Keep Authorizations Synchronized with SAP® On-Premise and SAP Cloud Solutions
Struggling with the integration of authorizations? Keep it easy! The SAP® on-Premise Central User Administration (CUA) as master will propagate authorization changes to external solutions in the cloud - such as SuccessFactors® and SAP Fiori® Launchpad - keeping them always synchronized.
In complex technological landscapes, where an SAP® on-Premise Central User Administration - CUA - coexists with external solutions in the cloud - such as SuccessFactors® or the SAP Fiori® Launchpad hosted in SAP HANA® Cloud Platform (HCP) – how can you avoid the risks of non-corresponding authorizations for the same user in different applications?
Keeping coherent authorizations across all platforms is fundamental to efficiency - users should not be stopped from carrying out their work because of incorrect or outdated authorizations. It is also critical for security reasons, because employees should only perform tasks and have access to data for which they are authorized.
How to keep authorizations synchronized
In order to avoid any incoherence in the authorizations system, three different options can be considered:
- SuccessFactors as master propagating the authorization changes to SAP on-Premise;
- Have an Identity Management (IDM) tool (such as SAP IDM) to handle the authorizations and synchronizing with SF and SAP on-Premise;
- SAP on-Premise as master propagating to SuccessFactors and to other external solutions in the cloud (e.g. SAP Fiori Launchpad).
Having considered the three possible options, our most recent experience in a complex technological landscape led us to choose the third solution. With this approach the structure of the landscape is not affected, because additional resources or tools are unnecessary (e.g. IDM installation).
This article will therefore present the method that has been applied by konkconsulting to meet a recent work challenge.
Taking advantage of the external APIs supplied by SuccessFactors and SAP HANA Cloud Platform, we have developed an additional report that should be executed during the CUA reconciliation process. The report carries out the conversion of the changes applied in the SAP authorization model to equivalent actions that have to be executed in the external systems.
We have isolated the communications with external systems in different adapters.
In this article we focus on the communication with SuccessFactors and SAP Fiori Launchpad hosted in the SAP HANA Cloud Platform, but we also have to highlight that additional solutions can be covered by creating the respective communication adapter.
SAP Fiori Launchpad
According to the current SAP UI roadmap, the SAP Fiori Launchpad will be the “SAP entry point across devices and platforms” (SAP, 2015), with planned SuccessFactors integration until the end of this year.
In fact, the home page of SuccessFactors will be entirely replaced by SAP Fiori Launchpad, according to the available preview images in SAP Fiori roadmap (SAP, 2015). We have already made significant advances in customizing the look and feel of the Launchpad, by creating custom tiles that fit better to business needs and truly provide a single point of access across multiple applications.
As an illustrative example, we will consider that a certain employee changes job from “Developer” to “Project Manager”. Due to his/her promotion, the employee would gain access to additional tiles in the Launchpad containing the necessary project management tools.
After the execution of the organizational transfer, our report would automatically reconcile the employee authorization changes with the configured external solutions. Following the successful synchronization with the SAP Fiori Launchpad, the employee would gain access to the “PWA” Project Center tile, displayed in the complete process flow.
SuccessFactors
SuccessFactors uses the Role based Permission Framework (RBP) to control user security and authorizations. The framework allows granular management of action/ field-level permissions across most of the HCM suite.
Authorization Roles are defined with a set of permissions that are assigned to a group of users. The elements of the group are identified using organizational filters. The permissions assigned to a group of users gives them access to the data of a specific target population (e.g. permission to view the profile of all users inside the granted user location).
Using the illustrative example referred in the previous section (a developer who becomes a project manager), our solution would also reconcile the authorization model changes of SAP with the configured SuccessFactors account. In the example shown in the image bellow, she/he gains access to an additional section of the employee profile: “Project Management”.
Conclusion
In spite of the basic illustrative example that we mentioned in this article – intended to ease the explanation of the process flow – this solution can be implemented in complex situations. Authorization assignments to multiple HR objects can be supported (example: Country, Org. Unit, Position) and directly propagated to external solutions.
Most of the work expected in this architecture is related to the calculation of which actions have to be performed on external solutions when a change in the authorization model occurs. Every external solution can have a different authorization scheme; we have to convert the SAP on-Premise model, so that the permissions are correctly assigned in each external solution.
It is important to refer that the solution implemented by konkconsulting was developed with an SAP on-Premise system (using SAP ABAP), but it could have been developed with other technologies. By leveraging the power of the available SuccessFactors API, other types of dynamic assignment can also be implemented.
References
SAP. (2015, September 18). UI Technology Roadmap. Retrieved from SAP Community Network