Perfil Estrutural Structural Authorizations Step by Step

Structural Authorizations
Step by Step, with Gotchas Too

by
Norm and Carl
Structural Authorizations Overview....................................................................................2

Overview......................................................................................................................2
Example.......................................................................................................................2
About this Document...................................................................................................2
Graphical Overview of Structural Authorization Components and Setup...........................3
Considerations for Structural Authorization Implementation..............................................3
Considerations for Structural Authorization Implementation..............................................4
Gotchas........................................................................................................................4
Overall Design Considerations....................................................................................4
Steps to Implement Structural Authorizations.....................................................................5
1. Turn on PD PA Switch............................................................................................5
2. Turn on Structural Authorizations Main Switches...................................................6
Description.......................................................................................................................6
3. Create Organizational Plan......................................................................................7
4. Create Personnel Master Record............................................................................11
5. Create User ID’s....................................................................................................16
6. Create Infotype 105...............................................................................................17
7. Create Structural Authorization Profiles................................................................19
8. Create Infotype 1017.............................................................................................22
9. Assign Structural Authorization Profiles to User ID’s...........................................25
10. Setup Regular Security........................................................................................28
Appendix 1.........................................................................................................................30
Authorization Main Switches....................................................................................30
Maintain Authorization Main Switches.........................................................................30
Standard Settings...........................................................................................................30
Further Notes.................................................................................................................31
Appendix 2.........................................................................................................................32
Appendix 3.........................................................................................................................34
Assign Structural Authorization Profile to User ID Manually..................................34
Norm & Carl’s Big Document about Structural Authorizations ®©™
Structural Authorizations Overview

Overview
Structural authorizations are used to grant access to view information for personnel where
HR has been implemented. Access is granted to a user implicitly by the user’s position on
the organizational plan. Structural authorizations are not integrated into the standard
authorization concept and structural authorization profiles are not the same as standard
authorization profiles.
Example
The use of structural authorizations can be illustrated by the following example. A
manager can typically view or maintain information on employees in her organizational
unit but not employees in other organizational units. When an employee moves from one
unit to another his previous manager will no longer be able to view or maintain
information about them. Similarly if a manager moves from one unit to another she will
be able to see the employees in her new unit.
About this Document

This document shows how to set up a very simple example of structural authorizations
that are assigned to Organizational Units. All the steps of setting up a test environment
are documented below so you can try it too. There are some gotchas and design
considerations listed up front and some additional information listed in the many
appendices at the end.
Page 2
Graphical Overview of Structural Authorization

Components and Setup
The graphic below shows the main components of structural authorizations at a high
level. The setup of structural authorizations is more complex than regular security
authorizations. None of the main setup steps can be omitted or incomplete. Structural
authorizations setup is analogous to an electric circuit. If there is a break anywhere in the
circuit structural authorizations it will not work.
Structural
Authorization Infotype 1017
Report Profile
RHPROFLO
(daily) Org Unit
Position
Task
Standard Task
PD PA Switch
ON
HR Main Switch Organizational
User ID Plan Node
(AUTSW- ORGPD)
ON
Security Role
Profile
Authorizations
Transaction
Communication PPOM_OLD
Infotype 105 Personnel
Master
Record
Key:
Configured in Production
Configured in Development
Configured in All Environments
Page 3
Considerations for Structural Authorization

Implementation
Gotchas
 Setting up structural authorizations has some dependencies so follow the order of
the steps in this document for best results.
 Structural authorization profiles are not related to standard security profiles in
any way.
 Unassigned Users: User IDs that have been linked to a Personnel Master Record
via Infotype 105 MUST be assigned a structural authorization profile regardless
of whether they are assigned to a node on the organizational plan or not. (See
Appendix 3)
 There is no way to trace structural authorization checks, and structural
authorization checks that fail do not show in SU53. The closest thing to a trace is
the information available in OOSP by clicking on the Blue I icon next to the
profile. This lists the effect of the structural authorization when it is working.
 The HR Main switch: Tolerance time of the authorization check (ADAYS) which
is 15 by default did not affect the structural authorizations in this example. In tests
where a manager was moved from one organizational unit to another the effect of
the structural authorizations was immediate after running report RHPROFL0. The
manager can no longer see information for anyone in their old organizational unit.
Overall Design Considerations

1. What level of the organizational plan to assign structural authorizations – we use
org units in this example. This allows managers in the same org unit and same
level to see each other’s information. If this was not acceptable then a hybrid
approach of organizational units and positions could be used. It seems most
efficient to attach structural authorizations to the highest node on the
organizational plan possible. Note that we create profiles with authorization for an
organizational unit but we assign these profiles to positions.
2. As mentioned in Gotchas above unassigned users linked to personnel master

records with access to HR transactions can see personnel data for any user. This
has an impact on how you design both standard roles and also procedures for
creating roles. One way to make sure that unintended access does not occur is to
assign a dummy structural authorization to every user in the system with. The
dummy structural authorization should be empty. It is possible to control this
using infotype 105 as well. Any user ID that is not associated with a personnel
master record will not be able to view other users information with the correct
standard authorizations assigned to the User ID.
Page 4
Steps to Implement Structural Authorizations

1. Turn on PD PA Switch
Tcode: OOPS
Action: Ensure value registered for PLOGI – ORGA is X. No other values need to be
checked or changed.
Explanation: PD and PA sub modules of HR are not configured to share data by default
in the SAP delivered system. This switch must be on for data to flow between both
modules.
Additional Info: None
Gotcha:
 Do not create your Organizational Plan without this switch on.
 If you do, structural authorizations will not work and some org and infotype setup
will not work.
 ***You cannot turn the switch on and get structural authorizations on an
organizational plan, that was created while it was off, to work.***
Page 5
2. Turn on Structural Authorizations Main Switches

Tcode: OOAC
Action: Ensure values for the main authorization switches in HR are set to the following
Values
Group Sem. abbr. Value abbr.Description
AUTSW ADAYS 15HR: tolerance time for authorization check
AUTSW APPRO 0HR: Test procedures
AUTSW NNNNN 0HR: Customer-specific authorization check
AUTSW ORGIN 1HR: Master data
AUTSW ORGPD 1HR: Structural authorization check
AUTSW ORGXX 0HR: Master data - Extended check
AUTSW PERNR 1HR: Master data - Personnel number check
Explanation: The SAP delivered system has similar values as above but PERNR = 0.
Gotcha: Make sure that ORGPD = 1 otherwise structural authorizations will not work.
Additional Info: Appendix 1
Page 6
3. Create Organizational Plan

Tcode: PPOM_OLD
Action:
1. Create the root of your Organizational Plan
 Organizational Plan > Create
 Enter info and click Create
2. Create Organizational Units

 Select the Organizational branch you want to build on and click Create
 Fill in the abbreviations and names of the child structures (one level at a time) in
the popup dialog box.
Page 7
Example of the results:
3. Create and assign positions

 Click on Staff Assignments button
 Select the unit that the position will be part of, then click on Create Positions…
 In the popup dialog box select a job description in the Choose Describing Job
field group, fill in the fields in the Position field group and save.
Page 8
Example of the results:
4. Designate Chief Positions

 Select the Position which will be the manager’s position and Select Edit > Chief
Position > Create
Page 9
 Select the position in the Create Chief Position dialog box and click on Save
Results:
Notice the position Manager of BC now has a Hat next to it and the name of the Chief is
listed below the Org Unit.
Explanation: Structural authorizations work based on this hierarchy (the Organizational

Plan). This is the ‘structure’ in ‘structural’ authorizations.
Gotcha:
 Don’t start this step without first ensuring the PD PA switch is on (the first step in
this document).
 If we want to use Manager’s Desktop we need to designate a position as Chief.
The user(s) associated with this position will only be able to access Manager’s
Page 10
Desktop if their position is designated as Chief. Chief positions can have more
than one person assigned, i.e. a single business unit can have more than one
manager at the same level.
 SAP’s documentation indicates that performance may be adversely affected by the
complexity of structural authorizations.
4. Create Personnel Master Record

Tcode: PA40
Action: Create a personnel master record and assign it to the organizational plan.
1. Ensure that Personnel no. field is empty. Select a hiring action from the bottom of
the screen and Click on execute.
2. Enter basic data for the master record.

 Enter a Start Date (current date is fine).
 Enter Personnel Area, Employee Group and Subgroup.
 Enter the Position Number to assign this employee to a node on the organizational
plan.
 Save
Page 11
3. Enter more personal data.

 Enter First and Last Name
 Select Gender
 Enter SIN number 000000000
 Enter birthday
 Save
Page 12
4. Enter Information on one more screen.

 Enter the Payer Area and Subarea
 Save.
Page 13
5. End maintenance for this action

 Back out of the above screen
 Yes to this message
 Record the Personnel Number on the next screen
Results:
Page 14
Explanation: User ID’s are not assigned directly to the organizational plan. The User
Master Record (User ID) is relatively simple and is mostly used to give access to the SAP
system. In SAP a personnel master record is created and assigned to the organizational
plan. The Personnel Master Record is then linked to the User ID, which is the next step in
building structural authorizations.
Gotcha:
 Ordinarily all personnel master records will be assigned to a node on the
Organizational Plan. See Unassigned Users in the Gotchas in the Overview at the
beginning of this document for more on this issue.
 The sequence of the screens in this action can vary
Page 15
5. Create User ID’s

Tcode: SU01 or SU10 (Mass Create)
Action: Create users (Suggest creating users with a name similar to the Personnel Master
employee name)
Explanation: User master records must exist before you can proceed to the next step.
Gotcha: If you use mass create make sure that request ‘with log’ and print or save the log
so you know what the initial password is for each user.
Page 16
6. Create Infotype 105

Tcode: PA30
Action: Create Infotype 105 for each Personnel Master Record
1. Enter Personnel ID, Info Type 105 and Subtype 0001.
2. Enter the User ID in the ID/Number field
Page 17
Explanation: The user master record and the personnel number have to be linked
because it is the personnel number that is associated with the Organizational Plan. When
the user logs on SAP needs to know which personnel number is associated with that user
ID in order to grant structural authorizations.
Gotcha: None
Page 18
7. Create Structural Authorization Profiles

Tcode: OOSP
Action: Create structural authorization profiles and then define the details of the
authorization profile.
1. Click new entry. Enter the authorization profile names, and descriptions. Click
Save. (If you don’t save here you won’t be able to see the profile in the selection
list of the next step)
Click here
to check
information
Check the information for a profile e.g. Manager West.
Page 19
Note: No organizational plan units are shown in the list.
2. Define the structural authorization profile.

 Select a profile and click on Authorization Maintenance on the left side
 Click on New Entry
 Enter the following:
Field Value
Profile: Select a structural authorization profile
No. Choose an interval e.g. 10
Plan vers. Select a plan version probably 01
Obj. type In this case we are securing by Org unit. Enter O
Object ID In this case we are securing by Org unit. So enter the
Org unit number
Maintenance Check this on
Eval.path Recommend O-S-P
Status vec Recommend 12
Depth Recommend no entry
Sign Recommend no entry
Period Recommend no entry
Function module Recommend no entry
Page 20
Explanation: We are creating structural authorization profiles here. In order to limit a

user’s access to information according to the structure of the organization plan, you must
define the place on the organizational structure below which a user can see personnel
information.
Gotcha: Check the info button on the profile to make sure that the profile a) gives access
to something and b) gives access to the right thing.
Additional Info: Appendix 2
Page 21
8. Create Infotype 1017

Tcode: PO10 (Organizational Unit) or PO13 (Position)
Action: Create Infotype 1017 for all relevant nodes on the Organizational Plan. In this
case all Positions (Tcode PO13)
1. Select the position
2. Select the PD Profile infotype from the scrollable list and click on Create
button
Page 22
3. Enter the profile name in the Profile field and click on the Save button
Page 23
Explanation: This infotype links the structural authorization profile to a node on the
organizational plan. In our example we use PO13 to assign the authorization to a
Position. Note we can assign the structural authorization profile to other types of nodes
e.g. an organizational unit but we must use different transactions for each different node
type.
Gotcha: This has to be done manually. SAP documentation may seem to indicate that
report RHPROFL0 will do this, it doesn’t, this step must be done manually.
Page 24
9. Assign Structural Authorization Profiles to User ID’s

Tcode: SE38
Action: Use report RHPROFL0 to automatically assign the appropriate structural
authorization profile to each User ID. This program will update the table in transaction
OOSB.
1. Execute the report
2. Enter the following data, the Object ID should be the object ID for the root of the
Organizational Plan.
Field Value
Organizational Unit O
Object ID e.g.50000753
Evaluation Path PROFL0
Test Session (check on)
Leave all other defaults as they are.
Page 25
3. Execute in test mode
Page 26
Note: The lights in the left margin of the report are yellow. This is because the
assignment has NOT been made yet.
4. Back out of this screen. Uncheck Test Session and then Execute to have the
changes made.
Page 27
Note: The lights in the left margin of the report are green now. This indicates that the
assignment has been made.
Explanation: This report assigns a structural authorization profile to the user ID based on
the Organizational Plan. If we had not first completed all the main steps listed above this
report would be empty. The report is a positive indicator that some of the steps to setup
structural authorizations have been completed successfully. It is possible however, to
have results with this report and yet have structural authorizations that do NOT work.
Gotcha:
 Don’t forget to execute the report with Test Session unchecked!
 This report should be run daily to update the authorizations of users based on
changed made in the Organizational Plan.
 Ensure that the Infotype 1017 has been populated for all relevant nodes on the
Organizational Plan.
10. Setup Regular Security

Tcode: PFCG
Action: Create regular security role and assign to User ID
1. Create a role that gives access to regular HR transactions for all employees. E.g.
Time Entry CAT2, PA20, PR20 Enter expenses
2. Create a role that gives access to manager HR transactions. E.g. Time Approval
CADO , PPMDT Managers Desktop, PR05 Approve Expenses
Page 28
Explanation: Structural authorizations are used in addition to standard security. Setup

two roles to do positive and negative tests.
Gotcha: None
Page 29
Appendix 1
Authorization Main Switches
Gotcha: This is SAP delivered information. It is not that easy to understand. The bottom
line is make sure the Structural authorization switch and the P_PERNR switch are on.
Maintain Authorization Main Switches

In this step you maintain the authorization switch and adapt, if necessary, the profile generator
specifications. You must process the profile generator specifications if you intend to make
changes to the main switch settings.
You can process the authorization main switch using transaction HR: Authorization main switch
(OOAC).
Using the Auth.object check under transactions transaction (SU24) you maintain whether a
transaction checks an authorization and/or whether the relevant authorizations are offered in the
profile generator for maintenance.
The profile generator recognizes whether authorization objects are used in transactions using the
legal check status. You can process this manually, also using the Auth.object check under
transactions transaction (SU24). Also check the individual authorization objects under Process
check status in all transactions. Ensure that the following check indicators are set:
 When you switch on the HR: Master data (P_ORGIN), HR: Master data - extended
check (P_ORGXX) and HR: Master data - personnel number check (P_PERNR)
authorization objects, you must set the relevant check/maintain check status in the
primary transaction that accesses these objects. You recognize these in the standard
system, because the check indicator is set to check/maintain (PP) for the HR: Master
data (P_ORGIN) object. In addition to this, please note the example below.
 When you switch off the HR: Master data (P:ORGIN) authorization object, you must
reset the check indicator for the HR: Master data (P_ORGIN) authorization object from
check/maintain (PP) to check (P).
Example (1):
The HR: Master data (P_ORGIN) object is switched on, the HR: Master data - extended check
(P_ORGXX) and Master data - personnel number check (P_PERNR) objects are switched off.
No customer action is necessary.
Example (2):
The HR:Master data - extended check (P_ORGXX) object is switched on, the HR: Master data
(P_ORGIN) and HR: Master data - personnel number check (P_PERNR) objects are switched
on. You must set the following check status:
For the HR:Master data - extended check (P_ORGXX) object, copy the default check indicator
of the HR: Master data (P_ORGIN) object. Then change the check indicator of the HR: Master
data (P_ORGIN) object from check/maintain (PP) to check (P). Leave the given check status
for the HR: Master data - personnel number check (P_PERNR) object as it is.
Standard Settings
In the standard system the authorization main switches and settings are defined as follows:
Switch Setting
HR: Tolerance time of the authorization check (ADAYS)15
HR: Check procedure (APPRO) 0
HR: Customer authorization check (NNNNN) 0
Page 30
HR: Master data (ORGIN) 1
HR: Structural authorization check (ORGPD) 1
HR: Master data - extended check (ORDXX) 0
HR: Master data - personnel number check (PERNR) 0
Further Notes
When you use a customer authorization object (P_PNNNN) you must maintain it in the Auth.
object check under transactions transaction, analogous to the HR: Master data (P_ORGIN),
HR: Master data - extended check (P_ORGXX) and HR: Master data - personnel number
check (P_PERNR) objects.
Example:
When the switch is off for the HR: Master data (P_ORGIN) and HR: Master data - extended
check (P_ORGXX) objects and is on for the customer object (PNNNN) and HR: Master data -
personnel number check (P_PERNR) object, you must reset the check status for these -
corresponding to the setting of the HR: Master data object (P_ORGIN) in the standard system -
to check/maintain (PP), and for the HR: Master data (P_ORGIN) and HR: Master data -
extended check (P_ORGXX) to check.
Page 31
Appendix 2
PD Authorization configuration fields
Field Name Description
Auth Profile Chose an authorization profile. For this example we always

selected the authorization profile that we were editing.
Gotcha: The profiles that have not been saved will not show
in the list.
Line Number Enter a line number for each authorization. (Each line in this
screen is a separate authorization.) This is a unique identifier
for the authorization. Choose any number, we chose 10 for
our first authorization. The second authorization would be
20…
Plan Version Specify the current Plan version. Usually 01 (the active plan)
Object Type Specify object type We used O for Organizational Unit but
you can assign authorizations to positions tasks and standard
tasks too.
Object ID Specify the object ID of the object in the Object ID field.
Maintenance Two types of function codes exist. A function codes with
"maintaining" and a code with "non-maintaining" attributes.
The maintenance function code is linked to T77FC and is
activated by flagging the Maintenance field. If the
Maintenance field is flagged, maintenance is possible for the
authorized objects defined in the PD Profiles.
Evaluation Select path from the list of delivered evaluation paths. Note:
Path You can create a custom path via the IMG - “Maintain
evaluation paths.” (O-S-P).
Status Vector Select the planning status (1-Active, 2-Planned, etc).
Depth Leave blank or specify the descending level of organizational
units to access.
Sign Controls access of structure direction. (+) or blank (default)
Structure is viewed from root object and down. (-) Structure
is viewed in reverse from root object.
Time Period Use this field if you want to restrict the auth. according to the
validity period of the structure. If you select the entry D the
authorization is limited to structures valid on the current day.
Possible entries:
Blank - All
D – Current Day
M – Current Month
Y – Current Year
P – Past
F - Future
Page 32
Field Name Description
Function This field allows you to specify a function module to

Module determine the root object of the structural authorization.
Possible entries:
RH_GET_MANAGER_ASSIGNMENT (Determine
organizational units for manager)
This function module finds the root organizational unit with

which the user is related via the position and relationship
A012 (manages).
RH_GET_ORG_ASSIGNMENT (Organizational
assignment)
This function module finds the root organizational unit to

which the user is organizationally assigned.
Page 33
Appendix 3
Assign Structural Authorization Profile to User ID Manually
Unassigned Users: User IDs that have been linked to a Personnel Master Record via
Infotype 105 MUST be assigned a structural authorization profile regardless of whether
they are assigned to a node on the organizational plan or not.
Why? Users in this situation will be able to see HR data for any Personnel Master Record
as long as they have the standard authorization profiles that give access to transactions
where HR data can be seen, and which give access to HR data to see other people’s data.
Solution: If the user is not on the Organizational Plan we need to assign the profile
manually. If the user is assigned to a node on the Organizational Plan AND that node has
a structural authorization profile assigned to it, we need to run report RHPROFL0 and we
need to make sure the user does not log on. If the user is assigned to a node AND that
node does not have a structural authorization profile assigned to it we need to assign the
profile manually.
It is possible to assign a structural authorization directly to a user instead of having the

profile assigned indirectly by virtue of the user’s assignment in the Organizational Plan
and the structural authorization profile that is assigned to the same node as the user. This
is not the recommended approach because it will require increased maintenance.
Assigning one or more structural authorizations directly to a User ID means that we are
not taking advantage of SAP delivered functionality which allows implicit assignment of
HR authorizations. If this approach is used then when the user is promoted for example,
maintenance will have to be done on both the Organizational Plan and in Transaction
OOSB. Assigning structural authorizations to users may be useful for temporary
assignments, or testing.
Tcode: OOSB
Action: Assign structural authorization profile (created in OOSP) to the UserID
1. Click on New Entries button and enter the Name of the user, the name of the
profile the start date, end date. And save
Page 34
2. Check to see that the profile is giving access to the appropriate Organizational
units Positions etc…
Page 35
Explanation: This is analogous to assigning a profile generator role to a user ID. SAP
needs to know what structural authorization profiles a user takes advantage of .
Gotcha: You need to assign every user in the system at least one structural authorization
profile including consultants. Create a dummy authorization profile and assign it. (To be
verified by Norm 20.06.2001)
Additional Info: start date, end date limit the validity of the authorization so if the
authorization has an end date of June 30 then on July 01 they will no longer be able to see
information on their subordinates.
Page 36
Transactions and Reports for checking HR authorizations
Transaction HRAUTH - A new tool has been developed for analyzing authorizations. Please check note 902000
for information about the delivery. With this tool, you will be able to see at a glance all the HR authorization related
settings.
When calling this transaction, two tabs will be displayed: Overview and User-Specific.
In tab you will get:
 Information about the authorization related BAdis, and if these BAdis have been implemented in the
system. Is it also possible to navigate to them and documentation is also available.
 Information about the authorizations settings in table T77S0, and the assigned value for them.
 Also, the profile assigned to SAP* will be displayed.
 If a job has been schedule for reports RHPROFL0, RHBAUS00, RHBAUS01 or RHBAUS02 the last
execution date will be displayed (for further information about these reports, please check their documentation).
 Information about entries in tables T77PR (structural profiles), T77UA (assignment of users to structural
profiles), T77UU (user in SAP memory), HRP1016 and HRP1017 - these two tables are important as
authorizations (standard and structural), can also be assigned through the organizational structure.
 With button we can see the Auth. Access flag for all the
infotypes maintained in table V_T582A.
In tab , we can get authorization info for a user:
 User's organizational unit

 User's personnel numbers
 Roles and standard profiles
 HR authorization Objects (P_ORGIN, P_ORGXX...)
 Structural profiles
 Entries in table INDX
 Entries in T77UA
 Entries in T77UU
In the tool bar there is also a direct link to the HR authorization document
'Authorizations in mySAP HR'.
Is it possible also to execute RHBAUS00 report pressing button .
The most important development here is button . This calls report RSUSR050. Using this
report it is possible to compare users, roles, authorizations and profiles, and it is also possible to compare them
across systems (if corresponding RFC connection has been set up). For further information, check the report
documentation.
Report RHUSERRELATIONS - Use report RHUSERRELATIONS to check HR authorization settings. Enter the
user with the authorization issue in field 'User name'.
1.- Button : Use this button to display the main authorization settings
in T77S0. Is it also possible to check these values entering this table in transaction SM30. These parameters are:
Page 37
AUTSW ORGPD HR: Structural Authorization Check - This parameter can have the following values:- 0 - Structural
authorizations will not be checked in Personnel Administration. IMPORTANT- they will be always checked in Org.
Management.
- 1 - If an organizational unit is assigned in infotype 0001, the system checks against this organizational unit. If no
organizational unit is assigned, the system rejects the authorization.
- 2 - The system does not evaluate the organizational unit and rejects the authorization.
- 3 - If an organizational unit exists, the system checks against this organizational unit. If no organizational unit is
assigned, it grants the authorization.
- 4 - The system does not evaluate the organizational unit and grants the authorization.For information about this
parameter, please check note 339367.
AUTSW ORGIN HR: Master Data - If this parameter is set to 1, P_ORGIN authorization object will be checked.
AUTSW ORGXX HR: Master Data - Extended Check. If this parameter is set to 1, P_ORGXX authorization object
will be checked.
AUTSW NNNNN HR: Customer-Specific Authorization Check. If this parameter is set to 1, customer authorization
object will be checked. In order to know the name of this authorization object (it should be in the customer
namespace), just check the coding of include MPPAUTZZ. There, under the 'authorization-check' statement you
will have the name of that authorization object. Customer authorization object must contain fields INFTY Infotype
and SUBTY Subtype. It is possible also to use any of the fields from infotype 0001 organizational Assignment or in
PA0001 structure, and customer-specific additional fields as long as they are NUMC or CHAR type fields. In
addition field TCD Transaction Code and INFSU Infotype/subtype (4 characters for the infotypes and 4 for the
subtype) can be used.
These are the only fields allowed for the customer authorization object. In case customer uses a different field,
issues could arise.
In order to generate the coding, report RPUACG00 should be run for this customer authorization object.
AUTSW PERNR HR: Master Data - Personnel Number Check - If this parameter is set to 1, authorization object
P_PERNR will be checked. Check that users do not have the object P_PERNR set with the SIGN = *. This might
lead to an undefined state. The only possible values here must either be E or I.
AUTSW DFCON HR: Default Position (Context). Same possible values as AUTSW ORGPD.
AUTSW INCON HR: Master Data (Context) - If this parameter is set to 1, context authorization object
P_ORGINCON will be checked.
AUTSW XXCON HR: Master Data - Enhanced Check (Context) - If this parameter is set to 1, context authorization
object P_ORGXXCON will be checked.
AUTSW NNCON HR: Customer-Specific Authorization Check (Context) - If this parameter is set to 1, context
customer authorization object will be checked. Customer context authorization object must contain fields INFTY
Infotype, SUBTY Subtype, AUTHC Authorization Level and PROFL Authorization Profile. It is possible also to use
any of the fields from infotype 0001 organizational Assignment or in PA0001structure, and customer-specific
additional fields as long as they are NUMC or CHAR type fields. In addition field TCD Transaction Code and
INFSU Infotype/subtype (4 characters for the infotypes and 4 for the subtype) can be used.
AUTSW ADAYS HR: Tolerance Time for Authorization Check. This setting has by default value 15.
After checking these settings you will now know which are the authorization objects involved.
Page 38
2.- Button : with this button you can display the employee
number assigned to the user you are analyzing. This is important to know for example when checking P_PERNR
authorizations.
3.- Pushbutton : Use this button in order to analyze structural profiles assigned to the
user. Select the pushbutton and press F8. You will get a list with all the structural profiles assigned to the user (this
is the assignment done in T77UA). There you can select the following options:
 : Selecting a profile, you will get the objects included in that profile
(configuration in table T77PR).
 : to get the complete list of objects the user has authorizations for
according to the structural profile. This will list all the objects, including just the employees directly assigned to the
profile. This means that employees assigned to the default position will not be listed here. If an object is displayed
in this list the user will have authorization to thatobject according to the Structural authorizations. However, we still
have to check if the user has authorization to it, according to the HR authorizations.
4.- Pushbutton : select this pushbutton to display the HR authorization values

assigned to the user. Select the HR authorization objects (P_ORGIN, P_ORGXX....) and execute the report. You
will get a list with all the authorization values assigned to the user. Then you will have to check if according to
these values, the user should be able to see that object or not.
Transaction ST01 - It is also helpful to execute an authorization trace in order to check which authorization check
failed.
IMPORTANT: please for HR authorization issues, do not user transaction SU53. Please check note 565456.
Unfortunately transaction SU53 does not always show the last correct authorization check. In many cases
authorization checks are done to check something that is not relevant to carry out some activities within the actual
transaction. It means there are cases where SU53 shows a failed authorization check that the user actually doesn't
need. Some cases are for example the maximal authorization check that is checked in personal administration.
Page 39

Perfil Estrutural Structural Authorizations Step by Step

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Perfil Estrutural Structural Authorizations Step by Step

Uploaded by

Copyright:

Available Formats

Structural Authorizations

Step by Step, with Gotchas Too

Structural Authorizations Overview....................................................................................2

Structural Authorizations Overview

About this Document

Graphical Overview of Structural Authorization

Considerations for Structural Authorization

Overall Design Considerations

2. As mentioned in Gotchas above unassigned users linked to personnel master

Steps to Implement Structural Authorizations

2. Turn on Structural Authorizations Main Switches

3. Create Organizational Plan

2. Create Organizational Units

Example of the results:

3. Create and assign positions

Example of the results:

4. Designate Chief Positions

Explanation: Structural authorizations work based on this hierarchy (the Organizational

4. Create Personnel Master Record

2. Enter basic data for the master record.

3. Enter more personal data.

4. Enter Information on one more screen.

5. End maintenance for this action

5. Create User ID’s

6. Create Infotype 105

2. Enter the User ID in the ID/Number field

7. Create Structural Authorization Profiles

Check the information for a profile e.g. Manager West.

Note: No organizational plan units are shown in the list.

2. Define the structural authorization profile.

Explanation: We are creating structural authorization profiles here. In order to limit a

8. Create Infotype 1017

9. Assign Structural Authorization Profiles to User ID’s

Leave all other defaults as they are.

3. Execute in test mode

10. Setup Regular Security

Explanation: Structural authorizations are used in addition to standard security. Setup

Maintain Authorization Main Switches

HR: Tolerance time of the authorization check (ADAYS)15

HR: Check procedure (APPRO) 0

HR: Customer authorization check (NNNNN) 0

HR: Master data (ORGIN) 1

HR: Structural authorization check (ORGPD) 1

HR: Master data - extended check (ORDXX) 0

HR: Master data - personnel number check (PERNR) 0

Auth Profile Chose an authorization profile. For this example we always

Field Name Description

Function This field allows you to specify a function module to

This function module finds the root organizational unit with

This function module finds the root organizational unit to

It is possible to assign a structural authorization directly to a user instead of having the

Transactions and Reports for checking HR authorizations

In tab you will get:

In tab , we can get authorization info for a user:

 User's organizational unit

Is it possible also to execute RHBAUS00 report pressing button .

4.- Pushbutton : select this pushbutton to display the HR authorization values

You might also like