How to Set Up and Implement User Defaults in SAP Access Control 10.0

  • by Kehinde Eseyin, Security Architect
  • April 9, 2013
Learn how to configure user defaults functionality in SAP Access Control 10.0 to drive automatic assignment of values to user master data based on specific request attributes.
Key Concept
A user defaults business rule can be used to define the default entries automatically maintained for a user master record based on defined attributes and conditions in a Business Rule Framework plus application. The user default assignment is performed on successful approval of an access request and just before provisioning occurs in the target system. The attributes for the user default are mostly values available in transaction code SU01 (user maintenance). Additionally, you can maintain user group assignment and parameter IDs to be provisioned by default based on a defined business rule.

A typical business environment needs to maintain default values for specific users based on clear-cut reasons such as operational responsibility or organizational structure. For example, in the SAP Advanced Planner & Optimizer (SAP APO) system where the time zone is critical for production planning activities, you can use user defaults to drive the automatic assignment of a time zone based on a user’s physical location. The system allows you to automate the assignment of a user default to users at the point of access provisioning using business rules defined in Business Rule Framework plus (BRFplus).

This capability adds control to access provisioning, saves time in maintaining numerous master records, and makes the assignment of transaction code SU01-specific values less error-prone. The user defaults are normally associated with user details that exist in transaction code SU01 (user maintenance). A number of fields in the user master data can benefit from user default assignment.

Figure 1 diagrams the behavior of the business logic on which the user default functionality is based. It shows that user default fields (which exist as fields in transaction code SU01) should be provisioned for an access request when the location and system are defined as LAGOS and GECCLNT800, respectively. In the same vein, when the location and system are defined as LONDON and GECCLNT800, respectively, the corresponding user defaults need to be provisioned. For example, the time zone in the former scenario is WAT and the time zone in the latter scenario is GMTUK. This assignment is provisioned in the target system (for example, SAP APO) by the access request management functionality of the SAP Access Control 10.0 system.

Figure 1: The user default access control application business rule

I discuss the capability of the User Default Business Rule and describe the following processes:

  • Maintain user defaults master data
  • Maintain actions for request types
  • Maintain the BRFplus function ID and access control application mapping
  • Configure BRFplus logic for a user defaults business rule
  • Simulate a business scenario

Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.
