Earlier this year, we did a webinar on SAP HCM security. We received a lot of comments, especially around how to implement Position-based security in your HCM system. Here’s a step-by-step ‘how-to’ on getting this set up in your system.
Why use Position-based security? It allows you to grant access to a Position, and when a new person is placed into that Position, they automatically receive the access contained within the role. Likewise, when the person leaves the position, their access is automatically removed. This is a win-win for your Security team, as well as your Auditors. Many clients use this as a way to automate adding and removing security roles from users. Automating some of the tasks of your security team frees them up for more important work.
Prerequisite: maintain infotype 105 subtype 0001 for all employees (via transaction PA30). This infotype assigns the User ID to the employee number. Without this association, the program will not be able to create the position-based relationship between the role and the user ID.
Here’s how to set it up.
When you go into transaction PFCG, select Edit > Settings. Then, in the pop-up screen, select Complete view, as seen here, then click the green check:
On the next screen select the Create Assignment button:
The below pop-up will be shown. Enter the start/end date for the assignment and click the Create icon:
Now let’s look at the user ID assigned to the position. Go to transaction SU01:
Program RHAUTUPD_NEW (transaction PFUD) is the program that adds/removes the access. This should be set up to run daily.
As you test the above process (moving employees in/out of positions), run this program to apply the changes to the user ID.
SAP OSS Note 1871405 provides a fix if this program isn’t working correctly for you.
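To audit that the daily run is keeping up, you can compare what the position data implies with what is actually on the user master. The following is an added example, not SAP code and not from the original post: a simplified Python model of the reconciliation described above, run over constructed sample extracts whose layouts, role names, personnel numbers and user IDs are all assumptions.

```python
from datetime import date

FOREVER = date(9999, 12, 31)

# Constructed sample extracts (hypothetical values, not real data).
# Role assigned to a position in PFCG, with the start/end date entered there.
ROLE_TO_POSITION = [
    ("Z_HR_PAYROLL_CLERK", "50001234", date(2024, 1, 1), FOREVER),
    ("Z_HR_TIME_ADMIN", "50005678", date(2024, 1, 1), FOREVER),
]
# Who holds which position and when: (position, personnel number, begin, end).
POSITION_HOLDERS = [
    ("50001234", "00001001", date(2023, 1, 1), date(2024, 6, 30)),  # has left
    ("50001234", "00001002", date(2024, 7, 1), FOREVER),            # successor
    ("50005678", "00001003", date(2024, 1, 1), FOREVER),            # no user mapping
]
# Infotype 105 subtype 0001: personnel number -> user ID.
IT0105_0001 = {"00001001": "ASMITH", "00001002": "BJONES"}
# Position-derived roles currently on the user master (what SU01 would show).
# Assumption: roles assigned directly to a user are excluded from this set.
ACTUAL = {("ASMITH", "Z_HR_PAYROLL_CLERK")}


def expected_assignments(on):
    """Return (user, role) pairs implied by position data on a given date,
    plus the personnel numbers that could not be mapped to a user ID."""
    expected, unmapped = set(), set()
    for role, position, r_from, r_to in ROLE_TO_POSITION:
        if not r_from <= on <= r_to:
            continue  # role-to-position assignment not valid on this date
        for h_pos, pernr, h_from, h_to in POSITION_HOLDERS:
            if h_pos != position or not h_from <= on <= h_to:
                continue  # different position, or holder not in it on this date
            user = IT0105_0001.get(pernr)
            (expected.add((user, role)) if user else unmapped.add(pernr))
    return expected, unmapped


def reconcile(on, actual):
    """Diff expected vs. actual: stale access, missing access, unmapped staff."""
    expected, unmapped = expected_assignments(on)
    return {
        "to_add": sorted(expected - actual),
        "to_remove": sorted(actual - expected),
        "unmapped": sorted(unmapped),
    }


if __name__ == "__main__":
    print(reconcile(date(2024, 8, 1), ACTUAL))
```

A non-empty `to_remove` after the scheduled job has run means a leaver still holds access, and every entry in `unmapped` is an employee whose missing infotype 105 record silently prevents the role from being assigned.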
If you have any questions/comments please email me at firstname.lastname@example.org