SAP HCM Structural Authorization Overview Presentation
1. SAP HCM STRUCTURAL
AUTHORIZATION
OVERVIEW
by
Ken Bowers
NK Consulting Inc
2. Structural Authorization
Defined
HR structural authorizations permit access to personnel
data based on the user’s position or span of authority
within the organizational structure.
3. Structural Authorization vs. General Authorization
• Structural Authorization: Org, PD, TEM, Quals (TC: OOSB)
• General Authorization: Personnel Admin (TC: PFCG)
4. Structural Authorization High Level Process
[Process diagram; boxes:]
• Configuration & Switch Settings
• Evaluation Path
• Determine Root Org Unit
• Create Structural Authorization Profile
• Link Structural Authorization Profile to User Id
5. STRUCTURAL AUTHORIZATIONS PROCESS FLOWCHART
[Flowchart; boxes:]
• PA/PD Integration Turned “On” (PLOGI/ORGA)
• Evaluation Paths Maintained (T778A/V_T77AW)
• Dynamically assign Root Org Unit (Function Module)
• Manually assign Root Org Unit
• Organizational Structure (Org Unit/Position)
• Structural Authorization Activated via (TC: OOAC or T77S0)
• Structural Authorization Waiting Period (TC: OOAC or T77S0)
• Organizational Structure Developed
• Structural Authorization Profiles Developed (TC: OOSP or T77PR)
• Structural Auth Profiles Dynamically Linked PD Object (IT1017)
• Employee Record assigned IT0001
• SAP User ID linked to PA via IT0105 Record
• SAP Program RHPROFL0 Executed
• SAP User ID linked Structural Auth. Profile Manually (TC: OOSB or T77UA)
• Execute Reports to Optimize Performance
• User Access Restricted Based on Org Structure
7. Structural Authorizations
“Activated”
• TC: OOAC or T77S0
• Change from 0 to 1
• 4.6 and below: Refer to OSS Note 339367, which refers to
OSS Note 363083, maintenance of the switch AUTH_SW P_ORGPD,
to import 4.7 functionality
9. Activation Options
• Value 1: Org Unit Checked – No
Authorization.
• Value 2: Org Unit Not Checked – No
Authorization.
• Value 3: Org Unit Checked – Authorization
• Value 4: Org Unit Not Checked –
Authorization
11. Create Organizational Structure
• Transaction code PPOME
• Create organizational units (object type O)
• Create jobs (object type C)
• Create positions (object type S)
• Assign chief positions especially if the
relationship A012 is being used in function
modules
13. Create Personnel Master Records
• All personnel require personnel number
• Create IT0105, subtype 0001 record for all
EE’s linking SAP user id to personnel
number which is linked to the org structure
• All personnel require IT0001 record
15. Evaluation Paths
• Use SAP standard evaluation paths
– SAP standard function modules read
delivered evaluation paths
• Create customer defined evaluation paths
– Customer defined function modules
specify customer defined evaluation
paths
17. Create Structural Authorization
Profiles
• Transaction code OOSP or T77PR
• Screen # 1
– Profile: Enter profile name and description
– Save Structural Authorization Profile
18. Assign Root Org Unit
Option 1: Dynamically.
• Function Module:
RH_GET_MANAGER_ASSIGNMENT
determines the root organizational unit to
which the user is assigned as Manager via
the A012 chief relationship.
• Assign function module in T77PR in field
PFUNC
19. Screen # 2 T77PR
When Function
Module is
being used,
leave Object
ID field
“Blank”
RH_GET_MANAGER_ASSIGNMENT:
Determines the root org unit object to
which the user is assigned as Manager
via the A012 chief relationship.
(Supervisor)
20. • Screen # 2 (Continued)
– Auth Profile: Select profile for pop-up box
– No.: Enter Line/Sequence/Interval numbers 5, 10, 15
…etc.
– Plan version: Enter active plan. Ex. 01
– Object type: Enter object type end user will be
authorized to change or display (O – Org Unit, S –
Position, C – Job, P- person, and any customer defined
objects)
– Object ID: If the root org unit is assigned manually, enter
the org unit ID value. If you are using function modules to
dynamically determine the root org unit, leave this field
blank
– Maintenance: If checked, maintain authorization is
granted for the object type; if unchecked, only display
authorization is granted.
– Evaluation Path: Enter evaluation path defined
in T77UA
21. • Screen # 2 (Continued)
– Status vector: Planning status authorization
• 1 – Active
• 2 – Planned
• 3 – Submitted
• 4 – Approved
• 5 – Rejected
• To grant access to Active and Planned statuses,
enter “12”
– Depth: Enter the number of levels from the
root org unit of the org structure.
– Sign: Process structural authorization top –
down (+) or bottom-up (-)
22. • Screen # 2 (Continued)
– Time period: Restrict access based on the
validity period of the org structure.
• D – Current Day
• M – Current Month
• Y – Current Year
• P – Past
• F – Future
– Function module:
• Leave this field “blank” if root org unit is defined in
field “Object id”
• Determine the root org unit using SAP standard or
Customer defined function modules
23. • Screen # 2 (Continued)
– Add multiple rows in this table for all PD
objects the structural authorizations are
permitting to change and/or display
24. Assign Root Org Unit
Option 2: Dynamically.
• Function Module:
RH_GET_ORG_ASSIGNMENT
determines the root organizational unit to
which the user is organizationally assigned.
• Assign function module in T77PR in field
PFUNC
25. Screen # 2 T77PR
A customer defined Function
Module may be used
RH_GET_ORG_ASSIGNMENT
Determines the root organizational unit to
which the user is organizationally assigned.
26. Assign Root Org Unit
Option 3: Dynamically.
• Customer Defined Function Module:
– Copy and modify SAP standard function
modules to specify customer defined
evaluation paths
• Assign function module in T77PR in field
PFUNC
27. Assign Root Org Unit
Option 4: Manually
• Function Module not used.
• Manual assignment of root organizational
unit
• Define root organizational unit in T77PR in
field OBJID
28. Screen # 2 T77PR
When Object
ID is being
used, leave
Function
Module field
“Blank”
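The field rules from the T77PR screens above (Object ID or Function Module but not both, status vector values 1 to 5, sign + or -, time period D/M/Y/P/F, maintenance flag) can be checked over an exported copy of the table. This is an added example, not part of the original presentation; the CSV layout and all column names other than OBJID and PFUNC are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export. Header names other than OBJID and PFUNC are assumed.
SAMPLE = """PROFILE,SEQ,OTYPE,OBJID,MAINT,EVPATH,SVECT,DEPTH,SIGN,PERIOD,PFUNC
ZMGR,5,O,,,O-S-P,12,3,+,D,RH_GET_MANAGER_ASSIGNMENT
ZHRADM,5,O,50000001,X,O-S-P,1,0,+,,
ZBAD1,5,O,50000001,,O-S-P,1,2,+,D,RH_GET_ORG_ASSIGNMENT
ZBAD2,5,S,,X,O-S-P,17,x,*,Q,
"""

STATUSES = set("12345")             # 1 Active ... 5 Rejected
PERIODS = {"D", "M", "Y", "P", "F"}

def lint_row(row):
    """Return findings for one profile line; blank optional fields are not judged."""
    f = {k: (v or "").strip() for k, v in row.items()}
    out = []
    if f["OBJID"] and f["PFUNC"]:
        out.append("OBJID and PFUNC both set; one must be blank")
    elif not f["OBJID"] and not f["PFUNC"]:
        out.append("no root org unit: OBJID and PFUNC both blank")
    if set(f["SVECT"]) - STATUSES:
        out.append(f"status vector {f['SVECT']!r} has values outside 1-5")
    if f["DEPTH"] and not f["DEPTH"].isdigit():
        out.append(f"depth {f['DEPTH']!r} is not a number of levels")
    if f["SIGN"] and f["SIGN"] not in {"+", "-"}:
        out.append(f"sign {f['SIGN']!r} is not + or -")
    if f["PERIOD"] and f["PERIOD"] not in PERIODS:
        out.append(f"time period {f['PERIOD']!r} is not D/M/Y/P/F")
    if f["MAINT"]:
        out.append("review: maintenance authorization granted")
    return out

def lint(text):
    """Map 'PROFILE/SEQ' to its findings; clean lines are omitted."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = lint_row(row)
        if findings:
            report[f"{row['PROFILE']}/{row['SEQ']}"] = findings
    return report

if __name__ == "__main__":
    for line, findings in lint(SAMPLE).items():
        print(line, findings)
```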
30. Link User ID to Structural
Authorization Option # 1
Assign Structural Authorization to PD Object
• Restrict user access based on PD objects.
• Assign structural authorization defined in
transaction code OOSP or T77PR by creating an
IT1017 to a PD object. Example: Create IT1017 to
org unit or position depending on your
requirements
• This is linking the structural authorization to the
organizational structure.
• IT1017 is required if you are going to dynamically
populate T77UA by linking user id to structural
authorization profile.
31. Assign IT1017 to Position
Execute transaction code PP01 > Create PD Profiles > Assign Structural
Authorization Profile
32. Link User ID to Structural
Authorization
• Execute SAP Program RHPROFL0 on a
nightly or emergency basis.
• Report dynamically links the user id
(IT0105, Subtype 0001) to the designated
structural authorization profile in T77UA
based on the assignment of IT1017 to PD
objects.
35. Link User ID to Structural
Authorization Option # 2
• Can be assigned “manually”
• IT1017 is not necessary
• Transaction code OOSB or T77UA
• Ensure customizing of the table is permitted
in Production client
• This method is not recommended. Can be
very labor intensive
36. Manually Link User ID to
Structural Authorization
Execute transaction code OOSB > Click on New Entries > Enter user id,
corresponding structural authorization profile, enter start date, enter end
date and click on the save icon.
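The two linking options above can be reconciled in an access review: derive the user-to-profile links that the IT1017, IT0001 and IT0105 (subtype 0001) records imply, then compare them with what T77UA actually holds. This is an added example, not part of the original presentation and not how RHPROFL0 is implemented; it assumes a profile applies only to employees directly assigned to the position or org unit carrying IT1017, and every ID, user and profile name is constructed.

```python
# Constructed sample data standing in for table exports.
IT1017 = {("S", "50001000"): "ZMGR",      # profile attached to a position
          ("O", "50000002"): "ZTIME"}     # profile attached to an org unit
IT0001 = {"00001001": ("50001000", "50000001"),   # pernr -> (position, org unit)
          "00001002": ("50001001", "50000002"),
          "00001003": ("50001000", "50000001")}
IT0105 = {"00001001": "JSMITH",           # subtype 0001: pernr -> SAP user ID
          "00001002": "MLEE"}             # 00001003 has no user ID record
T77UA = {("JSMITH", "ZMGR"), ("MLEE", "ZOLD"), ("BATCH1", "ZHRADM")}

def expected_links(it1017, it0001, it0105):
    """Return (user, profile) links implied by IT1017 and employees that cannot be linked."""
    links, unlinked = set(), set()
    for pernr, (position, org_unit) in it0001.items():
        for key in (("S", position), ("O", org_unit)):
            profile = it1017.get(key)
            if profile is None:
                continue
            user = it0105.get(pernr)
            if user:
                links.add((user, profile))
            else:
                unlinked.add(pernr)       # profile applies but no IT0105 subtype 0001
    return links, unlinked

def compare(expected, actual):
    """Split differences between implied links and the T77UA contents."""
    return {"missing_in_T77UA": sorted(expected - actual),       # not generated yet
            "not_backed_by_IT1017": sorted(actual - expected)}   # manual OOSB entries

if __name__ == "__main__":
    links, unlinked = expected_links(IT1017, IT0001, IT0105)
    print(compare(links, T77UA), "unlinked:", sorted(unlinked))
```

Entries under not_backed_by_IT1017 are the manual assignments to review by hand; entries under missing_in_T77UA are what the next RHPROFL0 run would be expected to add.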
37. Optimize Structural
Authorization Performance
• Manually enter user id’s in T77UU User Table for
Batch Input. Stores user id in SAP memory
(T77UU). Not recommended.
• Dynamically add/remove user id’s in T77UU
executing program RHBAUS02 based on the
number of objects.
• Execute nightly program RHBAUS00 to
regenerate indexes saved in table INDX.
• Indexes regenerated and saved in table INDX
• OSS note 836478 dated 4/21/05: Display Index
Report: RHAUTH_VIEW_INDX
38. Congratulations !
• You have completed the configuration of
structural authorizations.
• Do not know of any method to trace
structural authorizations
• Test, test user id’s for both structural
authorizations and PA/PD authorization
assigned to roles in TC: SU01.
39. Customer Defined Structural
Authorizations
• Use BADI: HRBAS00_STRUAUTH
Customer defined logic for Structural
Authorization
• Use BADI: HRPAD00AUTH_CHECK,
which allows the customer to input their
own coding into this customer exit for HR
Master Data.
– Example: Restrict authorizations based on
Business Area, Plant, etc.
40. Reporting Considerations
• Customer Defined Reports: Use HR Macros in
your custom program to engage structural
authorizations from the LDB. If LDB is not being
accessed, need to code structural authorizations in
program
• SAP Standard Reports: There may be some
circumstances you do not want structural
authorizations checked. Copy standard reports and
remove authorization checks.
41. Lessons Learned
• Keep in mind, new structural authorizations for
users will not be effective until the next day if
RHPROFL0 is run nightly.
• Remember to assign Authorization Groups
to customer defined z-tables in order to
maintain in Production client.
• Assign all end users structural
authorizations.
42. WHAT’S NEW IN 4.7
Transaction code SU53: Reasons for failed Structural authorizations are
displayed