Authorisations SIG

Structural Authorisations
& The Context Solution

Roger Povey
Senior HCM/Campus Management Consultant
SAP (UK) Ltd.
22 June 2005
 Contents

•Availability

•General Authorisations in SAP HCM

•Structural Authorisation Check SAP HCM

•Context Solution for HR Master Data

•Customer Example

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 2

 Availability

Generally Available in Version 4.7

Can install in 4.6c – Work done by SAP AG

8 Days Work

Approx Cost Per day 1520 euro

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 3

 General Authorisations in SAP HCM

Authorisation Concept

User

User Master
Record

Composite Role
Role
Profile
Role Composite
Role Authorisation Authorisation
Object

Field & Fields

Values

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 4

 General Authorisations in SAP HCM

Roles

Formally known as Activity

Groups

Provide the access to the

system

Produced using the Profile

Generator

Define the Easy Access Menu

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 5

 General Authorisations in SAP HCM

Authorisations
The menu definition determines the authorisations required

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 6

 Structural Authorisation Check in SAP HCM

SAP Structural Security

Separate security principle from standard SAP securities

Secures which areas of the organisation structure a user is able to

access

Very labour intensive

Table based system

No audit reports

Can cause performance issues

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 7

 Structural Authorisation Check in SAP HCM

Structural Authorisation

On top of the general authorization check, which is based on authorization

objects, you can define additional authorizations by hierarchical structures (for
example, organizational structures) called structural authorizations.

H R T r a in in g C o m p a n y

F in a n c e S a le s

H u m a n R e s o u rc e s P a y r o ll S a le s N o r th S a le s S o u th

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 8

 Structural Authorisation Check in SAP HCM

Not only the Org Structure…

Qualifications Catalogue

Appraisals Models

Training Catalogue

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 9

 Structural Authorisation Check in SAP HCM

Evaluation Path
Chain of relationships that exists between objects in a hierarchical structure.
The evaluation path O-S-P, for example, describes the relationship chain
organizational unit  position  person.
Evaluation paths are used, for example, to select objects during evaluations.
You choose an evaluation path and the system evaluates the structure along
this evaluation path.

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 10

 Structural Authorisation Check in SAP HCM

Evaluation Path

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 11

 Structural Authorisation Check in SAP HCM

Creating Structural Profiles – Not in PFCG

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 12

 Structural Authorisation Check in SAP HCM

Creating Structural Profiles

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 13

 Structural Authorisation Check in SAP HCM

Creating Structural Profiles

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 14

 Structural Authorisation Check in SAP HCM

Creating Structural Profiles

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 15

 Structural Authorisation Check in SAP HCM

Assigning Structural Profiles

Structural profiles are assigned in a different way to general

authorization profiles. To assign structural profiles, you use
table T77UA.
T77UU is used to store user data
in SAP memory

Report RHBAUS00 – Refreshes

the objects….

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 16

 Overall Profile

A user’s Overall Profile is determined from the intersection of his or her

structural and general authorization profiles, when you use both structural and
general authorizations.

Structural Authorisations are activated by setting the Structural Authorisation

Switch in T77S0 – the HR system table

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 17

 The Context Problem

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 18

 The Context Problem

The Workaround without implementing the Context Solution is to

have 2 Users for an employee… one for each functional role.

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 19

 Context Solution in SAP HCM – Authorisation Objects

New Authorisation Objects

P_ORGINCON (HR: Master Data with Context)

P_ORGXXCON (HR: Extended Check with Context)

P_NNNNNCON (HR Master Data: Customer-Specific

Authorization Object with Context)

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 20

 Context Solution in SAP HCM – Authorisation Objects

P_ORGINCON (HR: Master Data with Context)

Authorization Object that is used during the authorization check for HR data. This check takes
place when HR infotypes are edited or read. You can map user-specific contexts in HRMaster Data
using P_ORGINCON.
The authorization object P_ORGINCON consists of the same fields as P_ORGIN and has been
expanded to include the PROFL field:

The PROFL field is used to determine which structural profile the user is authorized to
access. Note that you can only enter structural profiles in this field that are assigned
to the user in table T77UA (User Authorizations = Assignment of Profile to User).

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 21

 Context Solution in SAP HCM - Authorisation Objects

P_ORGXXCON (HR: Extended Check with Context)

The authorization object P_ORGXXCON consists of the same fields as P_ORGXX and
has been expanded to include the PROFL field:

P_NNNNNCON (HR Master Data: Customer-Specific

Authorization Object with Context)
If you have requirements that cannot be mapped using the P_ORGINCON and
P_ORGXXCON authorization objects (for example, because you want to build your
authorization checks on additional fields of the Organizational Assignment infotype (0001 )
that are customer-specific) and if you want to implement the context solution, you can include
an authorization object in the authorization checks yourself.

Report RPUACG00 (Code Generation: HR Infotype

Authorization Check)
You can use this report to generate the necessary ABAP coding for a customer-
specific authorization object that is to be included in the HR infotype authorization
check.

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 22

 Context Solution in SAP HCM

Switches in T77S0 – Once set – Global!

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 23

 Context Solution in SAP HCM

Switches in T77S0
AUTSW INCON (HR Master Data (Context))
Authorization Main Switch that controls whether the P_ORGINCON authorization object
should be used in the authorization check.

AUTSW XXCON (HR Master Data: Extended Check (Context))

Authorization Main Switch that controls whether the P_ORGXXCON authorization
object should be used in the authorization check.

AUTSW NNCON (Customer Authorization Object (Context))

Authorization Main Switch that controls whether the P_NNNNNCON customer-

specific authorization object should be used in the authorization check.

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 24

 Context Solution in SAP HCM

Switches in T77S0

AUTSW DFCON (Authorization Check for a Person with Default Position)

Authorization Main Switch that controls how the system should react, if the context
solution is set up, to personnel numbers that are not linked to the organizational
structure (in other words, personnel numbers that have position entered as the
default position in the Organizational Assignment infotype (0001)).

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 25

 Copyright

 No part of this presentation may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained herein may be changed without prior notice.
 Some software products marketed by SAP AG and its distributors contain proprietary software
components of other software vendors.
 Microsoft®, WINDOWS®, NT®, EXCEL®, Word® and SQL Server® are registered trademarks of Microsoft
Corporation.
 IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®,
OS/390®, and OS/400® are registered trademarks of IBM Corporation.
 ORACLE® is a registered trademark of ORACLE Corporation, California, USA.
 INFORMIX®-OnLine for SAP is a registered trademark of Informix Software Incorporated.
 UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of The Open Group.
 HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web
Consortium, Laboratory for Computer Science NE43-358, Massachusetts Institute of Technology, 545
Technology Square, Cambridge, MA 02139.
 JAVA® is a registered trademark of Sun Microsystems, Inc. , 901 San Antonio Road, Palo Alto, CA 94303
USA.
 JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology
invented and implemented by Netscape.
 SAP, SAP Logo, mySAP.com, mySAP.com Marketplace, mySAP.com Workplace, mySAP.com Business
Scenarios, mySAP.com Application Hosting, WebFlow, R/2, R/3, RIVA, ABAP, SAP Business Workflow,
SAP EarlyWatch, SAP ArchiveLink, BAPI, SAPPHIRE, Management Cockpit, SEM, are trademarks or
registered trademarks of SAP AG in Germany and in several other countries all over the world. All other
products mentioned are trademarks or registered trademarks of their respective companies.

 SAP (UK) – Roger Povey Authorisations SIG 22 June 2005 - Page 26