Authorization Objects
Authorization objects enable complex checks of an
authorization, which allows a user to carry out an action.
An authorization object groups up to ten authorization fields
that are checked in an AND relationship (every field must match).
P_ORGIN
P_PERNR
The authorization main switches are stored in table T77S0 under the
group name AUTSW (transaction OOAC).
Structural Authorizations
Overview
Structural authorizations are used to grant access to view
information for personnel where HR has been implemented.
Access is granted to a user implicitly by the user's position on
the organizational plan. Structural authorizations are not
integrated into the standard authorization concept and
structural authorization profiles are not the same as standard
authorization profiles.
Example
A manager can typically view or maintain information on
employees in her organizational unit but not employees in
other organizational units. When an employee moves from one
unit to another, his previous manager will no longer be able to
view or maintain information about him. Similarly, if a
manager moves from one unit to another, she will be able to
see the employees in her new unit.
Introduction to Structural Authorization
Structural authorizations provide a level of security
specific to SAP HR, and are based on hierarchical
structures in addition to the standard authorization
concept.
Structural authorization controls access to HR data
based on objects and/or attributes that are stored in
structures (e.g., organizational structures, business
event hierarchies, and the qualifications catalog).
Sample Org. Structure (figure)
Sample Qualifications Catalog (figure)
Implement Structural Authorizations
A structural profile contains at least one authorization profile;
the sum of these combines into one overall structural profile.
Step 1 - Turn on PD PA Switch
Go to OOPS and set PLOGI ORGA to X
Step 2 - Turn on Structural Authorizations Main Switches
Go to OOAC and maintain the main authorization switches in HR as per the screen below
Step 3 - Create Organizational Plan
Step 4 - Create Personnel Master Record
Step 5 - Create User IDs
Step 6 - Create Infotype 105
Step 7 - Create Structural Authorization Profiles
Field - Value
Profile:
No.
Plan vers.
Obj. type
Object ID - In this case we are securing by Org unit, so enter the Org unit number
Maintenance - Check this on
Eval.path - Defines how objects and relationships should navigate through the organizational structure (e.g., O-S-P)
Status vec - Controls which planning statuses (active, planned, etc.) are available. Active = 1, Planned = 2, etc.
Depth
Sign
Period - Restricts authorization level based on validity period (e.g., today, future, no restriction, etc.)
Function module - Dynamically determines the root object for the user. Possible entries:
  RH_GET_MANAGER_ASSIGNMENT (Determine organizational units for manager) - finds the root organizational unit with which the user is related via the position and relationship A012 (manages).
  RH_GET_ORG_ASSIGNMENT (Organizational assignment) - finds the root organizational
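The following is an added example (not from the original slides or from SAP) that models how a structural profile's Eval.path, Depth and root-determining function module resolve to a set of personnel, and replays the manager/employee-move scenario from the Example above. The org plan, object IDs and the A012-based root lookup are constructed for illustration and simplify SAP's real evaluation-path processing.

```python
from collections import defaultdict
# Constructed relationship records, loosely modelled on HRP1001 rows:
# (object, relationship, related object); O = org unit, S = position, P = person.
# B002 = is line supervisor of, B003 = incorporates, A008 = holder, A012 = manages.
PLAN = [
    ("O:100", "B002", "O:110"), ("O:100", "B002", "O:120"),
    ("O:100", "B003", "S:1001"), ("O:110", "B003", "S:1101"),
    ("O:110", "B003", "S:1102"), ("O:120", "B003", "S:1201"),
    ("S:1001", "A008", "P:50001"), ("S:1101", "A008", "P:50002"),
    ("S:1102", "A008", "P:50003"), ("S:1201", "A008", "P:50004"),
    ("S:1101", "A012", "O:110"),   # position 1101 manages org unit 110
]
# Evaluation path O-S-P as (source type, relationship, target type) rules.
O_S_P = [("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "P")]

def index(plan):
    idx = defaultdict(list)          # (object, relationship) -> related objects
    for obj, rel, target in plan:
        idx[(obj, rel)].append(target)
    return idx

def manager_root(position, plan):
    """Root org unit for a manager: the unit the position manages via A012
    (the lookup RH_GET_MANAGER_ASSIGNMENT performs in SAP, simplified here)."""
    roots = index(plan).get((position, "A012"), [])
    return roots[0] if roots else None

def evaluate(root, path, plan, depth=0):
    """Objects reachable from root along the evaluation path; depth 0 = unlimited."""
    idx = index(plan)
    seen, frontier, level = {root}, [root], 0
    while frontier and (depth == 0 or level < depth):
        nxt = []
        for obj in frontier:
            for src, rel, _ in path:            # only rules whose source type matches
                if obj.startswith(src + ":"):
                    for tgt in idx.get((obj, rel), []):
                        if tgt not in seen:
                            seen.add(tgt)
                            nxt.append(tgt)
        frontier, level = nxt, level + 1
    return seen

def visible_persons(position, plan, path=O_S_P):
    """Personnel the holder of `position` can see as a manager (empty if not one)."""
    root = manager_root(position, plan)
    return set() if root is None else {o for o in evaluate(root, path, plan) if o[0] == "P"}

def move_person(plan, person, old_pos, new_pos):
    """Re-staff: drop the old holder relation and add the new one."""
    return [r for r in plan if r != (old_pos, "A008", person)] + [(new_pos, "A008", person)]
```

Running `visible_persons` before and after `move_person` shows the previous manager losing sight of the moved employee without any profile being edited, which is the maintenance advantage the slides attribute to position-based assignment.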
Step 8 - Create Infotype 1017
Go to PO10 (Organizational Unit) or PO13 (Position)
Select the unit
Choose the option PD Profile
This would link the structural authorization profile to a
node on the organizational plan.
Step 9 - Assign Structural Authorization Profiles to User IDs
1. Use report RHPROFL0 to automatically assign the
appropriate structural authorization profile to each User ID.
This program updates the table maintained in transaction OOSB.
2. This report assigns a structural authorization profile to the
user ID based on the Organizational Plan.
3. This report should be run daily to update the authorizations
of users based on changes made in the Organizational Plan.
4. Ensure that Infotype 1017 has been populated for all
relevant nodes on the Organizational Plan.
Step 10 - Setup Regular Security
Go to PFCG, create a regular security role, and assign it to the User ID.
Create a role that gives access to regular HR transactions
for all employees, e.g. Time Entry (CAT2), PA20, Enter
Expenses (PR20).
Create a role that gives access to manager HR transactions,
e.g. Time Approval (CADO), Manager's Desktop (PPMDT), Approve
Expenses (PR05).
Assigning Authorizations to Organizational Objects
Report RHPROFL0 - Structural authorizations
should be assigned or revoked automatically when a
position staffing change takes place.
A Quick Review: What's New?
A link between a standard HR authorization, which
defines the infotypes and subtypes the user can maintain
and/or display, and a structural authorization, which
defines a group of employees within a specific area of
the organization, is established.
Standard HR authorizations can be linked to different
structural authorizations, thereby granting distinct
infotype access to separate groups of employees.
Multiple combinations of standard and structural
authorizations can be defined within a single user role,
thereby eliminating the need for users to have more than
one user ID to avoid context conflicts.
Introduction: Context-sensitive Security Solution
As decentralized data management expands within
companies, users are requiring access to separate sets of
HCM information for different groups of personnel
Until the release of R/3 Enterprise, multiple user IDs
would be required to avoid a context conflict and meet
these requirements
The context-sensitive security solution simplifies the HR
user roles and meets these requirements by
incorporating the user roles into a single user ID
Examples of Context Conflicts
The Customer Service Manager is required to approve time for
his/her employees in the department. As Customer Service
Manager, he/she also needs to be able to search for anyone in the
company with a particular qualification.
P_ORGIN authorizations are defined, giving maintenance access to time
infotypes.
A structural profile is defined, giving him/her access to everyone under
the org unit he/she manages.
P_ORGIN authorizations are defined in a second role allowing display
access to name, organizational assignment, and contact details of all
employees.
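An added example (not part of the original slides) that models the Customer Service Manager's two roles as P_ORGINCON authorizations and contrasts them with a non-context P_ORGIN check. The profile names, personnel numbers and the reduced set of AUTHC values are constructed; the structural profiles are given already resolved to personnel numbers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OrginconAuth:
    """One P_ORGINCON authorization: P_ORGIN-style fields plus the profile link."""
    infty: frozenset    # INFTY: infotypes covered
    authc: frozenset    # AUTHC: authorization levels, constructed subset (R = read, W = write)
    profl: str          # PROFL: structural profile the authorization is linked to

# Constructed structural profiles, already resolved to personnel numbers.
PROFILES = {
    "CS_MANAGER": {"50002", "50003"},                        # the manager's own org unit
    "ALL_EMPLOYEES": {"50001", "50002", "50003", "50004"},   # the whole company
}

# Role 1: maintain time infotypes (2001, 2002) for the manager's team only.
ROLE_TIME_APPROVER = [OrginconAuth(frozenset({"2001", "2002"}), frozenset({"R", "W"}), "CS_MANAGER")]
# Role 2: display name, org assignment and contact details (0001, 0002, 0105) for everyone.
ROLE_DIRECTORY = [OrginconAuth(frozenset({"0001", "0002", "0105"}), frozenset({"R"}), "ALL_EMPLOYEES")]
USER_AUTHS = ROLE_TIME_APPROVER + ROLE_DIRECTORY   # both roles on a single user ID

def check_with_context(auths, pernr, infty, authc, profiles=PROFILES):
    """P_ORGINCON: every field of one authorization must match (AND), and the
    employee must lie inside the structural profile that same authorization names."""
    return any(
        infty in a.infty and authc in a.authc and pernr in profiles.get(a.profl, set())
        for a in auths
    )

def check_without_context(auths, pernr, infty, authc, profiles=PROFILES):
    """Non-context P_ORGIN: the user's structural profiles are merged into one set,
    so a field match from any role applies to every person the user can see at all."""
    merged = set().union(*(profiles.get(a.profl, set()) for a in auths))
    return pernr in merged and any(infty in a.infty and authc in a.authc for a in auths)
```

The last check in the test reproduces the context conflict: without the profile link, the company-wide display profile silently extends the time-maintenance fields to employees outside the manager's unit.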
Context-Sensitive Authorization Objects
P_ORGINCON HR: Master Data with Context
P_ORGIN with the additional field, Authorization Profile
Authorization Profile = link to structural authorizations
Must activate the INCON authorization switch and deactivate
the ORGIN authorization switch
Context-Sensitive Authorization Objects (Cont.)
HR: Customer-Specific Authorization Check with Context
Customer-Specific Authorization Check with the additional
field, Authorization Profile
Authorization Profile = link to structural authorizations
Must activate the NNCON authorization switch and
deactivate the NNNN authorization switch
Fields comprising the Customer-Specific Authorization
Check:
Authorization Level, Infotype and Subtype mandatory
Any other fields from IT 0001 Organizational Assignment,
including custom fields
Transaction code (TCD) optional
Infotype-subtype combination field (INFSU) optional
Switch values: 1 = Active; 0 = Inactive
SAP Recommended Settings of Authorization Switches
Implement the context solution for all authorization objects
All context switches are on, all non-context are off
Structural authorizations switch off
  INCON  on
  ORGIN  off
  ORGPD  off
  XXCON  on
  ORGXX  off
  NNCON  on
  NNNNN  off
SAP Recommended Settings of Authorization Switches (Cont.)
Implement a combination of context-authorization objects
and non-context authorization objects
For example, ORGINCON and ORGXX
Structural authorizations switch on
  INCON  on
  ORGIN  off
  ORGPD  on
  XXCON  off
  ORGXX  on
  NNCON  off/on
  NNNNN  off/on
Other Authorization Switches
DFCON HR: Default Position (Context)
Controls whether the user can access personnel data of an employee
assigned to the default position (99999999), such as after termination.
The Organizational Unit in IT 0001 may be factored in to determine
whether the user can access the employee's records.
Interpretation of the value is the same as for the ORGPD switch in a non-context-sensitive environment.
Possible values for the switch are 0, 1, 2, 3, or 4:
0 = Inactive/switched off
1 = Evaluate org unit. If user can access org unit but employee is
in default position, deny access.
2 = Do not evaluate org unit. If employee is in default position,
deny access.
3 = Evaluate org unit. If user can access org unit and employee is
in default position, grant access.
4 = Do not evaluate org unit. If employee is in default position,
grant access.
Other Authorization Switches
PERNR HR: Master data Personnel Number Check
There is no context-sensitive switch for the Personnel
Number Check, as this is extraneous.
The P_PERNR authorization object has no context-sensitive
equivalent.
P_PERNR authorizations specify which infotypes the user
can access of his/her own personnel information.
Since P_PERNR targets a specific personnel number,
applying a structural profile to this authorization would be
meaningless.
Converting to Context-Based Authorizations
Identify which standard HR authorizations need to be linked to the
relevant structural profiles in order to resolve context conflicts
A good design document is invaluable
Converting to Context-Based Authorizations (Cont.)
Examine structural authorizations to ensure that they
adequately isolate groups of personnel
New structural authorizations and function modules may be
required to dynamically determine personnel based upon
the user's position in the organization
Existing structural profiles can be linked to context
authorizations
Tip 1: How to Assign Structural Authorizations
User-based
In Table T77UU via transaction OOSB
Most maintenance-intensive
Tip 1: How to Assign Structural Authorizations (cont.)
Position-based
In Organizational Management via transaction PP01, using PD
Profiles infotype 1017
Reduces maintenance as long as you practice good position
maintenance procedures
Tip 1: How to Assign Structural Authorizations (cont.)
Via Business Add-In (BAdI) Enhancement
HRBAS00_GET_PROFL via SE19
Standard logic determines the user's structural profiles
by reading the values in the user's P_ORGINCON
authorization object
Tip 2:
How to Mitigate Performance Issues
RHBAUS00 (structural profile indexing)
Report generates an index of users to structural profiles (for
those users maintained in Table T77UU)
Used heavily with the BW integration solution
IMG Path: Maintain this list of users in the IMG under
Personnel Management > Organizational Management > Basic Settings > Authorization Management > Structural Authorization > Save User Data in SAP Memory
Resources
Authorizations in SAP HR
Available on SAP's Help Web site http://help.sap.com
Case Study: Build Your Organizational Structure to
Support SAP's Manager's Self-Service
Danielle Larocca Signorile, HR Expert, Jan. 2006
http://www.hrexpertonline.com
Authorizations in Performance Management
Available on SAP Service Marketplace
http://service.sap.com*
Requires login credentials to the SAP Service Marketplace