KNUZEN   SAP HCM SECURITY
Identity Management must be based on SAP HCM

Identity management for the users in SAP systems can with benefit be based on all the attributes we hold on our employees in SAP HCM.
Identify employees from the organisational assignment and use it for Identity Management and ABAC-based security concepts.

When users are granted roles, you can easily separate out the roles a user should have because he or she fulfils certain criteria based on the organisational assignment, such as belonging to a specific part of the organisation, being a manager, or having been hired into a position described by a certain job type. Those roles do not need to be approved, since the approval for granting them is built into the organisational assignment of the employee or manager.

If you are hired as an employee in a finance department, the security department could set up rules under which you are granted the Employee Self Service role, so that from day one you have access to travel expenses, time registration, who is who, Course Catalogue, Competence Development and similar functions. As a manager you can automatically be granted access to Manager Self Service, where BI reports for your own organisation, travel approval, time approval and invoice handling could be some of the tasks you must handle in your position as manager.

This automatic granting of roles, which should be part of every employee induction process, benefits your company because you can easily introduce new employees and make them familiar with the work they must perform. To automate the induction process you have to use the attributes registered on the employees. All you need is to grab the organisational assignment of your employees, such as personnel area ("site"), employee subgroup ("salaried or hourly employee") and the job assigned to the employee's position (such as "controller" or "secretary").

Screenshot: the user inherits the PFCG and the BIZ role from the organisational structure in CRM. This assignment grants the user access and also keeps the system clean, since the user gets the role removed when he or she moves position.
The advantage of using the most common dimensions on the employee is that they are more reliable than dimensions created for identity management only. If you as the security organisation can reach a mutual agreement with the HR function on how the global job catalogue should be structured, so that it benefits both competence development and the operational granting of roles to your employees, you will have a dimension which is controlled from two sides and handled by personnel administrators in the organisation.

Table for identity management services based on the ABAC principle.

When data is maintained on employees, it is a benefit for your organisation that only one part of the organisation, such as HR, is responsible for the data. If you split the ownership of data between different departments, the risk of messy master data increases. Once the hiring process has been handled, make sure the termination and organisational reassignment processes are handled as well; otherwise you will have to clean up the users' role assignments manually.

When you want to identify the users' access rights, don't narrow your IdM tool to rely on one or two dimensions. The real world is far more complicated, and your IdM tool must therefore reflect the complexity of your business. The more dimensions you decide to use in IdM, the more flexibility you will have for identifying users' specific needs. The solution we deliver is based on ABAC, attribute-based access control. This principle is far more flexible than RBAC, role-based access control. You can also work with a hybrid where you use larger components for access control, such as business roles.

When you decide on the structure for SAP HCM, you must therefore remember to include the security consultant, so the need for business control can be identified at the same time as the reporting and functional needs are defined. Please see the page related to enterprise structures: Enterprise_Structures_for_SAP_HCM.
Empl. SubGroup: Salary/Hourly
Personnel SubArea: Functional Area
Personnel Area: Location
Mgr. Position: Manager access rights
Job/Job Family: Responsibility
Organisational Assignment
Country assignment
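
The rule-driven granting and removal of roles described above, sketched as an added example (not KNUZEN's or SAP's own code): roles are derived from the organisational-assignment attributes, and a reconcile step yields what to grant and what to revoke on hire, reassignment and termination. The role names, the personnel area DK01 and the rule set are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OrgAssignment:
    """Constructed stand-in for the HR attributes listed on this page."""
    personnel_area: str      # location / site
    employee_subgroup: str   # "salaried" or "hourly"
    job: str                 # job from the global job catalogue
    is_manager: bool         # holds a manager position


# Hypothetical rules: (attribute conditions, role). All conditions of a rule
# must match; an empty condition set applies to every active employee.
RULES = [
    ({}, "Z_ESS_EMPLOYEE"),
    ({"is_manager": True}, "Z_MSS_MANAGER"),
    ({"job": "controller", "employee_subgroup": "salaried"}, "Z_FI_CONTROLLER"),
    ({"personnel_area": "DK01", "job": "secretary"}, "Z_DK_SECRETARY"),
]
RULE_MANAGED = {role for _, role in RULES}


def derive_roles(assignment: Optional[OrgAssignment]) -> set:
    """Roles implied by the organisational assignment; none once terminated."""
    if assignment is None:
        return set()
    return {role for cond, role in RULES
            if all(getattr(assignment, k) == v for k, v in cond.items())}


def reconcile(current_roles: set, assignment: Optional[OrgAssignment]):
    """Return (grant, revoke) so rule-managed roles follow the HR record.

    Roles outside RULE_MANAGED were approved by another route and are
    never revoked here.
    """
    target = derive_roles(assignment)
    grant = target - current_roles
    revoke = (current_roles & RULE_MANAGED) - target
    return grant, revoke
```

Running `reconcile` on every change to the organisational assignment covers the hire, reassignment and termination cases with the same rule set, so a role granted by a rule is also removed by it.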