best practices for self service in sap portal

Best Practices for Securing a Self-Service Portal Using Standard SAP ERP HCM Settings

© 2012 Wellesley Information Services. All rights reserved.

David ShanahanAspireHR

What We’ll Cover …

• Example of a new employee’s encounter with ESS• Prerequisites for self-service user • Keeping tabs on your self-service users with HRUSER • Manager Self-Service user setup • Connecting SAP ECC to SAP NetWeaver Portal for user store• Automating role assignment and auto-removal• Putting it all together• User creation helpful hints and additional configuration

possibilities

1

possibilities• Wrap-up

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

An Employee’s First Encounter with Self-Service

• First day – Kim Gentry is hired and asked to log into our PortalKim signs in and sees:

2

After a Few Minutes, the Problem Is Determined:

• Someone forgot to create the Portal ID

3

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

Portal ID Is Created and Kim Tries Again

• Login success! But then:

W till h k t d

4

• We still have some work to do

The Self-Service Role Is Added to the Portal ID

• It should work now

5

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

Hope It Is Fixed This Time

• Not quite, but we’re getting closer …

S thi i till i i

6

• Something is still missing

No Employee Associated to the Back-End ID

Th U ID i i t d t th l b I f t

7

• The User ID is associated to the employee number on Infotype 105, subtype 0001, and Kim tries again

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

One More Time

• At last!

8

How Can We Prevent This Mess?

9

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________



possibilities

10


What Went Wrong with Kim’s First Self-Service Experience

• Problem #1: Employee hired in SAP and back-end user ID created, but Portal user ID not set up

• Problem #2: Portal user ID did not have role assignmentP bl #3 B k d ID did t h l i t• Problem #3: Back-end user ID did not have role assignment

• Problem #4: Back-end user ID not associated to employee number

11

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

What’s Needed for a Self-Service User

• Employee hired in SAP with (at least) infotypes:0000 – Actions0001 – Organizational Assignment0002 – Personal Data

• SAP back-end user ID createdSelf-services role assignmentParametersDefaults

P t l ID t d

12

• Portal ID createdSelf-Service role assignment

• Employee Number associated to user IDInfotype 0105 subtype 0001



possibilities

13


_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

SAP Transaction HRUSER Dissected

• PreparationAssignment of roles to existing usersCopy SAP role customer namespace

• User/authorization assignmentChange user attributes/key dateSelect employees using employee masterSelect employees using org. assignment

• User attributesU

14

User groupRole assignment

Main Menu

• SAP transaction HRUSER

15

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

Assignment of Employees to Existing Users

• Shows all current user IDs and employees so you can make the Infotype 105 subtype 0001 assignment – attaching user ID to employee

• Used when self-services is implemented after being live with back • Used when self-services is implemented after being live with back end (SAP)

• Program ESS_USERCOMPARE Default period start = today’s date

16

date

Select All users radio button

Output of ESS_USERCOMPARE

• Mainly used when ESS is implemented after other modules• All valid user IDs appear, and assignment can be made manually

by selecting user, then Assign Employees

17

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

Using ESS_USERCOMPARE – Assign Employees

• Step 1: Select user by clicking on the ID – it will change color:

• Step 2: Select Assign employees button

• Step 3: Type name into pop-up

• Step 4: Create relationship by clicking Create

18

• At the bottom of the screen – confirmation of assignment

Copy SAP Role Customer Namespace

• Copy via transaction PFCG – Role Maintenance

Step 1: Enter SAP_ESSUSER in Role field and select Copy

19

Step 2: Enter role name (Y or Z) and select Copy all

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

Copy SAP Role Customer Namespace (cont.)

• Step 3: Select Change

• Step 4: Select Authorizations tab We will modify and generate the role here

20

• Step 5: Select Change Authorization Data• Step 6: Modify role to meet your needs and generate role

ESS Role Helpful Hints

• Test ESS user ID with SAP_ALL profileUse transaction ST01 – User Trace – to see what is needed

Not everything in the user trace is required• P_PERNR

For display M, R; for update M, R, WInterpretation

I – Grants access to the employee assignedE – Excludes these infotypes from the employee assigned

If th Wh ’ Wh Q ID i i P ABAP bj t d t t

21

• If the Who’s Who Query ID is in P_ABAP object, no need to grant access to infotypes 0, 1, 2, etc. for Who’s Who access!

ESS role template to help build your company’s role

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

Change User Attributes/Key Date

• Globally modify user information

Password selection –Fixed, DOB or Function

Insert role created in Copy role step

22

Copy role step

This area defaults into User Master Record

Select Employees Using Employee Master

• Check employees without a user assignment

• Program ESS_SEL_PERNR_VIA_PNPStep 1: Click onStep 2: Select Employees without usersStep 3: Click Execute

23

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

Select Employees Using Employee Master (cont.)

• Check employees without a user assignment output:

Executing hereCan add/remove

24

• Select Overview next to Employees without users

Can add/removeassignments


• Report shows all employees without user assignments

St 1 Cli k h kb t t th l t

25

• Step 1: Click checkbox next to name then select

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________


• Step 2: Modify any of the Attributes for user

26

• Step 3: Click Execute button• The report will show the user created and assigned:


• Check report regularly if users created manually

Number of usersusers without ESS Role

Number of inactive employees with user IDs

27

Number of employees with deleted user IDs

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________



possibilities

28


Manager Self-Service Setup

• Managers are also employeesUse HRUSER for user ID creation

• Role assignment on the Manager’s position In the “Automation of Role Assignment” section

• Utilize portal role mapping for automation of MSS portal roleIn the “Connecting SAP ECC to SAP NetWeaver® Portal for user store” section

• MSS Role sample template to help build your MSS role

29

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

MSS Role Helpful Hints

• Test MSS user ID with SAP_ALL profile in your development clientUse transaction ST01– User Trace – to see what is neededDon’t add everything SAP shows in the trace

• Structural authorizations typically not required for MSS access

MSS role template to help build your

30

MSS role template to help build your company’s role



possibilities

31


_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

Connecting SAP Back End to Portal

• Why make this connection?ABAP user store brought into portal

No need to create portal users any moreABAP roles can be mapped to portal role

Eliminate the time needed to also assign portal roles

32

Instructions on tying SAP back end to your Portal

ABAP Users Brought into Portal

• Check ABAP connection in PortalUser Administration tab

If you see ABAP in User Search Criteria – success!• Search for our ABAP user created previously

33

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

Mapping ABAP Roles to Portal Roles

• Step 1: In back end, copy Self-Service role name via PFCG • Step 2: In Portal, go to User Administration tab• Step 3: Select Group search criteria (not role)

• Step 4: Select Modify, then search for your Portal role:

34

Mapping ABAP Roles to Portal Roles (cont.)

• Step 5: Select Add, then Save

• End result: Back-end user and role assignments are now added to portal user store (UME) and portal role assignments are made for

35

portal user store (UME), and portal role assignments are made for you!

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________



possibilities

36


Automation of Role Assignments

• Why?Roles are assigned automatically based on position assignmentRoles are removed automatically when an employee is moved

t f th i itiout of their position

Instructions on set up of position-based role assignment/removal

37

assignment/removal

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

Automation of Role Assignments (cont.)

• Step 1: In back end, go to transaction PFCG – Role Maintenance

• Step 2: Select Goto – Settings

38

• Step 3: In pop-up box, select Complete view • Step 4: Select Copy


• Step 5: Select your self-service role in the Role field

• Step 6: Select Change • Step 7: Select User tab • Step 8: Select Organization Management button• Step 9: Select Create Assignment button• Step 10: In pop-up box, select Position:

39

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________


• Step 11: In pop-up box, enter Position number, then Copy

• Step 12: Pop-up box shows relationship. Select Create.

40


• Step 13: Select Indirect user assignment reconciliation

• Confirmation of reconciliation (red to green):

• Step 14: Select Back, then User comparison• End result: Role assignment created for user ID assigned to

person

41

person

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________



possibilities

42


Putting It All Together

• New steps to complete self-services user:Hire employee in back endRun HRUSER – Select employees using employee masterGive new hire user ID, Portal URL and password

• Done• 8 steps the old way – down to 3 steps!

8 complex and manual steps have been reduced to 3 simple steps

43

p p

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________



possibilities

44


Creating Your Own Users – Helpful Hints

• Reference UserUser ID can be used to create all of your users

Functions like User CopyCopy defaults, parameters, and roles

• For MSS usersUse position-based security to assign and remove roles automatically

• Use HRUSER reports to tell you when:New IDs are created without employee assignments

45

New IDs are created without employee assignmentsNew employees are created in SAP without user ID assignmentsExisting employee status changes and terminations

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

Additional Configuration Possibilities

• Using Active Directory as Portal User Management Engine (UME) AD account and credentials used for portal logon

• SAP Identity Management (IDM)Automation of role assignment based on employee attributesIDM can:

Assign and remove SAP ECC and Portal rolesAssign defaults/parameters

• Using a single sign-on product U di tl i t t l ith t th ti ti

46

Users go directly into portal without authenticationWorks for SAP ECC users as well (via SNC)



possibilities

47


_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

Additional Resources

• http://help.sap.com/nw2004/Security Information Security Guide English User Administration and Authentication

htt // d• http://sdn.sap.comFollow Security and Identity Management

• http://help.sap.com/saphelp_nw04s/helpdata/en/34/76bd3b6e74d708e10000000a11402f/frameset.htm

Follow Portal Portal Administration Guide User Administration

48

• Templates for creating ESS/MSS rolesOn Insider Learning Network

7 Key Points to Take Home

• HRUSER simplifies ID creation, ensures employee assignment, and provides follow-up reports for maintaining your self-service users Use position based security role automation for roles like MSS to • Use position-based security role automation, for roles like MSS, to automatically assign and remove roles

• By tying your ABAP user store to your portal UME, you no longer need to maintain users in your portal

• You can use back-end role assignment to also assign portal roles via portal groups

This automatic assignment prevents you from needing to create Portal users and complete Portal role assignments manually

49

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

7 Key Points to Take Home (cont.)

• Use the templates supplied on Insider Learning Network to create your ESS/MSS roles based on your users' needs

Consider which infotypes the user will need access to when you design your rolesyou design your roles

• Use tools like Reference User to ensure users have the correct defaults, parameters, and roles

Remember, Copy user can copy attributes the ID would not need

• If creating user IDs manually, use HRUSER to ensure that your users are created and all are assigned to employees

50

Your Turn!

51

How to contact me:David Shanahan

[email protected]

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

DisclaimerSAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.

52

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

_________________________________

best practices for self service in sap portal

Documents

selfservice portal

selfservice users

sap netweaver portal

dothe selfservice role

portal id3

portal kim signs

user store

sap ecc