Security
The SAP Business Technology Platform has two concepts relevant to the security of the Redfig Partnerflow Solution.
Security Groups are used to group users by function. These are maintained on a near-daily basis: as users are created in the system, they are added to one or more Security Groups.
Role Collections are mapped to Security Groups and give users authorization to perform certain functions within the Redfig Partnerflow. These are only maintained when initially configuring the solution, or when new Security Groups or Scenarios that require new functionality are added.
The relationship between Security Groups and Role Collections is many-to-many (M:M). That means one Security Group can give a user access to multiple Role Collections, and one Role Collection can be made available to multiple Security Groups.
For simplicity, the standard Security Groups and Role Collections pre-delivered with the Redfig Partnerflow solution have a one-to-one (1:1) relationship. However, as a subscriber, when you create your own Role Collections and Security Groups (and you should, more on that below), you are free to assign multiple Role Collections to a single Security Group and vice versa.
Below is a list of pre-delivered Security Groups and Role Collections that come with every Redfig Partnerflow Subscription.
Role Collection | Description | Groups | FLP Tiles |
---|---|---|---|
PartnerflowExternal | Default Role Collection for temporary External users | RF_Partnerflow_External | My Tasks Documentation |
PartnerflowInternal | Can view and process requests assigned to them | RF_Partnerflow_Internal | My Tasks Documentation |
PartnerflowRequestor | Can request new workflows | RF_Partnerflow_Requestor | New BP Request Documentation |
PartnerflowViewAll | Same as PartnerflowInternal, but they can view other people's requests. This would be a regular Partnerflow user who needs to see all other requests as well. Perhaps they are a department head, like a Finance Director who needs to make sure there are no requests waiting on someone from their Finance team. Can view all workflow requests, but not necessarily act on any request not assigned to them. | RF_Partnerflow_View_All | Documentation Global Report Throughput Turnaround |
PartnerflowManager | Main business user or Master Data owner. Responsible for the daily effective execution of the Partnerflow solution. Has all of the access of PartnerflowViewAll, but can also take actions on requests that are not assigned to them. Can view all requests and change the processor of any request. Can therefore also approve requests on behalf of others. | RF_Partnerflow_Manager | Documentation Global Report Throughput Turnaround |
PartnerflowUserManager | Can maintain regular (non-admin) users via the User Management application. Can be the same user as the PartnerflowManager, or PartnerflowAdmin. | RF_Partnerflow_User_Manager | Documentation User Management |
PartnerflowConfigurator | IT or Master Data resource that can maintain configuration settings for the Partnerflow Solution. | RF_Partnerflow_Configurator | Documentation Config Cockpit |
PartnerflowAdmin | IT resource responsible for ensuring effective technical operations of the Partnerflow Solution. This person can alter any information about a specific workflow request (processor, context data, etc.), although this will always be logged. | RF_Partnerflow_Configurator | Documentation Admin Alerts Global Report User Management |
In addition to the standard Role Collections and Groups above, Partnerflow subscribers can and should also create their own Role Collections and Groups to represent users that can approve/process certain workflows.
For example:
Role Collection | Description | Groups | FLP Tiles |
---|---|---|---|
AP_Finance_US | Accounts Payable team in the US. | AP_Finance_US | Not needed if user is also assigned to group RF_Partnerflow_Internal |
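
Because Security Groups and Role Collections are many-to-many, an access review has to resolve each user's groups into effective Role Collections and record which group granted each one. The Python below is an added example, not part of the Redfig documentation or product; the user names, the user-to-group assignments, the `AP_Finance_EU` group, the second Role Collection mapped to `AP_Finance_US`, and the set of Role Collections treated as privileged are all assumptions.

```python
from collections import defaultdict

# Constructed sample data. Group and Role Collection names come from the tables
# on this page; the user assignments and the extra mapping for AP_Finance_US
# are assumptions made for this example.
GROUP_TO_ROLE_COLLECTIONS = {
    "RF_Partnerflow_Internal": {"PartnerflowInternal"},
    "RF_Partnerflow_Requestor": {"PartnerflowRequestor"},
    "RF_Partnerflow_Manager": {"PartnerflowManager"},
    "RF_Partnerflow_User_Manager": {"PartnerflowUserManager"},
    # Custom group mapped to two Role Collections (the M:M case).
    "AP_Finance_US": {"AP_Finance_US", "PartnerflowInternal"},
}
USER_GROUPS = {
    "alice": {"AP_Finance_US", "RF_Partnerflow_Requestor"},
    "bob": {"RF_Partnerflow_Manager", "RF_Partnerflow_User_Manager"},
    "carol": {"RF_Partnerflow_Internal", "AP_Finance_EU"},  # hypothetical, unmapped
}
# Assumption: Role Collections this review treats as high-privilege.
PRIVILEGED = {"PartnerflowManager", "PartnerflowUserManager",
              "PartnerflowConfigurator", "PartnerflowAdmin"}


def resolve(groups, mapping=GROUP_TO_ROLE_COLLECTIONS):
    """Return ({role_collection: granting_groups}, unmapped_groups) for one user."""
    granted, unmapped = defaultdict(set), set()
    for group in groups:
        if group not in mapping:
            unmapped.add(group)  # in this model the group grants nothing
            continue
        for rc in mapping[group]:
            granted[rc].add(group)
    return dict(granted), unmapped


def access_review(user_groups=USER_GROUPS):
    """Per user: effective and privileged Role Collections, plus unmapped groups."""
    report = {}
    for user, groups in sorted(user_groups.items()):
        granted, unmapped = resolve(groups)
        privileged = {rc: sorted(g) for rc, g in granted.items() if rc in PRIVILEGED}
        report[user] = {"effective": sorted(granted), "privileged": privileged,
                        "unmapped_groups": sorted(unmapped)}
    return report


if __name__ == "__main__":
    for user, row in access_review().items():
        print(user, row)
```

Recording the granting groups matters once mappings stop being 1:1: removing a user from one group does not revoke a Role Collection that another of their groups also grants.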