
Managing Large number of roles in Utilities Project


Dear Experts,

We are in a utilities (Electricity) project and, as per project demands, we need to do mass creation and changes of security roles, which would be approx. 29,000 roles, where we need to maintain the business area or RSGs so that, for example, a Revenue Accountant of RSG-A will not be able to see/modify or create RSG-B.

There are around 490 RSGs (business areas) divided into 5 zones (viz. West, Central, North, Border, South). Initially we created 58 roles for 1 RSG with the t-codes received from the respective departments and handed them over to the team for testing and for maintaining the authorization issues as and when they occurred during testing.

Now our concern is:

1. Is there really a need to create this many security roles?

2. How can we reduce such a large number of roles, maintenance of which would be a huge task after go-live? If yes, what should be the strategy and further planning to adopt and go with?

3. How can we automate this role creation, if we need to create them, so that the business area will be maintained in such a manner that RSG-A will not have any type of access to RSG-B?

Thanks!!

Best Regards,

Gunveen

1 REPLY

mvoros
Active Contributor

Hi,

There is one approach called something like split roles. It has advantages as well as disadvantages. The idea is that you split roles into two types: the first has only authorization to execute transactions but no authorizations for any other objects. The second type has authorizations for all other objects for the corresponding business unit. So in your case you would have 50 roles of the first type and 500 roles of the second type. One of the disadvantages is that you can't do things like a user being an accountant in division A and a warehouse manager in division B, because the user would get roles of type 2 for both divisions and hence assigning a role of the first type gives him authorization to execute transactions for both divisions. Check the memorable discussions on this forum; it was discussed here. It has some additional disadvantages, like breaking compliance checks.

Cheers
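The trade-off described in the reply, as an added example that is not part of the original thread and not SAP code: a simplified Python model comparing one role per (job, RSG) with split roles, using the question's figures of 58 job roles and 490 RSGs. The role names, transaction codes and the `leaked_access` helper are constructed for illustration, and the model assumes access is simply the cross product of assigned transactions and assigned organisational values.

```python
# Simplified model of "split roles"; names and t-codes below are constructed samples.

# Type 1 roles: only the right to start transactions, no organisational values.
TCODE_ROLES = {
    "ACCOUNTANT": {"FB01", "FB03"},
    "WAREHOUSE_MGR": {"MIGO", "MB52"},
}

def role_counts(n_jobs, n_divisions):
    """Number of roles to maintain under each design."""
    return {"combined": n_jobs * n_divisions, "split": n_jobs + n_divisions}

def combined_access(assignments):
    """One role per (job, division): access is exactly the intended pairs."""
    return {(t, div) for job, div in assignments for t in TCODE_ROLES[job]}

def split_access(jobs, divisions):
    """Split roles are independent of each other, so the user ends up with
    every assigned transaction in every assigned division."""
    tcodes = set().union(*(TCODE_ROLES[j] for j in jobs))
    return {(t, d) for t in tcodes for d in divisions}

def leaked_access(assignments):
    """(t-code, division) pairs a user gains under split roles that were
    never intended by the business assignment."""
    jobs = {job for job, _ in assignments}
    divisions = {div for _, div in assignments}
    return split_access(jobs, divisions) - combined_access(assignments)

if __name__ == "__main__":
    print(role_counts(58, 490))
    # Accountant in RSG-A and warehouse manager in RSG-B, as in the reply.
    user = [("ACCOUNTANT", "RSG-A"), ("WAREHOUSE_MGR", "RSG-B")]
    for pair in sorted(leaked_access(user)):
        print("unintended:", pair)
```

A user with a single job in a single RSG shows no leakage in this model; the excess access appears only when one user holds different jobs in different RSGs, which is the case a segregation-of-duties review would need to check.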