
HR Authorization

What We'll Cover

Overview of Standard authorizations


Introduction to structural authorizations
Designing structural profiles
Identifying context conflicts in HR security
Understanding how context authorizations work
Changing over to context-based HR security

Quick Review of Standard R/3 Security
To access business objects or execute SAP
transactions, a user requires authorizations
Authorizations are combined in authorization
profiles
Authorization profiles are then associated to roles
Roles are assigned to users and/or positions so that
users can access the appropriate transactions and
objects for their daily tasks

Standard R/3 Security:


General authorizations include the authorizations that are
particularly important for Personnel Administration and
that control access to HR data, which must be strictly
controlled due to the sensitive nature of personnel data.

Authorization Objects
Authorization objects enable complex checks of an
authorization, which allows a user to carry out an action.
An authorization object groups up to ten authorization fields
that are checked in an AND relationship.

P_ORGIN
P_PERNR

The Authorization Main Switches

The authorization main switches are stored in table T77S0 under the
group name AUTSW (transaction OOAC).

Standard R/3 Security:

Essential HR Authorization Objects (cont.)
P_PERNR (user's own HR master data check)
Defines what HR master data (in the PA module) users can access
about themselves, as well as the level of access (read, write, etc.)

PLOG (personnel planning check)
Defines what objects within Organizational Management (OM),
Training and Event Management (PE), and Personnel
Development (PA-PD) modules a user can access (e.g., infotype,
plan version, object type, etc.)

P_HAP_DOC (appraisal documents)
Defines access to appraisal documents (e.g., appraisal template ID,
level of access, etc.)
Specific to the new Performance Management functionality
(Objective Setting and Appraisals [OSA])

P_ORGINCON (Context-sensitive HR master data check)
- Same as P_ORGIN above, but can be used in conjunction with structural authorization

Standard R/3 Security:

Essential HR Authorization Objects
P_ORGIN (HR master data check)

Defines what HR master data (in the Personnel Administration [PA] module) users can access (infotype, personnel area, employee group, subgroup) as well as the level of access (read, write, etc.)

S_TCODE and P_TCODE (Transaction checks)
- Define which transactions users can start
- P_TCODE is specific to HR (provides an additional level of security)
Authorization object P_TCODE enables you to check whether a user is authorized to start the different HR transactions.
This authorization object covers the HR transaction codes that have no authorization object of their own.

P_PCLX (HR: Clusters)
Area identifiers for clusters (T52RELID values) and authorization level (R, U, S)

Standard R/3 Security:

Essential HR Authorization Objects
HR: Master Data - Customer-Specific Object

Standard and Structural Authorization Together

Structural authorization does not replace standard authorization, but instead works in conjunction with it
The intersection of a user's structural and standard authorization profiles determines their overall security access

Structural Authorizations Overview
Structural authorizations are used to grant access to view
information for personnel where HR has been implemented.
Access is granted to a user implicitly by the users position on
the organizational plan. Structural authorizations are not
integrated into the standard authorization concept and
structural authorization profiles are not the same as standard
authorization profiles.

Example
A manager can typically view or maintain information on
employees in her organizational unit but not employees in
other organizational units. When an employee moves from one
unit to another, his previous manager will no longer be able to
view or maintain information about that employee. Similarly, if a
manager moves from one unit to another, she will be able to
see the employees in her new unit.

Introduction to Structural Authorization
Structural authorizations provide a level of security
specific to SAP HR, and are based on hierarchical
structures in addition to the standard authorization
concept
Structural authorization controls access to HR data
based on objects and/or attributes that are stored in
structures (e.g., organizational structures, business
event hierarchies, and the qualifications catalog)
Sample Org. Structure (figure not reproduced)

Sample Qualifications Catalog (figure not reproduced)

The Structure Part of Structural Authorization

To manage the authorizations effectively, the central elements of this data model are used: objects, relationships, and evaluation paths.
The combination of root object and evaluation path
returns an object hierarchy
The check is dynamic in nature: The objects that a
structural profile returns change as the structure
changes
Examples include:
Organizational unit changes like RIFs and
reorganizations
Employee movement like transfers and position
changes

Common Uses for Structural Authorization

Decentralized Human Resources
HR Generalists specific to a client group
Should see only those in their client group, and not HR

Dual-role positions (i.e., context challenges)
Example: Payroll managers need access to an area of the organization for research purposes, but they are chief managers themselves

Business Warehouse Integration
Standard extractors can bring structural authorizations to your BW system
Full refresh of roles on a customer-selected frequency

Implement Structural Authorizations
A structural profile is built from one or more authorization profile entries; together they form one overall structural profile
Step 1 - Turn on the PD-PA Switch
Go to OOPS: set PLOGI ORGA to X

No other values need to be checked or changed.

The PD and PA submodules of HR are not configured to share data by default in the SAP-delivered system. This switch must be on for data to flow between both modules.

Implement Structural Authorizations
Step 2 - Turn on Structural Authorization Main Switches
Go to OOAC
Maintain the main authorization switches in HR as per the screen below (screen not reproduced)

Step 3 - Create Organizational Plan
Step 4 - Create Personnel Master Record
Step 5 - Create User IDs
Step 6 - Create Infotype 105

Implement Structural Authorizations
Step 7 - Create Structural Authorization Profiles
Field: Value
Profile: Authorization profile (should start with Z)
No.: Choose an interval, e.g. 10
Plan vers.: Select a plan version, probably 01
Obj. type: In this case we are securing by org unit. Enter O
Object ID: In this case we are securing by org unit, so enter the org unit number
Maintenance: Check this on
Eval. path: Defines how objects and relationships should navigate through the organizational structure (e.g., O-S-P)
Status vec: Controls which planning statuses (active, planned, etc.) are available. Active = 1, Planned = 2, etc.
Depth: Defines how many levels of the structure a user can access
Sign: Determines which direction to use: - for up, blank for down
Period: Restricts authorization based on validity period (e.g., today, future, no restriction, etc.)
Function module: Dynamically determines the root object for the user. Possible entries:
RH_GET_MANAGER_ASSIGNMENT (Determine organizational units for manager) - finds the root organizational unit with which the user is related via the position and relationship A012 (manages).
RH_GET_ORG_ASSIGNMENT (Organizational assignment) - finds the root organizational
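How the fields above, together with the "root object + evaluation path" idea from the Structure Part slide, turn into a set of objects: the following is an added example, not part of the original presentation and not SAP code. It models a small, constructed org plan in Python, walks the O-S-P evaluation path with the Depth and Sign fields, and uses a manager-root lookup that stands in for RH_GET_MANAGER_ASSIGNMENT. Relationship codes B002, B003, A008 and A012 are used in their standard Organizational Management sense as assumed here; the traversal is a simplification of SAP's evaluation-path processing, so it illustrates the concept (the result set is re-evaluated as the structure changes) rather than the kernel's actual check.

```python
from collections import deque

# Constructed org plan: (source object, relationship, target object).
# Objects are "TYPE:ID" strings; O = org unit, S = position, P = person.
# Relationship codes as used in standard OM (assumption for this model):
#   B002 O->O is line supervisor of    B003 O->S incorporates
#   A008 S->P holder                   A012 S->O manages
RELATIONS = {
    ("O:1000", "B002", "O:1100"), ("O:1000", "B002", "O:1200"),
    ("O:1000", "B003", "S:5000"),
    ("O:1100", "B003", "S:5100"), ("O:1100", "B003", "S:5101"),
    ("O:1200", "B003", "S:5200"),
    ("S:5000", "A008", "P:10"), ("S:5100", "A008", "P:11"),
    ("S:5101", "A008", "P:12"), ("S:5200", "A008", "P:13"),
    ("S:5000", "A012", "O:1000"), ("S:5100", "A012", "O:1100"),
}

# Evaluation path O-S-P as (source type, relationship, target type) steps.
EVAL_PATH_O_S_P = [("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "P")]


def obj_type(obj):
    return obj.split(":", 1)[0]


def objects_from(relations, root, eval_path, depth=0, sign=""):
    """Objects reachable from `root` along `eval_path` (the profile's result set).

    depth: number of relationship hops followed below the root; 0 = unlimited
    (a simplification of the profile's Depth field).
    sign: "" walks relationships in their stored direction (down the structure),
    "-" walks them backwards (up the structure), like the profile's Sign field.
    """
    allowed = set(eval_path)
    result, queue = {root}, deque([(root, 0)])
    while queue:
        cur, level = queue.popleft()
        if depth and level >= depth:
            continue
        for src, rel, tgt in relations:
            step = (obj_type(src), rel, obj_type(tgt))  # checked before inversion
            if sign == "-":
                src, tgt = tgt, src
            if src == cur and step in allowed and tgt not in result:
                result.add(tgt)
                queue.append((tgt, level + 1))
    return result


def manager_root(relations, person):
    """Stand-in for RH_GET_MANAGER_ASSIGNMENT: org units managed (A012) by a
    position the person holds (A008). Empty set for non-managers."""
    positions = {s for s, rel, p in relations if rel == "A008" and p == person}
    return {o for s, rel, o in relations if rel == "A012" and s in positions}


def resolve_profile(relations, person, profile):
    """Evaluate one structural profile entry for `person`.

    `profile` mirrors the slide's fields: a fixed "root" object, or
    "root_from": "manager" for the function-module style dynamic root,
    plus "eval_path", "depth" and "sign".
    """
    if profile.get("root_from") == "manager":
        roots = manager_root(relations, person)
    else:
        roots = {profile["root"]}
    result = set()
    for root in roots:
        result |= objects_from(relations, root, profile["eval_path"],
                               profile.get("depth", 0), profile.get("sign", ""))
    return result


def transfer(relations, person, new_position):
    """Copy of the plan with `person` moved to `new_position`
    (old holder relationship removed, new one added)."""
    moved = {t for t in relations if not (t[1] == "A008" and t[2] == person)}
    moved.add((new_position, "A008", person))
    return moved


MANAGER_PROFILE = {"root_from": "manager", "eval_path": EVAL_PATH_O_S_P}

if __name__ == "__main__":
    before = resolve_profile(RELATIONS, "P:11", MANAGER_PROFILE)
    after = resolve_profile(transfer(RELATIONS, "P:12", "S:5200"), "P:11", MANAGER_PROFILE)
    print("manager P:11 sees:", sorted(before))
    print("after P:12 transfers out:", sorted(after))
```

The transfer at the end is the point of the "dynamic" remark: nothing in the profile changes, yet P:12 disappears from manager P:11's result set as soon as the holder relationship moves to a position under another org unit.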

Implement Structural Authorizations
Step 8 - Create Infotype 1017
Go to PO10 (Organizational Unit) or PO13 (Position)
Select Unit
Option PD Profile
This links the structural authorization profile to a node on the organizational plan.
Step 9 - Assign Structural Authorization Profiles to User IDs
1. Use report RHPROFL0 to automatically assign the appropriate structural authorization profile to each User ID. This program will update the table in transaction OOSB.
2. This report assigns a structural authorization profile to the user ID based on the Organizational Plan.
3. This report should be run daily to update the authorizations of users based on changes made in the Organizational Plan
4. Ensure that Infotype 1017 has been populated for all relevant nodes on the Organizational Plan

Implement Structural Authorizations
Step 10 - Set Up Regular Security
Go to PFCG: create a regular security role and assign it to the User ID
Create a role that gives access to regular HR transactions for all employees, e.g. CAT2 (Time Entry), PA20, PR20 (Enter Expenses)
Create a role that gives access to manager HR transactions, e.g. CADO (Time Approval), PPMDT (Manager's Desktop), PR05 (Approve Expenses)

Assigning Authorizations to Organizational Objects
Report RHPROFL0 - Structural authorizations
should be assigned or revoked automatically when a
position staffing change takes place.

A Quick Review

Standard Authorization vs. Structural Authorizations
Standard HR authorizations define which transactions,
infotypes, and subtypes the user can maintain and/or
display
Standard HR authorization = WHAT the user can do
The structural authorization will grant access to personnel
data for employees within a specific area of the organization
Structural authorization = WHO the user has access to

What's New?
A link between a standard HR authorization, which
defines the infotypes and subtypes the user can maintain
and/or display, and a structural authorization, which
defines a group of employees within a specific area of
the organization, is established
Standard HR authorizations can be linked to different
structural authorizations, thereby granting distinct
infotype access to separate groups of employees
Multiple combinations of standard and structural
authorizations can be defined within a single user role,
thereby eliminating the need for users to have more than
one user ID to avoid context conflicts

Introduction: Context-sensitive security solution
As decentralized data management expands within
companies, users are requiring access to separate sets of
HCM information for different groups of personnel
Until the release of R/3 Enterprise, multiple user IDs
would be required to avoid a context conflict and meet
these requirements
The context-sensitive security solution simplifies the HR
user roles and meets these requirements by
incorporating the user roles into a single user ID

What Is a Context Conflict?
Occurs when a user:
Performs more than one job function as part of their regular work
Has two or more distinct roles that require different infotype access to separate groups of employees

The user's standard HR authorizations list all the infotypes that the user can access
Authorizations may be contained in multiple roles

The user's structural authorizations outline which personnel the user can access
Different groups of personnel may be defined in separate structural profiles
Issue - When the user's access is evaluated, the user can access all infotypes for all groups of personnel defined in the structural profiles. Structural authorizations cannot discern that certain access should only be granted to one group and not to another.

Examples of Context Conflicts
The Customer Service Manager is required to approve time for his/her employees in the department. As Customer Service Manager, he/she also needs to be able to search for anyone in the company with a particular qualification.
P_ORGIN authorizations are defined, giving maintenance access to time infotypes
A structural profile is defined, giving him/her access to everyone under the org unit he/she manages
P_ORGIN authorizations are defined in a second role allowing display access to name, organizational assignment, and contact details of employees
A second structural profile grants access to all employees that have qualifications or skills data
Context conflict
The manager can approve time data for all employees with qualifications, not just those reporting to him/her in the org unit
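The conflict in this example, modelled as an added illustration that is not part of the original slides and not SAP code. Persons, infotype numbers and profile names are constructed, and authorization levels are reduced to W (maintain) and R (display). The non-context evaluation takes the user's infotype grants and the union of every structural profile assigned to the user independently, so a grant from one role pairs with persons from the other role's profile; the context evaluation keeps each grant tied to the profile named in its Authorization Profile field. The `excess_access` function lists exactly the combinations the non-context setup hands out that the context setup does not, which is the "excess user access" a security review looks for when identifying context conflicts.

```python
# Personnel returned by each structural profile (constructed result sets; in
# SAP these come from evaluating the profile against the org plan).
STRUCTURAL_PROFILES = {
    "Z_CS_ORGUNIT": {"P:11", "P:12"},              # staff of the unit the manager leads
    "Z_ALL_QUALIFIED": {"P:12", "P:13", "P:14"},   # everyone with qualifications data
}

# Role 1 and role 2 as P_ORGIN-style grants: (infotypes, authorization level).
# 2001/2002 stand for the time infotypes; 0001/0002/0105 for organizational
# assignment, personal data and communication (name, assignment, contact details).
P_ORGIN_GRANTS = [
    ({"2001", "2002"}, "W"),
    ({"0001", "0002", "0105"}, "R"),
]

# The same grants as P_ORGINCON-style entries carrying the Authorization Profile field.
P_ORGINCON_GRANTS = [
    ({"2001", "2002"}, "W", "Z_CS_ORGUNIT"),
    ({"0001", "0002", "0105"}, "R", "Z_ALL_QUALIFIED"),
]


def effective_non_context(grants, user_profiles, profiles=STRUCTURAL_PROFILES):
    """Standard + structural without context: every infotype grant applies to the
    union of persons from all structural profiles assigned to the user (OOSB)."""
    persons = set().union(*(profiles[p] for p in user_profiles))
    return {(person, infotype, level)
            for infotypes, level in grants
            for infotype in infotypes
            for person in persons}


def effective_context(grants, profiles=STRUCTURAL_PROFILES):
    """P_ORGINCON-style: each grant reaches only the persons returned by the
    structural profile named in that grant."""
    return {(person, infotype, level)
            for infotypes, level, profile in grants
            for infotype in infotypes
            for person in profiles[profile]}


def can(access, person, infotype, level):
    """Is (person, infotype, level) inside the effective access set?"""
    return (person, infotype, level) in access


def excess_access(grants_non_context, user_profiles, grants_context):
    """Combinations the non-context setup grants and the context setup does not:
    the excess access that signals a context conflict."""
    return sorted(effective_non_context(grants_non_context, user_profiles)
                  - effective_context(grants_context))


if __name__ == "__main__":
    assigned = ["Z_CS_ORGUNIT", "Z_ALL_QUALIFIED"]
    nc = effective_non_context(P_ORGIN_GRANTS, assigned)
    ctx = effective_context(P_ORGINCON_GRANTS)
    print("non-context: maintain time for P:13?", can(nc, "P:13", "2001", "W"))
    print("context:     maintain time for P:13?", can(ctx, "P:13", "2001", "W"))
    for person, infotype, level in excess_access(P_ORGIN_GRANTS, assigned, P_ORGINCON_GRANTS):
        print("excess:", person, infotype, level)
```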

Solving Context Conflicts
Implement the context-sensitive solution
Context-sensitive authorizations link the relevant
infotype access and the structural authorizations
Users access the necessary HCM data for the applicable
groups of personnel
The context-sensitive authorization objects are:
HR: Master Data with Context (P_ORGINCON)
HR: Master Data Extended Check with Context
(P_ORGXXCON)
Personnel Planning with Context (PLOG_CON)
HR: Customer-Specific Authorization Check with Context

Context-Sensitive Authorization Objects
P_ORGINCON HR: Master Data with Context
P_ORGIN with the additional field, Authorization Profile
Authorization Profile = link to structural authorizations
Must activate the INCON authorization switch and deactivate the ORGIN authorization switch

P_ORGXXCON HR: Master Data Extended Check with Context
P_ORGXX with the additional field, Authorization Profile
Authorization Profile = link to structural authorizations
Must activate the XXCON authorization switch and deactivate the ORGXX authorization switch

PLOG_CON Personnel Planning with Context
PLOG with the additional field, Authorization Profile
Authorization Profile = link to structural authorizations
No authorization switches to activate or deactivate

Context-Sensitive Authorization Objects (Cont.)
HR: Customer-Specific Authorization Check with Context
Customer-Specific Authorization Check with the additional field, Authorization Profile
Authorization Profile = link to structural authorizations
Must activate the NNCON authorization switch and deactivate the NNNNN authorization switch
Fields comprising the Customer-Specific Authorization
Check:
Authorization Level, Infotype and Subtype mandatory
Any other fields from IT 0001 Organizational Assignment,
including custom fields
Transaction code (TCD) optional
Infotype-subtype combination field (INFSU) optional

Setting the Authorization Switches
In the Implementation Guide (IMG) or transaction OOAC
IMG path:

Setting the Authorization Switches (cont.)
Activate the context-based authorization switch you wish to utilize and deactivate the original non-context switch

1 = Active; 0 = Inactive

SAP Recommended Settings of Authorization Switches
Implement the context solution for all authorization objects
All context switches are on, all non-context are off
Structural authorizations switch off

INCON on, ORGIN off, ORGPD off
XXCON on, ORGXX off
NNCON on, NNNNN off

Structural authorizations are still defined, but are invoked through context-sensitive authorizations and not used independently

SAP Recommended Settings of Authorization Switches (Cont.)
Implement a combination of context-authorization objects and non-context authorization objects
For example, ORGINCON and ORGXX
Structural authorizations switch on

INCON on, ORGIN off, ORGPD on
XXCON off, ORGXX on
NNCON off/on, NNNNN off/on

Structural authorizations are defined and invoked through context-sensitive authorizations or used independently

The Authorization Main Switches
A combination of context-authorization objects and non-context authorization objects is most typical
Master data with context will satisfy most companies' requirements
If you do not utilize the Administrator fields in IT 0001, Organizational Assignment, to restrict user access, both ORGXX and XXCON should be switched off
If you do not require custom authorization objects, both NNNNN and NNCON should be switched off
No switches need to be activated or deactivated to make use of context-sensitive Personnel Planning authorizations; just define PLOG_CON authorizations instead of PLOG
Since structural authorizations are invoked through context-sensitive authorizations, such as P_ORGINCON and PLOG_CON, the need to invoke them separately dwindles
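The switch rules from this slide and the two "SAP Recommended Settings" slides, written up as an added consistency check that is not part of the original presentation and not SAP code. `check_autsw` takes a hand-copied dict of AUTSW switch values from T77S0 (1 = active, 0 = inactive); the optional `objects_in_use` set is assumed to come from a role export and names the authorization objects that actually appear in roles, and `uses_admin_fields` states whether the IT 0001 Administrator fields are used for restriction. It flags a context switch left active alongside its non-context counterpart, ORGPD set against the all-context or mixed recommendation, a context switch activated before the matching context object exists in any role (the lock-out the Key Points slide warns about), ORGXX/XXCON active when the Administrator fields are unused, and a DFCON value outside 0-4. The two reference dicts are transcribed from the recommended-settings slides.

```python
# (context switch, the non-context switch it replaces, the context object that
# must exist in roles before the switch goes on; None for the customer-specific
# pair because that object's name is customer-defined)
CONTEXT_PAIRS = [
    ("INCON", "ORGIN", "P_ORGINCON"),
    ("XXCON", "ORGXX", "P_ORGXXCON"),
    ("NNCON", "NNNNN", None),
]

# Settings transcribed from the "SAP Recommended Settings" slides.
ALL_CONTEXT = {"INCON": 1, "ORGIN": 0, "ORGPD": 0, "XXCON": 1, "ORGXX": 0,
               "NNCON": 1, "NNNNN": 0, "DFCON": 1}
MIXED = {"INCON": 1, "ORGIN": 0, "ORGPD": 1, "XXCON": 0, "ORGXX": 1,
         "NNCON": 0, "NNNNN": 0, "DFCON": 1}


def check_autsw(switches, objects_in_use=frozenset(), uses_admin_fields=True):
    """Return a list of findings; an empty list means the switches follow the slide rules."""
    def on(name):
        return switches.get(name, 0) == 1

    findings = []
    for ctx, plain, ctx_obj in CONTEXT_PAIRS:
        # Rule: activate the context switch AND deactivate the non-context one.
        if on(ctx) and on(plain):
            findings.append(f"{ctx} and {plain} are both active; deactivate {plain}")
        # Rule: do not activate a context switch before the context object exists,
        # otherwise users lose all HCM master-data access.
        if on(ctx) and ctx_obj and ctx_obj not in objects_in_use:
            findings.append(f"{ctx} is active but no {ctx_obj} authorizations exist in roles; "
                            "users would be locked out of HCM master data")

    non_context_on = [plain for _, plain, _ in CONTEXT_PAIRS if on(plain)]
    # Mixed setup: structural authorizations must be switched on (ORGPD = 1)
    # for the non-context objects to be restricted by structural profiles.
    if non_context_on and not on("ORGPD"):
        findings.append(f"non-context objects active ({', '.join(non_context_on)}) but ORGPD is off; "
                        "structural profiles are not applied to them")
    # All-context setup: structural profiles are invoked through the context
    # objects, so ORGPD should be off.
    if not non_context_on and on("ORGPD"):
        findings.append("all master-data objects are context-based; ORGPD should be off")

    if not uses_admin_fields and (on("ORGXX") or on("XXCON")):
        findings.append("IT 0001 Administrator fields are not used; switch off both ORGXX and XXCON")

    if switches.get("DFCON", 0) not in range(5):
        findings.append(f"DFCON={switches.get('DFCON')!r} is not a valid value (0-4)")
    return findings


if __name__ == "__main__":
    for name, cfg, objs in [("all-context", ALL_CONTEXT, {"P_ORGINCON", "P_ORGXXCON"}),
                            ("mixed", MIXED, {"P_ORGINCON", "P_ORGXX"}),
                            ("premature", ALL_CONTEXT, {"P_ORGIN", "P_ORGXX"})]:
        print(name, "->", check_autsw(cfg, objs) or "consistent")
```

The "premature" case is the one worth running before any transport: the recommended switch values are correct in isolation, yet with only P_ORGIN and P_ORGXX in the roles the checker reports the lock-out for both master-data objects.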

Other Authorization Switches
DFCON HR: Default Position (Context)
Controls whether the user can access personnel data of an employee assigned to the default position (99999999), such as after termination
The Organizational Unit in IT 0001 may be factored in to determine whether the user can access the employee's records
Interpretation of the value is the same as for the ORGPD switch in a non-context-sensitive environment
Possible values for the switch are 0, 1, 2, 3, or 4
0 = Inactive/switched off
1 = Evaluate org unit. If user can access org unit but employee is
in default position, deny access.
2 = Do not evaluate org unit. If employee is in default position,
deny access.
3 = Evaluate org unit. If user can access org unit and employee is
in default position, grant access.
4 = Do not evaluate org unit. If employee is in default position,
grant access.

Other Authorization Switches
PERNR HR: Master Data Personnel Number Check
There is no context-sensitive switch for the Personnel Number Check, as this is extraneous
The P_PERNR authorization object has no context-sensitive equivalent
P_PERNR authorizations specify which infotypes of his/her own personnel information the user can access
Since P_PERNR targets a specific personnel number, applying a structural profile to this authorization would be meaningless

Converting to Context-Based Authorizations
Identify which standard HR authorizations need to be linked to the relevant structural profiles in order to resolve context conflicts
A good design document is invaluable
Helps to identify and analyze areas of overlap in authorizations
Saves time in the long run by eliminating redesigning on the fly
Enforces consistency in the design of HCM security roles
Ensures more stable and secure HCM authorizations

Copy all non-context authorizations to context authorizations or create newly-designed context authorizations
For example, copy P_ORGIN authorizations to P_ORGINCON authorizations with the addition of the structural authorization in the Authorization Profile field

Once the switch to context-based security is made, the old non-context authorizations will no longer be used
For example, the current P_ORGIN authorizations will not be used in user roles
Other non-context authorizations, such as P_PERNR, will still be referenced if the relevant switches are activated/on

Converting to Context-Based Authorizations (Cont.)
Examine structural authorizations to ensure that they adequately isolate groups of personnel
New structural authorizations and function modules may be required to dynamically determine personnel based upon the user's position in the organization
Existing structural profiles can be linked to context authorizations

Once the switch to context-based security is made, structural authorizations will still be referenced
If the ORGPD switch is off, you may not need to assign structural authorizations to user IDs in transaction OOSB

Tip 1: How to Assign Structural Authorizations
User-based
In table T77UU via transaction OOSB
Most maintenance-intensive

Tip 1: How to Assign Structural Authorizations (cont.)
Position-based
In Organizational Management via transaction PP01, using PD Profiles infotype 1017
Reduces maintenance as long as you practice good position maintenance procedures

Tip 1: How to Assign Structural Authorizations (cont.)
Via Business Add-In (BAdI) Enhancement
HRBAS00_GET_PROFL via SE19
Standard logic determines the user's structural profiles by reading the values in the user's P_ORGINCON authorization object

Tip 2: How to Mitigate Performance Issues
RHBAUS00 (structural profile indexing)
Report generates an index of users to structural profiles (for those users maintained in table T77UU)
Used heavily with the BW integration solution
IMG path (maintain this list of users here): Personnel Management > Organizational Management > Basic Settings > Authorization Management > Structural Authorization > Save User Data in SAP Memory

Tip 3: How to Utilize New HR Authorization Object P_ORGINCON
As of R/3 Enterprise 4.7, P_ORGINCON can replace P_ORGIN if desired
In table T77S0, update switches AUTSW/INCON to 1 and AUTSW/ORGIN to 0

P_ORGINCON (Context-sensitive HR master data check)
Defines what type and level of HR master data (in PA) a user can access given a certain organizational context
Structural profile is now a part of the authorization object
Case study: A payroll manager who has two roles
Payroll manager needing access to a specific part of the org as part of his/her normal job duties
Chief manager of his/her own organization

Key Points to Take Home

Structural authorization provides a robust way of utilizing SAP's advanced authorization concept
Structural authorization works in conjunction with standard R/3 authorizations
It is extremely important to maintain an accurate organizational structure, as
most structural authorization is based on personnel planning objects (e.g.,
positions, org units)
Structural authorization is not a requirement for implementing MSS
Consider performance concerns before deployment; mitigate by using
program RHBAUS00
Context-sensitive authorization is now available, as of 4.7 Enterprise
Activate BADI HRBAS00_GET_PROFL to eliminate duplication of assigning the
structural profiles to the user IDs
Identify context conflicts from excess user access or need for multiple user IDs
Select the right combination of context-sensitive and non-context
authorization switches to meet your needs
There is no switch for PLOG_CON Personnel Planning with Context
Set DFCON to deny or grant access to personnel in the default position, and
indicate whether the org unit is to be assessed
Invest in a good design document for stable and robust HCM data security and
to reduce implementation time
Do not activate context switches too soon in order to avoid locking out users
from all HCM data

Resources

Authorizations in SAP HR
Available on SAP's Help Web site: http://help.sap.com
Case Study: Build Your Organizational Structure to Support SAP's Manager's Self-Service
Danielle Larocca Signorile, HR Expert, Jan. 2006
http://www.hrexpertonline.com
Authorizations in Performance Management
Available on SAP Service Marketplace: http://service.sap.com (requires login credentials to the SAP Service Marketplace)
