The concept of Master, Derived and Composite Roles

SAP roles can be constructed with the use of master/template roles and derived roles, where you distinguish between "what you can" and "where you can".

The use of master and derived roles for SAP security is one of the most used concepts. This is known as RBAC: role-based access control.

Master roles (What can I do)
A master role, also known as a template, is a collection of tasks which are executed according to a process. The role is a group of tasks which must be conducted to execute the process. The master role does not contain any information regarding organizational assignment: it tells you what you are supposed to do, but not where. The master role in SAP HCM contains information about object types, infotypes and transactions.

Derived roles (Where I can do it)
A derived role is based on the master role and inherits all the "what I can do's". The derived role also tells you where you are supposed to do what. Derived roles are organizationally dependent. Derived roles are the building bricks for our composite roles.

Structural authorizations
Structural authorizations are additional authorizations which allow you to maintain/see employees in a certain part of the organizational structure. If you use the P_ORGINCON authorization object, the structural authorizations are integrated with the derived roles, so we can specify where according to the organisation (unless you are using the old P_ORGIN authorization object).

Composite roles
The composite roles represent the business roles and can contain several derived and single roles, which together secure a user's access to the system according to the business process. When you use composite roles, these are the roles you assign to the end user. You can also assign single roles to end users, but if you have chosen to use composite roles then be loyal to the concept across all systems and not only in one system.

The disadvantage of the RBAC method is the number of roles it generates. For medium companies with 20.000 employees we have examples of a role landscape with 34.000 roles. On HR alone there were 1500 roles. When the HR roles were transferred to an ABAC-based methodology we reduced the number to 173 roles, and out of these roles only 34 were selectable by the end users. ABAC is the future for security since it also stays clean.
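
The master/derived/composite relationship described above, as an added Python example that is not code from the original page or from SAP. It is a simplified model that evaluates each derived role on its own, which is not how an SAP system combines a user's authorizations. The role names and personnel areas are constructed; PA20/PA30 and infotypes 0001/0002 stand in for a master role's transactions and infotypes.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class MasterRole:
    """'What can I do': tasks only, no organizational values."""
    name: str
    transactions: frozenset
    infotypes: frozenset

@dataclass(frozen=True)
class DerivedRole:
    """'Where can I do it': inherits the master and adds the org value."""
    master: MasterRole
    personnel_area: str

    @property
    def name(self):
        return f"{self.master.name}_{self.personnel_area}"

    def allows(self, tcode, infotype, personnel_area):
        return (tcode in self.master.transactions
                and infotype in self.master.infotypes
                and personnel_area == self.personnel_area)

@dataclass(frozen=True)
class CompositeRole:
    """Business role: the bundle of derived roles assigned to the end user."""
    name: str
    members: tuple

    def allows(self, tcode, infotype, personnel_area):
        return any(r.allows(tcode, infotype, personnel_area) for r in self.members)

def derive_all(masters, personnel_areas):
    """One derived role per (master, org unit): the source of role growth."""
    return {(m.name, a): DerivedRole(m, a) for m, a in product(masters, personnel_areas)}

# Constructed sample data (role names and personnel areas are hypothetical).
DISPLAY = MasterRole("Z_HR_DISPLAY", frozenset({"PA20"}), frozenset({"0001", "0002"}))
MAINTAIN = MasterRole("Z_HR_MAINTAIN", frozenset({"PA30"}), frozenset({"0002"}))
AREAS = ["DK01", "DK02", "SE01"]
DERIVED = derive_all([DISPLAY, MAINTAIN], AREAS)
HR_ADMIN_DK01 = CompositeRole("Z_C_HR_ADMIN_DK01", (
    DERIVED["Z_HR_DISPLAY", "DK01"], DERIVED["Z_HR_MAINTAIN", "DK01"],
    DERIVED["Z_HR_DISPLAY", "DK02"]))

if __name__ == "__main__":
    print(len(DERIVED), "derived roles from 2 master roles x 3 personnel areas")
    print(HR_ADMIN_DK01.allows("PA30", "0002", "DK02"))  # display-only area
```

Every new master role or personnel area multiplies the number of derived roles, which is the growth in role count the text describes as the disadvantage of the method.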