SAP HR Structural Authorizations

General Authorizations Structural Authorizations

HR Structural Authorizations
Overview Structural authorizations are used to grant access to view information for personnel where HR has been implemented. Access is granted to a user implicitly by the users position on the organizational plan.

Issue A manager can view or maintain information on employees in isorganizational unit but not employees in other organizational units

When an employee moves from one unit to another his previous manager will no longer be able to view or maintain information about them. Similarly if a manager moves from one unit to another he will be able to see the employees in her new unit.

Step by step approach check PLOGI - ORGA have a value 'X' in transaction OOPS

Go to HR Authorizations main switch , transaction OOAC check group AUTSW and Sem.Abbr.PERNR value as 1 Make sure that ORGPD = 1 It is important to run structural authorizations

Create Organization Plan using transaction ppom_old create the root of your organization plan If you have already created organization plan make it ensure that the above steps has been taken care of f before creating . Check the positions and its holder assignments has been done properly

Ideally the created plan looks like this

Structural authorizations work based on this hierarchy

Structural Authorization Profile generation Tcode: OOSP or table: t77pr

click here for new entries

enter the auth.profile and profile name and save

Select the created profile and double click on authorization profile maintenance

Here you can define authorizations for hr objects

Field Value Profile: Select a structural authorization profile No. Choose an interval e.g. 10 Plan vers. 01 Obj. type enter organization unit i.e O Object ID enter orgnization unit id Maintenance Check this on Eval.path O-O-S-P Status vec Recommend 12 Depth Sign Period D Function module RH_GET_MANAGER_ASSIGNMENT When you use the function module , you dont need to provide Object id this function module will execute in runtime and gives the result based on the evealuation path you selected. You can select the evaluation path one wich suits your profile for object type O

Significance of Period perameter and its importance.

Period : D - Key date If you enter D the system date will be set to current date and he will be able to access the records of employees under the organization where he is a manager as on current date.

this parameter will resolve and restrict to access the data of employees where he was manager formerly.

You can not debug and check your profile is working properly or not you can find the organization structure data based on the evaluation path you selected by clicking the information button

Click here to check information

Here you can check the profile gives the access to the data
however if you use the function module the results will geneate in runtime

Assign the profile to position

Created profile should be assigned to the position occupied by the manager so that he will inherit the authorization profile

Steps involved in assigning the profile to position

You can assign the profile to position using tcode. PO13 select the position and select the pd profiles(1017) infotype and create

select the created profile and save.

Maintain communication infotype 0105

maintain user id in it0105 subtype 9001(system user name)to the person whom the profile should be attached.

Maintain userids with profile in tcode oosb

Maintain User authorizations in tcode oosb or table t77ua where you assign the profile the userid's and save.

Enter the user id in table t77UU and run the below reports for authentication rhbaus00 rhbaus02

Means permission to perform a particular function in the SAP System. It is achieved by assigning authorizations profiles to users.

Steps involved in creating General Authorizations

Create a profile. Before that create a work area for that profile Profile creation using SU02 transaction. (Create a work area for profile first)

Go to profile generator. In PFCG transaction

Click create button

Save the Role first

Enter Description

Click Change authorization data button

Either you can insert authorizations you want through selection criteria or you can insert manually or you can copy from standard existing roles

p_orgin

In this step authorizations can be given based on Infotype, subtype, personnel area, employee group, subgroup. Authorization level can also be defined in this step.

Specify Infotypes for which you want to give authorizations. Same way for employee group, subgroup, personnel area, authorization level.

Auth.Object P_PERNR Authorization object that is used to assign users different authorizations for accessing their own personnel number. These authorizations differ from those defined in users P_ORGIN profiles. If this check is active and the user has been assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures. This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. System id should maintained in IT0105 subtype 9001(Olympus specific)for employee for which the authorizations are applied.

The PSIGN field (Interpretation of Assigned Authorization) can have the following values: I: include (for additional authorizations) E: exclude (for authorizations that are to be removed)

In this case authorization denies write read and modify authorization for all data records of the 0001 and 0008 stored under the employees personnel number.

The authorization checks for all other personnel numbers run according to P_ORGIN.

Enter transaction codes here Generate the profile after making changes. Use the generate button or shift+F5 key on keyboard. Give the profile name wich you have created in tcode su02 initially

Assign this role to user in transaction SU01 after generating the profile.

You can find out what system has checked the defined authorizations for the assigned role to the user in tcode su53