Former Member
Jul 16, 2015 at 05:48 PM

Help needed for SAP Security design for a project.


Hello Experts!

I am reaching out to this forum in the hope of getting some help/input from you guys to finalize the correct role structure for a company.

Right now they have 10% of their business on SAP and the rest on legacy. Now they have started implementing SAP for the remaining 90% of the business.

In their current production system they have assigned one Composite Role to one position, with a single enabler role to control the organizational level.

So, basically, they have removed all organizational level objects from the other single roles which they have assigned to composite roles.

And they have added all org. level values to one single role with no activity (01, 02, 03, etc.) in it.

Based on experience, I generally design a Composite – Master – Derived role structure, and it has worked correctly for multiple projects in all business types (Pharma, Fin, etc.).

To let you know, I have implemented an enabler role for the FICO area (only) in one of my previous projects and faced several issues after go-live.

I have proposed the Composite – Master – Derived role structure to management, but they are not ready to increase their Composite roles, as non-SAP people are doing user/role provisioning here and they are afraid that there could be more chances of error if SAP security creates any complex structure.
So, to make it easy, they have one role (composite) to one position, with one Profit center role (Org. level role).

E.g., a General Manager (position) is assigned one General Manager composite role with his location, so he has access only to his location. However, when anyone else joins a similar position (GM) in the company, it's easy for them to provision the user/role. This makes it easy for the managing team to assign roles without struggling to find the correct role for every new joinee; instead they just check the position (e.g., GM), take the corresponding composite role with his/her location from HR, and assign it.

So my concern is: is there any other, better structure that I could propose to them without increasing the number of composite roles?

In case the enabler role is the only solution here, what could be the pros and cons, and what kind of major precautions should I take while implementing it?

Thanks a lot in advance!