Conquer Context Problems in HR Security
- by A.J. Whalen, SAP Marketing Director, Velocity Technology Solutions
- May 15, 2004
When the same HR user is in charge of multiple tasks, conflict problems can occur on the subject of how much authorization to grant the user. The author compares the technical differences between general and structural authorization and how to optimize their usage. He also describes SAP's context-sensitive authorization functionality in R/3 Enterprise Release 4.70.
The changing business climate and restructuring of workforce responsibilities mean that some users are asked to assume more than one role in their organization. Their day-to-day duties might mean they “wear many hats,” each with its own particular needs and restrictions from a business software security standpoint.
It is not uncommon to find SAP users who have more than one functional role and whose security needs are more complex than the traditional single-role user. For example, a user with multiple functional roles may need to view certain HR master data for one organizational unit, but also maintain read/write access to that same data for a separate unit. Designing SAP security roles to meet the demands of these multi-functional users is not always as simple as it sounds.
Traditionally, the design of SAP security roles has closely mirrored functional job duties for many customers. In a role-based design, the transactions, authorization levels, and organizational restrictions built into security objects reflect the day-to-day job duties of the person holding the role. This is true whether the overall security concept includes only general roles or also includes structural security profiles. For some, the addition of structural security to limit a user’s view of the organizational structure provides a level of detail in their security that is required to fully use R/3’s growing functionality.
Would you like to see this full item?