Orgset Management and Field Replicator – The XAMS Role Replicator

Introduction

In the XAMS environment, the Role Replicator provides various tools for mass editing of users, roles, organizational settings, and other elements necessary in the authorization management of SAP systems. In this part of the series, we focus on the orgset replication tools.

Managing organizational structures and non-organizational fields can often pose a challenge for companies and their SAP authorization concepts. While the SAP standard offers the derivation concept to alleviate this, derived roles need to be manually created, changes related to granted or non-granted fields must be incorporated into each individual role, and discrepancies between source and derived roles need to be identified manually. Additionally, the SAP transaction PFCGMASSVAL offers limited mass processing tools for role management. For a deeper insight into the PFCGMASSVAL function in the SAP standard, which can assist with the mentioned topics, you can refer to a blog post by my colleague Erwin Lachenmaier. With the Role Replicator, authorization differentiations for organizational settings and other fields can be quickly and extensively carried out. For instance, it is possible to define company code values for multiple roles within a short period. In the following, a practical example using a fictional production company named “Xiting” will elaborate on the process within the Role Replicator.

Practical Example

The following is intended to explain the procedure in the Role Replicator using a practical example based on a fictional production company called “Xiting.”

To begin, a group named “GLOBAL” is created, to which various production sites in different countries can be assigned. With this group, roles can be replicated in a way that they inherit the characteristics of all associated and subordinate orgsets and orgset groups. This enables, for instance, granting a CEO permission to access all locations through a role associated with the characteristics of the group.

Figure 1: Example of an Orgset Modeling

Next are the country orgset groups, representing different global locations in the case of Xiting. For example, there could be a group for Xiting AG Switzerland, one for Xiting GmbH Germany, and potentially more. Normal orgsets and referenced orgsets are assigned to this group. The orgset contains location-specific values for organizational levels such as company code, plant, etc. Additionally, it can be supplemented with values for non-organizational level fields if required. These values can be easily added through a right-click. In our example, the authorization object V_VBAK_AAT is listed, which is technically not an organizational level and is needed to restrict access to the location-dependent sales document type “ZCH” or “ZDE”.

Figure 2: Organizational Structure with Organizational Fields and Non-Organizational Fields

The referenced orgset is depicted in the following figure.

Figure 3: Reference Orgset

In the referenced orgset, values are stored that apply across locations, such as a central warehouse accessible to all sites. This eliminates the need to maintain these characteristics multiple times in each individual orgset. Instead, a central orgset is created to store these globally applicable values, and it is referenced in other areas. As a result, roles can be replicated to the location groups, inheriting the location-specific organizational level characteristics and also the characteristics from the central warehouse.

To further reduce manual maintenance efforts, the Role Replicator offers easy and fast mass maintenance through Excel uploads. A dedicated upload/download area is provided for this purpose, containing instructions for successful execution (see Figure 4). It’s easiest to download an example and work within it, as it allows you to work directly in the correct format and provides guidance.

Figure 4: Upload/Download Area

To transfer the values into the roles, you switch to the actual Replicator. Here, role pairs can be created. These pairs consist of a source role defining the functional scope and a replicated role taking on the role menu of the source and the chosen orgset values, similar to SAP’s derivation concept.

In the following example, an accounting role has been replicated into a role with the Swiss orgset.

Figure 5: Role Replication

After the replication pair has been created, synchronizing via a double-click on the arrow in the RRO (Role Replicator Overview) creates all replicated roles in PFCG, overwrites them with values from the Swiss or German orgset group, and equips them with the menu from the source role.

The arrow at the top ensures that all roles are synchronized, while the other arrows below can be used to selectively choose specific roles for synchronization, providing flexibility in the replication process.

Figure 6: Synchronization

The following figures illustrate a comparison between a role pair in PFCG, showcasing how changes are reflected across replicated roles.

Figure 7: Role Menu of the Source Role
Figure 8: Authorization Profile of the Template Role
Figure 9: Role Menu of the Replicated Role
Figure 10: Authorization Profile of the Replicated Role

Changes in the source role or the orgsets can be easily distributed through the Role Replicator. Faulty adjustments, such as extending an organizational level in replicated roles, are directly displayed to avoid inconsistencies. Synchronization can be initiated, as described above, through the arrow in the role replication pair or en masse for all roles.

Figure 11: Example of Replication Pairs and Synchronization Options

In the role pairs shown above, some asynchronous organizational levels are marked with a red circle in the “Org.” column. Yellow triangles indicate that the replicated role could only take dummy values from the source role, as there are no specifications in the orgset or orgset group. The following example illustrates this comparison. The replicated role temporarily adopts values from the source role if there’s nothing in the orgset and marks them for later tracking in the correct location.

Figure 12: Comparison of the Replication Pairs

If permissions have been adjusted in the source role (even for non-organizational level fields), this is visible in the “NOrg.” column (see Figure 11). A red circle indicates this inconsistency.

The Xiting RRO (Role Replicator Overview) for orgsets provides additional tools for efficient processing of pairs. For example, the area of role maintenance, as well as the company structure, can be uploaded and downloaded via Excel.

Figure 13: Export and Import of Replication Pairs

With the new service pack, it is now possible to categorize roles into groups for clearer and easier management. For instance, all roles per business area can be grouped together. When selecting this group, only its contents will be displayed.

Figure 14: Groups in RRO (New Feature of Service Pack 18)

In XAMS customization, there is a function that also supports SAP standard derivations. This enables a deriving PFCG role to be directly set as a source role.

However, it should be noted that when integrating this SAP standard derivation, adjustments to organizational field data are possible.

Furthermore, reporting functions are available for conducting consistency checks of orgsets and roles. These facilitate the identification of error sources or redundant role assignments, which in the SAP standard would typically require manual SUIM reports or table evaluations.

Figure 15: Reporting Capabilities in RRO

The first report lists replicated roles that have no users assigned to them. For these roles, consideration can be given as to whether they are even necessary or if they can be removed from the system landscape. The data from the productive system is crucial for this, so the report should be executed there.

The second report indicates whether users are authorized for a specific organizational unit through a role for which they already have superior permissions through another role. Thus, the assignment to the subordinate organizational unit becomes redundant and can potentially be removed, as it’s already covered by the superior permissions.

A consistency check can be carried out using the last reporting option. Three comparison options are available, which can be executed individually or together. The first comparison checks the organizational fields, i.e., the values from the AGR_1252 table, against the orgset values from the Role Replicator. The second option compares the menu objects of the source with the replicated roles, and the last comparison compares the authorization values, i.e., the values from the AGR_1251 table, with all replication pairs.

Most of the aforementioned comparisons, especially the first three, are already checked directly within the replication area when the status assessment is turned on. Therefore, the reporting options offer additional features that can be useful for targeted ad-hoc evaluations.
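The first comparison option above, sketched as an added example (not Xiting's code and not part of the original post): it resolves each orgset together with its referenced orgsets and compares the result against rows shaped like an AGR_1252 export. The orgset layout, role names and all values are constructed assumptions, and only single values (the LOW column) are compared, not ranges.

```python
from collections import defaultdict

# Constructed orgsets (hypothetical layout). "refs" models a referenced orgset
# whose values are inherited, like the central warehouse described in the post.
ORGSETS = {
    "CENTRAL_WH": {"values": {"$WERKS": {"9000"}}, "refs": []},
    "CH": {"values": {"$BUKRS": {"1000"}, "$WERKS": {"1100"}}, "refs": ["CENTRAL_WH"]},
    "DE": {"values": {"$BUKRS": {"2000"}, "$WERKS": {"2100"}}, "refs": ["CENTRAL_WH"]},
}
# Replication pairs: replicated role -> orgset (constructed role names).
PAIRS = {"Z_FI_ACCOUNTING_CH": "CH", "Z_FI_ACCOUNTING_DE": "DE"}
# Constructed rows in the shape of an AGR_1252 export: (AGR_NAME, VARBL, LOW).
AGR_1252 = [
    ("Z_FI_ACCOUNTING_CH", "$BUKRS", "1000"),
    ("Z_FI_ACCOUNTING_CH", "$WERKS", "1100"),
    ("Z_FI_ACCOUNTING_CH", "$WERKS", "9000"),
    ("Z_FI_ACCOUNTING_DE", "$BUKRS", "2000"),
    ("Z_FI_ACCOUNTING_DE", "$BUKRS", "1000"),  # org level extended by hand
    ("Z_FI_ACCOUNTING_DE", "$WERKS", "2100"),  # central warehouse 9000 missing
]

def resolve(name, seen=()):
    """Merge an orgset's own values with those of every orgset it references."""
    if name in seen:
        raise ValueError(f"circular orgset reference at {name}")
    merged = defaultdict(set)
    for var, vals in ORGSETS[name]["values"].items():
        merged[var] |= vals
    for ref in ORGSETS[name]["refs"]:
        for var, vals in resolve(ref, seen + (name,)).items():
            merged[var] |= vals
    return merged

def check(pairs, rows):
    """Return sorted findings: (role, org level, 'EXTRA' or 'MISSING', value)."""
    actual = defaultdict(lambda: defaultdict(set))
    for role, var, low in rows:
        actual[role][var].add(low)
    findings = []
    for role, orgset in pairs.items():
        expected = resolve(orgset)
        for var in set(expected) | set(actual[role]):
            for v in actual[role][var] - expected[var]:
                findings.append((role, var, "EXTRA", v))    # broader than orgset
            for v in expected[var] - actual[role][var]:
                findings.append((role, var, "MISSING", v))  # not yet synchronized
    return sorted(findings)

if __name__ == "__main__":
    print(*check(PAIRS, AGR_1252), sep="\n")
```

An EXTRA finding is the security-relevant one: the replicated role grants an organizational value that its orgset does not define.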

Conclusion: Orgset Management and Field Replicator – The Xiting Role Replicator

As evident from the above discussion, the Role Replicator stands as an excellent tool for efficiently managing organizational structures and non-organizational fields. It empowers you to flexibly align your corporate organization according to your authorization concept.

The actual Replicator allows for the swift and straightforward creation of role pairs and the synchronization of replicated roles into PFCG. It displays inconsistencies and erroneous adjustments, ensuring an efficiently maintained consistent authorization structure.

Within the XAMS environment, the Xiting Role Replicator introduces a revolutionary solution for companies grappling with the complex challenge of managing organizational structures and non-organizational fields. Where SAP’s standard capabilities set limits on mass editing tools and derivation concepts, the Role Replicator substantially expands the possibilities:

  1. Efficient Mass Editing: The Role Replicator enables rapid and mass differentiation of authorizations for various elements, such as organizational structures.
  2. Practical Functionality: Practical examples, like that of a fictional production company “Xiting,” highlight the potential of the Role Replicator.
  3. Error Identification and Avoidance: One of the tool’s greatest strengths lies in its automated identification of inconsistencies and faulty adjustments, enhancing the quality and security of authorization structures.
  4. Reporting and Analysis: The Role Replicator provides comprehensive reporting functions that facilitate efficient review of orgsets and roles, identifying redundancies or sources of error.
  5. Flexibility and User-Friendliness: Features like mass maintenance through Excel uploads, intuitive synchronization options, and support for SAP standard derivations showcase that the Role Replicator is not only powerful but also user-friendly.

In summary, the Xiting Role Replicator offers an innovative and efficient solution for managing organizational structures and authorizations, allowing companies to optimize their authorization concepts and significantly reduce administrative efforts.

If I’ve piqued your interest, you can also request a practical demonstration through our individual webinar, including a demo. You can also book a customized training or inquire about implementation consulting for your company. We are available to provide you with advice and assistance at any time to determine the best support for your needs.

Xiting stands as a 360-degree solution provider in SAP Security, equipped with years of expertise and know-how to tackle numerous challenges. Secure your SAP systems in a safe environment with our comprehensive solutions:

  • Execution of authorization projects and authorization audits (SAP Authorizations).
  • Cleanup of custom developments in ABAP environments.
  • Accelerated S/4HANA migration.
  • Reduction of risks during Go-Live.
  • Development of an SAP security concept.
  • Assessment of access rights for users in ERP systems.
  • And much more.
Laura Göthlich