How to use ABAC for handling access to multiple Qualification & Course Catalogues.
In global organisations there is a need for different training and qualification catalogues that match the demands of the company's divisions and locations. In SAP LSO (Learning Solution) and TEM (Training & Event Management) it has always been possible to create multiple catalogues matching the needs of different parts of the company. But it has always been a struggle to make sure the right catalogues are valid for the right employees, especially over time as employees are expatriated or moved internally from one division to another.
There are several ways to make sure our employees are presented with the right catalogues at the right time. One is to assign the catalogues manually through structural access control each time an employee changes division or is expatriated. This gives correct access when employees search for qualifications or courses, but it requires manual work: input from the employment handlers whenever an employee is moved, and FTEs to change the structural access control for the moved employees. For that reason it is not recommended.
Figure 1 Manual maintenance: a supporter manually ensures the employees' correct access to catalogues.
The other option is to grant all employees access to all catalogues. This requires no manual work when employees are reassigned organisationally, but it costs user-friendliness: when searching for a qualification or a course, users are presented with many options, some relevant and others not. It also grants every employee access to catalogues they have no need for, which is the opposite of least privilege.
Figure 2 All employees have access to all catalogues.
The most flexible solution, and the one I will show here, is based on ABAC: Attribute-Based Access Control. We use the attributes assigned to employees through their organisational assignment to determine which course, job or qualification catalogues they should have access to. The advantage of ABAC is that the right catalogues are assigned automatically, at the right time, for every employee.
Figure 3 The ABAC method used to ensure correct access for our users.
The functional solution: granting access to specific parts of the organisational structure, qualification catalogues or course catalogues.
Access is granted through function modules that read the user's organisational assignment. Based on that assignment we can grant the employee access to:
- specific parts of the organisational structure,
- specific qualification catalogues,
- course catalogues,
- job catalogues,
- development plan catalogues.
The assignment is automatic and requires a minimum of work, because it reads the employee's organisational assignment record, infotype 0001 (IT0001).
When the employee gets a new organisational assignment record, the solution automatically changes the access to the structures that suit the new assignment.
At the same time it keeps us clean: access to the catalogues that belonged to the old organisational assignment is delimited automatically, since access is derived from the current record rather than stored per user. There is nothing to revoke and nothing to forget.
Figure 4 The ABAC rule set automatically grants and delimits access to catalogues for our employees.
What you need to set up is an attribute-based rule set, stored in a customer-specific table such as Z_STRUCTURES_BASED_ON_ABAC. You can define this table as a master data table or as a customizing table, depending on your needs and on how master data is aligned across your system landscape.
If it is a master data table you can maintain entries directly in the production system and avoid waiting for IT and change request boards. But if you maintain the table directly in production, no test system is kept up to date, so you must make sure the rule-set entries in production can be copied back to your development and test systems.
Because the rule set has a global reach, you must have clear procedures defining who is responsible for maintaining it. In practice that means restricting maintenance of the table to that group (via its table authorization group and S_TABU_DIS) and enabling change logging on the table, so that every change to who can see which catalogue is traceable.
Whether you transport the entries from development or maintain them directly in the production system depends on your analysis of the company's exact needs.
Example of the Z_STRUCTURES_BASED_ON_ABAC table as used in a company represented in 54 countries with 9 divisions.
The combination possibilities in the ABAC rule set make this solution highly flexible. The table Z_STRUCTURES_BASED_ON_ABAC is read by a function module in which you set up the combinations to match against, e.g. [WERKS and BTRTL] (personnel area and personnel subarea), [WERKS and JOB] or [POSITION].
The function modules are created in transaction SE37 and, once created, assigned to a structural profile in transaction OOSP.
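The following is an added example of what such a function module can look like; it is not code from the original article. The name Z_STRUCTURES_BASED_ON_ABAC_FM, the column layout of Z_STRUCTURES_BASED_ON_ABAC and the rule that a blank attribute column means "any value" are assumptions made for this example. The interface is written to follow the pattern of the SAP standard structural-profile modules (such as RH_GET_MANAGER_ASSIGNMENT: the user's object in ACT_OTYPE/ACT_OBJID, root objects returned in the ROOT_OBJECTS table), but check it against the standard module in SE37 on your own release before copying it.

```abap
*&---------------------------------------------------------------------*
* Added example, not from the original article.
* Assumed definition of Z_STRUCTURES_BASED_ON_ABAC (SE11), one row per rule:
*   MANDT  CLNT 3  key
*   PLVAR  CHAR 2  key   plan version
*   RULEID NUMC 4  key   running number
*   WERKS  CHAR 4        personnel area       (blank = any)
*   BTRTL  CHAR 4        personnel subarea    (blank = any)
*   STELL  CHAR 8        job                  (blank = any)
*   PLANS  CHAR 8        position             (blank = any)
*   OTYPE  CHAR 2        root object type, e.g. O, QK, L, C
*   OBJID  NUMC 8        root object ID
* Interface below is assumed to follow RH_GET_MANAGER_ASSIGNMENT; verify.
*&---------------------------------------------------------------------*
FUNCTION z_structures_based_on_abac_fm.
*"----------------------------------------------------------------------
*"  IMPORTING
*"     VALUE(ACT_PLVAR) LIKE  OBJEC-PLVAR
*"     VALUE(ACT_OTYPE) LIKE  OBJEC-OTYPE
*"     VALUE(ACT_OBJID) LIKE  OBJEC-OBJID
*"     VALUE(ACT_BEGDA) LIKE  OBJEC-BEGDA
*"     VALUE(ACT_ENDDA) LIKE  OBJEC-ENDDA
*"  TABLES
*"      ROOT_OBJECTS STRUCTURE  HRROOTOB
*"  EXCEPTIONS
*"      NO_ASSIGNMENT_FOUND
*"----------------------------------------------------------------------
  DATA: lv_pernr TYPE pernr_d,
        lv_date  TYPE datum,
        ls_p0001 TYPE pa0001,
        lt_rules TYPE STANDARD TABLE OF z_structures_based_on_abac,
        ls_rule  TYPE z_structures_based_on_abac,
        ls_root  TYPE hrrootob.

  REFRESH root_objects.
  " Evaluate against today's assignment: the profile is re-evaluated on
  " every authorization check, so a new IT0001 record changes the result
  " immediately and the old catalogues drop out without any clean-up.
  lv_date = sy-datum.

  " 1. Identify the employee: the person object handed in by the
  "    structural check, or the user's own person via IT0105 subtype 0001.
  IF act_otype = 'P' AND act_objid IS NOT INITIAL.
    lv_pernr = act_objid.
  ELSE.
    SELECT SINGLE pernr FROM pa0105 INTO lv_pernr
      WHERE subty = '0001'
        AND usrid = sy-uname
        AND begda <= lv_date
        AND endda >= lv_date.
    IF sy-subrc <> 0.
      RAISE no_assignment_found.   " unknown user: fail closed, grant nothing
    ENDIF.
  ENDIF.

  " 2. Read the organisational assignment valid today (IT0001 / PA0001).
  "    Read the table directly: this runs inside the authorization check,
  "    so it must not depend on the user's own HR master data authorizations.
  SELECT SINGLE * FROM pa0001 INTO ls_p0001
    WHERE pernr = lv_pernr
      AND begda <= lv_date
      AND endda >= lv_date.
  IF sy-subrc <> 0.
    RAISE no_assignment_found.     " no assignment: no catalogue access
  ENDIF.

  " 3. Evaluate the rule set. A row matches when every filled attribute
  "    column equals the employee's value (blank = any). All matching rows
  "    are unioned, so "Global catalogue" and "Catalogue A" can be two
  "    one-dimensional rows instead of one row per combination.
  SELECT * FROM z_structures_based_on_abac INTO TABLE lt_rules
    WHERE plvar = act_plvar
      AND ( werks = ls_p0001-werks OR werks = space )
      AND ( btrtl = ls_p0001-btrtl OR btrtl = space )
      AND ( stell = ls_p0001-stell OR stell = space )
      AND ( plans = ls_p0001-plans OR plans = space ).
  IF lt_rules IS INITIAL.
    RAISE no_assignment_found.     " no rule for this assignment: fail closed
  ENDIF.

  " 4. Return the root objects; the structural profile in OOSP expands
  "    them with the evaluation path configured there (down the catalogue).
  LOOP AT lt_rules INTO ls_rule.
    ls_root-otype = ls_rule-otype.
    ls_root-objid = ls_rule-objid.
    APPEND ls_root TO root_objects.
  ENDLOOP.
  SORT root_objects BY otype objid.
  DELETE ADJACENT DUPLICATES FROM root_objects COMPARING otype objid.
ENDFUNCTION.
```

Two design points matter for security. First, the module fails closed: an unknown user, a missing IT0001 record or an unmatched rule set results in no root objects rather than in all catalogues. Second, nothing is stored per user, so "delimiting" the old catalogues after a reassignment needs no job and no administrator; the next check simply evaluates the new record. The module also deliberately contains no AUTHORITY-CHECK on PA0001, because an employee who lacks HR master data authorization would otherwise lose catalogue access.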
Benefit: selecting on PA0001 ensures employees get access to the relevant catalogues as soon as their organisational reassignment is effective. The only remaining work is when new locations or divisions are decided, since the rule set must reflect your company.
Tips: build the rule-set entries on simple rules that are aligned globally. If you can define, for example, that all employees belonging to Division A get access to the global course catalogue and Course Catalogue A, you can concentrate on entries with a single selection dimension. The worst scenario for your rule set is when each division has its own way of defining access to the catalogues, since this makes it difficult for a shared service centre to administer. Keep it simple!
More and similar information can be found on this site: http://www.knuzen.dk/knuzen_catalogue_control.htm