HR2012: Leverage your Organizational Structure for User Access Provisioning (Part 1)

by Juliet Henry

March 7, 2012

In business, we strive to find ways to smooth the path of information from one person or department to another where that data can grow in significance, becoming more meaningful in its purpose and adding value to the business as a whole, ultimately greater in value than the sum of all its parts.  Does this describe an idealistic world?  Or does it describe the vision of an integrated system?

Close integration of user access control and HR data seems to fall into the realm of that idealistic world.  You can almost not imagine two departments more different from one another.  Security is a highly technical area where geeks find comfort amongst intangible concepts of encryption, single sign-on and biometric scanners and gadgets.  Human Resources is a "people" place, where you welcome new employees into your organization, grow their talent, and assist them in navigating their desired career path.  Successful marriage of these two departments would be clear proof of the theory that opposites attract.

So let's test that theory out.  Can we indeed successfully integrate Access Control and HCM, and in doing so improve the business processes of both departments?  I dare say that it's hard to keep them apart!  They become so intertwined that it's hard to definitively say where the responsibility of Access Control ends and that of HCM begins, and vice versa.  Let us explore the relationship of Indir ect Role Assignment, whereby users' access is provisioned via the Organizational Structure in HCM.

Indirect Role Assignment is an alternate methodology for managing and provisioning user access, rather than assigning roles directly to user IDs.  It is a more efficient, streamlined way to provision security roles to users, especially if the organization has a stable, well-maintained organizational structure that is updated in a timely manner when organizational changes are made.  These criteria are imperative if the organization has structural authorizations for HCM security, in which case, both needs are simultaneously satisfied.  (Note that structural authorizations are just another way in which HCM org structures and Security are closely tied.)

Indirect Role Assignment will ensure that an employee automatically inherits the necessary roles to perform their job as soon as they are hired, or transfer to another position.   Additionally, roles are automatically removed when the employee vacates a position due to retirement or separation.  This certainly cuts down on any manual processes that might be in place to assign roles directly to users.  Not only does the user have the right roles, but you avoid the problem of users amassing roles that they no longer need - but never get removed from their user id as they change jobs - with the potential for undesired combinations of access when roles interact with one another. I believe that the value of this increases exponentially relative to the size of the organization, not only with reduction in maintenance, but also with the increased confidence that users are remaining compliant with reduced risk of Segregation of Duties (SOD) violations.  I would recommend Indirect Role Assignments for especially large organizations.

The benefi t within HCM is clear: when a new manager is moved into his position, access to managerial functions is automatically granted and the manager can access the personnel within the org unit(s) for which he is responsible.  There is no delay while someone deciphers what user roles the new manager should be assigned, entering the access request, waiting for approval, and then processing the access request.  Additionally, a greater consistency is achieved in user access.  HR and Security have previously worked together to establish which roles the position requires.  No matter who occupies the position, their user ID will inherit the predetermined access defined for their position.  The users can in turn be productive sooner within the system as they have the necessary access to perform their jobs.  The HCM and Security business processes are thus smoother, faster, and integrated.

In Part 2 of this blog, I will delve into some real-life challenges from day-to-day access management and HCM business scenarios, such as backfilling someone out on Leave of Absence, and how Indirect Role Assignment can assist with these.

Please stop by my session at HR2012 if you would like to learn about the inner workings of Indirect Role Assignment, how it can be customized for specific business needs, and integration with GRC Access Control.

Add my session to your HR2012 schedule here:

Session Title: How to leverage your organizational structure for user access provisioning

Session Time: 2:30 pm - 3:45 pm

Session Date: Thursday, March 15, 2012

An email has been sent to:

More from SAPinsider


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!