Best Practices for Securing a Self-Service Portal Using Standard SAP ERP HCM Settings
© 2012 Wellesley Information Services. All rights reserved.
David Shanahan, AspireHR
What We’ll Cover …
• Example of a new employee’s encounter with ESS
• Prerequisites for self-service user
• Keeping tabs on your self-service users with HRUSER
• Manager Self-Service user setup
• Connecting SAP ECC to SAP NetWeaver Portal for user store
• Automating role assignment and auto-removal
• Putting it all together
• User creation helpful hints and additional configuration possibilities
• Wrap-up
An Employee’s First Encounter with Self-Service
• First day – Kim Gentry is hired and asked to log into our Portal
  • Kim signs in and sees:
After a Few Minutes, the Problem Is Determined:
• Someone forgot to create the Portal ID
Portal ID Is Created and Kim Tries Again
• Login success! But then:
• We still have some work to do
The Self-Service Role Is Added to the Portal ID
• It should work now
Hope It Is Fixed This Time
• Not quite, but we’re getting closer …
• Something is still missing
No Employee Associated to the Back-End ID
• The User ID is associated to the employee number on Infotype 105, subtype 0001, and Kim tries again
One More Time
• At last!
How Can We Prevent This Mess?
What Went Wrong with Kim’s First Self-Service Experience
• Problem #1: Employee hired in SAP and back-end user ID created, but Portal user ID not set up
• Problem #2: Portal user ID did not have role assignment
• Problem #3: Back-end user ID did not have role assignment
• Problem #4: Back-end user ID not associated to employee number
What’s Needed for a Self-Service User
• Employee hired in SAP with (at least) infotypes:
  • 0000 – Actions
  • 0001 – Organizational Assignment
  • 0002 – Personal Data
• SAP back-end user ID created
  • Self-services role assignment
  • Parameters
  • Defaults
• Portal ID created
  • Self-Service role assignment
• Employee Number associated to user ID
  • Infotype 0105 subtype 0001
SAP Transaction HRUSER Dissected
• Preparation
  • Assignment of roles to existing users
  • Copy SAP role customer namespace
• User/authorization assignment
  • Change user attributes/key date
  • Select employees using employee master
  • Select employees using org. assignment
• User attributes
  • User group
  • Role assignment
Main Menu
• SAP transaction HRUSER
Assignment of Employees to Existing Users
• Shows all current user IDs and employees so you can make the Infotype 105 subtype 0001 assignment – attaching user ID to employee
• Used when self-services is implemented after being live with back end (SAP)
• Program ESS_USERCOMPARE
  • Default period start = today’s date
  • Select All users radio button
Output of ESS_USERCOMPARE
• Mainly used when ESS is implemented after other modules
• All valid user IDs appear, and assignment can be made manually by selecting user, then Assign Employees
Using ESS_USERCOMPARE – Assign Employees
• Step 1: Select user by clicking on the ID – it will change color:
• Step 2: Select Assign employees button
• Step 3: Type name into pop-up
• Step 4: Create relationship by clicking Create
• At the bottom of the screen – confirmation of assignment
Copy SAP Role Customer Namespace
• Copy via transaction PFCG – Role Maintenance
  • Step 1: Enter SAP_ESSUSER in Role field and select Copy
  • Step 2: Enter a role name in the customer namespace (beginning with Y or Z) and select Copy all
Copy SAP Role Customer Namespace (cont.)
• Step 3: Select Change
• Step 4: Select Authorizations tab
  • We will modify and generate the role here
• Step 5: Select Change Authorization Data
• Step 6: Modify role to meet your needs and generate role
ESS Role Helpful Hints
• Test ESS user ID with SAP_ALL profile
  • Use transaction ST01 – User Trace – to see what is needed
  • Not everything in the user trace is required
• P_PERNR
  • For display M, R; for update M, R, W
  • Interpretation
    • I – Grants access to the employee assigned
    • E – Excludes these infotypes from the employee assigned
• If the Who’s Who Query ID is in P_ABAP object, no need to grant access to infotypes 0, 1, 2, etc. for Who’s Who access!
ESS role template to help build your company’s role
Change User Attributes/Key Date
• Globally modify user information
  • Password selection – Fixed, DOB or Function
  • Insert role created in Copy role step
  • This area defaults into User Master Record
Select Employees Using Employee Master
• Check employees without a user assignment
• Program ESS_SEL_PERNR_VIA_PNP
  • Step 1: Click on
  • Step 2: Select Employees without users
  • Step 3: Click Execute
Select Employees Using Employee Master (cont.)
• Check employees without a user assignment output:
  • Executing here
  • Can add/remove assignments
• Select Overview next to Employees without users
Select Employees Using Employee Master (cont.)
• Report shows all employees without user assignments
• Step 1: Click checkbox next to name then select
Select Employees Using Employee Master (cont.)
• Step 2: Modify any of the Attributes for user
• Step 3: Click Execute button
• The report will show the user created and assigned:
Select Employees Using Employee Master (cont.)
• Check report regularly if users created manually
  • Number of users without ESS Role
  • Number of inactive employees with user IDs
  • Number of employees with deleted user IDs
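The prerequisites listed under “What’s Needed for a Self-Service User” and the follow-up counts above can also be checked offline against exported data. The Python below is an added example, not part of the presentation or of HRUSER; the extract layout, the role names Z_ESSUSER and portal_ess_role, and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Hypothetical names: a customer-namespace copy of SAP_ESSUSER and a portal role.
BACKEND_ESS_ROLE = "Z_ESSUSER"
PORTAL_ESS_ROLE = "portal_ess_role"


def audit(employees, it0105, backend_roles, portal_roles, key_date):
    """Reconcile the three stores and return {finding: sorted IDs}.

    employees     {pernr: "active" | "withdrawn"}
    it0105        [(pernr, subtype, user_id, begin, end)]  infotype 0105 rows
    backend_roles {user_id: set(roles)}  missing key = user does not exist
    portal_roles  {user_id: set(roles)}  missing key = no portal ID
    """
    findings = defaultdict(set)
    owners = defaultdict(set)   # user ID -> employees linked on the key date
    linked = defaultdict(set)   # employee -> user IDs linked on the key date

    for pernr, subtype, user_id, begin, end in it0105:
        # Only subtype 0001 rows that are valid on the key date form a link.
        if subtype == "0001" and begin <= key_date <= end:
            owners[user_id.upper()].add(pernr)   # user IDs are upper-case
            linked[pernr].add(user_id.upper())

    for pernr, status in employees.items():
        users = linked.get(pernr, set())
        if status != "active":
            # A leaver whose ID still exists in either store may still log on.
            if any(u in backend_roles or u in portal_roles for u in users):
                findings["inactive_employee_with_user"].add(pernr)
            continue
        if not users:
            findings["employee_without_user"].add(pernr)
        for u in users:
            if u not in backend_roles:
                findings["employee_with_deleted_user"].add(pernr)
                continue
            if BACKEND_ESS_ROLE not in backend_roles[u]:
                findings["backend_user_without_ess_role"].add(u)
            if u not in portal_roles:
                findings["portal_id_missing"].add(u)
            elif PORTAL_ESS_ROLE not in portal_roles[u]:
                findings["portal_user_without_ess_role"].add(u)

    for u, pernrs in owners.items():
        if len(pernrs) > 1:     # one logon acting for several employees
            findings["user_shared_by_employees"].add(u)
    for u, roles in backend_roles.items():
        if BACKEND_ESS_ROLE in roles and u not in owners:
            findings["ess_user_without_employee"].add(u)

    return {name: sorted(ids) for name, ids in findings.items()}


# Constructed sample extracts (not real data).
KEY_DATE = date(2012, 3, 1)
START, OPEN_END = date(2012, 1, 1), date(9999, 12, 31)
EMPLOYEES = {"1001": "active", "1002": "active", "1003": "active",
             "1004": "withdrawn", "1005": "active", "1006": "active",
             "1007": "active"}
IT0105 = [
    ("1001", "0001", "KGENTRY", START, OPEN_END),
    ("1001", "0010", "kim.gentry@example.com", START, OPEN_END),  # not 0001
    ("1003", "0001", "USER1003", START, OPEN_END),
    ("1004", "0001", "USER1004", START, OPEN_END),
    ("1005", "0001", "USER1005", START, OPEN_END),
    ("1006", "0001", "USER1006", START, OPEN_END),
    ("1007", "0001", "USER1007", date(2011, 1, 1), date(2011, 12, 31)),  # expired
]
BACKEND_ROLES = {"KGENTRY": {BACKEND_ESS_ROLE}, "USER1003": set(),
                 "USER1004": {BACKEND_ESS_ROLE}, "USER1006": {BACKEND_ESS_ROLE},
                 "USER1007": {BACKEND_ESS_ROLE}, "TESTESS": {BACKEND_ESS_ROLE}}
PORTAL_ROLES = {"KGENTRY": {PORTAL_ESS_ROLE}, "USER1004": {PORTAL_ESS_ROLE},
                "USER1006": set(), "USER1007": {PORTAL_ESS_ROLE},
                "TESTESS": {PORTAL_ESS_ROLE}}

if __name__ == "__main__":
    report = audit(EMPLOYEES, IT0105, BACKEND_ROLES, PORTAL_ROLES, KEY_DATE)
    for finding, ids in sorted(report.items()):
        print(f"{finding}: {', '.join(ids)}")
```

An infotype 0105 record that has expired on the key date leaves two findings behind: the employee shows up without a user, and the user ID shows up as an ESS user without an employee.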
Manager Self-Service Setup
• Managers are also employees
  • Use HRUSER for user ID creation
• Role assignment on the Manager’s position
  • In the “Automation of Role Assignment” section
• Utilize portal role mapping for automation of MSS portal role
  • In the “Connecting SAP ECC to SAP NetWeaver® Portal for user store” section
• MSS Role sample template to help build your MSS role
MSS Role Helpful Hints
• Test MSS user ID with SAP_ALL profile in your development client
  • Use transaction ST01 – User Trace – to see what is needed
  • Don’t add everything SAP shows in the trace
• Structural authorizations typically not required for MSS access
MSS role template to help build your company’s role
Connecting SAP Back End to Portal
• Why make this connection?
  • ABAP user store brought into portal
    • No need to create portal users any more
  • ABAP roles can be mapped to portal role
    • Eliminate the time needed to also assign portal roles
Instructions on tying SAP back end to your Portal
ABAP Users Brought into Portal
• Check ABAP connection in Portal
  • User Administration tab
  • If you see ABAP in User Search Criteria – success!
• Search for our ABAP user created previously
Mapping ABAP Roles to Portal Roles
• Step 1: In back end, copy Self-Service role name via PFCG
• Step 2: In Portal, go to User Administration tab
• Step 3: Select Group search criteria (not role), because the back-end role appears in the Portal as a group
• Step 4: Select Modify, then search for your Portal role:
Mapping ABAP Roles to Portal Roles (cont.)
• Step 5: Select Add, then Save
• End result: Back-end user and role assignments are now added to portal user store (UME), and portal role assignments are made for you!
Automation of Role Assignments
• Why?
  • Roles are assigned automatically based on position assignment
  • Roles are removed automatically when an employee is moved out of their position
Instructions on set up of position-based role assignment/removal
Automation of Role Assignments (cont.)
• Step 1: In back end, go to transaction PFCG – Role Maintenance
• Step 2: Select Goto – Settings
• Step 3: In pop-up box, select Complete view
• Step 4: Select Copy
Automation of Role Assignments (cont.)
• Step 5: Select your self-service role in the Role field
• Step 6: Select Change
• Step 7: Select User tab
• Step 8: Select Organization Management button
• Step 9: Select Create Assignment button
• Step 10: In pop-up box, select Position:
Automation of Role Assignments (cont.)
• Step 11: In pop-up box, enter Position number, then Copy
• Step 12: Pop-up box shows relationship. Select Create.
Automation of Role Assignments (cont.)
• Step 13: Select Indirect user assignment reconciliation
• Confirmation of reconciliation (red to green):
• Step 14: Select Back, then User comparison
• End result: Role assignment created for user ID assigned to person
Putting It All Together
• New steps to complete self-services user:
  • Hire employee in back end
  • Run HRUSER – Select employees using employee master
  • Give new hire user ID, Portal URL and password
• Done
• 8 steps the old way – down to 3 steps!
8 complex and manual steps have been reduced to 3 simple steps
Creating Your Own Users – Helpful Hints
• Reference User
  • User ID can be used to create all of your users
    • Functions like User Copy
    • Copy defaults, parameters, and roles
• For MSS users
  • Use position-based security to assign and remove roles automatically
• Use HRUSER reports to tell you when:
  • New IDs are created without employee assignments
  • New employees are created in SAP without user ID assignments
  • Existing employee status changes and terminations
Additional Configuration Possibilities
• Using Active Directory as Portal User Management Engine (UME)
  • AD account and credentials used for portal logon
• SAP Identity Management (IDM)
  • Automation of role assignment based on employee attributes
  • IDM can:
    • Assign and remove SAP ECC and Portal roles
    • Assign defaults/parameters
• Using a single sign-on product
  • Users go directly into portal without a separate portal logon
  • Works for SAP ECC users as well (via SNC)
Additional Resources
• http://help.sap.com/nw2004/
  Security Information > Security Guide > English > User Administration and Authentication
• http://sdn.sap.com
  Follow Security and Identity Management
• http://help.sap.com/saphelp_nw04s/helpdata/en/34/76bd3b6e74d708e10000000a11402f/frameset.htm
  Follow Portal > Portal Administration Guide > User Administration
• Templates for creating ESS/MSS roles
  On Insider Learning Network
7 Key Points to Take Home
• HRUSER simplifies ID creation, ensures employee assignment, and provides follow-up reports for maintaining your self-service users
• Use position-based security role automation, for roles like MSS, to automatically assign and remove roles
• By tying your ABAP user store to your portal UME, you no longer need to maintain users in your portal
• You can use back-end role assignment to also assign portal roles via portal groups
This automatic assignment prevents you from needing to create Portal users and complete Portal role assignments manually
7 Key Points to Take Home (cont.)
• Use the templates supplied on Insider Learning Network to create your ESS/MSS roles based on your users' needs
  Consider which infotypes the user will need access to when you design your roles
• Use tools like Reference User to ensure users have the correct defaults, parameters, and roles
Remember, Copy user can copy attributes the ID would not need
• If creating user IDs manually, use HRUSER to ensure that your users are created and all are assigned to employees
Your Turn!
How to contact me: David Shanahan
Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2012 Wellesley Information Services. All rights reserved.