HR STRUCTURAL AUTHORIZATIONS

by Ken Bowers SAIC

Structural Authorization Defined

HR Structural Authorization permit access to personnel data based on the users position or span of authority within the organizational structure.

Structural Authorization

General Authorization

Org, PD, TEM, Quals

Personnel Admin

TC: OOSB

TC: PFCG

Structural Authorization High Level Process

Configuration & Switch Settings Create Structural Authorization Profile Link Structural Authorization Profile to User Id

Evaluation Path

Determine Root Org Unit

STRUCTURAL AUTHORIZATIONS PROCESS FLOWCHART

PA/PD Integration Turned On (POLGI/ORGA)

Evaluation Paths Maintained (T778A/ V_T77AW))

Dynamically assign Root Org Unit (Function Module)

Manually assign Root Org Unit

Organizational Structure (Org Unit/Position)

Structural Authorization Activated via (TC: OOAC or T77S0)

Structural Authorization Waiting Period (TC: OOAC or T77S0)

Organizational Structure Developed

Structural Authorization Profiles Developed (TC: OOSP or T77PR)

Dynamically

Structural Auth Profiles Linked PD Object (IT1017)

SAP User ID linked to PA via IT0105 Record

Employee Record assigned IT0001

SAP Program RHPROFLO Executed

Manually

SAP User ID linked Structural Auth. Profile (TC: OOSB or T77UA

Execute Reports to Optimize Performance

User Access Restricted Based on Org Structure

PA/PD Integration Active

Structural Authorizations Activated

Change from 0 to 1 4.6 and below

Refer to OSS Note 339367 refers to OSS Note 363083 Maintenance of the switch AUTH_SW P_ORGPD to import 4.7 functionality

TC: OOAC T77S0

Structural Authorizations Activated

4.7

Activation Options
Value 1: Org Unit Checked No Authorization. Value 2: Org Unit Not Checked No Authorization. Value 3: Org Unit Checked Authorization Value 4: Org Unit Not Checked Authorization

Structural Authorizations Waiting Period

Create Organizational Structure

Transaction code PPOME Create organizational units (object type O) Create jobs (object type C) Create positions (object type S) Assign chief positions especially if the relationship A012 is being used in function modules

Create Organizational Structure

Create Personnel Master Records

All personnel require personnel number Create IT0105, subtype 0001 record for all EEs linking SAP user id to personnel number which is linked to the org structure All personnel require IT0001 record

Create Personnel Master Records

IT0105
IT0001

Evaluation Paths
Use SAP standard evaluation paths SAP standard function modules read delivered evaluation paths Create customer defined evaluation paths Customer defined function modules specify customer defined evaluation paths

Evaluation Paths
T778A

V_T77AW

Create Structural Authorization Profiles

Transaction code OOSP or T77PR Screen # 1
Profile: Enter profile name and description Save Structural Authorization Profile

Assign Root Org Unit Option 1: Dynamically.

Function Module: RH_GET_MANAGER_ASSIGNMENT determines the root organizational unit to which the user is assigned as Manager via the A012 chief relationship. Assign function module in T77PR In field PFUNC

Screen # 2 T77PR
When Function Module is being used, leave Object ID field Blank

RH_GET_MANAGER_ASSIGNMENT: Determines the root org unit object to which the user is assigned as Manager via the A012 chief relationship. (Supervisor)

 Screen # 2 (Continued)
Auth Profile: Select profile for pop-up box No.: Enter Line/Sequence/Interval numbers 5, 10, 15 etc. Plan version: Enter active plan. Ex. 01 Object type: Enter object type end user will be authorized to change or display (O Org Unit, S Position, C Job, P- person, and any customer defined objects) Object ID: If assign root org unit is being used, enter org unit id value. If you are using function modules to dynamically determine the root org unit, leave this field blank Maintenance: If checked, maintain authorization is granted for object type, if uncheck, only display authorization granted. Evaluation Path: Enter evaluation path defined inT77UA

 Screen # 2 (Continued)
Status vector: Planning status authorization
1 Active 2 Planned 3 Submitted 4 Approved 5 Rejected To grant access to Active and Planned status(s) enter 12

Depth: Enter the number of levels from the root org unit of the org structure. Sign: Process structural authorization top down (+) or bottom-up (-)

 Screen # 2 (Continued)
Time period: Restrict access based on the validity period of the org structure.
D Current Day M Current Month Y Current Year P Past F Future

Function module:
Leave this field blank if root org unit is defined in field Object id Determine the root org unit using SAP standard or Customer defined function modules

 Screen # 2 (Continued)
Add multiple rows in this table for all PD objects the structural authorizations are permitting to change and/or display

Assign Root Org Unit Option 2: Dynamically.

Function Module: RH_GET_ORG_ASSIGNMENT determines the root organizational unit to which the user is organizationally assigned. Assign function module in T77PR In field PFUNC

Screen # 2 T77PR

A customer defined Function Module may be used

RH_GET_ORG_ASSIGNMENT

Determines the root organizational unit to which the user is organizationally assigned.

Assign Root Org Unit Option 3: Dynamically.

Customer Defined Function Module: Copy and modify SAP standard function modules to specify customer defined evaluation paths Assign function module in T77PR In field PFUNC

Assign Root Org Unit Option 4: Manually

Function Module not used. Manual assignment of root organizational unit Define root organizational unit in T77PR In field OBJID

Screen # 2 T77PR

When Object ID is being used, leave Function Module field Blank

Structural Authorization Profile Completed

Link User ID to Structural Authorization Option # 1

Assign Structural Authorization to PD Object

Restrict user access based on PD objects. Assign structural authorization defined in transaction code OOSP or T77PR by creating an IT1017 to a PD object. Example: Create IT1017 to org unit or position depending on your requirements This is linking the structural authorization to the organizational structure. IT1017 is required if you are going to dynamically populate T77UA by linking user id to structural authorization profile.

Assign IT1017 to Position

Execute transaction code PP01 > Create PD Profiles > Assign Structural Authorization Profile

Link User ID to Structural Authorization

Execute SAP Program RHPROFL0 on a nightly or emergency basis. Report dynamically links the user id (IT0105, Subtype 0001) to the designated structural authorization profile in T77UA based on the assignment of IT1017 to PD objects.

RHPROFL0 program report output

T77UA auto populated by the RHPROFL0 program

Link User ID to Structural Authorization Option # 2

Can be assigned manually IT1017 is not necessary Transaction code OOSB or T77UA Ensure customizing of the table in permitted in Production client This method is no recommended. Can be very labor intensive

Manually Link User ID to Structural Authorization

Execute transaction code OOSB > Click on New Entries > Enter user id, corresponding structural authorization profile, enter start date, enter end date and click on the save icon.

Optimize Structural Authorization Performance

Manually enter user ids in T77UU User Table for Batch Input. Stores user id in SAP memory (T77UU). Not recommended. Dynamically add/remove user ids in T77UU executing program RHBAUS02 based on the number of objects. Execute nightly program RHBAUS00 to regenerate indexes saved in table INDX. Indexes regenerated and saved in table INDX ODD note 836478 dated 4/21/05: Display Index Report: RHAUTH_VIEW_INDX

Congratulations !
You have completed the configuration of structural authorizations. Do not know of any method to trace structural authorizations Test, test user ids for both structural authorizations and PA/PD authorization assigned to roles in TC: SU01.

Customer Defined Structural Authorizations

Use BADl: HRBAS00_STRUAUTH Customer defined logic for Structural Authorization Use BADI: HRPAD00AUTH_CHECK, which allows the customer to input their own coding into this customer exit for HR Master Data.
Example: Restrict authorizations based on Business Area, Plant, etc.

Reporting Considerations
Customer Defined Reports: Use HR Macros in your custom program to engage structural authorizations from the LDB. If LDB is not being accessed, need to code structural authorizations in program SAP Standard Reports: There may be some circumstances you do not want structural authorizations checked. Copy standard reports and remove authorization checks.

Lessons Learned
Keep in mind, users with new structural authorizations will not be effective until next day if RHPROFLO is ran nightly. Remember to assign Authorization Groups to customer defined z-tables in order to maintain in Production client. Assign all end users structural authorizations.

WHATS NEW IN 4.7

Transaction code SU53: Reasons for failed Structural authorizations are displayed

Context Structural Authorizations

Context Structural Authorizations

Context Structural Authorizations

Context Structural Authorizations

Context Structural Authorizations

Questions ?

Contact Information kenneth.p.bowers.jr@saic.com 864-940-7282