Comment: Security changes
Status

Page Status

Owner: BIDALIA-ext, Kuldeep
Stakeholders:
Jira Request ID: ERP-167 (Syensqo's Jira)
Jira Development ID: ERP-512 (Syensqo's Jira)

High-Level Specification

Parameter | Value
Application System | S/4Hana ROW, S/4Hana China, S/4Hana CUI
Business Process Reference | 10.02.01.01. Manage Project/WBS Changes; 10.01.03.01. Manage Initiatives and Items

Functional Overview

In the standard SAP S/4HANA system, named users are typically assigned to the standard fields "Person Responsible No." and "Applicant No.", which are used in both the Project Definition and the Work Breakdown Structure (WBS) elements of a project. These assignments are used to track accountability and facilitate project-related notifications and workflows. However, under the I2M proposed solution, this approach is being redefined. Instead of linking these fields to individual named users, the system will use role-based HR positions. The standard fields are maintained through manual configuration; in the Syway design, it is intended to use Position numbers in this table based on the roles assigned. This means:

  • HR positions assigned to specific Security Roles via SAP User IDs, rather than specific named users, will be designated as the responsible entities at the PPM Item, Project Definition and WBS element levels.
  • This enables a role-based project system, allowing for greater flexibility and scalability in project governance.
  • It supports organizational continuity, as responsibilities are tied to HR Position rather than individuals, reducing the need for manual updates when personnel changes occur.
  • Enhanced search help will be enabled for "Person Responsible No." and "Applicant No." fields.

Scope and Objectives

Scope: This enhancement defines a scheduled SAP batch job that extracts HR positions based on their Security Role assignment and updates:

  1. Person Responsible No. Table: Populated with positions linked to TCJ04 specific security roles i.e. ‘Person Responsible - Project’, ‘Person Responsible - WBS’.
  2. Applicant No. Table: Populated with positions linked to TCJ05 specific security role/s i.e. ‘Project Financial Controller’.
  3. Enhance Search Help: Enhance the search help tab to find Position based on Position Name, Personnel ID, Personnel name etc.

Objective: The key objective is to auto-populate the Person Responsible and Applicant tables with relevant Positions based on relevant Security Roles, improving data accuracy and timeliness in project and financial role assignments and reducing manual intervention in HR-Role mapping updates.


Process Flow Diagram

[Image: process flow diagram]

Process steps are:

Step | Description | Comment
1 | Create a HR Position | Create a HR Position and assign organizational units and necessary information.
2 | Assign Security Role to SAP User ID | Assign TCJ04 specific security Roles e.g. ‘Person Responsible - Project’ OR ‘Person Responsible - WBS’ OR TCJ05 specific security Role/s ‘Project Financial Controller’ to SAP User ID/s.
2 | Assign SAP User ID to a HR Position | SAP User ID assigned to existing active HR Position.
3 | Execute Batch Job manually | Position will be derived based upon the defined Security Role assignment to the SAP User ID. Person Responsible No. or Applicant No. table will be appended as: (1) If Positions are derived via Security Roles ‘Person Responsible - Project’ OR ‘Person Responsible - WBS’, then the Person Responsible No. table will be updated with a new record. (2) If Positions are derived via Security Role ‘Project Financial Controller’, then the Applicant No. table will be updated with a new record.
4 | Check Positions available in Project Definition and WBS elements | Open a project and select project definition/WBS element. If Security Roles ‘Person Responsible - Project’ OR ‘Person Responsible - WBS’ are assigned to the Position via SAP User ID, then search the Position in the Person Responsible No. field. If Security Role ‘Project Financial Controller’ is assigned to the Position via SAP User ID, then search the Position in the Applicant No. field.
5 | Check Positions available in the PPM Item | Open a PPM Item. If Security Roles ‘Person Responsible - Project’ OR ‘Person Responsible - WBS’ are assigned to the Position via SAP User ID, then search the Position in the Person Responsible Project Owner field. If Security Role ‘Project Financial Controller’ is assigned to the Position via SAP User ID, then search the Position in the Project Financial Controller field.

DELETE-

Internal testing, TCode PO13, Position 50000038, Infotype Communication B 007

Assumptions

Role-to-position relationships are maintained in standard HR Infotype. 

  • The system will have predefined and stable Security Roles. TCJ04 specific security roles i.e. ‘Person Responsible – Project’, ‘Person Responsible – WBS’, and TCJ05 specific security role/s i.e. ‘Project Financial Controller’ are expected to be consistently active. These Security Role names could vary based on Syensqo's nomenclature standards.
  • One Position will be assigned to a single user.
  • HR positions do not have direct security role assignments.
  • HR position master data will be replicated in S/4 as HR mini-master.
  • The current design is based on the existing understanding of the design as of December 2025. Changes to design, such as Job Architecture, might result in changes to this RICEF. This logic will be determined post HR and Security design finalization.

Dependencies

  • HR mini master data must be replicated and kept current (up to date) in SAP S/4HANA. Positions must be assigned to relevant Personnel Nos.
  • Table structures for Person Responsible No. and Applicant No. must allow maintenance via Batch Job without creating Transport Request.
  • Given that HR Positions are Tier-1 master data, they will be replicated across all instances along with their associated infotypes.
  • An interface will be developed to replicate entries from the Person Responsible and Applicant tables into the corresponding tables of all instances.

Security, Integrity and Controls

  • Authorization Checks: The application job will run under a non-dialog technical user with restricted read access to the required HR mini master tables and infotypes and write access to the Person Responsible No. and Applicant No. tables.
  • Data Validation: Security Role codes and position IDs are validated before update (TCJ04 and TCJ05).

Configuration Requirements

N/A

Language Requirements

N/A

Special Requirements

N/A


Design Rationale

Functional Requirements

The proposed application job must fulfil the functional requirement of ensuring that accurate, Security Role based HR Positions (derived via SAP User ID) are available and extracted for project governance.

Once extracted, the batch logic must filter positions based on Security Role: positions linked to "Person Responsible- Project", "Person Responsible- WBS" Security Roles must be inserted or updated in the Person Responsible table, while those linked to the Project Financial Controller Security Role must populate the Applicant table. 

Additionally, the application job must record every update, capturing metadata such as the timestamp and whether a record was added, modified, or deleted, to ensure audit traceability.


  Note: Alternatively, find the Jobs assigned to the role and find the corresponding positions of the jobs (logic to be determined post HR and Security role design).

Proposed Technology to Use

N/A

Data Source Considerations

N/A

Table | Field Name | Comments/Calculation/Field Manipulation
HRP1001 | OBJID | Field for picking Personnel No. (OTYPE = P) and Position (OTYPE = S)
AGR_USERS | UNAME | Source for SAP User ID based on Security Roles
HRP1000 | MC_STEXT | Source for Position Text

Data Validation Considerations

  • Data Validation: Position IDs are validated for active status before update.

Table | Field Name | Comments/Calculation/Field Manipulation
HRP1001 | BEGDA | The system date must be on or after the start date
HRP1001 | ENDDA | The system date must be earlier than the end date
HRP1014 | REDUN | Obsolete indicator must not be assigned to the Position

Custom Tables

N/A

Master Data

N/A


Configuration Table

Configuration tables TCJ04 (for Person Responsible No.) and TCJ05 (Applicant No.) will be maintained via Batch Job without creating Transport Request.

Field | Description | Data Type/Length | Validation rule/Value Help
TCJ04-VERNR | Pers.Resp.No. | NUMC/8 | Filled by derived Position IDs
TCJ05-ASTNR | Applicant no. | NUMC/8 | Filled by derived Position IDs

Selection Screen Enhancement

Field Name | Description | Select: | Data Type/Length | Default Value/Validation rule/Value Help | Selection Logic
AGR_NAME | Person Responsible Roles | Parameter | CHAR/30 | TCJ04 specific security roles: Person Responsible- Project, Person Responsible- WBS | Multiple Roles can be selected
AGR_NAME | Applicant Roles | Parameter | CHAR/30 | TCJ05 specific security role/s: Project Financial Controller | Multiple Roles can be selected

Processing Logic

This enhancement is initiated through a daily application job to ensure that Job based positions are consistently maintained within the TCJ04 & TCJ05 tables. The sequence is:

  1. Identify Person Responsible Positions

     Pick all active Positions based on Person Responsible Roles or TCJ04 specific security roles:

     a. Pass the roles defined in "Person Responsible Roles" in the selection screen to the field AGR_USERS-AGR_NAME, and retrieve all SAP users (AGR_USERS-UNAME) whose validity period is active, i.e. the current date falls between the latest start date (AGR_USERS-FROM_DAT) and end date (AGR_USERS-TO_DAT).

     b. Retrieve the User ID and determine the active Personnel Number from table PA0105. Pass the User ID to field PA0105-USRID where PA0105-USRTY = 0001.

        Ensure that the Personnel Number is active, i.e. the current date falls within the validity period defined by start date (PA0105-BEGDA) and end date (PA0105-ENDDA). Finally, select the Personnel Numbers from field PA0105-PERNR.

     c. Pass the Personnel Nos. to HRP1001-OBJID to get the active Position. Pass the information below to HRP1001 to pick the active position, i.e. HRP1001-SOBID:

        OTYPE = P
        OBJID = Personnel No.
        PLVAR = 01
        RSIGN = 008
        Current date between Latest Start (BEGDA) and End date (ENDDA) to ensure Person to Position mapping is active
        SCLAS = S
        Pick SOBID

        Pass the selected position to table HRP1014 and verify that the obsolete check is inactive, i.e. field REDUN is blank or no corresponding record exists in HRP1014. Ignore the Position if an entry is found.

     d. Pick the Position description from HRP1000 where:

        OTYPE = S
        OBJID = Position no.
        Current date between Latest Start (BEGDA) and End date (ENDDA) to ensure Person to Position mapping is active
        Pick MC_STEXT

     The list of Position IDs with Description will be collected; remove duplicate entries if found.

  2. Identify Applicant Positions

     Pick all active Positions based on Applicant Roles or TCJ05 specific Security Role/s:

     a. Follow the same steps as above for TCJ05 specific Security Role/s and collect Position IDs with Description.

     Note for steps 1 & 2: Alternatively, find the Jobs assigned to the role and find the corresponding positions of the jobs (logic to be determined post HR and Security role design).

  3. Update Tables TCJ04 and TCJ05

  • New Position added
    • Person Responsible table

      For TCJ04 specific Security Roles, compare the TCJ04 table entries with Step-1 data.

      If new Positions are found in Step-1 data, then insert them as new records in TCJ04, i.e. Position in VERNR and respective Position text in VERNA.

    • Applicant table

      For TCJ05 specific Security Role/s, compare the TCJ05 table entries with Step-2 data.

      If new Positions are found in Step-2 data, then insert them as new records in TCJ05, i.e. Position in ASTNR and respective Position text in ASTNA.

  • Existing Position Name changed
    • Person Responsible table

      For TCJ04 specific Security Roles, compare the TCJ04 table's data with Step-1 data.

      If the same Positions are found in both, then update each Position text, i.e. TCJ04-VERNA.

    • Applicant table

      For TCJ05 specific Security Role/s, compare the TCJ05 table's data with Step-2 data.

      If the same Positions are found in both, then update each Position text, i.e. TCJ05-ASTNA.

  • Delete: if the Position is inactive, the Role is no longer assigned, or the Position is not within its validity dates

      Get the list of Positions from the TCJ04 & TCJ05 tables and pass it to HRP1000 to check for inactive positions:

      OTYPE = S
      OBJID = Position
      ENDDA is before system date

      Also, get the list of Positions from the TCJ04 & TCJ05 tables and pass it to HRP1014 to get obsolete positions:

      OTYPE = S
      OBJID = Position
      REDUN = X

      Collect all positions from the above steps and delete the records from the respective TCJ04 & TCJ05 tables.
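
The derivation in steps 1 and 2 and the table update in step 3, together with the audit record the Functional Requirements ask for, modelled in Python as an added example (not the project's ABAP and not part of the original specification). The sample rows, the audit record layout and the choice to delete every entry that is no longer derived (which covers the "Role is no longer assigned" case) are assumptions; the relationship filter is reproduced as written above.

```python
def active(row, today, lo="BEGDA", hi="ENDDA"):
    """True when today lies inside the record's validity window (inclusive)."""
    return row[lo] <= today <= row[hi]

def derive_positions(roles, today, agr_users, pa0105, hrp1001, hrp1014, hrp1000):
    """Steps a-d: role -> SAP user -> personnel no. -> position -> position text."""
    users = {r["UNAME"] for r in agr_users
             if r["AGR_NAME"] in roles and active(r, today, "FROM_DAT", "TO_DAT")}
    pernrs = {r["PERNR"] for r in pa0105
              if r["USRTY"] == "0001" and r["USRID"] in users and active(r, today)}
    held = {r["SOBID"] for r in hrp1001
            if r["OTYPE"] == "P" and r["OBJID"] in pernrs and r["PLVAR"] == "01"
            and r["RSIGN"] == "008"  # relationship filter as written on the page
            and r["SCLAS"] == "S" and active(r, today)}
    obsolete = {r["OBJID"] for r in hrp1014 if r["OTYPE"] == "S" and r["REDUN"] == "X"}
    return {r["OBJID"]: r["MC_STEXT"] for r in hrp1000  # dict keys drop duplicates
            if r["OTYPE"] == "S" and r["OBJID"] in held - obsolete and active(r, today)}

def reconcile(table, derived, stamp):
    """Step 3: return the updated table and one audit record per changed entry."""
    audit = [(stamp, "ADDED" if p not in table else "MODIFIED", p, t)
             for p, t in sorted(derived.items()) if table.get(p) != t]
    audit += [(stamp, "DELETED", p, table[p]) for p in sorted(set(table) - set(derived))]
    return dict(derived), audit

# Constructed sample rows (not real data); dates are YYYYMMDD strings.
TODAY, ROLE = "20260115", "Person Responsible - Project"
V = {"BEGDA": "20250101", "ENDDA": "99991231"}
CHAIN = [  # (SAP user, personnel no., position, position text)
    ("USER_A", "00001001", "50000101", "Project Lead EMEA"),  # text changed
    ("USER_B", "00001002", "50000102", "Site Manager"),       # role assignment expired
    ("USER_C", "00001003", "50000103", "Legacy Planner"),     # position marked obsolete
    ("USER_D", "00001004", "50000104", "PMO Analyst"),        # new position
]
AGR_USERS = [{"AGR_NAME": ROLE, "UNAME": u, "FROM_DAT": "20250101",
              "TO_DAT": "20251231" if u == "USER_B" else "99991231"} for u, *_ in CHAIN]
PA0105 = [{"PERNR": p, "USRTY": "0001", "USRID": u, **V} for u, p, *_ in CHAIN]
HRP1001 = [{"OTYPE": "P", "OBJID": p, "PLVAR": "01", "RSIGN": "008", "SCLAS": "S",
            "SOBID": s, **V} for _, p, s, _ in CHAIN]
HRP1014 = [{"OTYPE": "S", "OBJID": "50000103", "REDUN": "X"}]
HRP1000 = [{"OTYPE": "S", "OBJID": s, "MC_STEXT": t, **V} for *_, s, t in CHAIN]
TCJ04 = {"50000101": "Project Lead", "50000102": "Site Manager"}  # VERNR -> VERNA

if __name__ == "__main__":
    derived = derive_positions({ROLE}, TODAY, AGR_USERS, PA0105, HRP1001, HRP1014, HRP1000)
    for record in reconcile(TCJ04, derived, TODAY + "T020000")[1]:
        print(record)
```

The expired role assignment of USER_B removes position 50000102 from the table even though the position itself is still valid, which is the case the HRP1000/HRP1014 checks alone would not catch.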


Volumetrics

N/A


Performance Considerations

N/A


Error Handling

The application job log must display added and deleted positions from both TCJ04 and TCJ05 tables.

The Application Job will be monitored via the standard Fiori application that monitors all Application Job processing in the system.

Testing

How to Test

Specific HR positions are required, and these positions are associated with SAP User IDs to which defined security roles are assigned.

Test Conditions and Expected Results

ID | Condition | Expected Result
1 | Valid new Position assigned to SAP User ID having security role "Person Responsible- Project" or "Person Responsible- WBS" | Entry in Person Responsible table will be maintained after executing batch job manually. Open a project, new Position will appear in the Person Responsible field of Project Definition and WBS Element.
2 | Valid new Position assigned to SAP User ID having security role "Project Financial Controller" | Entry in Applicant table will be maintained after executing batch job manually. Open a project, new Position will appear in the Applicant No. field of Project Definition and WBS Element.
3 | Security Role to SAP User ID i.e. defined roles of Person Responsible and Applicant are not assigned | No update in OPS6 or OPS7 after executing batch job manually.
4 | Change existing Position Description which is already maintained in either t-code OPS6 or OPS7 | Position text will be updated after executing batch job manually. Open a project, Position updated text will appear in the Person Responsible search field of Project Definition and WBS Element.
5 | Position with mixed jobs i.e. "Person Responsible- Project"/ "Person Responsible- WBS" and "Project Financial Controller" | Batch job will process and TCJ04 & TCJ05 tables will be maintained for the same record.
6 | Position with mixed jobs i.e. "Person Responsible- Project" and "Person Responsible- WBS" | Batch job will process and TCJ04 table will be maintained.
7 | The position is inactive, or its validity period has already expired | Position will be deleted from OPS6 or OPS7 after batch job execution. When a project is opened that still references an inactive or expired position, the position will continue to display against the Project Definition and WBS element without triggering any error. If necessary, the position can be overwritten.

Test Considerations/Dependencies

  • The H2R team to allocate 5 positions assigned to some Personnel Nos. (with SAP User IDs provided by the Security team) to support the execution of the various tests outlined above.
  • The Security team to share a few SAP User IDs reflecting assignments to the roles "Person Responsible – Project", "Person Responsible – WBS", and "Project Financial Controller", in varying combinations for test validation.


Other Information

N/A

Development Details

Package

Package Name | Parent Package

Enhancement Implementation

Enhancement Type | Standard Definition Name | Custom Implementation Name | Design Rationale Reference

Other Development Objects

Object Type | Object Name | Purpose/High Level Logic | Design Rationale Reference

Appendix

Custom Authorization Group Naming Convention

This table is based on the Syensqo development standards document. It provides the naming conventions for authorization groups to be associated with custom reports and tables to comply with security requirements.

ABAP | ZFI | ZMM | ZPS | ZCO | ZSD | ZBC | ZFI | ZCA
TABLES | ZFIT | ZMMT | ZPST | ZCOT | ZSDT | ZBCT | ZFIT | ZCAT
