
Optimising SAP HR Authorisation by using custom development incl. BAdIs


© Copyright 2014 Wellesley Information Services, Inc.

All rights reserved.

When and How to Use Custom Development to Optimise SAP ERP HCM Authorisations

Sven Ringling iProCon


In This Session

• We’ll walk through the most important standard concepts of HR authorisations
  • To demonstrate what they can and can’t do, thus leading to improvement opportunities through custom development
  • We will not discuss each and every detail of standard concepts
• We’ll discuss when to use custom development and when you should aim for other alternatives
• We’ll introduce the most important concepts for custom development in HR authorisations
  • BAdIs, custom authorisation objects, and dynamic start objects for structural authorisation
  • And demonstrate business cases for each of them


What We’ll Cover

• Overview: out-of-the-box concepts and enhancement options

• Standard objects, structural and context-sensitive authorisations

• Making structural authorisations more dynamic

• Using a custom authorisation object

• Using BAdIs: (almost) everything is possible

• Striking the right balance: keep customization to a minimum

• Wrap-up


A Quick Run Through Primary School

Authorisation Objects
• Are a set of fields to describe user rights for certain data or activities
• SAP standard coding checks these objects to control user rights

Authorisations
• Are objects “filled in” to describe the rights of a certain user or group

Roles
• Are sets of authorisations to represent a task or group of tasks
• Are assigned to users directly or through composite roles


Standard Options for HR Authorisations

Basic HR authorisations
• Personnel master data and time data infotypes
• Infotypes of HR planning and development

Structural authorisations
• Controlling access along organisational structure
• Other structures of personnel planning and development, such as the training catalogue
• For personnel planning and development and also for personnel master data, if activated

Context-sensitive authorisations
• Linking the two concepts above, so structural authorisations can be used in a more differentiated way


Further Authorisations Relevant to HR

• More authorisation objects can be relevant, but are not analysed in this session
  • Non-HR authorisations
  • Authorisation objects for specific HR processes
  • Authorisation objects for specific countries


Enhancement Options

Dynamic start object
• For structural authorisations, function modules can be used to decide at which point in the structure to start

Custom authorisation object
• For HR, a custom object is available that can be generated or filled with bespoke coding

BAdIs
• Available for basic objects, as well as for structural and context-sensitive authorisations


Before You Start with Custom Programming …

• Make sure you understand what’s available in SAP standard
• Ask “Why do we need this?” and consider process changes



The Mother of All HR Authorisation Objects

• Authorisation Object P_ORGIN
  • Most widely used object to control access to employee data
  • Note: Cost Centre or Personnel Subarea not available
[Figure: P_ORGIN fields, with callouts “What can you do?”, “For which set of data?” and “For which employees?”]


Using Organisational Key as a Wildcard

• Before building a custom authorisation object, if you are missing a field in P_ORGIN, make full use of the organisational key!
  • SAP leaves this field free to use for whatever purpose a customer wants to use it for
  • You can configure this field to be:
    • Free to change (from a drop-down list or free text)
    • Free to change with a default value
    • Default value not changeable
• Default values can be:
  • Built from other fields in Infotype 0001
    • E.g., cost centre or personnel subarea
  • Set in Master Data BAdI HRPAD00_INFTY


Access Per Administrator: P_ORGXX

• Object P_ORGXX answers the question “for which employees?” using the administrator fields from Infotype 0001
  • Convenient solution if you use these fields
  • However, consider substitution issues!
  • If you don’t use these fields in your process, you could use them as extra wild cards via BAdI HRPAD00_INFTY
[Figure: P_ORGXX fields, with callout “For which employees?”]


Access to Your Own Data: P_PERNR

• Object P_PERNR controls how users can access their own data
• Field “interpretation of assigned personnel number” is confusing for some administrators:
  • I: user gets extra right for her own data beyond P_ORGIN/P_ORGXX (usually for ESS)
  • E: access to user’s own data is restricted (e.g., HR staff not allowed to change their own salary)
  • Think of this being two separate authorisation objects
• Assigned via infotype 0105, subtype 0001


Which of the Three Objects Are Used for Master Data?

• Entries in T77S0 (see above) decide which objects are active
• All active objects are checked sequentially
  • E.g., if a user does have access to a certain record through P_ORGIN, but not through P_ORGXX (both being active), then access is rejected
  • P_PERNR can then add rights for the user’s own data or take them away
  • It can never affect access to data other than the user’s own records
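
The check order described on this slide, as an added Python model (not SAP code and not part of the original deck). The dict keys stand in for the objects' fields, access levels are compared literally, the sample user is constructed, and giving E precedence when both E and I match is an assumption.

```python
# Constructed model of the check order on the slide above; not SAP code.
# Field names (infty, authc, persa, sachp, psign) are plain dict keys here,
# and access levels are compared literally (no "W implies R" logic).

# Model of the T77S0 switches that decide which objects are active.
ACTIVE = {"ORGIN": True, "ORGXX": True, "PERNR": True}


def covers(auth, record):
    """An authorisation covers a record if each of its fields is '*' or equal."""
    return all(v == "*" or record.get(f) == v for f, v in auth.items())


def check_master_data(user, record, active=ACTIVE):
    """Return True if the user may access the record."""
    # P_PERNR is only looked at for the user's own personnel number.
    if active.get("PERNR") and record["pernr"] == user["pernr"]:
        hits = [a["psign"] for a in user.get("P_PERNR", [])
                if covers({k: v for k, v in a.items() if k != "psign"}, record)]
        if "E" in hits:      # assumption: E wins if both E and I match
            return False
        if "I" in hits:      # extra right for own data, beyond the other objects
            return True
    # The other active objects are checked one after the other; one miss rejects.
    for switch in ("ORGIN", "ORGXX"):
        if active.get(switch):
            if not any(covers(a, record) for a in user.get("P_" + switch, [])):
                return False
    return True


# Constructed sample: an HR administrator with personnel number 1001.
ANNA = {
    "pernr": "1001",
    "P_ORGIN": [{"infty": "0008", "authc": "W", "persa": "UK01"}],
    "P_ORGXX": [{"infty": "*", "authc": "*", "sachp": "A01"}],
    "P_PERNR": [
        {"infty": "0008", "authc": "W", "psign": "E"},  # may not change own salary
        {"infty": "0002", "authc": "R", "psign": "I"},  # may read own personal data
    ],
}


def record(pernr, infty, authc, persa, sachp):
    """Build a request for one infotype record of one employee."""
    return {"pernr": pernr, "infty": infty, "authc": authc,
            "persa": persa, "sachp": sachp}
```

The case worth trying first is an employee covered by P_ORGIN but handled by a different administrator: access is rejected until the ORGXX switch is turned off.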


Considerations for Basic Authorisation Objects

No field-level controls
• Infotype and subtype are not always the right level – e.g., NI number in IT0002 is critical
• Sometimes controls based on amounts (e.g., one off payments) are required

No link to organisational structure
• Dealt with by context-sensitive authorisation

No link to transaction or other context data
• It is often required for certain infotypes to be accessible in one transaction or report, but not another


How Object P_ABAP Can Help in Reporting

• P_ABAP deactivates HR authorisation check (COARS = 2) but doesn’t replace the basic authorisation to start a report!

Tip
• Often difficult to provide access to non-critical reports (e.g., phone list)
• Recommendation: 1 role with non-critical reports for all users


Workaround for the Amount Problem

• Problem
  • A user is allowed to capture a certain wage type (e.g., “medical expenses”) in Infotype 2010, but only up to EUR 100
  • Infotype and wage type (= subtype) can be controlled by object P_ORGIN or P_ORGXX, but not the amount
  • This would require custom programming (discussed further down)
• Workaround
  • Create two different wage types
    • One without limit
    • One with a limit of EUR 100 set in configuration view V_T511
  • Assign the two wage types through P_ORGIN or P_ORGXX using the subtype field accordingly


Personnel Planning and Development: PLOG

• Object PLOG controls access to PD data per
  • Object type (organisational unit, job, qualification, …)
  • Infotype and subtype
  • Activity (function code), such as view, change, …
• PLOG can control access per plan variant, so “secret” planning scenarios can be protected. If you use only one, still use the restriction so you don’t have to change all roles if the requirement for a sandbox plan comes up (it often happens with very little advance warning).


Understanding Object PLOG

• Unlike the objects for personnel master data, PLOG has no option to restrict certain organisational units
  • This is due to the nature of the data, which can be jobs, as well as courses, etc.
  • The only way to restrict access to parts of the organisational structure is structural authorisation
• The function code controls:
  • “Standard” activities, like display and change
  • Bespoke activities for certain processes, like approvals or career simulation
• Subtype field for Infotype 1001 (Relationships)
  • In IT1001, the subtype field represents the relationship type
  • Making good use of this allows very detailed controls


Detailed Controls Using Relationship Types

• If your authorisations on personnel planning and development are quite differentiated, picking the right relationship types can be challenging and require dozens of authorisations of PLOG
  • Whenever possible, keep it simple
  • You need to understand the data structure very well
  • Don’t forget most relationships exist in two directions (“A” and “B”)
• This example would allow a user to assign instructors and organisers to a course/event, but not to book delegates
  • Prerequisite: access to instructors and organisers


Considerations for Authorisation Object PLOG

No field-level controls
• Similar to problem with PA-infotypes, but not required very often

No organisational view
• Access rights are always for all objects of a particular type
• Organisational view is checked separately by structural organisation
• Link between PLOG and structural organisation requires context-sensitive authorisation, which is not yet available for PLOG

No link to transaction or other context data
• It is often required for certain infotypes to be accessible in one transaction or report, but not another. This is even more common here than in PA.
• In a few cases, the bespoke function codes mentioned earlier can cover this aspect


Structural Authorisation

• Access to a section of a structure
  • E.g., org unit with all subordinate units, positions, and people
• Structural profile
  • One or several such sections
  • Using evaluation paths
  • Defined in table T77PR
• Profiles are assigned to users
  • In table T77UA
• Access to data is defined in “normal” authorisation objects
  • No link!
[Figure: org structure (organisational unit, position, person, subordinate organisational unit), marked “Has access to these persons’ data”]


Example: Two Structural Profiles for One User

• Structural profile “Time manager”: Glenn is responsible for time management. He may maintain time data for the sales team.
• Structural profile “My team”: Glenn is also a leader of his team and may read all their master data
[Figure: one user holding both structural profiles]


Merging Two Structural Profiles Goes Wrong

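• The rights are merged: Maintain time data + Read master data
• The structural profiles are merged: The sales team + His own team
• Result: both rights apply to both teams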


Context-Sensitive Authorisation Gets It Right

[Figure: each structural profile is tied to its own rights through a “Context” link]
• Structural profile “Time manager”: Glenn is responsible for time management. He may maintain time data for a special unit.
• Structural profile “own team”: Glenn is also a leader of his team and may read master data


Context Authorisation in Object P_ORGINCON

• The new field PROFL represents a structural profile
  • Data and actions specified can be accessed only for employees accessible via this structural profile
  • This is the hitherto missing link between structural authorisation and “normal” authorisation objects
[Figure: P_ORGINCON fields, with callouts “What can you do?”, “For which set of data?” and “For which employees?”]
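
The Glenn example from the preceding slides, as an added Python model (not SAP code and not part of the original deck): it lists exactly which requests the merged assignment grants that the PROFL-bound assignment rejects. Profile names, personnel identifiers and the two-field rights are constructed for the illustration.

```python
# Constructed model: rights and structural profiles with and without the PROFL link.

# Structural profiles: the people each one reaches (sample data).
PROFILES = {
    "TIME_MGR": {"sales_1", "sales_2"},   # the sales team
    "MY_TEAM": {"team_1", "team_2"},      # Glenn's own team
}

# Without context: rights and profiles are assigned independently of each other.
GLENN_PLAIN = {
    "rights": [("time", "W"), ("master", "R")],
    "profiles": ["TIME_MGR", "MY_TEAM"],
}

# With context: each right names the structural profile it is valid for (PROFL).
GLENN_CONTEXT = {
    "rights": [("time", "W", "TIME_MGR"), ("master", "R", "MY_TEAM")],
}


def allowed_plain(user, data, level, person):
    """Two separate questions: is the right there, and is the person reachable?"""
    has_right = (data, level) in user["rights"]
    reachable = any(person in PROFILES[p] for p in user["profiles"])
    return has_right and reachable


def allowed_context(user, data, level, person):
    """One question: is there a right whose own profile reaches this person?"""
    return any(d == data and l == level and person in PROFILES[profl]
               for d, l, profl in user["rights"])


def over_granted():
    """Requests the merged model allows but the context model rejects."""
    people = sorted(set().union(*PROFILES.values()))
    requests = [(d, l, p) for d, l in GLENN_PLAIN["rights"] for p in people]
    return [r for r in requests
            if allowed_plain(GLENN_PLAIN, *r)
            and not allowed_context(GLENN_CONTEXT, *r)]
```

Running `over_granted()` returns four requests: write access to time data of Glenn's own team and read access to master data of the sales team, neither of which was intended.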


Options in Context-Sensitive Authorisation

• It can be used in two standard objects:
  • P_ORGINCON, replacing P_ORGIN
  • P_ORGXXCON, replacing P_ORGXX
• They are activated in T77S0
  • Switches INCON and XXCON, respectively
  • Switch DFCON must also be set to activate context solution
• There is no context solution for PD-Data
  • Authorisation object PLOG_CON exists, but is currently not working (SAP is aware it is not working)


So, Why Custom Programming?

• Some structural gaps in standard authorisations
• Only partially rectified by context solution
• Custom coding can close gaps and streamline processes, if used with consideration



Structural Authorisation: Example

• Rather than creating a profile with an explicit start object for each section of the org structure, the start object can be determined dynamically
[Figure: org structure (organisational unit, position, person, subordinate organisational unit), marked “Has access to these people’s data”; the user is a line manager (person, position), linked to the start object by a relationship, e.g. “is line manager of”]


Dynamic Start Object Using Function Module

• Standard function module RH_GET_ORG_ASSIGNMENT dynamically identifies the assigned org unit
[Figure: User → (IT 0105) → Person → (Holder) → Position → (Belongs to) → Org unit; Eval. path ORGASS]


More Flexibility with Custom Function Modules

Many users stop at standard options
• User is line manager of – function module RH_GET_MANAGER_ASSIGNMENT
• User is staff member of – function module RH_GET_ORG_ASSIGNMENT

Real life requirements are more diverse: custom function modules
• PAs capturing data for managers or whole teams
• Managers not having access more than two levels down (“grandfather principle”)
• Other roles, like resource planners, event managers, …

You can achieve much with little custom programming
• … and a good deal of analysis and conceptual thinking
• This is arguably the least intrusive way of enhancing


It Can Be That Easy …

Copy function module and replace standard with your own evaluation path:

... or as complex as you want it to be
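
How a dynamic start object changes what a user can reach, as an added Python model (not SAP code and not part of the original deck). The two start functions only mirror what the slides say the two standard function modules determine; all function names, object ids and the way levels are counted (levels below the start unit) are assumptions of this sketch.

```python
# Constructed org data; object ids are sample values, not taken from the slides.
USER_TO_PERSON = {"GLENN": "P1", "ANNA": "P2", "KIM": "P3"}      # IT 0105 link
HOLDER = {"P1": "S10", "P2": "S20", "P3": "S30", "P4": "S40"}    # person -> position
BELONGS_TO = {"S10": "O1", "S20": "O2", "S30": "O3", "S40": "O4"}  # position -> org unit
MANAGES = {"S10": "O1", "S20": "O2"}                 # position -> org unit it leads
SUB_UNITS = {"O1": ["O2"], "O2": ["O3"], "O3": ["O4"]}  # org unit -> units below it


def start_staff_member(user):
    """Start object: the org unit the user belongs to (user, person, position, unit)."""
    unit = BELONGS_TO.get(HOLDER.get(USER_TO_PERSON.get(user)))
    return [unit] if unit else []


def start_line_manager(user):
    """Start object: the org unit led by the user's position, if any."""
    unit = MANAGES.get(HOLDER.get(USER_TO_PERSON.get(user)))
    return [unit] if unit else []


def units_below(starts, max_levels=None):
    """Start units plus subordinate units, optionally cut off max_levels below them."""
    seen, frontier, level = set(starts), list(starts), 0
    while frontier and (max_levels is None or level < max_levels):
        frontier = [c for u in frontier
                    for c in SUB_UNITS.get(u, []) if c not in seen]
        seen.update(frontier)
        level += 1
    return seen


def visible_persons(user, start_fn, max_levels=None):
    """People the user reaches when the profile starts at start_fn(user)."""
    units = units_below(start_fn(user), max_levels)
    return {p for p, pos in HOLDER.items() if BELONGS_TO.get(pos) in units}
```

With `max_levels=2` the manager of O1 no longer reaches the person in O4, which is the “grandfather principle” requirement; a user who leads no unit gets no start object and therefore sees nobody through this profile.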



How to Use the Custom HR Authorisation Object

• You can create as many custom objects as you like
  • However, they would not be checked in any standard transactions and would, therefore, be useless except when used in custom coding
• The special concept of P_NNNNN in HR allows you to create one custom object, which is integrated in all relevant standard transactions
  • The standard process allows you to choose fields from Infotype 0001, plus some obligatory fields
    • E.g., cost centre or supervisor
  • You can also add custom coding, e.g., to make it dynamic


Step-by-Step Guide to P_NNNNN

Create P_NNNNN

• The real name would usually be different, starting with “Z”

• P_NNNNN is merely a placeholder for your own name

• Choose fields from Infotype 0001

Integrate P_NNNNN in standard authorisation check

• Code generation with report RPUACG00

Amend coding, if required

• Note: your amendments will be lost if code generation is repeated

Activate P_NNNNN

• Switch in table T77S0


Step 1: Create New Object

• Transaction SU21 → button “create” → “Authorisation Object”
• Fill in name and choose fields
• Save new object
• Generate SAP_ALL to include the new object
[Figure: screenshot of the new object, with callout “Mandatory fields”]


Step 2: Generate Coding

• Report RPUACG00
  • Decide whether the object should be context-sensitive
  • Password = your user name
• Note: although this is not a modification, you’ll be asked to enter an object key


Step 3: Amend Coding

• You can skip this step
  • Then the object will just check the fields you included in the same way P_ORGIN checks employee group, subgroup, …
• Or you can add extra logic in program MPPAUTZZ, e.g.:
  • Make the cost centre check dynamic, so the system is not granting access to a fixed cost centre, but to the cost centre assigned to the user
  • Perform a check depending on the transaction code
    • This would allow you to get around one of the major considerations of standard authorisations
  • Consider a custom table with FLAs*
    • Right to capture IT0015 depends on the amount

* Financial authority limit


Step 4: Activate Check

• Activation in T77S0 in the same way as standard objects are activated
  • Before the activation, you should make sure it is included in all relevant roles – otherwise, users will be completely blocked
• You may also want to amend the profile generator to include the new object in its suggestions



BAdIs Overview

• The most widely used BAdIs are:
  • HRBAS00_GET_PROFL: dynamic assignment of structural profiles in the context solution
  • HRBAS00_STRUAUTH: changing structural authorisation
  • HRPAD00AUTH_CHECK: replacing general HR master data check
  • HRBAS00_RHBAUS00: amending the report for buffering objects in structural authorisation
  • HRPAD00CHECK_TIME: amending HR authorisations time logic
• Further BAdIs for particular processes, such as:
  • Access to cost plans
  • Travel and Expense management
  • Appraisals


Automatically Assigning Structural Profiles

• If maintenance of table T77UA takes too much effort or doesn’t fulfill the requirements
  • Assignment of structural profiles either from the field PROFL or following your own logic via BAdI HRBAS00_GET_PROFL

Tip
• No need to maintain table T77UA.
• Dynamic assignment of structural profiles.


Changing Structural Authorisations

• BAdI HRBAS00_STRUAUTH has six methods which can be used independently or in combination with each other
• The most popular ones are:
  • Check_Authority_View: you can determine freely whether the user should have access to a certain object
  • Check_Auth_Plan1: same, but for employees rather than other objects
  • Check_Authority_Search: allows different access to objects for users in a search function


Business Examples

Opening up search functions
• Some users may not have any access to data of organisational units, but should see them in a search function to perform a structural search. Method Check_Authority_Search can do this.

Booking employees on courses
• PAs may not have any access to the object type E (event), but should still be allowed to book employees on courses. This can be done in method Check_Authority_View.

Access to external courses only
• You can also use method Check_Authority_View to allow a user access to external courses only. The flag external/internal is not used by standard authorisations, so you need the BAdI to differentiate.


The Most Powerful of Authorisation BAdIs

BAdI HRPAD00AUTH_CHECK is very powerful, as well as dangerous

• It can completely change the behaviour of standard PA authorisation checks. So, in theory, you can implement any authorisation process you want.

• As soon as the BAdI is activated without any coding changes, no user will be able to access any HR master data

• You need to implement all methods, even if you need only one of them for your purpose

• It is recommended to use other tools for smaller amendments, whenever possible

• If you have various bespoke requirements, this is the right tool


What Are All Those Methods For?

• This BAdI has 13 methods, which makes it difficult to understand
  • Most of them are meant to improve the performance of standard authorisation checks
  • In almost all cases, the method required for custom checks is CHECK_AUTHORIZATION
• However, when the BAdI is switched on, it is completely replacing standard authorisation checks for PA data
  • Therefore, it is not enough to implement the one method only
  • You’d usually want all other methods to work as they would in SAP standard, so you need to implement them accordingly


Keeping Standard Checks Where Still Needed

Create a BAdI implementation
• Just the normal implementation steps for BAdI HRPAD00AUTH_CHECK

Make standard checks available
• Create method, e.g., “CHECK_CHECKER” as shown on next slide

Implement standard checks
• Call standard method in all method implementations
• Example on next slide shows this for method CHECK_MAX_INFTY_AUTHORIZATION – others are to be done accordingly

Make custom amendments
• Now add your custom coding – usually in method CHECK_AUTHORIZATION


Sample Coding

Method CHECK_CHECKER

    " Create the instance of the standard check class that the other methods call
    CREATE OBJECT checker TYPE cl_hrpad00auth_check_std.

Method DELAYED_CONSTRUCTOR

    CALL METHOD check_checker
      EXPORTING
        context = context
        repid   = repid.

Method CHECK_MAX_INFTY_AUTHORIZATION

    CALL METHOD check_checker.
    " Pass the call on to the standard check; change accordingly for other methods
    CALL METHOD checker->check_max_infty_authorization
      EXPORTING
        level         = level
        tclas         = tclas
        infty         = infty
      IMPORTING
        is_authorized = is_authorized
      EXCEPTIONS
        invalid        = 1
        internal_error = 2
        OTHERS         = 3.


Business Examples

Transaction sensitivity
• Depending on config, time evaluation may require display rights for IT0008. The user running time evaluation needs this, but is not allowed to see IT0008 directly.
• Many reports require some data from IT0002 or IT0032, but users running these reports should not see national insurance numbers or company car data. So, they get access to these infotypes only in the context of these reports.

Exclude some data from own manager
• PAs have access to staff in their department for info purposes, but they are not allowed to see salary data for their own boss

Dynamic time sensitivity
• Some users are allowed to change infotype 2006 for at most one month into the past. The BAdI allows this without using IT0130 and constantly updating it.
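
The business examples above, together with the amount-based check from “Step 3: Amend Coding”, as an added Python model of a custom check layered on the standard decision (not SAP code and not part of the original deck). The rule tables, the report name ZHR_HEADCOUNT, the role names and the 31-day reading of “one month” are assumptions; each decision carries the name of the rule behind it, which addresses the transparency problem the deck raises for hard-coded checks.

```python
from datetime import date, timedelta

# Constructed rule data; in a real system this would sit in custom tables or roles.
FLA_EUR = {"CLERK": 100, "HR_LEAD": 1000}     # financial authority limit per role
REPORT_CONTEXT = {"0002": {"ZHR_HEADCOUNT"}}  # infotype -> reports that may read it
MAX_BACKDATING = timedelta(days=31)           # "one month" modelled as 31 days


def standard_check(user, req):
    """Stand-in for the standard decision: infotype and level from the user's roles."""
    return (req["infty"], req["level"]) in user["std_auth"]


def check_authorization(user, req, today):
    """Return (allowed, rule) so that every decision names the rule behind it."""
    infty, level = req["infty"], req["level"]
    if not standard_check(user, req):
        # Transaction sensitivity: read access that exists only inside a named report.
        caller = req.get("caller")
        if (level == "R" and caller in REPORT_CONTEXT.get(infty, ())
                and caller in user["reports"]):
            return True, "report context"
        return False, "standard check"
    # The standard check passed; the remaining custom rules can only narrow it.
    if infty == "0008" and req["pernr"] == user["manager"]:
        return False, "own manager excluded"
    if infty == "2006" and level == "W" and req["begda"] < today - MAX_BACKDATING:
        return False, "backdating limit"
    if infty == "0015" and level == "W" and req["amount"] > FLA_EUR.get(user["role"], 0):
        return False, "financial authority limit"
    return True, "standard check"


# Constructed sample user and requests.
TODAY = date(2014, 6, 15)
PA_USER = {
    "role": "CLERK", "manager": "2000", "reports": {"ZHR_HEADCOUNT"},
    "std_auth": {("0008", "R"), ("2006", "W"), ("0015", "W")},
}
REQUESTS = [
    {"pernr": "3000", "infty": "0002", "level": "R", "caller": "ZHR_HEADCOUNT"},
    {"pernr": "3000", "infty": "0002", "level": "R", "caller": "PA20"},
    {"pernr": "2000", "infty": "0008", "level": "R"},
    {"pernr": "3000", "infty": "0008", "level": "R"},
    {"pernr": "3000", "infty": "2006", "level": "W", "begda": date(2014, 4, 1)},
    {"pernr": "3000", "infty": "2006", "level": "W", "begda": date(2014, 6, 1)},
    {"pernr": "3000", "infty": "0015", "level": "W", "amount": 150},
    {"pernr": "3000", "infty": "0015", "level": "W", "amount": 80},
]


def decide_all():
    """Decisions for all sample requests, in order."""
    return [check_authorization(PA_USER, r, TODAY) for r in REQUESTS]
```

Only the report-context rule widens access beyond the standard decision; the other three rules run after the standard check has passed and can only take rights away, which keeps their side effects easier to reason about.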


Typical Problems with This BAdI

Transparency
• As checks are hard coded rather than visible in roles, it is difficult to see who’s got which rights
• Tip: using custom authorisation objects and checking them in this BAdI improves transparency a lot

Interdependencies of the many methods
• Whilst you often focus on one single method, it can become very complex to manage the interdependencies of all methods in this BAdI

Anything goes attitude
• Because it is so powerful, business users may get used to getting each and every exception implemented. Eventually, this will lead to an unmanageable level of complexity.



Authorisations in Custom Development

• Sometimes you require a deviation from standard authorisation checks only in the context of a custom development
  • In this case, it may be easier to add coding for bespoke authorisation checks into the custom program
  • This avoids side effects you may have by using the BAdIs
  • Consider a custom authorisation object (not P_NNNNN)
  • Always remember that access to data is not checked by the database, but in each program
    • Custom coding can, therefore, easily get around authorisations
    • Using logical databases makes it easier for developers to make sure authorisations are checked, but they can still ignore them, if they want to


Balancing It Out

Pro Custom Coding
• Business requirements followed very closely
• They can reduce number of roles considerably
• May improve system performance
• Some processes may just not work otherwise

Contra Custom Coding
• Upfront cost for implementation and test
• Test effort for changes
• Risk of side effects and sceptical auditors
• Long-term complexity trap


Make the Substitution Test

• Requirements for more and more exceptions to be programmed in authorisation checks can become overwhelming
• Apart from the usual discussion of cost vs. benefit, there is one test we recommend doing with the business every time:
  • If we implement this bespoke, very strict authorisation check, would a substitute still be able to perform this user’s task when he or she is off sick? Note that handing over your password is considered a severe breach of security guidelines.



Where to Find More Information

• Eric Wood, “How to Use Structural Authorizations for Effective HR Strategy and Security” (HR Expert, February 2013).
• Anja Junold and Martin Esch, Authorizations in SAP ERP HCM – Design, Implementation, and Operation (SAP PRESS, 2008).
  • A new edition is available in German
• www.iprocon.com/nl-en
  • iProCon Newsletter on SAP HCM with several authorisations experts as regular contributors
  • German version available: www.iprocon.de/newsletter
• http://help.sap.com/saphelp_470/helpdata/en/e0/bdb83b5b831f3be10000000a114084/content.htm
  • Simple examples for BAdI HRPAD00AUTH_CHECK


7 Key Points to Take Home

• SAP standard authorisation checks happen primarily on infotype/subtype and object level depending on organisational criteria

• Assigning rights on field-level or based on data content (e.g., amount limits) or transactional context requires custom solutions

• Custom solutions can reduce the number of roles and profiles

• The custom object P_NNNNN can be generated or amended with custom coding for more complex logic

• BAdI HRPAD00AUTH_CHECK is very powerful, but difficult to handle. For small amendments, try to use other tools.

• Custom programs have to take care of their own authorisation checks – ideally referring to standard checks and making use of logical databases

• It is important to strike the right balance; otherwise, complexity can keep growing until it becomes almost impossible to make further changes without unwanted side effects


Your Turn!

How to contact me:

Sven Ringling


@svenringling

