Skip to Content
author's profile photo Former Member
Former Member

Using Position Based Security with BI

Hi

Has anyone been involved in an implementation where you can assign BI roles to Positions (organisational structure maintained in R/3). If so, what configuration is involved?

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

3 Answers

  • author's profile photo Former Member
    Former Member
    Posted on Apr 10, 2008 at 11:15 AM

    Hi,

    After replying I realised that this may not be answering your question exactly, but it is the approach that I would adopt.

    Not sure if it feasible for your landscape but I would use a CUA for this approach - in long run I find it to be a good approach especially if you are adding more SAP appllications to your landscape.

    Firstly, set-up ALE for the org structure from R/3 to your CUA client.

    I would then create composite roles in the CUA client, which include roles for both R/3 and BI. These would then be assigned to the positions in the HR Org structure.

    To create the composite roles, read roles into your CUA client via RFC - note that this is not the text comparison for CUA, but reading roles from other systems via RFC through PFCG. Once you read the roles in you will notice that the RFC destination is maintained in the menu tab of roles that have been imported. Then when you create the composite roles containing R/3 and BI roles you will see that the target system is maintained. If you use the variable mentioned below, it achieves the same thing but makes future maintenance easier.

    Creating the composite roles does mean additional maintenance upfront, but before you begin I would make use of the table SSM_RFC. Through this you could assign a variable to a RFC destination, you can use the same variable name in DEV, QA & PRD but have different RFC destinations allocated. This means that you can transport roles from the DEV CUA to PRD CUA without having to maintain the roles.

    In CUA you would need to set the role distribution properties to global in transaction SCUM.

    When you assign a composite role to either a user in CUA you will notice that it will complete all the system assignments as defined in your composite role. If you allocate to a position, then it would do the same thing provided the the IT105 is maintained for the employee and position assignment is valid - once you run the user compare it will update the user master and distribute.

    I hope that provides you will some ideas.....

    Regards

    Edited by: S Morar on Apr 10, 2008 1:23 PM

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi Morar,

      Your information is very helpful. Regarding the position based security(PBS) which is the best way to deal with the contractors since they are not assinged to any postion.

      Do we need to create a seperate positon for them ( which is not generally accepted by business) or do we need to assign the roles to them directly.

      Thanks.

  • Posted on Apr 11, 2008 at 09:17 PM

    1. ALE setup- Create Distribution model and define filters in ECC(HR/sending systems), Receiving should be BI systems ( Non HR systems) using BD64.

    2. Distribute model from ECC to BI using BD64.

    3. Initial load Transfer from ECC to BI, First “O” and then “S” send IDOCs using PFAL or run program RHALEINI using SA38 in ECC.

    4. Send delta change to update org structure using BD21 put in background job to run every 2hrs in ECC to update org struckture in BI.

    5. Personnel no and user id must be tide with info types 0105/0001 using PA30 in ECC (PA team are resposible)

    6. Assigned role to position using po13 or pp02 with relationship B007 in BI systems.

    7. Run PFUD select option with Replicate local HR assignment in to CUA for update CUA (Schedule in background job in night)

    Here is the helful link

    http://help.sap.com/saphelp_47x200/helpdata/en/8b/3c713eeaac5441e10000000a114084/frameset.htm

    Edited by: Farukh on Apr 11, 2008 11:41 PM

    Edited by: Farukh on Apr 11, 2008 11:48 PM

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Apr 13, 2008 at 11:58 PM

    Some replies have been quiet useful. However, if the Org Structure is ALE'd to the CUA client which would be our Solution Manager system, how will this impact structural profiles and the use of ESS/MSS. Can structural profiles be RFC'd as well since they are also assigned to positions within the org structure?

    You also mentioned creating "composite" roles in the CUA client? What happens if you have already created composite roles in the R/3 system?

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi,

      With regards to the structural auths - these would always have to be assigned in the child systems where it is required. As far as I'm aware CUA cannot handle the distributed assignment of structural auth to position, without some considerable effort.

      I'm guessing that you would like to RFC your structural assignments to make use of these restrictions in BI, if so then that is not going to help you. Structural auth implementation for BI involves the transfer of your index table (T77UU) from R/3 to BI. Take a look at this link for more info, it is an old document but will give you some background:

      https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.highlightedcontent?documenturi=%2flibrary%2fbusiness-intelligence%2fa-c%2fbw_hrAuthorization-ASAPforBWAccelerator

      I don't see this having any impact on MSS/ESS - you are only using the org structure to handle role assignments to position, so it would not replace the org management and structural restrictions in your child system.

      If you have composites already in your R/3 client, then I don't see how you could avoid recreating the composites on the CUA client - I'm pretty sure that you cannot read compsites into your CUA client via RFC.

      Regards

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.