Assigning Roles to a Position in HCM

This document covers the step-by-step process of assigning roles to a position, which in turn is assigned
to an employee/user. In SAP HR, we assign roles to a position that is held by an employee/user.

First go to PA30 and fetch the details of the corresponding employee/user.

Then select the Organizational Assignment infotype (IT0001) and display it.

Take the details of the position held by the employee (position no.) as highlighted in the screen shot. Once
you have the position details, execute the tcode PFCG.

Enter the role you wish to assign to the employee/user and select the Change icon. Then go
to the User tab and select the Organizational Management button.

Once you select the Organizational Management button, the following screen will appear.

Select the second option from the left on top, i.e. Create Assignment, as highlighted in the screen shot.
The following screen will appear.

Select the Position option from the dialog box and press Enter.

Enter the position no. (as fetched in the initial steps) in the Choose Position dialog box and press
Enter. The following screen will appear.

Now you can create the relationship between the position and the role here. You can also specify the
begin date and end date for the role being assigned to the position, i.e. you can decide how long
the role stays assigned to that position. After entering the dates, press
Create as highlighted. The following screen will appear.

Click on the first icon from the left on top, i.e. Indirect User Assignment Reconciliation, as highlighted.

After performing the required actions, come back to the Change Roles screen.

Click on the User Comparison button and then press the Complete Comparison button, which appears
on the pop-up screen. Once the comparison is done, the User Comparison button on the main screen will
turn green, indicating that the process was completed correctly.

Once you are done with the above steps, go to tcode SU01 to check whether the role has been
assigned to the user.

Enter the username in the User text box and press the Display icon in the top menu, as highlighted in
the screen shot.

Go to the Roles tab to check the roles assigned to the employee/user.

The highlighted portion shows that the role has been assigned to the employee/user. We can
follow the same steps to assign other roles.

Changing the SAP Time Zones

Please note that a change of time zone is reflected in all clients, so be cautious when
changing the time zone.

Go to transaction STZAC.

Now, for demo purposes, let's change the system time zone from CET (Central Europe) to INDIA.

You can use F4 to select the new time zone INDIA.

Save your entries.

You would be prompted to enter the customizing request. Enter the details.

To view the list of time zones, the transaction STZBC can be used. Here you can deactivate
time zones, set the time zone rules, and so on.

Defining Authorization objects for custom database tables

By Divya Nayudu, TCS

Authorization Objects

An Authorization Object, as the name suggests, is a method of restricting users' access to a particular
application created in the system. It could simply be denying a user the ability to view confidential data on-screen
or denying access to certain transactions.

With this feature, SAP has the flexibility to decide at runtime whether a particular
user is allowed to access a given application or not.

To get an in-depth picture of authorization and the way it works, we'll look at an example that
demonstrates the use of an Authorization Object.

Example:

Requirement: We have a few Z-tables in our system that contain confidential data, which must not be
accessed by all users. Only authorized persons can have access to the data. So, in case these tables are
used in any program, for display/write purposes, that program should be executable only by authorized
users. Please make sure to disable Table Entries while creating the tables, and do not create a Table
Maintenance Generator either. Only this program would be used to perform read/write operations on the
table.

Resolution: We'll see, step by step, what needs to be done in order to fulfill the mentioned
requirement.

Giving authorization to access (read / write) into z-tables

Steps:
1. To begin with the Authorization Object, we'll enter the Tcode SU21. Here, we will create the following, in
the order shown:

I. Object Class

II. Authorization Object

2. On clicking Object Class (as shown in the above screen shot), you'll see the window shown
below. Enter the object class name and description, and click on SAVE. You can also use an available object class
for your Authorization Object. For example, in the case of the HR module, you can make use of the object class
HR, and then you need not create one.

3. Once you create the object class (e.g. Test), you'll see a folder with that name in the list. Now your
object class is ready. We will need this object class to encapsulate the Authorization Object that we
will be creating. Click on the object class created, and then click on Create - Authorization Object (shown
in the figure in step 1). On clicking, you'll see the screen shown below.

Give the respective field name, in our case PERNR (Employee Number), as shown in the above
diagram. We will be keeping a check on the employee number to see whether the employee has
authorization to access the report (made to view the Z-tables) or not.

4. Now, we need to create a role, inside which we will attach our Authorization Object. Enter
transaction code PFCG to create a role.

Select the Authorizations tab and click on the icon next to the profile name, as shown in the figure
above. On clicking that icon, the system will generate a profile name and a description for the
same.

5. Click on the Change authorization data as shown in the figure below:

You'll see a new screen with the role name on the top left. Here you will have to add the Authorization
Object that was created in SU21.

6. Click on the Manually button shown in the toolbar to add the Authorization Object, as shown in the
figure below. Here you can add your Authorization Object to the list and press Enter.

7. Now you need to add values (employee numbers) in your object for those who would be given
authorization. In our case, we will put a * symbol (to allow the system to provide access to any
employee who is assigned this role).

8. Press Save and then generate the profile by clicking on the Generate icon.

9. Finally, come out of the screen by pressing the Back button. You will see the Authorizations tab
with a green symbol, meaning the Authorization Object has been assigned and the role can be
used.

10. After these steps, if you want to give authorization to, say, Employee No. 96, go to
Transaction SU01, click on the Roles tab and assign our role name, in our case test_role.

This way, you can assign this role to all those users who are supposed to be authorized to access
the report (for data entry in the table).

11. Finally, in the main program that has been created, we need to write a small piece of code, as shown
below, which will decide whether that employee is authorized or not:

REPORT ZCHECK_AUTH.

DATA : L_PERNR TYPE PERNR_D.

* Look up the personnel number mapped to the logon user (infotype 0105)
SELECT SINGLE PERNR INTO L_PERNR FROM PA0105
  WHERE UNAME EQ SY-UNAME AND USRTY EQ '0001' AND
        BEGDA LE SY-DATUM AND ENDDA GE SY-DATUM.

* Check the authorization object created in SU21 for this employee number
AUTHORITY-CHECK OBJECT 'Z_OBJECT1'
  ID 'PERNR' FIELD L_PERNR.

IF SY-SUBRC <> 0.
  MESSAGE 'No authorization' TYPE 'E'.
ELSE.
**** Here you can have the Query to view the table or perform any
**** action related to the Z-tables
  MESSAGE 'Congrats! You are authorized' TYPE 'I'.
ENDIF.

If the user passes this authorization check, the return code SY-SUBRC is set to 0. Hence, users who are
not assigned the role will not be able to access this report if they try to.

This way, you can provide authorizations on any Z-objects.
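
An added example, not part of the original document: the check from step 11 extended so that display and change are authorized separately, which the PERNR-only object cannot do. It goes beyond the page's case and assumes Z_OBJECT1 has been extended in SU21 with the standard ACTVT field and that roles maintain 03 (display) or 02 (change); the report name ZCHECK_AUTH_ACTVT and the parameter P_CHANGE are hypothetical.

```abap
REPORT ZCHECK_AUTH_ACTVT.

* Hypothetical selection-screen switch: ticked when the user wants to write
PARAMETERS P_CHANGE AS CHECKBOX.

DATA: L_PERNR TYPE PERNR_D,
      L_ACTVT TYPE C LENGTH 2.

* Map the logon user to a personnel number (infotype 0105, subtype 0001)
SELECT SINGLE PERNR INTO L_PERNR FROM PA0105
  WHERE UNAME EQ SY-UNAME AND USRTY EQ '0001' AND
        BEGDA LE SY-DATUM AND ENDDA GE SY-DATUM.

* Fail closed: without a mapping there is no employee number to check
IF SY-SUBRC <> 0.
  MESSAGE 'No personnel number is mapped to this user' TYPE 'E'.
ENDIF.

* Standard activity values: 02 = change, 03 = display
IF P_CHANGE = 'X'.
  L_ACTVT = '02'.
ELSE.
  L_ACTVT = '03'.
ENDIF.

* Assumption: Z_OBJECT1 carries the fields PERNR and ACTVT
AUTHORITY-CHECK OBJECT 'Z_OBJECT1'
  ID 'PERNR' FIELD L_PERNR
  ID 'ACTVT' FIELD L_ACTVT.

CASE SY-SUBRC.
  WHEN 0.
* Authorized: read (03) or update (02) the Z-tables here
    MESSAGE 'Authorized for the requested activity' TYPE 'I'.
  WHEN 4.
* The user has the object, but not with these field values
    MESSAGE 'Not authorized for this activity' TYPE 'E'.
  WHEN 12.
* The object is not in the user master record at all
    MESSAGE 'Object Z_OBJECT1 is not assigned to you' TYPE 'E'.
  WHEN OTHERS.
    MESSAGE 'Authorization check failed' TYPE 'E'.
ENDCASE.
```

With * maintained for PERNR as in step 7, the ACTVT value is what separates users who may only display the tables from those who may also write to them.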