ken bowers structural authorizations

Structural Authorization

Defined HR Structural Authorization permit access to personnel

data based on the user’s position or span of authority

within the organizational structure.

Structural

Authorization General

Authorization

TC: OOSB

TC: PFCG

Personnel

Admin

Org, PD,

TEM, Quals

Structural Authorization

High Level Process

Create Structural

Authorization

Profile

Link Structural

Authorization

Profile

to User Id

Configuration &

Switch Settings

Evaluation Path

Determine Root

Org Unit

SAP User ID

linked to PA via

IT0105 Record

PA/PD Integration

Turned

“On”

(POLGI/ORGA)

Structural

Authorization

Activated via

(TC: OOAC or

T77S0)

Structural

Authorization

Profiles

Developed (TC:

OOSP or T77PR)

Structural Auth

Profiles

Linked

PD Object

(IT1017)

Dynamically

Organizational

Structure

Developed

SAP User ID linked

Structural Auth.

Profile

(TC: OOSB or

T77UA

SAP Program

RHPROFLO

Executed

Manually

Evaluation Paths

Maintained

(T778A/

V_T77AW))

Dynamically

assign

Root Org Unit

(Function Module)

Employee Record

assigned

IT0001

Manually

assign

Root Org Unit

STRUCTURAL AUTHORIZATIONS PROCESS FLOWCHART

User Access

Restricted

Based on Org

Structure

Organizational

Structure

(Org Unit/Position)

Structural

Authorization

Waiting Period

(TC: OOAC or

T77S0)

Execute Reports to

Optimize

Performance

PA/PD Integration “Active”

Structural Authorizations

„Activated”

4.6 and

below

Refer to OSS Note 339367 refers to OSS Note 363083

Maintenance of the switch AUTH_SW P_ORGPD to

import 4.7 functionality

Change from 0 to 1

TC: OOAC

T77S0


“Activated”

4.7


Waiting Period

Create Organizational Structure

• Transaction code PPOME

• Create organizational units (object type O)

• Create jobs (object type C)

• Create positions (object type S)

• Assign chief positions especially if the

relationship A012 is being used in function

modules

Create Organizational Structure

Create Personnel Master Records

• All personnel require personnel number

• Create IT0105, subtype 0001 record for all

EE’s linking SAP user id to personnel

number which is linked to the org structure

• All personnel require IT0001 record

Create Personnel Master Records

IT0105 IT0001

Evaluation Paths

• Use SAP standard evaluation paths

– SAP standard function modules read

delivered evaluation paths

• Create customer defined evaluation paths

– Customer defined function modules

specify customer defined evaluation paths

Evaluation Paths

T778A

V_T77AW

Create Structural Authorization

Profiles

• Transaction code OOSP or T77PR

• Screen # 1

– Profile: Enter profile name and description

– Save Structural Authorization Profile

Assign Root Org Unit

Option 1: Dynamically.

• Function Module:

RH_GET_MANAGER_ASSIGNMENT

determines the root organizational unit to

which the user is assigned as Manager via

the A012 chief relationship.

• Assign function module in T77PR In field

PFUNC

Screen # 2 T77PR

When Function

Module is

being used,

leave Object

ID field “Blank”

RH_GET_MANAGER_ASSIGNMENT:

Determines the root org unit object to

which the user is assigned as Manager

via the A012 chief relationship.

(Supervisor)

• Screen # 2 (Continued) – Auth Profile: Select profile for pop-up box

– No.: Enter Line/Sequence/Interval numbers 5, 10, 15 …etc.

– Plan version: Enter active plan. Ex. 01

– Object type: Enter object type end user will be authorized to change or display (O – Org Unit, S – Position, C – Job, P- person, and any customer defined objects)

– Object ID: If assign root org unit is being used, enter org unit id value. If you are using function modules to dynamically determine the root org unit, leave this field blank

– Maintenance: If checked, maintain authorization is granted for object type, if uncheck, only display authorization granted.

– Evaluation Path: Enter evaluation path defined inT77UA

• Screen # 2 (Continued) – Status vector: Planning status authorization

• 1 – Active

• 2 – Planned

• 3 – Submitted

• 4 – Approved

• 5 – Rejected

• To grant access to Active and Planned status(s) enter

“12”

– Depth: Enter the number of levels from the

root org unit of the org structure.

– Sign: Process structural authorization top –

down (+) or bottom-up (-)

• Screen # 2 (Continued) – Time period: Restrict access based on the

validity period of the org structure. • D – Current Day

• M – Current Month

• Y – Current Year

• P – Past

• F – Future

– Function module: • Leave this field “blank” if root org unit is defined in

field “Object id”

• Determine the root org unit using SAP standard or

Customer defined function modules

• Screen # 2 (Continued) – Add multiple rows in this table for all PD

objects the structural authorizations are

permitting to change and/or display



• Function Module:

RH_GET_ORG_ASSIGNMENT

determines the root organizational unit to

which the user is organizationally assigned.


PFUNC

Screen # 2 T77PR

RH_GET_ORG_ASSIGNMENT

Determines the root organizational unit to

which the user is organizationally assigned.

A customer defined Function

Module may be used



• Customer Defined Function Module:

– Copy and modify SAP standard function

modules to specify customer defined

evaluation paths


PFUNC


Option 4: Manually

• Function Module not used.

• Manual assignment of root organizational

unit

• Define root organizational unit in T77PR In

field OBJID

Screen # 2 T77PR

When Object

ID is being

used, leave

Function

Module field

“Blank”

Structural Authorization Profile

Completed

Link User ID to Structural

Authorization Option # 1 Assign Structural Authorization to PD Object

• Restrict user access based on PD objects.

• Assign structural authorization defined in transaction code OOSP or T77PR by creating an IT1017 to a PD object. Example: Create IT1017 to org unit or position depending on your requirements

• This is linking the structural authorization to the organizational structure.

• IT1017 is required if you are going to dynamically populate T77UA by linking user id to structural authorization profile.

Assign IT1017 to Position

Execute transaction code PP01 > Create PD Profiles > Assign Structural

Authorization Profile


Authorization

• Execute SAP Program RHPROFL0 on a

nightly or emergency basis.

• Report dynamically links the user id

(IT0105, Subtype 0001) to the designated

structural authorization profile in T77UA

based on the assignment of IT1017 to PD

objects.

RHPROFL0 program report output

T77UA auto

populated by the

RHPROFL0

program


Authorization Option # 2

• Can be assigned “manually”

• IT1017 is not necessary

• Transaction code OOSB or T77UA

• Ensure customizing of the table in permitted

in Production client

• This method is no recommended. Can be

very labor intensive

Manually Link User ID to

Structural Authorization Execute transaction code OOSB > Click on New Entries > Enter user id,

corresponding structural authorization profile, enter start date, enter end

date and click on the save icon.

Optimize Structural

Authorization Performance • Manually enter user id’s in T77UU User Table for

Batch Input. Stores user id in SAP memory (T77UU). Not recommended.

• Dynamically add/remove user id’s in T77UU executing program RHBAUS02 based on the number of objects.

• Execute nightly program RHBAUS00 to regenerate indexes saved in table INDX.

• Indexes regenerated and saved in table INDX

• ODD note 836478 dated 4/21/05: Display Index Report: RHAUTH_VIEW_INDX

Congratulations !

• You have completed the configuration of

structural authorizations.

• Do not know of any method to trace

structural authorizations

• Test, test user id’s for both structural

authorizations and PA/PD authorization

assigned to roles in TC: SU01.

Customer Defined Structural

Authorizations

• Use BADl: HRBAS00_STRUAUTH Customer defined logic for Structural Authorization

• Use BADI: HRPAD00AUTH_CHECK, which allows the customer to input their own coding into this customer exit for HR Master Data.

– Example: Restrict authorizations based on Business Area, Plant, etc.

Reporting Considerations

• Customer Defined Reports: Use HR Macros in

your custom program to engage structural

authorizations from the LDB. If LDB is not being

accessed, need to code structural authorizations in

program

• SAP Standard Reports: There may be some

circumstances you do not want structural

authorizations checked. Copy standard reports and

remove authorization checks.

Lessons Learned

• Keep in mind, users with new structural authorizations will not be effective until next day if RHPROFLO is ran nightly.

• Remember to assign Authorization Groups to customer defined z-tables in order to maintain in Production client.

• Assign all end users structural authorizations.

WHAT’S NEW IN 4.7

Transaction code SU53: Reasons for failed Structural authorizations are

displayed

Context Structural Authorizations

Questions ?

Contact Information

[email protected]

864-940-7282

mailto:[email protected]

ken bowers structural authorizations

Documents