Indirect Role Assignment Using Organizational Management (OM)

Use

The employees or users require appropriate authorizations to perform their tasks. As the authorization administrator, you can assign the roles required for this (single and/or composite roles) directly using transactions SU01, SU10, and PFCG or indirectly using the organizational management model.

If the employee holding a position changes, you do not need to assign the role to the new employee again; you only need to assign the position. In this way, the new employee automatically receives the roles assigned indirectly through the position.

If an employee changes position, the personnel administrator assigns a new position to the employee. This means that the employee loses the authorizations that belonged to his or her old position, and receives the authorizations for his or her new position.

Process Flow

There must be a maintained OM model in your company for you to be able to assign roles indirectly as the authorization administrator. The employees or users are each assigned to a position that combines their activities. You can assign authorizations in the form of roles to any OM object types.

Task Areas of the HR Department and of the User Administrator

The user master comparison (transaction PFUD) evaluates these indirect role assignments and automatically assigns the authorizations to the users. This means that you, as the authorization administrator, develop activity-specific roles. These roles are then assigned to positions, jobs, work centers, or superordinate organizational units.

Note

If a role is assigned to a very large number of users through your link in the OM model, it is better for the performance of the user master comparison to assign this role to the users directly using user maintenance (such as transaction SU10).

To create the direct role assignment, the user master comparison uses the rules contained in evaluation path US_ACTGR (table T77AW) to link the role with the employee or user. The rules describe how the user is determined, starting from the role, using the OM model links.

The evaluation path is delivered with default values; that is, you need to modify it to suit your requirements. As you can assign the role to any object type, you must adjust the evaluation path so that the direct assignment of the role to the user can be created during the user comparison. As soon as a valid evaluation path is available, you can assign the roles to the OM object types. This means that a user assigned to a position automatically receives the roles defined for the position. For more information about maintaining evaluation paths, see Maintaining Evaluation Paths.

You can use organizational management to assign single and composite roles with and without the use of Central User Administration in accordance with the rules of the composite roles resolution. However, this is a local assignment; that is, the role must exist in the system in which it is to be assigned.

Prerequisites
  • You have defined an active plan variant in the current client.
  • The infotype 0105 is maintained in the HR system, so that the connection between the employee and the user ID can be created.
  • The Customizing switch HR_ORG_ACTIVE in table PRGN_CUST is set to YES to activate the organizational management for role administration.
  • The evaluation path US_ACTGR (table T77AW) is adjusted.
  • You have shown the Org. Management button (transaction PFCG → Goto → Settings → Complete View).
Examples

Example 1

In our first example, the employees (P) are assigned the positions (S) in the HR system. This is the usual structure of an OM model, although you can also link users directly with the position, without using the object type P. The user ID (US) of the user is stored using the infotype 0105. At the same time, the role (AG) is also assigned to the position. From this indirect role assignment, the user master comparison generates the direct role assignment to the user. See the following graphic.

OM Model with the Organizational Object Type Employee

Evaluation Path US_ACTGR in Table T77AW with Organizational Object Type Employee

Seq. Number | Object | Specification of the Linkage | Linkage | Priority | Type of the Linked Object
40          | AG     | A                            | 007     | *        | S
50          | AG     | A                            | 007     | *        | US
70          | P      | B                            | 208     | *        | US
110         | S      | A                            | 008     | *        | P

Explanations for the Evaluation Path

The evaluation path allows you to specify the connection between the role and user. Starting from the role, the user master comparison (transaction PFUD) reaches the associated position at sequence number 40. The connection between the position and the employee is described with sequence number 110. Sequence number 70 then describes the connection between employee and user. This corresponds to Infotype 0105. The result is the direct connection between the role and the determined user; that is, the role assignment. Sequence number 50 also displays the direct role assignments in role maintenance using the Org. Management button.

Example 2

Our second example describes a system in which the organizational object type Employee either does not exist or is not used. This structure usually arises when you are copying the OM model from an HR system to an SAP NetWeaver AS, which does not recognize the organizational object type Employee. Therefore, in this case, the user is assigned to the position, to which in turn the role is assigned. See the following graphic.

OM Model without the Organizational Object Type Employee

The evaluation path for systems with the organizational object type Employee therefore differs from the path for systems without this object type. The evaluation path for a structure without this object type is in the table below.

Evaluation Path US_ACTGR in Table T77AW without Organizational Object Type Employee

Seq. Number | Object | Specification of the Linkage | Linkage | Priority | Type of the Linked Object
40          | AG     | A                            | 007     | *        | S
50          | AG     | A                            | 007     | *        | US
110         | S      | A                            | 008     | *        | US

Explanations for the Evaluation Path

This evaluation path is different from the previous path in only one way: the object type P is not used. The connection between the position and the employee is therefore created directly with sequence number 110.
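
The following sketch is an added example, not SAP code and not how transaction PFUD is implemented. It walks the two evaluation paths from the tables above over a small constructed set of OM links and returns the users who end up with the role, together with the chain that grants it. The role name, object IDs, and user IDs are constructed, the priority column is ignored, and infotype 0105 is modeled as a plain P-to-US link.

```python
from collections import deque

# Evaluation path rows from the page's two tables (priority column "*" omitted):
# (seq. number, object, specification, linkage, type of the linked object)
PATH_WITH_P = [(40, "AG", "A", "007", "S"), (50, "AG", "A", "007", "US"),
               (70, "P", "B", "208", "US"), (110, "S", "A", "008", "P")]
PATH_WITHOUT_P = [(40, "AG", "A", "007", "S"), (50, "AG", "A", "007", "US"),
                  (110, "S", "A", "008", "US")]

# Constructed OM links: (object type, id, specification, linkage, linked type, linked id)
LINKS_WITH_P = [
    ("AG", "Z_AP_CLERK", "A", "007", "S", "50000001"),   # role on a position
    ("S", "50000001", "A", "008", "P", "00001000"),      # position holder
    ("P", "00001000", "B", "208", "US", "JDOE"),         # stands in for infotype 0105
    ("AG", "Z_AP_CLERK", "A", "007", "US", "ASMITH"),    # role linked to a user
    ("S", "50000002", "A", "008", "P", "00002000"),      # position without the role
    ("P", "00002000", "B", "208", "US", "BLEE"),
]
LINKS_WITHOUT_P = [
    ("AG", "Z_AP_CLERK", "A", "007", "S", "50000001"),
    ("S", "50000001", "A", "008", "US", "JDOE"),         # user sits on the position
]


def resolve_users(role, path, links):
    """Walk the path from role (AG) and return {user ID: chain of objects}."""
    start = ("AG", role)
    chains = {start: [start]}          # also serves as the visited set
    queue, users = deque([start]), {}
    while queue:
        obj_type, obj_id = obj = queue.popleft()
        for _seq, p_type, spec, rel, linked_type in sorted(path):
            if p_type != obj_type:
                continue
            for l_type, l_id, l_spec, l_rel, t_type, t_id in links:
                if (l_type, l_id, l_spec, l_rel, t_type) != (
                        obj_type, obj_id, spec, rel, linked_type):
                    continue
                target = (t_type, t_id)
                if target in chains:   # already reached; avoids loops
                    continue
                chains[target] = chains[obj] + [target]
                if t_type == "US":
                    users[t_id] = chains[target]
                else:
                    queue.append(target)
    return users


if __name__ == "__main__":
    for user, chain in resolve_users("Z_AP_CLERK", PATH_WITH_P, LINKS_WITH_P).items():
        print(user, " -> ".join(f"{t} {i}" for t, i in chain))
```

Running the path without P against the links that contain P returns only the directly linked user, which shows why the evaluation path has to match the structure of the OM model in the system.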

 

See also:

Organizational Management