
Tiered Security Roles

Tiered Security Roles began about the time that Sarbanes-Oxley (SOX)
and Segregation of Duties (SOD) became important to corporations.

Process Area Maintain / Update Roles
Process Area Display / Reporting Roles
Portal / DUET Roles
Default / Common Role (SU3, SU53, etc.)

What to Map in Maintenance Role and Display Role

Maintenance Role:
A maintenance role should contain maintenance T-codes only (e.g. create, delete and change T-codes). No display T-code should be mapped to any Master/Template-based role.

Display Role:
A display role contains only those transactions for which the user requires display mode only, plus ECC reports. No change is allowed.

SAP Portal & DUET Roles :


Portal & DUET roles will be assigned to users to provide access for Finance
& SRM functionality.

ARIS Positions/Master/Template roles methodology

ARIS Position based Roles
The parent or controlling role for a specific position. It inherits a group of ARIS roles mapped to all the transactions and authorization objects needed to execute any process in the organization. Transactions can be mapped to the role according to the job responsibilities of the mapped ARIS position within the organization.

Master/Template Roles
The parent or controlling role for Derived roles, which inherit all their transactions, authorization objects and most authorization object values from the Master Role (except for Org. Level values, which are assigned at each Derived role level). Transactions can be added to the Master Role (in one step) and adjusted to all the Derived roles in that Master role set.

Positions in Org Structure


A Position represents an element in the organizational structure. An Employee is assigned a position which represents their job title (typically) and indicates their relationship in the organizational hierarchy.
There may be many users associated with one position description (such as Teacher or SAM) or only a few.

Position-Based Security Roles


Position-Based Security Roles have been in existence since the earliest versions of SAP R/3 Security.

Advantages of Position-Based Security Roles:
Position-Based Security Roles are relatively easy to create because they contain all the necessary transactions to perform a particular job in a Maintenance role and a Display role.
Position-Based Security Roles are much easier for Help Desk staff to assign. If the new hire is an AP Manager, they get an AP Manager Maintenance role and an AP Display role simply by assigning the user to the HR position in the org structure.

Disadvantages of Position-Based Security Roles:
If Display transactions are in the same role as Maintenance transactions, they can be difficult to restrict to Display.
If multiple role assignments are made and two or three very large roles are added to a User ID, multiple SOD conflicts can be created.

How to Derive Position based Role/Assignment of T-code

T-code to Master Role
Map ARIS Roles to ARIS Positions; based on the ARIS Positions, SAP Master roles will be created. SAP Master roles will serve as a Template or Parent Role. T-codes mapped to ARIS roles will be added to one-to-one SAP Master roles.

Derived Roles
Each SAP master role will be derived into the School Namespace, e.g. (Z_1633_Business_anaylst), where 1633 is the school identifier.

Derived Roles to HR Position
Multiple SAP Derived roles will be assigned to the HR Org structure positions of each school as per the role mapping performed for each school.
Derived Role to Org Position


Also called a Child role. The Derived role inherits its transactions and authorization objects from the Master or Parent Role and applies certain organizational level restrictions. This allows access to be restricted to one Company Code, or to other organizational elements such as Purchasing Group, Plant or Sales Organization. Master/Position roles are a combination of multiple ARIS Positions.
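
The mapping rules above (maintenance and display T-codes kept in separate roles, derived roles differing from their master only in org values, and SOD conflicts arising when several roles land on one User ID) can be checked mechanically. The following is an added example, not part of the original deck: the role names, the T-code classification, the use of the school identifier as a BUKRS (company code) value and the single SOD rule are all constructed assumptions.

```python
# Constructed sample data for illustration only; not taken from the deck's system.
TCODE_KIND = {  # "M" = maintenance (create/change/delete), "D" = display/report
    "FK01": "M", "FK02": "M", "FB60": "M", "F110": "M", "FK03": "D", "FB03": "D",
}
# Assumed SOD rule set: holding any T-code from both sides is a conflict.
SOD_RULES = [({"FK01", "FK02"}, {"F110"}, "vendor master maintenance + payment run")]

def role(tier, tcodes, parent=None, org=None):
    return {"tier": tier, "tcodes": set(tcodes), "parent": parent, "org": org or {}}

ROLES = {
    "Z_MASTER_AP_MAINT": role("M", ["FK01", "FK02", "FB60"]),
    "Z_MASTER_PAY_MAINT": role("M", ["F110"]),
    # Clean derived role: same T-codes as its master, only the org value is set.
    "Z_1633_AP_MAINT": role("M", ["FK01", "FK02", "FB60"],
                            "Z_MASTER_AP_MAINT", {"BUKRS": "1633"}),
    # Derived role that drifted from its master and picked up a display T-code.
    "Z_1633_PAY_MAINT": role("M", ["F110", "FB03"],
                             "Z_MASTER_PAY_MAINT", {"BUKRS": "1633"}),
    # Display role that wrongly carries a change transaction.
    "Z_1633_AP_DISP": role("D", ["FK03", "FB03", "FK02"]),
}

def tier_violations(roles):
    """(role, tcode) pairs whose T-code kind does not match the role's tier.
    Unclassified T-codes are flagged too, so they get reviewed."""
    return sorted((name, t) for name, r in roles.items()
                  for t in r["tcodes"] if TCODE_KIND.get(t) != r["tier"])

def derived_drift(roles):
    """Derived roles whose T-codes differ from the master's (only org may differ)."""
    drift = {}
    for name, r in roles.items():
        if r["parent"] and r["tcodes"] != roles[r["parent"]]["tcodes"]:
            drift[name] = sorted(r["tcodes"] ^ roles[r["parent"]]["tcodes"])
    return drift

def sod_conflicts(assigned, roles):
    """Union the T-codes of every role on one User ID and test each SOD rule."""
    held = set().union(*(roles[n]["tcodes"] for n in assigned))
    return [label for a, b, label in SOD_RULES if held & a and held & b]

if __name__ == "__main__":
    print(tier_violations(ROLES))
    print(derived_drift(ROLES))
    print(sod_conflicts(["Z_1633_AP_MAINT", "Z_1633_PAY_MAINT"], ROLES))
```

Each role passes the SOD check on its own; the conflict only appears once both maintenance roles are assigned to the same User ID.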

[Diagram columns: T-Codes, Process Roles (A, B, C), ARIS Position, SAP Roles, HR Org Position]

ARIS Position: SAP Role
AP Analyst: ZEC.FI.RE.S.####.AP.Analyst
AR Business Mgr: ZEC.FI.RE.S.####.AR_Bus_Mgr
Master data Analyst: ZEC.FI.S.####.MD.Analyst

HR Org Position: Principal, Head Teacher, SAM

Note:
ARIS positions are a combination of multiple Process Roles.
#### is the School Identifier.

What are Org values

Finance: Company Code, Profit Center, FM Area, Credit Control Area, Work Centre
Purchasing: Purchasing Group, Plant, Sales Organization
BW: Reporting Unit

The typical reasons for the implementation and enforcement of organizational level restrictions are:
Sensitivity of information
Prevention of processing errors across organizational areas

SAP Portal & SRM Roles Mapping to Org Positions

SAP Portal & DUET roles mapping to Org Position
Portal roles created in SAP Portal will be mapped to single shell roles in the ECC system (Composite Role).
DUET roles are based on function modules, which are grouped and aligned to match SAP Portal role functionality.
Based on the mapping matrix, SAP Portal and DUET roles will be assigned to positions in schools.
The basis of the role mapping matrix is the SAP ECC role assignment to org positions.

SAP SRM role mapping to Org Position
SRM roles created in the SAP SRM system will be transferred into the ECC system and mapped to a shell role in ECC before assignment to org positions.
Any employee assigned to a position in the org structure of a particular school will get the SAP SRM roles assigned to that position. A similar procedure applies to other business units.
There are two SRM roles, based on the level of access required across the organization.

Thank You
