Assigning Roles Indirectly

Objectives

After completing this lesson, you will be able to:
  • Outline organizational management authorizations
  • Outline user assignments
  • Compare user authorization assignments

Organizational Management Authorization Objects

Authorizations in Organizational Management

  • Problem:

    • Maintaining direct role assignments to users can be very time consuming for large implementations.

    • If users in the company change department or function, you have to adjust their authorizations.

  • Solution:

    • Create roles on the basis of organizational objects, for example positions in your company such as sales executive, accountant, administrative assistant, and so on.

    • Assign roles to your organizational plan. Users then inherit the authorizations according to their position in the organizational plan.

Indirect role assignment means that you do not assign the role to one or more users directly in transaction SU01, SU10, or PFCG. Instead, you link the role using Organizational Management to an organizational unit, job, position, and so on. This has the following advantages:

Replacement and Change

  • If you assign roles to individual users directly, you have to adjust this assignment each time an employee's responsibilities change.

  • If you base the assignment on positions, you do not have to adjust the agent assignment of roles.

Time-Dependent Planning for Reorganizations

  • SAP Organizational Management enables you to plan and activate the validity and assignment of organizational objects according to the time frame available. You must schedule the program for updating user master records to ensure the profiles can be added or deleted in accordance with the changes to the organizational plan.

Comparing the User Master

For users to be authorized to execute the transactions contained in the menu tree of their role, their user master record must contain the profile for the corresponding roles.

You can start the user compare from role maintenance (on the User tab page, choose User Compare). As a result of the comparison, the role and the generated profile are entered in the user master record.

Caution

Never enter generated profiles directly into the user master record (using transaction SU01, for example). During automatic user compare (by report PFCG_TIME_DEPENDENCY, for example), generated profiles are removed from user masters if they do not belong to the roles assigned to the user.

If you assign roles to users for a limited period of time only, you must perform a comparison at the beginning and at the end of the validity period. In such cases, it is recommended that you schedule the background job PFCG_TIME_DEPENDENCY.

User Assignment View of Authorizations

To be able to assign components to your organizational plan, you must call role maintenance (PFCG) by choosing Goto → Settings → Overall View.

Choose the Organizational Mgmt. button to go to the maintenance screen Role: Maintain Agent Assignment. The "indirect user assignments" that have already been maintained are displayed here.

When you are creating an assignment, if you select the agent type Position, you can assign users to a role using positions. One of the following prerequisites must be fulfilled:

  1. The position is related to a person (P) whose user is entered in infotype 0105 Communication.

    OR

  2. The position is related to a user (US).

You can define the following relationships by choosing Create assignment:

Role → Organizational unit/position/user/job/work center/person.

Indirect User Authorization Assignments

If you choose Indirect user assignment reconciliation, the system reconciles the positions and the users assigned. Users that were newly added are entered, and user assignments that are no longer current are deleted.

During the reconciliation process, the users assigned on the basis of positions are entered as "indirect user assignments" for the role.

Since assignments in Organizational Management are time-dependent, you must take this time dependency into account when you assign users. This occurs during the reconciliation process when the relationship period is copied from Organizational Management for the indirect user assignments.

The status display of the button Org.Management indicates whether or not you have to update the indirect user assignments:

  • Green:

    User assignments are up to date

  • Red:

    User assignments are not up to date; the indirectly assigned users are not displayed in full on the tab page

    If you run a user master compare (refer to the figure titled Compare Indirect User Assignment), the indirect user assignment is automatically reconciled. The same applies if you run the PFCG_TIME_DEPENDENCY report.

Compare the User Master

If you change the users assigned to the role or generate an appropriate authorization profile, you must compare the user masters (choose User compare). In this process, the system compares the authorization profiles with the user master records. This means that profiles that are no longer up-to-date are removed from the user master records, and the up-to-date profiles are entered in the user master records.

Compare User Master Records

You can specify a time limit when you assign roles to user master records. You cannot specify a time restriction for authorization profiles and their entries in the user master record.

To ensure that only the authorization profiles valid for a specific day are included in the user master record, you must perform a daily comparison. When you start report RHAUTUPD_NEW, a complete comparison of the user master records takes place for all roles. The authorizations in the user master records are updated. The profiles with invalid user assignments are removed from the user master record. The authorization profiles for valid user assignments for the role are entered.

There are two ways to run the comparison:

  1. If you run job PFCG_TIME_DEPENDENCY nightly as a background job, the authorization profiles in the user master record are up to date every morning (if the job runs without errors).

  2. Use transaction PFUD, User Master Data Reconciliation. As administrator, you should run the transaction regularly for control purposes. This gives you the opportunity to manually correct any errors that occurred in the background.

You can specify whether HR Organizational Management should be included in the reconciliation (Reconcile with HR Organizational Management).
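
The following added example is not SAP code and is not part of the original lesson. It is a simplified Python model of the daily comparison described above and of the Caution about directly entered generated profiles: it resolves indirect assignments through time-dependent position relationships and then reconciles the profiles in the user master. All role, position, user, and profile names are constructed, and the rule that non-generated profiles are left untouched is an assumption of the model.

```python
from datetime import date

# Constructed sample data; role, position, user and profile names are hypothetical.
ROLE_PROFILE = {"Z_SALES_EXEC": "T-SALES01", "Z_ACCOUNTANT": "T-ACCT01"}   # role -> generated profile
ROLE_POSITION = {"Z_SALES_EXEC": "POS_SALES", "Z_ACCOUNTANT": "POS_ACCT"}  # role -> position
FOREVER = date(9999, 12, 31)
# (position, user, valid_from, valid_to): relationship periods from the organizational plan
HOLDERS = [
    ("POS_SALES", "ALICE", date(2024, 1, 1), date(2024, 6, 30)),
    ("POS_ACCT", "ALICE", date(2024, 7, 1), FOREVER),
    ("POS_SALES", "BOB", date(2024, 7, 1), FOREVER),
]


def indirect_assignments(day):
    """Roles each user holds on `day` through a position (indirect assignment)."""
    roles = {}
    for role, position in ROLE_POSITION.items():
        for pos, user, valid_from, valid_to in HOLDERS:
            if pos == position and valid_from <= day <= valid_to:
                roles.setdefault(user, set()).add(role)
    return roles


def user_compare(user_master, day):
    """Return (updated user master, removed profiles per user) for `day`."""
    generated = set(ROLE_PROFILE.values())
    assigned = indirect_assignments(day)
    updated, removed = {}, {}
    for user in sorted(set(user_master) | set(assigned)):
        current = set(user_master.get(user, ()))
        wanted = {ROLE_PROFILE[r] for r in assigned.get(user, ())}
        # Generated profiles with no valid role assignment are removed;
        # this model leaves non-generated profiles untouched (assumption).
        stale = (current & generated) - wanted
        updated[user] = (current - stale) | wanted
        if stale:
            removed[user] = stale
    return updated, removed


if __name__ == "__main__":
    # BOB's T-ACCT01 stands for a generated profile entered directly in the user master.
    master = {"ALICE": {"T-SALES01"}, "BOB": {"T-ACCT01", "Z_MANUAL"}}
    for day in (date(2024, 6, 30), date(2024, 7, 1)):
        master, removed = user_compare(master, day)
        print(day, master, "removed:", removed)
```

Running the model for two consecutive days shows why the comparison must run at the validity boundary: on the first day only the directly entered profile is removed, and on the second day the position change moves the profiles between the two users.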

Compare User Authorization Assignments

Business Scenario

You want to simplify authorization administration by linking roles with objects in Organizational Management.