Org Management in CRM

Like SAP HR, SAP CRM also supports organizational management. Org Management allows the assignment of Business Roles to OM objects (like positions, org units, etc). The transaction to maintain OM structure in CRM is PPOMA_CRM. PPOMA_CRM allows us to search for particular OM objects and create new ones. The below screen shows a typical org hierarchy.

PPOMA_CRM - Define OM structure
PPOMA_CRM - Define OM structure

As you can see from the above, PPOMA_CRM is very similar to the ECC transaction PPOMA. Since we have already talked at length about Org Management in SAP HCM, I would not repeat the same here. Please feel free to have another look at the posts for Org Management under SAP HCM security.

For a user to work on CRM processes, the user needs to be assigned to a business partner. In the example above, we have the BP HR00160008 assigned to the Position 30002593.

Assign Roles in CRM

SAP CRM allows role assignment in two basic ways, indirectly through Business Roles in PPOMA_CRM or directly through security roles assigned to user masters in SU01.

Indirecty role assignment is recommended by SAP as for large organisations with many CRM users and business roles it can lead to significant reduction in maintenance effort. For indirect maintenace, the Business Roles are maintained on a position for a user.

Define OM structure - PPOMA_CRM
Define OM structure - PPOMA_CRM

To maintain the business role for an OM object like a position, we select the position in PPOMA_CRM and the menu path goto>detail object>Enhanced Object Description which opens transaction PP01.

PP01 - Initial Screen
PP01 - Initial Screen

From the initial PP01 screen, we can maintain the appropriate value for Business Role for the chosen position.

PP01 - Assigning Business Roles
PP01 - Assigning Business Roles

With the position linked to a user and a business role assigned to the position we are now in a position to assign a security role to the user. While its also possible to directly assign a security role to the user at this stage, SAP provides the report CRMD_UI_ROLE_ASSIGN to make our job easier.

Report CRMD_UI_ROLE_ASSIGN
Report CRMD_UI_ROLE_ASSIGN

The report can be run for both users or user groups. It basically looks up positions linked to the respective users, checks the business roles assigned to these positions and finally assigns the security roles corresponsing to them to the user masters. The report log after role assignment is shown below

Report CRMD_UI_ROLE_ASSIGN - Log
Report CRMD_UI_ROLE_ASSIGN - Log

It is also possible to directly assign a security role to a user rather than go through these intermediate steps outlines above. To make this work, in addition to the security role the user parameter CRM_UI_PROFILE needs to be maintained with the correct business role as part of the user master. This removes the need of maintaining the Business Role on the position. However, since all CRM users need to be part of OM structure, it makes sense to use the indirect assignement rather than the direct one.

Profile Assignment via OM

In the last article we have already looked at the process of indirect role assignment through OM objects. SAP provides another option to achieve indirect assignment of security through the org structure of the enterprise. This method involves indirect assignment of authorization profiles. Though much less common now-a-days as most companies have moved to a system where access is based on roles instead of authorization profiles, there is really nothing preventing its use in even a role based system.

The basic concept of indirect assignment remains the same. Instead of creating B007 relationships, between the user’s position and object type AG, we maintain infotype 1016 for the position with the profile names. An example screen-shot is given below. Through configuration, its also possible to maintain IT 1016 for other org objects like jobs, org units, tasks, etc.

PP01 - Create IT 1016 (Standard Profiles)
PP01 - Create IT 1016 (Standard Profiles)

To copy the profiles from HR objects to users, the report RHPROFL0 is used with the options shown below. This report can also be scheduled to run in the background everyday at midnight to sync up user access (both PD profiles and general authorization profiles) with a changing org structure.

RHPROFL0 - Copy IT 1016-1017 values to users
RHPROFL0 - Copy IT 1016-1017 values to users

Indirect Role Assignment via OM

We have come across the Organizational Management (OM) component while talking about SAP HCM. The OM component in SAP is used to map the Organizational Hierarchy of an enterprise by means of HR objects and Relationships between these objects. In this post we will discuss about the possibility of using OM to simplify some of the user-role assignments tasks that need to be handled by a security administrator.

Lets start with an sample org hierarchy created in PPOME transaction as shown below. We start with a root org unit ( HR obj O) “IDES Root” with “IDES India” and “IDES Bangalore” under it. ” IDES India” includes the position (HR obj S) of “Director – India” which is also set as the Line Manager for it. The position is filled by person (HR obj P) “Mister Director”. We make the basic assumption that the SAP access for a user corresponds to his position in the org structure of the enterprise.

PPOME - A Sample Org Hierarchy
PPOME - A Sample Org Hierarchy

Consider the access for “Mister Director”. In the case of direct role assignment, any role would be assigned to the user id for “Mister Director” through SU01 or PFCG. Now lets consider, that “Mister Director” get promoted to be the CEO of “IDES Root” and a new person comes to take his place. However, since the roles for the India Director were directly assigned to his user id, he will continue to keep his old access even in his new position. Also the new person filling the position of “Director – India” will have to be manually assigned with enough access to enable him to do his job. This same situation will repeat for every transfer, promotion, demotion (and most other org changes in general) that takes place in an enterprise. For an enterprise with more than a few thousand employees, the effort involved in keeping user access in sync with the org hierarchy is substantial. In addition to the monetary cost of the effort, their is a time penalty as users would need to wait for the User Admin team to adjust their security before they can start using SAP. Indirect role assignment comes to the rescue in such situation and if configured correctly can reduce the routine maintenance effort appreciably. In indirect assignment, instead o directly assigning the roles to user id for “Mister Director” we assign the roles to the position “Director India” (The standard SAP configuration allows role assignments to the OM objects – Position, Org Unit, Work Center, Task and can be used depending on business cases) such that any user occupying the position would automatically get the access needed for “Director India”.

There are four technical prerequisites for the use of indirect role assignment through Org Mgmt

  • An active planning version must be defined in the system. Roles/profiles are assigned to the OM objects defined in the active plan.
  • The User and Personnel masters are linked via the IT 0105 (communication) subtype 0001 (system id). This translates to maintaining the SAP user id for a user in IT 0105, 0001 for the user’s personnel number with an active validity date.
  • The HR_ORG_ACTIVE customizing switch is set to YES in the PRGN_CUST table either as the default value or as an entry in the table.
  • The evaluation path US_ACTGR is defined and suitably adjusted in the system. The evaluation path is actually used by SAP to assign roles to the users during user comparison and is the last and the most vital cog in the wheel. The screen-shot below shows the default definition of the evaluation path in OOAW.
  • OOAW - Definition of US_ACTGR evaluation path
    OOAW - Definition of US_ACTGR evaluation path

Once the above prerequisites are met, we can just go ahead and create indirect role assignments between roles and HR objects. Indirect role assignment through PFCG can be accessed through the “Organization Management” button shown below. The blue lines correspond to indirect role assignments.

PFCG - Indirect Role Assignment through OM
PFCG - Indirect Role Assignment through OM

Clicking the Org Mgmt button opens the below screen where we can check the existing assignments for the role (both direct and indirect). New role assignments can e created using the highlighted button

PFCG - Indirect Role Assignment through OM 2
PFCG - Indirect Role Assignment through OM 2

Roles can also be assigned through PP01. An indirect role assignment is a relationship between object type AG (Activity Group or Role) and HR objects like positions, org units, etc. Below screen shows a new assignment (relationship B007) between the users’ position and the role object (object type AG)

PP01 - Create B007 reln between S and AG
PP01 - Create B007 reln between S and AG

The final step in the process of indirect role assignment is to copy the roles from the HR objects to the users. One of the most common way to achieve this is to execute the PFUD transaction with the option for HR reconciliation checked. In productive systems, this program is normally scheduled to run everyday at midnight to sync user access with a changing org structure.

PFUD - User Master Reconciliation

PFUD - User Master Reconciliation

The critical success factor for indirect role assignment is to understand how correctly your org hierarchy mirrors the roles/ responsibilities of your users. Some of the questions that need to be discussed with your business owners, functional consultants and security team are

  • What is the correlation between the roles/responsibilities users and their position in the org structure?
  • Who will be responsible for maintaining the org structure and how frequently?
  • Will users need their old access even if they move to a new position?
  • How will contractors be given access? Contractors are normally not part of the org structure and don’t occupy a position. So do you continue to directly assign roles to contractors or do you link them to the org structure in some way (for example through positions/jobs/tasks)?
  • Are you only concerned about a central ECC system or are there other systems in the landscape (BW, CRM, SRM, APO, etc)? Will the roles assigned in these other systems also be determined by the users’ positions in ECC?