HR Security

What is an HR System?
An HR system deals with company data, employee data and payroll data, much of which may be sensitive.
Example: once an employee joins the organization, personal, company and payroll data is kept for that employee, and the HR system maintains all of this data.

HR data is divided into three main categories.

Company Data :- Organization hierarchy, branches, policies, etc.
Employee Data :- Personal data and professional details.
Payroll Data :- Payroll could fall under either company data or employee data; here it is taken as a separate category because it is very important to any company's growth.

Note: Payroll is a crucial factor for a company and an important part of the HR system.

HR Security : The HR security concept is used to restrict confidential and private data. HR security defines two levels of security.

[Diagram: HR Security divides into Level 1 and Level 2. Labels: Public data; Confidential & Private data; Structural Authorization]

Level 1 HR Security
Level 1 security is possible through Standard Authorization Concept - T-code & Authorization

Level 2 HR Security
Restriction based on designation, location or department is not possible with the standard authorization concept. Hence we go for Structural Authorization.

Level 1 HR Security
The first level of security is implemented with the help of the standard authorization concept.

Infotypes : In SAP HR, all information, whether related to the company, an employee or payroll, is represented in the form of an infotype (information type). An infotype is identified by a four-digit number from 0000 to 9999. In general, infotypes are structures that store related HR data. For example, the address of an employee is stored in its own infotype, 0006. Similarly, there are different infotypes storing personal data (0002), basic salary (0008), bank details (0009), etc.

• 0000 – 0999 – Personnel Administration (PA)
• 1000 – 1999 – Personnel Planning (PP)
• 2000 – 2999 – Time Management (PA)
• 4000 – 4999 – Recruitment (PA)
• 9000 – 9999 – Customer Specific (can store either PA or PP information depending on infotype configuration)

Some infotypes are further subdivided into subtypes, an example being the address infotype. An address entry can belong to the subtype permanent residence, temporary residence, mailing address, emergency address, etc.

Infotypes are relevant from a security standpoint because SAP provides standard authorization objects which allow us to secure infotype and subtype combinations for users.

How to provide or restrict access to these infotypes?
Ans : This is possible with the help of infotype access restrictions through authorization objects. These are the objects:

PA Data (Employee Data) : PA data can be restricted by the following authorization objects.
P_ORGIN : HR Master Data
P_ORGXX : HR Master Data Extended Check
P_PERNR : HR Master Data Personnel Number Check
P_APPL : HR Applicants

PD/OM/PP Data (Company Data) : It can be controlled by one object.
PLOG : HR Personnel Planning

Payroll Data :
P_PCLX : HR Clusters

T-Codes
PA20 : Display HR Master Data (Employee Data)
PA30 : Maintain HR Master Data (Employee Data)
PO13 : Maintain Position (Company Data)
PO10 : Maintain Org Unit (Company Data)

Note : As security consultants we don't create HR master records; HR master records are created only by the HR functional consultant.

What is the difference between a UMR (user master record) and an HR record?
SU01 – SAP Access
PA20 – Employee Record
Communication infotype (0105) : This is the link between SU01 and PA20.

Indirect Role assignment : In indirect role assignment we are not assigning a role directly to the user; we are assigning a position to the user. There are two types of indirect role assignment.

• Position Based
• Org Unit Based

[Diagram: Role → Sales Manager (Position) → 100096 (Person No) → Communication infotype → Bell3 (User_Id)]

What is Organization Hierarchy?
In every organization there are several departments, and departments ultimately report to other departments at a higher level. The organization hierarchy is the structure from the top level to the bottom level: who reports to which department and who holds which position (for example, the head of a department), in order to segregate those departments. So the organization hierarchy is one of the most important parts of the HR system.

[Diagram: Organization → Sales Department (Manager, Clerk); Finance Department (Manager, Clerk); HR Department (Manager, Clerk)]
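The chain described above for indirect role assignment (role, position, person number, communication infotype 0105, user ID) can be modelled in a few lines. This is an added example, not SAP code or part of the original material: the role names, the users other than Bell3 and the person numbers other than 100096 are constructed, and it assumes an org-unit role reaches only positions placed directly in that unit.

```python
# Simplified model of indirect role assignment (constructed data, not SAP code).
POSITION_ORG_UNIT = {              # position -> org unit in the hierarchy
    "Sales Manager": "Sales Department",
    "Sales Clerk": "Sales Department",
    "Finance Manager": "Finance Department",
}
POSITION_ROLES = {"Sales Manager": {"Z_SALES_MGR"}}         # hypothetical role names
ORG_UNIT_ROLES = {"Sales Department": {"Z_SALES_DISPLAY"}}  # hypothetical role names

HOLDER = {                         # position -> person number of the holder
    "Sales Manager": "100096",
    "Sales Clerk": "100097",       # constructed
    "Finance Manager": "100098",   # constructed
}
INFOTYPE_0105 = {                  # person number -> SU01 user ID
    "100096": "Bell3",
    "100098": "Fin1",              # constructed; 100097 has no 0105 record
}


def resolve_roles(holder, infotype_0105):
    """Return (user -> roles, person numbers whose roles reach no user)."""
    user_roles, unlinked = {}, []
    for position, pernr in holder.items():
        # Position-based roles plus roles attached to the position's org unit.
        roles = set(POSITION_ROLES.get(position, set()))
        roles |= ORG_UNIT_ROLES.get(POSITION_ORG_UNIT[position], set())
        if not roles:
            continue
        user = infotype_0105.get(pernr)
        if user is None:
            # The position carries roles, but without infotype 0105 there is
            # no link from the HR record to an SU01 user.
            unlinked.append(pernr)
            continue
        user_roles.setdefault(user, set()).update(roles)
    return user_roles, sorted(unlinked)


if __name__ == "__main__":
    print(resolve_roles(HOLDER, INFOTYPE_0105))
    # Moving 100096 to the clerk position changes Bell3's roles
    # without any change to the user master record.
    print(resolve_roles({"Sales Clerk": "100096"}, INFOTYPE_0105))
```

The second return value is the useful audit output: persons who hold a role-bearing position but have no 0105 record linking them to a user.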

Structural Authorizations
Structural authorizations, as the name suggests, are used to restrict access to a certain organizational structure. As such, they are only used while accessing HR data. In general, structural authorizations serve two purposes:

• Restrict access to certain OM objects like Org Units, Jobs, Tasks, Qualification Catalogs, etc.
• Secondly, in interaction with the access to authorization objects for PA master data, they can restrict access to a certain set of persons in the enterprise.

While using structural authorizations, it is important to note that:

• A person's total authorization is a result of the interaction between his general authorizations (through roles) and his structural authorizations (through PD profiles).
• Structural authorizations are always used to restrict access. You can never use structural authorizations to grant access. They can only be used to restrict access to a smaller set of objects or people than is already given through general authorizations.
• While using structural authorizations to restrict access, we need to ensure that access to the corresponding objects is also added to the user's roles through PLOG.

PD Profile : A PD profile is used to limit access in structural authorization.

[Diagram: Role → Sales Manager → 100096 (Person No) → Bell2 (User_id); Sales PD Profile]

PD Profile T-codes

• OOAC
• OOSP
• OOSB

OOAC : Activate the structural authorization switch.
OOSP : PD profiles are created through the OOSP transaction. SAP provides a few standard profiles, but to a large extent PD profiles are created by individual customers depending on their requirements.
OOSB : Transaction OOSB can be used to assign one or more PD profiles directly to users.
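The interaction between general and structural authorizations described above can be checked with a small model. This is an added example, not SAP's evaluation logic or part of the original material: the person numbers other than 100096, the placement of persons in org units and the "read" access level are constructed assumptions.

```python
# Simplified model: total authorization = general authorization (roles)
# intersected with structural authorization (PD profile). Constructed data.
ORG_TREE = {                       # org unit -> child org units
    "Organization": ["Sales Department", "Finance Department", "HR Department"],
}
PERSONS_IN_UNIT = {                # org unit -> person numbers (constructed)
    "Sales Department": {"100096", "100097"},
    "Finance Department": {"100098"},
    "HR Department": {"100099"},
}


def persons_under(root):
    """Persons reachable from a PD profile's root org unit (whole subtree)."""
    found = set(PERSONS_IN_UNIT.get(root, set()))
    for child in ORG_TREE.get(root, []):
        found |= persons_under(child)
    return found


def may_access(general, pd_roots, pernr, infotype, level):
    """general: (infotype, level) pairs granted through roles.
    pd_roots: root org units of the PD profiles assigned to the user."""
    if (infotype, level) not in general:
        # No general authorization: a PD profile restricts, it never grants.
        return False
    allowed = set()
    for root in pd_roots:
        allowed |= persons_under(root)
    # The structural profile narrows the set of persons the role applies to.
    return pernr in allowed


if __name__ == "__main__":
    # Role grants read access to address (0006) and basic salary (0008).
    general = {("0006", "read"), ("0008", "read")}
    sales_profile = ["Sales Department"]
    print(may_access(general, sales_profile, "100096", "0006", "read"))  # inside structure
    print(may_access(general, sales_profile, "100098", "0006", "read"))  # outside structure
    print(may_access(general, ["Organization"], "100098", "0009", "read"))  # not in role
```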