How To Set up and Use Position-Based Security

Earlier this year, we did a webinar on SAP HCM security. We received a lot of comments, especially around how to implement Position-based security in your HCM system. Here’s a step-by-step ‘how-to’ on getting this set up in your system.

Why use Position-based security? It allows you to grant access to a Position, and when a new person is placed into that Position, they automatically receive the access contained within the role. Conversely, when the person leaves the position, their access is automatically removed. This is a win-win for your Security team, as well as your Auditors. Many clients use this as a way to automate adding and removing security roles from users. Automating some of the tasks of your security team frees them up for more important work.

– Maintain infotype 105 subtype 0001 for all employees (via transaction PA30). This infotype assigns the User ID to the employee number. Without this association, the program will not be able to create the position relationship of role to user ID.

Here’s how to set it up.

In transaction PFCG, select Edit > Settings. Then, in the pop-up screen, select Complete view and click the green check.

Next, go into your role in update mode. Navigate to the User tab and you will see a new button, Organizational Mgmt.

Click it.

On the next screen, select the Create Assignment button.

In the pop-up, select Position, then click the green check.

Enter the position number, then click the green check.

A pop-up will be shown. Enter the start/end date for the assignment and click the Create icon.

Select indirect user assignment so it turns green. Click the green arrow back. Now click User Comparison.

NOTE: The user assigned is a different color here, indicating position-based assignment. The X = Indirect assignment.

Now let’s look at the user ID assigned to the position. Go to transaction SU01.

The role is assigned and you know it was an indirect assignment.


Program RHAUTUPD_NEW (transaction PFUD) is the program that adds/removes the access. This should be set up to run daily.
As you test the above process (moving employees in/out of positions), run this program to apply the changes to the user ID.
SAP OSS Note 1871405 provides a fix if this program isn’t working correctly for you.
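
To review the outcome of the daily run independently, the following added example (not from the original post and not SAP code) models the behaviour described above in Python: it derives which indirect role assignments should exist from position holders and the infotype 105 mapping, then compares that with what is on the user IDs. All data, role names, position numbers and the row layout are constructed assumptions standing in for lists you would pull from your own system.

```python
from datetime import date

# Constructed sample data; the layout is an assumption, not an SAP table format.
TODAY = date(2024, 6, 1)

# (position, role, start date, end date) as entered on the role's User tab
POSITION_ROLES = [
    ("50001234", "Z_HR_ADMIN", date(2024, 1, 1), date(9999, 12, 31)),
    ("50005678", "Z_PAYROLL_DISPLAY", date(2024, 1, 1), date(2024, 3, 31)),  # expired
]
# position -> employee numbers currently holding it
HOLDERS = {"50001234": ["00001001", "00001002"], "50005678": ["00001003"]}
# infotype 105 subtype 0001: employee number -> user ID (00001002 not maintained)
IT0105 = {"00001001": "JSMITH", "00001003": "MDOE"}
# indirect (position-based) assignments currently on the user IDs: (user, role)
CURRENT_INDIRECT = {("KLEE", "Z_HR_ADMIN"), ("MDOE", "Z_PAYROLL_DISPLAY")}


def expected_assignments(position_roles, holders, it0105, today):
    """Return (expected (user, role) pairs, employees with no user ID mapping)."""
    expected, unmapped = set(), set()
    for position, role, begin, end in position_roles:
        if not (begin <= today <= end):
            continue  # outside the assignment's validity dates: grants nothing
        for pernr in holders.get(position, []):
            user = it0105.get(pernr)
            if user is None:
                unmapped.add(pernr)  # role cannot be linked to a user ID
            else:
                expected.add((user, role))
    return expected, unmapped


def reconcile(current, expected):
    """Differences a user comparison run should resolve."""
    return {
        "to_add": sorted(expected - current),
        "to_remove": sorted(current - expected),  # stale access still on a user
    }


if __name__ == "__main__":
    exp, missing = expected_assignments(POSITION_ROLES, HOLDERS, IT0105, TODAY)
    print("Holders without infotype 105 user ID:", sorted(missing))
    print(reconcile(CURRENT_INDIRECT, exp))
```

Entries left in `to_remove` after the scheduled job has run are the ones worth raising with your Security team and Auditors.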

If you have any questions/comments please email me at

We are here to WOW you!
