EHP5 for SAP ERP 6.0 April 2012 English

Consultant and End User Security The SAP ERP Rapid-Deployment Solution for Employee and Manager Self-Service

SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany

SAP Best Practices

Consultant and End User Security Guide

Copyright © 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

© SAP AG


These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Icons

Icon meanings: Caution, Example, Note, Recommendation, Syntax

Typographic Conventions

Type Style: Example text
Description: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation.

Type Style: Example text
Description: Emphasized words or phrases in body text, titles of graphics and tables.

Type Style: EXAMPLE TEXT
Description: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.

Type Style: Example text
Description: Screen output. This includes file and directory names and their paths, messages, source code, names of variables and parameters as well as names of installation, upgrade and database tools.

Type Style: EXAMPLE TEXT
Description: Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.

Type Style: Example text
Description: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

Type Style: <Example text>
Description: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.


Content

1 Purpose
2 Required Access Levels for Consultants
3 Backend Security (PFCG Roles)
  3.1 Employee Self-Service PFCG Composite Role SAP_EMPLOYEE_ESS_WDA_1
    3.1.1 Authorizations
    3.1.2 Role Menu
  3.2 Manager Self-Service PFCG Composite Role SAP_MANAGER_MSS_NWBC_2
    3.2.1 Authorizations
    3.2.2 Role Menu
4 SAP NetWeaver Enterprise Portal Roles
  4.1 Employee Self-Service Portal Role
  4.2 Manager Self-Service Portal Role


Consultant and End User Security

1 Purpose

The purpose of this document is to ensure that the appropriate security roles have been built into the system to handle the roles for consultants, HR professionals, managers, and employees. Consultants will need to have access that will allow them to perform the technical aspects of the implementation, as well as the functional access to test the setup. For this reason, consultants should be assigned a consultant-specific role including the access described in Section 2, plus all other end-user roles as detailed below.

2 Required Access Levels for Consultants

In case the client security policy does not support assignment of SAP_ALL in development systems, consultants will require the following access levels:
- Switch framework (transaction SFW5) and Service Activation (transaction SICF)
- Creating iViews and roles through the Portal Content Directory (PCD)
- Portal roles:
  o Content administration
  o User administration
  o System administration roles
- Backend roles (transaction PFCG)
- Tables within the Implementation Guide (IMG, transaction SPRO)
- Web Dynpro ABAP application configuration (ABAP Workbench – transaction SE80)
- Customizing Launchpad for Object-Based Navigation (transaction LPD_CUST)

The consultant will need these access levels to check the backend configuration and system setup. Additionally, the consultant will also need end-user roles, as described in Section 3, to undertake troubleshooting and testing activities.

3 Backend Security (PFCG Roles)

In the SAP ERP rapid-deployment solution for employee and manager self-service (using the portal deployment option), the roles below are suggested as a basis for creating customer-specific roles. The implementation consultant can copy them to custom roles in the customer namespace, for example, YRDS_SAP_ESS_USER. The associated authorization values can be adjusted along the lines described below and in accordance with the customer requirements determined in the implementation phase.

The back-end (PFCG) configuration for employee and manager roles for deployment in the SAP NetWeaver portal is delivered as part of the solution builder add-on and automated content for this solution. Details of how to download these roles are set out in the Quick Guide for this solution. Details regarding ESS and MSS portal roles are specified in Section 4, below.


3.1 Employee Self-Service PFCG Composite Role SAP_EMPLOYEE_ESS_WDA_1

This role was used as the basis for providing access to the ESS international services, included with this package. As stated above, we will deliver a solution-specific ESS composite role provided with the solution builder add-on, as follows:
- SAP_NBPR_XX_ESS_WDA_EP_S (ESS WDA Composite Role (ESS/MSS Portal RDS))

Copies of the following single roles will be delivered as part of the composite role above, in active status:
- SAP_NBPR_XX_ESS_WDA-S1 (ESS International Single Role)
- SAP_NBPR_XX_FITV_ESS_TRAVEL-S2 (ESS Single Role for the Traveler)
- SAP_NBPR_XX_PM_EMPL_HCM_CI-S3 (ESS Single Role for HCM PM Services)
- SAP_NBPR_XX_TMC_EMPLOYEE-S4 (Employee in Talent Management)

Copies of the standard SAP country-specific single roles forming part of the role SAP_EMPLOYEE_ESS_WDA_1 were included in the above roles as per the table below, but in an inactive status for reference purposes. Therefore, if a customer wishes to implement country specific or additional functionality, the delivered roles would need to be enhanced.

Role                      Description
SAP_NBPR_AU_ESS_WDA-S     ESS Single Role for Australia
SAP_NBPR_CA_ESS_WDA-S     ESS Single Role for Canada
SAP_NBPR_CH_ESS_WDA-S     ESS Single Role for Switzerland
SAP_NBPR_CN_ESS_WDA-S     ESS Single Role for China
SAP_NBPR_DE_ESS_WDA-S     ESS Single Role for Germany
SAP_NBPR_HK_ESS_WDA-S     ESS Single Role for Hong Kong
SAP_NBPR_IN_ESS_WDA-S     ESS Single Role for India
SAP_NBPR_JP_ESS_WDA-S     ESS Single Role for Japan
SAP_NBPR_MY_ESS_WDA-S     ESS Single Role for Malaysia
SAP_NBPR_OTH_ESS_WDA-S    ESS Single Role Containing Non-EA-HR Services
SAP_NBPR_PT_ESS_WDA-S     ESS Single Role for Portugal
SAP_NBPR_SG_ESS_WDA-S     ESS Single Role for Singapore
SAP_NBPR_TH_ESS_WDA-S     ESS Single Role for Thailand
SAP_NBPR_US_ESS_WDA-S     ESS Single Role for the United States

3.1.1 Authorizations

The above role provides access to in-scope employee self services, as supported by this rapid-deployment solution. It is assumed the employee assigned the role will have a system user name maintained in subtype 0001 of the Communication Infotype (0105).


3.1.2 Role Menu

The activities the role of Employee can perform correspond to these services by way of the adapted PFCG role, the portal role and associated Object-based navigation configuration, as follows:
- My Processes > Status Overview for employee (based on HCM P&F processes)
- Personal Information > Personal Profile: Maintain Personal Data, Bank Information, Addresses, Family Members/Dependents, Communication, Internal Data, Personal ID’s & Alternative Names Asia (relevant for Asian countries only)
- Working Time > Create Leave Request, Leave Overview, Record Working Time (CATS), View Time Account Balances
- Benefits and Payments > Salary Statement, Total Compensation Statement
- Career and Development > Appraisal Documents, Talent Profile, Job Opportunities
- Travel and Expense > Traveler Work Center, Create Travel Request, Create Travel Plan, Create Third-Party Travel Plan, Create Expense Report, Express Expense Sheet, Find Route, Open Travel Profile, Unlock Personnel Number, Delete Travel Request, Cancel Travel Plan, Display Form

Further details can be found in the Configuration Guides for this rapid-deployment solution, as well as the various service assets that can be accessed via the Step-by-Step Guide for this package. The actual Role menu to be deployed by the customer will depend on the scope determined during the project preparation phase.

3.2 Manager Self-Service PFCG Composite Role SAP_MANAGER_MSS_NWBC_2

This role was used as the basis for the back-end role for MSS services with the portal deployment option. This role should be assigned, together with the relevant portal role, for users requiring access to MSS. We will deliver a solution-specific MSS composite role provided with the solution builder add-on, as follows:
- SAP_NBPR_XX_MSS_WDA_EP_M (MSS WDA Composite Role (ESS/MSS Portal RDS))

Copies of the following single roles will be delivered as part of the composite role above, in active status:
- SAP_NBPR_XX_ASR_MANAGER-M1 (HR Administrative Services : Manager)
- SAP_NBPR_XX_FITV_WEB_APPROV-M2 (Travel Approver)
- SAP_NBPR_XX_HR_LSO_MANAGER-M3 (SAP Learning Solution: HR Manager Training)
- SAP_NBPR_XX_HR_LSO_MANAGER-M4 (SAP Learning Solution: Manager)
- SAP_NBPR_XX_MSS_OTH-M5 (Manager single role for the Applications from Remote systems)
- SAP_NBPR_XX_RCF_MANAGER-M6 (Manager)
- SAP_NBPR_XX_TIME_MGR_ESSWDA-M7 (Time Approval Role for ESS)
- SAP_NBPR_XX_TMC_MANAGER-M8 (Manager in Talent Management)
- SAP_NBPR_XX_MGR_MSS_SRNWBC-M9 (Single Role for the Manager Containing Menu Structure for NWBC)


The above roles support only the in-scope services delivered with this solution. Therefore, if a customer wishes to implement additional (or less) functionality, the delivered roles would need to be enhanced as appropriate.

3.2.1 Authorizations

The above role provides access to in-scope manager self services, as supported by this rapid-deployment solution. It is assumed the employee assigned the role will have a system user name maintained in subtype 0001 of the Communication Infotype (0105) and will occupy a valid chief position in the organization structure.
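
Added example (not part of the SAP-delivered content): a Python check that flags current ESS/MSS role assignments which break the assumptions stated in sections 3.1.1 and 3.2.1. It assumes the data has been exported as rows shaped like tables AGR_USERS and PA0105; the sample rows are constructed, and the set of personnel numbers holding a chief position is assumed to come from a separate organizational-management evaluation.

```python
from collections import defaultdict

# Composite role names as given in this guide; substitute the customer-namespace copies.
ESS_ROLE = "SAP_NBPR_XX_ESS_WDA_EP_S"
MSS_ROLE = "SAP_NBPR_XX_MSS_WDA_EP_M"

def valid_on(row, day, start, end):
    """True if the row's YYYYMMDD validity interval covers `day`."""
    return row[start] <= day <= row[end]

def audit(assignments, it0105, chief_pernrs, day):
    """Return sorted (user, role, finding) tuples for current ESS/MSS role
    assignments that break the assumptions of sections 3.1.1 and 3.2.1."""
    # User ID -> personnel numbers with a valid infotype 0105, subtype 0001 record.
    pernrs = defaultdict(set)
    for rec in it0105:
        if rec["SUBTY"] == "0001" and valid_on(rec, day, "BEGDA", "ENDDA"):
            pernrs[rec["USRID"].upper()].add(rec["PERNR"])
    findings = set()
    for a in assignments:
        user, role = a["UNAME"], a["AGR_NAME"]
        if role not in (ESS_ROLE, MSS_ROLE) or not valid_on(a, day, "FROM_DAT", "TO_DAT"):
            continue  # other roles and expired assignments are out of scope
        mapped = pernrs.get(user, set())
        if not mapped:
            findings.add((user, role, "no valid IT0105 subtype 0001 record"))
            continue  # without a personnel number the chief check cannot run
        if len(mapped) > 1:
            findings.add((user, role, "user ID mapped to several personnel numbers"))
        if role == MSS_ROLE and not (mapped & chief_pernrs):
            findings.add((user, role, "no chief position"))
    return sorted(findings)

# Constructed sample data, shaped like exports of tables AGR_USERS and PA0105.
AGR_USERS = [
    {"UNAME": "JDOE", "AGR_NAME": ESS_ROLE, "FROM_DAT": "20120101", "TO_DAT": "99991231"},
    {"UNAME": "JDOE", "AGR_NAME": MSS_ROLE, "FROM_DAT": "20120101", "TO_DAT": "99991231"},
    {"UNAME": "ASMITH", "AGR_NAME": ESS_ROLE, "FROM_DAT": "20120101", "TO_DAT": "99991231"},
    {"UNAME": "BLEE", "AGR_NAME": MSS_ROLE, "FROM_DAT": "20120101", "TO_DAT": "99991231"},
    {"UNAME": "CWONG", "AGR_NAME": ESS_ROLE, "FROM_DAT": "20110101", "TO_DAT": "20111231"},
    {"UNAME": "DKIM", "AGR_NAME": ESS_ROLE, "FROM_DAT": "20120101", "TO_DAT": "99991231"},
]
PA0105 = [
    {"PERNR": "00001001", "SUBTY": "0001", "USRID": "JDOE", "BEGDA": "20100101", "ENDDA": "99991231"},
    {"PERNR": "00001002", "SUBTY": "0010", "USRID": "", "BEGDA": "20100101", "ENDDA": "99991231"},
    {"PERNR": "00001003", "SUBTY": "0001", "USRID": "BLEE", "BEGDA": "20100101", "ENDDA": "99991231"},
    {"PERNR": "00001005", "SUBTY": "0001", "USRID": "DKIM", "BEGDA": "20100101", "ENDDA": "20111231"},
]
# Assumption: personnel numbers holding a chief position, produced by a separate
# organizational-management evaluation (not shown here).
CHIEFS = {"00001001"}

if __name__ == "__main__":
    for finding in audit(AGR_USERS, PA0105, CHIEFS, "20120401"):
        print(*finding, sep=" | ")
```

An MSS assignment reported with "no chief position" grants manager services to a user who does not meet the stated precondition and is a candidate for removal or for correction of the organizational data.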

3.2.2 Role Menu

The activities the role of Manager can perform correspond to these services by way of the adapted PFCG and portal roles, as follows:
- Home page, including personal profile
- ‘On Behalf of’ maintenance of employee data for their team
- Work Overview (workflow tasks/notifications)
- Team page, including Attendance Overview, Team Calendar, Employee Information, Employee Related Process Overview, Processes for Employees, Employee Course Assignment
- Recruiting, including Create a Requisition Request, Requisition Monitor, Request a Substitution
- Talent Management, including Talent Management Overview, Talent Management Assessment, Talent Information, Performance Management, Compensation Management
- Organization, including Organizational Information, Organizational Services > Organization-related Processes, Position information, Start Organizational Process, Search Processes

Further details can be found in the Configuration Guides for this rapid-deployment solution, as well as the various service assets that can be accessed via the Step-by-Step Guide for this package. The actual Role menu to be deployed by the customer will depend on the scope determined during the project preparation phase.

4 SAP NetWeaver Enterprise Portal Roles

The PFCG roles for ESS and MSS are called from the SAP NetWeaver Enterprise Portal, where portal roles must also be assigned to the ESS or MSS user as appropriate for their role(s) in the client organization. SAP-delivered portal roles are contained in the relevant business packages, which should have been downloaded to the client portal as part of the implementation prerequisites. Further details can be found in the Quick Guide for this rapid-deployment solution. In addition, the standard ESS and MSS roles from SAP Enterprise Portal will be copied as delta links and delivered as a Business Package in the Y_RDS namespace (see below).


Sample roles copied from the SAP-delivered ESS and MSS portal roles were created and instructions for implementing them in the portal can be found in the internal Consulting Note, as follows:

SAP Note #: 1675537
Description: SAP ERP rapid-deployment solution for employee and manager self service import
Component Area: SV-RDS_HCM
Remark: Provides guidance on importing portal content for the solution.

The sample roles were designed to derive delta links from the SAP-delivered roles, in case of change to the latter. These sample roles incorporate links to the WDA configuration implemented as part of this solution.

4.1 Employee Self-Service Portal Role

When implementing this deployment option for the SAP ERP rapid-deployment solution for employee and manager self-service, employees will access their information via ESS in SAP NetWeaver Enterprise Portal. The employee’s role for ESS will need to be modified to allow customer-specific access, but is based on the following:

The following roles should be added to the user or group:
- Role: Employee Self-Service, technical name:
  pcd:portal_content/com.sap.pct/every_user/com.sap.pct.erp.ess.wda.bp_folder/com.sap.pct.erp.ess.wda.roles/com.sap.pct.erp.ess.wda.Employee_Self_Service_WDA
- Role: ERP Common, technical name:
  pcd:portal_content/com.sap.pct/every_user/com.sap.pct.erp.common.bp_folder/com.sap.pct.erp.common.roles/com.sap.pct.erp.common.erp_common

The above ESS role was copied to the sample role referenced in SAP Note 1564758, as follows:
- Role: Employee Self-Service, technical name:
  pcd:portal_content/com.RDS_ESS_MSS_EP.Y_RDS_ESS_MSS/ESS/Roles/com.sap.pct.erp.ess.wda.Employee_Self_Service_WDA

4.2 Manager Self-Service Portal Role

When implementing this deployment option for the SAP ERP rapid-deployment solution for employee and manager self-service, managers will access their information via MSS in SAP NetWeaver Enterprise Portal. The employee’s role for MSS will need to be modified to allow customer-specific access, but is based on the following:

The following roles should be added to the user or group:
- Role: Manager Self-Service, technical name:
  pcd:portal_content/com.sap.pct/line_manager/com.sap.pct.addon.mss.PACKAGEMSS/com.sap.pct.addon.mss.Rolesmss/com.sap.pct.addon.mss.Manager_Self-Service
- Role: ERP Common, technical name:
  pcd:portal_content/com.sap.pct/every_user/com.sap.pct.erp.common.bp_folder/com.sap.pct.erp.common.roles/com.sap.pct.erp.common.erp_common

The above MSS role was copied to the sample role referenced in SAP Note 1564758, as follows:
- Role: Manager Self-Service, technical name:
  pcd:portal_content/com.RDS_ESS_MSS_EP.Y_RDS_ESS_MSS/MSS/Roles/com.sap.pct.addon.mss.Manager_Self-Service
