Security Profiles
Greetings all…
I thought today I would post about E-Sourcing / CLM Security Profiles. I have seen some questions on the SAP SDN about these recently and thought it would be a good topic to cover here.
Security Profiles are used in E-Sourcing to establish user roles and the permissions associated with those roles. Once set up, user accounts are associated with one or more security profiles, which determine the specific permissions the user has in E-Sourcing / CLM.
The permissions that are set up in the security profile include typical permissions such as Create, Edit, and View; there are also some specialized permissions that are unique to the business object, configuration data, or master data. One permission that prompted a recent discussion is the permission called setup. This permission indicates whether or not the data can be managed via the E-Sourcing / CLM setup area. There are also permissions such as Create Template that are available on the major business objects (e.g., Projects, Auctions, RFx, and Master Agreements) that restrict access to the template creation functionality.
As with much of E-Sourcing / CLM, there is a lot of flexibility built into the security profiles and how they are configured and associated with user accounts. Sometimes, however, this flexibility can lead to inconsistent use and longer-term maintenance headaches. When deciding how best to configure the security profiles in E-Sourcing / CLM, I suggest you really examine your organization and the roles in it. Here are some things to understand and establish before performing any configuration in the system:
What are the various roles of the members of my sourcing organization? Do these roles align with job titles or job descriptions?
Are the roles of the members of my organization strictly defined? Should the system be deployed with that strict definition?
How do the roles that the users have align with the functionality that will be used in E-Sourcing? For example, will only certain roles create and manage Projects? Contracts? RFxs? Auctions?
How much and how often will users’ roles change?
Could a matrix be created that lists the roles of the users and the functionality that those users will have access to in E-Sourcing / CLM?
Answering these questions will hopefully lead you down a path to a particular configuration approach. Here are a couple of approaches I have used in the past:
Create Security Profiles that align with job titles / job descriptions: With this approach, each job function in your organization has a related security profile in E-Sourcing / CLM. Each user is then assigned the security profile in user account maintenance. If a user changes roles or leaves the organization, the user account can be updated accordingly. If a user has multiple roles in the organization, they can be assigned multiple security profiles.
Create Security Profiles that define rights from a system standpoint and create user groups that associate the security profiles with roles: With this approach, security profiles might be defined based on use of the various modules (e.g., Projects, RFxs, etc). Instead of assigning the security profiles to individual user accounts, profiles are assigned to user groups and users are associated with one or more groups. In this approach, the group will likely align with the job functions.
Both of the above approaches can work well and your choice really will depend on how you want to maintain user accounts, security profiles, and your use of user groups. Regardless of the approach you select, the system provides a good audit report that shows how the security profiles are used. You can access this report from: Setup > System Administration > Administrative Reports > Security Profile Usage Summary.
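The two assignment approaches above can be modelled outside the system to review who ends up with which permissions before anything is configured. The following is an added example, not code from this post or from SAP: all profile, group and user names are constructed, and it assumes permissions from multiple profiles are additive.

```python
# Illustrative model only: profile, group and user names are constructed,
# and permissions are ASSUMED to be additive across a user's profiles.
SENSITIVE = {"Setup", "Create Template"}

# Security profile -> set of (business object, permission) pairs.
PROFILES = {
    "Sourcing Manager": {("Projects", "Create"), ("Projects", "Create Template"),
                         ("RFx", "Create"), ("RFx", "Edit")},
    "Contract Analyst": {("Master Agreements", "Edit"), ("Master Agreements", "View")},
    "Module: RFx": {("RFx", "Create"), ("RFx", "Edit"), ("RFx", "View")},
    "Module: Admin": {("Master Data", "Setup"), ("RFx", "Create Template")},
}

# Approach 1: profiles assigned directly on the user account.
DIRECT = {"alice": ["Sourcing Manager"], "bob": ["Contract Analyst"]}

# Approach 2: profiles assigned to groups, users placed in one or more groups.
GROUP_PROFILES = {"Buyers": ["Module: RFx"],
                  "Administrators": ["Module: RFx", "Module: Admin"]}
MEMBERSHIP = {"alice": ["Buyers"], "carol": ["Buyers", "Administrators"]}

def profiles_for(user):
    """Map each profile a user holds to every path that grants it."""
    paths = {}
    for profile in DIRECT.get(user, []):
        paths.setdefault(profile, []).append("direct")
    for group in MEMBERSHIP.get(user, []):
        for profile in GROUP_PROFILES.get(group, []):
            paths.setdefault(profile, []).append("group:" + group)
    return paths

def effective(user):
    """Union of permissions over every profile the user holds."""
    return set().union(*(PROFILES[p] for p in profiles_for(user)))

def audit(users):
    """Return (sensitive grants per user, profiles granted by more than one path)."""
    sensitive, redundant = {}, {}
    for user in users:
        hits = sorted(perm for perm in effective(user) if perm[1] in SENSITIVE)
        dup = {p: via for p, via in profiles_for(user).items() if len(via) > 1}
        if hits:
            sensitive[user] = hits
        if dup:
            redundant[user] = dup
    return sensitive, redundant

if __name__ == "__main__":
    print(audit(["alice", "bob", "carol"]))
```

Here alice mixes both approaches, and carol receives the same profile through two groups, which is the kind of inconsistency that makes later maintenance harder.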
I hope this article was interesting and you are inspired to review your use of security profiles and their setup in E-Sourcing / CLM.