Hr Structural Authorizations

Post on 26-Oct-2015


HR STRUCTURAL AUTHORIZATIONS

by

Ken Bowers

SAIC

Structural Authorization Defined

HR structural authorizations permit access to personnel data based on the user’s position or span of authority within the organizational structure.

[Diagram: Structural Authorization (TC: OOSB) and General Authorization (TC: PFCG); labels: Personnel Admin; Org, PD, TEM, Quals]

Structural Authorization High Level Process

• Create Structural Authorization Profile

• Link Structural Authorization Profile to User Id

• Configuration & Switch Settings

• Evaluation Path

• Determine Root Org Unit

• SAP User ID linked to PA via IT0105 Record

STRUCTURAL AUTHORIZATIONS PROCESS FLOWCHART

[Flowchart boxes, in extraction order:]

• PA/PD Integration Turned “On” (PLOGI/ORGA)

• Structural Authorization Activated via (TC: OOAC or T77S0)

• Structural Authorization Profiles Developed (TC: OOSP or T77PR)

• Structural Auth Profiles Linked PD Object (IT1017)

• Dynamically

• Organizational Structure Developed

• SAP User ID linked Structural Auth. Profile (TC: OOSB or T77UA)

• SAP Program RHPROFL0 Executed

• Manually

• Evaluation Paths Maintained (T778A/V_T77AW)

• Dynamically assign Root Org Unit (Function Module)

• Employee Record assigned IT0001

• Manually assign Root Org Unit

• User Access Restricted Based on Org Structure

• Organizational Structure (Org Unit/Position)

• Structural Authorization Waiting Period (TC: OOAC or T77S0)

• Execute Reports to Optimize Performance

PA/PD Integration “Active”

Structural Authorizations “Activated”

4.6 and below

Refer to OSS Note 339367 (which refers to OSS Note 363083): maintenance of the switch AUTH_SW P_ORGPD to import 4.7 functionality

Change from 0 to 1

TC: OOAC or T77S0

Structural Authorizations “Activated”

4.7

Activation Options

• Value 1: Org Unit Checked – No Authorization.

• Value 2: Org Unit Not Checked – No Authorization.

• Value 3: Org Unit Checked – Authorization

• Value 4: Org Unit Not Checked - Authorization

Structural Authorizations Waiting Period

Create Organizational Structure

• Transaction code PPOME

• Create organizational units (object type O)

• Create jobs (object type C)

• Create positions (object type S)

• Assign chief positions especially if the relationship A012 is being used in function modules


Create Personnel Master Records

• All personnel require personnel number

• Create IT0105, subtype 0001 record for all EE’s linking SAP user id to personnel number which is linked to the org structure

• All personnel require IT0001 record

[Figure: Create Personnel Master Records, IT0105 and IT0001]

Evaluation Paths

• Use SAP standard evaluation paths

– SAP standard function modules read delivered evaluation paths

• Create customer defined evaluation paths

– Customer defined function modules specify customer defined evaluation paths

[Figure: Evaluation Paths, T778A and V_T77AW]

Create Structural Authorization Profiles

• Transaction code OOSP or T77PR

• Screen # 1

– Profile: Enter profile name and description

– Save Structural Authorization Profile

Assign Root Org Unit Option 1: Dynamically.

• Function Module: RH_GET_MANAGER_ASSIGNMENT determines the root organizational unit to which the user is assigned as Manager via the A012 chief relationship.

• Assign function module in T77PR in field PFUNC

Screen # 2 T77PR

When Function Module is being used, leave Object ID field “Blank”

• Screen # 2 (Continued)

– Auth Profile: Select profile from pop-up box

– No.: Enter Line/Sequence/Interval numbers 5, 10, 15 …etc.

– Plan version: Enter active plan. Ex. 01

– Object type: Enter object type end user will be authorized to change or display (O – Org Unit, S – Position, C – Job, P – Person, and any customer defined objects)

– Object ID: If a manually assigned root org unit is being used, enter the org unit id value. If you are using function modules to dynamically determine the root org unit, leave this field blank

– Maintenance: If checked, maintain authorization is granted for the object type; if unchecked, only display authorization is granted.

– Evaluation Path: Enter evaluation path defined in T77UA

– Status vector: Planning status authorization

   • 1 – Active

   • 2 – Planned

   • 3 – Submitted

   • 4 – Approved

   • 5 – Rejected

   • To grant access to Active and Planned statuses, enter “12”

– Depth: Enter the number of levels from the root org unit of the org structure.

– Sign: Process structural authorization top-down (+) or bottom-up (-)

– Time period: Restrict access based on the validity period of the org structure.

   • D – Current Day

   • M – Current Month

   • Y – Current Year

   • P – Past

   • F – Future

– Function module:

   • Leave this field “blank” if root org unit is defined in field “Object id”

   • Determine the root org unit using SAP standard or customer defined function modules

– Add multiple rows in this table for all PD objects the structural authorizations are permitting to change and/or display

Assign Root Org Unit Option 2: Dynamically.

• Function Module: RH_GET_ORG_ASSIGNMENT determines the root organizational unit to which the user is organizationally assigned.

• Assign function module in T77PR in field PFUNC

Screen # 2 T77PR

A customer defined Function Module may be used

Assign Root Org Unit Option 3: Dynamically.

• Customer Defined Function Module:

– Copy and modify SAP standard function modules to specify customer defined evaluation paths

• Assign function module in T77PR in field PFUNC

Assign Root Org Unit Option 4: Manually

• Function Module not used.

• Manual assignment of root organizational unit

• Define root organizational unit in T77PR in field OBJID

Screen # 2 T77PR

When Object ID is being used, leave Function Module field “Blank”
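An added illustration (not from the original slides and not SAP code): a simplified Python model of how one T77PR row resolves to the objects a user may display or maintain, covering both the manual Object ID root and a function-module root. The org data, the depth convention (0 = root org unit only, None = unlimited) and `manager_root`, a stand-in for RH_GET_MANAGER_ASSIGNMENT, are assumptions; evaluation path, status vector, sign and time period are left out.

```python
# Simplified model of one T77PR profile row; not SAP code. All data is constructed.
ORG_CHILDREN = {"O1000": ["O1100", "O1200"], "O1100": ["O1110"], "O1200": [], "O1110": []}
POSITIONS = {"O1000": ["S1"], "O1100": ["S2", "S3"], "O1110": ["S4"], "O1200": ["S5"]}
HOLDER = {"S1": "P01", "S2": "P02", "S3": "P03", "S4": "P04", "S5": "P05"}
CHIEF_OF = {"S2": "O1100"}        # A012: position S2 is chief of org unit O1100
USER_TO_PERNR = {"JDOE": "P02"}   # IT0105 subtype 0001: user ID -> personnel number


def manager_root(user):
    """Stand-in for RH_GET_MANAGER_ASSIGNMENT: org unit the user is chief of."""
    pernr = USER_TO_PERNR.get(user)
    for pos, holder in HOLDER.items():
        if holder == pernr and pos in CHIEF_OF:
            return CHIEF_OF[pos]
    return None


PFUNC = {"RH_GET_MANAGER_ASSIGNMENT": manager_root}


def resolve_row(user, row):
    """Return {object_id: 'maintain' | 'display'} granted by one profile row."""
    # The slides' rule: fill Object ID or Function module, never both, never neither.
    if bool(row.get("objid")) == bool(row.get("pfunc")):
        raise ValueError("fill exactly one of Object ID and Function module")
    root = row["objid"] if row.get("objid") else PFUNC[row["pfunc"]](user)
    if root is None:
        return {}                 # no root determined: the row grants nothing
    access = "maintain" if row["maint"] else "display"
    granted, frontier, level = {}, [root], 0
    while frontier and (row["depth"] is None or level <= row["depth"]):
        next_frontier = []
        for org in frontier:      # org unit, its positions, and their holders
            granted[org] = access
            for pos in POSITIONS.get(org, []):
                granted[pos] = access
                granted[HOLDER[pos]] = access
            next_frontier.extend(ORG_CHILDREN.get(org, []))
        frontier, level = next_frontier, level + 1
    return granted
```

A user with no IT0105 link or no chief position gets an empty result from the dynamic row, which is the case to test for before go-live.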

Structural Authorization Profile Completed

Link User ID to Structural Authorization Option # 1

Assign Structural Authorization to PD Object

• Restrict user access based on PD objects.

• Assign structural authorization defined in transaction code OOSP or T77PR by creating an IT1017 to a PD object. Example: Create IT1017 to org unit or position depending on your requirements

• This is linking the structural authorization to the organizational structure.

• IT1017 is required if you are going to dynamically populate T77UA by linking user id to structural authorization profile.

Assign IT1017 to Position

Execute transaction code PP01 > Create PD Profiles > Assign Structural Authorization Profile

Link User ID to Structural Authorization

• Execute SAP Program RHPROFL0 on a nightly or emergency basis.

• Report dynamically links the user id (IT0105, Subtype 0001) to the designated structural authorization profile in T77UA based on the assignment of IT1017 to PD objects.

[Figure: RHPROFL0 program report output; T77UA auto populated by the RHPROFL0 program]

Link User ID to Structural Authorization Option # 2

• Can be assigned “manually”

• IT1017 is not necessary

• Transaction code OOSB or T77UA

• Ensure customizing of the table is permitted in Production client

• This method is not recommended. Can be very labor intensive

Manually Link User ID to Structural Authorization

Execute transaction code OOSB > Click on New Entries > Enter user id, corresponding structural authorization profile, enter start date, enter end date and click on the save icon.
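An added audit sketch (not part of the original slides, and not SAP code): it reconciles the user-to-profile assignments that IT1017 and IT0105 imply against the T77UA rows valid on a given day, so manual OOSB entries, expired rows and unlinked personnel numbers stand out. The sample exports, their field layout and the profile names are constructed assumptions.

```python
from datetime import date

# Constructed sample exports; the field layout is an assumption, not SAP's table format.
IT1017 = {"S2": "ZMGR", "O1200": "ZHRADM"}          # PD object -> profile (IT1017)
HOLDERS = {"S2": ["P02"], "O1200": ["P05", "P06"]}   # PD object -> personnel numbers
IT0105 = {"P02": "JDOE", "P05": "ASMITH"}            # personnel number -> SAP user ID
T77UA = [                                            # user, profile, start, end
    ("JDOE", "ZMGR", date(2015, 1, 1), date(9999, 12, 31)),
    ("ASMITH", "ZHRADM", date(2014, 1, 1), date(2014, 12, 31)),
    ("TEMP01", "ZHRADM", date(2015, 1, 1), date(9999, 12, 31)),
]


def reconcile(on_day):
    """Compare IT1017-derived assignments with T77UA rows valid on on_day."""
    expected, unlinked = set(), set()
    for obj, profile in IT1017.items():
        for pernr in HOLDERS.get(obj, []):
            user = IT0105.get(pernr)
            if user is None:
                unlinked.add(pernr)      # no IT0105 record: cannot be linked to a user
            else:
                expected.add((user, profile))
    actual = {(u, p) for u, p, start, end in T77UA if start <= on_day <= end}
    return {
        "missing": sorted(expected - actual),     # expired row, or report not yet run
        "unexpected": sorted(actual - expected),  # manual entries to review
        "unlinked": sorted(unlinked),
    }
```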

Optimize Structural Authorization Performance

• Manually enter user id’s in T77UU User Table for Batch Input. Stores user id in SAP memory (T77UU). Not recommended.

• Dynamically add/remove user id’s in T77UU executing program RHBAUS02 based on the number of objects.

• Execute nightly program RHBAUS00 to regenerate indexes saved in table INDX.

• Indexes regenerated and saved in table INDX

• OSS note 836478 dated 4/21/05: Display Index Report: RHAUTH_VIEW_INDX

Congratulations !

• You have completed the configuration of structural authorizations.

• Do not know of any method to trace structural authorizations

• Test, test user id’s for both structural authorizations and PA/PD authorization assigned to roles in TC: SU01.

Customer Defined Structural Authorizations

• Use BADI: HRBAS00_STRUAUTH, customer defined logic for Structural Authorization

• Use BADI: HRPAD00AUTH_CHECK, which allows the customer to input their own coding into this customer exit for HR Master Data.

– Example: Restrict authorizations based on Business Area, Plant, etc.

Reporting Considerations

• Customer Defined Reports: Use HR Macros in your custom program to engage structural authorizations from the LDB. If LDB is not being accessed, need to code structural authorizations in program

• SAP Standard Reports: There may be some circumstances you do not want structural authorizations checked. Copy standard reports and remove authorization checks.

Lessons Learned

• Keep in mind, new structural authorizations will not take effect for users until the next day if RHPROFL0 is run nightly.

• Remember to assign Authorization Groups to customer defined z-tables in order to maintain in Production client.

• Assign all end users structural authorizations.

WHAT’S NEW IN 4.7

Transaction code SU53: Reasons for failed Structural authorizations are displayed

Context Structural Authorizations


Questions ?

Contact Information

kenneth.p.bowers.jr@saic.com

864-940-7282