1. Security Management Logic
Security Management is split by Role and Scope, depending on the object you want to give users access to.
1.1 Role
- One user needs to have at least one role (but can have multiple ones).
- The role is concretely a user group.
- The objective is to give access to Workspaces (Remote and/or Web), Models and Shortcuts.
- The list of roles by GBU has been defined and should not change frequently.
- For example: two users can be Sales Manager for one GBU - they will see the same workspaces, shortcuts, models... The process will be identical.
1.2 Scope
- One user needs to have one scope/perimeter only (in order to avoid conflict/blocking between several users).
- The scope is concretely a user group.
- The objective is to give access to a specific list of DFUs or any other dimension (depending on an aggregated level).
- The scope changes frequently depending on the Commercial Team organization in SAP/GBU.
- For example: two users can be Sales Managers for one GBU but with two different scopes - they will be able to work on the same workspace at the same time on a different set of DFUs.
2. Security by GBU
The logic and best practices are to:
- Use exclusively User Groups “Role” to set up Models security - no exception for user group scope;
- Set up security at the highest level of the structure: the set-up will be inherited at each disaggregated level;
- Apply “deny” when data is not used for this user role, by Models - never at a more detailed level (and conversely, apply "Allow" when data is used for the user role).
If a business request can’t follow these rules, a new user group "role" needs to be created - no exception can be applied.
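The membership rules of sections 1.1 and 1.2 and the first rule above can be checked mechanically. The following is an added example, not part of the original documentation or the planning tool: the user names, the "Legacy group" entry, the memberships, the security entries and the role/scope tagging of each group are all constructed assumptions.

```python
# Added example: constructed data and hypothetical names, not the tool's API.
# Assumption: every user group is tagged "role" or "scope" in an export.
GROUP_KIND = {
    "CM - Role Demand Planner": "role",
    "CM - Role PMI": "role",
    "CM - Scope Demand Planner": "scope",
    "CM - Scope PMI": "scope",
}
# Constructed memberships (user -> user groups).
MEMBERSHIPS = {
    "user_a": ["CM - Role Demand Planner", "CM - Scope Demand Planner"],
    "user_b": ["CM - Role PMI", "CM - Scope PMI", "CM - Scope Demand Planner"],
    "user_c": ["CM - Scope PMI"],
    "user_d": ["CM - Role PMI", "CM - Scope PMI", "Legacy group"],
}
# Constructed Models security entries (model, user group, setting).
MODEL_SECURITY = [
    ("F01C-1.Material:Shipto@DC", "CM - Role Demand Planner", "Allow"),
    ("F03C-3.Program", "CM - Scope PMI", "Allow"),
]


def audit_memberships(memberships, group_kind):
    """Section 1: at least one role, exactly one scope, no untagged group."""
    issues = []
    for user, groups in sorted(memberships.items()):
        kinds = [group_kind.get(g) for g in groups]
        for g, k in zip(groups, kinds):
            if k is None:
                issues.append((user, f"untagged group: {g}"))
        if kinds.count("role") < 1:
            issues.append((user, "no role"))
        if kinds.count("scope") != 1:
            issues.append((user, f"{kinds.count('scope')} scopes, expected 1"))
    return issues


def audit_model_security(entries, group_kind):
    """Section 2: Models security may reference Role groups only."""
    return [(model, group) for model, group, _ in entries
            if group_kind.get(group) != "role"]


if __name__ == "__main__":
    for issue in audit_memberships(MEMBERSHIPS, GROUP_KIND):
        print(issue)
    for issue in audit_model_security(MODEL_SECURITY, GROUP_KIND):
        print(issue)
```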
As explained above, security is applied based on GBU and role. Here is the summary list of roles by GBU.
2.1. DP2 - Composites (CM)
i. Workspaces
The logic here is to use:
- Remote Workspaces for Demand Planners and PMI/PMI Admin. users;
- Web Workspaces for Regional Sales Managers and Account Managers users.
Workspaces are not visible by default - "Allow" is applied as below:
| Workspaces / User Group | CM - Role Demand Planner | CM - Role Regional Sales Manager | CM - Role Forecast Account Manager | CM - Role PMI Admin. | CM - Role PMI |
|---|---|---|---|---|---|
| Remote Workspaces | Deny | Deny | Deny | Deny | Deny |
| ![ADMIN SBS] Modify Key Structural Elements | Deny | Deny | Deny | Deny | Deny |
| ![ADMIN SBS] Technical Views | Deny | Deny | Deny | Deny | Deny |
| 0. Admin data [AERO] | Allow | Deny | Deny | Deny | Deny |
| 00. New DFU Creation & Life Cycle [AERO] | Allow | Deny | Deny | Deny | Deny |
| 000. Master Data Mass Update | Allow | Deny | Deny | Deny | Deny |
| 1. Statistical forecast [AERO] | Allow | Deny | Deny | Deny | Deny |
| 2. Demand Review [AERO] | Allow | Deny | Deny | Deny | Deny |
| 2. Demand Review [AERO] - Amanda | Allow | Deny | Deny | Deny | Deny |
| 2. Demand Review [AERO] - back up | Allow | Deny | Deny | Deny | Deny |
| 2. Demand Review [AERO] - Kevin | Allow | Deny | Deny | Deny | Deny |
| 2. Demand Review [AERO] - Kp | Allow | Deny | Deny | Deny | Deny |
| 2. Demand Review [AERO] - only Program | Allow | Deny | Deny | Deny | Deny |
| 3. Forecast reliability & ABC classification [AERO] | Allow | Deny | Deny | Deny | Deny |
| 4. FCN [AERO] | Allow | Deny | Deny | Deny | Deny |
| 5. Budget Review [AERO] | Allow | Deny | Deny | Deny | Deny |
| 6. PMI [AERO] | Allow | Deny | Deny | Allow | Allow |
| 6. PMI [AERO] - Admin only | Allow | Deny | Deny | Allow | Deny |
| 7. Pricing Modification [AERO] | Allow | Deny | Deny | Deny | Deny |
| 8.a Skyline [AERO] | Allow | Deny | Deny | Deny | Deny |
| 8.b Engines [AERO] | Allow | Deny | Deny | Deny | Deny |
| 8.c Build Rate [AERO] | Allow | Deny | Deny | Deny | Deny |
| 9. Simulation [AERO] | Allow | Deny | Deny | Deny | Deny |
| Web. Sales Team Forecast | Allow | Allow | Allow | Deny | Deny |
| Web Workspaces | Deny | Deny | Deny | Deny | Deny |
| 1a. Sales team forecast - Default view. | Allow | Allow | Allow | Deny | Deny |
| 1b. Sales team forecast - Default view with graph. | Allow | Allow | Allow | Deny | Deny |
| 1c. Sales team forecast - List View with full data. | Allow | Allow | Allow | Deny | Deny |
| 1d. Sales team forecast - List View with STF only. | Allow | Allow | Allow | Deny | Deny |
| 1e. Sales team forecast - List View for import and export | Allow | Allow | Allow | Deny | Deny |
| 2. Forecast Change Notice. | Allow | Allow | Allow | Deny | Deny |
| 3. New combination. | Allow | Allow | Allow | Deny | Deny |
| 4. Alerts. | Allow | Allow | Allow | Deny | Deny |
| 5. PMI view | Allow | Allow | Allow | Deny | Deny |
| 6a. Sales Report by Customer | Allow | Allow | Allow | Deny | Deny |
| 6b. Sales Report by Program | Allow | Allow | Allow | Deny | Deny |
| 7. Collaborative review | Allow | Allow | Allow | Deny | Deny |
| Homepage | Allow | Allow | Allow | Deny | Deny |
ii. Models
a. Core Models
Forecast Models are not visible by default - "Allow" is applied as below:
| Models / User Group | CM - Role Demand Planner | CM - Role Regional Sales Manager | CM - Role Forecast Account Manager | CM - Role PMI Admin. | CM - Role PMI |
|---|---|---|---|---|---|
| Forecast Models | Deny | Deny | Deny | Deny | Deny |
| F01C-1.Material:Shipto@DC | Allow | Deny | Deny | Deny | Deny |
| F02C-2.Material:Forecast Customer@Spec | Allow | Allow | Allow | Allow | Allow |
| F03C-3.Program | Allow | Deny | Deny | Deny | Deny |
| F04C-4.Market | Deny | Deny | Deny | Deny | Deny |
| Forecast Models (bi-levels) | Deny | Deny | Deny | Deny | Deny |
| 1-2.Cst-Sit | Allow | Deny | Deny | Deny | Deny |
| 2-3.Itm-Fam | Allow | Deny | Deny | Deny | Deny |
| 3-4. Shipto-CustGr | Deny | Deny | Deny | Deny | Deny |
b. User Models
User Models are not visible by default - "Allow" is applied as below:
| Models / User Group | CM - Role Demand Planner | CM - Role Regional Sales Manager | CM - Role Forecast Account Manager | CM - Role PMI Admin. | CM - Role PMI |
|---|---|---|---|---|---|
| User Models | Deny | Deny | Deny | Deny | Deny |
| _Tech | Deny | Deny | Deny | Deny | Deny |
| ABC DFU (Value) | Allow | Deny | Deny | Deny | Deny |
| ABC lvl1 ( Unit) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl2 (Regular) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl2 (Unit) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl3 (Regular) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl3 (Unit) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl4 (Regular) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl4 (Unit) | Deny | Deny | Deny | Deny | Deny |
| ABC lvl4 (Value) | Deny | Deny | Deny | Deny | Deny |
| ABC Program | Allow | Deny | Deny | Deny | Deny |
| ABC Program (Value) | Deny | Deny | Deny | Deny | Deny |
| ABC Resin | Allow | Deny | Deny | Deny | Deny |
| U00 - Import - IN | Allow | Allow | Allow | Deny | Deny |
| U99 - Export - OUT | Deny | Deny | Deny | Deny | Deny |
| x. Currency Management | Deny | Deny | Deny | Deny | Deny |
| x. Master Tables Update | Allow | Deny | Deny | Deny | Deny |
| x. Supersession | Allow | Deny | Deny | Deny | Deny |
| y. GBU - AERO - DP | Allow | Allow | Allow | Allow | Allow |
| y. GBU - AERO - PMI | Allow | Allow | Allow | Allow | Allow |
| z. Budget | Allow | Allow | Allow | Deny | Deny |
| z. KPIs | Deny | Deny | Deny | Deny | Deny |
| z. Pricing Management | Allow | Allow | Allow | Deny | Deny |
iii. Shortcuts
Shortcuts are not visible by default - "Allow" is applied as below by folder:
| Shortcuts / User Group | CM - Role Demand Planner | CM - Role Regional Sales Manager | CM - Role Forecast Account Manager | CM - Role PMI Admin. | CM - Role PMI |
|---|---|---|---|---|---|
| 0. SBS | Deny | Deny | Deny | Deny | Deny |
| 1. USER ROLE | Allow | Deny | Deny | Allow | Allow |
| A. AERO | Allow | Deny | Deny | Deny | Deny |
iv. Master Tables
Security of Master Tables is usually set up as part of User Management: when a new scope is created (new user or scope transition), the condition should be entered in both the visibility and modification columns.
| Master Table / User Group | CM - Scope Demand Planner | CM - Scope Regional Sales Manager | CM - Scope Forecast Account Manager | CM - Scope PMI Admin. | CM - Scope PMI |
|---|---|---|---|---|---|
| Ship-to | None | RSM condition | FAM condition | PMI Admin. condition | None |
| Regional Sales Manager | None | RSM condition | None | None | None |
| Primary Sales Coordinator | None | None | None | None | PMI SC1 condition |
| Material:Shipto:Spec@DC | None | RSM condition | FAM condition | None | None |
| Material:ForecastCustomer@Spec | None | RSM condition | FAM condition | Active Ship-to \| CM | PMI SC1 condition |
| Forecast Customer | None | RSM condition | FAM condition | PMI Admin. condition | None |
| Forecast Account Manager | None | RSM condition | FAM condition | None | None |
2.2 DSCP1 - Soda Ash and Derivatives (SD)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.3 DP3 - Novecare (CS)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.4 DP3 - Oil and Gas (OG)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.5 DP3 - Special Chem (CH)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.6 DP1 - Aroma (PA)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.7 DP1 - Perox (PE)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.8 DP1 - Silica (SI)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.9 DP1 - Technology Solutions (TS)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
2.10 DSCP2 - Specialty Polymers (SP)
i. Workspaces
ii. Models
iii. Shortcuts
iv. Master Tables
3. Examples
Here are some examples of concrete cases, raised by tickets over the years.
3.1 Example #1 - Simple
For example, for a Sales Employee of a given GBU:
| # | Description | Screenshot |
|---|---|---|
| 1 | Right-click the master table Sales Employee ID, then click Security. In the Advanced security tab, for each user group, associate the conditions with the corresponding user groups. | |
| 2 | Right-click the master table Material:shipto@DC, then click Security. In the Advanced security tab, for each user group, associate the conditions with the corresponding user groups. | |
3.2 Example #2 - Complex
For example, QSM-285899
| # | Description | Screenshot | Reference view |
|---|---|---|---|
| Problem Reporting! | | | |
| 1 | User SANTOSMA gets an all-black view when opening the workspace. | | |
| Troubleshooting! | | | |
| 2 | The grid view has a split on dimension Material:Shipto@DC into | | |
| 3 | If you connect as the user in the rich client and right-click => Configure on the view, you can check which one is empty (the one with /): | | |
| 4 | The problem is on Material: the view has a filter on Material, on condition 'GBU - TS: Yes & Planned Material \| TS : Yes': | | |
| 5 | The user belongs to these groups: | | |
| 6 | The only group with security configured on the master table 'Material' is TS - US / Marcio Santos, with the visibility condition 'GBU - SA&D'. Finally, a right-click => hierarchy view (with a super user account) on the master table 'Material' shows that there is no intersection between the combination of the conditions used to filter the grid and the visibility condition: | | |
| 7 | Select the 3 conditions here (holding the Control key allows you to select several): | | |
| 8 | And we can see that no material fulfills the 3 conditions: | | |
| Fix! | | | |
| 9 | The problem is on Material: the view has a filter on Material, on condition 'GBU - TS: Yes & Planned Material \| TS : Yes'. The fix is to remove the condition 'GBU - SA&D' in the Material table associated with user group TS - US / Marcio Santos. | | |
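The intersection check from steps 6 to 9 can be reproduced outside the tool. This is an added example, not part of the original ticket or the planning tool: the material rows, the role group name and the reading of the view filter as two separate conditions are constructed assumptions, and each secured group is checked on its own.

```python
# Added example: constructed data and hypothetical names, not the tool's API.
# Constructed 'Material' rows: material -> conditions it fulfils.
MATERIALS = {
    "MAT-001": {"GBU - TS: Yes", "Planned Material | TS : Yes"},
    "MAT-002": {"GBU - TS: Yes"},
    "MAT-003": {"GBU - SA&D"},
    "MAT-004": {"GBU - SA&D"},
}
# Conditions filtering the grid view (step 4).
VIEW_FILTER = ["GBU - TS: Yes", "Planned Material | TS : Yes"]
# Visibility condition per user group on 'Material'; None = no security set.
GROUP_VISIBILITY = {
    "TS - Role Demand Planner": None,  # constructed group name
    "TS - US / Marcio Santos": "GBU - SA&D",
}


def matching(table, conditions):
    """Keys of the rows that fulfil every condition."""
    return {k for k, met in table.items() if all(c in met for c in conditions)}


def diagnose(table, view_filter, group_visibility):
    """Per secured group: rows it may see, and how many survive the view filter."""
    in_view = matching(table, view_filter)
    findings = []
    for group, cond in group_visibility.items():
        if cond is None:  # no security on this table for this group
            continue
        visible = matching(table, [cond])
        findings.append({
            "group": group,
            "condition": cond,
            "visible": len(visible),
            "visible_in_view": len(visible & in_view),
            "blocks_view": not (visible & in_view),
        })
    return in_view, findings


def after_removal(table, view_filter, group_visibility, group):
    """Re-run the check with one group's condition removed (the fix in step 9)."""
    cleared = {**group_visibility, group: None}
    in_view, findings = diagnose(table, view_filter, cleared)
    return set() if any(f["blocks_view"] for f in findings) else in_view
```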

















