Upload
vtech07
View
65
Download
4
Embed Size (px)
DESCRIPTION
SAP HR Structural Auths
Citation preview
Structural Authorization
Defined HR Structural Authorization permit access to personnel
data based on the user’s position or span of authority
within the organizational structure.
Structural
Authorization General
Authorization
TC: OOSB
TC: PFCG
Personnel
Admin
Org, PD,
TEM, Quals
Structural Authorization
High Level Process
Create Structural
Authorization
Profile
Link Structural
Authorization
Profile
to User Id
Configuration &
Switch Settings
Evaluation Path
Determine Root
Org Unit
SAP User ID
linked to PA via
IT0105 Record
PA/PD Integration
Turned
“On”
(POLGI/ORGA)
Structural
Authorization
Activated via
(TC: OOAC or
T77S0)
Structural
Authorization
Profiles
Developed (TC:
OOSP or T77PR)
Structural Auth
Profiles
Linked
PD Object
(IT1017)
Dynamically
Organizational
Structure
Developed
SAP User ID linked
Structural Auth.
Profile
(TC: OOSB or
T77UA
SAP Program
RHPROFLO
Executed
Manually
Evaluation Paths
Maintained
(T778A/
V_T77AW))
Dynamically
assign
Root Org Unit
(Function Module)
Employee Record
assigned
IT0001
Manually
assign
Root Org Unit
STRUCTURAL AUTHORIZATIONS PROCESS FLOWCHART
User Access
Restricted
Based on Org
Structure
Organizational
Structure
(Org Unit/Position)
Structural
Authorization
Waiting Period
(TC: OOAC or
T77S0)
Execute Reports to
Optimize
Performance
PA/PD Integration “Active”
Structural Authorizations
„Activated”
4.6 and
below
Refer to OSS Note 339367 refers to OSS Note 363083
Maintenance of the switch AUTH_SW P_ORGPD to
import 4.7 functionality
Change from 0 to 1
TC: OOAC
T77S0
Structural Authorizations
“Activated”
4.7
Structural Authorizations
Waiting Period
Create Organizational Structure
• Transaction code PPOME
• Create organizational units (object type O)
• Create jobs (object type C)
• Create positions (object type S)
• Assign chief positions especially if the
relationship A012 is being used in function
modules
Create Organizational Structure
Create Personnel Master Records
• All personnel require personnel number
• Create IT0105, subtype 0001 record for all
EE’s linking SAP user id to personnel
number which is linked to the org structure
• All personnel require IT0001 record
Create Personnel Master Records
IT0105 IT0001
Evaluation Paths
• Use SAP standard evaluation paths
– SAP standard function modules read
delivered evaluation paths
• Create customer defined evaluation paths
– Customer defined function modules
specify customer defined evaluation paths
Evaluation Paths
T778A
V_T77AW
Create Structural Authorization
Profiles
• Transaction code OOSP or T77PR
• Screen # 1
– Profile: Enter profile name and description
– Save Structural Authorization Profile
Assign Root Org Unit
Option 1: Dynamically.
• Function Module:
RH_GET_MANAGER_ASSIGNMENT
determines the root organizational unit to
which the user is assigned as Manager via
the A012 chief relationship.
• Assign function module in T77PR In field
PFUNC
Screen # 2 T77PR
When Function
Module is
being used,
leave Object
ID field “Blank”
RH_GET_MANAGER_ASSIGNMENT:
Determines the root org unit object to
which the user is assigned as Manager
via the A012 chief relationship.
(Supervisor)
• Screen # 2 (Continued) – Auth Profile: Select profile for pop-up box
– No.: Enter Line/Sequence/Interval numbers 5, 10, 15 …etc.
– Plan version: Enter active plan. Ex. 01
– Object type: Enter object type end user will be authorized to change or display (O – Org Unit, S – Position, C – Job, P- person, and any customer defined objects)
– Object ID: If assign root org unit is being used, enter org unit id value. If you are using function modules to dynamically determine the root org unit, leave this field blank
– Maintenance: If checked, maintain authorization is granted for object type, if uncheck, only display authorization granted.
– Evaluation Path: Enter evaluation path defined inT77UA
• Screen # 2 (Continued) – Status vector: Planning status authorization
• 1 – Active
• 2 – Planned
• 3 – Submitted
• 4 – Approved
• 5 – Rejected
• To grant access to Active and Planned status(s) enter
“12”
– Depth: Enter the number of levels from the
root org unit of the org structure.
– Sign: Process structural authorization top –
down (+) or bottom-up (-)
• Screen # 2 (Continued) – Time period: Restrict access based on the
validity period of the org structure. • D – Current Day
• M – Current Month
• Y – Current Year
• P – Past
• F – Future
– Function module: • Leave this field “blank” if root org unit is defined in
field “Object id”
• Determine the root org unit using SAP standard or
Customer defined function modules
• Screen # 2 (Continued) – Add multiple rows in this table for all PD
objects the structural authorizations are
permitting to change and/or display
Assign Root Org Unit
Option 2: Dynamically.
• Function Module:
RH_GET_ORG_ASSIGNMENT
determines the root organizational unit to
which the user is organizationally assigned.
• Assign function module in T77PR In field
PFUNC
Screen # 2 T77PR
RH_GET_ORG_ASSIGNMENT
Determines the root organizational unit to
which the user is organizationally assigned.
A customer defined Function
Module may be used
Assign Root Org Unit
Option 3: Dynamically.
• Customer Defined Function Module:
– Copy and modify SAP standard function
modules to specify customer defined
evaluation paths
• Assign function module in T77PR In field
PFUNC
Assign Root Org Unit
Option 4: Manually
• Function Module not used.
• Manual assignment of root organizational
unit
• Define root organizational unit in T77PR In
field OBJID
Screen # 2 T77PR
When Object
ID is being
used, leave
Function
Module field
“Blank”
Structural Authorization Profile
Completed
Link User ID to Structural
Authorization Option # 1 Assign Structural Authorization to PD Object
• Restrict user access based on PD objects.
• Assign structural authorization defined in transaction code OOSP or T77PR by creating an IT1017 to a PD object. Example: Create IT1017 to org unit or position depending on your requirements
• This is linking the structural authorization to the organizational structure.
• IT1017 is required if you are going to dynamically populate T77UA by linking user id to structural authorization profile.
Assign IT1017 to Position
Execute transaction code PP01 > Create PD Profiles > Assign Structural
Authorization Profile
Link User ID to Structural
Authorization
• Execute SAP Program RHPROFL0 on a
nightly or emergency basis.
• Report dynamically links the user id
(IT0105, Subtype 0001) to the designated
structural authorization profile in T77UA
based on the assignment of IT1017 to PD
objects.
RHPROFL0 program report output
T77UA auto
populated by the
RHPROFL0
program
Link User ID to Structural
Authorization Option # 2
• Can be assigned “manually”
• IT1017 is not necessary
• Transaction code OOSB or T77UA
• Ensure customizing of the table in permitted
in Production client
• This method is no recommended. Can be
very labor intensive
Manually Link User ID to
Structural Authorization Execute transaction code OOSB > Click on New Entries > Enter user id,
corresponding structural authorization profile, enter start date, enter end
date and click on the save icon.
Optimize Structural
Authorization Performance • Manually enter user id’s in T77UU User Table for
Batch Input. Stores user id in SAP memory (T77UU). Not recommended.
• Dynamically add/remove user id’s in T77UU executing program RHBAUS02 based on the number of objects.
• Execute nightly program RHBAUS00 to regenerate indexes saved in table INDX.
• Indexes regenerated and saved in table INDX
• ODD note 836478 dated 4/21/05: Display Index Report: RHAUTH_VIEW_INDX
Congratulations !
• You have completed the configuration of
structural authorizations.
• Do not know of any method to trace
structural authorizations
• Test, test user id’s for both structural
authorizations and PA/PD authorization
assigned to roles in TC: SU01.
Customer Defined Structural
Authorizations
• Use BADl: HRBAS00_STRUAUTH Customer defined logic for Structural Authorization
• Use BADI: HRPAD00AUTH_CHECK, which allows the customer to input their own coding into this customer exit for HR Master Data.
– Example: Restrict authorizations based on Business Area, Plant, etc.
Reporting Considerations
• Customer Defined Reports: Use HR Macros in
your custom program to engage structural
authorizations from the LDB. If LDB is not being
accessed, need to code structural authorizations in
program
• SAP Standard Reports: There may be some
circumstances you do not want structural
authorizations checked. Copy standard reports and
remove authorization checks.
Lessons Learned
• Keep in mind, users with new structural authorizations will not be effective until next day if RHPROFLO is ran nightly.
• Remember to assign Authorization Groups to customer defined z-tables in order to maintain in Production client.
• Assign all end users structural authorizations.
WHAT’S NEW IN 4.7
Transaction code SU53: Reasons for failed Structural authorizations are
displayed
Context Structural Authorizations
Context Structural Authorizations
Context Structural Authorizations
Context Structural Authorizations
Context Structural Authorizations
Questions ?