HR Security Overview

Upload: ramesh-surepalli

Post on 28-Nov-2015


Agenda

• High level HR security strategy
• What is a role?
• What is a structural profile?
• Assignment of access
• Security tasks
• HR tasks
• ESS / MSS Considerations

High Level Security Strategy

• The purpose of HR security is to control:
– What functionality users have access to
– Which personnel numbers users have access to

• The access to functionality is controlled by roles.

• The access to personnel numbers is controlled by structural profiles.

What is a role

• There are two types of roles, simple and composite.

• Simple roles are a collection of transactions that form a concise task grouping, e.g. run payroll. Simple roles also control which infotypes a user has access to and whether they can display or maintain the information.

• Composite roles are a collection of simple roles that represent a job, e.g. payroll administrator.

What is a role (cont)

SAP User: Natash Price

Composite role: Payroll Administrator

Simple roles: Payroll, Maintain PD, HR reports, Process financials

Transactions contained in the role:
– PC00_M13_CALC_SIMU – Simulation
– PC00_M99_PA03_CHECK – Check results
– PC00_M99_PA03_CORR – Corrections
– PC00_M13_CEDT – Pay slips
– Etc…

Infotype access contained in the role:
– Maintain: 0000, 0001, 0002, 0003, 0006, 0007, 0008, etc…
– Display: 0004, 0005, 0011, 0016, 0023, 0083, 0261, etc…

What is a role (cont)

• Access granted by roles is cumulative, i.e. if a user has access to display infotype 0008 through a payroll role, they will be able to display infotype 0008 as required in any transactions granted through another role.

What is a structural profile?

• Structural profiles (PD profiles) are used to limit what personnel records a user can interact with.

• PD profiles use the organisational chart to determine who reports to whom and who belongs to which organisational unit.

What is a structural profile? (cont)

• There are two types of structural profiles:
– A dynamic structural profile determines who reports to a “chief”. A chief is a manager of an organisational unit. A dynamic structural profile will evaluate the org structure and only permit access to those people that report to the chief. These are assigned to line managers.

– An explicit structural profile has an organisational unit assigned to it and allows access to all people within that org unit. These are assigned to users who are not managers but require access to HR data.

What is a structural profile? (cont)

A dynamic structural profile assigned to a chief position will allow access to all positions that report to that chief

What is a structural profile? (cont)

An explicit structural profile assigned to an organisational unit will allow access to all positions that are a part of that organisational unit
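
A simplified model of the two controls described above (cumulative role grants, and dynamic or explicit structural profiles), added here as an illustration and not taken from the slides or from SAP's own authorization check. The role names, org units, personnel numbers, and the treatment of sub-units as part of their parent unit are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; role names, org units and personnel numbers are hypothetical.
ROLES = {
    "PAYROLL":    {"tcodes": {"PC00_M13_CALC_SIMU"}, "infotypes": {"0008": "display"}},
    "HR_REPORTS": {"tcodes": {"PC00_M13_CEDT"},      "infotypes": {"0001": "maintain"}},
}
ORG = {  # org unit -> chief, direct members, child units
    "OU_FIN":     {"chief": 1000, "members": {1000, 1001}, "children": ["OU_PAYROLL"]},
    "OU_PAYROLL": {"chief": 1001, "members": {1002, 1003}, "children": []},
    "OU_SALES":   {"chief": 2000, "members": {2000, 2001}, "children": []},
}
LEVELS = {"none": 0, "display": 1, "maintain": 2}

@dataclass
class User:
    pernr: Optional[int]         # stands in for the infotype 0105 mapping; None if unmapped
    roles: tuple = ()
    explicit_units: tuple = ()   # explicit structural profile: org units assigned directly
    dynamic: bool = False        # dynamic structural profile: evaluated from the chief

def unit_people(unit):
    """Personnel numbers in an org unit and the units below it (modelling assumption)."""
    people = set(ORG[unit]["members"])
    for child in ORG[unit]["children"]:
        people |= unit_people(child)
    return people

def visible_pernrs(user):
    """Personnel numbers the user's structural profile allows."""
    seen = set()
    for unit in user.explicit_units:
        seen |= unit_people(unit)
    if user.dynamic and user.pernr is not None:
        for unit, data in ORG.items():
            if data["chief"] == user.pernr:
                seen |= unit_people(unit)
    return seen

def can_access(user, tcode, infotype, level, pernr):
    """Role grants are unioned across all roles, then the structural profile is applied."""
    tcodes = set().union(*(ROLES[r]["tcodes"] for r in user.roles))
    granted = max((LEVELS[ROLES[r]["infotypes"].get(infotype, "none")]
                   for r in user.roles), default=0)
    return tcode in tcodes and granted >= LEVELS[level] and pernr in visible_pernrs(user)
```

In this model a user holding both roles can display infotype 0008 from inside the pay slip transaction even though neither role grants that combination on its own, which is the cumulative effect a role review has to account for.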

Assignment of access

• Where possible access will be assigned to a position as this provides increased control. A user will inherit the access when assigned to the position and lose it when they are moved to a different position.

• In cases such as contractors where no position is held, the access will be assigned directly to the user ID.

Assignment of access (cont)

• In order to assign access through positions, it is important to maintain infotype 0105. This maps the user ID to the personnel record.

Security Tasks

• Creation and maintenance of roles that reflect HR requirements for transactional and infotype access.

• Creation and maintenance of structural profiles that reflect HR requirements for organisational access.

• Assignment of access to new positions that require HR access.

• Assignment of access to new users that do not hold a position in the organisational structure.

HR tasks

• Advise security of HR control requirements.
• Complete position moves to ensure users inherit / lose the appropriate access.
• Maintain infotype 0105 for all personnel.

Approval Process

• Any user who requires access to the HR module must be approved by the HR System Owner.

ESS / MSS Considerations

• For ESS and MSS the correct assignment of users to personnel numbers through infotype 0105 is critical.

• Functionality is in place to restrict users to displaying only their own information once ESS access is granted; however, this needs to be tested rigorously prior to go-live.