
Note: This blog does not give details about the creation of Business Roles or related initial activities. It deals only with the enhanced functionality and the new behaviour of Business Roles.

The Business Role functionality is enhanced in SP13 to support the removal of single roles that are part of a business role, based on validity. Also, only the roles that are specific to a business role are removed from the user when that business role is selected for removal.

Below are more details of the scenarios.

1)  Assign two Business roles to a user, each having two Technical roles, where one of the technical roles is common to both business roles (say BR1 having T1 and T2, and BR2 having T2 and T3).

Till SP12: When trying to remove one Business Role (say BR1), the common technical role (T2) is also getting removed from the backend system which actually was assigned through other Business role (BR2).

2)  Assign one Business Role having two technical roles (say B1 having T1 and T2) to a user, also assign one of the technical roles directly to user (say T1).

Till SP12: When trying to remove the single technical role (T1), the technical role (T1) assigned through business role is also removed from the backend system, irrespective of the validity with which business role and single technical role is assigned.

From SP 13 Onwards:

Validity dates are considered for role removal, below is description of scenarios about how role removal will work.

1) Assign two Business roles to a user, each having two Technical roles, where one of the technical roles is common to both business roles (say BR1 having T1 and T2, and BR2 having T2 and T3).

SP13 Onwards: When trying to remove one Business Role (say BR1), it will be completely removed without affecting the assignments through Other Business role (BR2), i.e. assignment of T2 and T3 through BR2 will remain unaffected.

2) Assign one Business Role having two technical roles to a user (say B1 having T1 and T2) with validity Period say 01.01.2012 to 31.12.2013. Also assign one of the technical roles (say T1) of business role, directly to user with same validity as of Business role (i.e. 01.01.2012 to 31.12.2013).

SP13 Onwards: When trying to remove the single technical role that is directly assigned:

a)  If parameter 4011 is set to NO, only the single technical role (T1) will be removed, and the assignment of T1 and T2 through the Business Role remains unaffected.

b)  If parameter 4011 is set to YES, then the single role (T1) assigned to the user directly as well as the single role (T1) assigned through the business role is removed. Since the business role assignment is now partial, the other technical role (T2) that was assigned as part of the business role is reflected in the existing assignments as if it were directly assigned to the user and is no longer part of the business role. Apart from this, at the time of request generation as well as at all the approval stages, a warning message appears: “Role <Role_name> (T1 here) is a part of Business role of user”.

3)  Assign one Business Role having two technical roles to a user (say BR1 having T1 and T2) with a validity period say 01.01.2012 to 31.12.2013. Also assign one of the technical roles of business role (T1), directly to user with different validity as of Business role say 02.02.2012 to 30.11.2015.

SP13 Onwards: Now on removing the single technical role (T1), only the single role assigned directly (T1 with validity dates 02.02.2013 to 30.11.2015) will be removed irrespective of parameter 4011 as the validity for the assignment through business role is different.

4)  Assign one Business role having any number of technical role to a user (say B1 having T1, T2, T3, T4). On trying to remove (say T2) directly via access request:

SP13 Onwards:

a) If parameter 4011 is set to NO, then the end user will not be able to create a request, and an error message “Role <Role_name> cannot be deleted as it is part of business role of user” will be generated.

b) If parameter 4011 is set to YES then request will be created with a warning message “Role <Role_name> (T2 here) is a part of Business role of user“, which will also appear at the time of approving the request.
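The SP13 rules above can be written down as a small decision model, which is useful when building test cases for a role-removal workflow. This is an added example, not SAP code; `Assignment`, `remove_business_role`, `remove_single_role` and the boolean `param_4011` (True for YES, False for NO) are hypothetical names, and validity dates are compared as plain strings.

```python
from collections import namedtuple

# Model only. source is None for a direct assignment, else the business role name.
Assignment = namedtuple("Assignment", "role source valid_from valid_to")

def remove_business_role(assignments, business_role):
    """Scenario 1: drop only what was assigned through business_role."""
    return [a for a in assignments if a.source != business_role]

def remove_single_role(assignments, role, param_4011):
    """Scenarios 2-4. Returns (request_created, assignments_after, messages)."""
    direct = [a for a in assignments if a.role == role and a.source is None]
    via_br = [a for a in assignments if a.role == role and a.source is not None]
    warning = f"Role {role} is a part of Business role of user"
    if not direct and not via_br:
        raise ValueError(f"{role} is not assigned to the user")
    if not direct:  # scenario 4: held only through a business role
        if not param_4011:
            return False, list(assignments), [
                f"Role {role} cannot be deleted as it is part of business role of user"]
        # The page states only that the request is created with a warning,
        # so the model leaves the assignments as they are.
        return True, list(assignments), [warning]
    periods = {(a.valid_from, a.valid_to) for a in direct}
    same = [a for a in via_br if (a.valid_from, a.valid_to) in periods]
    remaining = [a for a in assignments if a not in direct]
    if not (param_4011 and same):  # scenarios 2a and 3: direct copy only
        return True, remaining, []
    # Scenario 2b: the business role becomes partial, so its other roles
    # are shown as direct assignments.
    partial = {a.source for a in same}
    after = [a._replace(source=None) if a.source in partial else a
             for a in remaining if a not in same]
    return True, after, [warning]

if __name__ == "__main__":
    # Constructed sample: scenario 2 with the validity dates used in the post.
    period = ("01.01.2012", "31.12.2013")
    user = [Assignment("T1", "B1", *period), Assignment("T2", "B1", *period),
            Assignment("T1", None, *period)]
    for setting in (False, True):
        print(setting, remove_single_role(user, "T1", setting))
```
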


1 Comment


  1. Harinam SanKirtan

    Thank you SAP for listening to us and fixing this issue, it was frustrating that shared single roles between multiple business roles were being removed from users. With the consideration of validity dates etc, a major flaw has been fixed.

    Anyone know if a useful “User to Business Role relationship” report will be made available on the NWBC end? “User to Role Relationship” report is not adequate enough to analyse which business roles have been assigned to the user.

    A “Technical Role to Business Role Relationship” report would also be useful if the “Business Role” concept is really the future of Access Management within the SAP/GRC space.
