sap hcm - configuration of structural authorizations.doc
TRANSCRIPT
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
1/13
Configuration of SAP HCM Structural Authorizations
About this document
This document describes how the Structural Authorization, its importance and theconfiguration steps. It can be used as a best practice which includes test scenarios.
Explanation was given with the help of screenshots, but please do not expect that
all the possible customizing options are shown with screenshots. While going
through this document, try to access your own system for perfect understanding.
Authorizations
Authorizations control system users access to system data and are therefore a
fundamental prerequisite for the implementation of business software.
General Authorizations
o Single Role - Individual authorizations either to screens, infotypes,
etc.,
o Composite Role - Group of Single Roles clubbed together and called
as composite role
Structural Authorization
The Structural Authorization determines to which object/objects in the
organizational structure the user has an access.
It describes the special authorizations that you can define in Personnel Planning and
Development in addition to the basic access authorizations
The General Authorization determines which object data (infotype, subtype) and
which access mode (Read, Write ...) the user has an access.
General Data
Structural Authorizations will be assigned to Users with Structural Profiles in table
T77UA (User Authorizations) or using Transaction Code OOSB.
Initially system checks the table T77UA consists of Username with a Structural
Profile attached to it or not. If there is no entry in the table T77UA for the user, then
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
2/13
the system checks whether the User is assigned with profile SAP*, else
authorization is denied.
In the standard system, there will be a User Name - SAP* assigned with Profile -
ALL, which means, when we first implement mySAP HR, all users have complete
authorization concerned to Structural Authorization.
Note: If you delete the SAP* row, no user can pull the report for any
standard org Structure. (Never ever delete the standard entry)
IMG Configuration
Step 1
Node Maintain Structural ProfilesTransaction Code OOSPTable Name T77PQ
Select Maintain Structural Profiles
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
3/13
Below window will get displayed.
Click on Authorization Profiles New Entries
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
4/13
Input Authorization Profile and Authorization profile Name
Save it in a Customizing Request.
Select our profile, and Double Click on Authorization Profile Maintenance
Below Window gets displayed
Input the details
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
5/13
Save it.
Authorization Profile: (Mandatory)
Name of the Authorization Profile which was given earlier
No: (Optional)
Sequential Number
Plan Version: (Mandatory)
Enter the Plan Version to which the profile is authorized for the Organization Plan
Object Type: (Mandatory)
Accessible Objects in the mentioned Plan Version
Object ID: (Optional)
Enter an Object ID of the mentioned Object type. So that employee can access the Org Units under
that object.o When you work with infotype records, this field allows you to use the Fast entry feature. Fast
entry enables you to create numerous infotype records without having to exit and re-enter theinfotype window.
To select the object that the infotype record should belong to, either:
Enter the object's eight-digit code
Use the matchcode feature to search for the object
Maintenance (Optional)
In Personnel Management, a distinction is made between two types of function code:
There are function codes with "maintaining" and others with "non-maintaining" attributes.
In table T77FC, "maintaining" function codes are selected by flagging processing type Maintenance.
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
6/13
If processing type Maintenance is flagged in table T77PR for a profile, it means that function codes
classed as "maintaining" in table T77FC can also be executed for the authorized objects. (Set-up inCustomizing via Environment -> User maintenance -> Structural authorization -> Profiles.)
Evaluation Path (Optional)
Enter the Evaluation Path to focus on the objects involved in the relationship of Evaluation Path or canleave it as blank.
Status Vector (Optional)
Use this field to identify the status that a Relationship infotype must have in order for an object to be
reported on.
1 active
2 planned
3 submitted
4 approved
5 rejected
NOTE:
By Default value 1 (active) is used as the status vector.
Depth (Optional)
Contains a number from one to six digits that corresponds with the different levels of an
organizational structure (one being the highest level, and all subsequent numbers representing lowerlevels).
The level number determines how much information is SHOWN in an inquiry/report
If you do not wish to limit report documentation, leave the field blank
Sign (Optional)
The +/- sign is only used, if structural authorization profiles are to be created that are to process the
structure "from top to bottom",
Example:
An authorization profile should only allow persons within the organizational
structure to be accessed.
Period (Optional)
Use this field if you want to restrict the authorization according to the validity period of the structure.
- All
D Key date
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
7/13
M
Current
month
Y
Current
year
P Past
F Future
Function Module (Optional)
This field allows you to specify a function module to determine the root object of the structural
authorization.
For more information on function modules, refer to the IMG under Maintain PD Profiles.
Step 2
Node Assign Structural AuthorizationTransaction Code OOSB
Table Name T77UA
Select Assign Structural Authorization
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
8/13
Note: Never ever delete the standard entry
If you delete the SAP* row, no user can pull the report for any standard org Structure.
Go to New Entries and give below details
Save it in a Customizing Request.
User Name : UserName to which we give the authorization
Authorization Profile : The one which was created in the earlier step
Start Date : From which date the user should have an access for the
mentioned profile
End Date : Till what date the User can have the access for the mentioned
profile
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
9/13
Exclusion : This field allows to exclude branch structures from structural
authorizations
Conclusion
As per the configured profile, Employee with username TRAIN_INDIA3 will have access toview Org Units only.
Example 1
Transaction Code S_AHR_61016494Organizational Structure with
Positions
Selected the above report S_AHR_61016494 Organizational Structure With
Positions.
Below Screen will be displayed.
Selected the inputs
Plan Version : 01 (System accepts other than 01 as well)
Object Type : O (Org Units. Test 2 consists of Position results)
Evaluation Path : O_S_P (System takes the evaluation path which contains Org
Units only. As the profile is authorized only for Org Units)
Click on Execute.
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
10/13
Output will be displayed with only Org Units. Positions and Persons will not bedisplayed.
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
11/13
Actual Screen will be displayed as below, with all the org units, positions and
persons. If we havent assigned any profile to the User.
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
12/13
Example 2
Selected the above report S_AHR_61016494 Organizational Structure With
Positions.
Below Screen will be displayed.
Selected the inputs
Plan Version : 01 (If you give other than 01, it will accept)
Object Type : S - Position (In the TEST 1, Org Unit O is selected. Check the
output if we select S)
Evaluation Path : O_S_P (System takes the evaluation path which contains Org
Units only. As the profile is authorized only for Org Units)
Click on Execute.
-
7/27/2019 SAP HCM - Configuration of Structural Authorizations.doc
13/13
Output will be displayed with Blank Page, as the authorization exists for Org Units
only.
Function Modules
Enter one of the following function modules in SE37
RH_GET_MANAGER_ASSIGNMENT (Determine organizational units for manager)
This function module finds the root organizational unit with which the user is
related via the position and relationship A012 (manages).
RH_GET_ORG_ASSIGNMENT (Organizational assignment)