
HR940 Authorizations in HR
mySAP Human Resources

Participant Handbook
Course Version: 2003 Q2
Course Duration: 3 Day(s)
Material Number: 50065804

An SAP course - use it to learn, reference it for work

For internal use by CSC only

Copyright

Copyright © 2003 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Trademarks

• Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
• IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.
• ORACLE® is a registered trademark of ORACLE Corporation.
• INFORMIX®-OnLine for SAP and INFORMIX® Dynamic Server™ are registered trademarks of Informix Software Incorporated.
• UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
• Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
• HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
• JAVA® is a registered trademark of Sun Microsystems, Inc.
• JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
• SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Disclaimer

THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.


About this Handbook
This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.

Typographic Conventions
American English is the standard used in this handbook. The following typographic conventions are also used.

Type Style: Description

Example text (screen text): Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation, both internal (in this documentation) and external (in other locations, such as SAPNet).

Example text (emphasis): Emphasized words or phrases in body text, titles of graphics, and tables.

EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.

Example text (screen output): Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.

Example text (user entry): Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

2003/Q2 © 2003 SAP AG. All rights reserved. iii


About this Handbook HR940

Icons in Body Text
The following icons are used in this handbook.

Icon: Meaning

• For more information, tips, or background
• Note or further explanation of previous point
• Exception or caution
• Procedures
• Indicates that the item is displayed in the instructor's presentation.


Contents

Course Overview ..... vii
  Course Goals ..... vii
  Course Objectives ..... vii

Unit 1: Introduction ..... 1
  Authorization Types ..... 2
  Users and Roles ..... 6

Unit 2: Setting Up General Authorization Checks ..... 19
  Master Data Authorizations and Personnel Number Check ..... 21
  Applicant Infotype Authorization ..... 37
  Personnel Planning Authorization ..... 40
  Transaction Code Authorization ..... 43
  Cluster Data Authorization ..... 46
  Customer-Specific Authorization Object ..... 53
  Double Verification Principle ..... 56

Unit 3: Indirect Role Assignment ..... 69
  Indirect Role Assignment ..... 70

Unit 4: Determining the Period of Responsibility ..... 85
  The Period of Responsibility ..... 86
  Time Logic ..... 92

Unit 5: Authorization Objects for Payroll ..... 101
  Authorization Objects for Payroll ..... 102
  Authorization for Schemas and Personnel Calculation Rules ..... 106

Unit 6: Authorization Check for Evaluations ..... 117
  Authorization Check in Reporting ..... 118
  The Authorization Object HR: Reporting ..... 124

Unit 7: Structural Authorization Checks ..... 137
  The Personnel Planning Data Model ..... 138
  The Definition of Structural Authorizations ..... 144
  Determining the Period of Responsibility ..... 152
  The Overall Authorization Profile ..... 157
  Report RHPROFL0 ..... 166


  Indexes for Structural Authorization Profiles ..... 175

Unit 8: The Context Solution ..... 185
  Context Problems in HR Authorizations ..... 186
  Context Authorization Objects ..... 190

Unit 9: Additional Aspects of the General Authorization Check ..... 205
  The Organizational Key ..... 206
  Test Procedures ..... 211

Unit 10: Examples and Tips ..... 223
  Examples and Tips ..... 224

Appendix 1: Additional Material ..... 239

Appendix 2: Flowcharts of the Authorization Check ..... 257


Course Overview
Setting up authorizations in Human Resources.

The information contained in this course applies to the following SAP software components and releases.

• SAP R/3 Enterprise (SAP R/3 Enterprise Core 4.70)
• SAP R/3 Enterprise Extension Set 1.10

Target Audience
This course is intended for the following audiences:

• Project team
• Consultants

Course Prerequisites
Required Knowledge
• ADM940 SAP Authorization Concept
• SAPHR Solution Overview of mySAP Human Resources
• HR100 Essentials of Personnel Administration

Recommended Knowledge
• HR505 Organizational Management

Course Goals
This course will prepare you to:

• Configure roles and authorizations in Human Resources.

Course Objectives
After completing this course, you will be able to:

• Set up general and structural authorization checks and assign these to users directly or via Organizational Management.

SAP Software Component Information
The information in this course pertains to the following SAP Software Components and releases:

• SAP R/3 Enterprise (SAP R/3 Enterprise Core 4.70)
• SAP R/3 Enterprise Extension Set 1.10


Unit 1: Introduction

Unit Overview
This unit introduces the course. The instructor reviews important terms used in the SAP Authorization Concept for participants or introduces these terms to participants who have not attended the ADM940 course. At this point, the instructor should also mention the difference between general authorization checks and the HR-specific structural authorizations. The unit concludes with an explanation of how you work with the Profile Generator.

Unit Objectives
After completing this unit, you will be able to:

• Describe the essential features of the authorization concept in HR
• Create users and roles
• Create a role with the Profile Generator.

Unit Contents
Lesson: Authorization Types ..... 2
Lesson: Users and Roles ..... 6
  Exercise 1: Users and Roles ..... 11


Lesson: Authorization Types

Lesson Overview
General Authorization Check • Structural Authorization Check

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the essential features of the authorization concept in HR
• Create users and roles

Business Example
The employees in the various HR departments need different authorizations to perform their tasks.

Authorization Types

Figure 1: Authorization Types

Authorizations control system users' access to system data and are therefore a fundamental prerequisite for the implementation of business software. There are two main ways to set up authorizations for mySAP Human Resources:


You must create general authorizations. General authorizations include the authorizations that are particularly important for Personnel Administration and that control access to HR data, which must be strictly controlled due to the sensitive nature of personnel data.

You can set up HR-specific structural authorizations. Structural authorizations check by organizational assignment if a user is authorized to perform an activity. If you want to use structural authorizations, you should have mapped your enterprise's structure in Organizational Management.

You can set up both authorization types (general access authorizations and structural authorizations) simultaneously. Thus, you can achieve a complex authorization concept.

General Authorization Check

Figure 2: General Authorization Check

The general authorization check for mySAP HR controls access to Human Resources infotypes and forms part of the general SAP authorization check.

Authorizations are defined by authorization objects. An authorization object defines the fields (max. 10) that occur in an authorization. The system checks in the user master record if a user has the corresponding authorization for certain field specifications.


You define an authorization for an authorization object by specifying values for the individual fields of the object. You can create any number of authorizations, each with different values and names, for an authorization object.

Authorizations are grouped together in an authorization profile.

A user's authorizations for the different authorization objects in the system are determined from the authorization profiles assigned to the user in the user master data record.

Structural Authorization Check

Figure 3: Structural Authorization Check

From a business point of view, the structural authorization check performs exactly the same function as the general authorization check in HR. It controls access specifically to data stored in time-dependent structures (organizational structures, business event hierarchies, qualifications catalogs, and so on).

The flexibility of this concept ensures that the maintenance of structural authorizations is minimal, even if a change is made within the structure, and at the same time ensures that users still have access only to objects they are responsible for.


Lesson Summary

You should now be able to:
• Describe the essential features of the authorization concept in HR
• Create users and roles


Lesson: Users and Roles

Lesson Overview
Roles and Role Editing with the Profile Generator

Lesson Objectives
After completing this lesson, you will be able to:

• Create a role with the Profile Generator.

Business Example
Employees should be assigned a menu especially adapted to suit the tasks they have to perform and containing the authorizations they require.

Users, Roles and Authorization Profiles

Figure 4: Users and Roles

A user can only log on to the system if there is a user master record with a corresponding password stored for him or her. In the master record, a user menu and the corresponding authorization profiles are assigned to the user using one or several roles.


A role is a collection of activities that enable a user to participate in one or more business scenarios in the organization. User menus provide access to the transactions, reports or Web-based applications contained in the roles. A user menu should only contain the functions that are typically performed by the user in his or her daily work.

The assignment of users to roles safeguards the integrity of business data. An authorization profile is generated for the activities contained in the role. This defines the boundaries within which the user may perform actions in the SAP System.

Figure 5: Roles and Authorization Profiles

The authorizations an employee needs to be able to access certain objects in the SAP system depend on the activities he or she performs at work.

The authorizations required for a specific task area (role) in the enterprise are grouped together in an authorization profile.

In Role Maintenance, select Transactions and Menu Paths. The selected functions correspond to the task area of a user or a group of users.

The profile generator automatically provides the corresponding authorizations for the selected functions. Now you can generate an authorization profile from these authorizations.

In the current release, SAP delivers more than 1,200 single roles from all application areas. You find the roles for Human Resources under the generic name SAP_HR*. You can either copy these roles unchanged or copy the roles, change them, and then assign them to users.


Editing Roles

Figure 6: Editing Roles (1)

As of Release 4.6A you set up authorizations in the form of roles using the profile generator (formerly referred to as activity groups). Roles provide a business perspective by representing the tasks and activities that a user is authorized to perform in the system. Authorizations are parts of roles and are generated by the profile generator. You can generate several authorization profiles for each role.

When you generate roles, you also define the authorization objects with the necessary field specifications.

User menus provide access to the transactions, reports or web-based applications contained in the roles. A user menu should therefore contain only the functions that are required by a specific user with a specific task profile for daily work.

In the SAP Easy Access menu, choose Create Role (or call transaction PFCG). You access role maintenance. Note that the roles delivered by SAP begin with the prefix "SAP_". If you want to create your own user roles or copy existing ones, do not use the SAP namespace.


Figure 7: Editing Roles (2)

In the Menu tab page, assign transactions, reports, and/or Web addresses to the role. By doing this, you set the user menu that is automatically called up when the user assigned to this role logs on to the SAP system. When you assign transactions and so on, the user's role or task profile is defined. The transactions defined in the Menu tab page are then used by the system to create authorizations automatically.

If necessary, you can change the authorizations that were automatically created by the system when it generated the menu on the Authorizations tab page. To do so, on this tab page choose Expert Mode under Maintain Authorization Data and Generate Profile. You can, for example, create additional authorizations when you change the authorizations that you have already created by choosing additional authorization objects and so on.

When you have finished any postprocessing required on the automatically created authorizations, generate the authorization profile belonging to the role on the Authorizations tab page.

Finally, on the User tab page, assign users to the generated role. You can also assign users to roles through user master records or through Organizational Management objects (for example, job).

The generated profile is only entered in the user master record when a user comparison has taken place.


Exercise 1: Users and Roles

Exercise Objectives
After completing this exercise, you will be able to:
• Create a user master record
• Determine a suitable role for personnel administrators from the standard roles
• Copy a suitable SAP sample role in the customer name range so that you can then edit the role

Business Example
The personnel administrators require a user master record with a role that contains a user menu with the required steps for daily work.

You have found a sample role with a suitable menu for the personnel administrators in your company. Copy this role so that you can store the required authorizations for your company in a customer-specific role.

Task 1
Do the following exercise:

1. Create a user master record for a dialog user PATEL-## (## = group number) for your employee 540995##, Iffat Patel.

2. Maintain the address data with entries of your choice.

3. Specify an initial password and assign the user to the TRAINING user group for authorization check.

4. Assign the logon language that you are logged on in.

5. Save your user master record.

Task 2
Do the following exercise:

1. Create a record of the Communication infotype (0105) with subtype System User Name (0001) for your employee 540995##.

Task 3
Do the following exercise:


1. Take a look at the standard roles for Human Resources. Select the SAP_HR_PA_HR-ADMINISTRATOR role "HR Administrator Personnel Administration" and take a look at the role menu.

Copy the role to the name PA_HR-ADMINISTRATOR-## (## = group number).


Solution 1: Users and Roles

Task 1
Do the following exercise:

1. Create a user master record for a dialog user PATEL-## (## = group number) for your employee 540995##, Iffat Patel.

a) SAP Menu: Tools → Administration → User Maintenance → User (SU01)

Enter PATEL-## and choose Create.

2. Maintain the address data with entries of your choice.

a) On the Address tab page.

3. Specify an initial password and assign the user to the TRAINING user group for authorization check.

a) On the Logon Data tab page.

4. Assign the logon language that you are logged on in.

a) On the Defaults tab page.

5. Save your user master record.

a) Save your user master record.

Task 2
Do the following exercise:

1. Create a record of the Communication infotype (0105) with subtype System User Name (0001) for your employee 540995##.

a) SAP Menu: Human Resources → Personnel Management → Administration → HR Master Data → Maintain (PA30)

Enter 540995## in the Personnel Number field and 0105 in the Infotype field. Then choose Create. On the next screen, select the subtype 0001 System User Name SAP System. In the ID/Number field, enter PATEL-## and save your entries.

Task 3
Do the following exercise:


1. Take a look at the standard roles for Human Resources. Select the SAP_HR_PA_HR-ADMINISTRATOR role "HR Administrator Personnel Administration" and take a look at the role menu.

Copy the role to the name PA_HR-ADMINISTRATOR-## (## = group number).

a) SAP Menu: Tools → Administration → User Maintenance → Role Administration → Roles (PFCG)

Use the input help (F4) for the Role field. A dialog box appears. In the Single Role field of the dialog box, enter SAP_HR* to restrict the display to HR roles. Select the SAP_HR_PA_HR-ADMINISTRATOR role (double-click).

Now choose Display Role to take a look at the role. In the Menu tab page, you can see the user menu of the role.

To copy the role, go back to the role maintenance screen and choose Copy.

On the following screen, in the To Role field, enter the name of your new role: PA_HR-ADMINISTRATOR-##. Then choose Copy all.


Lesson Summary

You should now be able to:
• Create a role with the Profile Generator.


Unit Summary
You should now be able to:
• Describe the essential features of the authorization concept in HR
• Create users and roles
• Create a role with the Profile Generator.


Test Your Knowledge

1. What are the prerequisites for using structural authorizations?

2. The authorization profile generated in role maintenance is entered in the user master record of the users to which the role is assigned.
Determine whether this statement is true or false.

True
False


Answers

1. What are the prerequisites for using structural authorizations?

Answer: You must first map your enterprise's structure in Organizational Management.

2. The authorization profile generated in role maintenance is entered in the user master record of the users to which the role is assigned.

Answer: False

The generated profile is only entered in the user master record when a user comparison has taken place.


Unit 2: Setting Up General Authorization Checks

Unit Overview
This unit covers the most important authorization objects in HR, the authorization main switch and its significance. At the end of the unit, the double verification principle is introduced and explained. In the exercises, the participants create a practical role for a master data administrator.

Unit Objectives
After completing this unit, you will be able to:

• Create an administrator's authorizations for the HR master data of the employees in the administrator's area of responsibility.
• Configure the administrator's authorizations for accessing his or her own data separately.
• Describe the function of the authorization main switch.
• Set up an administrator's authorizations for applicant infotypes.
• Set up authorizations for the data objects and infotypes in the Personnel Planning components.
• Create authorizations for HR transactions that do not have their own authorization object.
• Set up the authorization for access to cluster data in the PCLx HR database tables.
• Create a customer-specific authorization object so that you can use additional fields of the Organizational Assignment infotype in the authorization check.
• Specify authorizations for certain infotypes so that two employees are always required for data entry. One employee maintains the data and the other employee checks the correctness of the data entered.


Unit Contents
Lesson: Master Data Authorizations and Personnel Number Check ..... 21
  Exercise 2: Master Data Authorizations and Personnel Number Check ..... 29
Lesson: Applicant Infotype Authorization ..... 37
Lesson: Personnel Planning Authorization ..... 40
Lesson: Transaction Code Authorization ..... 43
Lesson: Cluster Data Authorization ..... 46
  Exercise 3: Cluster Data Authorization ..... 47
Lesson: Customer-Specific Authorization Object ..... 53
Lesson: Double Verification Principle ..... 56
  Exercise 4: Double Verification Principle ..... 59


Lesson: Master Data Authorizations and Personnel Number Check

Lesson Overview
The authorization objects for the master data checks and the authorization main switches

Lesson Objectives
After completing this lesson, you will be able to:

• Create an administrator's authorizations for the HR master data of the employees in the administrator's area of responsibility.
• Configure the administrator's authorizations for accessing his or her own data separately
• Describe the function of the authorization main switch

Business Example
Employees in your HR department require differentiated authorizations for editing HR data.

Authorization Objects

Figure 8: Authorization Objects


There are a number of authorization objects you can use to define authorizations for mySAP HR. You can view these authorization objects using transaction SU03 (HR object class) in the SAP system.

Authorization objects enable complex checks of an authorization, which allows a user to carry out an action. An authorization object groups up to ten authorization fields that are checked in an AND relationship.

For an authorization check to be successful, all field values of the authorization object must be maintained accordingly. The fields in an object should not be seen as input fields on a screen. Instead, fields should be regarded as system elements, such as infotypes, which are to be protected.

In the documentation, you can find information about maintaining authorization values.

You can define as many system access authorizations as you wish for an object by creating a number of allowed values for the fields in an object. These value sets are called authorizations. The system checks these authorizations in OR relationships.

HR Master Data Authorizations

Figure 9: HR: Master Data

The authorization object HR: Master Data is used during the authorization check on HR infotypes. The checks take place when HR infotypes are edited or read. The system queries the contents of the fields during the authorization check.


The authorization level field specifies the access mode. The following authorization levels exist:

• R ("read") for read access

• M ("matchcode") for read access using input help (F4)

• W ("write") for write access

• E and D ("enqueue" and "dequeue") for write access using the asymmetrical double verification principle. E allows the user to create and change locked data records and D allows the user to change lock indicators.

• S ("symmetrical") for write access using the symmetrical double verification principle

• * always includes all other authorization levels simultaneously

See "Additional Aspects of the Authorization Check" for detailed information on the special characteristics of the organizational key field.
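The E and D levels above only make sense as a pair. The following Python model, added here as an illustration and not taken from SAP or from this course, shows how a lock indicator on the record separates the two roles: a user holding E creates and changes records only while they are locked, a user holding D only changes the lock indicator, and a user holding W writes effective records alone, which is why W must not be granted to either participant. The record store, the user names (ADMIN_A, ADMIN_B, PAYROLL_W), their level sets and the sample data are constructed; using infotype 0015 (Additional Payments) for the record is an assumption.

```python
# Model of the asymmetrical double verification principle built on the E
# (enqueue) and D (dequeue) authorization levels listed above. Added
# illustration, not SAP code: the store, users and level sets are constructed.
from dataclasses import dataclass


@dataclass
class Record:
    pernr: str
    infty: str
    data: dict
    locked: bool          # lock indicator: a locked record is not yet effective


class DoubleVerificationStore:
    def __init__(self, levels_by_user):
        self.levels = levels_by_user   # user -> set of authorization levels
        self.records = []

    def _has(self, user, level):
        levels = self.levels.get(user, set())
        return "*" in levels or level in levels

    def create(self, user, pernr, infty, data):
        if self._has(user, "W"):       # plain write: effective at once, no second person
            rec = Record(pernr, infty, dict(data), locked=False)
        elif self._has(user, "E"):     # enqueue: created with the lock indicator set
            rec = Record(pernr, infty, dict(data), locked=True)
        else:
            raise PermissionError(f"{user} may not create infotype {infty}")
        self.records.append(rec)
        return rec

    def change(self, user, rec, data):
        # E may change a record only while it is still locked; W may always change it.
        if self._has(user, "W") or (self._has(user, "E") and rec.locked):
            rec.data.update(data)
            return rec
        raise PermissionError(f"{user} may not change this record")

    def set_lock(self, user, rec, locked):
        if not self._has(user, "D"):   # dequeue: only D may change the lock indicator
            raise PermissionError(f"{user} may not change the lock indicator")
        rec.locked = locked
        return rec

    def effective(self):
        return [r for r in self.records if not r.locked]


def run_scenario():
    """Two administrators handle one record of infotype 0015 (Additional
    Payments, an assumption for the example); a third user holds W alone."""
    store = DoubleVerificationStore({
        "ADMIN_A": {"E", "R", "M"},    # enters data, cannot release it
        "ADMIN_B": {"D", "R", "M"},    # releases data, cannot enter or change it
        "PAYROLL_W": {"W"},            # W alone defeats the principle
    })
    out = {}
    rec = store.create("ADMIN_A", "00001000", "0015", {"wage_type": "WT01", "amount": "500"})
    out["created_locked"] = rec.locked
    for key, action in (
        ("a_can_release", lambda: store.set_lock("ADMIN_A", rec, False)),
        ("b_can_change", lambda: store.change("ADMIN_B", rec, {"amount": "5000"})),
    ):
        try:
            action()
            out[key] = True
        except PermissionError:
            out[key] = False
    store.set_lock("ADMIN_B", rec, False)            # second person releases it
    out["effective_count"] = len(store.effective())
    try:                                             # released: E no longer suffices
        store.change("ADMIN_A", rec, {"amount": "5000"})
        out["a_can_change_released"] = True
    except PermissionError:
        out["a_can_change_released"] = False
    alone = store.create("PAYROLL_W", "00001000", "0015", {"wage_type": "WT01", "amount": "1"})
    out["w_alone_effective"] = not alone.locked
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The scenario returns one flag per step: the E user's record starts locked and that user can neither release it nor change it once released, the D user can release it but not alter its content, and the user holding W produces an effective record without anyone else being involved.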

Figure 10: HR: Master Data - Extended Check

The object HR: Master Data - Extended Check is used during the authorization check on HR infotypes. The checks take place when HR infotypes are edited or read.

The fields SACHA, SACHP, SACHZ and SBMOD are filled from the Organizational Assignment infotype (0001). Since this infotype has time-dependent specifications, an authorization may only exist for certain time intervals depending on the user's authorization. A user's period of responsibility is represented by all the time intervals for which he or she has P_ORGXX authorizations.


In the administrator group, all administrators who are responsible for an organizational area in Personnel Administration or in Applicant Management are grouped together.

In the standard system, the check of this object is not active. You can use the main authorization switch (transaction OOAC) to determine whether this check is to be carried out in addition to or instead of the HR: Master Data check.

If the additional check is activated, an authorization check according to HR: Master Data takes place first. If the result of this check is positive, a further check based on HR: Master Data - Extended Check is performed.

Personnel Number Check

Figure 11: HR: Master Data - Personnel Number Check

The authorization object HR: Master Data - Personnel Number Check is used when you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.

The following values are possible for the PSIGN field:

• I = Authorization for the personnel number assigned, that is, for the user's own personnel number.

• E = Authorization for all personnel numbers excluding one's own personnel number.


You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).

This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.

Figure 12: Example: Personnel Number Check (1)

In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. Authorization for the object HR: Personnel Number Check must be set as in this example.

The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write authorization for all data records of infotype 0008 stored under the employee's personnel number.


The authorization checks for all other personnel numbers and for write authorizations for all infotypes (except 0008) run according to HR: Master Data.

Hint: If you use personnel-number-based authorizations, you should always set up all the authorizations that are not based on personnel numbers first. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except test procedures).

Figure 13: Example: Personnel Number Check (2)

In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. Authorization for the object HR: Personnel Number Check must be set as in this example.

The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.

The Authorization Main Switches

Figure 14: The Authorization Main Switches (1)

The authorization main switches are stored in table T77S0 under the group name AUTSW. Up to Release 4.5B the switches were stored in the MPPAUTSW include.

You can use these switches to adjust the behavior of the authorization check on HR infotypes to meet your requirements. The switch settings can be specified differently for each client.

The graphic shows you the standard switch settings.

You can use the master data check (ORGIN) and the extended check (ORGXX) additively (both switches are set to 1) or alternatively (only one of the switches is set to 1).

Hint: You can make the settings using transaction OOAC or in the IMG for Personnel Administration under Tools → Authorization Management → Edit Authorization Main Switch.
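To make the AND/OR rule for fields and authorizations, the P_PERNR override for the user's own personnel number and the effect of the main switches concrete, here is a Python model of the master data check. It is added as an illustration and is neither SAP code nor part of this course. The P_ORGIN and P_PERNR authorizations are those of the exercise solution that follows (group number 01); the P_ORGXX authorization, the switch dictionary, the user's personnel number, the request builder and its Organizational Assignment values are constructed. Two modelling assumptions are marked in the code: a matching E authorization in P_PERNR takes precedence over a matching I authorization, and when neither matches the general checks decide. The time dependency of the period of responsibility is not modelled.

```python
# Model of the HR master data check: fields of one authorization are ANDed,
# authorizations of one object are ORed, P_PERNR decides access to the user's
# own personnel number, and the AUTSW main switches select P_ORGIN / P_ORGXX.
# Added illustration, not SAP code; role, switches and request are constructed.


def value_matches(allowed, actual):
    """One allowed value: '*' matches anything, 'lo-hi' is a range (infotype
    numbers are zero-padded, so string comparison orders them), else literal."""
    allowed = allowed.strip()
    if allowed == "*":
        return True
    if "-" in allowed:
        lo, hi = (part.strip() for part in allowed.split("-", 1))
        return lo <= actual <= hi
    return allowed == actual


def authorization_matches(auth, request):
    """AND over the fields of one authorization; each field lists allowed values."""
    return all(any(value_matches(v, request[name]) for v in values)
               for name, values in auth.items())


def object_check(authorizations, request):
    """OR over the authorizations maintained for one object."""
    return any(authorization_matches(a, request) for a in authorizations)


def check_master_data(switches, role, request, user_pernr):
    """Return (granted, reason). switches models the AUTSW group of T77S0, role
    maps object name -> authorizations, request holds the accessed record's
    fields plus the access level AUTHC and the personnel number PERNR."""
    # 1. Personnel number check: only if the PERNR switch is on, the user has a
    #    personnel number (infotype 0105 subtype 0001) and accesses that number.
    if switches.get("PERNR") == 1 and user_pernr and request["PERNR"] == user_pernr:
        own = {k: request[k] for k in ("AUTHC", "INFTY", "SUBTY")}
        by_sign = {"I": [], "E": []}
        for auth in role.get("P_PERNR", []):
            by_sign[auth["PSIGN"]].append({k: v for k, v in auth.items() if k != "PSIGN"})
        # Modelling assumption: a matching E (own number excluded) denies, a
        # matching I grants, and if neither matches the general checks decide.
        if object_check(by_sign["E"], own):
            return False, "P_PERNR: excluded for own personnel number (E)"
        if object_check(by_sign["I"], own):
            return True, "P_PERNR: granted for own personnel number (I)"
    # 2. General checks. ORGIN=1 and ORGXX=1 is the additive mode: P_ORGIN is
    #    checked first and P_ORGXX must also pass; with one switch set to 1
    #    only that object is checked.
    active = [obj for obj, sw in (("P_ORGIN", "ORGIN"), ("P_ORGXX", "ORGXX"))
              if switches.get(sw) == 1]
    if not active:
        raise ValueError("neither ORGIN nor ORGXX is active: not modelled here")
    for obj in active:
        if not object_check(role.get(obj, []), request):
            return False, f"{obj}: no matching authorization"
    return True, " and ".join(active) + ": granted"


# Constructed role: the P_ORGIN and P_PERNR authorizations of the exercise
# solution (group number 01) plus one P_ORGXX authorization for administrator A01.
ROLE = {
    "P_ORGIN": [
        {"AUTHC": ["*"], "INFTY": ["0000-0004", "0007", "0008", "0009-0128", "0165-0999"],
         "PERSA": ["CABB"], "PERSG": ["1"], "PERSK": ["*"], "SUBTY": ["*"], "VDSK1": ["*"]},
        {"AUTHC": ["*"], "INFTY": ["0006"], "PERSA": ["CABB"], "PERSG": ["1"],
         "PERSK": ["*"], "SUBTY": ["1"], "VDSK1": ["*"]},
        {"AUTHC": ["*"], "INFTY": ["2006"], "PERSA": ["CABB"], "PERSG": ["1"],
         "PERSK": ["*"], "SUBTY": ["10"], "VDSK1": ["*"]},
        {"AUTHC": ["*"], "INFTY": ["2010"], "PERSA": ["CABB"], "PERSG": ["1"],
         "PERSK": ["*"], "SUBTY": ["2001"], "VDSK1": ["*"]},
    ],
    "P_ORGXX": [
        {"AUTHC": ["*"], "INFTY": ["*"], "SUBTY": ["*"], "SACHA": ["A01"],
         "SACHP": ["*"], "SACHZ": ["*"], "SBMOD": ["*"]},
    ],
    "P_PERNR": [
        {"AUTHC": ["M", "R"], "INFTY": ["*"], "PSIGN": "I", "SUBTY": ["*"]},
        {"AUTHC": ["D", "E", "S", "W"], "INFTY": ["0008"], "PSIGN": "E", "SUBTY": ["*"]},
    ],
}
SWITCHES = {"ORGIN": 1, "ORGXX": 0, "PERNR": 1}  # constructed: P_ORGIN only, P_PERNR on
USER_PERNR = "00001000"                          # constructed: the user's own number


def request(authc, pernr, infty, subty="", persa="CABB", sacha="A01"):
    """Constructed access to one infotype record; the remaining values stand
    for the fields read from the Organizational Assignment infotype (0001)."""
    return {"AUTHC": authc, "PERNR": pernr, "INFTY": infty, "SUBTY": subty,
            "PERSA": persa, "PERSG": "1", "PERSK": "DU", "VDSK1": "",
            "SACHA": sacha, "SACHP": "A01", "SACHZ": "A01", "SBMOD": "0001"}


if __name__ == "__main__":
    for args in (("R", USER_PERNR, "0002"), ("W", USER_PERNR, "0008"),
                 ("W", "00002000", "0008"), ("W", "00002000", "0006", "2")):
        print(args, check_master_data(SWITCHES, ROLE, request(*args), USER_PERNR))
```

With these values the administrator can read his or her own infotype 0002 even outside personnel area CABB (the I authorization decides), is refused write access to his or her own infotype 0008 (the E authorization decides), and for any other personnel number, or for writing his or her own infotype 0006, falls through to P_ORGIN, where the personnel area, employee group and subtype restrictions of the exercise apply. Setting ORGXX to 1 as well makes a P_ORGXX mismatch on the administrator field deny a request that P_ORGIN alone would have granted.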


Exercise 2: Master Data Authorizations and Personnel Number Check

Exercise Objectives
After completing this exercise, you will be able to:

• Create an administrator's authorizations for the HR master data in his or her area of responsibility

• Set up an administrator's authorizations for accessing his or her own data

• Check the settings of the authorization main switches

Business Example
The personnel administrators in your company require authorizations for the HR master data infotypes. The administrators should have read access only to their own data.

Task 1
All administrators should have authorization for:

• Personnel area: CABB

• Employee group: 1

• Employee subgroup: *

• Organizational key: *

1. In your role PA_HR-ADMINISTRATOR-## (## = group number), maintain the authorization for the HR: Master Data object. Assign full access at all authorization levels for the following infotypes and their subtypes: 0000 - 0004, 0007, 0008, 0009 - 0128 and 0165 - 0999.

Task 2
The personnel administrators should have access authorization that is restricted to certain subtypes or wage types for the following infotypes:


• 0006 Addresses: only subtype 1 Permanent residence

• 2006 Absence Quotas: only subtype 10 Leave

• 2010 Employee Remuneration Information: only wage type 20## Weather bonus (## = group number)

1. In your role PA_HR-ADMINISTRATOR-##, add three more authorizations for the object HR: Master Data.

Task 3
The personnel administrators are authorized to display their own HR data, even if they do not belong to personnel area CABB. They are not authorized to maintain infotype 0008 Basic Pay for their own personnel number.

1. In your role, add two authorizations for the HR: Master Data - Personnel Number Check object.

2. All employees are authorized to enter their vacation absences in the system. Add the authorization from the HR940_VACATION template to your role.

Task 4
Do the following exercise:

1. Open a new session and call transaction OOAC. Check the authorization main switches with regard to the personnel number check. Record the switch and the required value to activate the personnel number check:

• Switch: __________

• Value: __________


Solution 2: Master Data Authorizations and Personnel Number Check

Task 1
All administrators should have authorization for:

• Personnel area: CABB

• Employee group: 1

• Employee subgroup: *

• Organizational key: *


1. In your role PA_HR-ADMINISTRATOR-## (## = group number), maintain the authorization for the HR: Master Data object. Assign full access at all authorization levels for the following infotypes and their subtypes: 0000 - 0004, 0007, 0008, 0009 - 0128 and 0165 - 0999.

a) SAP Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (PFCG)

In the Role field, enter PA_HR-ADMINISTRATOR-## (## = group number) and choose Change. On the Authorizations tab page, select Change Authorization Data.

Expand the Human Resources object class. Open the authorization object HR: Master Data. Maintain the fields of the authorization:

Field Name             Values
Authorization level    *
Infotype               0000-0004, 0007, 0008, 0009-0128, 0165-0999
Personnel area         CABB
Employee group         1
Employee subgroup      *
Subtype                *
Organizational key     *

Task 2
The personnel administrators should have access authorization that is restricted to certain subtypes or wage types for the following infotypes:

• 0006 Addresses: only subtype 1 Permanent residence

• 2006 Absence Quotas: only subtype 10 Leave

• 2010 Employee Remuneration Information: only wage type 20## Weather bonus (## = group number)


1. In your role PA_HR-ADMINISTRATOR-##, add three more authorizations for the object HR: Master Data.

a) You must add three additional authorizations to this authorization object. Therefore, choose Manual entry of authorization objects and on the next screen, enter P_ORGIN in the Authorization object field.

Maintain the fields of the authorizations:

Field Name             Values
Authorization level    *
Infotype               0006
Personnel area         CABB
Employee group         1
Employee subgroup      *
Subtype                1
Organizational key     *

Field Name             Values
Authorization level    *
Infotype               2006
Personnel area         CABB
Employee group         1
Employee subgroup      *
Subtype                10
Organizational key     *

Field Name             Values
Authorization level    *
Infotype               2010
Personnel area         CABB
Employee group         1
Employee subgroup      *
Subtype                20## (## = group number)
Organizational key     *

Task 3
The personnel administrators are authorized to display their own HR data, even if they do not belong to personnel area CABB. They are not authorized to maintain infotype 0008 Basic Pay for their own personnel number.

1. In your role, add two authorizations for the HR: Master Data - Personnel Number Check object.

a) You must add authorizations for the authorization object HR: Master Data - Personnel Number Check.

To do so, choose Manual entry of authorization objects and on the next screen, enter P_PERNR in the Authorization object field.

Maintain the fields of the authorizations:

Field Name                                     Values
Authorization level                            M, R
Infotype                                       *
Interpretation of assigned personnel number    I
Subtype                                        *

Field Name                                     Values
Authorization level                            D, E, S, W
Infotype                                       0008
Interpretation of assigned personnel number    E
Subtype                                        *


2. All employees are authorized to enter their vacation absences in the system. Add the authorization from the HR940_VACATION template to your role.

a) To add the authorization from the HR940_VACATION template, choose Edit → Insert authorization(s) → From template.... Select the template in the dialog box that appears and choose Continue.

Now save your role and confirm the default profile name.

Task 4
Do the following exercise:

1. Open a new session and call transaction OOAC. Check the authorization main switches with regard to the personnel number check. Record the switch and the required value to activate the personnel number check:

• Switch: __________

• Value: __________

a) Choose Create new session and enter OOAC in the command field. (Note: If the command field is not visible, open it by clicking the arrow to the right of Enter.) Then record the name of the switch and its value:

• Switch: PERNR

• Value: 1


Lesson Summary

You should now be able to:

• Create an administrator's authorizations for the HR master data of the employees in the administrator's area of responsibility.

• Configure the administrator's authorizations for accessing his or her own data separately

• Describe the function of the authorization main switch


Lesson: Applicant Infotype Authorization

Lesson Overview
The authorization object for applicant infotypes

Lesson Objectives
After completing this lesson, you will be able to:

• Set up an administrator's authorizations for applicant infotypes.

Business Example
The personnel officer in your company requires authorization to edit applicant data.

HR: Applicants

Figure 15: HR: Applicants

The object HR: Applicants is used during the authorization check on HR applicant infotypes. The checks take place when these infotypes are edited or read.

The PERSA, APGRP, APTYP, VDSK1 and RESRF fields are filled from the Organizational Assignment infotype (0001). Since this infotype has time-dependent specifications, an authorization may only exist for certain time intervals depending on the user's authorization. A user's period of responsibility is represented by all the time intervals for which he or she has P_APPL authorizations.

Hint: Unlike the P_ORGIN and P_ORGXX authorization objects, the check on this authorization object cannot be deactivated (that is, there is no corresponding authorization main switch).


Lesson Summary

You should now be able to:

• Set up an administrator's authorizations for applicant infotypes.


Lesson: Personnel Planning Authorization

Lesson Overview
The authorization object for Personnel Planning

Lesson Objectives
After completing this lesson, you will be able to:

• Set up authorizations for the data objects and infotypes in the Personnel Planning components.

Business Example
The organizational planner in your company requires authorization to edit Personnel Planning data.

The authorization object for Personnel Planning

Figure 16: Personnel Planning

You can use this authorization object to check the authorization for specific fields in the Personnel Planning components (Organizational Management, Personnel Development, Training and Event Management, and so on).

Plan version
This field specifies which plan versions the user is authorized to access.


Object type
This field specifies which object types the user is authorized to access.

Infotype
This field specifies which infotypes the user is authorized to access.

Subtype
This field specifies which subtypes of the infotypes the user is authorized to access.

Planning Status
This field specifies the planning status in which the user is authorized to access information.

Function Code
This field specifies the editing mode for which the user has authorization (display, change, and so on).


Lesson Summary

You should now be able to:

• Set up authorizations for the data objects and infotypes in the Personnel Planning components.


Lesson: Transaction Code Authorization

Lesson Overview
The Authorization Object for HR Transactions

Lesson Objectives
After completing this lesson, you will be able to:

• Create authorizations for HR transactions that do not have their own authorization object

Business Example

The Authorization Object HR: Transaction Code

Figure 17: HR: Transaction Code

This authorization object enables you to check whether a user is authorized to start the different HR transactions. The transaction code is checked. Note that this object is not used in all HR transactions. We distinguish between:

• HR transactions with a natural (their own) authorization object

• HR transactions without a natural (their own) authorization object


This authorization object contains the HR transaction codes without their own authorization object.

The P_TCODE authorization object is the HR equivalent of the Check Transaction Code at Start of Transaction authorization object (S_TCODE). The P_TCODE authorization object was implemented before the S_TCODE authorization object. Given the increased need to protect data in HR, it was retained as an additional protection measure.

Hint: Do not manually change the S_TCODE and P_TCODE authorization objects by inserting additional transaction codes. Instead, add additional transactions to your role's menu. The system then automatically enters these transactions in both authorization objects.


Lesson Summary

You should now be able to:

• Create authorizations for HR transactions that do not have their own authorization object


Lesson: Cluster Data Authorization

Lesson Overview
The authorization object for cluster data

Lesson Objectives
After completing this lesson, you will be able to:

• Set up the authorization for access to cluster data in the PCLx HR database tables.

Business Example
The employees in charge of the payroll archiving process require access authorization for the payroll results stored in clusters.

The Authorization Object HR: Clusters

Figure 18: HR: Clusters

The authorization object HR: Clusters is used during the authorization check for access to PCLx HR files (x = 1, 2, 3, 4) if these files are accessed via the PCLx buffer (interface supported by HR).

The possible values for the area indicator are the fixed values of the RELID_PCL domain. The fixed values and definitions of what they mean are stored in the T52RELID table (transaction PECLUSTER).


Exercise 3: Cluster Data Authorization

Exercise Objectives
After completing this exercise, you will be able to:

• Assign read authorization for payroll results

• Assign authorization for a transaction that does not have its own authorization object

• Add a report to the user-specific menu Information Systems

• Assign a user to the role

Business Example
The personnel administrators in your company should be authorized to access the payroll remuneration statement and infotype 0003 Payroll Status.

Task 1
All administrators should have read authorization for the international payroll results (cluster RX). They also require read authorization for the Cluster Directory (cluster CU) in which the directory of the payroll results is stored. For the PC and TX clusters, the administrators should have full authorization.

1. Maintain the authorizations for the HR: Clusters object in your role, PA_HR-ADMINISTRATOR-## (## = group number). Change the first of the two authorizations by creating read authorization for the CU and RX clusters.

Task 2
The personnel administrators require authorization to change the Payroll Status infotype (0003) of employees in their area of responsibility.

1. Add transaction PU03 Change Payroll Status to the menu of your role PA_HR-ADMINISTRATOR-##.

2. In Expert Mode for Profile Generation, maintain the authorizations for your role.

Task 3
Do the following exercise:


1. The payroll remuneration statement does not yet appear in your role menu. Therefore, in the Information Systems node, run the RPCEDTX0 report to extend the menu of your role.

Then generate the authorization profile for your role.

Task 4
Do the following exercise:

1. Assign your user PATEL-## (## = group number) to your role and perform the user compare.

Now log on to the system with this user master record and test the assigned authorizations.


Solution 3: Cluster Data Authorization

Task 1
All administrators should have read authorization for the international payroll results (cluster RX). They also require read authorization for the Cluster Directory (cluster CU) in which the directory of the payroll results is stored. For the PC and TX clusters, the administrators should have full authorization.

1. Maintain the authorizations for the HR: Clusters object in your role, PA_HR-ADMINISTRATOR-## (## = group number). Change the first of the two authorizations by creating read authorization for the CU and RX clusters.

a) SAP Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (PFCG)

In the Role field, enter PA_HR-ADMINISTRATOR-## (## = group number) and choose Change. On the Authorizations tab page, select Change Authorization Data.

Expand the Human Resources object class.

Open the authorization object HR: Clusters.

Edit the fields of the first authorization:

Field Name                   Values
Authorization level          R
Area indicator for cluster   CU, RX

Do not change the fields of the second authorization:

Field Name                   Values
Authorization level          *
Area indicator for cluster   PC, TX

Task 2
The personnel administrators require authorization to change the Payroll Status infotype (0003) of employees in their area of responsibility.


1. Add transaction PU03 Change Payroll Status to the menu of your role PA_HR-ADMINISTRATOR-##.

a) Now choose the Menu tab page to extend the menu of your role.

On the Menu tab page, choose Add Transaction. On the next screen, enter PU03 in the Transaction code field. Confirm your entry by pressing Enter. Save your changes.

2. In Expert Mode for Profile Generation, maintain the authorizations for your role.

a) On the Authorizations tab page, choose Expert Mode for Profile Generation. In the dialog box that appears, select and confirm the option Read old status and merge with new data. Since the new authorization for infotype 0003 is already contained in the authorization you maintained, you can deactivate the new authorizations by clicking the appropriate icon. Tip: The icon legend is under Utilities → Legend.

Task 3
Do the following exercise:

1. The payroll remuneration statement does not yet appear in your role menu. Therefore, in the Information Systems node, run the RPCEDTX0 report to extend the menu of your role.

Then generate the authorization profile for your role.

a) On the Menu tab page, choose Add Report. On the next screen, enter RPCEDTX0 in the Report field. Confirm your entry by pressing Enter.

In your role menu, open the Info System node and then the Employee node. Select Remuneration Statements and drag it, holding the left mouse button down, to where you want it. Save your changes. Now maintain the authorizations as described in the previous exercise and generate the authorization profile.

Task 4
Do the following exercise:

1. Assign your user PATEL-## (## = group number) to your role and perform the user compare.


Now log on to the system with this user master record and test the assigned authorizations.

a) On the User tab page, enter the user PATEL-## in the User ID field. Then choose User Compare and on the next screen Complete Compare to enter the role and the profile belonging to the role in the user master record.


Lesson Summary

You should now be able to:

• Set up the authorization for access to cluster data in the PCLx HR database tables.


Lesson: Customer-Specific Authorization Object

Lesson Overview
Check on other fields of the Organizational Assignment infotype using a customer-specific authorization object.

Lesson Objectives
After completing this lesson, you will be able to:

• Create a customer-specific authorization object so that you can use additional fields of the Organizational Assignment infotype in the authorization check

Business Example
You want to include the fields Personnel Subarea and Business Area.

HR: Master Data - Customer-Specific Object

Figure 19: HR: Master Data - Customer-Specific Object

If you have requirements that cannot be met using the P_ORGIN and P_ORGXX authorization objects (for example, because you want to build your authorization checks on additional fields of the Organizational Assignment infotype (0001) that are customer-specific), you can include an authorization object in the authorization checks yourself.


Create the authorization object using transaction SU21. Make sure youkeep to the customer name range (Z/Y). To be able to use the newauthorization object you have created in the master data authorizationcheck, the object must contain the INFTY, SUBTY, and AUTHC fields. Youcan use any other fields of the Organizational Assignment infotype (0001)as the other fields. You can also use customer-specific additional fieldsprovided they are CHAR or NUMC type fields.

After you have created the object, you must start the report RPUACG00.This report overwrites the MPPAUTZZ standard include with the codethat is needed to evaluate the authorization object you created. Note:Technically speaking, this involves a modification. However, SAP fullysupports this procedure. And you should not have more maintenancework as a result of this modification.

Note that if you use customer-specific authorization objects, you must maintain these objects in transaction SU24 (Maintain Assignment of Authorization Objects to Transactions) in the same way as you maintain the authorization objects P_ORGIN, P_ORGXX, and P_PERNR.


Lesson Summary

You should now be able to:

• Create a customer-specific authorization object so that you can use additional fields of the Organizational Assignment infotype in the authorization check


Lesson: Double Verification Principle

Lesson Overview

The double verification principle divides the tasks of data entry and data control among two employees.

Lesson Objectives

After completing this lesson, you will be able to:

• Specify authorizations for certain infotypes so that two employees are always required for data entry. One employee maintains the data and the other employee checks the correctness of the data entered.

Business Example

Two administrators should always edit the Additional Payments infotype.

The Asymmetrical Double Verification Principle

Figure 20: Asymmetrical Double Verification Principle

In this procedure, two users are always required to be able to create or change an infotype's data. The users do not have the same authorizations, which is why the process is called asymmetrical. User A is granted authorizations with the authorization level E ("enqueue"), R ("read") and M ("matchcode") for the P_ORGIN (or P_ORGXX) authorization object instead of complete write authorizations (authorization level W or *). These authorizations allow the user to create, change or delete locked records only.

User B is granted authorizations with the authorization level D ("dequeue"), R and M for the authorization object P_ORGIN (or P_ORGXX) instead of complete write authorizations. These authorizations allow the user to unlock locked records (or lock unlocked records) only.

New data is entered by user A and unlocked by user B. Existing data can be changed in two ways: User B locks the data, user A changes the data, and user B unlocks the data again. Alternatively, user A creates a locked copy from the unlocked data and changes this copy. User B then unlocks the data. To delete unlocked data, user B locks the data, which is then deleted by user A.

In this process, user A is always responsible for entering and changing data and user B for approving the changes.

The Symmetrical Double Verification Principle

Figure 21: Symmetrical Double Verification Principle

In this procedure, two users are always required to be able to create or change an infotype's data. The users have the same authorizations for this. The process functions as follows: Both users are granted authorizations with the authorization level S ("symmetrical"), R ("read") and M ("matchcode") for the P_ORGIN (or P_ORGXX) authorization object instead of full write authorizations (authorization level W or *).


These authorizations allow each user to create locked data records, change locked data records, and relock unlocked data records. In addition, each user can unlock data as long as he or she is not the last person to have changed the locked data. Neither user can delete data.

New data is created by user A (or user B) and locked by user B (or user A).

To change existing data: user A (or user B) locks and changes the data and user B (or user A) unlocks the data.

Another user must be consulted to delete existing data.
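To make the two variants concrete, the following is an added model (not SAP code and not from this handbook) of the authorization levels named above, W/*, R, M, E, D and S, applied to two constructed users "A" and "B" and a constructed record that carries a lock indicator and the name of the user who last changed it. It replays the asymmetrical workflow (A records, B approves) and the symmetrical one (either user may unlock what the other last changed, neither may delete); the helper names are the example's own.

```python
"""Authorization-level model for the double verification principle on P_ORGIN/P_ORGXX.

Added illustration, not SAP code: it encodes the rules the lesson states for the
AUTHC values W/*, R, M, E, D and S and replays the asymmetrical and symmetrical
workflows with two constructed users "A" and "B".
"""
from dataclasses import dataclass
from typing import Optional, Set

WRITE_ACTIONS = ("create", "change", "delete")


@dataclass
class Record:
    """An infotype record: its lock indicator and who last changed it (constructed)."""
    locked: bool
    last_changed_by: Optional[str] = None


def is_allowed(levels: Set[str], action: str, user: str,
               record: Optional[Record] = None, locked: bool = True) -> bool:
    """True if a user holding the AUTHC values `levels` may perform `action`.

    `record` is the existing record for change/delete/lock/unlock;
    `locked` is the lock indicator of a record about to be created.
    """
    needs_record = action in ("change", "delete", "lock", "unlock")
    if needs_record and record is None:
        raise ValueError("an existing record is required for %s" % action)
    target_locked = record.locked if needs_record else locked

    if "*" in levels:                                   # full authorization
        return True
    if action == "read":
        return "R" in levels
    if action == "matchcode":
        return "M" in levels
    if "W" in levels and action in WRITE_ACTIONS:       # full write, lock state irrelevant
        return True
    # E ("enqueue"): create, change or delete locked records only
    if "E" in levels and action in WRITE_ACTIONS and target_locked:
        return True
    # D ("dequeue"): only unlock locked records or lock unlocked records
    if "D" in levels and (
        (action == "unlock" and record.locked) or (action == "lock" and not record.locked)
    ):
        return True
    # S ("symmetrical"): create/change locked records, relock unlocked records,
    # unlock only if not the last person to have changed the record; never delete
    if "S" in levels:
        if action in ("create", "change") and target_locked:
            return True
        if action == "lock" and not record.locked:
            return True
        if action == "unlock" and record.locked and record.last_changed_by != user:
            return True
    return False


def asymmetric_workflow():
    """User A (E, R, M) records, user B (D, R, M) approves."""
    a, b = {"E", "R", "M"}, {"D", "R", "M"}
    new = Record(locked=True, last_changed_by="A")      # created locked by A
    return {
        "a_creates_locked": is_allowed(a, "create", "A", locked=True),
        "a_creates_unlocked": is_allowed(a, "create", "A", locked=False),
        "a_unlocks_own": is_allowed(a, "unlock", "A", new),
        "b_changes": is_allowed(b, "change", "B", new),
        "b_unlocks": is_allowed(b, "unlock", "B", new),
        "b_relocks": is_allowed(b, "lock", "B", Record(locked=False, last_changed_by="A")),
    }


def symmetric_workflow():
    """Both users hold S, R, M: whoever did not make the last change may unlock."""
    s = {"S", "R", "M"}
    new = Record(locked=True, last_changed_by="A")
    return {
        "a_unlocks_own": is_allowed(s, "unlock", "A", new),
        "b_unlocks": is_allowed(s, "unlock", "B", new),
        "a_deletes": is_allowed(s, "delete", "A", new),
        "b_relocks": is_allowed(s, "lock", "B", Record(locked=False, last_changed_by="A")),
    }


if __name__ == "__main__":
    print("asymmetrical:", asymmetric_workflow())
    print("symmetrical: ", symmetric_workflow())
```

The point the model makes visible is that neither variant relies on anyone holding W: the separation of duties comes entirely from which lock transitions each AUTHC value permits, so a role review only has to look for W or * on the infotypes that are meant to be under double verification.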

Example: Double Verification Principle

Figure 22: Example: Double Verification Principle

You want to ensure that the Additional Payments infotype (0015) can only be edited by two administrators together. To achieve this, you want to set up the asymmetrical double verification principle where one of the administrators is responsible for recording the data and the other administrator for controlling the process.

The administrator responsible for recording the data requires the authorization for the P_ORGIN authorization object shown in the top-left graphic. The administrator responsible for controlling the data requires the authorization in the right graphic.


Exercise 4: Double Verification Principle

Exercise Objectives

After completing this exercise, you will be able to:

• Assign authorization for the Basic Pay infotype according to the double verification principle

Business Example

The personnel administrators in your company should be able to store new records of infotype 0008 in the system as locked records only. The head of the HR department checks the correctness of the entered data and activates the data by removing the lock indicator.

Task

In the double verification principle, we differentiate between two procedures: the symmetrical double verification procedure and the asymmetrical double verification procedure. Which procedure should you use here?

Answer:

1. The asymmetrical procedure.

Fill in the blanks to complete the sentence.

2. In your role PA_HR-ADMINISTRATOR-##, maintain the authorizations for the object HR: Master data.

Hint: Remove infotype 0008 from the authorization you created in the first exercise of this unit.

Create an appropriate authorization for the Basic Pay infotype (0008).

3. Then log on to the system with the user PATEL-## (## = group number). Create a new record for the Basic Pay infotype with a valid-from date as of the following calendar month for employee Elina Lopez, personnel number 250995##, by copying the existing record. Store the E04 pay scale group in the new record for the employee.


Result

Hint: When you save the new record of the Basic Pay infotype, the system displays the maintenance screen of the Monitoring of Tasks infotype (0019) with the task type Pers. Interview. This is due to a dynamic action that is triggered by the lock indicator. Save this infotype.


Solution 4: Double Verification Principle

Task

In the double verification principle, we differentiate between two procedures: the symmetrical double verification procedure and the asymmetrical double verification procedure. Which procedure should you use here?

Answer:

1. The asymmetrical procedure.

Answer: asymmetrical

2. In your role PA_HR-ADMINISTRATOR-##, maintain the authorizations for the object HR: Master data.

Hint: Remove infotype 0008 from the authorization you created in the first exercise of this unit.

Create an appropriate authorization for the Basic Pay infotype (0008).

a) You must add an authorization to the authorization object HR: Master data. Therefore, choose Manual entry of authorization objects and on the next screen, enter P_ORGIN in the Authorization object field.

Maintain the fields of the authorization:

Field Name             Values
Authorization level    E, M, R
Infotype               0008
Personnel area         CABB
Employee group         1
Employee subgroup      *
Subtype                *
Organizational key     *


3. Then log on to the system with the user PATEL-## (## = group number). Create a new record for the Basic Pay infotype with a valid-from date as of the following calendar month for employee Elina Lopez, personnel number 250995##, by copying the existing record. Store the E04 pay scale group in the new record for the employee.

a) SAP Menu:

Human Resources → Personnel Management → Administration → HR Master Data → Maintain (PA30)

Enter 250995## in the Personnel Number field and 0008 in the Infotype field. Now choose Copy. On the infotype screen, enter the first day of the next month in the Start field. Change the contents of the Group field to E04 and save the infotype record.

Result

Hint: When you save the new record of the Basic Pay infotype, the system displays the maintenance screen of the Monitoring of Tasks infotype (0019) with the task type Pers. Interview. This is due to a dynamic action that is triggered by the lock indicator. Save this infotype.


Lesson Summary

You should now be able to:

• Specify authorizations for certain infotypes so that two employees are always required for data entry. One employee maintains the data and the other employee checks the correctness of the data entered.


Unit Summary

You should now be able to:

• Create an administrator's authorizations for the HR master data of the employees in the administrator's area of responsibility.
• Configure the administrator's authorizations for accessing his or her own data separately
• Describe the function of the authorization main switch
• Set up an administrator's authorizations for applicant infotypes.
• Set up authorizations for the data objects and infotypes in the Personnel Planning components.
• Create authorizations for HR transactions that do not have their own authorization object
• Set up the authorization for access to cluster data in the PCLx HR database tables.
• Create a customer-specific authorization object so that you can use additional fields of the Organizational Assignment infotype in the authorization check
• Specify authorizations for certain infotypes so that two employees are always required for data entry. One employee maintains the data and the other employee checks the correctness of the data entered.


Test Your Knowledge

1. The authorization check for the object HR: Master Data - Personnel Number Check is performed as a rule.
Determine whether this statement is true or false.

True / False

2. The master data authorization check differentiates between an alternative and an additional version. Which of the statements apply to the additional check?
Choose the correct answer(s).

A A check is performed on the authorizations for the objects HR: Master Data and HR: Personnel Number Check.

B A check is performed on the authorizations for the objects HR: Master Data or HR: Master Data - Extended Check.

C First, a check is performed on the authorizations for HR: Master data. If the result of this check is positive, a further check is performed based on HR: Master Data - Extended Check.

D In the case of the additional master data authorization check, the age of the user is checked as well.

3. The check on the object HR: Applicants can be deactivated in the authorization main switch.
Determine whether this statement is true or false.

True / False

4. The check for the Personnel Planning object can be deactivated in the authorization main switch.
Determine whether this statement is true or false.

True / False

5. No manual changes should be made to the authorization for the object: HR Transaction Codes.
Determine whether this statement is true or false.

True / False


6. To access payroll results, do you require authorization for the object HR: Clusters?

7. You can add fields from any infotypes to a customer-specific authorization object.
Determine whether this statement is true or false.

True / False

8. Which of the statements are true for the double verification principle?
Choose the correct answer(s).

A In this procedure, two users are always required to be able to enter or change data of an infotype.

B The double verification principle compensates for an oversight by a user.

C The double verification principle has a symmetrical and an asymmetrical version.


Answers

1. The authorization check for the object HR: Master Data - Personnel Number Check is performed as a rule.

Answer: False

The check is only performed for the personnel number that is assigned to the user in infotype 0105 subtype 0001.

2. The master data authorization check differentiates between an alternative and an additional version. Which of the statements apply to the additional check?

Answer: C

Additional means that the switches ORGIN and ORGXX in the main authorization switch are set to 1. Then, the authorizations for both objects are checked.

3. The check on the object HR: Applicants can be deactivated in the authorization main switch.

Answer: False

The check on this object cannot be deactivated in the authorization main switch because no such switch exists.

4. The check for the Personnel Planning object can be deactivated in the authorization main switch.

Answer: False

The check for this object cannot be deactivated in the authorization main switch with the switch ORGPD. The switch ORGPD lets you control whether the structural authorization checks are to be performed in Personnel Administration.

5. No manual changes should be made to the authorization for the object: HR Transaction Codes.

Answer: True

You maintain this authorization using the Profile Generator. When you add HR transactions to the menu, the transaction codes are automatically entered in the authorization.


6. To access payroll results, do you require authorization for the object HR: Clusters?

Answer: Yes.

7. You can add fields from any infotypes to a customer-specific authorization object.

Answer: False

You can only add fields from the Organizational Assignment infotype (0001) to a customer-specific authorization object.

8. Which of the statements are true for the double verification principle?

Answer: A, C

Symmetrical double verification means that the two users have the same authorizations, while with asymmetrical double verification, one user may only enter data but not check it.


Unit 3: Indirect Role Assignment

Unit Overview

In the previous unit, the role was assigned to the user directly. Now, roles are linked with objects in Organizational Management. This simplifies and automates user maintenance when an employee changes position.

Unit Objectives

After completing this unit, you will be able to:

• Assign roles indirectly in Organizational Management
• Compare indirect user assignment

Unit Contents

Lesson: Indirect Role Assignment ......................... 70
Exercise 5: Indirect Role Assignment ..................... 77


Lesson: Indirect Role Assignment

Lesson Overview

Indirect assignment of roles and comparison of user assignments

Lesson Objectives

After completing this lesson, you will be able to:

• Assign roles indirectly in Organizational Management
• Compare indirect user assignment

Business Example

You want to simplify authorization administration in your company by setting up a link with objects in HR Organizational Management.

Authorizations in Organizational Management

• Problem:

  • Maintaining direct role assignments to users can be very time consuming for large implementations.

  • If users in the company change department or function, you have to adjust their authorizations.

• Solution:

  • Create roles on the basis of organizational objects, for example positions in your company such as sales executive, accountant, secretary, and so on.

  • Assign roles to your organizational plan. Users then inherit the authorizations according to their position in the organizational plan.

Indirect role assignment means that you do not assign the role to one or multiple users directly in transaction SU01, SU10, or PFCG. Instead, you link the role using HR-ORG to an organizational unit, job, position, and so on. This has the following advantages:

Replacement and Change

• If you assign roles to individual users directly, you have to adjust this assignment each time an employee's responsibilities change.

• However, if you base the assignment on positions, you do not have to adjust the agent assignment of roles.

Time-Dependent Planning for Reorganizations


• SAP Organizational Management enables you to plan and activate the validity and assignment of organizational objects according to the time frame available. You must schedule the program for updating user master records to ensure the profiles can be added or deleted in accordance with the changes to the organizational plan.

Figure 23: Comparing the User Master

For users to be authorized to execute the transactions contained in the menu tree of their role, their user master record must contain the profile for the corresponding roles.

You can start the user compare from role maintenance (User tab page, then choose User compare). As a result of the comparison, the role and the generated profile are entered in the user master record.

Caution: Never enter generated profiles directly into the user master record (using transaction SU01, for example). During automatic user compare (by report PFCG_TIME_DEPENDENCY, for example), generated profiles are removed from user masters if they do not belong to the roles assigned to the user.

If you assign roles to users for a limited period of time only, you must perform a comparison at the beginning and at the end of the validity period. It is recommended that you schedule the background job PFCG_TIME_DEPENDENCY in such cases.


User Assignment View

Figure 24: User Assignment View (Role)

To be able to assign components to your organizational plan, you must call role maintenance (PFCG) and choose Goto → Settings, then Overall View.

Choose Org. Management to access maintenance mode for Role: Change User Assignment. The "indirect user assignments" that have already been maintained are displayed here.

If, when you are creating an assignment, you select the agent type Position, you can assign users to a role using positions. One of the following prerequisites must be fulfilled:

1. The position is related with a person (P) whose user is entered in infotype 0105 Communication.

2. The position is related with a user (US).

You can define the following relationships by choosing Create assignment:

Role → Organizational unit/position/user/job/work center/person.


Figure 25: Comparing Indirect User Assignment

If you choose Indirect user assignment reconciliation, the system reconciles the positions and the users assigned. Users that were newly added are entered, and user assignments that are no longer current are deleted.

During the reconciliation process, the users assigned on the basis of positions are entered as "indirect user assignments" for the role.

Since assignments in Organizational Management are time-dependent, you must take this time dependency into account when you assign users. This occurs during the reconciliation process, when the relationship period is copied from Organizational Management for the indirect user assignments.

The status display of the button Org. Management indicates whether or not you have to update the indirect user assignments:

• Green: User assignments are up to date

• Red: User assignments are not up to date; the indirectly assigned users are not displayed in full on the tab page

If you run a user master compare (see next slide), the indirect user assignment is automatically reconciled. The same applies if you run the PFCG_TIME_DEPENDENCY report.


Comparing Indirect User Assignment

Figure 26: Comparing the User Master

If you change the users assigned to the role or generate an appropriate authorization profile, you must compare the user masters (choose User compare). In this process, the system compares the authorization profiles with the user master records. This means that profiles that are no longer up to date are removed from the user master records, and the up-to-date profiles are entered in the user master records.

Figure 27: Comparing User Master Records


You can specify a time limit when you assign roles to user master records. You cannot specify a time restriction for authorization profiles and their entries in the user master record.

To ensure that only the authorization profiles valid for a specific day are included in the user master record, you must perform a daily comparison. When you start report RHAUTUPD_NEW, a complete comparison of the user master records takes place for all roles. The authorizations in the user master records are updated. The profiles with invalid user assignments are removed from the user master record. The authorization profiles for valid user assignments for the role are entered.

There are two ways to run the comparison:

1. If report PFCG_TIME_DEPENDENCY runs nightly as a background job, the authorization profiles in the user master record are up to date every morning (if the job runs without errors).

2. Use transaction PFUD, User Master Data Reconciliation. As administrator, you should run the transaction regularly for control purposes. This gives you the opportunity to manually correct any errors that occurred in the background.

You can specify whether HR Organizational Management should be included in the reconciliation (Reconcile with HR Organizational Management).
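The daily comparison described above, as an added Python model rather than the PFCG_TIME_DEPENDENCY, RHAUTUPD_NEW or PFUD code. Users, roles, validity periods and the generated profile names (T-PAMGR01, T-PAMGR02, T-DIRECT) are constructed for the example. T-DIRECT stands for a generated profile typed straight into the user master without a role behind it, and the run shows it being removed, which is the behaviour the caution earlier in this lesson warns about.

```python
"""Time-dependent user master comparison, modelled after this lesson.

Added example, not the PFCG/PFUD implementation: the generated profile of a
role belongs in the user master only while the user's assignment to that role
is valid on the comparison date; profiles whose assignment has expired, or
that were entered directly without any role, are removed. Users, roles and
profile names are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class RoleAssignment:
    user: str
    role: str
    profile: str      # generated profile of the role (constructed name)
    valid_from: date
    valid_to: date


def reconcile(user_profiles: Dict[str, Set[str]],
              assignments: Iterable[RoleAssignment],
              today: date) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per user: (profiles to enter, profiles to remove) for the given day."""
    wanted: Dict[str, Set[str]] = {user: set() for user in user_profiles}
    for a in assignments:
        if a.valid_from <= today <= a.valid_to:
            wanted.setdefault(a.user, set()).add(a.profile)
    changes = {}
    for user, want in wanted.items():
        have = user_profiles.get(user, set())
        changes[user] = (want - have, have - want)
    return changes


def apply_changes(user_profiles, changes):
    """Return a copy of the user master with the add/remove sets applied."""
    updated = {user: set(profiles) for user, profiles in user_profiles.items()}
    for user, (to_add, to_remove) in changes.items():
        current = updated.setdefault(user, set())
        current |= to_add
        current -= to_remove
    return updated


# Constructed sample. HR940-01 holds the manager profile through a role, plus a
# generated profile T-DIRECT that was typed into SU01 without any role behind it.
USER_MASTER = {"HR940-01": {"T-PAMGR01", "T-DIRECT"}, "HR940-02": set()}
ASSIGNMENTS = [
    RoleAssignment("HR940-01", "PA_HR-MANAGER-01", "T-PAMGR01",
                   date(2003, 1, 1), date(2003, 12, 31)),
    RoleAssignment("HR940-02", "PA_HR-MANAGER-02", "T-PAMGR02",
                   date(2003, 7, 1), date(9999, 12, 31)),
]


def compare_on(today_iso: str) -> Dict[str, Set[str]]:
    """Run the comparison for one day (ISO date) and return the new user master."""
    today = date.fromisoformat(today_iso)
    return apply_changes(USER_MASTER, reconcile(USER_MASTER, ASSIGNMENTS, today))


if __name__ == "__main__":
    for day in ("2003-06-15", "2003-07-15", "2004-01-05"):
        print(day, compare_on(day))
```

Running it for three days shows why the comparison has to be daily: on 2003-06-15 only the direct entry is removed, on 2003-07-15 the second user's profile appears because the assignment has started, and on 2004-01-05 the first user's profile disappears because the assignment expired, even though nothing in the role itself changed.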


Exercise 5: Indirect Role Assignment

Exercise Objectives

After completing this exercise, you will be able to:

• Relate a role with a position
• Compare an indirect user assignment
• Compare user master records

Business Example

You want to simplify authorization administration by linking roles with objects in Organizational Management.

Task 1

Copy the SAP_HR_PA_HR-MANAGER role as PA_HR-MANAGER (## = group number).

1. Choose the complete view for the maintenance view of the role.

2. In your role, maintain the authorization for the HR: Master Data object. Assign read authorization for all infotypes and subtypes in personnel area CABB and activate the authorization profile.

3. Assign the role to position ##HR Dir and run the indirect user assignment reconciliation.

Task 2

Do the following exercise:

1. Assign your own user HR940-## to your role and save the role without running a user compare.

Task 3

Do the following exercise:

1. Now run the user master compare using the User Master Data Reconciliation transaction (PFUD). Check whether the role has been entered in your user.


Solution 5: Indirect Role Assignment

Task 1

Copy the SAP_HR_PA_HR-MANAGER role as PA_HR-MANAGER (## = group number).

1. Choose the complete view for the maintenance view of the role.

a) SAP Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (PFCG)

In the Role field enter SAP_HR_PA_HR-MANAGER and choose Copy. On the next screen, in the To Role field, enter the name of your new role: PA_HR-MANAGER-##. Then choose Copy all.

Menu: Goto → Settings

On the next screen, choose Overall View.

2. In your role, maintain the authorization for the HR: Master Data object. Assign read authorization for all infotypes and subtypes in personnel area CABB and activate the authorization profile.

a) On the Authorizations tab page, select Change Authorization Data. Maintain the fields of the authorization HR: Master Data:

Field Name             Values
Authorization level    R
Infotype               *
Personnel area         CABB
Employee group         *
Employee subgroup      *
Subtype                *
Organizational key     *


3. Assign the role to position ##HR Dir and run the indirect user assignment reconciliation.

a) On the User tab page, choose Org. Management.

In the Role: Change User Assignment screen, choose Create Assignment.

The Choose agent type dialog box appears. Select the agent type Position.

In the next dialog box, Choose Position, enter the search term ##HR Dir*. Create the relationship with the period the system suggests.

Now choose Indirect user assignment reconciliation.

Task 2

Do the following exercise:

1. Assign your own user HR940-## to your role and save the role without running a user compare.

a) On the User tab page, enter HR940-## in the User ID field. Save the role without running a user compare.

Task 3

Do the following exercise:

1. Now run the user master compare using the User Master Data Reconciliation transaction (PFUD). Check whether the role has been entered in your user.

a) SAP Menu:

Tools → Administration → User Maintenance → Role Administration → User Master Data Reconciliation (PFUD)

In the Role field, enter PA_HR-MANAGER-## and choose Execute.

Check your user HR940-##. You should now find the role and its associated profile entered in your user.


Lesson Summary

You should now be able to:

• Assign roles indirectly in Organizational Management
• Compare indirect user assignment


Unit Summary

You should now be able to:

• Assign roles indirectly in Organizational Management
• Compare indirect user assignment


Test Your Knowledge

1. What are the advantages of relating a role with a position?


Answers

1. What are the advantages of relating a role with a position?

Answer: Users then inherit the authorizations according to their position in the organizational plan.


Unit 4: Determining the Period of Responsibility

Unit Overview

This unit explains how an administrator's period of responsibility is determined and then linked with the access mode and the validity period of the required data record by the system (time logic) to grant or deny access.

Unit Objectives

After completing this unit, you will be able to:

• Explain how a user's period of responsibility is determined in the general authorization check

• Explain time logic.

Unit Contents

Lesson: The Period of Responsibility ..................... 86
Lesson: Time Logic ....................................... 92


Lesson: The Period of Responsibility

Lesson Overview

A user has authorization to access personnel data in the period of responsibility.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain how a user's period of responsibility is determined in the general authorization check

Business Example

In your company, employees often move from one area of the company to another because of organizational reassignments. This often means that the personnel officer responsible for the employee in the HR department may change too.

Period of Responsibility and Time Logic

Figure 28: Period of Responsibility and Time Logic

The validity period of a data record may lie only partly within a user's period of responsibility. For this reason, there is a time logic, which then decides on the authorization.


Determining the Period of Responsibility

Figure 29: Determining the Period of Responsibility (1)

Determination Process: First the system reads the organizational assignment of the personnel number (data records of the 0001 infotype).

Then an authorization check is performed for P_ORGIN for each organizational assignment (data record of infotype 0001):

1. for 01/01/2000 – 12/31/2000:

On the basis of the authorization in the profile, the authorization check is successful. The period lies within the period of responsibility.

2. for 01/01/2001 – 12/31/2001:

The authorization does not permit access to PERSA = US01. The authorization check is unsuccessful and the period does not lie within the period of responsibility.

3. for 01.01.2002 – 31.12.9999:

On the basis of the authorization, the authorization check is successful. The period lies within the period of responsibility.


Figure 30: Determining the Period of Responsibility (2)

When all the organizational assignments of the personnel number have been evaluated, the period of responsibility is returned. If the period of responsibility is empty, "not authorized" is returned as the result. Otherwise, the result is "authorized".

In this example, the period of responsibility consists of the periods 01/01/2000 to 12/31/2000 and 01/01/2002 to 12/31/9999.
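The determination process above, as an added Python example that is neither course material nor SAP code: it runs a simplified P_ORGIN check against each infotype 0001 record and collects the validity periods of the records that pass. The page names only personnel area US01; the DE01 area, the employee group/subgroup values and the organizational keys are constructed to complete the scenario, SAP value ranges are not modelled, and the coalescing of adjacent intervals is an editorial simplification.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# P_ORGIN fields that describe the organizational assignment of the employee:
# personnel area, employee group, employee subgroup, organizational key.
ORG_FIELDS = ("PERSA", "PERSG", "PERSK", "VDSK1")
HIGH_DATE = date(9999, 12, 31)


@dataclass(frozen=True)
class OrgAssignment:
    """One infotype 0001 record: validity period plus organizational fields."""
    begda: date
    endda: date
    fields: dict


def auth_covers(auth: dict, record: OrgAssignment) -> bool:
    """A single P_ORGIN authorization passes only if it covers every field.
    '*' is the full-authorization wildcard; otherwise explicit values are listed."""
    return all("*" in auth.get(f, ()) or record.fields.get(f) in auth.get(f, ())
               for f in ORG_FIELDS)


def check_p_orgin(auths: list, record: OrgAssignment) -> bool:
    """The check succeeds if at least one of the user's authorizations covers
    the record; field values are never combined across two authorizations."""
    return any(auth_covers(a, record) for a in auths)


def period_of_responsibility(it0001: list, auths: list) -> list:
    """Run P_ORGIN against every infotype 0001 record and return the period of
    responsibility as (begda, endda) intervals. Gaps are records that failed.
    Adjacent passing records are coalesced (editorial simplification)."""
    periods = []
    for rec in sorted(it0001, key=lambda r: r.begda):
        if not check_p_orgin(auths, rec):
            continue
        last_end = periods[-1][1] if periods else None
        if last_end and last_end != HIGH_DATE and last_end + timedelta(days=1) == rec.begda:
            periods[-1] = (periods[-1][0], rec.endda)
        else:
            periods.append((rec.begda, rec.endda))
    return periods


def is_authorized(periods: list) -> bool:
    """An empty period of responsibility means 'not authorized'."""
    return bool(periods)


# Constructed infotype 0001 history for the course scenario: the employee is in
# personnel area US01 during 2001; DE01 and the other values are assumptions.
EMPLOYEE_IT0001 = [
    OrgAssignment(date(2000, 1, 1), date(2000, 12, 31),
                  {"PERSA": "DE01", "PERSG": "1", "PERSK": "DU", "VDSK1": "DE01HR"}),
    OrgAssignment(date(2001, 1, 1), date(2001, 12, 31),
                  {"PERSA": "US01", "PERSG": "1", "PERSK": "U1", "VDSK1": "US01HR"}),
    OrgAssignment(date(2002, 1, 1), HIGH_DATE,
                  {"PERSA": "DE01", "PERSG": "1", "PERSK": "DU", "VDSK1": "DE01HR"}),
]

# The administrator's profile: one P_ORGIN authorization limited to PERSA DE01.
ADMIN_AUTHS = [{"PERSA": {"DE01"}, "PERSG": {"*"}, "PERSK": {"*"}, "VDSK1": {"*"}}]

if __name__ == "__main__":
    periods = period_of_responsibility(EMPLOYEE_IT0001, ADMIN_AUTHS)
    for begda, endda in periods:
        print(f"in period of responsibility: {begda:%m/%d/%Y} to {endda:%m/%d/%Y}")
    print("result:", "authorized" if is_authorized(periods) else "not authorized")
```

The point to notice is in `check_p_orgin`: a record passes only if one authorization covers all organizational fields at once, so two half-authorizations (one naming the personnel area, another naming the groups) do not add up to access.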


Tolerance Time of the Authorization Check

Figure 31: Tolerance Time of the Authorization Check

If the ADAYS authorization main switch is active, that is, if it contains a value greater than zero, the loss of authorization that an organizational reassignment would otherwise cause for the administrator currently responsible for the employee is delayed by the tolerance time. This transition period allows the administrator to make any changes that are still necessary to the employee's data after the employee has left the administrator's area of responsibility; during the transition period the administrator still has access authorization to the data.

Hint: You can make this setting with transaction OOAC (HR authorization main switches). In the standard system, ADAYS is set to 15.


Time Dependency of the Authorization Check

Figure 32: Time Dependency of the Authorization Check

If the access authorization indicator is not set for an infotype in the infotype characteristics (table T582A), an administrator already has access to the relevant infotypes on the basis of his or her authorization profile if the person concerned had, has, or will have an organizational assignment at any time that falls within the administrator's responsibility according to that profile.

If the indicator is set, the authorization check depends on the current date (system date).

The term period of responsibility is used in the following examples for the sake of simplicity: if at any given time a person has one or more organizational assignments for which the administrator is responsible on the basis of his or her authorization profile, the entire validity period of those organizational assignments is defined as the period of responsibility.


Lesson Summary

You should now be able to:

• Explain how a user's period of responsibility is determined in the general authorization check


Lesson: Time Logic

Lesson Overview

The time logic decides whether access to personnel data is permitted. In doing so, it takes the period of responsibility, the access type, and the validity period of the infotype record into account.

Lesson Objectives

After completing this lesson, you will be able to:

• Explain time logic.

Business Example

The head of the HR department wants to be informed of the details of the authorization check when there is a change of administrator.

Time Logic for Read Access

Figure 33: Time Logic for Read Access

The system first determines whether the authorization check is to be performed on a date-dependent basis. If not, the time logic check returns "authorized". If the check is date-dependent, the following steps are carried out:

The tolerance time and the end date of the period of responsibility are determined. The following results are possible:


1. If the current date (SY-DATUM) does not lie further than the tolerance time past the end date of the period of responsibility, the period 01/01/1800 to 12/31/9999 is set as the new period of responsibility.

2. If the current date lies further than the tolerance time past the end date of the period of responsibility, the period 01/01/1800 to the end date of the old period of responsibility is set as the new period of responsibility.

Finally, the check establishes whether the validity period BEGDA to ENDDA of the infotype record has a non-empty intersection with the newly defined period of responsibility, that is, whether there is at least one day that lies in both periods:

a) If the intersection is not empty, the time logic check returns "authorized".

b) If the intersection is empty, the time logic check returns "not authorized".

Time Logic for Write Access

Figure 34: Time Logic for Write Access

The following steps are carried out: If the first day of the period of responsibility coincides with the first day of the organizational assignment (the BEGDA of the first record of infotype 0001, normally the date of initial entry, that is, the hiring date), the period of responsibility is extended to begin on January 1, 1800. This is necessary so that users can write records dated before initial entry (for example, in infotype 0002, Personal Data).


If the current date is within the period of responsibility, or is after the end of a responsibility interval by no more than the tolerance time, the period January 1, 1800 to December 31, 9999 is set as the new period of responsibility.

If the current date is outside every responsibility interval and is more than the tolerance time after the end of each responsibility interval that has already ended, all responsibility intervals that lie before the current date are deleted.

The check then establishes whether the validity period BEGDA to ENDDA of the infotype record to be written lies completely within the newly defined period of responsibility:

1. If the validity period lies within the period of responsibility, the time logic check returns "authorized".

2. If the validity period does not lie within the period of responsibility, the time logic check returns "not authorized" and terminates.

Time-Dependent Examples

Figure 35: Time Dependency: Example 1

The following examples apply to this situation: An employee moves from personnel area 0001 to personnel area 0002 on January 1, 2002. Administrator A is responsible for personnel area 0001, administrator B for personnel area 0002.

Example 1:


The period of responsibility begins in the future:

If administrator B has write authorization for the corresponding infotype/subtype, this authorization is also valid for all infotype records whose validity period lies within the period of responsibility. In this example, an authorization exists for the record of infotype 0001 with the start date January 1, 2002.

A read authorization exists for all infotype records whose validity period overlaps with the period of responsibility or whose start date lies before the period of responsibility. In the example, administrator B has read authorization for both records of infotype 0008.

Figure 36: Time Dependency: Example 2

Example 2:

The period of responsibility begins before the current date. The end of the period of responsibility lies before the current date by no more than the specified tolerance time.

In this case, both write and read authorization are extended to cover every period. This means that there are no restrictions, with regard to the validity period of the corresponding infotype records, on the authorization of administrator A, who is still responsible during the tolerance time.


Figure 37: Time Dependency: Example 3

Example 3:

The period of responsibility ended in the past, and its end date plus the tolerance time also lies before the current date.

In this case, administrator A no longer has write authorization. Read authorization exists for the infotype records whose validity period overlaps with the period of responsibility. In the example, administrator A has read authorization for both records of infotype 0008.
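The read and write time logic from the start of this lesson, applied to Examples 1 to 3 above, as an added Python example that is neither the course's nor SAP's code. The hiring date, the tolerance time of 15 days and the dates of the two Basic Pay (0008) records are constructed (the course's figures are not reproduced), and where the period of responsibility has several intervals the read logic takes the latest end date as "the end date", which is an assumption.

```python
from datetime import date, timedelta

LOW_DATE = date(1800, 1, 1)
HIGH_DATE = date(9999, 12, 31)


def _add_days(d, n):
    """d + n days, clamped so that 12/31/9999 + ADAYS cannot overflow."""
    try:
        return d + timedelta(days=n)
    except OverflowError:
        return HIGH_DATE


def _overlaps(a, b):      # at least one day lies in both (begda, endda) intervals
    return a[0] <= b[1] and b[0] <= a[1]


def _contained(inner, outer):   # inner lies completely within outer
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def read_period(periods, today, adays):
    """Time logic for read access: adjusted period of responsibility.
    `periods` are the (begda, endda) intervals found by the general check.
    Assumption: with several intervals, 'the end date' is the latest one."""
    if not periods:
        return []
    end = max(e for _, e in periods)
    if today <= _add_days(end, adays):      # not more than ADAYS past the end
        return [(LOW_DATE, HIGH_DATE)]
    return [(LOW_DATE, end)]                # older data stays readable


def write_period(periods, today, adays, first_assignment_begda):
    """Time logic for write access: adjusted period of responsibility."""
    periods = sorted(periods)
    if not periods:
        return []
    # Responsibility starting with the first IT0001 record (hiring) is extended
    # back to 01/01/1800 so data dated before hiring (e.g. IT0002) can be written.
    if periods[0][0] == first_assignment_begda:
        periods[0] = (LOW_DATE, periods[0][1])
    if any(b <= today <= _add_days(e, adays) for b, e in periods):
        return [(LOW_DATE, HIGH_DATE)]
    # Today is more than ADAYS past every interval that has ended: those are
    # dropped; intervals that begin in the future remain.
    return [(b, e) for b, e in periods if today <= _add_days(e, adays)]


def may_read(record, periods, today, adays, time_dependent=True):
    """Read access for one record (begda, endda): overlap with the adjusted
    period suffices. Infotypes without the time-dependency flag in T582A
    skip the time logic. Assumes the general check has already passed."""
    if not time_dependent:
        return True
    return any(_overlaps(record, p) for p in read_period(periods, today, adays))


def may_write(record, periods, today, adays, first_begda, time_dependent=True):
    """Write access: the record must lie completely inside the adjusted period."""
    if not time_dependent:
        return True
    return any(_contained(record, p)
               for p in write_period(periods, today, adays, first_begda))


# Constructed scenario: the employee moves from personnel area 0001 to 0002 on
# 01/01/2002; administrator A is responsible for 0001, B for 0002. The hiring
# date, ADAYS = 15 and the two Basic Pay (0008) records are assumptions.
HIRED = date(1998, 4, 1)
ADAYS = 15
PERIOD_A = [(HIRED, date(2001, 12, 31))]
PERIOD_B = [(date(2002, 1, 1), HIGH_DATE)]
IT0001_NEW = (date(2002, 1, 1), HIGH_DATE)           # the new org assignment
IT0008_OLD = (date(2000, 1, 1), date(2001, 6, 30))   # first Basic Pay record
IT0008_NEW = (date(2001, 7, 1), HIGH_DATE)           # second Basic Pay record


def example_1(today=date(2001, 12, 1)):
    """B's period of responsibility begins in the future."""
    return {"write_it0001_new": may_write(IT0001_NEW, PERIOD_B, today, ADAYS, HIRED),
            "write_it0008_old": may_write(IT0008_OLD, PERIOD_B, today, ADAYS, HIRED),
            "read_it0008_old": may_read(IT0008_OLD, PERIOD_B, today, ADAYS),
            "read_it0008_new": may_read(IT0008_NEW, PERIOD_B, today, ADAYS)}


def example_2(today=date(2002, 1, 10)):
    """A's period has ended, but by less than the tolerance time."""
    return {"write_it0001_new": may_write(IT0001_NEW, PERIOD_A, today, ADAYS, HIRED),
            "read_it0008_new": may_read(IT0008_NEW, PERIOD_A, today, ADAYS)}


def example_3(today=date(2002, 3, 1)):
    """A's period ended more than the tolerance time ago."""
    return {"write_it0008_old": may_write(IT0008_OLD, PERIOD_A, today, ADAYS, HIRED),
            "read_it0008_old": may_read(IT0008_OLD, PERIOD_A, today, ADAYS),
            "read_it0008_new": may_read(IT0008_NEW, PERIOD_A, today, ADAYS),
            "read_it0001_new": may_read(IT0001_NEW, PERIOD_A, today, ADAYS)}
```

Running the three example functions shows the asymmetry worth remembering when auditing: during the tolerance time a departing administrator keeps full write access to the whole history (Example 2), and even afterwards read access to everything that overlaps the old period never expires (Example 3); only the "not before 1800" extension and the emptied write period take access away.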


Lesson Summary

You should now be able to:

• Explain time logic.


Unit Summary

You should now be able to:

• Explain how a user's period of responsibility is determined in the general authorization check
• Explain time logic.


Test Your Knowledge

1. What infotype is read to determine the period of responsibility?

2. What factors are processed by the time logic for master data access? Choose the correct answer(s).

A The user's period of responsibility
B The time of access
C The access type (read or write)
D The validity period of the infotype record


Answers

1. What infotype is read to determine the period of responsibility?

Answer: The Organizational Assignment infotype (0001).

2. What factors are processed by the time logic for master data access?

Answer: A, C, D

The time logic processes the following factors: the user's period of responsibility, the access type, and the validity period of the infotype record.


Unit 5: Authorization Objects for Payroll

Unit Overview

This unit introduces the authorization objects required to customize payroll and to manage, run, and post payroll results.

Unit Objectives

After completing this unit, you will be able to:

• Assign differentiated authorizations for administering and posting payroll results.
• Protect schemas and personnel calculation rules from unauthorized access.

Unit Contents

Lesson: Authorization Objects for Payroll
Lesson: Authorization for Schemas and Personnel Calculation Rules
Exercise 6: Authorization for Schemas and Personnel Calculation Rules


Lesson: Authorization Objects for Payroll

Lesson Overview

The authorization objects for payroll administration and for posting payroll results to Accounting.

Lesson Objectives

After completing this lesson, you will be able to:

• Assign differentiated authorizations for administering and posting payroll results.

Business Example

Your company implements HR Payroll. The employees responsible for running payroll and posting payroll results to Accounting require the relevant authorizations.

The Personnel Control Record

Figure 38: HR: Personnel Control Record

This authorization object (HR: Personnel Control Record, P_PCR) is used by the authorization check for the payroll control record. The check takes place when the control record is displayed using transaction PA03 or when the control record is maintained, in particular during maintenance from the payroll menu.


Posting Results to Accounting

Figure 39: HR: Posting Run

You can use this authorization object (HR: Posting Run, P_PYEVRUN) to control which actions are possible for posting runs.

The following entries are possible in the run type field:

• AP Posting tax/SI Austria
• PP Payroll posting
• TP Posting Third-Party Remittance
• TR Travel Expenses Posting
• ZA Payroll Evaluation South Africa


Figure 40: HR: Posting Document

You use this authorization object (HR: Posting Document, P_PYEVDOC) to protect actions on posting documents.

The Off-Cycle Workbench

Figure 41: HR: Activities in the Off-Cycle Workbench

This authorization object (HR: Activities in the Off-Cycle Workbench, P_OCWBN) is used during the authorization check for the off-cycle workbench.

Each administrator sees only the off-cycle activities that he or she is authorized to perform.


Lesson Summary

You should now be able to:

• Assign differentiated authorizations for administering and posting payroll results.


Lesson: Authorization for Schemas and Personnel Calculation Rules

Lesson Overview

Access protection for schemas and personnel calculation rules.

Lesson Objectives

After completing this lesson, you will be able to:

• Protect schemas and personnel calculation rules from unauthorized access.

Business Example

Several employees in your company have authorization for the schema and rule editors.

Authorization for Schemas and Personnel Calculation Rules

Figure 42: Authorization for Schemas and Personnel Calculation Rules

Access authorization to payroll schemas (transaction PE01) and personnel calculation rules (transaction PE02) is granted by an authorization for the object HR: Transaction Code (P_TCODE).


If change authorization is to be granted only to the employee specified in the attributes of the schema or rule as the person responsible, you must activate the field Changes Only by Person Responsible in the attributes. If this indicator is set, other employees are granted only read authorization for the schema or rule.

This attribute can only be removed by the employee responsible or by running report RPUCTF00, Change Attributes for Schemas and Personnel Calculation Rules. Because the report removes the protection, the authorization to run RPUCTF00 must itself be restricted.

Hint: The authorization objects HR: Authorization for Personnel Calculation Schemas and HR: Authorization for Personnel Calculation Rules, which are contained in the object class HR, are not used in the standard system.


Exercise 6: Authorization for Schemas and Personnel Calculation Rules

Exercise Objectives

After completing this exercise, you will be able to:

• Maintain a suitable role for payroll administrators

Business Example

The payroll administrators require a role for all activities involved in customizing and running the payroll.

Task 1
Do the following exercise:

1. Copy the HR940_PAYROLL role to the name HR940_PAYROLL-## (## = group number).

Task 2
Do the following exercise:

1. Accept the predefined authorizations of the role. Specify CABB as the company code for the organizational levels.

Task 3
Perform the following steps:

1. In your role, check the authorizations for HR: Cluster (P_PCLX). Deactivate the authorization that is not required.

2. Maintain the authorization for HR: Personnel Control Record. Assign full authorization for payroll area 60 + ##.

Task 4
Do the following exercise:

1. Then generate the authorization profile and ignore the open authorizations.

Task 5
Do the following exercise:


1. Assign your employee Sharon Whitman (user WHITMAN-##, ## = group number) to your role and perform the user compare. Then log on to the system with this user master record (password INITPASS) and test the assigned authorizations by calling the payroll control record.


Solution 6: Authorization for Schemas and Personnel Calculation Rules

Task 1
Do the following exercise:

1. Copy the HR940_PAYROLL role to the name HR940_PAYROLL-## (## = group number).

a) SAP Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (PFCG)

In the Role field, enter HR940_PAYROLL and choose Copy Role. On the next screen, in the To Role field, enter the name of your new role: HR940_PAYROLL-## (## = group number). Then choose Copy all.

Task 2
Do the following exercise:

1. Accept the predefined authorizations of the role. Specify CABB as the company code for the organizational levels.

a) Choose Change to edit your role. On the Authorizations tab page, select Change Authorization Data. On the next screen, enter CABB for the organizational level in the From Value field. Now choose Transfer.

Task 3
Perform the following steps:

1. In your role, check the authorizations for HR: Cluster (P_PCLX). Deactivate the authorization that is not required.

a) Now edit the authorizations for your role.

Open the authorization object HR: Cluster.

Deactivate the authorization with empty fields by clicking the relevant icon.


2. Maintain the authorization for HR: Personnel Control Record. Assign full authorization for payroll area 60 + ##.

a) Open the object HR: Personnel Control Record.

Maintain both fields of the authorization:

Field Name      Values
Payroll area    60 + ##
Activity        *

Task 4
Do the following exercise:

1. Then generate the authorization profile and ignore the open authorizations.

a) Choose Generate and ignore the message about open authorizations.

Task 5
Do the following exercise:

1. Assign your employee Sharon Whitman (user WHITMAN-##, ## = group number) to your role and perform the user compare. Then log on to the system with this user master record (password INITPASS) and test the assigned authorizations by calling the payroll control record.

a) On the User tab page, enter the user WHITMAN-## in the User ID field. Then choose User Compare and, on the next screen, Complete Compare to enter the role and the profile belonging to the role in the user master record.

Log on to the system.

SAP Menu:

Human Resources → Payroll → International → Tools → Control Record

In the Payroll area field, enter your payroll area 60 + ## and choose Display.


Lesson Summary

You should now be able to:

• Protect schemas and personnel calculation rules from unauthorized access.


Unit Summary

You should now be able to:

• Assign differentiated authorizations for administering and posting payroll results.
• Protect schemas and personnel calculation rules from unauthorized access.


Test Your Knowledge

1. What are the authorization objects for the payroll posting run?

2. How can you ensure that only the person authorized may change a schema or personnel calculation rule?


Answers

1. What are the authorization objects for the payroll posting run?

Answer: HR: Posting Run (P_PYEVRUN) and HR: Posting Document (P_PYEVDOC)

2. How can you ensure that only the person authorized may change a schema or personnel calculation rule?

Answer: By setting the flag Changes Only by Person Responsible in the attributes of the schema or personnel calculation rule.


Unit 6: Authorization Check for Evaluations

Unit Overview

This unit explains how the authorization check works in reporting and in which contexts the special authorization object HR: Reporting can or must be used.

Unit Objectives

After completing this unit, you will be able to:

• Describe the special features of the authorization check in Reporting
• Simplify the authorization check for reports
• Create the required authorizations for time evaluation using program RPTIME00
• Achieve improved performance for certain programs
• Create the authorization for payment medium programs in Accounting

Unit Contents

Lesson: Authorization Check in Reporting
Lesson: The Authorization Object HR: Reporting
Exercise 7: The Authorization Object HR: Reporting


Lesson: Authorization Check in Reporting

Lesson Overview

Special features of the authorization check in Reporting.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe the special features of the authorization check in Reporting

Business Example

Management in your company wants to be informed about the details of data protection in reporting.

Authorization Check: Person Authorization and Data Authorization

Figure 43: Authorization Check in Reporting

The HR logical databases are used in many reports and provide certaingeneric functions such as selection and the authorization check.

The authorization check establishes whether the user who starts theevaluation has the required authorizations for the data to be evaluated.


In reporting for HR master data, we distinguish between an authorization for persons and an authorization for data.

Figure 44: Authorization for Persons

Authorization for persons: At GET PERNR, for each employee in the selected set, the system checks whether the user has authorization for the organizational features of the employee. In the example, the administrator has authorization only for the personnel area.

During the evaluation, the system skips employees for whom no authorization exists. At the end of the evaluation, the number of employees skipped because of missing authorizations is returned.


Figure 45: Authorization for Data

Authorization for data: The system checks whether the user has authorization for all the infotypes used in the evaluation.

In this example, the user has authorization for the Personal Data infotype (0002) but not for the Addresses infotype (0006).

If the user has no authorization for an infotype, the evaluation is stopped and an error message appears.


Partial Authorization for Data

Figure 46: Partial Data Authorization (1)

In this example, the user has authorization for the Personal Data infotype (0002). For the Addresses infotype (0006), the user has authorization only for the Permanent Residence subtype (1) but not for the Temporary Residence subtype (2).

If there is no authorization for some of the data selected for a personnel number (in the example, the personnel number read by the logical database has a record of infotype 0006, subtype 2), the logical database cannot decide on its own how the report should respond. Unless the report specifies otherwise, a personnel number is skipped completely as soon as even one of its data records cannot be accessed by the user.

A report such as the one in the example, which only outputs address data, can still run with part of the data of a personnel number. In such a case, you can instruct the logical database not to skip personnel numbers. Only the data for which authorizations exist is then made available to the report; there is no way for the report to reach the data that the authorization check withheld. The setting is made in the report at the INITIALIZATION event with the statement PNP_SW_SKIP_PERNR = 'N'.

This option is available in the SAPDBPNP logical database only.
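The three behaviours described in this lesson, persons skipped at GET PERNR, an evaluation stopped for a missing infotype authorization, and the partial-data mode selected by PNP_SW_SKIP_PERNR = 'N', as an added Python simulation that is neither SAP code nor part of the course. The employees, their records and the administrator's authorizations are constructed; the person authorization is modelled as a personnel-area check only and the data authorization at infotype and subtype level only.

```python
from dataclasses import dataclass, field


class NoInfotypeAuthorization(Exception):
    """The user lacks any authorization for an infotype the report evaluates:
    the logical database stops the evaluation with an error message."""


@dataclass
class Employee:
    pernr: str
    persa: str                                   # organizational feature checked at GET PERNR
    records: list = field(default_factory=list)  # (infty, subty, payload) tuples


@dataclass
class UserAuth:
    persa: set       # authorization for persons: personnel areas, or {"*"}
    infotypes: dict  # authorization for data: {infty: set of subtypes, or {"*"}}

    def may_read(self, infty, subty=""):
        allowed = self.infotypes.get(infty, set())
        return "*" in allowed or subty in allowed


def run_evaluation(employees, infotypes_used, user, skip_pernr=True):
    """Simulates how the PNP logical database applies the authorization check.
    Returns (rows, skipped): the rows delivered to the report and the number of
    personnel numbers skipped for missing authorizations, which the logical
    database reports at the end of the run."""
    # Authorization for data: every infotype the report uses must be authorized
    # at least partially, otherwise the evaluation does not run at all.
    for infty in infotypes_used:
        if not user.infotypes.get(infty):
            raise NoInfotypeAuthorization(f"no authorization for infotype {infty}")

    rows, skipped = [], 0
    for emp in employees:
        # Authorization for persons, checked at GET PERNR.
        if "*" not in user.persa and emp.persa not in user.persa:
            skipped += 1
            continue
        wanted = [r for r in emp.records if r[0] in infotypes_used]
        unreadable = [r for r in wanted if not user.may_read(r[0], r[1])]
        if unreadable and skip_pernr:
            # Default: one unreadable record hides the whole personnel number.
            skipped += 1
            continue
        # PNP_SW_SKIP_PERNR = 'N': deliver only the records the user may read;
        # the withheld records are not reachable by the report at all.
        rows.extend((emp.pernr,) + r for r in wanted if r not in unreadable)
    return rows, skipped


# Constructed sample data: an address list reading Personal Data (0002) and
# Addresses (0006); one employee also has a Temporary Residence (subtype 2).
EMPLOYEES = [
    Employee("00001001", "DE01", [("0002", "", "Anna Adler"),
                                  ("0006", "1", "Main St 1, Berlin")]),
    Employee("00001002", "DE01", [("0002", "", "Ben Berg"),
                                  ("0006", "1", "Park Ave 2, Munich"),
                                  ("0006", "2", "Hotel Sun, room 12")]),
    Employee("00001003", "US01", [("0002", "", "Cara Cole"),
                                  ("0006", "1", "5th Ave 5, New York")]),
]
REPORT_INFOTYPES = ("0002", "0006")
# Administrator for personnel area DE01 with IT0002 and only IT0006 subtype 1.
ADMIN = UserAuth(persa={"DE01"}, infotypes={"0002": {"*"}, "0006": {"1"}})

if __name__ == "__main__":
    print("default (skip pernr):", run_evaluation(EMPLOYEES, REPORT_INFOTYPES, ADMIN))
    print("PNP_SW_SKIP_PERNR = N:", run_evaluation(EMPLOYEES, REPORT_INFOTYPES, ADMIN, skip_pernr=False))
```

With the default setting the second employee disappears from the list entirely because of one unreadable subtype-2 record; with `skip_pernr=False` the report receives that employee's permanent address and nothing else, which is the behaviour the page describes for PNP_SW_SKIP_PERNR = 'N'.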


Figure 47: Partial Data Authorization (2)

A report that runs evaluations by personnel number generally works best if it can read all the data requested for the personnel number concerned.

However, it can happen that an evaluation would be possible for a certain selection period but not for a longer one. Normally, the logical database always selects all data records of an infotype and checks the authorization for all of them. If you want the system to read and check only the records of the selection period, use the RP_SET_DATA_INTERVAL macro at START-OF-SELECTION.


Lesson Summary

You should now be able to:

• Describe the special features of the authorization check in Reporting


Lesson: The Authorization Object HR: Reporting

Lesson Overview

Simplified authorization check and enhanced performance with the authorization object HR: Reporting.

Lesson Objectives

After completing this lesson, you will be able to:

• Simplify the authorization check for reports
• Create the required authorizations for time evaluation using program RPTIME00
• Achieve improved performance for certain programs
• Create the authorization for payment medium programs in Accounting

Business Example

You want to simplify the authorization check for selected HR reports.

The Authorization Object HR: Reporting

Figure 48: HR: Reporting

You can use authorizations for this object (HR: Reporting, P_ABAP) to control how the objects P_ORGIN, P_ORGXX and the customer-specific authorization object P_NNNNN are used in the specified reports to check the authorization for HR infotypes. You can thereby control the infotype authorization check per report. This can be useful for functional reasons or to improve performance (for example, of the payroll run) at runtime of the reports concerned.

For this object, enter one or more report names (REPID field) and the degree of simplification (COARS field) that the check is to use for the reports concerned.

If you regard certain HR reports (telephone lists and so on) as uncritical with regard to access protection, enter those reports in the Report name field and * in the Degree of simplification field. The effect is that no checks other than the check on the object S_PROGRAM (ABAP: Program Flow Checks) are performed for these reports.

Hint: Note that a P_ABAP authorization for report SAPDBPNP with COARS = 2 means that none of the HR reports based on the PNP logical database can perform any further authorization checks. In general, you will only want to deactivate the authorization checks for a very small number of reports. In case of doubt, do not assign your users authorizations for the P_ABAP object.

Figure 49: HR: Reporting in Time Evaluation

A time administrator should run time evaluation (Time Evaluation report, RPTIME00) for employees assigned the organizational key 0001TIMEXXX. To obtain additional information that is required internally (information the program user cannot see, or can see only partially), the system must read the Basic Pay (0008) infotype, among others, during time evaluation. To run time evaluation, the time administrator must therefore have display authorization for this infotype. However, the administrator should not have general display authorization for Basic Pay (0008). To restrict the read authorization for Basic Pay (0008) to employees with the organizational key 0001TIMEXXX and to report RPTIME00, use the authorizations shown in the graphic.

In conjunction with the RPTIME00 report, a simplified infotype authorization check is carried out: based on degree of simplification 1, one independent check is performed on infotype, subtype, and level, and another on organizational assignment (in the example represented by the Organizational key field). As a result, infotype 0008 can be read in report RPTIME00. If the check is not made in connection with this report, however, all fields of the object HR: Master Data are checked together, and this does not result in read access for the Basic Pay infotype.
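The following Python model is added here as an illustration; it is not taken from the course or from SAP. It shows how the degree of simplification changes the outcome of the infotype check for the time administrator described above. The field names (AUTHC, INFTY, SUBTY, PERSA, PERSG, PERSK, VDSK1, REPID, COARS) are those of the P_ORGIN and P_ABAP objects; the employee values, the rule that the most permissive matching P_ABAP entry wins, and checking the authorization level on both sides of the simplified check are assumptions of the model. It also includes the sanity check a defender would run over P_ABAP entries: flagging any entry that covers the logical database program SAPDBPNP, the case the hint above warns about.

```python
"""Constructed model of the HR: Reporting (P_ABAP) degree of simplification on top
of the HR: Master Data (P_ORGIN) check. Illustration only, not SAP code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MasterDataAuth:
    """One HR: Master Data authorization. A blank field value matches nothing."""
    authc: str   # authorization level, e.g. "R"
    infty: str   # infotype
    subty: str   # subtype
    persa: str   # personnel area
    persg: str   # employee group
    persk: str   # employee subgroup
    vdsk1: str   # organizational key


@dataclass(frozen=True)
class ReportingAuth:
    """One HR: Reporting authorization."""
    repid: str   # ABAP report name, may end in "*"
    coars: str   # degree of simplification: "1", "2" or "*"


@dataclass(frozen=True)
class Access:
    """What a program asks for: one level on one infotype record of one employee."""
    authc: str
    infty: str
    subty: str
    persa: str
    persg: str
    persk: str
    vdsk1: str


DATA_FIELDS = ("authc", "infty", "subty")                   # level, infotype, subtype
ORG_FIELDS = ("authc", "persa", "persg", "persk", "vdsk1")  # level, organizational assignment


def matches(pattern, value):
    """Authorization field value against a requested value; a trailing * is generic."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern != "" and pattern == value


def covers(auth, access, fields):
    return all(matches(getattr(auth, f), getattr(access, f)) for f in fields)


def degree_of_simplification(report, reporting_auths):
    """Degree from the P_ABAP entries matching the report; the most permissive wins
    when several match (modeling choice). None = no entry, i.e. the normal check."""
    found = [a.coars for a in reporting_auths if matches(a.repid, report)]
    if not found:
        return None
    return "*" if "*" in found else max(found)


def check(access, master_auths, report, reporting_auths):
    """True if the access is authorized when requested from the given report."""
    degree = degree_of_simplification(report, reporting_auths)
    if degree in ("2", "*"):
        return True   # no infotype check at all; only S_PROGRAM remains (not modeled)
    if degree == "1":
        # data side and organizational side may be covered by different authorizations
        return (any(covers(a, access, DATA_FIELDS) for a in master_auths)
                and any(covers(a, access, ORG_FIELDS) for a in master_auths))
    # normal check: every field of one single authorization must match
    return any(covers(a, access, DATA_FIELDS + ORG_FIELDS[1:]) for a in master_auths)


def audit_reporting_auths(reporting_auths):
    """Entries whose report name covers the logical database program SAPDBPNP and
    would therefore silence the check for every PNP-based report."""
    return [a for a in reporting_auths if matches(a.repid, "SAPDBPNP")]


# Time administrator from the text (constructed values): read Basic Pay (0008) in
# RPTIME00 only for employees with organizational key 0001TIMEXXX
TIME_ADMIN_MASTER = [
    MasterDataAuth("R", "0008", "*", "", "", "", ""),            # data side only
    MasterDataAuth("R", "", "", "*", "*", "*", "0001TIMEXXX"),   # org side only
]
TIME_ADMIN_REPORTING = [ReportingAuth("RPTIME00", "1")]


def read_basic_pay(vdsk1, report):
    """Read 0008 for a constructed employee with the given organizational key,
    requested from `report` ("" = no report context, e.g. dialog maintenance)."""
    acc = Access("R", "0008", "", "1000", "1", "DU", vdsk1)
    return check(acc, TIME_ADMIN_MASTER, report, TIME_ADMIN_REPORTING)
```

Call read_basic_pay with different organizational keys and report names: the same two authorizations grant the read in RPTIME00 but not outside it, because without a P_ABAP entry no single authorization covers both the infotype and the organizational assignment.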

Improved Performance

Figure 50: Improved Performance and Accounting

If the runtime of the payroll driver is very long due to the large number of personnel numbers to be processed, it makes sense to switch off the authorization check to improve performance.

Evaluations of the logged changes in infotype data are subject to infotype authorization checks. The person who starts this kind of evaluation normally has extensive infotype authorizations. In this case, it makes more sense to assign the user a global authorization using the RPUAUD00 report (Logged Changes to Information Types Data) rather than to check individual data. To do so, use an authorization for the existing object that has the value RPUAUD00 in the Report name field (REPID) and the value 2 or * in the Degree of simplification field (COARS).

The payment medium programs in Accounting process extremely sensitive person-related data. As an additional security measure, the system checks whether the user has a corresponding authorization for the existing object and checks whether the user is authorized to start the program. The name of the payment medium program must be entered in the Report Name field, and the value 2 or * must be entered in the Degree of simplification field.


Exercise 7: The Authorization Object HR: Reporting

Exercise Objectives
After completing this exercise, you will be able to:
• Create authorization for the object HR: Reporting for the payroll reports.

Business Example
In their role, payroll administrators require authorization to run all payroll reports for the employees in the CABB personnel area. They should not, however, have general authorization for infotypes.

Task
Change your role HR940_PAYROLL-## (## = group number).

1. Maintain the authorizations for the object HR: Master Data. In the first authorization, assign read access to all infotypes and their subtypes. In the second authorization, assign read access to the CABB personnel area.

2. Maintain the authorization for the object HR: Reporting. An independent check of infotype and organizational assignment should be performed for reports with the generic names RP*.

3. Then generate the authorization profile and perform the user compare. Now log on to the system with the user master record WHITMAN-## and test the assigned authorizations. Call the payroll account for the employees Josef Lutzel (personnel number 50991) and Jules Verne (personnel number 1908).


Solution 7: The Authorization Object HR: Reporting
Task
Change your role HR940_PAYROLL-## (## = group number).


1. Maintain the authorizations for the object HR: Master Data. In the first authorization, assign read access to all infotypes and their subtypes. In the second authorization, assign read access to the CABB personnel area.

a) SAP Menu:

Tools → Administration → User Maintenance → Role Administration → Roles (PFCG)

In the Role field, enter HR940_PAYROLL-## (## = group number) and choose Change.

On the Authorizations tab page, select Change Authorization Data.

Expand the Human Resources object class. Open the authorization object HR: Master Data. Maintain the fields of both authorizations:

First authorization:

Field Name             Values
Authorization level    R
Infotype               *
Personnel area
Employee group
Employee subgroup
Subtype                *
Organizational key

Second authorization:

Field Name             Values
Authorization level    R
Infotype
Personnel area         CABB
Employee group         *
Employee subgroup      *
Subtype
Organizational key     *

2. Maintain the authorization for the object HR: Reporting. An independent check of infotype and organizational assignment should be performed for reports with the generic names RP*.

a) Open the authorization object HR: Reporting. Maintain both fields of the authorization:

Field Name                                             Values
Degree of Simplification of the Authorization Check    1
ABAP Report name                                       RP*

3. Then generate the authorization profile and perform the user compare. Now log on to the system with the user master record WHITMAN-## and test the assigned authorizations. Call the payroll account for the employees Josef Lutzel (personnel number 50991) and Jules Verne (personnel number 1908).

a) Choose Generate and ignore the message about open authorizations. On the User tab page, choose User compare and Complete compare on the next screen.

Log on to the system.

SAP Menu:

Human Resources → Payroll → International → Information System → Employee → Payroll Account

Choose Execute.

Lesson Summary

You should now be able to:
• Simplify the authorization check for reports
• Create the required authorizations for time evaluation using program RPTIME00
• Achieve improved performance for certain programs
• Create the authorization for payment medium programs in Accounting

Unit Summary
You should now be able to:
• Describe the special features of the authorization check in Reporting
• Simplify the authorization check for reports
• Create the required authorizations for time evaluation using program RPTIME00
• Achieve improved performance for certain programs
• Create the authorization for payment medium programs in Accounting

Test Your Knowledge

1. Does reporting in HR require additional authorizations?

2. What program names may not be entered in the authorization for object HR: Reporting?

Answers

1. Does reporting in HR require additional authorizations?

Answer: No. The same authorization checks are performed for reporting as in dialog processing.

2. What program names may not be entered in the authorization for object HR: Reporting?

Answer: You may never enter the name of the logical database programs (e.g. SAPDBPNP) because this would switch off the authorization checks for all reports that use these logical databases.

Unit 7: Structural Authorization Checks

Unit Overview
Once the options associated with general authorizations have been discussed, there follows an explanation of how you can use structural authorizations to restrict access to the personnel data in certain substructures of an organizational unit.

Unit Objectives
After completing this unit, you will be able to:

• Explain the function of evaluation paths as the central element of the data model in the Personnel Planning components
• Explain the meaning of the fields in a structural profile
• Create structural authorization profiles and assign them to a user
• Explain how the period of responsibility is determined for the general authorization check in a structural authorization check
• Explain the intersection of general and structural authorization profiles in an overall authorization profile
• Generate user authorizations for users in an organizational plan using the RHPROFL0 report
• Generate person-related indexes for structural authorization profiles to improve the performance of the structural authorization check

Unit Contents
Lesson: The Personnel Planning Data Model ... 138
Lesson: The Definition of Structural Authorizations ... 144
Lesson: Determining the Period of Responsibility ... 152
Lesson: The Overall Authorization Profile ... 157
    Exercise 8: The Overall Authorization Profile ... 159
Lesson: Report RHPROFL0 ... 166
    Exercise 9: Report RHPROFL0 ... 171
Lesson: Indexes for Structural Authorization Profiles ... 175

Lesson: The Personnel Planning Data Model

Lesson Overview
Knowledge of the Personnel Planning data model and evaluation paths is essential for understanding structural authorization profiles.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain the function of evaluation paths as the central element of the data model in the Personnel Planning components

Business Example
Your company organizational structure is already mapped in the system. As authorization administrator, your task is to set up structural authorizations.

Data Model

Figure 51: The Data Model of the Personnel Planning Components

The example shows a section of the data model in Organizational Management. The model is based on the concept that each element in an organization is represented as an independent object with individual attributes. These objects are created and maintained individually. They are then linked to each other using relationships (see graphic) to map a network, which has the flexibility to perform personnel planning, planning forecasts, and PA reporting.

The cost center is an external object type, since it is not maintained in Organizational Management.

This data model (object types and relationships) is also the basis for other applications in Personnel Planning, such as Training and Event Management (business event hierarchies) and Personnel Development (qualifications catalog).

Figure 52: Mapping an Organizational Structure

Structural authorization profiles use the data model of the Personnel Planning components Organizational Management, Personnel Development and Training and Event Management to build hierarchies using objects and relationships. Different types of objects (object types) and different types of relationships are used in this process. The organizational structure of a company is mapped as shown in the graphic.

The central elements of this data model are used to manage the authorizations for the model effectively: objects, relationships and evaluation paths.

Evaluation Paths

Figure 53: Evaluation Paths

An evaluation path describes a chain of relationships that exists between objects in a hierarchical structure. The evaluation path O-S-P, for example, describes the relationship chain organizational unit → position → person.

Evaluation paths "collect" objects from a start object in an existing structure according to their definition: The evaluation path determines the start object and defines which object types are selected using which relationships.

The Evaluation Path O-S-P

Figure 54: Evaluation Path O-S-P (1)

One example of an evaluation path (which is a standard evaluation path of central importance for authorizations) is the path O-S-P: Along this evaluation path the system finds the positions (S) and position holders (P) assigned to a given organizational unit (O). The lower-level organizational units are processed in a similar way.

The convention A = bottom up and B = top down can be taken into account when a relationship is defined for the first time. However, this convention is not a compulsory rule.

Figure 55: Evaluation Path O-S-P (2)

This evaluation path starts selection from an organizational unit (O) that is used as the start object (the organizational unit O1 is used in the following example). The evaluation path first selects all organizational units from row 1 of the definition. The following organizational units are selected for the example structure in the graphic: O1, O4, and O5.

Second, the evaluation path starts selection from the selected organizational units according to row 2 of the definition and selects all positions: S1, S2, and S3.

Last, the evaluation path starts selection from the selected positions according to row 3 of the definition and selects all persons: P1, P2, and P3.

A combination of start object and evaluation path returns a specific number of objects from an existing structure. This exact combination, that is, the set of objects returned by this combination, represents a user's structural profile. Note that neither the number of objects nor the specific objects that are returned by a structural profile are constant, nor is this desirable. The concrete objects that are returned by a structural profile change as the organizational structure (under the start object) changes.

Lesson Summary

You should now be able to:
• Explain the function of evaluation paths as the central element of the data model in the Personnel Planning components

Lesson: The Definition of Structural Authorizations

Lesson Overview
Creating structural authorization profiles and assigning them to users.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain the meaning of the fields in a structural profile.
• Create structural authorization profiles and assign them to a user.

Business Example
The employees in managerial positions at your company require structural authorization profiles to enable them to access selected HR data of the employees in their span of control.

Defining Structural Authorizations

Figure 56: Defining Structural Authorizations

You use the Plan version field to determine the plan version to which the defined profile applies. If you use a system that integrates the Personnel Administration (PA-PA) and Organizational Structure (PA-OS) components, note that plan version 01 is generally the integrated plan version.

In the Object type field, you can specify only object types that have an eight-character key. In general, structural authorization checks are not carried out for external objects with a different key (for example, cost centers).

In the Object ID field, you enter the number of the start object if you are using evaluation paths.

You can use the processing mode to control whether a read authorization or authorization for the relevant set of objects should be assigned. This field corresponds to the MAINT field in table T77FC. All function codes that have "X" in this field can be processed.

By entering a specific evaluation path, you can determine that the user is only authorized to access objects along this evaluation path. You must also assign a root object for the structure when you use an evaluation path. This root object can either be entered directly in the Object type field or determined dynamically by a suitable function module.

Only use the Sign field if you want to create structural authorization profiles that process the structure "bottom up".

The Status Vector in Relationships

Figure 57: The Status Vector in Relationships

You use the status vector to determine which relationships are considered when the structure is created. If you define the status vector as 12, for example, all relationships that have the status active or planned are evaluated. The choice of status vector has no real effect on the status of objects. The status vector simply refers to the status of the relationships.

Display Depth

Figure 58: Display Depth

If you enter 0 as the value for the display depth, the corresponding tree is set up with no limit to its depth.

Period

Figure 59: Period

You can use this parameter to define the profile according to the validity period of the structure. The parameter has no influence on the period for which a user is authorized to access a given object. In other words, unlike the general authorization check, the structural authorization check does not return periods of responsibility. Instead, the system indicates whether or not the user has authorization for a specific object.

If you select D (current day) for example, the structural authorization is extended to include only the structures valid on the current day. If you define a structural authorization like this for a manager, the manager is authorized to access data on all persons who are currently in his or her group.

If you do not make an entry, there is no restriction by validity period of the structures. In this case, the manager is authorized to access data on former or future employees in addition to the authorization in the previous example.

For the following examples, assume the system date is February 6, 2002:

Example 1: If you enter the value D, the user is only authorized to access P2. Since the user in this case only has authorization for objects in the structure valid on February 6, 2002 and since the relationship between S1 and P1 ends before February 6, 2002, the user is not granted access to P1.

Example 2: If you enter BLANK, the user is granted access to P1 and P2.

Function Module

Figure 60: Function Module

When you define a structural authorization, you can specify a function module, which dynamically determines a root object during runtime.

In the area in which you have specified the organizational assignment to be determined dynamically, do not make an entry in the Object ID field of the structural authorization. However, make sure you enter a plan version and an object type.

The advantage of using function modules is that a user-specific profile is created by the dynamic definition of a root object at runtime. If a manager changes department, for example, the corresponding profile does not need to be changed. What is more, the number of structural authorizations can be significantly reduced by using function modules.

There are two function modules in the standard system:

• RH_GET_MANAGER_ASSIGNMENT (Determine Organizational Units for Manager). This function module determines the root object of the organizational unit to which the user is assigned by the A012 relationship (= manages). This function module works on the basis of a key date and can determine only the organizational units assigned to the user as manager on the key date or within the specified period.

• RH_GET_ORG_ASSIGNMENT (Organizational Assignment). This function module determines the organizational unit assigned to the user organizationally as the root object.

Examples of Structural Authorization Profiles

Figure 61: Examples of Structural Authorization Profiles

Example 1: Due to the user's authorization profile, he or she is authorized to access organizational units in plan version "01".

Example 2: Due to the user's authorization profile, he or she is authorized to access organizational units in plan version "01".

Example 3: Due to the user's authorization profile, he or she is authorized to access organizational units in plan version "01" from a root object (entry in the Object ID field) along the "Organizational Structure" evaluation path.

Example 4: Due to the user's authorization profile, he or she is authorized to access organizational units in the structure valid on the current day in plan version "01" from root object 200.

Example 5: Due to the user's authorization profile, he or she is authorized to access objects along the Staffing Assignments Along Organizational Structure evaluation path from a root object in plan version "01". The root object is determined in this case using the function module, that is, no entry should be made in the Object ID field. The user is then granted access authorization to the organizational unit he or she manages and to all lower-level objects along the SBESX evaluation path.

Show Authorization Views

Figure 62: Show Authorization Views

You can call the RHAUTH01 report by clicking Info. This program gives you the number of objects contained in the structural authorization and lists these objects.

Assignment of Structural Authorizations

Figure 63: Assignment of Structural Authorizations

Structural profiles are assigned in a different way to general authorization profiles. To assign structural profiles, you use table T77UA, not the Profile Generator (PFCG transaction) as with general authorization profiles.

First, the system searches at runtime for entries in table T77UA for the current user. If one or more entries exist, the set of objects is mapped according to the profile definition. The set of objects is then checked against the specific object and the action (Display or Edit). The authorization is granted only if the object to be checked exists with the necessary processing indicator in the set of objects.

Note: If table T77UA contains no entry for the current user, the above check is made in the same way for the entry SAP* in table T77UA. If still no entry exists, the authorization is denied. In the standard system, there is an entry for user SAP* with the profile ALL. This means that when you first implement the HR components, all users have complete authorization as far as structural authorization is concerned.

You can edit this table in the Implementation Guide (IMG) for Organizational Management: Basic Settings → Authorization Management → Structural Authorization → Assign Structural Authorization.
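The lookup order described in the note, as an added Python model (constructed for this text, not SAP code): a user's own T77UA entries valid on the key date are used first, the SAP* entries only if the user has none, and the authorization is denied when neither exists. The table rows, the object sets behind the profiles, and the treatment of ALL as containing every object are constructed assumptions. The audit function lists the delivered SAP*/ALL entry so that it can be removed once real profiles have been assigned.

```python
"""Constructed model of structural profile assignment through table T77UA with the
SAP* fallback described in the text. Illustration only, not SAP code."""
from datetime import date


def _d(s):
    return date.fromisoformat(s)


# Constructed T77UA rows: (user name, profile, begin, end)
T77UA = [
    ("SAP*", "ALL", _d("1900-01-01"), _d("9999-12-31")),          # delivered default entry
    ("MANAGER1", "SP01_GR01", _d("2002-01-01"), _d("9999-12-31")),
]

# Object sets the profiles return on the key date (constructed result of evaluating them)
PROFILE_OBJECTS = {"SP01_GR01": {"O30014997", "S1", "P1"}}


def profiles_for(user, key_date, table=T77UA):
    """Profiles valid on the key date for the user; the SAP* entries if the user has none."""
    key = _d(key_date)
    own = [r[1] for r in table if r[0] == user and r[2] <= key <= r[3]]
    if own:
        return own
    return [r[1] for r in table if r[0] == "SAP*" and r[2] <= key <= r[3]]


def structurally_authorized(user, obj_id, key_date, table=T77UA):
    """True if one of the user's profiles contains the object (ALL contains everything);
    with no entry for the user and none for SAP*, the authorization is denied."""
    for profile in profiles_for(user, key_date, table):
        if profile == "ALL" or obj_id in PROFILE_OBJECTS.get(profile, set()):
            return True
    return False


def audit_default_entry(table=T77UA):
    """The delivered SAP*/ALL entry gives every user without an own entry complete
    structural authorization; list it so that it is removed once real profiles exist."""
    return [r for r in table if r[0] == "SAP*" and r[1] == "ALL"]


# The same table after the default entry has been removed
HARDENED = [r for r in T77UA if r[0] != "SAP*"]
```

Note the key-date effect: before MANAGER1's own entry begins, the lookup falls back to SAP*, so with the delivered default entry still in place the user is fully authorized exactly when no real profile applies.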

Lesson Summary

You should now be able to:
• Explain the meaning of the fields in a structural profile.
• Create structural authorization profiles and assign them to a user.

Lesson: Determining the Period of Responsibility

Lesson Overview
Determine the period of responsibility for the general authorization check through the structural authorization check.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain how the period of responsibility is determined for the general authorization check in a structural authorization check.

Business Example
In your company, it often happens that the HR administrator responsible for an employee changes when the employee transfers to a new position.

Determine Period of Responsibility

Figure 64: Determine the Period of Responsibility (1)

The Period field in the definition of the structural authorization check does not influence the time logic of the general authorization check. This field is only used in structural authorizations to determine the set of objects for which authorization exists or the set of objects that is passed on to the general authorization check for further processing. The determination of the period of responsibility for the general authorization check is described in the following examples.

Example 1a:

In the structural authorization, BLANK = all is specified as the period. When evaluating the structure, the system first follows the relationships and forms intersections. The system starts with the period January 1, 1900 - December 31, 9999. After the first relationship (O1 ⇒ O2) has been evaluated, January 1, 2000 - December 31, 9999 is initially returned as the period of responsibility. The second relationship (O2 ⇒ S) returns January 1, 2000 - December 31, 2002 as the period. The last relationship (S ⇒ P) covers this period and January 1, 2000 - December 31, 2002 remains the period of responsibility. In other words, the system "arrives" at the personnel number with a full period of responsibility. Once this has been successfully checked, the validity period of the last relationship is always used as the period of responsibility, which is the period January 1, 1995 - December 31, 2005.

Example 1b:

In the structural authorization, Y = current year is specified as the period. In contrast to example 1a, the system starts with the period January 1, 2002 - December 31, 2002 to determine the period of responsibility. Since all of the relationships affected cover this period, the period January 1, 2002 - December 31, 2002 is still the intersection for personnel number P. The period of responsibility is then determined, as in example 1a, from the validity period of the last relationship, which is the period January 1, 1995 - December 31, 2005.

Figure 65: Determining the Period of Responsibility (2)

Example 2:

The personnel number is located in the organizational structure as shown in the graphic. The current date is February 6, 2002.

In the structural authorization, D = key date is specified as the period. The system starts with February 6, 2002 and cannot, therefore, move from O1 to O2. However, the system can reach P from O1 via S3. Therefore, the period of the last relationship (S3 → P) is used as the period of responsibility, which is January 1, 2001 - December 31, 2010 in this example.
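As an added worked example (constructed Python, not SAP code and not part of the course), the following model walks the O-S-P evaluation path of the earlier lesson (figure 55: O1 with O4, O5, S1 to S3 and P1 to P3) and applies the period logic of examples 1a, 1b and 2 above: the profile period is intersected with each relationship's validity on the way down, a relationship that does not cover the remaining period is not followed, and the validity of the last relationship is handed on as the period of responsibility. The relationship codes in the path definition (B002, B003, A008), the status vector handling, the validities the text does not state (the O1 ⇒ O2 and O1 ⇒ S3 relationships of example 2), and a planned unit O6 added to the figure 55 structure are assumptions.

```python
"""Constructed model of a structural authorization check: the system walks an
evaluation path from a start object, intersecting validity periods on the way,
and hands the validity of the last relationship to the general check as the
period of responsibility. Illustration only, not SAP code."""
from dataclasses import dataclass
from datetime import date

LOW, HIGH = date(1900, 1, 1), date(9999, 12, 31)


@dataclass(frozen=True)
class Rel:
    source: str        # object ID, e.g. "O1"; its first letter is the object type (model convention)
    code: str          # relationship with direction, e.g. "B002"
    target: str
    begin: date = LOW  # validity of the relationship
    end: date = HIGH
    status: str = "1"  # 1 = active, 2 = planned


# Evaluation path O-S-P as rows (source type, relationship, target type); assumed codes
O_S_P = [("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "P")]


def period_for(code, key_date):
    """Period field of the structural profile as a date interval (BLANK, D, Y modeled)."""
    if code == "":
        return LOW, HIGH                                    # BLANK = all
    if code == "D":
        return key_date, key_date                           # key date
    if code == "Y":
        return date(key_date.year, 1, 1), date(key_date.year, 12, 31)
    raise ValueError(f"period code {code!r} not modeled")


def intersect(a, b):
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def evaluate(rels, path, start, period_code, key_date, status_vector="1"):
    """Return (object -> interval carried so far, person -> period of responsibility)."""
    reached = {start: period_for(period_code, key_date)}
    responsibility = {}
    for src_type, code, tgt_type in path:
        frontier = {o: iv for o, iv in reached.items() if o[0] == src_type}
        while frontier:                        # rows like O -> O are followed recursively
            new = {}
            for obj, iv in frontier.items():
                for r in rels:
                    if (r.source, r.code) != (obj, code) or r.target[0] != tgt_type:
                        continue
                    if r.status not in status_vector or r.target in reached:
                        continue
                    cut = intersect(iv, (r.begin, r.end))
                    if cut is None:            # not valid in the remaining period: stop here
                        continue
                    reached[r.target] = new[r.target] = cut
                    if tgt_type == "P":        # validity of the last relationship is handed on
                        responsibility[r.target] = (r.begin, r.end)
            frontier = new if src_type == tgt_type else {}
    return reached, responsibility


def iso(iv):
    return iv[0].isoformat(), iv[1].isoformat()


# Figure 55 structure plus a planned (status 2) unit O6 added for the status vector
FIG55 = [Rel("O1", "B002", "O4"), Rel("O1", "B002", "O5"), Rel("O1", "B002", "O6", status="2"),
         Rel("O1", "B003", "S1"), Rel("O4", "B003", "S2"), Rel("O5", "B003", "S3"),
         Rel("S1", "A008", "P1"), Rel("S2", "A008", "P2"), Rel("S3", "A008", "P3")]

# Examples 1a/1b: chain O1 => O2 => S => P with the validities given in the text
EX1 = [Rel("O1", "B002", "O2", date(2000, 1, 1), HIGH),
       Rel("O2", "B003", "S", date(2000, 1, 1), date(2002, 12, 31)),
       Rel("S", "A008", "P", date(1995, 1, 1), date(2005, 12, 31))]

# Example 2: O1 => O2 not valid on the key date (validity constructed), O1 => S3 is
EX2 = [Rel("O1", "B002", "O2", date(2000, 1, 1), date(2001, 12, 31)),
       Rel("O1", "B003", "S3"),
       Rel("S3", "A008", "P", date(2001, 1, 1), date(2010, 12, 31))]

KEY_DATE = date(2002, 2, 6)


def structural_profile(rels=FIG55, period_code="", start="O1", status_vector="1"):
    """The set of objects a structural profile (start object + evaluation path) returns."""
    return sorted(evaluate(rels, O_S_P, start, period_code, KEY_DATE, status_vector)[0])


def period_of_responsibility(rels, period_code, person="P"):
    """ISO dates of the period handed to the general check, or None if P is not reached."""
    iv = evaluate(rels, O_S_P, "O1", period_code, KEY_DATE)[1].get(person)
    return iso(iv) if iv else None


if __name__ == "__main__":
    print(structural_profile())                    # O1, O4, O5, S1..S3, P1..P3
    print(period_of_responsibility(EX1, ""))       # example 1a
    print(period_of_responsibility(EX1, "Y"))      # example 1b
    print(period_of_responsibility(EX2, "D"))      # example 2
```

The returned period is deliberately not the intersection the traversal carried along: the intersection only decides whether the person is reached at all, which is why examples 1a and 1b end with the same period of responsibility although they start from different periods.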

Figure 66: Determining the Period of Responsibility (3)

The following periods of responsibility are determined depending on the settings of the period in the structural authorization:

BLANK (= all): 01/01/1999 - 12/31/1999 and 01/01/2003 - 12/31/2003
D (= key date): no period
M (= current month): no period
Y (= current year): no period
P (= past): 01/01/1999 - 12/31/1999
F (= future): 01/01/2003 - 12/31/2003

Lesson Summary

You should now be able to:
• Explain how the period of responsibility is determined for the general authorization check in a structural authorization check.

Lesson: The Overall Authorization Profile

Lesson Overview
The combination of all general and structural authorization checks in an overall authorization profile.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain the intersection of general and structural authorization profiles in an overall authorization profile

Business Example
Managers in your company should have authorization to access organizational objects and data of persons in their areas of responsibility.

The Two-Part Authorization Concept

Figure 67: The Two-Part Authorization Concept

If you use both structural and general authorizations, a user's overall profile is determined from the intersection of his or her structural and general authorization profiles.

The structural profile determines which objects in the organizationalstructure the user may access. The general profile determines which data(infotype, subtype) and which access mode (read, write, ...) the user hasfor these objects.

Overall Authorization Profile

Figure 68: Overall Authorization Profile

The following authorizations or restrictions apply to a user who has the overall profile shown in the graphic:

The user has read authorization for positions S1 to SN in infotypes 1000 to 1010 (structural profile and profile 2 using PLOG).

The user is not authorized to access organizational units with this profile since the user has no corresponding PLOG authorization.

The user has read authorization for persons P1 to PN in infotypes 0000 to 0007 (structural profile and profile 1 using P_ORGIN). The period of responsibility for persons is also determined accordingly.

For the user to be able to access data on persons, you need to assign the user a corresponding PLOG authorization for persons (profile 3 using PLOG). The infotype does not have to be specified.
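The following model reproduces the checks described above for the profile in the graphic. It is added here for illustration and is not taken from the course or from SAP. The object sets, the PLOG and P_ORGIN entries and the mode names ("read", "write") are constructed simplifications: the real authorization objects carry more fields (plan version, subtype, planning status, function code or authorization level), but the two-stage decision, object set first and then data and access mode, is what the overall profile means.

```python
"""Model of the two-part authorization check: a request passes only if the
object is in the structural profile AND a general authorization covers the
requested data and access mode. Added illustration, not SAP code."""
from typing import Dict, List, Set, Tuple

# Constructed structural profile (the object set) keyed by object type:
# O = organizational unit, S = position, P = person.
STRUCTURAL_PROFILE: Dict[str, Set[str]] = {
    "O": {"O1"},
    "S": {"S1", "S2", "S3"},   # positions S1 .. SN
    "P": {"P1", "P2"},         # persons P1 .. PN
}

# Constructed general profile, simplified to (object type, infotype from,
# infotype to, modes); "*" means no infotype restriction.
PLOG_AUTHS: List[Tuple[str, str, str, Set[str]]] = [
    ("S", "1000", "1010", {"read"}),   # profile 2: positions, infotypes 1000-1010
    ("P", "*", "*", {"read"}),          # profile 3: persons, no infotype given
]
P_ORGIN_AUTHS: List[Tuple[str, str, Set[str]]] = [
    ("0000", "0007", {"read"}),         # profile 1: HR master data infotypes
]


def _in_range(infty: str, lo: str, hi: str) -> bool:
    # Infotype numbers are zero-padded strings, so string order is numeric order.
    return lo == "*" or lo <= infty <= hi


def plog_allows(otype: str, infty: str, mode: str, auths=PLOG_AUTHS) -> bool:
    return any(ot == otype and _in_range(infty, lo, hi) and mode in modes
               for ot, lo, hi, modes in auths)


def p_orgin_allows(infty: str, mode: str, auths=P_ORGIN_AUTHS) -> bool:
    return any(_in_range(infty, lo, hi) and mode in modes for lo, hi, modes in auths)


def check_access(otype: str, object_id: str, infty: str, mode: str,
                 structural=STRUCTURAL_PROFILE, plog=PLOG_AUTHS,
                 p_orgin=P_ORGIN_AUTHS) -> Tuple[bool, str]:
    """Return (allowed, reason). Both halves of the concept must agree."""
    # 1. Structural check: is the object inside the user's object set at all?
    if object_id not in structural.get(otype, set()):
        return False, "object not in structural profile"
    # 2. General check: a PLOG authorization is needed for every object type ...
    if not plog_allows(otype, infty, mode, plog):
        return False, f"no PLOG authorization for object type {otype}"
    # ... and for persons P_ORGIN additionally decides infotype and mode.
    if otype == "P" and not p_orgin_allows(infty, mode, p_orgin):
        return False, "no P_ORGIN authorization for this infotype and mode"
    return True, "allowed"


if __name__ == "__main__":
    for request in [("S", "S1", "1000", "read"), ("O", "O1", "1000", "read"),
                    ("P", "P1", "0002", "read"), ("P", "P1", "0008", "read"),
                    ("P", "P9", "0002", "read")]:
        print(request, "->", check_access(*request))
```

The organizational unit O1 is in the structural profile yet is refused, because the refusal comes from the general side (no PLOG for object type O); person P9 is refused on the structural side before any general authorization is looked at; and dropping profile 3 (pass `plog=[PLOG_AUTHS[0]]`) makes every person request fail even though P_ORGIN would allow it, which is the point of the last paragraph above.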


Exercise 8: The Overall Authorization Profile

Exercise Objectives

After completing this exercise, you will be able to:

• Create structural authorization profiles using a start object
• Create structural authorization profiles using the dynamic determination of the start object
• Assign structural authorizations to a user

Business Example

The employees in managerial positions at your company should be able to view the organizational structure of the company and create new positions for their current organizational unit. In addition, they should be able to display the personnel data of the employees assigned to them.

Task 1

Create two structural authorization profiles for the current plan version 01 and object type O.

1.

a) The first profile should give the assigned users read access to the objects valid on the current day along the ORGEH evaluation path, Organizational Structure. The start object is organizational unit 30014997. Use the name SP01_GR## with the description ORGEH GR## (## = group number).

b) The second profile should give the users full access to the objects valid as of the current day along the O-S-P evaluation path, Staffing Assignment Along Organizational Structure. Determine the root object for the evaluation path using the RH_GET_MANAGER_ASSIGNMENT function module. Use the name SP02_GR## with the description O-S-P GR## (## = group number).

2. Assign your structural authorization profiles to the user HR940-## for the current calendar year.

3. Create a record in the Communication infotype (0105) with subtype System User Name SAP System (0001) for your employee 540991## (Winnie Chung). Enter your user HR940-## here.


Now you can check the structural authorizations of the manager, Winnie Chung, using your training user.

Task 2

Log on to the system again using your HR940-## user.

1. In Organizational Management, call Change General Structures.

Take a look at the staffing assignment along the organizational structure for the organizational unit 30014997 using the evaluation path O-S-P.

2. Find out where Winnie Chung can create a new position in the organizational structure.

3. In another session, call HR master data maintenance and check which personnel numbers Winnie Chung is authorized to access. Does Winnie Chung have access authorization for the data of personnel number 50994?


Solution 8: The Overall Authorization Profile

Task 1

Create two structural authorization profiles for the current plan version 01 and object type O.

1.

a) The first profile should give the assigned users read access to the objects valid on the current day along the ORGEH evaluation path, Organizational Structure. The start object is organizational unit 30014997. Use the name SP01_GR## with the description ORGEH GR## (## = group number).

b) The second profile should give the users full access to the objects valid as of the current day along the O-S-P evaluation path, Staffing Assignment Along Organizational Structure. Determine the root object for the evaluation path using the RH_GET_MANAGER_ASSIGNMENT function module. Use the name SP02_GR## with the description O-S-P GR## (## = group number).

a) SAP Menu:

Tools → AcceleratedSAP → Customizing → Edit Project

Under Edit Project, choose SAP Reference IMG.

In the Implementation Guide, choose:

Personnel Management → Organizational Management → Basic Settings → Authorization Management → Structural Authorization

Select the Maintain Structural Profiles activity. On the next screen, choose New entries, enter SP01_GR## in the Authoriz. profile field and ORGEH GR## in the Auth. profile name field. Press Enter and select the row with your entry by clicking the button beside it. In the Dialog structure window, double-click Authorization profile maintenance to select it. On the next screen, choose New entries and enter the first profile.

Profile SP01_GR##

No. 0

Plan version 01


Object type O

Object ID 30014997

Maintain

Evaluation path ORGEH

Status Vector 12

Period D

Func. module

Choose Back (F3) to return to the dialog structure for the authorization profile.

On the next screen, choose New entries, enter SP02_GR## in the Authoriz. profile field and O-S-P GR## in the Auth. profile name field. Press Enter and select the row with your entry by clicking the button to the left.

In the Dialog structure window, double-click Authorization profile maintenance to select it.

On the next screen, choose New entries and enter the second profile.

Profile SP02_GR##

No. 0

Plan version 01

Object type O

Object ID

Maintain X

Evaluation path O-S-P

Status Vector 12

Period F

Func. module RH_GET_MANAGER_ASSIGNMENT


2. Assign your structural authorization profiles to the user HR940-## for the current calendar year.

a) Select the Assign Structural Authorization activity. On the next screen, choose New entries and enter your user HR940-## in the User name field and SP01_GR## in the Auth. profile field. In the Start date and End date fields, enter the first and last day of the year. Now, perform this step for the second profile, SP02_GR##.

3. Create a record in the Communication infotype (0105) with subtype System User Name SAP System (0001) for your employee 540991## (Winnie Chung). Enter your user HR940-## here.

Now you can check the structural authorizations of the manager, Winnie Chung, using your training user.

a) SAP Menu:

Human Resources → Personnel Management → Administration → HR Master Data → Maintain (PA30)

Enter 540991## in the Personnel Number field and 0105 in the Infotype field. Choose Create and on the next screen select the subtype 0001 System User Name SAP System. In the ID/Number field, enter HR940-## and save your entries.

Task 2

Log on to the system again using your HR940-## user.

1. In Organizational Management, call Change General Structures.

Take a look at the staffing assignment along the organizational structure for the organizational unit 30014997 using the evaluation path O-S-P.

a) After you have logged on:

SAP Menu:

Human Resources → Organizational Management → Organizational Plan → General Structures → Change

In the Object Type field, enter O, in the Organizational Unit field, enter 30014997 and in the Evaluation Path field, enter O-S-P. Then press Enter. Expand the displayed organizational unit to see the assigned positions and their holders.


2. Find out where Winnie Chung can create a new position in the organizational structure.

a) Select an organizational unit and choose Create object. The Choose relationship dialog box appears. Double-click relationship B003 Position to select it. On the next screen, Create Position, enter an abbreviation and a name for your new position.

Winnie Chung is authorized to create a new position only for the organizational unit to which she is assigned as manager.

3. In another session, call HR master data maintenance and check which personnel numbers Winnie Chung is authorized to access. Does Winnie Chung have access authorization for the data of personnel number 50994?

a) SAP Menu:

Human Resources → Personnel Management → Administration → HR Master Data → Maintain (PA30)

Winnie Chung is authorized to access the personnel data only of the employees in her area of responsibility. She has no authorization for personnel number 50994.


Lesson Summary

You should now be able to:

• Explain the intersection of general and structural authorization profiles in an overall authorization profile


Lesson: Report RHPROFL0

Lesson Overview

Generation of authorizations for users in an organizational plan.

Lesson Objectives

After completing this lesson, you will be able to:

• Generate user authorizations for users in an organizational plan using the RHPROFL0 report

Business Example

Structural authorizations should be assigned or revoked automatically when a position staffing change takes place.

Assigning Authorizations to Organizational Objects

Figure 69: Assigning Authorizations to Organizational Objects

You can create a relationship between authorization profiles and the following objects using the infotypes PD Profiles and Standard Profiles: organizational units, jobs, positions, and tasks (or standard tasks if you use Workflow Management). The profiles related to organizational units, jobs, positions, or tasks are used for all employees linked with these objects when you run the RHPROFL0 report.


In the PD Profiles infotype (1017), specify the structural authorization profiles that you want to relate with a task, job, position, or organizational unit. If, for example, the authorization profiles for all employees of an organizational unit tend to be fairly similar, it may be most effective to use profiles for entire organizational units. If, however, authorizations vary by job or task, it may be better to use the profile for the job or task concerned.

The Standard Profiles infotype (1016) enables you to assign a manually created authorization profile to an organizational unit, job, position, and so on. You should not enter authorization profiles in this infotype that you created for a role using the Profile Generator. Assign the generated profiles to Organizational Management using role maintenance (transaction PFCG).

Report RHPROFL0

Figure 70: The RHPROFL0 Report (1)

The RHPROFL0 report creates authorization profiles for a user within an organizational plan. The report differentiates between standard authorization profiles and authorization profiles for structural PD authorizations. When authorization profiles are generated using the Profile Generator, the user is also assigned the user roles that are linked to the profile.

The system searches along the PROFL0 evaluation path for all persons in the structure and saves them temporarily. Using these persons as a basis, the system reads, up to the next higher organizational unit, all related objects for a given key date that are valid at this time and have infotype 1016 and/or 1017 appended.


The system then checks whether users already exist in the system for the persons found. This is necessary because a user name can be entered in infotype 0105 (subtype 0001) for a person even if that user has not yet been created in the system.

If the user has not yet been created in the system, it is created automatically. The authorization profiles for all users found in the organizational plan are then entered.

You can check the results of the standard authorization profiles and user roles with transaction SU01. The structural PD authorizations can be displayed using transaction OOSB.

Figure 71: The RHPROFL0 Report (2)

If the Generate standard authorizations parameter is set, the corresponding standard authorization profiles are changed. The same applies to the Generate PD authorizations parameter and the structural PD authorization profiles. If the appropriate parameter is not set, the authorization profiles assigned to the users remain unchanged.

Caution: If the Delete standard authorizations parameter is set, the system deletes all profiles maintained manually for the user through transaction SU01. It only reassigns the new authorization profiles derived from the organizational plan. An exception is the SAP_ALL profile. If you want this profile to be deleted as well, you must set the Delete SAP_ALL profile parameter.

If the parameter is not set (default setting), the system only deletes those authorization profiles resulting from a user role that, according to the current organizational plan, is no longer assigned to the user. These authorization profiles are also flagged as generated profiles in transaction SU01. All other authorization profiles that were maintained manually (infotype 1016) remain.


Caution: If the Delete PD authorizations parameter is set, the system deletes all structural PD authorization profiles that were maintained manually in table T77UA. Note that a user who has no structural authorization profiles automatically receives the SAP* authorization profile. However, this profile is not entered in table T77UA. If the parameter is not set (default setting), the system only deletes authorization profiles that were previously assigned by report RHPROFL0.
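The two Caution notes describe which T77UA entries survive a run of RHPROFL0 and what happens to a user who ends up with none. The following model of that reconciliation is added here for illustration; it is not the report's code, and the organizational plan, user names and profile names in it are constructed. Two points the lesson leaves implicit are stated as assumptions in the code: only users found in the selected part of the plan are touched, and a user without any T77UA entry is treated as having whatever the SAP* entry grants (constructed here as a profile named ALL). Creation of missing users (Generate new users) is left out.

```python
"""Model of how RHPROFL0 derives structural (PD) profile assignments from the
organizational plan and reconciles them with table T77UA. Added illustration of
the behaviour described in the lesson, not the report's own code."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed organizational plan: person -> position -> organizational unit.
POSITION_OF: Dict[str, str] = {"540991": "S_HRDIR", "540992": "S_CLERK"}
ORG_UNIT_OF: Dict[str, str] = {"S_HRDIR": "O_BOARD", "S_CLERK": "O_BOARD"}
# Constructed infotype 1017 (PD Profiles) entries on the org unit and a position.
PD_PROFILES_1017: Dict[str, List[str]] = {
    "O_BOARD": ["SP01_GR01"],
    "S_HRDIR": ["SP02_GR01"],
}
# Constructed infotype 0105 subtype 0001 (system user name) per person.
SYSTEM_USER_0105: Dict[str, str] = {"540991": "CHUNG-01", "540992": "PATEL-01"}


@dataclass(frozen=True)
class T77UAEntry:
    user: str
    profile: str
    generated: bool  # True = assigned by an earlier RHPROFL0 run, False = maintained manually


# Constructed starting content of T77UA.
EXISTING_T77UA: List[T77UAEntry] = [
    T77UAEntry("SAP*", "ALL", False),           # default entry; assumed to grant "ALL"
    T77UAEntry("CHUNG-01", "SP_OLD", True),     # from an earlier run, no longer in the plan
    T77UAEntry("CHUNG-01", "SP_MANUAL", False), # maintained manually (OOSB)
    T77UAEntry("OTHER-01", "SP09", False),      # user outside the selected plan
]


def derive_pd_assignments(persons: List[str]) -> Set[Tuple[str, str]]:
    """(user, profile) pairs a person inherits from the position and its org unit."""
    derived: Set[Tuple[str, str]] = set()
    for person in persons:
        user = SYSTEM_USER_0105.get(person)
        if user is None:
            continue  # no system user name in 0105/0001: nothing can be assigned
        position = POSITION_OF.get(person)
        for obj in (position, ORG_UNIT_OF.get(position, "")):
            for profile in PD_PROFILES_1017.get(obj, []):
                derived.add((user, profile))
    return derived


def run_rhprofl0(table: List[T77UAEntry], persons: List[str],
                 delete_pd_authorizations: bool) -> List[T77UAEntry]:
    """Return the new T77UA content (the input list is left unchanged)."""
    derived = derive_pd_assignments(persons)
    selected_users = {SYSTEM_USER_0105[p] for p in persons if p in SYSTEM_USER_0105}
    result: List[T77UAEntry] = []
    for entry in table:
        if entry.user not in selected_users:
            result.append(entry)   # assumption: users outside the selection are untouched
        elif (entry.user, entry.profile) in derived:
            result.append(entry)   # still derived from the plan: kept
        elif entry.generated or delete_pd_authorizations:
            continue               # generated earlier but no longer derived, or flag set: deleted
        else:
            result.append(entry)   # manual entry, flag not set: remains
    present = {(e.user, e.profile) for e in result}
    for user, profile in sorted(derived - present):
        result.append(T77UAEntry(user, profile, True))
    return result


def effective_profiles(user: str, table: List[T77UAEntry]) -> Set[str]:
    """Profiles the check will use; a user with no entry falls back to SAP*."""
    own = {e.profile for e in table if e.user == user}
    return own or {e.profile for e in table if e.user == "SAP*"}


if __name__ == "__main__":
    for flag in (False, True):
        new_table = run_rhprofl0(EXISTING_T77UA, ["540991", "540992"], flag)
        print(f"Delete PD authorizations = {flag}")
        for user in ("CHUNG-01", "PATEL-01", "OTHER-01", "NOBODY"):
            print(f"  {user:9} -> {sorted(effective_profiles(user, new_table))}")
```

With the flag off, CHUNG-01 loses only SP_OLD (generated by an earlier run) and keeps the manual SP_MANUAL; with the flag on, the manual entry goes too. The `effective_profiles` fallback is the part worth checking in a review: a user whose last T77UA row is deleted does not end up with nothing, but with the SAP* default, so the content of that default entry decides whether a cleanup run widens or narrows access.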

Figure 72: The RHPROFL0 Report (3)

If the Include invalid users parameter is set, the system also selects those users who are no longer valid on the key date, but who still exist in the system.

If the Generate new users parameter is set, the system generates users that are assigned to a person in infotype 0105 (subtype 0001) but not yet created in the system. If the Transfer relationship period between person and user parameter is also set, the system creates the new user with the same validity period that is maintained for the person in infotype 0105 (subtype 0001). If this parameter is not set, the system creates the user with a validity period from the key date until the latest possible date (12.31.9999). If you have not stored any authorization profiles in the Standard Profiles infotype (1016), you must activate the parameter Without assigned basis profiles. You use the parameter User Data to assign the initial password and the user group.


All messages that were generated during the profile comparison are saved in an application log. This application log is newly generated each time the RHPROFL0 report is run. You can make it visible by choosing Display log(s).

If the report is planned and automatically executed in a batch job, the output list is printed out. In this case, you can make the application log visible using transaction SLG1. On the selection screen, enter RHPROFL0 in the Object field. The Subobject and Ext. number fields remain empty.


Exercise 9: Report RHPROFL0

Exercise Objectives

After completing this exercise, you will be able to:

• Generate user authorizations using report RHPROFL0

Business Example

In your company, selected structural profiles should be stored in the organizational unit and in the position so that they can be assigned to employees using report RHPROFL0.

Task 1

Do the following exercise:

1. Store your structural authorization profile SP01_GR## in infotype 1017 PD Profiles for organizational unit Exec. Board ##.

Store your structural authorization profile SP02_GR## in infotype 1017 PD Profiles for position HR Dir ##.

Change infotype 0105 Communication with subtype 0001 for your employee 540991## (Winnie Chung): Enter the user CHUNG-## here.

Task 2

Do the following exercise:

1. Call report RHPROFL0 for your organizational unit ##Board. Activate the Without assigned basis profile parameter and select TRAINING as user group.

Start the program as a test run first.

Check if the users CHUNG-## and PATEL-## are included in the User master compare list of the program. If they are, deactivate the Test Run parameter and run the report.

Task 3

Do the following exercise:

1. Check if assignments to the structural profiles SP01_GR## and SP02_GR## have been entered in the T77UA table for these users.


Solution 9: Report RHPROFL0

Task 1

Do the following exercise:

1. Store your structural authorization profile SP01_GR## in infotype 1017 PD Profiles for organizational unit Exec. Board ##.

Store your structural authorization profile SP02_GR## in infotype 1017 PD Profiles for position HR Dir ##.

Change infotype 0105 Communication with subtype 0001 for your employee 540991## (Winnie Chung): Enter the user CHUNG-## here.

a) SAP Menu:

Human Resources → Organizational Management → Expert Mode → General

In the Plan version field, select the Current Plan and in the Object type field, select Organizational unit. Call the input help for the Object ID field and then choose Other search help. Select Search term from the list of input helps.

On the next screen, enter ##Board in the Search term field. Now select the PD Profiles infotype and choose Create. In the Profile field, enter SP01_GR## and save the infotype.

In the Object type field, select Position. Call the input help for the Object ID field and in the following screen, enter ##HR Dir in the Search term field. Now select the PD Profiles infotype and choose Create. In the Profile field, enter SP02_GR## and save the infotype.

Change infotype 0105 for your personnel number 540991##:

SAP Menu:

Human Resources → Personnel Management → Administration → HR Master Data → Maintain (PA30)

Enter 540991## in the Personnel Number field and 0105 in the Infotype field. Choose Change and on the next screen select the subtype 0001 System User Name SAP System. In the ID/Number field, enter CHUNG-## and save your entries.

Task 2

Do the following exercise:


1. Call report RHPROFL0 for your organizational unit ##Board. Activate the Without assigned basis profile parameter and select TRAINING as user group.

Start the program as a test run first.

Check if the users CHUNG-## and PATEL-## are included in the User master compare list of the program. If they are, deactivate the Test Run parameter and run the report.

a) Calling the report: System → Services → Reporting

In the Program field, enter RHPROFL0 and choose Execute.

In the Object type field, enter O. Search for the object ID using the search term ##Board.

Activate the parameter Without assigned basis profiles and in the User group field enter TRAINING. Choose Execute.

Task 3

Do the following exercise:

1. Check if assignments to the structural profiles SP01_GR## and SP02_GR## have been entered in the T77UA table for these users.

a) SAP Menu:

Tools → AcceleratedSAP → Customizing → Edit Project

Under Edit Project, choose SAP Reference IMG.

In the Implementation Guide, choose:

Personnel Management → Organizational Management → Basic Settings → Authorization Management → Structural Authorization

Select the Assign Structural Authorization activity and check if assignments to the structural profiles SP01_GR## and SP02_GR## have been entered for the users.


Lesson Summary

You should now be able to:

• Generate user authorizations for users in an organizational plan using the RHPROFL0 report


Lesson: Indexes for Structural Authorization Profiles

Lesson Overview

Improved performance for complex structural authorization profiles.

Lesson Objectives

After completing this lesson, you will be able to:

• Generate person-related indexes for structural authorization profiles to improve the performance of the structural authorization check

Business Example

Structural authorization profiles containing a large number of objects can cause runtime problems.

Indexes for Structural Authorization Profiles

Figure 73: Indexes for Structural Authorization Profiles (1)

If you have created structural authorizations with a large number of objects, it is advisable for performance tuning reasons to generate indexes for the users assigned to these structural authorizations. You can do this using the RHBAUS00 report.


Before you can run this report, you should have specified in table T77UU (User Data in SAP Memory) which users' structural authorization data should be permanently stored in the SAP memory and how often the data should be refreshed (Days field).

There are two possible ways to fill the index with data:

1. The index can be filled automatically at fixed intervals. In this case, you have to ensure that the user's view is up-to-date on a daily basis because data is refreshed after a batch input session that runs at night.

2. The index can be filled manually by means of the report. This report updates the data in the SAP memory immediately.

Once the report has been run, you obtain a log that contains a list of the users whose index was regenerated and the number of objects that were included in the index for a user.

Figure 74: Indexes for Structural Authorization Profiles (2)

You can use the report RHBAUS01 to perform a comparison of the INDX (INDX System Tables) and T77UU (Save User Data in SAP Memory) tables. The report generates a list of users who have data of the structural authorization in the SAP memory but who are no longer entered in the T77UU table. The report also enables you to delete the entries of the users no longer in the T77UU table from the INDX table.

You can use the RHBAUS02 report to enter users that have authorization for a large number of objects in table T77UU (User Data in SAP Memory) or to delete users with a small number of objects from this table.


This report enters users in the T77UU table or deletes users from this table if they have too small a number of objects, depending on a threshold value. You can define the threshold value for the report (for example, 1000 for 1000 objects).

The report can then automatically perform the Customizing activity Save User Data in SAP Memory.


Lesson Summary

You should now be able to:

• Generate person-related indexes for structural authorization profiles to improve the performance of the structural authorization check


Unit Summary

You should now be able to:

• Explain the function of evaluation paths as the central element of the data model in the Personnel Planning components
• Explain the meaning of the fields in a structural profile.
• Create structural authorization profiles and assign them to a user.
• Explain how the period of responsibility is determined for the general authorization check in a structural authorization check.
• Explain the intersection of general and structural authorization profiles in an overall authorization profile
• Generate user authorizations for users in an organizational plan using the RHPROFL0 report
• Generate person-related indexes for structural authorization profiles to improve the performance of the structural authorization check


Test Your Knowledge

1. Name the central elements of the Personnel Planning data model.

2. What advantages does the function module RH_GET_MANAGER_ASSIGNMENT offer in structural authorization?

3. What periods does the system evaluate to determine the period of responsibility?

4. What points do you have to consider if you want to grant access to HR master data in an overall profile?

5. What prerequisite must be fulfilled before you can assign structural authorizations to users using report RHPROFL0?


6. When should you generate indexes for structural authorizations?


Answers

1. Name the central elements of the Personnel Planning data model.

Answer: The central elements are: objects, relationships and evaluation paths.

2. What advantages does the function module RH_GET_MANAGER_ASSIGNMENT offer in structural authorization?

Answer: The function module determines the ID of the organizational unit headed by the manager. Thus, you can use one structural authorization for multiple managers.

3. What periods does the system evaluate to determine the period of responsibility?

Answer: The relationship periods between the objects along the evaluation path.

4. What points do you have to consider if you want to grant access to HR master data in an overall profile?

Answer: You need a PLOG authorization for object type P (Person).

5. What prerequisite must be fulfilled before you can assign structural authorizations to users using report RHPROFL0?

Answer: You must first enter the structural authorization profiles in the PD Profiles infotype stored for the organizational unit, the job, the position, or the task.

6. When should you generate indexes for structural authorizations?

Answer: You should generate indexes when you have structural authorizations containing a large number of objects.


Unit 8: The Context Solution

Unit Overview

Now that you have discussed structural authorization profiles, you want to introduce the context problem in HR authorizations. This problem arises from the technical separation of general and structural authorization profiles and, as of R/3 Enterprise, can be solved using two new authorization objects.

Unit Objectives

After completing this unit, you will be able to:

• Relate individual general and structural authorization profiles to each other to avoid authorizations being overwritten unintentionally.
• Create context-sensitive authorizations

Unit Contents

Lesson: Context Problems in HR Authorizations ... 186
Lesson: Context Authorization Objects ... 190
Exercise 10: Context Authorization Objects ... 195


Lesson: Context Problems in HR Authorizations

Lesson Overview

Problem caused by the technical separation of general and structural authorization profiles.

Lesson Objectives

After completing this lesson, you will be able to:

• Relate individual general and structural authorization profiles to each other to avoid authorizations being overwritten unintentionally.

Business Example

In your company, some managers are in charge of several departments. However, the managers' authorizations for accessing certain infotypes of the employees in their span of control should not be the same for all departments.

Context Problems in HR Authorizations

Figure 75: Context Problems in HR Authorizations (1)

The technical separation of general and structural authorization profiles can cause context problems for users who perform different roles in a company (see graphic). This is due to the fact that you cannot simply add any number of structural and general authorization profiles required for different tasks (in different contexts) without overriding something.


A user is a manager in the Accounting department and should beauthorized to edit infotypes 0000 through 0007 of the employees in hisor her team.

The manager is also manager for another organizational structure (Payroll).In this second context, the manager has access to all payroll-relevantinfotypes (0008 and 0015) for the employees in this organizationalstructure.

This cannot be mapped without the context solution because there is norelationship of any kind between an individual structural profile and anindividual basis authorization. This consequently leads to overridings.

Figure 76: Context Problems in HR Authorizations (2)

You cannot create an assignment between a user's specific structural profile (here, for example, structural profile 2) and a specific general profile (profile 2 with P_ORGIN).

What in fact happens is that the structural profiles (that is, the set of objects) and the general profiles are added (in this case, using P_ORGIN) to give the overall profile. For this reason, the following occurred in the example in the graphic: the manager has full read and write authorization for all objects from both structural profiles. When the authorization profiles are added together, the following overall profile is produced:

1. All employees in the manager's team and organizational structure

2. Full read and write authorization for infotypes 0000 to 0008 and for 0015.

If you use a separate user for each context, it is easier to map different contexts (roles) with the correct authorizations.

For example, if the manager wants to carry out his or her activities as Accounting Manager, the manager uses his or her user name. As soon as the manager wants to perform his or her role as Payroll Manager, he or she needs a second system user (with the respective authorizations as in the above example).

The problem is that you may need many users to map the user-specific contexts in your company. This is why the context solution has been developed for HR master data.

The Context Solution

Figure 77: The Context Solution

The context-sensitive realization of authorizations for HR master data enables you to avoid overriding authorizations unintentionally. In turn, this enables you to relate individual general and structural authorization profiles to each other.

The context solution creates a technical connection between general and structural authorization profiles using special context authorization objects. These context authorization objects differ from the P_ORGIN and P_ORGXX authorization objects in that they contain an additional field PROFL. You can enter structural profiles in this field.
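To make the difference concrete, here is a small Python model of the two check styles (an added illustration, not SAP code). Structural profiles are stand-ins for the employee sets an evaluation path would select, and all profile names, user names and personnel numbers are constructed. It reproduces the Accounting/Payroll example above: the plain P_ORGIN-style check adds the profiles together, while the P_ORGINCON-style check honours the PROFL binding.

```python
"""Model of the context problem from Unit 8 (added illustration, not SAP code).

General (P_ORGIN-style) authorizations have no link to a structural profile,
so every profile is added to every authorization. Context (P_ORGINCON-style)
authorizations carry a PROFL field that binds them to one structural profile.
Structural profiles are modelled as plain sets of personnel numbers; the real
system derives them from evaluation paths. All names and numbers are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Authorization:
    infotypes: FrozenSet[str]      # INFTY values covered, e.g. {"0000", "0001"}
    authc: str                     # AUTHC: "R" read or "W" write
    profl: Optional[str] = None    # PROFL, only present on context objects


def infotype_range(first: int, last: int) -> FrozenSet[str]:
    """Infotypes are 4-character numbers: infotype_range(0, 7) -> 0000..0007."""
    return frozenset(f"{n:04d}" for n in range(first, last + 1))


# Constructed structural profiles and the employees each one selects.
STRUCTURAL_PROFILES = {
    "SP_ACCOUNTING": {"00001001", "00001002"},
    "SP_PAYROLL": {"00002001", "00002002"},
}
# Constructed T77UA assignment: user -> structural profiles.
USER_PROFILES = {"MANAGER": ["SP_ACCOUNTING", "SP_PAYROLL"]}

# What the lesson wants: write 0000-0007 for the Accounting team and write
# 0008/0015 for the Payroll team. Once as general, once as context objects.
GENERAL = [
    Authorization(infotype_range(0, 7), "W"),
    Authorization(frozenset({"0008", "0015"}), "W"),
]
CONTEXT = [
    Authorization(infotype_range(0, 7), "W", profl="SP_ACCOUNTING"),
    Authorization(frozenset({"0008", "0015"}), "W", profl="SP_PAYROLL"),
]


def check_without_context(user, pernr, infty, authc, authorizations) -> bool:
    """P_ORGIN-style: union of all structural profiles, then union of all
    general authorizations. Nothing ties one to the other."""
    visible = set().union(*(STRUCTURAL_PROFILES[p] for p in USER_PROFILES[user]))
    if pernr not in visible:
        return False
    return any(infty in a.infotypes and a.authc == authc for a in authorizations)


def check_with_context(user, pernr, infty, authc, authorizations) -> bool:
    """P_ORGINCON-style: an authorization only counts for employees of the
    structural profile named in its PROFL field, and only if that profile
    is assigned to the user in T77UA."""
    for a in authorizations:
        if a.profl not in USER_PROFILES[user]:
            continue
        if (pernr in STRUCTURAL_PROFILES[a.profl]
                and infty in a.infotypes and a.authc == authc):
            return True
    return False


def overall_profile(user, checker, authorizations):
    """Every (pernr, infotype) pair the user may write: the 'overall profile'."""
    everyone = set().union(*STRUCTURAL_PROFILES.values())
    infotypes = infotype_range(0, 8) | {"0015"}
    return {(p, i) for p in everyone for i in infotypes
            if checker(user, p, i, "W", authorizations)}


if __name__ == "__main__":
    # Accounting employee, payroll infotype 0008: granted by the added general
    # profiles, denied once the authorization is bound to SP_PAYROLL.
    print(check_without_context("MANAGER", "00001001", "0008", "W", GENERAL))  # True
    print(check_with_context("MANAGER", "00001001", "0008", "W", CONTEXT))     # False
    print(len(overall_profile("MANAGER", check_without_context, GENERAL)),     # 40
          len(overall_profile("MANAGER", check_with_context, CONTEXT)))        # 20
```

The overall-profile counts show the over-grant directly: 4 employees × 10 infotypes without context, against 2 × 8 + 2 × 2 with context.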

Lesson Summary

You should now be able to:

• Relate individual general and structural authorization profiles to each other to avoid authorizations being overwritten unintentionally.

Lesson: Context Authorization Objects

Lesson Overview

Context authorization objects enable you to link general and structural authorizations together.

Lesson Objectives

After completing this lesson, you will be able to:

• Create context-sensitive authorizations

Business Example

Your company wants to implement the context solution.

HR: Master Data with Context

Figure 78: HR: Master Data with Context

The authorization object HR: Master Data with Context is used during the authorization check on HR infotypes. The checks take place when HR infotypes are edited or read. The system queries the contents of the fields during the authorization check.

The PROFL field (Authorization profile) is used to determine which structural profiles the user is authorized to access.

In the standard system, the check of this object is not active. You can use the INCON authorization main switch to control the use of P_ORGINCON.

Hint: The structural profiles assigned to a user are determined from table T77UA User Authorizations (= Assignment of Profile to Users). Therefore, you should only use structural profiles that are entered in this table in the PROFL field of the context authorization objects.

HR: Extended Check with Context

Figure 79: HR: Extended Check with Context

The object HR: Extended Check with Context is used during the authorization check on HR infotypes. The checks take place when HR infotypes are edited or read.

The PROFL field (Authorization profile) is used to determine which structural profiles the user is authorized to access.

In the standard system, the check of this object is not active. You can use the XXCON authorization main switch to control the use of P_ORGXXCON.

The Authorization Main Switches

Figure 80: The Authorization Main Switches (2)

The graphic shows you the standard switch settings.

Hint: You can make the settings using transaction OOAC or in the IMG for Personnel Administration under Tools → Authorization Management → Edit Authorization Main Switch.

Creating a Customer-Specific Object with Context

Figure 81: Creating a Customer-Specific Object with Context

Create the authorization object using transaction SU21. Make sure you keep to the customer name range (Z/Y). To be able to use the new authorization object you have created in the master data authorization check, the object must contain the INFTY, SUBTY, AUTHC, and PROFL fields.

The PROFL field (Authorization profile) is used to determine which structural profiles the user is authorized to access.

In the standard system, the check of this object is not active. You can use the NNCON authorization main switch to control the use of your authorization object.

Note that if you use customer-specific authorization objects, you must maintain these objects in transaction SU24 (Maintain Assignment of Authorization Objects to Transactions) in the same way as you maintain the authorization objects P_ORGIN, P_ORGXX, and P_PERNR.

Exercise 10: Context Authorization Objects

Exercise Objectives

After completing this exercise, you will be able to:

• Link structural authorization profiles using special context authorization objects to the general authorization check

Business Example

The managers in charge of several departments should have different access authorizations for the master data of employees in their span of control for each department.

Task 1

Do the following exercise:

1. Create a structural profile for organizational unit 30015365 Research/Development by copying profile SP02_GR## to the name SP03_GR## (## = group number).

2. In the Object ID field, enter organizational unit 30015365 and delete the entry in the Function module field.

3. Assign authorization profile SP03_GR## to user CHUNG-## for the current calendar year.

Task 2

Now modify your role PA_HR-MANAGER-##. The manager has read authorization for all infotypes of persons selected along evaluation path O-S-P and structural profile SP02_GR##. For structural profile SP03_GR##, the manager has read authorization for infotypes 0000 - 0007 only.

1. In your role, replace the authorizations for HR: Master Data with an authorization for the object HR: Master Data with Context with the same values. In the Authorization profile field, enter SP02_GR##.

2. Copy the authorization for HR: Master Data with Context. Assign the authorization for infotypes 0000 - 0007 and in the Authorization profile field, enter structural profile SP03_GR##.

3. Generate the authorization profile of your role and test the authorizations by logging on with the user CHUNG-##.

Solution 10: Context Authorization Objects

Task 1

Do the following exercise:

1. Create a structural profile for organizational unit 30015365 Research/Development by copying profile SP02_GR## to the name SP03_GR## (## = group number).

a) SAP Menu:

Tools→ AcceleratedSAP→ Customizing→ Edit Project

Under Edit Project, choose SAP Reference IMG.

In the Implementation Guide, choose:

Personnel Management → Organizational Management → Basic Settings → Authorization Management → Structural Authorization

Select the Maintain Structural Profiles activity. Select your authorization profile SP02_GR## and choose Copy As. Change the name in the Authorization profile field to SP03_GR## and then press Enter.

In the Specify object to be copied dialog box, select Copy all.

Select profile SP03_GR## and then in the Dialog Structure window, double-click the Authorization profile maintenance option to select it.

2. In the Object ID field, enter organizational unit 30015365 and delete the entry in the Function module field.

a) Change the Object ID and Function module fields.

Profile SP03_GR##

No. 0

Plan version 01

Object type O

Object ID 30015365

Maintain X

Evaluation path O-S-P

Status Vector 12

Period F

Func. module

3. Assign authorization profile SP03_GR## to user CHUNG-## for the current calendar year.

a) Select the Assign Structural Authorization activity.

On the next screen, choose New entries and enter your user CHUNG-## in the User name field and SP03_GR## in the Auth. profile field. In the Start date and End date fields, enter the first and last day of the year.

Task 2

Now modify your role PA_HR-MANAGER-##. The manager has read authorization for all infotypes of persons selected along evaluation path O-S-P and structural profile SP02_GR##. For structural profile SP03_GR##, the manager has read authorization for infotypes 0000 - 0007 only.

1. In your role, replace the authorizations for HR: Master Data with an authorization for the object HR: Master Data with Context with the same values. In the Authorization profile field, enter SP02_GR##.

a) You must add an authorization to the P_ORGINCON authorization object. To do so, choose Manual entry of authorization objects and on the next screen, enter P_ORGINCON in the Authorization object field. Maintain the fields of the new authorization and then deactivate the authorization for P_ORGIN.

Field Name Values

Authorization level R

Infotype *

Personnel area CABB

Employee group *

Employee subgroup *

Authorization profile SP02_GR##

Subtype *

Organizational key *

2. Copy the authorization for HR: Master Data with Context. Assign the authorization for infotypes 0000 - 0007 and in the Authorization profile field, enter structural profile SP03_GR##.

a) Position your cursor on the new authorization and choose Edit → Copy authorization. Change the values in the Infotype and Authorization profile fields.

Field Name Values

Authorization level R

Infotype 0000 - 0007

Personnel area CABB

Employee group *

Employee subgroup *

Authorization profile SP03_GR##

Subtype *

Organizational key *

3. Generate the authorization profile of your role and test the authorizations by logging on with the user CHUNG-##.

a) Generate the authorization profile of your role and test the authorizations by logging on with the user CHUNG-##.

Lesson Summary

You should now be able to:

• Create context-sensitive authorizations

Unit Summary

You should now be able to:

• Relate individual general and structural authorization profiles to each other to avoid authorizations being overwritten unintentionally.
• Create context-sensitive authorizations

Test Your Knowledge

1. When do context problems arise?

2. What is the difference between context authorization objects and the other authorization objects?

Answers

1. When do context problems arise?

Answer: Context problems arise when you want to relate a certain authorization for the authorization object HR: Master Data with a structural authorization profile.

2. What is the difference between context authorization objects and the other authorization objects?

Answer: The context authorization objects have an additional field where you can enter the name of the related structural profile.

Unit 9: Additional Aspects of the General Authorization Check

Unit Overview

This chapter explains how to refine the authorization check using the organizational key. In addition, this unit introduces the test procedure as a method of preventing subsequent changes being made to data after the data, entered by an employee, has been checked.

Unit Objectives

After completing this unit, you will be able to:

• Store the creation rule for the organizational key in Customizing.
• Use the test procedures for decentralized time data recording
• Ensure that no further changes can be made to recorded time data by the user who created it once the data has been checked. You use infotype 0130 (Test Procedures) to achieve this.

Unit Contents

Lesson: The Organizational Key .......... 206
Lesson: Test Procedures .......... 211
Exercise 11: Test Procedures .......... 215

Lesson: The Organizational Key

Lesson Overview

The organizational key enables differentiated authorization checks for organizational assignment.

Lesson Objectives

After completing this lesson, you will be able to:

• Store the creation rule for the organizational key in Customizing.
• Use the test procedures for decentralized time data recording

Business Example

The HR department in your company wants to use the cost center to which an employee is assigned for the authorization check.

The Organizational Key

Figure 82: The Organizational Key

The organizational key (field P0001-VDSK1) is used to run differentiated authorization checks on the organizational assignment (using the P_ORGIN authorization object). The content of the organizational key is either derived by the system from the fields of the Organizational Assignment infotype (0001) or entered manually by the user.

The organizational key consists of a 14-character field in infotype 0001 that you can structure freely. You can use specific control and rule tables to help you structure the field. Do not confuse the organizational key with the organizational unit.

In the standard system, the organizational key is built up as follows: the first four places contain the personnel area and the following ten places contain the cost center.

The corresponding menu path in Customizing is Personnel Management → Personnel Administration → Organizational Data → Organizational Assignment → Set Up Organizational Key.

Figure 83: Creating the Organizational Key

The organizational key is created and validated by the Organizational Key feature (VDSK1) and these tables: Organizational Key: Control (T527), Organizational Key: Creation Rules (T527A), and Organizational Key: Validation (T527O).

A variable key (VARKY) is determined for this purpose using the VDSK1 feature. This key is used according to table T527 to determine how the organizational key (VDSK1) should be created or validated.

The organizational key is stored in the Organizational Assignment infotype of the employee. When a user accesses the personnel data of the employee, the system checks whether authorization exists for the concrete value of the organizational key field.

In the example in the graphic, authorization exists for employees in personnel area 1200 who have been assigned cost center 1000.

Create Organizational Key

Figure 84: Creating the Organizational Key - Steps (1)

A variable key is determined using the VDSK1 feature.

This key is used according to table T527 (Organizational Key: Control) to determine how the organizational key should be created and validated. The fields Default/Validation and Rule for Creating Organizational Keys are evaluated for this purpose. The Default/Validation field can contain the following values:

1 = optional entry without validation

2 = optional entry with validation

3 = required entry with validation

4 = default that cannot be overwritten without validation

5 = default that can be overwritten without validation

6 = default that can be overwritten with validation

7 = default that cannot be overwritten with validation

If you make an entry for Default/Validation which causes a default value to be created (entries 4, 5, 6 or 7), you must also maintain the Rule for Creating Organizational Key field. This entry is used according to table T527A (Organizational Key: Creation Rules) to determine how to create the organizational key.

If you make an entry for Default/Validation which causes the organizational key to be validated, you must enter the values that should be recognized by the system as permitted in the Organizational Key Validation table (T527O).

Figure 85: Creating the Organizational Key - Steps (2)

The Organizational Key: Validation table contains a list of the permitted entries for the Organizational Key field (VDSK1). Only entries with hierarchy = 1 are relevant for validation. All other entries are ignored when validating the organizational key.

The Organizational Key column contains the organizational key that should be permitted during the validation.

In the Short Name and Name columns, you can store a short text or a description for each organizational key. The texts appear when you call input help for the Organizational Key field. The texts are irrelevant for the actual validation.
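The following Python sketch (an added illustration, not SAP code) walks the creation and validation steps of this lesson for one constructed T527/T527A/T527O configuration: the standard 4 + 10 structure, the seven Default/Validation modes, and the hierarchy = 1 rule of T527O. The stand-in for feature VDSK1, the zero-padding of numeric cost centers and the simplified P_ORGIN field comparison are assumptions.

```python
"""Model of how the organizational key (P0001-VDSK1) is built and validated:
the VDSK1 feature yields a variable key, T527 maps it to a Default/Validation
mode plus a creation rule, T527A says which infotype 0001 fields make up the
key, and T527O lists the permitted values (hierarchy 1 only).

Added illustration, not SAP code. Every table entry is constructed; the real
VDSK1 feature is stood in for by a lookup on the personnel area."""
from typing import Optional

# Default/Validation values (T527) exactly as listed in the lesson.
OPTIONAL_NO_VALIDATION = 1
OPTIONAL_WITH_VALIDATION = 2
REQUIRED_WITH_VALIDATION = 3
DEFAULT_FIXED_NO_VALIDATION = 4
DEFAULT_OVERWRITABLE_NO_VALIDATION = 5
DEFAULT_OVERWRITABLE_WITH_VALIDATION = 6
DEFAULT_FIXED_WITH_VALIDATION = 7

CREATES_DEFAULT = {4, 5, 6, 7}
VALIDATES = {2, 3, 6, 7}
FIXED_DEFAULT = {4, 7}


def variable_key(it0001: dict) -> str:
    """Constructed stand-in for feature VDSK1: decide on the personnel area."""
    return "PA12" if it0001["werks"] == "1200" else "OTHER"


# Constructed T527: variable key -> (Default/Validation, creation rule).
T527 = {"PA12": (DEFAULT_FIXED_WITH_VALIDATION, "01"),
        "OTHER": (OPTIONAL_NO_VALIDATION, None)}

# Constructed T527A: the standard structure from the lesson, 4 places
# personnel area followed by 10 places cost center (14 characters in total).
T527A = {"01": [("werks", 4), ("kostl", 10)]}


def pad(field: str, value: str, length: int) -> str:
    # Assumption: numeric cost centers are stored zero-padded to 10 places.
    if field == "kostl" and value.isdigit():
        return value.rjust(length, "0")
    return value.ljust(length)[:length]


def build_key(it0001: dict, rule: str) -> str:
    """Apply the T527A creation rule to the infotype 0001 fields."""
    return "".join(pad(f, it0001[f], n) for f, n in T527A[rule])


# Constructed T527O: (organizational key, hierarchy). The lesson's graphic
# authorizes personnel area 1200 with cost center 1000; the hierarchy-2 row
# is ignored by the validation.
T527O = [(build_key({"werks": "1200", "kostl": "1000"}, "01"), 1),
         (build_key({"werks": "1200", "kostl": "2000"}, "01"), 2)]


def permitted(key: str) -> bool:
    return any(k == key for k, hierarchy in T527O if hierarchy == 1)


def determine_org_key(it0001: dict, user_input: Optional[str] = None) -> Optional[str]:
    """VDSK1 value to store in infotype 0001; ValueError when the entry is rejected."""
    mode, rule = T527[variable_key(it0001)]
    if mode in CREATES_DEFAULT:
        default = build_key(it0001, rule)
        if user_input not in (None, default) and mode in FIXED_DEFAULT:
            raise ValueError("default value cannot be overwritten")
        key = default if user_input is None else user_input
    else:
        key = user_input
        if key is None and mode == REQUIRED_WITH_VALIDATION:
            raise ValueError("organizational key is a required entry")
    if key is not None and mode in VALIDATES and not permitted(key):
        raise ValueError(f"{key!r} is not a permitted value in T527O")
    return key


def entry_accepted(it0001: dict, user_input: Optional[str] = None) -> bool:
    """Convenience check: would this infotype 0001 entry pass?"""
    try:
        determine_org_key(it0001, user_input)
        return True
    except ValueError:
        return False


def vdsk1_authorized(auth_value: str, key: str) -> bool:
    """Simplified P_ORGIN field comparison on VDSK1: exact value or trailing '*'."""
    if auth_value.endswith("*"):
        return key.startswith(auth_value[:-1])
    return key == auth_value


if __name__ == "__main__":
    emp = {"werks": "1200", "kostl": "1000"}
    key = determine_org_key(emp)
    print(key)                              # 12000000001000
    print(vdsk1_authorized("1200*", key))   # True: whole personnel area 1200
```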

Lesson Summary

You should now be able to:

• Store the creation rule for the organizational key in Customizing.
• Use the test procedures for decentralized time data recording

Lesson: Test Procedures

Lesson Overview

You can use the test procedures to create test data for specified infotypes.

Lesson Objectives

After completing this lesson, you will be able to:

• Ensure that no further changes can be made to recorded time data by the user who created it once the data has been checked. You use infotype 0130 (Test Procedures) to achieve this.

Business Example

Company management plans to introduce decentralized time data recording and wants to protect this data from being changed after it has been checked.

Test Procedures

Figure 86: Test Procedures

You can use the test procedures to create test data for specified infotypes. Example: With decentralized time recording, employees can enter certain absences (for example, leave) themselves. At first, the time administrators can create and change any data within the scope of their authorizations. If a tester checks the entered data at a later date, he or she sets the check date for each personnel number checked in the corresponding subtype of the Test Procedures infotype (0130) to the date on which he or she finished the checks. This date normally lies in the past but it can also be the current date.

You can use the Test Procedures infotype (0130) to check if data has been checked and the date when this happened for each employee. Completed checks are indicated by a flag in a subtype in infotype 0130. If a test procedure has been carried out for an employee up to a certain release date, this employee can no longer change data in the period before the release date.

As soon as a test procedure is set, employees can only enter data that lies after the check date. Only administrators that have authorization to change the check date (that is, to change the corresponding subtype of the Test Procedures infotype) may change data that lies before the check date.

If the tester does not have write authorization for the data to be checked and the employee does not have authorization for the test procedures, data checks and data entry are completely separated from each other.

Setting Up Test Procedures

Figure 87: Setting Up Test Procedures

First, define the test procedures that are to apply. Technically speaking, these test procedures are subtypes of the Test Procedures infotype (0130).

Second, specify a test procedure for the desired infotype (or subtype). For infotypes without subtypes, always specify BLANK as the subtype. For infotypes that support subtypes, you must specify each subtype to be checked explicitly.

The APPRO authorization main switch must be set to 1 so that the system interprets the Test Procedures infotype as authorization-dependent.

When you have completed this step, you can create a data record of the Test Procedures infotype. The subtype of this data record is one of the test procedures defined earlier. This data record contains the check date amongst other things. As soon as this check date is entered, a user who is not authorized to change the check date (that is, the subtype corresponding to the test procedure of the 0130 infotype) cannot make any changes that lie before the check date to the infotype to be checked. The test procedures are similar to the asymmetrical double verification principle. The difference is that the entered data is payroll-relevant even if it has not yet been checked. It can, however, only be changed after a successful authorization check by a user with special authorization.
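The lock described in this lesson, as an added Python model that is not SAP code: infotype 2001 subtype 0100 is assigned to the constructed test procedure 9G01, the users PATEL-01, HR940-01 and TESTER-01 and their authorizations are constructed, and dates are 8-character YYYYMMDD strings as in the DATS type, so that string comparison is date comparison.

```python
"""Model of the test-procedure lock from this lesson (added illustration,
not SAP code). A tester sets a check date in a subtype of infotype 0130;
records of the infotypes assigned to that test procedure that start on or
before the check date may then only be changed by users who are authorized
to change that 0130 subtype themselves.

Constructed data: test procedure 9G01, its assignment to Absences 2001/0100,
three users and their write authorizations. Dates are YYYYMMDD strings."""
from typing import Dict, Set, Tuple

APPRO = 1   # authorization main switch: 0130 is authorization-dependent

# Constructed assignment of infotype/subtype -> test procedure (0130 subtype).
# "" stands for BLANK, the subtype to use for infotypes without subtypes.
TEST_PROCEDURE_FOR: Dict[Tuple[str, str], str] = {
    ("2001", "0100"): "9G01",   # Absences, subtype Leave
    ("2002", ""): "9G01",       # Attendances, no subtype
}

# Constructed 0130 records: (pernr, test procedure) -> check date (YYYYMMDD).
CHECK_DATE: Dict[Tuple[str, str], str] = {("54099501", "9G01"): "20030331"}

# Constructed write authorizations: (infotype, subtype); "*" = any subtype.
WRITE_AUTH: Dict[str, Set[Tuple[str, str]]] = {
    "PATEL-01": {("2001", "*")},                    # employee: records own leave
    "HR940-01": {("2001", "*"), ("0130", "9G01")},  # administrator: may also release
    "TESTER-01": {("0130", "9G01")},                # tester: may only release
}


def has_write_auth(user: str, infty: str, subty: str) -> bool:
    return any(i == infty and s in ("*", subty)
               for i, s in WRITE_AUTH.get(user, set()))


def may_change(user: str, pernr: str, infty: str, subty: str, begda: str) -> bool:
    """May user create, change or delete a record of infty/subty for pernr
    that starts on begda (YYYYMMDD)?"""
    if not has_write_auth(user, infty, subty):
        return False                       # ordinary master-data check fails
    procedure = TEST_PROCEDURE_FOR.get((infty, subty))
    if procedure is None or APPRO != 1:
        return True                        # no test procedure: no extra lock
    check_date = CHECK_DATE.get((pernr, procedure))
    if check_date is None or begda > check_date:
        return True                        # not yet checked, or after the check date
    # Locked period: only a user who may change the 0130 subtype itself.
    return has_write_auth(user, "0130", procedure)


def set_check_date(user: str, pernr: str, procedure: str, new_date: str) -> bool:
    """Tester releases the checked data of pernr up to new_date."""
    if not has_write_auth(user, "0130", procedure):
        return False
    CHECK_DATE[(pernr, procedure)] = new_date
    return True


if __name__ == "__main__":
    # Employee tries to change leave starting before / after the check date.
    print(may_change("PATEL-01", "54099501", "2001", "0100", "20030310"))   # False
    print(may_change("PATEL-01", "54099501", "2001", "0100", "20030402"))   # True
    # Tester cannot touch the absence itself but can move the check date:
    # data checks and data entry are separated, as the lesson describes.
    print(may_change("TESTER-01", "54099501", "2001", "0100", "20030402"))  # False
    print(set_check_date("TESTER-01", "54099501", "9G01", "20030430"))      # True
```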

Exercise 11: Test Procedures

Exercise Objectives

After completing this exercise, you will be able to:

• Set up and use the test procedure for the Absences infotype

Business Example

The employees in your company record their absence data for leave themselves. After the time administrator has checked the recorded data, employees should not be able to change the data.

Task 1

Do the following exercise:

1. In the Implementation Guide, set up the test procedure 9G## with the text Check Group ## (## = group number).

2. Assign the Absences infotype (2001) subtype 0100 Leave to your test procedure.

Task 2

Do the following exercise:

1. Enter leave for the user PATEL-##, personnel number 540995##, for the beginning of the current year.

Task 3

Create the Test Procedures infotype (0130) for personnel number 540995## using your HR940-## user.

1. Use user PATEL-## to test if this user can still make changes after the absence has been checked.

Solution 11: Test Procedures

Task 1

Do the following exercise:

1. In the Implementation Guide, set up the test procedure 9G## with the text Check Group ## (## = group number).

a) SAP Menu:

Tools → AcceleratedSAP → Customizing → Edit Project

Under Edit Project, choose SAP Reference IMG.

In the Implementation Guide, choose:

Personnel Management → Personnel Administration → Tools → Authorization Management → Special Authorizations for Personnel Administration → Test Procedures

Select the Create Test Procedures activity. In the Subtype field, enter your test procedure 9G## and in the Name field, enter Check Group ##. Save your entries and return to the IMG.

2. Assign the Absences infotype (2001) subtype 0100 Leave to your test procedure.

a) Select the Assign Infotypes to Test Procedures activity. Define infotype 2001 as the work area. On the next screen, choose New entries, enter 0100 in the Type field and 9G## in the Test field. Save your entries and return to the IMG.

Task 2

Do the following exercise:

1. Enter leave for the user PATEL-##, personnel number 540995##, for the beginning of the current year.

a) SAP Menu:

Human Resources → Personnel Management → Administration → HR Master Data → Maintain (PA30)

Enter 540995## in the Personnel Number field, enter 2001 in the Infotype field, and enter 0100 in the Type field. Then in the Period Fr/To fields, enter the start and end date of the leave. Choose Create and save the infotype record.

Task 3

Create the Test Procedures infotype (0130) for personnel number 540995## using your HR940-## user.

1. Use user PATEL-## to test if this user can still make changes after the absence has been checked.

a) SAP Menu:

Human Resources → Personnel Management → Administration → HR Master Data → Maintain (PA30)

Enter 540995## in the Personnel Number field and 0130 in the Infotype field. Then choose Create. In the Test for field, enter the test procedure 9G## and in the Released by field, enter the release date.

Try to delete the infotype record.

Lesson Summary

You should now be able to:

• Ensure that no further changes can be made to recorded time data by the user who created it once the data has been checked. You use infotype 0130 (Test Procedures) to achieve this.

Unit Summary

You should now be able to:

• Store the creation rule for the organizational key in Customizing.
• Use the test procedures for decentralized time data recording
• Ensure that no further changes can be made to recorded time data by the user who created it once the data has been checked. You use infotype 0130 (Test Procedures) to achieve this.

Test Your Knowledge

1. What is the function of the organization key in the Organizational Assignment infotype?

2. The Test Procedures infotype only enables you to protect decentrally recorded time data from later change.

Determine whether this statement is true or false.

True / False

Answers

1. What is the function of the organization key in the Organizational Assignment infotype?

Answer: The organization key enables you to use differentiated authorization checks for the authorization object HR: Master Data.

2. The Test Procedures infotype only enables you to protect decentrally recorded time data from later change.

Answer: False

You can use the Test Procedures infotype to create test data for any infotype.

Unit 10: Examples and Tips

Unit Overview

This unit concludes the course with a few examples and helpful tips on the topic of authorizations.

Unit Objectives

After completing this unit, you will be able to:

• Avoid errors in your company which often lead to problems.

Unit Contents

Lesson: Examples and Tips .......... 224

Lesson: Examples and Tips

Lesson Overview

Supplementary notes about authorizations in HR.

Lesson Objectives

After completing this lesson, you will be able to:

• Avoid errors in your company which often lead to problems.

Business Example

In your company, there are several outstanding issues that need to be clarified.

Report RHUSERRELATIONS

Figure 88: Report RHUSERRELATIONS

This report enables you to evaluate all the HR authorization profiles that exist for a user. This includes the structural authorization profiles as well as the HR Basis authorization profiles that are assigned to the user directly (using role maintenance) or indirectly (in Organizational Management).

In this report you can access several functions that enable selective evaluation of the authorization profiles. You can display the following information:


• The complete list of authorization main switches with the values set for them (in the function bar on the selection screen)

• All of the persons assigned to the user in the Communication infotype (0105) (in the function bar on the selection screen)

• The organizational units with which the user is related

• The structural authorization profiles

• The user's role assignments and standard profiles

• The authorizations based on HR authorization objects (of Personnel Administration/Personnel Planning - multiple selection is possible)

Employee Self-Service

Figure 89: Employee Self-Service

Prerequisites: The AUTSW PERNR main switch must be activated to enable the authorization check by personnel number.

The user assignment for all employees who use the SAP Employee Self-Service must be maintained in infotype 0105.

Users who are not administrators should not be granted P_ORGIN authorizations.

Every employee who uses the SAP Employee Self-Service is granted the two authorizations mentioned above for the P_PERNR authorization object: The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization grants write authorization for all data records of the 0006 infotype of the employee's own personnel number.


No Maintenance of Own Data By Administrator

Figure 90: No Maintenance of Own Data By Administrator

Prerequisites:

The AUTSW PERNR main switch must be activated to enable the authorization check by personnel number.

The user assignment for the corresponding administrator must be maintained in infotype 0105.

Each employee affected is granted the P_PERNR authorization shown in the graphic.
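The two P_PERNR scenarios above (Employee Self-Service, and an administrator who may not maintain his or her own data) as a runnable model. This is an added Python model written for this page, not SAP code: the field names AUTHC, PSIGN, INFTY and SUBTY are those of the real object, while the matching rules, the way a P_PERNR result is combined with the other checks, and all personnel numbers are assumptions of the model.

```python
"""Model of the P_PERNR (personnel number) check for the two scenarios above:
Employee Self-Service and 'no maintenance of own data by administrator'.
Constructed Python model written for this page, not SAP code.  The field
names AUTHC, PSIGN, INFTY and SUBTY are those of the real authorization
object; the matching rules and the combination with the other checks are
assumptions of this model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PPernrAuth:
    authc: str   # activity: "R" read, "W" write, "*" all
    psign: str   # "I": grants access to the user's own personnel number,
                 # "E": excludes the user's own personnel number
    infty: str   # infotype, e.g. "0006", or "*"
    subty: str   # subtype, or "*"


def _matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def p_pernr_check(auths, user_pernr, record_pernr, infty, subty, authc,
                  autsw_pernr=True):
    """Return "grant", "deny" or "n/a".

    The check only applies when the AUTSW PERNR main switch is on, the user
    has a personnel number assigned in infotype 0105 and the record belongs
    to that number.  Otherwise the other checks (P_ORGIN, ...) decide."""
    if not autsw_pernr or user_pernr is None or user_pernr != record_pernr:
        return "n/a"
    matching = [a for a in auths
                if _matches(a.infty, infty) and _matches(a.subty, subty)
                and _matches(a.authc, authc)]
    if any(a.psign == "E" for a in matching):
        return "deny"      # exclusion: the administrator may not touch own data
    if any(a.psign == "I" for a in matching):
        return "grant"
    return "n/a"


def access_allowed(p_pernr_result, other_checks_pass):
    """Model assumption: a P_PERNR grant or denial is final; otherwise the
    general checks such as P_ORGIN decide."""
    if p_pernr_result == "grant":
        return True
    if p_pernr_result == "deny":
        return False
    return other_checks_pass


# Constructed profiles for the two scenarios
ESS_AUTHS = (
    PPernrAuth("R", "I", "*", "*"),       # read every infotype of own number
    PPernrAuth("W", "I", "0006", "*"),    # write own addresses (infotype 0006)
)
ADMIN_AUTHS = (
    PPernrAuth("*", "E", "*", "*"),       # nothing at all on own personnel number
)


def ess_scenario(user_pernr="00001234", other_pernr="00005678"):
    """ESS user without any P_ORGIN authorization (other_checks_pass=False)."""
    def allowed(rec, infty, authc):
        return access_allowed(
            p_pernr_check(ESS_AUTHS, user_pernr, rec, infty, "", authc), False)
    return {
        "read_own_0008": allowed(user_pernr, "0008", "R"),
        "write_own_0006": allowed(user_pernr, "0006", "W"),
        "write_own_0008": allowed(user_pernr, "0008", "W"),
        "read_other_0006": allowed(other_pernr, "0006", "R"),
    }


def admin_scenario(user_pernr="00001234", other_pernr="00005678",
                   autsw_pernr=True):
    """Administrator whose P_ORGIN check would pass (other_checks_pass=True)."""
    def allowed(rec, infty, authc):
        return access_allowed(
            p_pernr_check(ADMIN_AUTHS, user_pernr, rec, infty, "", authc,
                          autsw_pernr), True)
    return {
        "write_own_0008": allowed(user_pernr, "0008", "W"),
        "write_other_0008": allowed(other_pernr, "0008", "W"),
    }


if __name__ == "__main__":
    print(ess_scenario())
    print(admin_scenario())
    # With the main switch off the exclusion no longer protects the own record
    print(admin_scenario(autsw_pernr=False))
```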


Special Feature of the Subtype Check in Dialog

Figure 91: Special Feature of the Subtype Check in Dialog

Problem:

For certain infotypes (such as 0014, 0015, and 2010), you can create a new record without having to specify a subtype on initial access to the individual record maintenance. If an administrator wants to create a new record without specifying a subtype, the authorization check consequently takes place using the subtype <BLANK>. This often results in users with limited subtype authorizations not being able to access the infotype screen. There are two ways to avoid this:

1. Users always explicitly specify a subtype for which they have authorization.

2. Users are granted an additional authorization for the dummy subtype <BLANK>.

Hint: Solution 2 is preferred. In principle, users are not granted any unnecessary authorizations by this, since the <BLANK> subtype does not exist as a real subtype, and the actual subtype is always checked explicitly when users access existing data records and when they save new data records.
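The subtype check on initial access, modelled so that both solutions above can be tried against the same limited authorization. This is an added Python model written for this page, not SAP code: the INFTY, SUBTY and AUTHC fields are those of P_ORGIN, while the matching rules, the sample authorizations and the sample records are assumptions.

```python
"""Model of the subtype check on initial access to individual record
maintenance, as described above.  Constructed example for this page, not SAP
code: authorizations use the INFTY / SUBTY / AUTHC fields of P_ORGIN, the
matching rules and sample data are the model's assumptions."""
from dataclasses import dataclass

BLANK = ""   # the dummy subtype <BLANK> checked when no subtype is entered


@dataclass(frozen=True)
class Auth:
    infty: str
    subty: frozenset   # explicit subtypes, BLANK, or "*"
    authc: frozenset   # activities, e.g. "R", "W", or "*"


def authorized(auths, infty, subty, authc):
    """Exact match on infotype, subtype and activity; '*' matches everything.
    BLANK is matched only by an explicit BLANK entry or by '*'."""
    for a in auths:
        if a.infty not in ("*", infty):
            continue
        if "*" not in a.subty and subty not in a.subty:
            continue
        if "*" not in a.authc and authc not in a.authc:
            continue
        return True
    return False


def can_open_create_screen(auths, infty, subty=None):
    """Initial access to record creation: without an explicit subtype the
    check runs against <BLANK>, which is what locks out users with limited
    subtype authorizations.  Passing a subtype is solution 1 from the page."""
    return authorized(auths, infty, BLANK if subty is None else subty, "W")


def accessible_records(auths, records, authc):
    """Existing records always carry a real subtype, so a <BLANK>
    authorization never widens access to them (the hint's argument)."""
    return [r for r in records if authorized(auths, r[0], r[1], authc)]


# Constructed data: a clerk limited to subtype 0010 of infotype 0014,
# the same clerk with the extra <BLANK> authorization (solution 2),
# and three existing records of infotype 0014
LIMITED = (Auth("0014", frozenset({"0010"}), frozenset({"R", "W"})),)
WITH_BLANK = LIMITED + (Auth("0014", frozenset({BLANK}), frozenset({"R", "W"})),)
RECORDS = [("0014", "0010"), ("0014", "0020"), ("0014", "0030")]

if __name__ == "__main__":
    print("limited, no subtype:   ", can_open_create_screen(LIMITED, "0014"))
    print("limited, subtype 0010: ", can_open_create_screen(LIMITED, "0014", "0010"))
    print("with BLANK, no subtype:", can_open_create_screen(WITH_BLANK, "0014"))
    print("records readable:      ", accessible_records(WITH_BLANK, RECORDS, "R"))
```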


Decentralized Time Recording

Figure 92: Decentralized Time Recording

You record working time decentrally. Once the time data has been recorded decentrally, it is checked centrally. The employees who entered the data should not be able to change it once it has been checked. The central time administrators, however, should still be able to change the data.

In addition to the authorization checks using P_ORGIN, activate the Test Procedures (AUTSW APPRO main switch).

Create an entry in the T584A table for all time management infotypes and subtypes. You can use one test procedure for all infotypes. You can also use a different test procedure for each infotype, or the same test procedure for only some of the infotypes. The decision depends on whether the infotypes should be checked together or separately.

Employees who enter data require an authorization for the P_ORGIN authorization object such as the one shown in the left graphic. The testers require an authorization such as the one shown in the right graphic.

Hint: If you have different time administrators for different test procedures, you must list each test procedure instead of * in the SUBTY field.

The testers who should also be able to change time data also require write authorization.


Authorizations for Batch Input Sessions

Figure 93: Authorizations for Batch Input Sessions

You can define report-specific prefixes to protect batch input sessions. The prefix is set before the actual session name and can be checked generically later. This ensures that sessions are not processed without authorization.

Using the object Batch Input Authorizations (technical name: S_BDC_MONI) in the object class Basis Administration, you can create authorizations based on the session name and actions, for example, processing a batch input session or displaying a processing log.

You can define report-specific prefixes using the BIMAP feature to protect batch input sessions. The prefix is set before the actual session name and is then checked generically by the Batch Input Authorizations object. Example: The session name MEYERS becomes MEYERS2 if a corresponding entry exists in the feature.

In the example shown in the graphic, the system proposes the HR2 prefix for the session name of the RPITUM00 program. All other programs do not use a prefix.

Hint: The BIMAP feature is delivered by SAP with an empty decision tree.
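The prefix mechanism above as a runnable model, using the page's own BIMAP example (HR2 for RPITUM00, no prefix elsewhere) and a generic S_BDC_MONI authorization on the prefix. This is an added Python model written for this page, not SAP code: the BIMAP decision tree is reduced to a mapping, the field names BDCGROUPID and BDCAKTI are those of the real object, and the activity codes, the generic-matching rule and the sample operator profile are assumptions.

```python
"""Model of batch input session protection as described above.  Constructed
Python example for this page, not SAP code: the BIMAP feature is reduced to a
program -> prefix mapping, and the Batch Input Authorizations object
S_BDC_MONI to its fields BDCGROUPID (session name) and BDCAKTI (activity);
the activity codes and the trailing-'*' generic match are assumptions."""
from dataclasses import dataclass

# Decision tree of feature BIMAP as in the page's graphic: only RPITUM00 gets a prefix
BIMAP = {"RPITUM00": "HR2"}


def session_name(program: str, requested_name: str) -> str:
    """The prefix proposed by BIMAP is set before the requested session name."""
    return BIMAP.get(program, "") + requested_name


@dataclass(frozen=True)
class BdcMoniAuth:
    bdcgroupid: str     # session name; a trailing '*' makes the check generic
    bdcakti: frozenset  # activities (assumed codes: "ABTC" process, "ANAL" log)


def name_matches(pattern: str, name: str) -> bool:
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def bdc_authorized(auths, session: str, activity: str) -> bool:
    return any(name_matches(a.bdcgroupid, session)
               and ("*" in a.bdcakti or activity in a.bdcakti)
               for a in auths)


# Constructed: an HR batch operator restricted to sessions carrying the HR2 prefix
HR_OPERATOR = (BdcMoniAuth("HR2*", frozenset({"ABTC", "ANAL"})),)


def scenario():
    hr_session = session_name("RPITUM00", "MEYERS")
    other_session = session_name("ZOTHER", "MEYERS")   # constructed program, no BIMAP entry
    return {
        "hr_session": hr_session,
        "other_session": other_session,
        "process_hr": bdc_authorized(HR_OPERATOR, hr_session, "ABTC"),
        "process_other": bdc_authorized(HR_OPERATOR, other_session, "ABTC"),
        "delete_hr": bdc_authorized(HR_OPERATOR, hr_session, "DELE"),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

Without a BIMAP entry the session keeps its plain name and falls outside the operator's generic authorization, which is the point of setting the prefix.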


Redundant Read of Objects

Figure 94: Redundant Read of Objects

To avoid unnecessary loss of performance, ensure that there are as few redundancies as possible when you define structural authorizations. In other words, the entries for a user in table T77PR should not overlap if possible (see graphic). This type of profile (several evaluation paths used) is often used to implement authorization requirements that cannot be met using a standard evaluation path.

In the present example, the profile needs to contain authorization for organizational units, jobs, positions, and persons. This combination is not covered by any standard evaluation path, which is why the two evaluation paths in the graphic are used.

However, this can lengthen the creation of the set of objects for the structural authorization because specific objects (O, S) are read several times. If the O-S-P and O_O_S_P evaluation paths are used simultaneously, organizational units (O) and positions (S) are read redundantly during the creation of the set of objects.

Proposed Solution:

You can avoid this if you define your own evaluation path that meets all the requirements of the authorization profile and reads the necessary objects only once. In the example used here, you could define a Z_O_S_C_P evaluation path, for instance.
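The redundant-read problem and its proposed solution, counted on a small org plan: two T77PR entries with the standard paths O-S-P and O_O_S_P against one entry with a custom Z_O_S_C_P path that also reaches the jobs. This is an added Python model written for this page, not SAP code; the org plan, the edge lists standing in for the evaluation paths, and the read-counting rule are assumptions.

```python
"""Model of the redundant-read problem above: the set of objects for a
structural profile is built by running every (root object, evaluation path)
entry of the profile, and objects reached by two entries are read twice.
Constructed Python example for this page, not SAP code; the org plan and the
edge lists that stand in for the evaluation paths are assumptions."""

# Constructed org plan: object -> directly related objects.  The object type is
# the first character: O org unit, S position, C job, P person.
RELATIONS = {
    "O1": ["O2", "S1"],
    "O2": ["S2", "S3"],
    "S1": ["P1", "C1"],
    "S2": ["P2", "C1"],
    "S3": ["P3", "C2"],
}

# Evaluation paths as the (source type, target type) relationships they follow
O_S_P = frozenset({("O", "S"), ("S", "P")})
O_O_S_P = frozenset({("O", "O"), ("O", "S"), ("S", "P")})
Z_O_S_C_P = frozenset({("O", "O"), ("O", "S"), ("S", "C"), ("S", "P")})


def evaluate_path(root, path, relations, read_log):
    """Collect every object reachable from root along the path's relationships.
    Each visit is appended to read_log so that reads can be counted."""
    seen = set()
    stack = [root]
    while stack:
        obj = stack.pop()
        if obj in seen:
            continue
        seen.add(obj)
        read_log.append(obj)
        for child in relations.get(obj, []):
            if (obj[0], child[0]) in path:
                stack.append(child)
    return seen


def build_profile(entries, relations=RELATIONS):
    """entries: list of (root object, evaluation path), i.e. the T77PR rows of
    one profile.  Returns (objects in the profile, total reads, redundant reads)."""
    read_log = []
    objects = set()
    for root, path in entries:
        objects |= evaluate_path(root, path, relations, read_log)
    return frozenset(objects), len(read_log), len(read_log) - len(objects)


TWO_STANDARD_PATHS = [("O1", O_S_P), ("O1", O_O_S_P)]   # overlapping entries
ONE_CUSTOM_PATH = [("O1", Z_O_S_C_P)]                  # proposed solution

if __name__ == "__main__":
    for name, entries in (("two standard paths", TWO_STANDARD_PATHS),
                          ("custom Z_O_S_C_P", ONE_CUSTOM_PATH)):
        objs, reads, redundant = build_profile(entries)
        print(f"{name}: {len(objs)} objects, {reads} reads, {redundant} redundant")
```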


Customer Enhancements Using BAdIs

Figure 95: Customer Enhancements Using BAdIs

You find the HRPAD00AUTH_CHECK BAdI in the Implementation Guide (IMG) for Personnel Management under Personnel Administration → Tools → Authorization Management → BAdI: Set Up Customer-Specific Authorization Check. You can find information on implementing a BAdI in the documentation of the corresponding IMG activity. As soon as an implementation for this BAdI is active, all HR master data authorization checks of the standard system are stopped, and instead only the activated implementation is performed.

As for general authorization checks, you can also implement a customer-specific test procedure for the structural authorization check using a BAdI. You can find the Business Add-In HRBAS00_STRUAUTH in the IMG for Personnel Management under Organizational Management → Basic Settings → Authorization Management → Structural Authorization → BAdI: Structural Authorization. You can find information on implementing a BAdI in the activity documentation.

The BAdI HRBAS00_GET_PROFL is of particular interest if you implement the context solution: It means that you do not need to maintain table T77UA (User Authorizations). You find the BAdI in the Implementation Guide (IMG) for Personnel Management under Organizational Management → Basic Settings → Authorization Management → Structural Authorization → BAdI: Define Assigned Structural Profiles. You can find information on implementing a BAdI in the documentation of the corresponding IMG activity.


Lesson Summary

You should now be able to:

• Avoid errors in your company, which often lead to problems.


Unit Summary

You should now be able to:

• Avoid errors in your company, which often lead to problems.


Test Your Knowledge

1. Employees that use Employee Self-Service require authorization for the authorization object HR: Master data. Determine whether this statement is true or false.

True / False

2. In an authorization, if you list individual subtypes in the Subtype field, you should also enter the subtype Blank. What is the reason for this?


Answers

1. Employees that use Employee Self-Service require authorization for the authorization object HR: Master data.

Answer: False

Employees that use Employee Self-Service may only have authorization for the authorization object HR: Master data - personnel number check.

2. In an authorization, if you list individual subtypes in the Subtype field, you should also enter the subtype Blank. What is the reason for this?

Answer: With certain infotypes, it is possible to create a new record without having to specify a subtype in the Subtype field when you access individual record maintenance. If the dummy subtype Blank is not stored in the user's authorization, the user must always specify a subtype for which he or she has authorization.


Course Summary

You should now be able to:

• Set up general and structural authorization checks and assign these to users directly or via Organizational Management.


Appendix 1: Additional Material

The Profile Generator

Figure 96: The Profile Generator

What is the Profile Generator?

• The Profile Generator is the central tool for generating authorizations and authorization profiles, and for assigning them to users.

• In the Profile Generator, the system administrator selects transactions, menu paths (from the SAP menu), or area menus. The selected functions correspond to the task area of a user or a group of users. The Profile Generator has various maintenance views:

• a simple maintenance view (Workplace menu maintenance)

• a basic maintenance view (menus, profiles, other objects), and


• a complete view (Organizational Management and workflow)

• The menu tree that a system administrator puts together for users with a specific role in the company corresponds to the user menu that appears when a user (who is assigned the corresponding role) logs on to the SAP system.

• The Profile Generator automatically provides the corresponding authorizations for the selected functions. Some of these authorizations have default values. Traffic light icons show you which values you need to maintain.

• Finally, the Profile Generator generates an authorization profile from this and assigns the role to users.

Profile Generator: Work Steps

Figure 97: The Profile Generator: Work Steps

To call the Profile Generator, choose "Create menu" from the SAP Easy Access screen, or choose Tools ⇒ Administration ⇒ User Maintenance ⇒ Roles. The corresponding transaction code is PFCG.

In the first step, you define the activities intended for the user role. The result of this definition process is a role (or several roles) that collects all activities of the role - represented by transactions, reports, and Web addresses.

At the same time, you define how the menu tree will be displayed for the new user role.


Afterwards, the authorizations for the activities selected are generated. This step normally involves the highest administrative maintenance effort.

Subsequently, the users are assigned to the roles.

Finally, the user master records of the users assigned to the roles are adjusted.

Profile Generator: Views

Figure 98: Profile Generator: Views

In simple maintenance, you can define roles for the workplace.

Basic maintenance allows you to

• Access all the functions for role maintenance

• Assign roles exclusively to SAP R/3 users

The complete view (Organizational Management) displays all assignments and data for a role.

This view is useful for users in Personnel Planning and Development, especially for Organizational Management and workflow. This view allows you to

• Access all the functions for role maintenance

• Change the validity period of the role

• Link tasks with a role

• Assign roles to objects in the organizational plan and delimit the validity dates for each assignment


Defining Role Names and Descriptions

Figure 99: Defining Role Names and Descriptions

Note that the roles delivered by SAP begin with the prefix "SAP_". If you want to create your own user roles, do not use the SAP namespace.

SAP does not differentiate between single and composite roles by name. When you create your own roles or when you name them, you should develop a naming concept that differentiates between single and composite roles.


Determining Activities

Figure 100: Determining Activities

Definition of Roles:

You use roles to define which activities are assigned to a specific role in the company. The authorization administrator chooses those transactions in the Profile Generator that users with a specific role in the company must perform regularly. The administrator also chooses any Web addresses if these are useful for the daily work of a role holder (for example, a weather forecast service would be of interest to field service personnel). In addition, frequently needed reports can also be added to the user menu.

You can create completely new roles if required. In most cases, however, it is easier to use the roles delivered by SAP as a template, to copy these and then change them to meet your requirements. In the following example, an SAP role was copied as the role MY_ROLE. (To copy a role, choose "Copy role" on the initial screen and "Copy selectively" in the dialog box that appears next.) This new role is then modified slightly. You can choose any names for roles. Names may not begin with "SAP_".


Designing Menus

Figure 101: Designing Menus

Changing the functionality: You can change the transactions listed in the menu tree of a role to meet your requirements:

• You can delete transactions you do not need and add new ones (by choosing "Transaction" or by copying them from other menus or roles).

• You can add reports (choose "Report"). The Profile Generator generates a transaction code (which is either created automatically or which you define yourself) that you can use to start the report from the menu.

• You can add Internet pages (choose "Other"). Similarly, you can add links to documents (such as Excel files). You add links to documents in the same way as you add links to Internet pages. Instead of the URL, you then enter the path of the required file.

Changing Menus:

You can create, delete, move, and rename directories. The principle of operation is similar to that of common graphical file managers.

If you want to distribute the role to a particular target system, enter the target system (it must be an SAP R/3 Release 4.6C System) and choose Distribute. This function is primarily of importance when used with the Workplace.

As of Release 4.6C, menus from roles can also be compared and adjusted on a cross-system basis using the ROLE_CMP transaction.


Maintaining Authorization Data

Figure 102: Maintaining Authorization Data

Creating Authorizations and Authorization Profiles:

The Profile Generator automatically generates authorizations on the basis of menu functions you selected beforehand. The Profile Generator cannot, however, propose "default values" for all authorizations that would fit any company. Therefore, the authorization administrator must normally postprocess the authorizations manually in cooperation with the user departments and the audit division. By using organizational levels, you can simultaneously maintain a large number of authorization fields. This greatly simplifies the manual postprocessing work.

In the example, transaction SO01 (SAPOffice) was added to role MY_ROLE (which was created by copying the SAP template). As a result, the yellow traffic lights appear in the menu tree in the example in the graphic. You can explain the need for manual maintenance using the example of data access authorization: The Profile Generator cannot "know" what type of access (read or other) should be permitted for files.


Maintaining Authorizations Manually

Figure 103: Inserting Authorizations Manually

Although the Profile Generator automatically generates the authorizations, you can also add authorizations manually to an existing profile, which might be desirable in some cases. To do so, on the "Authorizations" tab page choose "Change Authorizations" and then "Edit ⇒ Insert Auth." The following options are available:

Selection: Here you can find authorizations for objects grouped by object class.

Manual Entry: If you know the name of the authorization object for which you want to manually add authorizations, you can enter it here directly.

Full Authorization: This option inserts all authorizations with the value *.

From profile...: Here you can use authorizations from individual profiles.

From template...: If you want to create a user with "almost all" authorizations, you can use the SAP authorization templates designed for this purpose.


Authorization Maintenance: Icon Legend

Figure 104: Authorization Maintenance: Icon Legend

The current maintenance status of the authorizations at the various levels is shown by traffic lights:

• Green: All fields below this level have been filled with values. Check whether the values given are appropriate.

• Yellow: Below this level, there is at least one field (but not an organizational level) for which no data has been entered.

• Red: Below this level, there is at least one field for which no organizational level has been maintained.

• If you single-click a red or yellow traffic light, the system displays all unmaintained fields, except organizational levels with complete authorization (*).

Inactive: Double-clicking on this icon has the following effects:

• At authorization object level: All subordinate authorizations are marked as inactive.

• At authorization level: This authorization is marked as inactive.

Reactivate: Clicking this icon has the effect that the authorization, and all subordinate authorizations, of an authorization object are reset to active.

Delete: This can mean deletion of a field's contents, or deletion of an inactive authorization or deletion of all inactive authorizations.


Authorization Maintenance: Status Texts

Figure 105: Authorization Maintenance: Status Texts

Standard: All field values in the subordinate levels of the hierarchy are unchanged from the SAP defaults.

Maintained: At least one field in the subordinate levels of the hierarchy was empty by default and has since been filled with a value.

Changed: The value of at least one field in the subordinate levels of the hierarchy has been changed from the SAP default value. The status also changes to Changed if you change an organizational level which was previously set globally. (The exception to this is if you make the change in the Maintain organizational levels dialog box).

Manual: There is at least one authorization on the subordinate hierarchy levels which you have added.

Old: The comparison found that all field values in the subordinate levels of the hierarchy are still current and that no new authorizations have been added.

New: The comparison found that at least one new authorization has been added to the subordinate levels of the hierarchy. If you now click on New, all new authorizations in the subordinate levels will be expanded.


Generating the Authorization Profile

Figure 106: Generating the Authorization Profile

If the authorizations for the company concepts are appropriately maintained, you can generate an authorization profile. Only then do the authorizations contained in the profile take effect. A maximum of 150 authorizations can be contained in a profile. If there is a greater number of authorizations, the Profile Generator automatically creates additional profiles for the role. The name of the profile consists of 12 characters (see SAP Note 16466), of which the first 10 can be changed when the profile is first generated; the other two characters act as a counter. The second character must not be an underscore (_).


Assigning Users to Roles

Figure 107: Assigning Users to Roles

Assigning Users:

So that users are provided with the menu tree for their role when they log on to the system, you must assign roles to them.

You assign roles to users by adding the corresponding names to the list on the User tab of the Profile Generator. Users can be assigned to more than one role. It makes sense to define roles for specific cross-role activities. An example is the activity "Print". Regardless of their function, all users (who are authorized to print) can be assigned to a role with the activity "Print". This eliminates the need to add the "Print" transaction to a large number of roles, which is a cumbersome task.

It is also possible to assign roles to users for a limited time only. This makes sense, for example, for year-end closing. Physical inventory activities should only be allowed for a limited time. So that a time-dependent assignment of an activity profile to a user master record becomes effective, you must perform a comparison (see next page). You are recommended to schedule the background job pfcg_time_dependency in such cases. Alternatively, you can perform the comparison in dialog mode using transaction PFUD.


Derived Roles

Figure 108: Derived Roles

Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.

The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.

Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.


Menus of Derived Roles

Figure 109: Menus of Derived Roles

The menus passed on cannot be changed in the derived roles. Menu maintenance takes place exclusively in the role that passes on its values. Any changes immediately affect all inheriting roles.

You can remove the inheritance relationship, but afterwards the inheriting role is treated like any other normal role. Once a relationship is removed, it cannot be established again.


Composite Roles

Figure 110: Composite Roles

A composite role is a container which can collect several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles.

Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.

Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.

The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.


Menus of Composite Roles

Figure 111: Menus of Composite Roles

The menu tree of a composite role is, in the simplest case, a combination of the menus of the roles contained. When you create a new composite role, the initial menu tree is empty at first. You can set up the menu tree by choosing "Read menu" to add the menus of all roles included. This merging may lead to certain menu items being listed more than once. For example, a transaction or path contained in role 1 and role 2 would appear twice.

If the set of roles contained in a composite role changes, the menu tree is also affected. In such a case, you can completely rebuild the menu tree or process only the changes. If you choose the latter option, the Profile Generator removes all items from the menu which are not contained in any of the roles referenced.

It is possible (and often necessary) to change the menu of a composite role at any time. You adjust these menus in the same way as the menus for roles (see above).


Customizing Roles

Figure 112: Customizing Roles

You can assign projects or project views of the Implementation Guide (IMG) to a role. The purpose of such an assignment is to specifically generate the authorization for certain IMG activities and assign it to users. When the profile is generated, the system creates the authorization which is necessary to perform all activities of the IMG projects/project views assigned.

If a project or project view has been assigned to a role, it is no longer possible to manually assign transactions to this role. This means that such a role can only be used for generating and assigning Customizing authorizations. Vice versa, a role with transactions assigned manually cannot be used for Customizing authorizations.

The transactions of the project or project view are not displayed in the Session Manager and the "SAP Easy Access" menu. If the Enterprise IMG or Project IMG is changed, the authorization data of this role must be regenerated.

Since Customizing activities are performed on a project-related basis and for a limited period, you should maintain the end date for the users in the user assignment. This ensures that the users assigned to the role lose the authorization for the projects/project views assigned upon completion of the project.


Appendix 2: Flowcharts of the Authorization Check

Flowcharts

Figure 113: Flowchart 1


Figure 114: Flowchart 2

Figure 115: Flowchart 3


Figure 116: Flowchart 4

Figure 117: Flowchart 5


Feedback

SAP AG has made every effort in the preparation of this course to ensure the accuracy and completeness of the materials. If you have any corrections or suggestions for improvement, please record them in the appropriate place in the course evaluation.
