sap hr authorization_1

Upload: naresh-reddy

Post on 03-Mar-2016


DESCRIPTION

HR Authorization concepts

TRANSCRIPT

  • HR-Authorization

  • What We'll Cover

    - Overview of standard authorizations
    - Introduction to structural authorizations
    - Designing structural profiles
    - Identifying context conflicts in HR security
    - Understanding how context authorizations work
    - Changing over to context-based HR security

  • Quick Review of Standard R/3 Security

    - To access business objects or execute SAP transactions, a user requires authorizations
    - Authorizations are combined in authorization profiles
    - Authorization profiles are then associated to roles
    - Roles are assigned to users and/or positions so that users can access the appropriate transactions and objects for their daily tasks

  • Standard R/3 Security

    General authorizations include the authorizations that are particularly important for Personnel Administration and that control access to HR data, which must be strictly controlled due to the sensitive nature of personnel data.

  • Authorization Objects

    - Authorization objects enable complex checks of an authorization, which allows a user to carry out an action.
    - An authorization object groups up to ten authorization fields that are checked in an AND relationship.
    - Examples: P_ORGIN, P_PERNR

  • The Authorization Main Switches

    The authorization main switches are stored in table T77S0 under the group name AUTSW (transaction OOAC).

  • Standard R/3 Security: Essential HR Authorization Objects (cont.)

    - P_PERNR (user's own HR master data check): Defines what HR master data (in the PA module) users can access about themselves, as well as the level of access (read, write, etc.)
    - PLOG (personnel planning check): Defines what objects within the Organizational Management (OM), Training and Event Management (PE), and Personnel Development (PA-PD) modules a user can access (e.g., infotype, plan version, object type, etc.)
    - P_HAP_DOC (appraisal documents): Defines access to appraisal documents (e.g., appraisal template ID, level of access, etc.). Specific to the new Performance Management functionality (Objective Setting and Appraisals [OSA])
    - P_ORGINCON (context-sensitive HR master data check): Same as P_ORGIN, but can be used in conjunction with structural authorization

  • Standard R/3 Security: Essential HR Authorization Objects

    - P_ORGIN (HR master data check): Defines what HR master data (in the Personnel Administration [PA] module) users can access (infotype, personnel area, employee group, subgroup) as well as the level of access (read, write, etc.)
    - S_TCODE and P_TCODE (transaction checks): Define which transactions users can start. P_TCODE is specific to HR and provides an additional level of security: it checks whether a user is authorized to start the different HR transactions. This authorization object contains the HR transaction codes without their own authorization objects.
    - P_PCLX (HR: Clusters): Area identifiers for clusters (T52RELID values) and authorization level (R, U, S)

  • Standard R/3 Security: Essential HR Authorization Objects

    HR: Master Data - Customer-Specific Object

  • Standard and Structural Authorization Together

    - Structural authorization does not replace standard authorization, but instead works in conjunction with it
    - The intersection of a user's structural and standard authorization profiles determines their overall security access

  • Structural Authorizations

    Overview: Structural authorizations are used to grant access to view information for personnel where HR has been implemented. Access is granted to a user implicitly by the user's position on the organizational plan. Structural authorizations are not integrated into the standard authorization concept, and structural authorization profiles are not the same as standard authorization profiles.

    Example: A manager can typically view or maintain information on employees in her organizational unit but not employees in other organizational units. When an employee moves from one unit to another, his previous manager will no longer be able to view or maintain information about him. Similarly, if a manager moves from one unit to another, she will be able to see the employees in her new unit.

  • Introduction to Structural Authorization

    - Structural authorizations provide a level of security specific to SAP HR, and are based on hierarchical structures in addition to the standard authorization concept
    - Structural authorization controls access to HR data based on objects and/or attributes that are stored in structures (e.g., organizational structures, business event hierarchies, and the qualifications catalog)

    (Figures on the original slide: Sample Org. Structure; Sample Qualifications Catalog)

  • The Structure Part of Structural Authorization

    - To manage the authorizations effectively, the central elements of this data model are used: objects, relationships, and evaluation paths.
    - The combination of root object and evaluation path returns an object hierarchy
    - The check is dynamic in nature: the objects that a structural profile returns change as the structure changes. Examples include:
      - Organizational unit changes like RIFs and reorganizations
      - Employee movement like transfers and position changes
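The "root object + evaluation path = object hierarchy" rule, and its dynamic nature, as an added worked example in Python. This is not SAP code and not part of the original slides: objects, relationships and the O-S-P evaluation path are modelled as plain data so the rule can be exercised offline. Object types use SAP's short codes (O = org unit, S = position, P = person) and the relationship codes are the ones the standard O-S-P path follows (B002 "is line supervisor of", B003 "incorporates", A008 "holder"); the org structure, object IDs and personnel numbers are constructed.

```python
# Added example (not SAP code): root object + evaluation path -> object hierarchy.
# Object types: O = org unit, S = position, P = person. Relationship codes follow
# the standard O-S-P evaluation path (B002 line supervisor, B003 incorporates,
# A008 holder). The structure below is constructed sample data.
from collections import deque

# Constructed relationships: (source type, source id, relation, target type, target id)
RELATIONS = [
    ("O", "50000001", "B002", "O", "50000002"),  # Sales is line supervisor of Sales West
    ("O", "50000001", "B003", "S", "50000101"),  # Sales incorporates position 101
    ("O", "50000002", "B003", "S", "50000102"),  # Sales West incorporates 102 and 103
    ("O", "50000002", "B003", "S", "50000103"),
    ("S", "50000101", "A008", "P", "00001001"),  # position 101 is held by person 1001
    ("S", "50000102", "A008", "P", "00001002"),
    ("S", "50000103", "A008", "P", "00001003"),
]

# Evaluation path O-S-P as the (source type, relation, target type) steps it may follow
EVAL_PATH_O_S_P = {
    ("O", "B002", "O"),  # org unit -> subordinate org unit
    ("O", "B003", "S"),  # org unit -> position
    ("S", "A008", "P"),  # position -> holder
}


def evaluate(root, eval_path, relations, depth=None):
    """Return every (type, id) reachable from root by following only the
    relationship steps listed in eval_path. depth=None means unlimited depth,
    the default of a structural profile line."""
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        node, level = queue.popleft()
        if depth is not None and level >= depth:
            continue
        for stype, sid, rel, ttype, tid in relations:
            if (stype, sid) == node and (stype, rel, ttype) in eval_path:
                target = (ttype, tid)
                if target not in seen:
                    seen.add(target)
                    queue.append((target, level + 1))
    return seen


def persons_in_profile(root_orgunit, relations):
    """Personnel numbers a structural profile line (root org unit, O-S-P) returns."""
    objects = evaluate(("O", root_orgunit), EVAL_PATH_O_S_P, relations)
    return sorted(oid for otype, oid in objects if otype == "P")


def transfer(relations, pernr, new_position):
    """Simulate a transfer: drop the person's current holder relationship and
    attach them to new_position. Returns a new relationship list."""
    kept = [r for r in relations if not (r[2] == "A008" and r[4] == pernr)]
    return kept + [("S", new_position, "A008", "P", pernr)]


if __name__ == "__main__":
    print("Sales West before:", persons_in_profile("50000002", RELATIONS))
    moved = transfer(RELATIONS, "00001002", "50000101")
    print("Sales West after transfer:", persons_in_profile("50000002", moved))
```

Running it shows the point of the slide: nothing in the profile definition changes, yet after `transfer` moves person 00001002 to a position under Sales, the profile rooted at Sales West returns one person instead of two.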

  • Common Uses for Structural Authorization

    - Decentralized Human Resources: HR generalists specific for a client group should see only those in their client group, and not HR
    - Dual-role positions (i.e., context challenges). Example: payroll managers need access to an area of the organization for research purposes, but they are chief managers themselves
    - Business Warehouse integration: standard extractors can bring structural authorizations to your BW system; full refresh of roles on a customer-selected frequency

  • Implement Structural Authorizations

    A structural profile contains at least one authorization profile, the sum of which combines to one overall structural profile.

    Step 1 - Turn on the PD-PA switch: go to OOPS; PLOGI ORGA is X. No other values need to be checked or changed. The PD and PA sub-modules of HR are not configured to share data by default in the SAP-delivered system. This switch must be on for data to flow between both modules.

  • Implement Structural Authorizations

    Step 2 - Turn on the structural authorization main switches: go to OOAC and maintain the main authorization switches in HR as shown on the slide's screen.

    Step 3 - Create the organizational plan
    Step 4 - Create the personnel master record
    Step 5 - Create user IDs
    Step 6 - Create infotype 105

  • Implement Structural Authorizations

    Step 7 - Create structural authorization profiles

  • Implement Structural Authorizations

    Step 8 - Create infotype 1017: go to PO10 (Organizational Unit) or PO13 (Position), select the unit, option PD Profile. This links the structural authorization profile to a node on the organizational plan.

    Step 9 - Assign structural authorization profiles to user IDs: use report RHPROFL0 to automatically assign the appropriate structural authorization profile to each user ID. This program updates the table maintained in transaction OOSB. The report assigns a structural authorization profile to the user ID based on the organizational plan. It should be run daily to update the authorizations of users based on changes made in the organizational plan. Ensure that infotype 1017 has been populated for all relevant nodes on the organizational plan.

  • Implement Structural Authorizations

    Step 10 - Set up regular security: go to PFCG, create the regular security roles and assign them to the user IDs.
    - Create a role that gives access to regular HR transactions for all employees, e.g., time entry (CAT2), PA20, PR20 (enter expenses)
    - Create a role that gives access to manager HR transactions, e.g., time approval (CADO), PPMDT (Manager's Desktop), PR05 (approve expenses)

  • Assigning Authorizations to Organizational Objects

    Report RHPROFL0: structural authorizations should be assigned or revoked automatically when a position staffing change takes place.
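What position-based assignment produces, and what the daily re-run changes after a staffing change, as an added example in Python. This is a model written for this page, not the RHPROFL0 report or any SAP code: infotype 1017 is reduced to a position-to-profile map, infotype 0105 to a personnel-number-to-user-ID map, each position is assumed to have at most one holder, and all IDs, profile names and user names are constructed.

```python
# Added example (not SAP code): a model of what position-based profile
# assignment (report RHPROFL0 evaluating the PD Profiles infotype 1017)
# produces in table T77UU, and what a daily re-run changes after a staffing
# change. Simplifications: IT 1017 is kept on positions only, each position
# has at most one holder, and IT 0105 is reduced to a pernr -> user ID map.
# All data below is constructed.

# Constructed IT 1017 entries: position -> structural profile name
IT1017 = {
    "50000101": "PROF_SALES",
    "50000102": "PROF_SALES_WEST",
}

# Constructed IT 0105 entries: personnel number -> SAP user ID
IT0105 = {
    "00001001": "JSMITH",
    "00001002": "AKHAN",
    "00001003": "MLEE",
}


def derive_t77uu(holders, it1017, it0105):
    """holders: {position: pernr}. Returns sorted (user ID, profile) rows, the
    content a position-based assignment run would write to T77UU. Persons whose
    position carries no IT 1017, or who have no IT 0105, get no row."""
    rows = set()
    for position, pernr in holders.items():
        profile = it1017.get(position)
        user = it0105.get(pernr)
        if profile and user:
            rows.add((user, profile))
    return sorted(rows)


def diff_assignments(before, after):
    """Compare two T77UU snapshots: returns (granted, revoked) row lists,
    i.e. what a daily run adds and what it takes away."""
    granted = sorted(set(after) - set(before))
    revoked = sorted(set(before) - set(after))
    return granted, revoked


if __name__ == "__main__":
    day1 = {"50000101": "00001001", "50000102": "00001002"}  # MLEE not yet placed
    day2 = {"50000101": "00001001", "50000102": "00001003"}  # AKHAN replaced by MLEE
    t1 = derive_t77uu(day1, IT1017, IT0105)
    t2 = derive_t77uu(day2, IT1017, IT0105)
    print("granted/revoked:", diff_assignments(t1, t2))
```

The `diff_assignments` output is the review artefact a security team would want from each run: the profile revoked from the previous holder is as important as the one granted to the new holder, and a user ID that appears in the revoked list while still holding a position points at a missing IT 1017 or IT 0105 record.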

  • A Quick Review

    Standard Authorization vs. Structural Authorizations
    - Standard HR authorizations define which transactions, infotypes, and subtypes the user can maintain and/or display
    - Standard HR authorization = WHAT the user can do
    - The structural authorization grants access to personnel data for employees within a specific area of the organization
    - Structural authorization = WHO the user has access to

  • What's New?

    - A link is established between a standard HR authorization, which defines the infotypes and subtypes the user can maintain and/or display, and a structural authorization, which defines a group of employees within a specific area of the organization
    - Standard HR authorizations can be linked to different structural authorizations, thereby granting distinct infotype access to separate groups of employees
    - Multiple combinations of standard and structural authorizations can be defined within a single user role, thereby eliminating the need for users to have more than one user ID to avoid context conflicts

  • Introduction: Context-Sensitive Security Solution

    - As decentralized data management expands within companies, users are requiring access to separate sets of HCM information for different groups of personnel
    - Until the release of R/3 Enterprise, multiple user IDs would be required to avoid a context conflict and meet these requirements
    - The context-sensitive security solution simplifies the HR user roles and meets these requirements by incorporating the user roles into a single user ID

  • What Is a Context Conflict?

    Occurs when a user:
    - Performs more than one job function as part of their regular work
    - Has two or more distinct roles that require different infotype access to separate groups of employees

    - The user's standard HR authorizations list all the infotypes that the user can access; authorizations may be contained in multiple roles
    - The user's structural authorizations outline which personnel the user can access; different groups of personnel may be defined in separate structural profiles
    - Issue: when the user's access is evaluated, the user can access all infotypes for all groups of personnel defined in the structural profiles. Structural authorizations cannot discern that certain access should only be granted to one group and not to another.

  • Examples of Context Conflicts

    The Customer Service Manager is required to approve time for his/her employees in the department. As Customer Service Manager, he/she also needs to be able to search for anyone in the company with a particular qualification.
    - P_ORGIN authorizations are defined, giving maintenance access to time infotypes
    - A structural profile is defined, giving him/her access to everyone under the org unit he manages
    - P_ORGIN authorizations are defined in a second role, allowing display access to name, organizational assignment, and contact details of employees
    - A second structural profile grants access to all employees that have qualifications or skills data
    - Context conflict: the manager can approve time data for all employees with qualifications, not just those reporting to him/her in the org unit

  • Solving Context Conflicts

    - Implement the context-sensitive solution
    - Context-sensitive authorizations link the relevant infotype access and the structural authorizations
    - Users access the necessary HCM data for the applicable groups of personnel
    - The context-sensitive authorization objects are:
      - HR: Master Data with Context (P_ORGINCON)
      - HR: Master Data Extended Check with Context (P_ORGXXCON)
      - Personnel Planning with Context (PLOG_CON)
      - HR: Customer-Specific Authorization Check with Context

  • Context-Sensitive Authorization Objects

    - P_ORGINCON, HR: Master Data with Context: P_ORGIN with the additional field Authorization Profile. Authorization Profile = link to structural authorizations. Must activate the INCON authorization switch and deactivate the ORGIN authorization switch.
    - P_ORGXXCON, HR: Master Data Extended Check with Context: P_ORGXX with the additional field Authorization Profile. Authorization Profile = link to structural authorizations. Must activate the XXCON authorization switch and deactivate the ORGXX authorization switch.
    - PLOG_CON, Personnel Planning with Context: PLOG with the additional field Authorization Profile. Authorization Profile = link to structural authorizations. No authorization switches to activate or deactivate.

  • Context-Sensitive Authorization Objects (Cont.)

    - HR: Customer-Specific Authorization Check with Context: the Customer-Specific Authorization Check with the additional field Authorization Profile. Authorization Profile = link to structural authorizations. Must activate the NNCON authorization switch and deactivate the NNNN authorization switch.
    - Fields comprising the Customer-Specific Authorization Check:
      - Authorization Level, Infotype and Subtype (mandatory)
      - Any other fields from IT 0001 Organizational Assignment, including custom fields
      - Transaction code (TCD) (optional)
      - Infotype-subtype combination field (INFSU) (optional)
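The Customer Service Manager conflict from the "Examples of Context Conflicts" slide, and how the PROFL field of P_ORGINCON resolves it, as an added example in Python. This is a model written for this page, not SAP's authorization check: the non-context check combines any P_ORGIN infotype grant with the union of all assigned structural profiles, while the context check requires infotype grant and structural profile to come from the same P_ORGINCON entry. The profile names (CS_ORGUNIT, ALL_WITH_QUALS), personnel numbers and the two-value authorization level (R = display, W = maintain) are constructed simplifications; the infotype numbers are the standard ones for attendances (2002), personal data (0002), organizational assignment (0001) and communication (0105).

```python
# Added example (not SAP code): a minimal model of a context conflict and of
# how P_ORGINCON's PROFL field resolves it. Non-context: infotype access from
# all roles (P_ORGIN) combined with the UNION of all assigned structural
# profiles. Context: each P_ORGINCON entry names the profile it applies to,
# so infotype access and personnel set must match in the same entry. Profile
# names, personnel numbers and the R/W level are constructed simplifications.

# Constructed structural profiles already resolved to personnel numbers
STRUCTURAL_PROFILES = {
    "CS_ORGUNIT": {"1001", "1002"},                      # the manager's own org unit
    "ALL_WITH_QUALS": {"1001", "1002", "2001", "2002"},  # everyone with qualifications data
}

# Non-context authorizations from both roles: (infotype, level)
P_ORGIN = [
    ("2002", "W"),  # Attendances: maintain, for time approval
    ("0002", "R"),  # Personal Data: display
    ("0001", "R"),  # Organizational Assignment: display
    ("0105", "R"),  # Communication: display
]

# Context authorizations: (infotype, level, PROFL)
P_ORGINCON = [
    ("2002", "W", "CS_ORGUNIT"),
    ("0002", "R", "ALL_WITH_QUALS"),
    ("0001", "R", "ALL_WITH_QUALS"),
    ("0105", "R", "ALL_WITH_QUALS"),
]


def satisfies(granted, requested):
    """A maintain (W) grant also covers display (R)."""
    return requested == granted or (granted == "W" and requested == "R")


def check_non_context(pernr, infotype, level, orgin, profiles):
    """ORGIN + ORGPD style check: any infotype grant, any structural profile."""
    in_structure = any(pernr in members for members in profiles.values())
    has_infotype = any(it == infotype and satisfies(lv, level) for it, lv in orgin)
    return in_structure and has_infotype


def check_context(pernr, infotype, level, orgincon, profiles):
    """INCON style check: one entry must grant the infotype AND name a profile
    that contains the employee."""
    return any(
        it == infotype and satisfies(lv, level) and pernr in profiles[profl]
        for it, lv, profl in orgincon
    )


def find_context_conflicts(orgin, orgincon, profiles):
    """(pernr, infotype, level) triples the non-context design allows but the
    context design denies: the excess access that constitutes the conflict."""
    everyone = sorted(set().union(*profiles.values()))
    return [
        (pernr, it, lv)
        for pernr in everyone
        for it, lv in orgin
        if check_non_context(pernr, it, lv, orgin, profiles)
        and not check_context(pernr, it, lv, orgincon, profiles)
    ]


if __name__ == "__main__":
    for conflict in find_context_conflicts(P_ORGIN, P_ORGINCON, STRUCTURAL_PROFILES):
        print("excess access under non-context design:", conflict)
```

The excess the model reports is exactly the slide's conflict: maintain access to infotype 2002 for personnel 2001 and 2002, who are reachable only through the qualifications profile. Display access to 0001, 0002 and 0105 for those two employees is intended and is granted under both designs. In a real conversion the same comparison, run over the actual P_ORGIN values and the personnel each structural profile resolves to, is a usable way to list what the context switch will take away before it is flipped.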

  • Setting the Authorization Switches

    In the Implementation Guide (IMG) or transaction OOAC. IMG path:

  • Setting the Authorization Switches (cont.)

    Activate the context-based authorization switch you wish to utilize and deactivate the original non-context switch

    1 = Active; 0 = Inactive

  • SAP Recommended Settings of Authorization Switches

    - Implement the context solution for all authorization objects
    - All context switches are on, all non-context switches are off
    - Structural authorizations switch off

    Structural authorizations are still defined, but are invoked through context-sensitive authorizations and not used independently

  • SAP Recommended Settings of Authorization Switches (Cont.)

    - Implement a combination of context authorization objects and non-context authorization objects, for example ORGINCON and ORGXX
    - Structural authorizations switch on

    Structural authorizations are defined and invoked through context-sensitive authorizations or used independently

  • The Authorization Main Switches

    - A combination of context authorization objects and non-context authorization objects is most typical
    - Master data with context will satisfy most companies' requirements
    - If you do not utilize the Administrator fields in IT 0001, Organizational Assignment, to restrict user access, both ORGXX and XXCON should be switched off
    - If you do not require custom authorization objects, both NNNN and NNCON should be switched off
    - No switches need to be activated or deactivated to make use of context-sensitive Personnel Planning authorizations; just define PLOG_CON authorizations instead of PLOG
    - Since structural authorizations are invoked through context-sensitive authorizations, such as P_ORGINCON and PLOG_CON, the need to invoke them separately dwindles
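A consistency check over the AUTSW main switches discussed on the preceding slides, as an added example in Python. It is not SAP code: it runs over constructed rows in the shape of T77S0 (GRPID, SEMID, GSVAL) and encodes only the rules this deck states: an active context switch (INCON, XXCON, NNCON) requires its non-context partner (ORGIN, ORGXX, NNNN) to be inactive; a P_ORGIN or P_ORGINCON master data check should be on; with ORGPD off, structural profiles are reached only through context objects (PLOG_CON has no switch); and DFCON takes the values 0 to 4. The four row sets mirror the two recommended patterns plus two misconfigurations and are constructed.

```python
# Added example (not SAP code): a consistency check over the AUTSW main
# switches, run on constructed rows in the shape of T77S0 (GRPID, SEMID,
# GSVAL). Rules encoded are the ones this page states; row sets are constructed.

CONTEXT_PAIRS = {"INCON": "ORGIN", "XXCON": "ORGXX", "NNCON": "NNNN"}


def autsw_switches(rows):
    """Pick the AUTSW group out of T77S0-shaped rows -> {SEMID: GSVAL}."""
    return {semid: gsval for grpid, semid, gsval in rows if grpid == "AUTSW"}


def check_switches(sw):
    """Return findings (empty list = consistent with the rules above)."""
    findings = []
    # Context object active together with its non-context partner
    for ctx, plain in CONTEXT_PAIRS.items():
        if sw.get(ctx) == "1" and sw.get(plain) == "1":
            findings.append(f"{ctx}=1 and {plain}=1: deactivate {plain} when using the context object")
    # Neither P_ORGIN nor P_ORGINCON checked
    if sw.get("INCON") != "1" and sw.get("ORGIN") != "1":
        findings.append("neither INCON nor ORGIN active: no P_ORGIN/P_ORGINCON master data check")
    # Structural profiles assigned in OOSB are never consulted in this state
    any_context = any(sw.get(ctx) == "1" for ctx in CONTEXT_PAIRS)
    if sw.get("ORGPD") != "1" and not any_context:
        findings.append("ORGPD=0 with no context switch active: structural profiles are never evaluated (PLOG_CON aside)")
    # DFCON has a fixed value range
    if sw.get("DFCON") not in {"0", "1", "2", "3", "4"}:
        findings.append(f"DFCON={sw.get('DFCON')!r}: expected 0, 1, 2, 3 or 4")
    return findings


def _rows(**values):
    """Build constructed T77S0 rows for group AUTSW plus one unrelated row."""
    rows = [("PLOGI", "ORGA", "X")]  # PD-PA integration switch, not part of AUTSW
    rows += [("AUTSW", semid, gsval) for semid, gsval in values.items()]
    return rows


# "Mixed" recommendation: P_ORGINCON with P_ORGXX, structural check on
MIXED = _rows(ORGIN="0", INCON="1", ORGXX="1", XXCON="0", NNNN="0", NNCON="0",
              ORGPD="1", DFCON="1", PERNR="1")
# "All context" recommendation: every context switch on, structural check off
ALL_CONTEXT = _rows(ORGIN="0", INCON="1", ORGXX="0", XXCON="1", NNNN="0", NNCON="1",
                    ORGPD="0", DFCON="0", PERNR="1")
# Misconfigured: INCON and ORGIN both on, DFCON out of range
MISCONFIGURED = _rows(ORGIN="1", INCON="1", ORGXX="0", XXCON="0", NNNN="0", NNCON="0",
                      ORGPD="0", DFCON="7", PERNR="1")
# Non-context only with the structural check off: assigned profiles have no effect
NO_STRUCTURAL = _rows(ORGIN="1", INCON="0", ORGXX="0", XXCON="0", NNNN="0", NNCON="0",
                      ORGPD="0", DFCON="0", PERNR="1")


if __name__ == "__main__":
    for name, rows in [("MIXED", MIXED), ("ALL_CONTEXT", ALL_CONTEXT),
                       ("MISCONFIGURED", MISCONFIGURED), ("NO_STRUCTURAL", NO_STRUCTURAL)]:
        print(name, check_switches(autsw_switches(rows)) or "ok")
```

Fed the real AUTSW rows exported from T77S0, a check like this belongs in the cut-over checklist for the conversion described later in the deck: the "both switches on" finding is the state you pass through if the context switch is activated before the non-context one is turned off.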

  • Other Authorization Switches

    DFCON, HR: Default Position (Context)
    - Controls whether the user can access personnel data of an employee assigned to the default position (99999999), such as after termination
    - The Organizational Unit in IT 0001 may be factored in to determine whether the user can access the employee's records
    - Interpretation of the value is the same as for the ORGPD switch in a non-context-sensitive environment
    - Possible values for the switch are 0, 1, 2, 3, or 4:
      - 0 = Inactive/switched off
      - 1 = Evaluate org unit. If user can access org unit but employee is in default position, deny access.
      - 2 = Do not evaluate org unit. If employee is in default position, deny access.
      - 3 = Evaluate org unit. If user can access org unit and employee is in default position, grant access.
      - 4 = Do not evaluate org unit. If employee is in default position, grant access.

  • Other Authorization Switches

    PERNR, HR: Master Data Personnel Number Check
    - There is no context-sensitive switch for the Personnel Number Check, as this is extraneous
    - The P_PERNR authorization object has no context-sensitive equivalent
    - P_PERNR authorizations specify which infotypes the user can access of his/her own personnel information
    - Since P_PERNR targets a specific personnel number, applying a structural profile to this authorization would be meaningless

  • Converting to Context-Based Authorizations

    - Identify which standard HR authorizations need to be linked to the relevant structural profiles in order to resolve context conflicts
    - A good design document is invaluable:
      - Helps to identify and analyze areas of overlap in authorizations
      - Saves time in the long run by eliminating redesigning on the fly
      - Enforces consistency in the design of HCM security roles
      - Ensures more stable and secure HCM authorizations
    - Copy all non-context authorizations to context authorizations or create newly designed context authorizations. For example, copy P_ORGIN authorizations to P_ORGINCON authorizations with the addition of the structural authorization in the Authorization Profile field
    - Once the switch to context-based security is made, the old non-context authorizations will no longer be used. For example, the current P_ORGIN authorizations will not be used in user roles
    - Other non-context authorizations, such as P_PERNR, will still be referenced if the relevant switches are activated/on

  • Converting to Context-Based Authorizations (Cont.)

    - Examine structural authorizations to ensure that they adequately isolate groups of personnel
    - New structural authorizations and function modules may be required to dynamically determine personnel based upon the user's position in the organization
    - Existing structural profiles can be linked to context authorizations
    - Once the switch to context-based security is made, structural authorizations will still be referenced
    - If the ORGPD switch is off, you may not need to assign structural authorizations to user IDs in transaction OOSB

  • Tip 1: How to Assign Structural Authorizations

    User-based: in table T77UU via transaction OOSB. Most maintenance-intensive.

  • Tip 1: How to Assign Structural Authorizations (cont.)

    Position-based: in Organizational Management via transaction PP01, using the PD Profiles infotype 1017. Reduces maintenance as long as you practice good position maintenance procedures.

  • Tip 1: How to Assign Structural Authorizations (cont.)

    Via Business Add-In (BAdI) enhancement: HRBAS00_GET_PROFL via SE19. The standard logic determines the user's structural profiles by reading the values in the user's P_ORGINCON authorization object.

  • Tip 2: How to Mitigate Performance Issues

    RHBAUS00 (structural profile indexing)
    - The report generates an index of users to structural profiles (for those users maintained in table T77UU)
    - Used heavily with the BW integration solution
    - IMG path: maintain this list of users in the IMG here: Personnel Management > Organizational Management > Basic Settings > Authorization Management > Structural Authorization > Save User Data in SAP Memory

  • Tip 3: How to Utilize New HR Authorization Object P_ORGINCON

    - As of R/3 Enterprise 4.7, P_ORGINCON can replace P_ORGIN if desired
    - In system table T77S0, update switches AUTSW/INCON to 1 and AUTSW/ORGIN to 0
    - P_ORGINCON (context-sensitive HR master data check) defines what type and level of HR master data (in PA) a user can access given a certain organizational context; the structural profile is now a part of the authorization object
    - Case study: a payroll manager who has two roles:
      - Payroll manager needing access to a specific part of the org as part of his/her normal job duties
      - Chief manager of his/her own organization

  • Key Points to Take Home

    - Structural authorization provides a robust way of utilizing SAP's advanced authorization concept
    - Structural authorization works in conjunction with standard R/3 authorizations
    - It is extremely important to maintain an accurate organizational structure, as most structural authorization is based on personnel planning objects (e.g., positions, org units)
    - Structural authorization is not a requirement for implementing MSS
    - Consider performance concerns before deployment; mitigate by using program RHBAUS00
    - Context-sensitive authorization is now available, as of 4.7 Enterprise
    - Activate BAdI HRBAS00_GET_PROFL to eliminate duplication of assigning the structural profiles to the user IDs
    - Identify context conflicts from excess user access or the need for multiple user IDs
    - Select the right combination of context-sensitive and non-context authorization switches to meet your needs
    - There is no switch for PLOG_CON, Personnel Planning with Context
    - Set DFCON to deny or grant access to personnel in the default position, and indicate whether the org unit is to be assessed
    - Invest in a good design document for stable and robust HCM data security and to reduce implementation time
    - Do not activate context switches too soon, in order to avoid locking out users from all HCM data

  • Resources

    - Authorizations in SAP HR. Available on SAP's Help Web site: http://help.sap.com
    - Case Study: Build Your Organizational Structure to Support SAP's Manager Self-Service. Danielle Larocca Signorile, HR Expert, Jan. 2006: http://www.hrexpertonline.com
    - Authorizations in Performance Management. Available on SAP Service Marketplace: http://service.sap.com (*requires login credentials to the SAP Service Marketplace)

    A role is a collection of activities that enable a user to participate in one or more business scenarios in the organization. An authorization profile is generated for the activities contained in the role. This defines the boundaries within which the user may perform actions in the SAP system. SAP delivers more than 1,200 single roles from all application areas. You find the roles for Human Resources under the generic name SAP_HR*.

    HR transactions with a natural (their own) authorization object: PA30. HR transactions without a natural (their own) authorization object: PE03, PU03.

    The structural profile determines which objects in the organizational structure the user may access. The general profile determines which data (infotype, subtype) and which access mode (read, write, ...) the user has for these objects. An evaluation path describes a chain of relationships that exists between objects in a hierarchical structure. The evaluation path O-S-P, for example, describes the relationship chain organizational unit > position > person. Neither the number of objects nor the specific objects that are returned by a structural profile are constant, nor is this desirable. The concrete objects that are returned by a structural profile change as the organizational structure (under the start object) changes.

    Do not create your organizational plan without this switch on. If you do, structural authorizations will not work and some org and infotype setup will not work. ***You cannot turn the switch on and get structural authorizations on an organizational plan that was created while it was off to work.***

    Make sure that ORGPD = 1, otherwise structural authorizations will not work. This has to be done manually. SAP documentation may seem to indicate that report RHPROFL0 will do this; it doesn't, this step must be done manually.

    The context solution creates a technical connection between general and structural authorization profiles using special context authorization objects. These context authorization objects differ from the P_ORGIN and P_ORGXX authorization objects in that they contain an additional field, PROFL. You can enter structural profiles in this field.

    The PROFL field (Authorization profile) is used to determine which structural profiles the user is authorized to access.