Kontakt

Ansicht
Dokumentation

DFS_AUTHPROF_GENERATOR - Authorization Profile Generation

DFS_AUTHPROF_GENERATOR - Authorization Profile Generation

PERFORM Short Reference   SUBST_MERGE_LIST - merge external lists to one complete list with #if... logic for R3up  
This documentation is copyright by SAP AG.
SAP E-Book

Purpose

This program “Authorization Profile Generation” is the successor to the role generator. This program creates roles with specific values from dependent force elements, based on a reference role with authorization objects at organizational level.

The role generator assigned the generated role to the user directly. Authorization profile generation assigns the roles to the positions. This should improve system performance.

The program can only be run if the role generator is deactivated (see below in chapter Controlling) to switch off the role generator in your system.

As a default, the selection and required evaluation paths start with force elements, the object type O and search for roles for positions, object type S. Other starting points and other HR objects can usually also be selected. This requires the evaluation paths to be adjusted.

Integration

Prerequisites

  1. An SAP user needs to be maintained in infotype 0105, subtype 0001 for a personal number.
  2. The person number must be assigned to an active position. Only active HR objects are processed.
  3. The position must be assigned to a force element.
  4. A reference role must be defined and assigned to the position.

If you have previously worked with the role generator, make sure you have removed the role generator roles from your system to make sure your system responds as expected.

Features

Selection

Plan version / object type / object ID / object status is the entry point for authorization profile generation. Together with the evalution path (default ORGEH) / status vector, force elements are selected from where the positions are taken.

(FE1)

|-------------------|-----------------|

(FE2) (FE3)

|---- (FE4) |---- (FE5)

|---- (FE6)

On the selection screen, starting with FE2 as input

The path on the selection screen (ORGEH) is the selection variant used to find all force elements, in this case FE4 and FE6.

Based on this selection (FE2, FE4 and FE6) the next steps for profile generation start.

To now find all positions and roles for these selections, the parameter ATHPRFGN_OBJPTH is defined and all positions are selected (default DFS_AG1 - Operational Structure O-S-AG). Note that both the S and AG level are observed here, since some additional checks are also performed if there are any roles to be taken into consideration; if not, it's skipped

Now all positions are selected to validate if there are any reference values (org values). This is done using the parameter ATHPRFGN_REFPTH and default (DFS_AG2 - Operational Structure S-AG)

The last part is to find the real org value for force elements. As a default, the evaluation path DFPS_RMR is used. Redefinition can be done using the parameter ATHPRFGN_FEPTH. All force elements found by this path are read with the org values and these values are added to the generated roles.

In general: The same behavior was already available in the old solution but used different evaluation paths. However, the paths are hard coded so you had to redefine BAdIs to change a path. For this reason, the parameters are now provided.

The same applies to the role assignment. By default it's assigned to a position (type S) but by changing the path it can also be assigned to other HR objects.

Standard Variants

Authorization profile generation uses some parameters that can be modified using SM30 and the view DFS_VDFPSK100 or Defense & Security > Organizational Flexibility > Security > User and Role Administration > General Settings for Defense & Security.

ATHPRFGN_ACTIVE:

Set the ARG active or set role generator to active.

X = authorization profile generator active; ‘ ‘ = role generator active.

ATHPRFGN_OBJPTH:

This is the evaluation path for the force element for the position and role. This requires the parameter ATHPRFGN_OTYPE to be set to “S”.

You can select the object type (O (default), S, US, etc.) using the report. With the standard selection for the object type (OTYPE) = O, the evaluation path ORGH is taken and selects all force elements with the evaluation path ORGH starting from force element ID entered on the selection screen. The force elements found are then evaluated using the evaluation path „DFS_AG1“ (Parameter ATHPRFGN_OBJPTH ). All roles (object type = AG) and positions (Otype = P) are processed and used.

ATHPRFGN_OTYPE OTYPE = S (Position). -> Because the report is based on the working position.

ATHPRFGN_PFUD X = transaction PFUD runs after authorization profile generation is finished. ‘ ‘ = No PFUD afterwards.

ATHPRFGN_REFPTH:

This evaluation path is used within the BAdI AUTH_REF_DATA_GET. The evaluation path starts with the position (if ATHPRFGN_OTYPE = S) followed by the assigned AGs (ROLE) above the position. This AG is used as the ‘Reference Role’.

ATHPRFGN_FEPTH:

This evaluation path is used within the BAdI AUTH_DATA_GET. The evaluation path starts with the position (if ATHPRFGN_OTYPE = S) followed by the assigned force elements above the position. The force element data is now used to fill the org. values.

Output

When the program ‘Authorization Profile Generation’ is finished, a program log is displayed that contains any issues or information. This log can also be displayed using transaction SLG1 with DEFENSE and the subobject AUTHPROF.

Activities

Example






CPI1466 during Backup   CPI1466 during Backup  
This documentation is copyright by SAP AG.

Length: 6276 Date: 20240520 Time: 081920     sap01-206 ( 116 ms )