Question:
Hi all
Any inputs on Role Naming best practices / guidelines? We are in the process of re-designing the entire security setup and would like to go with some "Generally Accepted Security Role Naming Practices". Ours is a global company with decentralised SAP setup with SAP instances for each region.
Any suggestions be much appreciated.
Thanks
_________________
SAPFAN
Answer:
hi
plan with regular naming conventions as basic with module, instance, country details as sufixes as per ur requirement. which facilitates easy understanding and helpful for u in future.
thanks
Answer:
An example...
The intent of developing a naming convention for SAP access is to facilitate long-term maintenance of Security, enhance auditability, and improve the periodic access review of access. The following is a proposal for the naming convention guidelines for Roles, profiles and Authorizations. Note: Composite Role naming conventions are not covered as they are NOT recommended for use.
Naming Conventions – Roles
The letter ‘Z’ or ‘Y’ is not needed as part of the naming convention. SAP Security is Master data not configuration OR repository object and therefore does not need to use the standard development name space. The ‘:’ is the customer designation.
Role name template = xxxx:yyyy_Describe_org
Where: xxxx = Major division such as Grainger, Grainger Parts, etc (does not have to be 4 characters)
: = Customer Role designation
yyyy = Functional area in SAP such as Financial Accounts Payable (FIAP), Materials Management Warehouse Maintenance (MMWM) does not have to be 4 characters).
Describe = Brief description of role i.e. INVOICE_PROCESSOR
Org = Any major organizational limitations such as plant, sales org or warehouse.
Example: G:FIAP_INVOICE_PROCESSOR - Grainger Financial Accounts Payable invoice processor for Company. Note “Grainger is a company so there is no need to use the _org designation. If this role did ALL or cross company then a designation would be appropriate.
Note: If you set the configuration for Session manager to sort the roles for display, they sort in alphabetical order by technical name, therefore your generic System role (Printing, RFC, GUI control, SU56, SU53, SU3, SMX) should sort to the bottom so yyyy should be XA – Cross Application.
Answer:
I would always put the org ahead of the description. If you need to access it programmatically, parse it in a spreadsheet etc. its is jyust easier.
Answer:
We use Z and Y (Z for single roles and Y for composites)
We have multiple companies in one landscape and differentiate with only two letters. For example:
Z_FI_CREATEBANK_GRCC1200
FI - Module
CREATEBANK - Terse description
GR - Company or division (GR for Grainger)
CC - Primary org level restriction (company code)
1200 - org level value
In the text description of the role you can use a more verbose description.
Answer:
We've created a naming convention but I can't really recommend it . This is just a "I'll show you mine if you show me yours"!
First character denotes the role type
Composite starts Z
Single start Y
Two character is the client
R = R3
H = HR
B = BW
E = EBP
Three and Four are the stream
AR = Finance (we call it Accounts Receivable)
PP = Purchasing (we call it P2P)
BW = BW
HM = HR (I really don't know why "HM")
So far we've got:
ZRPP - composite in R3 for Purchasing
ZEPP - composite in EBP for Purchasing
Five - Six are the Country (POrg - one to one basis so they are the same thing)
PT - Portugal etc.
Seven - Eight
Denote the company code - where you have more than one in a role then we've called them 01, 02, 03 etc and maintain a table externally to check what's in them
PT11 would be company code PT11
PT01 would be company code PT11 and PT12
Nine - Twelve
Plants, if there's a single plant in a role then it has the four character plant code ie 3AHE if there's more than one plant then it has a plant combi code Z001, Z002, Z003 etc again maintained externally for reference
3AHE would be plant 3AHE
Z001 would be 3AHE and 3STB etc
Thirteen
Underscore for a breather
Fourteen onwards
Starts with either "DO" or "SEE" followed by an underscore followed by a short description to character thirty. a DO role has create/change/display access and a SEE role has display access only.
So in the end the monstrosity looks like this:
ZRPPPT113AHE_DO_STOCK_ORDER - Create LA Stock Order
Grim init?
but it works - just.
Answer:
Thanks guys for all the inputs. Much appreciated. Some views are really worth considering and we intened to take these with our internal SAP group to debate and conclude. What presently we have is
Z:XX XX XX 99
1st - XX - Company (Today we have decentralised instances because of business reasons and not tech reasons but it is likely that we might centralise)
2nd - XX - Major module viz..PP,MM, BW, HR etc
3rd - XX - Process within the module - Bill Payment, Recruiting etc.
99 - Sr no of the role within the subset of module & process.
Anyways, if others do have some opinions and views, please continue to post them here while our team debates on the best practices for "Role Naming".
Thanks once again.
_________________
SAPFAN
Answer:
Thanks guys for all the inputs. Much appreciated. Some views are really worth considering and we intened to take these with our internal SAP group to debate and conclude. What presently we have is
Z:XX XX XX 99
1st - XX - Company (Today we have decentralised instances because of business reasons and not tech reasons but it is likely that we might centralise)
2nd - XX - Major module viz..PP,MM, BW, HR etc
3rd - XX - Process within the module - Bill Payment, Recruiting etc.
99 - Sr no of the role within the subset of module & process.
Anyways, if others do have some opinions and views, please continue to post them here while our team debates on the best practices for "Role Naming".
Thanks once again.
_________________
SAPFAN