Manage Role-Based Authorization for Cloud-Based SAP Integrated Business Planning

by Anjali Butley, Solution Architect, Tata Consultancy Services

November 11, 2015

Anjali Butley explains how to manage stakeholder access for SAP Integrated Business Planning for sales and operations 4.0. She also describes the challenges of ensuring that SAP Integrated Business Planning for sales and operations data is accessed and shared by the right users.

 

SAP Integrated Business Planning for sales and operations is a periodic business process that involves focusing on and synchronizing financial, demand, and supply planning. Most organizations follow a monthly process that consists of demand review, supply review, pre-sales and operations planning review, and executive review. Organizations may have many process steps according to their requirements.

The sales and operations planning process requires up-to-date forecast data to plan sales, production, inventory, customer lead time, customer back orders, new product developments, strategic initiatives, and financial plans. The planning horizon and frequency to execute the sales and operations planning process vary based on the specific industry and planners. Different planners have different roles and accountability for executing and governing a sales and operations planning cycle. For executing the sales and operations planning cycle, planners require access to sales and operations data based on their roles.

Various planners can plan what-if simulations in real time and plan very quickly at all levels due to the in-memory computing platform. SAP Integrated Business Planning for sales and operations enables real-time collaboration with various stakeholders to take input and consensus with transparent data to achieve an organization’s common goal — volume, revenue, and profitability. The SAP Integrated Business Planning for sales and operations’ user interface is based on Microsoft Excel and web services.

I explain how to manage stakeholders’ authorizations to ensure access to the right planning data at the right time by the right user for better sales and operations planning results in real time.

I also list a few helpful hints for you to use in the “Tips” section.

Roles of Stakeholders

SAP Integrated Business Planning for sales and operations integrates with the following SAP applications:

  • SAP ERP Central Component (ECC)
  • SAP Advanced Planning and Optimization (SAP APO)
  • SAP BusinessObjects Business Intelligence (BI)/SAP Business Warehouse (BW)
  • SAP Business Planning and Consolidation (SAP BPC)
  • SAP Customer Relationship Management (SAP CRM)

 It also integrates with other system applications.

For example, consider a scenario in which an organization has pain points such as  managing role-based authorizations, restricting the planning data maintenance, planning for sales and operations planning on a periodic basis, displaying planning results, viewing dashboards, taking action on alerts, collaborating with other planners for making consensus decisions, and planning meetings with stakeholders. Because SAP Integrated Business Planning for sales and operations is a cloud-based system and can be accessed over the Internet, organizations that use this application need to be assured that sales and operations planning data is secure and cannot be shared or accessed by competitors or unauthorized people.

A security administrator needs to provide authorized access to SAP Integrated Business Planning for sales and operations data to ensure that:

  • Unauthorized access is not granted to important information that is critical and sensitive for the organization and its stakeholders
  • Stakeholders’ negligence or attempts to change sales and operations planning data are not allowed to adversely affect the organization’s sales and operations planning data

In the next section, I explain the involvement of various SAP Integrated Business Planning sales and operations stakeholders in maintaining sales and operations planning data and executing sales and operations planning processes.

Stakeholders of SAP Integrated Business Planning for Sales and Operations

The following stakeholders are involved in sales and operations planning and are responsible for the right results of the sales and operations planning cycle:

  • Regional marketing manager: Responsible for marketing data input for the sales and operations planning cycle, collaborating with the global marketing manager, sales and operations planner, and finance manager, and attending sales and operations meetings.
  • Global demand planner: Provides input to the sales and operations planning cycle for the demand side. This stakeholder also collaborates with regional demand planners, global salespeople, and marketing managers.
  • Regional demand planner: Collaborates with global demand planners, regional supply planners, and data integrators. This person also provides input to the sales and operations planner for the demand side.
  • Global supply planner: Collaborates with the global demand planner, sales and operations planner, finance manager, and sales and operations executive.
  • Regional supply planner: Collaborates with the global supply planner, regional demand planner, regional sales and marketing manager, and finance manager. This stakeholder provides supply inputs to the sales and operations planner.
  • Sales and operations planner: Responsible for the overall sales and operations planning cycle. He or she collaborates with the global and regional demand planner, global and regional supply planner, finance manager, and data integrator. This stakeholder also conducts sales and operations planning meetings.
  • Finance manager: Responsible for financial data and ensures the profitability at organization levels.
  • Data integrator: Responsible for the sales and operations planning data – master data, transactional data integration from the SAP APO system and SAP ERP Central Component (ECC) system, maintenance of sales and operations planning data on the SAP Integrated Business Planning for sales and operations system, resolving issues for sales and operations planning data maintenance.
  • Sales and operations executive manager: Responsible for overall sales and operations planning results. He or she collaborates with the demand planner, supply planner, and finance manager. This stakeholder also makes final decisions for sales and operations planning.
  • Administrator of the SAP Integrated Business Planning for sales and operations system: Responsible for administrative work such as user management — creating users and their roles and giving permission for data access. SAP’s standard user name for this administrator is SOPADMIN and this stakeholder has all permissions.

An organization may have different roles based on its requirements and involve them for sales and operations planning processes.

SAP Integrated Business Planning Role-Based User Management

In SAP Integrated Business Planning all the authorized stakeholders of sales and operations planning are required to request the creation of a user account and role-based authorization. The administrator of SAP Integrated Business Planning creates user accounts and role-based authorizations in the system. Only stakeholders with authorized user accounts can access the SAP Integrated Business Planning system. SAP Integrated Business Planning for sales and operations requires a web user interface (WUI) and the Excel add-in for Integrated Business Planning to be installed on users’ devices, such as a desktop, laptop, or iPhone, and these devices also require Internet access.

SAP Integrated Business Planning for sales and operations uses SAP HANA tools for maintaining user roles, password management, and user filters in the background. The web client application of SAP Integrated Business Planning provides the functionality of user management. The administrator of SAP Integrated Business Planning is responsible for the stakeholder’s user management to create or update users and provide access to authorized planning data. An SAP system standard user who performs the administrator role has the user ID SOPADMIN and has ALL_INCLUSIVE SAP standard role permissions.

An SAP standard BASIC_USER can view analytics (e.g., charts and dashboards) in the web UI.

The collaboration functionality of SAP Integrated Business Planning requires a separate license for SAP Jam. If an organization has purchased this license, then it can take full advantage of SAP Integrated Business Planning for sales and operations for real-time collaboration with stakeholders.

If an organization uses an SAP HANA Cloud Integration (HCI) for data integration with SAP APO and the ECC system, then the data integrator is required to have HCI data integration-related authorizations.

(Note: In this article I limit my scope to user management of the stakeholders’ perspective.)

SAP Integrated Business Planning for sales and operations role-based user management has the following major functionalities: user management, roles, and visibility filters.

User Management

The administrator of SAP Integrated Business Planning can create, modify, and delete users using the SAP Integrated Business Planning web UI (Figure 1). (In my example in this article, I am referring to readers as the administrator.) You can also create a user account, assign role permissions to it, and edit the user account based on the time requirement of the organization to perform the SAP Integrated Business Planning for sales and operations business processes.


Figure 1
SAP Integrated Business Planning User Management Using the web UI

To reach the screen shown in Figure 2, the SAP Integrated Business Planning for sales and operations planning administrator who is authorized to manage user accounts in the SAP Integrated Business Planning system logs on to the web UI. In the screen in Figure 1, the administrator or authorized person clicks the user management icon in the panel on the left side of the screen. This action opens a menu with the following options: User Management, Roles, and Visibility Filters.

By selecting the User Management option, you can select options for managing user accounts (e.g., to create, edit, or delete an account).

In Figure 1, the user can see the details of users already created in the table format with the following column headings: User Name, First Name, Last Name, Primary E-mail, Roles, Last Login, User Locked, User Activated, Delete, and History Download.

To create a new user, click the + Add New User button (Figure 1). This action opens a screen in which you can enter data for the new user in the General Information section of the screen (Figure 2).


Figure 2
General information for the new user

In Figure 2, enter information in the mandatory fields, which are marked with an asterisk (*) after the field name. User Name, First Name, Last Name, Primary E-mail, New Password, and Confirmed New Password are mandatory when you create the user account.

Alternate E-Mail and Locked User are alternate fields. Active User and SAML are optional check boxes. You need to select the Alternate E-mail and SAML check boxes for Jam configuration for social collaboration. (Note that SAML is Security Assertion Markup Language that is used to exchange authorization and authentication data for Jam Collaboration, which is used for social collaboration features of the SAP Integrated Business Planning.)

The Active User and Locked User check boxes are selected by the system automatically. You have a right to take the appropriate action to revoke these selections by deselecting these boxes.

If an organization subscribes to SAP Jam for collaboration, then select the SAML check box and maintain the configuration details. To configure SAP Jam collaboration, click the Configure button in the General Information screen (Figure 2). This action opens the Configure SAML screen (Figure 3). To maintain the details, click the Add button to enter data for Identity Provider, User External Mapping, and External Identity. After you enter the details, click the Apply button.


Figure 3
Configure SAP Jam collaboration for a new user

The details you entered complete the general information you need to maintain for the user account. After you enter the mandatory general information data for the user, click the Save button to save your data.

(Tip: Be sure to save the data screen so that in case you move to any other screens you do not lose the most recent data entered. SAP Integrated Business Planning has many icons and panels on the screen. While working you may wrongly click another area and lose your work.)

Now you are ready to maintain the role and visibility filters. In the User Management screen, scroll down and expand the Assigned roles header (Figure 4).


Figure 4
Assign roles to new users

Click the Assign Roles button. This action opens the pop-up screen with the list of available Roles as shown in Figure 5.


Figure 5
Select predefined roles from the list to assign the roles to the new user

In this screen you can select the predefined multiple roles to be assigned to the new user. After you select the roles you want to assign, click the OK button, which takes you to Figure 6.


Figure 6
Applied visibility filters for new users

(Tip: To select multiple roles, select a role, press the Ctrl button on your keyboard, and then select additional roles. Only previously created roles appear as available roles as shown in Figure 5. I explain how to create a role in the “Roles” section.)

Now expand the Apply Visibility Filter section of the User Management screen (Figure 6) and click the Apply Visibility Filter button.

This action opens a pop-up screen that lists the predefined visibility filters (Figure 7). In this screen, you can select the field below Apply Visibility Filter and select an option to filter the planning areas from a drop-down menu (e.g., All Planning Areas). You also can select the required visibility filters from the list and then click the OK button to apply the visibility filters to the new user.


Figure 7
Select visibility filters to apply to new users

(Note: The visibility filters that you create appear on the visibility filter list as available filters. I explain how to create a visibility filter in the “Visibility Filter” section.)

After maintaining all the above details, such as general information, roles, and visibility filter, click the Save button. The user account is now created.

After you create a user account, you are required to inform the stakeholder for authorized access to the SAP Integrated Business Planning for sales and operations system. Now you send the credentials, such as the user’s ID and password, to the user’s authorized and registered email ID, providing the details and guidelines for how to access the SAP Integrated Business Planning system for sales and operations planning.

Roles

Roles provide the permission for task execution and planning data handling permission in SAP Integrated Business Planning. For example, DEMANDPLANNING is a role defined for performing tasks related to demand planning activities.

To create this role, log on to the SAP Integrated Business Planning web UI and select the User Management and Roles menu options from the left side panel on the screen. To add a new role click the Add New Role button at the top of the screen (Figure 8).


Figure 8
Add a new role

This action opens a pop-up screen in which you enter general information, such as the role name, which is mandatory, and a description of the role (Figure 9). In the Permission section select the check boxes for the SAP predefined activities that you want to give users permission to execute.


Figure 9
Permission for the demand planning role

As of now the tasks and activities available for SAP Integrated Business Planning are listed in this screen. Choose the appropriate tasks for demand planning. You can also consult with a functional SAP Integrated Business Planning for sales and operations planning expert to understand the task and assign or select it while creating the role. After entering the details, click the Save button to save the new role.

(Note: In Figure 9, you can only choose to select or deselect the SAP predefined activities or tasks for SAP Integrated Business Planning 4.0. You choose the appropriate activities to grant permission to perform the activity or task. For example, Inventory Optimization is not related to SAP Integrated Business Planning for sales and operations. It is related to SAP Integrated Business Planning for inventory. Therefore, while creating a demand planning role, you cannot select Inventory Optimization.

Based on customer feedback and SAP Integrated Business Planning functionalities, SAP may add more activities in its next version of SAP Integrated Business Planning. According to the roadmap, version 5.0 may have more options than version 4.0.)

After you click the Save button, the Roles screen appears again (Figure 10) with the newly added role visible in the list.


Figure 10
The new role named DEMANDPLANNING

You can restrict the user from accessing master data (Figure 11) for a particular role by assigning a master data type (e.g., All Planning Areas) and selecting Master Data Type ID from the list and then clicking the OK button (Figure 12).


Figure 11
Assign master data access for a role


Figure 12
Select a relevant master data type ID for assigning master data at the planning area level

You can also assign permission levels. In the screen shown in Figure 13, you can choose the master data types maintained globally or version specific. Here are the different levels of permissions for master data types (Figure 13):

  • Manage All: With this permission level, the stakeholder can create, change, delete, and display all master data records. This level of permission is for a stakeholder who wants to copy version-specific data from one version to another version and who is responsible for the master data of sales and operations planning data maintenance.
  • Update All: With this permission level, the stakeholder can edit and display all master data records. The user cannot create or delete any new master data records.
  • Manage Own: With this permission level, the stakeholders can display, edit, and delete all master data records that they have created. The user is restricted to edit or delete another stakeholder’s data. In the Excel add-in stakeholders can do mass maintenance only to master data records that they have created. In the single maintenance, they can display master data, but can only edit their own master data record that they created.
  • Display: The stakeholder can display the master data type and all records. To work on sales and operations, the user must have at least display-level, version-specific permission to display the data in the Excel add-in and web UI. You can restrict the user from accessing the key figure level (Figure 13).

Figure 13
Manage permission levels for assigned master data

After you assign the master data, scroll down to the Selected Key Figures area (Figure 14). Click the Edit Key Figures button.


Figure 14
Assigned key figures for a role

This action opens a pop-up screen that displays a list of key figures to be selected for the planning area (Figure 15).


Figure 15
Select key figures for roles

After assigning the key figures, the administrator gives the permission to view or edit the key figure (Figure 16).


Figure 16
Manage permission to view or edit of selected key figures for a role

SAP Integrated Business Planning 4.0, Patch 5 provides functionality in the assigned key figure version screen area that enables you to define version-specific permissions for key figures.

You also can restrict permissions at the role level for the planning unit ID and restrict the permission for giving planning scope (Figure 17). Planning scope refers to allowing the user to perform the activities that are in scope of the user’s role in the organization.


Figure 17
Assigned planning unit ID for a role

You also can restrict permissions at role level for the visibility filter at the planning area level (Figure 18). The prerequisite is to create visibility filters.


Figure 18
Applied visibility filter for a role

To apply the visibility filter to a role, click the Apply Visibility Filter button shown in Figure 18. The screen that appears lists visibility filters that you can select and apply to your roles (Figure 19).


Figure 19
Select and apply visibility filters for roles

You can also restrict permissions at the role level with Reason codes (Figure 20). A reason code is used to track the changes done in the planning cycle or planning view when the users save the data. Users can select a reason code and comments while editing any planning data in the Excel add-in. Organizations can create their own reason codes in addition to reason codes delivered by SAP Integrated Business Planning.


Figure 20
Reason codes for roles

Now you can click the Save button to save the settings for role creation of DEMANDPLANNING (Figure 20).

Visibility Filters

A visibility filter is mainly used for restricting the access of the planning data at the planning area and version level (Figure 21).


Figure 21
Visibility filters of user management

To add a new visibility filter, click the Add New Visibility Filter button shown in Figure 21. In the pop-up screen that appears (Figure 22), populate the fields as shown and click the Save button.


Figure 22
The Visibility Filters rule

A visibility filter is defined at the planning area level, and filter rules are applicable at the attribute level with mathematical operators (e.g., equal and value of the attribute). With this filter rule, the stakeholder is granted permission to view data for the attribute Brand whose value is LA. In my example, the visibility filter LA applies to any user who is able to view Brand data that has a value of LA.

The visibility filter’s change history can be downloaded for analysis purposes.
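The four master data permission levels from the “Roles” section and the Brand = LA filter rule above can be modeled together to check a planned authorization matrix before entering it in the web UI. The following is an added example, not code from the article or from SAP. It assumes that a record hidden by the visibility filter allows no action, that no filter means no restriction, and that Manage Own includes creating records; the record ids and user names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Per-record actions each master data permission level grants, following the
# article's descriptions. "any" applies to every record, "own" only to records
# the user created. Assumption: Manage Own may create records, which the
# wording "records that they have created" implies.
LEVELS = {
    "Manage All": {"create": True,  "any": {"display", "change", "delete"}, "own": set()},
    "Update All": {"create": False, "any": {"display", "change"},           "own": set()},
    "Manage Own": {"create": True,  "any": {"display"},                     "own": {"change", "delete"}},
    "Display":    {"create": False, "any": {"display"},                     "own": set()},
}


@dataclass(frozen=True)
class VisibilityFilter:
    """One filter rule with the 'equal' operator, e.g. Brand = LA."""
    name: str
    attribute: str
    value: str

    def matches(self, attributes: dict) -> bool:
        return attributes.get(self.attribute) == self.value


def can_create(level: str) -> bool:
    """True if the permission level lets the user create new records."""
    return LEVELS[level]["create"]


def allowed_actions(user, level, record, vis_filter: Optional[VisibilityFilter] = None):
    """Return the set of actions `user` may take on one existing record.

    Assumptions of this model: a record hidden by the visibility filter
    allows no action at all, and no filter means no restriction.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown permission level: {level!r}")
    if vis_filter is not None and not vis_filter.matches(record["attributes"]):
        return set()
    actions = set(LEVELS[level]["any"])
    if record["created_by"] == user:
        actions |= LEVELS[level]["own"]
    return actions


def access_matrix(user, level, records, vis_filter=None):
    """Map record id -> sorted action list, ready to compare with the planned matrix."""
    return {r["id"]: sorted(allowed_actions(user, level, r, vis_filter)) for r in records}


# Constructed sample master data records (hypothetical ids, users and values).
SAMPLE_RECORDS = [
    {"id": "P1", "created_by": "DPLANNER1", "attributes": {"Brand": "LA"}},
    {"id": "P2", "created_by": "SPLANNER1", "attributes": {"Brand": "LA"}},
    {"id": "P3", "created_by": "DPLANNER1", "attributes": {"Brand": "EU"}},
]
LA_FILTER = VisibilityFilter(name="LA", attribute="Brand", value="LA")

if __name__ == "__main__":
    for level in LEVELS:
        print(level, access_matrix("DPLANNER1", level, SAMPLE_RECORDS, LA_FILTER))
```

With Manage Own and the LA filter, the sample user can change and delete only the LA record they created, can display the other LA record, and has no access to the EU record even though they created it.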

Managing Users’ Reset Passwords, Lock and Unlock User IDs, Active and Deactivate User

Managing stakeholders’ passwords is also very important while providing security and ensuring sales and operations planning data is secured. A password reset request can be sent to the administrator if the users forget their passwords. The system locks the user ID if the wrong password is entered repeatedly. If any unauthorized event is noticed, the administrator can also lock the user’s ID (Figure 23).


Figure 23
User Management – reset password, locked user, active user

You also can complete the following password management tasks:

  • Manage first-time passwords for new users: you can set a user’s password as per the organization’s password policy and send the details to the user by mail.
  • Reset passwords: You can reset the password of users upon their request to reset the passwords and provide the reason of the password reset for internal audit recording purposes. Once the password is reset successfully, you send the details of the reset password to the stakeholder, and the stakeholders have to access their SAP Integrated Business Planning account via the web UI with the new reset password. The system displays a pop-up screen to change the password for security purposes. In this screen, the stakeholder has to change the password.
  • Lock user: Users are locked if they enter the wrong password more than three times. After they are locked, they cannot use the system. For security reasons, you can also lock the user.
  • Deactivate user: If any user is not active in the system, the administrator can deactivate his or her user ID. The user then cannot access the system. (A user who can actively access the system is shown as an active user.)

How Stakeholders Can Manage Their Own Passwords

Stakeholders are allowed to manage their own passwords via the web UI (Figure 24).


Figure 24
The Settings link in the web UI home page

After they log on to the system, the stakeholders can see the user details icon in the upper right corner of the screen. Click this icon to view a list of headings on the right side of the screen. Click the Settings link.

To manage their passwords, the stakeholders can click the Settings link in the home screen of the web UI. In the screen that appears, stakeholders can populate the fields in the Reset password section and then click the Save button (Figure 25).


Figure 25
Manage passwords

Once the stakeholder saves the password, a pop-up screen shows the message if any error occurs (Figure 26). Read the error message and click OK.


Figure 26
Manage own password - Error

By clicking the OK button you are taken back to Figure 25 to correct the error.

Correct the error by entering the correct password in the New Password field and the Re-Type New Password field. Click the Save button. The pop-up window then shows the message Success and Completed (Figure 27). Click OK.


Figure 27
Manage own password – Successful

Tips

Effectively managing stakeholders for SAP Integrated Business Planning for sales and operations is a challenge as SAP Integrated Business Planning for sales and operations is a cloud-based solution, and many stakeholders are accessing the system for planning and data handling. Therefore, sharing data at the right time with the right people is very important. Many organizations are afraid to share the planning and financial data in the cloud as they think there is a threat of confidential data leakage to other partners. Security of the data is more important while collaborating with business partners.

In this section I have covered how to effectively manage stakeholders who are accessing planning and executing the sales and operations planning cycle using SAP Integrated Business Planning sales and operations as below:

  • Identify the stakeholders’ roles and responsibilities by involving business users and understand which planning data the stakeholders are authorized to access
  • Prepare stakeholders’ roles and authorization matrices along with the planning data handling
  • Share the organization’s SAP Integrated Business Planning web link and Excel add-in installation details to only authorized stakeholders.
  • If any stakeholders are not active in the SAP Integrated Business Planning sales and operations planning processes, then remove their authorizations and uninstall the Excel add-in for SAP Integrated Business Planning from their machines or devices after taking consensus from the SAP Integrated Business Planning sales and operations owners
  • Set some process to have a regular audit of the stakeholders’ access of the SAP Integrated Business Planning system for sales and operations planning data. Take necessary action based on feedback from these audits.
  • Limit the access to the stakeholders for administrative work (e.g., reset password of another’s user ID)
  • If any users are not active, then lock them in the system after receiving confirmation from the sales and operations system owner.
  • Copy SAP Integrated Business Planning sales and operations standard users along with their roles and permissions to the organization’s required users so that you do not change any SAP default settings or role permissions of SAP’s objects.
  • Stakeholders performing simulation, what-if scenarios would require edit permissions for their output key figures that can be executed from the Excel add-in.
  • SAP Integrated Business Planning 4.0 has more modules than SAP Integrated Business Planning for sales and operations and the administrator has to provide access to the users based on the roles they are performing. Some stakeholders may have multiple roles and may require different permissions to different roles.
  • SAP is providing more security features in its new releases of SAP Integrated Business Planning. The organization’s SAP Integrated Business Planning owner has to always keep updated and upgrade the system to get maximum benefits of the security features of the SAP Integrated Business Planning (e.g., SAP has provided new security features in SAP Integrated Business Planning 5.0, such as front-end and back-end roles of the users). Users can manage their planning data visibility.
  • Keep an eye on the stakeholders who are managing their own visibility filters. Make sure that they don’t inadvertently maintain the wrong data and end up with the wrong sales and operations planning results.
  • Protect the stakeholder’s SAP Integrated Business Planning working sessions. If they are not working for more than five minutes, then the session should automatically time out to protect the planning data for security reasons. Session timeouts can vary from user to user, so set the timeouts accordingly.
  • Mass User Management functionality is not available in SAP Integrated Business Planning 4.0 to allow the administrator to take a corrective action for multiple users (e.g., Unlock Users). The administrator has to check the user status one by one and unlock it. In higher versions of SAP Integrated Business Planning, this functionality of Mass User Management should be available based on customers’ feedback to the SAP Integrated Business Planning product development team.
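The regular access audit recommended in the tips above can be run offline over a copy of the user list. The following is an added example, not code from the article or from SAP. It assumes the User Management table (columns as in Figure 1) has been transcribed into a CSV file, with Yes/No flags, ISO dates, and semicolon-separated roles; the article does not describe such an export, and the sample rows, the 90-day threshold, and the approved administrator list are constructed.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample data; column names follow the User Management table in
# Figure 1. The CSV layout itself is a hypothetical transcription format.
SAMPLE_EXPORT = """\
User Name,First Name,Last Name,Primary E-mail,Roles,Last Login,User Locked,User Activated
SOPADMIN,System,Admin,sopadmin@example.com,ALL_INCLUSIVE,2015-11-09,No,Yes
DPLANNER1,Dana,Lee,dana.lee@example.com,DEMANDPLANNING;BASIC_USER,2015-11-10,No,Yes
SPLANNER1,Sam,Roy,sam.roy@example.com,BASIC_USER,2015-07-01,No,Yes
FINMGR1,Fay,Kim,fay.kim@example.com,ALL_INCLUSIVE,2015-11-02,No,Yes
RMKT1,Raj,Das,raj.das@example.com,BASIC_USER,,Yes,Yes
OLDUSER,Old,User,old.user@example.com,DEMANDPLANNING,2015-01-15,No,No
"""
SAMPLE_TODAY = date(2015, 11, 11)  # constructed audit date


def _yes(value: str) -> bool:
    """Interpret a flag column (assumed to hold Yes/No style values)."""
    return value.strip().lower() in {"yes", "true", "x", "1"}


def audit_users(csv_text, today, max_idle_days=90,
                admin_role="ALL_INCLUSIVE", approved_admins=("SOPADMIN",)):
    """Return user names grouped by audit finding.

    inactive               activated, unlocked, no login within max_idle_days
                           (candidates to lock once the system owner confirms)
    unapproved_admin       holds the all-permission role but is not on the approved list
    locked                 locked accounts, which must be reviewed one by one
    deactivated_with_roles deactivated accounts that still carry role assignments
    """
    findings = {"inactive": [], "unapproved_admin": [],
                "locked": [], "deactivated_with_roles": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["User Name"].strip()
        roles = {r.strip() for r in row["Roles"].split(";") if r.strip()}
        last_login = row["Last Login"].strip()
        idle_days = None  # None means the user has never logged in
        if last_login:
            idle_days = (today - datetime.strptime(last_login, "%Y-%m-%d").date()).days

        if not _yes(row["User Activated"]):
            if roles:
                findings["deactivated_with_roles"].append(name)
            continue  # a deactivated user cannot access the system
        if _yes(row["User Locked"]):
            findings["locked"].append(name)
        elif idle_days is None or idle_days > max_idle_days:
            findings["inactive"].append(name)
        if admin_role in roles and name not in approved_admins:
            findings["unapproved_admin"].append(name)
    return findings


if __name__ == "__main__":
    for finding, users in audit_users(SAMPLE_EXPORT, SAMPLE_TODAY).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```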


Anjali Butley

Anjali Butley has more than 20 years of strong functional, business, and IT experience with domain expertise in supply chain planning and logistics.

She is a business analyst with more than 18 years of SAP experience in design and development of integrated supply chain solutions for large-scale enterprises. Her expertise includes process modeling, business process analysis, application implementations, production support, and presales across multiple client engagements in the SCM domain.


