TORC: The OneRoleConcept based on ABAC: Attribute Based Access Control. Simplicity. Transparency. Flexibility.
Overview.

TORC: The OneRoleConcept for SAP HCM must secure authorizations for every part of the landscape where HCM data is used, not the SAP HCM system alone. Business users normally access a variety of systems for their daily tasks: the Portal, Business Intelligence, the Employee Interaction Center, E-Recruiting, the ERP system and the kernel, the SAP HCM system itself. The OneRoleConcept covers them all. To keep the concept holistic you must provide an easy way of requesting access or, better still, automatic role assignment based on the user's organizational attributes. The semi-automatic way is to assign roles based on a user request through GRC CUP or another request-based tool for roles. The roles that can be requested should be pure business roles aligned with the business processes, so that one request gives the user access to all systems needed for daily operations. From a business point of view a request for a user should be a single request for one business role, not an array of different system roles built on manually created relations or attributes in the organizational structure. The security concept must be centrally maintained by the business itself, and when roles are requested the request can be expressed in terms of business processes. This is how to keep it simple.

Simplicity.

Simplicity was one of the first aims of TORC: The OneRoleConcept. We must always focus on simplicity when setting up a security concept for a company: the concept must be as simple as possible, with as few roles as possible, and aligned with the business processes. If the business does not understand the roles or what they mean, you end up with a security concept that is not aligned with the business. To simplify the authorization and security set-up you can use the OneRoleConcept, which grants one SAP role per business role. The business role defines what you can do, not where you can do it.

The organizational assignment of the user determines where the user is allowed to operate. A user with the role HCM_SSC_TIER1_GENERALIST in Krakow, Poland can thus have access to all European employees, while a user assigned the same role in the US has access to all employees in the US and Canada. This is possible because we use the ABAC principle (Attribute Based Access Control). The OneRoleConcept is based on organizational and functional roles in order to keep the number of roles to a minimum. For one of our global customers, with sites on all continents including 6 service centers, we reduced the number of roles from 1500 to 150, and of those only 35 could be requested by the business. The number of roles is crucial for simplicity, and to keep that focus we even arranged for each transaction to be presented in one functional role only. This helps the support organization when searching for the roles of a user, and compliance when checking the roles.

Transparency.

A well implemented security concept must be picked up by the business itself, and the OneRoleConcept involves the business not only during the implementation but also in the operational work afterwards. It makes security less IT dependent and anchors it in the business where it belongs. The business is responsible for the rule set that determines which access users should have. The rule set is structured around the global business processes and the business process roles needed for running human resources in your company.

GRC compliant.

The OneRoleConcept is aligned with SAP's GRC products. The focus on simplicity and fewer roles makes GRC easier to operate: the rule set is easier to handle with fewer roles, and requesting new roles through CUP becomes user friendly.

The automatic assignment of roles based on the OneRoleConcept.

The OneRoleConcept gives your business the opportunity to assign roles to users automatically based on the user's organizational assignment. Automatic assignment and delimitation of roles is based on attributes from the employee's organizational assignment, and for the main business process roles the role assignment is determined automatically. With attribute based access control the role assignment is driven by a rule set for identity management; this is far more flexible than RBAC (role based access control). The organizational structure and other details of the employees determine the role assignment, so users do not have to request their roles but are assigned them automatically. Roles are assigned when the employee enters the organization and removed when the employee leaves his or her position in the department. This has an impact on the clean-up activities that many companies schedule for their user administration: with the OneRoleConcept the clean-up of role assignments is continuous, so scheduled clean-ups are no longer necessary for these roles.

RCAT: RootCauseAnalysisTool.

The tools that bring a rookie supporter to the level of a senior SAP HCM consultant. In a general user administration you do not have time to train your personnel as specialists, and the most common set-up for user administration is generalists with a broad knowledge of SAP security. To help the personnel in such departments I have developed a set of tools known as the RootCause Analysis Tools (RCAT), which analyse several possible issues you can have with SAP HCM, EIC or E-REC authorizations and display them in a logical overview. The tool is called an error tracer and checks a user ID and the user's related data that can have an impact on authorizations. All you have to do is enter the user ID and the employee number the user has an issue with.
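As an added illustration (not code from KNUZEN or from the product), here is a minimal model of the ABAC rule set described above: the business role decides what a user may do, the site attribute from the organizational assignment decides which employees are within reach, and role assignment is re-derived from the org assignment so that roles disappear as soon as an employee leaves a position. All site, org unit, action and role names other than HCM_SSC_TIER1_GENERALIST are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample rule set (not the product's own tables or names).
# Site attribute -> countries whose employees that site may handle ("where").
SITE_SCOPE = {
    "Krakow": {"PL", "DE", "FR", "UK"},   # European service center
    "Chicago": {"US", "CA"},              # North American service center
}
# Org unit attribute -> business roles granted automatically, never requested.
ORG_UNIT_ROLES = {
    "SSC_TIER1": {"HCM_SSC_TIER1_GENERALIST"},
    "PAYROLL": {"HCM_PAYROLL_SPECIALIST"},
}
# Business role -> permitted actions ("what"), identical at every site.
ROLE_ACTIONS = {
    "HCM_SSC_TIER1_GENERALIST": {"display_master_data", "change_address"},
    "HCM_PAYROLL_SPECIALIST": {"display_master_data", "run_payroll"},
}

@dataclass
class User:
    user_id: str
    site: str
    org_unit: Optional[str]   # None: the employee has left the organization

def derive_roles(user: User) -> set:
    """Roles follow from the org assignment attribute; leavers get none."""
    if user.org_unit is None:
        return set()
    return set(ORG_UNIT_ROLES.get(user.org_unit, ()))

def sync_assignments(user: User, assigned: set) -> tuple:
    """Continuous clean-up: returns (roles to add, roles to remove)."""
    target = derive_roles(user)
    return target - assigned, assigned - target

def can_access(user: User, action: str, employee_country: str) -> bool:
    """Same role, different site -> different employee population in reach."""
    allowed = set().union(*(ROLE_ACTIONS[r] for r in derive_roles(user)))
    return action in allowed and employee_country in SITE_SCOPE.get(user.site, set())
```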