SAP Commissions – Implementing Authorization With User Roles (RBAC)


This article goes through the best practice of authentication flow to identify who the user is and then goes through authorization flows if the user has permission for the roles assigned at a Group level.

In this blog, we are also covering Top-Down User Sync Best Practice as well when users are assigned with appropriate group from your HR System or IDM and syncs to different SAP Applications for authorization.

What Is RBAC ?

Role-based access control (RBAC) is a security approach that uses roles to define what a user is and isn’t allowed to do. In an SAP Commissions application, users are assigned roles with varying permissions for different resources, including workflow, territory & quote, and embedded analytic applications

So, when a user tries to access a application, the system will first find the roles associated with the user and then check if any of the roles have the appropriate permission. If so, the user is allowed to access the application. If not, the user is denied access

Let’s see the High Level Understanding flow


What Is Authorization?

Authorization is about answering the question, “Is this user allowed to do a certain operation?”. This is different from Authentication, in which we answer the question, “Which user is this request coming from?”

Both are essential to most applications, and as such, we first go through authentication flows to identify who the user is. Then we go through authorization flows in which we decide if the user has permission to do certain operations.

Example : SAP Identity Authentication Service(IAS) is maintaining all the users with groups which is received from Successfactors, Azure, Sailpoint, Workday or any other systems for users Authorization access while going through Authentication process.
Follow step by step to have RBAC Process in place for SAP Commissions Application


How to Assign Permissions to a particular Role ?

Go to User Administration > Select Roles > Expand Callidus Portal > Select Role to assign Permissions

Select anyone of the Role to see Permissions are added correctly according to the role defined.

How to Create a Group ?

Go to Groups and Click + and New Dialog box will be displayed

How to assign a role at a Group Level ?

From the previous step, you have created a Group, so you can select the Group and Click Add in Assigned Roles and pick the roles displayed in your dialog screen and assign it.

Another example for Administrator role to assign it to Group Level
Now, we can see Users are synced with appropriate User Groups which is as per your IDM or HR System according to the Authorization process.

Exact User Groups are matching from above step in both systems (from the Identity Management system maintained by your HR System or from Azure, Okta, SailPoint or any other systems)


Advantages of RBAC

  • Easy to understand: The structure of roles and permissions is very intuitive. It can be understood by new employees fairly quickly.
  • Easy changes: As the org structure changes, assigning new roles to employees automatically gives them all the right access – there is no extra coding required, and the change can be made via a dashboard in minutes.
  • Improving compliance: RBAC forces executives to think about and organize access control. This information can then be used by compliance officers during an audit.
  • Decrease risk of data breaches/leakage: Due to its ease of use, developers can easily implement the right access control policies in their APIs, reducing the chances of data leaks.

References

SAP Commissions – Must to know about IAS/IPS Process

Top-Down Documentation

KB Article for Bottom-up & Top-Down Approach (2999357)