In a typical SAP barcoding deployment there are many users and various roles. Each role defines the type of SAP barcoding transactions that users with that role can run. Roles are controlled through a user access profile. These user access profiles can be defined on a general level, (for example, shipping, receiving, production, etc.) or on an individual level for each transaction. The purpose of a user access profile is to ensure that users without the proper authorizations are not able to use any SAP barcoding transactions they are not supposed to.
In a corporate setting, these roles are normally defined using groups in active directory (or LDAP) and managed as part of the routine user account management performed by corporate IT. However, in situations where frequent changes are routinely required it can sometimes be beneficial to have the local barcode system administrator manage users and roles to avoid taking up the time (and goodwill) of the corporate IT group. In our experience, these changes are made faster, more accurately and more efficiently by the person best equipped to know why such changes are needed.
There are a number of situations where having to rely on the corporate IT group to maintain the SAP barcoding user access profiles this way can become problematic:
- If the list of users changes with relatively high frequency. For example, where contractors or temporary (either seasonal or high turnover) workers are frequently added and removed.
- If the access validity period is short or changes frequently. For example, in situations where users frequently need to be provided temporary or short-term access to certain barcoding transactions.
- If functional access is controlled by the physical location and users are frequently moved between locations. For example, if location data is stored in the user profile and users are frequently re-assigned to different locations their profiles must be changed each time they are moved.
The following options are designed to address these user access management challenges.
Option 1: Include User Access Profile Settings in the Employee Badge Barcode
The simplest method to address this challenge is to design the barcode on the employee badge to include user access profile information, along with any static values unique to the employee (for example, plant, location, cost center, etc.). Each employee begins the process by scanning their badge. The employee access profile information is parsed out of the barcode, temporarily (and securely) stored by the system, and applied to all of the SAP barcoding transactions used by this employee until the employee logs off. The profile is validated as the employee attempts to access various SAP barcoding transactions during their session.
Using this approach, given that users must scan their badges in order to start using the system, the user access privileges are effectively locked-down by the profile data stored in their badge. Whenever a profile change is required, the user simply needs to receive a new barcode, apply it to their badge and they are ready to go.
This approach works well when the number of users is relatively constant but profile changes are required frequently. Corporate IT creates a new user account when a new employee joins the company, as they would normally do, but setup of the user access profile and any subsequent changes to the profile are provided by the SAP barcode system administrator at the plant location. The local administrator simply generates and prints the appropriate barcode label and puts it on the employee badge whenever a change is needed.
Option 2: Lookup the User Access Profile in SQL
A slightly more sophisticated approach to address this challenge is to store the access profile in a SQL environment, (for example, in a Time Management System or some other custom SQL tables). Each employee will begin the process by scanning their badge. The employee badge scan is used to lookup their access profile from the SQL table, which is read, stored and used by the barcode solution for all of the transactions used by this employee until the employee logs off. Profiles are validated individually, by transaction, as the employee attempts to access various SAP barcoding transactions during their session.
A special menu option is provided to allow certain employees, with supervisory roles, to edit each employee’s access profile, or to add new employees along with their profile assignment. This data is then updated in the SQL environment accordingly.
Using this approach, a user with a supervisory role can make changes dynamically to the profiles of any new or existing user; or add new users to the profile list. However, the downside to this approach is that an external source (i.e. a SQL database) must exist to store the user profile data.
This approach works well when the number of users changes quite frequently as contract or temporary workers are added and removed from the system. The ability for the local barcode system administrator to add new users and modify their access profile removes a huge burden from the corporate IT group and ensures that temporary workers are able to be productive almost immediately.
The successful deployment of a SAP barcoding system depends not just on the functionality of the delivered barcoding transactions but also on the flexibility of the overall system. Ongoing maintenance of user access profiles can sometimes become an unanticipated burden for the corporate IT group and a source of frustration for the users who need to wait for changes to be made on their behalf. Passing control of this function back to the local barcode system administrator can be a critical success factor in some SAP barcoding deployments.
Click on the above PDF image to download this NLINK ADC to SAP Solution Case Study in PDF format.