Kudos

Thank you Thomas & Peter! Yes, as you both have said, I suppose custom development is the only way to achieve this! Thank you for the helpful advice and insight!

Best regards,
Sandeep

Answers (1)


former_member2987
Active Contributor
0 Kudos

Sandeep,

Can't seem to view the image.  Can you give a description of what you mean by indirect?

Thanks,

Matt