1. Security Management Logic
Security Management is split by Role and Scope depending on the object you want to give users access to.
1.1 Role
- Each user must have at least one role (and can have several).
- The role is a user group.
- The objective is to give access to Workspaces (Remote and/or Web), Models and Shortcuts.
- The list of roles by GBU has been defined and should not change frequently.
- For example: two users can be Sales Manager for one GBU - they will see the same workspaces, shortcuts, models... The process will be identical.
1.2 Scope
- Each user must have one scope/perimeter only (in order to avoid conflict/blocking between several users).
- The scope is a user group.
- The objective is to give access to a specific list of DFUs or any other dimension (depending on an aggregated level).
- The scope changes frequently, depending on the Commercial Team organization in SAP/GBU.
- For example: two users can be Sales Managers for one GBU but with two different scopes - they will be able to work on the same workspace at the same time on a different set of DFUs.
2. Security by GBU
The logic and best practices are to:
- Use only "Role" user groups to set up Models security, with no exception for "Scope" user groups;
- Set up security at the highest level of the structure: the setting is inherited at each disaggregated level;
- Apply "Deny", by Model, when the data is not used by this user role, never at a more detailed level (and conversely, apply "Allow" when the data is used by the user role).
If a business request can't follow these rules, a new "Role" user group needs to be created; no exception can be applied.
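The rules from sections 1 and 2 can be checked mechanically against an export of the configuration. The audit below is an added example, not part of the planning tool: the export layout, the group names and the `audit` function are assumptions, and the sample data is constructed.

```python
# Added example: a hypothetical export of users, groups and model security.
# Group names, user names and the data layout are constructed for illustration.
GROUPS = {  # group name -> kind ("role" or "scope")
    "TS - Sales Employee": "role",
    "TS - Pricing Team": "role",
    "TS - US / Scope A": "scope",
    "TS - US / Scope B": "scope",
}
USERS = {  # user -> groups the user belongs to
    "user1": ["TS - Sales Employee", "TS - US / Scope A"],
    "user2": ["TS - Sales Employee", "TS - US / Scope A", "TS - US / Scope B"],
    "user3": ["TS - US / Scope B"],
}
# (group, model, level, effect); level "model" is the top of the structure.
MODEL_RULES = [
    ("TS - Sales Employee", "z. Budget", "model", "deny"),
    ("TS - US / Scope A", "z. Budget", "model", "allow"),
    ("TS - Pricing Team", "z. Pricing management", "sub-level", "deny"),
]


def audit(users, groups, model_rules):
    """Return (subject, problem) for every departure from the role/scope rules."""
    findings = []
    for user, names in sorted(users.items()):
        kinds = [groups[n] for n in names]
        if "role" not in kinds:  # at least one role per user
            findings.append((user, "no role group"))
        if kinds.count("scope") != 1:  # exactly one scope per user
            findings.append((user, f"{kinds.count('scope')} scope groups, expected 1"))
    for group, model, level, effect in model_rules:
        if groups[group] != "role":  # Models security only on role groups
            findings.append((group, f"model security on a scope group ({model})"))
        if level != "model":  # allow/deny only at the highest level
            findings.append((group, f"{effect} set below model level ({model})"))
    return findings


if __name__ == "__main__":
    for subject, problem in audit(USERS, GROUPS, MODEL_RULES):
        print(f"{subject}: {problem}")
```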
As explained above, security is applied based on GBU and role. Here is the summary of the roles by GBU.
| GBU | Database | Role | Scope | Model security | User profile | Type of access |
|---|---|---|---|---|---|---|
| AROMA PERFORMANCE | DP1 | Demand Planner | Zone | | Global Planner | Remote |
| | | Sales Rep. | Sales group code (WP1); Account Manager code (PF1) | | Collaborator | Remote (Migration to web in progress) |
| | | Global Key Account Manager | GBU Ship-To Group name/code | | Viewer | Remote (Migration to web in progress) |
| NOVECARE | DP3 | S&OP Manager | Windows Login + set-up by Main Shipping plant / Main Production plant | U00 - Impot - IN; U99 - Export - OUT; x. Supersession; x. Master Tables Update; x. Users Scope Management; y. GBU - NOVECARE; z. MTP / Commercial RoadMap; z. Budget | Global Planner | Remote |
| | | Sales Manager | Sales group code (WP1); Account Manager (PF1) | U00 - Impot - IN; x. Supersession; x. Users Scope Management; y. GBU - NOVECARE; z. MTP / Commercial RoadMap; z. Budget | Collaborator | Web |
| | | Sales Assistant (CSR - Customer Service Representative) | ZI Partner code (WP1); CSS Representative code (PF1) | U00 - Impot - IN; x. Supersession; x. Users Scope Management; y. GBU - NOVECARE; z. MTP / Commercial RoadMap; z. Budget | Collaborator | Web |
| | | Global Key Account Manager | Ship-To KA name/code | U00 - Impot - IN; x. Supersession; x. Users Scope Management; y. GBU - NOVECARE; z. MTP / Commercial RoadMap; z. Budget | Viewer | Web |
| | | RMD (Regional Market Director) | Zone and BfC Market | U00 - Impot - IN; x. Supersession; x. Users Scope Management; y. GBU - NOVECARE; z. MTP / Commercial RoadMap; z. Budget | Viewer | Web |
| | | BDM (Business Development Manager) | Zone and BfC Market | U00 - Impot - IN; x. Supersession; x. Users Scope Management; y. GBU - NOVECARE; z. MTP / Commercial RoadMap; z. Budget | Viewer | Web |
| TS | DP1 | Demand Planner | BU | F01C-1. Material:Shipto@DC; U00 - Import - IN; x. Supersession; x. Master Tables Update; y. GBU - TS; z. Budget; z. Classification ABC; z. CRM Opportunities/Quote; z. Pricing management | Global Planner | Remote |
| | | Product Manager | Material (updated manually through data field) | F01C-1. Material:Shipto@DC; U00 - Import - IN; x. Supersession; x. Master Tables Update; y. GBU - TS; z. Budget; z. Classification ABC; z. CRM Opportunities/Quote; z. Pricing management | Collaborator | Web |
| | | Sales Employee | Sales Employee Code | F01C-1. Material:Shipto@DC; U00 - Import - IN; x. Supersession; x. Master Tables Update; y. GBU - TS; z. Budget; z. Classification ABC; z. CRM Opportunities/Quote; z. Pricing management | Collaborator | Web |
| | | RSD | No condition (list of Sales Rep. through users group) | F01C-1. Material:Shipto@DC; U00 - Import - IN; x. Supersession; x. Master Tables Update; y. GBU - TS; z. Budget; z. Classification ABC; z. CRM Opportunities/Quote; z. Pricing management | Collaborator | Web |
| | | Pricing Team | Full GBU (no condition) | F01C-1. Material:Shipto@DC; U00 - Import - IN; x. Supersession; x. Master Tables Update; y. GBU - TS; z. Budget; z. Classification ABC; z. CRM Opportunities/Quote; z. Pricing management | Collaborator | Remote |
3. Examples
Here are some examples of concrete cases raised through tickets over the years.
3.1 Example #1 - Simple
For example, for a Sales Employee of a given GBU:
| # | Description | Screenshot |
|---|---|---|
| 1 | Right-click the master table Sales Employee ID, then click Security. In the Advanced security tab, associate the conditions with the corresponding user groups, for each user group. | |
| 2 | Right-click the master table Material:shipto@DC, then click Security. In the Advanced security tab, associate the conditions with the corresponding user groups, for each user group. | |
3.2 Example #2 - Complex
| # | Description | Screenshot | Reference view |
|---|---|---|---|
| | Problem Reporting! | | |
| 1 | User SANTOSMA gets an all-black view when opening the workspace. | | |
| | Trouble Shooting! | | |
| 2 | The grid view has a split on dimension Material:Shipto@DC into | | |
| 3 | If you connect as the user in the rich client and right-click => Configure on the view, you can check which one is empty (the one with /): | | |
| 4 | The problem is on Material: the view has a filter on Material, on condition 'GBU - TS: Yes & Planned Material \| TS : Yes': | | |
| 5 | The user belongs to these groups: | | |
| 6 | The only group with security configured on the master table 'Material' is TS - US / Marcio Santos, with the visibility condition 'GBU - SA&D'. Finally, a right-click => hierarchy view (with a super user account) on the master table 'Material' shows that there is no intersection between the combination of the conditions used to filter the grid and the visibility condition: | | |
| 7 | Select the 3 conditions here (holding the Control key allows multiple selection): | | |
| 8 | We can see that no material fulfills the 3 conditions: | | |
| | Fix! | | |
| 9 | The problem is on Material: the view has a filter on Material, on condition 'GBU - TS: Yes & Planned Material \| TS : Yes'. Remove the condition 'GBU - SA&D' in the Material table associated with user group TS - US / Marcio Santos. | | |
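The empty view in this ticket comes from an empty intersection between the view filter and a group's visibility condition. The sketch below is an added example, not taken from the tool: it reproduces that reasoning on constructed Material rows, assuming all conditions combine with AND as in steps 6 to 8. The material codes, the `TS - Sales Employee` group and the `diagnose` function are hypothetical.

```python
# Added example: constructed Material rows. Condition names are the ones quoted
# in the ticket; material codes, flag values and the role group are made up.
MATERIALS = {
    "MAT-001": {"GBU - TS": True, "Planned Material | TS": True, "GBU - SA&D": False},
    "MAT-002": {"GBU - TS": True, "Planned Material | TS": False, "GBU - SA&D": False},
    "MAT-003": {"GBU - TS": False, "Planned Material | TS": False, "GBU - SA&D": True},
}
VIEW_FILTER = ["GBU - TS", "Planned Material | TS"]
# Visibility conditions configured on the master table, per user group.
GROUP_VISIBILITY = {"TS - US / Marcio Santos": ["GBU - SA&D"]}
USER_GROUPS = ["TS - Sales Employee", "TS - US / Marcio Santos"]


def matching(materials, conditions):
    """Return the materials for which every named condition is true."""
    return {m for m, flags in materials.items()
            if all(flags.get(c, False) for c in conditions)}


def diagnose(materials, view_filter, group_visibility, user_groups):
    """Intersect the view filter with the user's visibility conditions.

    Assumption: all conditions are combined with AND, as in steps 6 to 8.
    When nothing is visible, list each (group, condition) whose removal
    would make the view non-empty again.
    """
    visibility = [(g, c) for g in user_groups for c in group_visibility.get(g, [])]
    conditions = view_filter + [c for _, c in visibility]
    report = {
        "filter_only": matching(materials, view_filter),
        "visible": matching(materials, conditions),
        "blocking": [],
    }
    if not report["visible"]:
        for group, cond in visibility:
            rest = [c for c in conditions if c != cond]
            if matching(materials, rest):
                report["blocking"].append((group, cond))
    return report


if __name__ == "__main__":
    print(diagnose(MATERIALS, VIEW_FILTER, GROUP_VISIBILITY, USER_GROUPS))
    # Step 9: the condition is removed from the group, the view has data again.
    print(diagnose(MATERIALS, VIEW_FILTER, {}, USER_GROUPS))
```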

















