Developing a Security Structure

Objective

After completing this lesson, you will be able to develop a security structure in SAP Incentive Management using Business Units and Roles.

Business Unit and Role-Based Security

SAP Incentive Management uses a role-based security model, which allows users access to data based on their user login and password.

Management and access to data in the user interface is controlled using two types of security: Role-Based Security and Business Unit Security. For additional system security, audit logs are available to view and track edits by user, date and time of the change.

  • Users are individuals with permission to perform actions such as viewing or editing data, deleting records, or performing administrative tasks.
  • A role is a group of permission settings that apply to all users assigned to that role. Assigned roles with pre-defined permissions make it easier for an administrator to control user access to data.
A diagram showing the association of users, roles and permissions.

Business Units

Business Units allow organizations to control access for specific departments, divisions, groups, or portions of an organization. Business Units are used to restrict user access to data, and to segregate compensation data for dashboards and analytics.

To learn more about Business Units and how they work, watch the following video:

Key points regarding Business Units:

  • Users can be assigned to multiple Business Units.
  • Elements that have no assigned Business Units are visible to all users.
  • Positions can only be assigned to a single Business Unit.
  • Security and Global data such as event types, unit types, and roles are not assigned to Business Units.
  • Calculations are not run in the context of a Business Unit. They can, however, be run by Position Group.
Role-Based Security

Access to view and manage data in the system is granted using a role-based security model that involves creating roles and granting permissions. Permissions represent the level of access to an object or the ability to perform a specified action. For example, a role may allow members to read create and edit records in the Participants workspace, but only read records in the Transactions workspace.

Permissions contain a number of Permission Sets that organize types of permissions into logical groups, making it easier to find a type of data. For example, a permission set called Organization groups the Participants, Positions, Titles, Roll Types, and Position Groups.

Exercise: Create a Role and Assign a User

Business Example

In this exercise, you will create a role that will grant permissions to our compensation team members. You will also create a new user and assign them to the role.

ExerciseStart Exercise

Steps

  1. Create a role called Comp Admins that allows access to Organization and Plan data.

    1. From the Manage Setup tile, click SecurityRoles.

      The Manage Setup tile, with the Security menu and Roles selection highlighted.

    2. Select the Create (+) icon on the toolbar.

    3. Enter the name Comp Admins.

    4. Select the Permissions tab.

    5. Select the Organization permission set.

      The Customization workspace, with the Organization permission set highlighted and the Update boxes checked for Participants, Positions and Titles.

    6. Using the checkboxes, allow Update for Participants, Positions, and Titles.

    7. Select the Plan permission set.

    8. Using the checkboxes, allow Create for all objects.

    9. Choose Create to save the role.

  2. Create a user named Paula Wolf and assign her to the new role. Give her full access to the BikesInMotion Business Unit.

    1. Return to the Home Page.

    2. Select SecurityUsers.

    3. Select Create (+).

    4. Enter the following information for the new user:

      User ID:paula.wolf
      Full Name:Paula Wolf
      Read Only Business Units:Any Business Unit
      Full Access Business Units:BikesInMotion

    5. Set Paula's role to Comp Admin and select Associated Roles.

    6. Select Comp Admins from the dropdown list, then choose Create.

Summary

  • SAP Incentive Management uses a role-based security model.
  • For additional system security, audit logs view and track edits by user, date and time of the change.
  • Business Units restrict user access to data, segregating compensation data for specific departments or groups.

Learning

SAP FacebookSAP YoutubeSAP LinkedIn