Role Creation 
To create a role in Enterprise Role Management, you begin with a default methodology process. You can use this default methodology to select role attributes that were defined during configuration. Alternatively, you can define your own custom methodology in the configuration according to your organization's role management process requirements.
The Create Role screen displays the phases, or methodology process of role creation, and indicates each role phase by a colored arrow at the top of the page.
| Phase | Function |
|---|---|
| Definition | Use this phase to define and set general attributes for the role. |
| Define Authorization | Use this phase to define authorization data for the role by adding Transactions, Functions, and Authorization Objects to the role, along with maintaining the Org. Values. You display the Organizational Level fields in the role to maintain the Org. Values. |
| Derive Roles | Use this phase to create derived roles for different organizational levels based on the authorization data set for the master role. |
| Risk Analysis | Use this phase to perform preventative risk analysis for the role. Integration with the Risk Analysis and Remediation capability is required for this phase. |
| Approval | Use this phase for the role approval process with workflow. Integration with Compliant User Provisioning is required for this phase. |
| Role Generation | Use this phase to generate master and derived roles so that they show up in the connected backend systems. |
| Testing | Use this phase to document role test results and to store test result files. |
When you select Roles Create, the Create Role screen appears with the default role methodology phases. After you select new role attributes and save the role, the system determines the appropriate methodology, either the default methodology or alternate methodology, based on the condition groups set in configuration. Then, the appropriate methodology appears as a highlighted arrow at the top of the page.
You complete a set of predefined tasks before you can move to the next phase. The arrow turns yellow when you work within a phase. The arrow turns green when you complete a phase.
Note
Whenever you want to bypass a phase, you can simply enter the phase and choose
This section describes how to complete the fields involved in role creation.
Note
Field names denoted with an asterisk (*) indicate a mandatory field.
Select from the dropdown menu a system landscape where you want to define the role. The Enterprise Role Management administrator sets up the system landscape to group systems such as ERP (dev, qa, and prd). Within the landscape, the system administrator sets up the default system for role risk analysis and for the default generation of roles.
You can use two role types for this capability: Single roles and Composite roles. You can create two additional role types during the Derive Role phase: Master roles and Derived roles.
Single roles contain unique characteristics that you create with this capability or with another application. A single role contains a set of authorization data. Single roles exist within the SAP back end or Non-SAP systems.
Composite roles are logical groupings of single roles. For example, the role for an Accounts Payable clerk is a composite role that contains multiple single roles, such as Invoice Processing and General Ledger Display, to perform a job function.
Derived roles are created using the authorization data and characteristics of a master role with different organizational-level restrictions.
Master roles are the basis for derived roles.
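The relationship between master and derived roles, as an added example (a simplified model, not SAP's code or data format): a derived role copies the master's authorization data and differs only in organizational-level values, and `drift` reports a derived role whose other authorizations no longer match its master. The role names, the `ORG_LEVEL_FIELDS` set, and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: the fields treated as organizational levels in this model.
ORG_LEVEL_FIELDS = frozenset({"BUKRS", "WERKS"})


@dataclass
class Role:
    name: str
    auths: dict                   # {authorization object: {field: set of values}}
    master: Optional[str] = None  # name of the master role, if derived


def org_fields_used(role):
    """Organizational-level fields that appear in the role's authorization data."""
    return {f for fields in role.auths.values() for f in fields
            if f in ORG_LEVEL_FIELDS}


def derive_role(master, name, org_values):
    """Build a derived role: the master's authorization data plus its own org values."""
    missing = org_fields_used(master) - set(org_values)
    if missing:
        raise ValueError(f"no org value supplied for {sorted(missing)}")
    auths = {
        obj: {f: set(org_values[f]) if f in ORG_LEVEL_FIELDS else set(v)
              for f, v in fields.items()}
        for obj, fields in master.auths.items()
    }
    return Role(name, auths, master=master.name)


def drift(master, derived):
    """Return (object, field) pairs where a derived role differs from its
    master outside the organizational-level fields."""
    findings = []
    for obj in sorted(set(master.auths) | set(derived.auths)):
        m, d = master.auths.get(obj, {}), derived.auths.get(obj, {})
        for f in sorted(set(m) | set(d)):
            if f not in ORG_LEVEL_FIELDS and m.get(f) != d.get(f):
                findings.append((obj, f))
    return findings


# Constructed sample data: role names and values are illustrative only.
MASTER = Role("Z_AP_INVOICE_MASTER", {
    "F_BKPF_BUK": {"BUKRS": set(), "ACTVT": {"01", "02", "03"}},
})
DERIVED_1000 = derive_role(MASTER, "Z_AP_INVOICE_1000", {"BUKRS": {"1000"}})
```

A non-empty result from `drift` means the derived role carries authorizations that were not reviewed as part of the master role.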
You select the Business Process from the dropdown menu to create or modify the role attribute. The Enterprise Role Management administrator configures business processes.
You select the Subprocess from the dropdown menu to create or modify the role attribute. Business Process is a configurable role attribute in configuration. The Enterprise Role Management administrator configures the Subprocesses.
You use the Project/Release feature to group roles that are associated with either a project or a new release. A role designer uses this attribute to filter a group of roles across multiple system landscapes, business processes, and subprocesses. If you are the role designer and you need to plan or enhance roles, contact your System Administrator to create a unique Project or Release name to group all roles together.
You can add a role status to each role to indicate whether the role is in development or production status. A role status of Production indicates that the role is ready for provisioning. These roles are synchronized to Compliant User Provisioning (CUP) when the role import job is run from CUP. In Compliant User Provisioning, you can use an integrated feature to import roles from Enterprise Role Management for provisioning. The Enterprise Role Management administrator configures Role Status in Configuration.
This feature creates a default role name based on the naming convention set up by the Enterprise Role Management administrator. You can override these defaults to conform to the role naming conventions in your organization.
The description is free-form text that describes the role.
There is a default profile name based on the naming convention set up by the Enterprise Role Management administrator. The profile naming convention is configurable to be suggested or enforced. You can customize this profile name to make it unique. When not enforced, you can override the profile name during role creation.
This description is free-form text that describes the role. This field is automatically populated to match the description.
Note
Refer to the Access Control Configuration documentation to configure your role creation topics. Some Role Creation functionality within the various phases is present only if it has been configured by your administrator.