Position-based/User-based Role Manager - Background
The main focus for developing the Role Manager is the performance optimization. One of the main reasons is that the role generation is user-based instead of position-based. SAP decided to focus on this point as its solution will bring the most benefit.
Problem statement:
In the standard program the position is selected whereupon the program would find theForce Element to which the position belongs and then generate RM roles for every user in that structure (e.g. from the FE down depending on selected evaluation path). This can leadto very long run times and unnecessary repetitive work.
Solution Approach
- SAP took a copy of Role Manager and changed it accordingly.
- This minimized the needed support from the responsible Roleman team and offered D&S solution the chance to use the new API.
- This copy is a completely new and independent report called „Position-based Role Manager". The "classical" user-based Role Manager has not been changed.
- User-based Role Manager and Position-based Role Manager cannot be used in parallel as this would produce messy authorizations.
Key points
- New System: The new Role Manager creates roles based on positions, which makes it faster and avoids unnecessary work.
- Independent Reports: The Position-based Role Manager is a new, separate report and does not change the original User-based Role Manager.
- Parallel Use Restrictions: You can't use both the User-based and Position-based Role Managers at the same time. This prevents confusion and "messy authorizations."
So, it's like having two different tools for role management now: one that works with user data and one that works with position data.
Position-based Role Manager - Overview
- Roles are not maintained on User-Level but on Position- Level and inherited to the user with transaction PFUD.
- The Reference Role includes:
- Standard Authorization Objects w/wo Organizational Level
- Based on the Reference Role the position role is generated (red box). Users inherit the position role.
- You can either run User Role Assignment or Position Role Assignment (not both in parallel)
Technical Objects and Features
- Report
- DFS_AUTHPROF_GENERATOR
- Transaction
- DFS_AUTHPROF
- Package
- IS_S4DFS_COMMON
- Same „look and feel" as "classic" Role Manager
- Performance optimization (dependency of runtime mainly on size of organization and hardly on number of roles)
- Automatic start of transaction PFUD after running the Position-based Role Manager (optional)
- Customizing for changing evaluation paths
- TCode OOAW to generally create or maintain evaluation path
- TCode SM30 for View "DFS_VDFPSK100" to set used evaluation paths for the position based Role Manager
In summary, the new Role Manager aims to be user-friendly, efficient, and customizable, giving you control over how it evaluates roles within your organization.
User-based Role Manager - Technical Objects and Features
- Report
- /ISDFPS/ROLEMAN_UPDATE_USERS - Trigger Update User for user-based Role Manager
- Transaction
- -
- Package
- /ISDFPS/ROLEMAN
If you decide to use the user-based Role Manager keep the necessary activities above in mind.
Configuration
ATHPRFGN_ACTIVE:
When "X" is used:
- If you put the value "X" in the specified field, the Role Manager will work based on the position.
- This means the role management system will assign roles based on the positions people hold.
When the field is empty:
- If you leave the field empty, the Role Manager will work based on individual users.
- This means the role management system will assign roles based on specific users and their settings.
The other settings in this customizing table are only relevant to customize the way the position-based Role Manager is working.
