1. Security Management Logic
Security Management is split by Role dans Scope depending on the object you want to give users access to.
1.1 Role
- One user needs to have at least one role (but can have multiple ones).
- The role is concretely a user group.
- The objective behind is to give access to Workspaces (Remote and/or Web), Models, Shortcuts.
- The list of roles by GBU has been defined and should not changed frequently.
- For example: two users can be Sales Manager for one GBU - they will see the same workspaces, shortcuts, models... The process will be identical.
1.2 Scope
- One user needs to have one scope/perimeter only (in order to avoid conflict/blocking between several users.)
- The scope is concretely a user group.
- The objective behind is to give access to a specific list of DFUs or any other dimension (depending on an aggregated level).
- The scope is changing frequently depending on Commercial Team organization in SAP/GBU.
- For example: two users can be Sales Managers for one GBU but with two different scopes - they will be able to work on the same workspace at the same time on a different set of DFUs.
2. Security by GBU
As explained above, security is applied based on GBU and role. Here is the summary of GBU roles list.
The logic and best practices are to:
- Use exclusively User Groups “Role” to set-up Models security - no exception for user group scope;
- Set-up security at the highest level of the structure: set-up will be inherited at each disaggregated level;
- Apply “deny” when data is not used for this user role, by Models - never at a more detailed level (and in the opposite way, apply "Allow" when data is used for the user role).
If a business request can’t follow these rules, a new user group "role" needs to be created - no exception can be applied.
2.1. DP2 - Composites (CM)
i. Workspaces
The logic here is to use:
- Remote Workspaces for Demand Planners and PMI/PMI Admin. users;
- Web Workspaces for Regional Sales Managers and Account Managers users.
Workspaces are not visible by default - "Allow" is applied as below:
Workspaces / User Group | CM - Role Demand Planner | CM - Role Regional Sales Manager | CM - Role Forecast Account Manager | CM - Role PMI Admin. | CM - Role PMI |
|---|---|---|---|---|---|
Workspaces / User Group | CM - Role Demand Planner | CM - Role Regional Sales Manager | CM - Role Forecast Account Manager | CM - Role PMI Admin. | CM - Role PMI |
| Remote Workspaces | Deny | Deny | Deny | Deny | Deny |
| ![ADMIN SBS] Modify Key Structural Elements | Deny | Deny | Deny | Deny | Deny |
| ![ADMIN SBS] Technical Views | Deny | Deny | Deny | Deny | Deny |
| 0. Admin data [AERO] | Allow | Deny | Deny | Deny | Deny |
00. New DFU Creation & Life Cycle [AERO] | Allow | Deny | Deny | Deny | Deny |
000. Master Data Mass Update | Allow | Deny | Deny | Deny | Deny |
| 1. Statistical forecast [AERO] | Allow | Deny | Deny | Deny | Deny |
| 2. Demand Review [AERO] | Allow | Deny | Deny | Deny | Deny |
| 2. Demand Review [AERO] - Amanda | Allow | Deny | Deny | Deny | Deny |
| 2. Demand Review [AERO] - back up | Allow | Deny | Deny | Deny | Deny |
| 2. Demand Review [AERO] - Kevin | Allow | Deny | Deny | Deny | Deny |
| 2. Demand Review [AERO] - Kp | Allow | Deny | Deny | Deny | Deny |
| 2. Demand Review [AERO] - only Program | Allow | Deny | Deny | Deny | Deny |
| 3. Forecast reliability & ABC classification [AERO] | Allow | Deny | Deny | Deny | Deny |
| 4. FCN [AERO] | Allow | Deny | Deny | Deny | Deny |
| 5. Budget Review [AERO] | Allow | Deny | Deny | Deny | Deny |
| 6. PMI [AERO] | Allow | Deny | Deny | Allow | Allow |
| 6. PMI [AERO] - Admin only | Allow | Deny | Deny | Allow | Deny |
| 7. Pricing Modification [AERO] | Allow | Deny | Deny | Deny | Deny |
| 8.a Skyline [AERO] | Allow | Deny | Deny | Deny | Deny |
| 8.b Engines [AERO] | Allow | Deny | Deny | Deny | Deny |
| 8.c Build Rate [AERO] | Allow | Deny | Deny | Deny | Deny |
| 9. Simulation [AERO] | Allow | Deny | Deny | Deny | Deny |
| Web. Sales Team Forecast | Allow | Allow | Allow | Deny | Deny |
| Web Workspaces | Deny | Deny | Deny | Deny | Deny |
| 1a. Sales team forecast - Default view. | Allow | Allow | Allow | Deny | Deny |
| 1b. Sales team forecast - Default view with graph. | Allow | Allow | Allow | Deny | Deny |
| 1c. Sales team forecast - List View with full data. | Allow | Allow | Allow | Deny | Deny |
| 1d. Sales team forecast - List View with STF only. | Allow | Allow | Allow | Deny | Deny |
| 1e. Sales team forecast - List View for import and export | Allow | Allow | Allow | Deny | Deny |
| 2. Forecast Change Notice. | Allow | Allow | Allow | Deny | Deny |
| 3. New combination. | Allow | Allow | Allow | Deny | Deny |
| 4. Alerts. | Allow | Allow | Allow | Deny | Deny |
| 5. PMI view | Allow | Allow | Allow | Deny | Deny |
| 6a. Sales Report by Customer | Allow | Allow | Allow | Deny | Deny |
| 6b. Sales Report by Program | Allow | Allow | Allow | Deny | Deny |
| 7. Collaborative review | Allow | Allow | Allow | Deny | Deny |
| Homepage | Allow | Allow | Allow | Deny | Deny |
ii. Models
a. Core Models
Forecast Models are not visible by default - "Allow" is applied as below:
Models / User Group | CM - Role Demand Planner | CM - Role Regional Sales Manager | CM - Role Forecast Account Manager | CM - Role PMI Admin. | CM - Role PMI |
|---|---|---|---|---|---|
| Forecast Models | Deny | Deny | Deny | Deny | Deny |
| F01C-1.Material:Shipto@DC | Allow | Deny | Deny | Deny | Deny |
| F02C-2.Material:Forecast Customer@Spec | Allow | Allow | Allow | Allow | Allow |
| F03C-3.Program | Allow | Deny | Deny | Deny | Deny |
| F04C-4.Market | Deny | Deny | Deny | Deny | Deny |
| Forecast Models (bi-levels) | Deny | Deny | Deny | Deny | Deny |
| 1-2.Cst-Sit | Allow | Deny | Deny | Deny | Deny |
| 2-3.Itm-Fam | Allow | Deny | Deny | Deny | Deny |
| 3-4. Shipto-CustGr | Deny | Deny | Deny | Deny | Deny |
b. User Models
User Models are not visible by default - "Allow" is applied as below:
Models / User Group | CM - Role Demand Planner | CM - Role Regional Sales Manager | CM - Role Forecast Account Manager | CM - Role PMI Admin. | CM - Role PMI |
|---|---|---|---|---|---|
Models / User Group | CM - Role Demand Planner | CM - Role Regional Sales Manager | CM - Role Forecast Account Manager | CM - Role PMI Admin. | CM - Role PMI |
| User Models | Deny | Deny | Deny | Deny | Deny |
| _Tech | Deny | Deny | Deny | Deny | Deny |
| ABC DFU (Value) | Allow | Deny | Deny | Deny | Deny |
| ABC lvl1 ( Unit) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl2 (Regular) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl2 (Unit) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl3 (Regular) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl3 (Unit) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl4 (Regular) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl4 (Unit) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl4 (Value) | Deny | Deny | Deny | Deny | Deny |
| ABC Program | Allow | Deny | Deny | Deny | Deny |
ABC Program (Value) | Deny | Deny | Deny | Deny | Deny |
| ABC Resin | Allow | Deny | Deny | Deny | Deny |
| U00 - Import - IN | Allow | Allow | Allow | Deny | Deny |
| U99 - Export - OUT | Deny | Deny | Deny | Deny | Deny |
| x. Currency Management | Deny | Deny | Deny | Deny | Deny |
| x. Master Tables Update | Allow | Deny | Deny | Deny | Deny |
| x. Supersession | Allow | Deny | Deny | Deny | Deny |
| y. GBU - AERO - DP | Allow | Allow | Allow | Allow | Allow |
| y. GBU - AERO - PMI | Allow | Allow | Allow | Allow | Allow |
| z. Budget | Allow | Allow | Allow | Deny | Deny |
| z. KPIs | Deny | Deny | Deny | Deny | Deny |
| z. Pricing Management | Allow | Allow | Allow | Deny | Deny |
iii. Shortcuts
Shortcuts are not visible by default - "Allow" is applied as below by folder:
Shortcuts / User Group | CM - Role Demand Planner | CM - Role Regional Sales Manager | CM - Role Forecast Account Manager | CM - Role PMI Admin. | CM - Role PMI |
|---|---|---|---|---|---|
| 0. SBS | Deny | Deny | Deny | Deny | Deny |
1. USER ROLE | Allow | Deny | Deny | Allow | Allow |
| A. AERO | Allow | Deny | Deny | Deny | Deny |
iv. Master Tables
Security of Master Tables is usually set-up when related to User Management: when a new scope is created (new user or scope transition), the condition should be inputted in both visibility and modification columns.
Master Table / User Group | CM - Scope Demand Planner | CM - Scope Regional Sales Manager | CM - Scope Forecast Account Manager | CM - Scope PMI Admin. | CM - Scope PMI |
|---|---|---|---|---|---|
| Ship-to | None | RSM condition | FAM condition | PMI Admin. condition | None |
| Regional Sales Manager | None | RSM condition | None | None | None |
| Primary Sales Coordinator | None | None | None | None | PMI SC1 condition |
| Material:Shipto:Spec@DC | None | RSM condition | FAM condition | None | None |
| Material:ForecastCustomer@Spec | None | RSM condition | FAM condition | Active Ship-to | CM | PMI SC1 condition |
Forecast Customer | None | RSM condition | FAM condition | PMI Admin. condition | None |
Forecast Account Manager | None | RSM condition | FAM condition | None | None |
2.2 DSCP1 - Soda Ash and Derivatives (SD)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.3 DP3 - Novecare (CS)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.4 DP3 - Oil and Gas (OG)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.5 DP3 - Special Chem (CH)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.6 DP1 - Aroma (PA)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.7 DP1 - Perox (PE)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.8 DP1 - Silica (SI)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.9 DP1 - Technology Solutions (TS)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.10 DSCP2 - Specialty Polymers (SP)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
3. Examples
Here are some examples on concret cases, raised by ticket through the years.
3.1 Example #1 - Simple
For ex: for a Sales Employee of a given GBU
| # | Description | Screenshot |
|---|---|---|
| 1 | right click the master table Sales Employee ID, then click Security In the Advanced security tab, for each user group, associate the conditions to the corresponding user groups, |
|
| 2 | right click the master table Material:shipto@DC, click Security In the Advanced security tab, for each user group, associate the conditions to the corresponding user groups, |
|
3.2 Example #2 - Complex
For example, QSM-285899
| # | Description | Screenshot | Reference view |
|---|---|---|---|
Problem Reporting! | |||
| 1 | user SANTOSMA all black view while open the work space, |
|
|
Trouble Shooting! | |||
| 2 | The grid view has a split on dimension Material:Shipto@DC into
|
| |
| 3 | If you connect as the user into the rich client and right click => Configure |
| |
| 4 | The problem is on Material : the view has a filter on Material, on condition 'GBU - TS: Yes & Planned Material | TS : Yes' : |
| |
| 5 | User belongs to those groups : |
| |
| 6 | The only group having a security configured on the master table 'Material' is TS - US / Marcio Santos, with the visibility condition 'GBU - SA&D' Finally, a right click => hierarchy view (with a super user account) on the master table 'Material' shows that there is no intersection between the combination of the conditions used to filter the grid and the condition of visibility : |
| |
| 7 | select here the 3 conditions (pressing control key allows to multiple select them) : |
| |
| 8 | And we can see that no material fulfills the 3 conditions : |
| |
Fix! | |||
| 9 | The problem is on Material : the view has a filter on Material, on condition 'GBU - TS: Yes & Planned Material | TS : Yes' : To remove the condition 'GBU - SA&D' in Material table associated with user group TS - US / Marcio Santos |
| |
