3 = If employee is not assigned to an org unit, the user has access. 4 = Access is granted.
When function module is being used, leave object id field “blank”. When using the Object id field, leave the Function Module Field “blank”.
SAP HCM Structural Authorization Overview Presentation
SAP HCM STRUCTURAL AUTHORIZATION OVERVIEW by Ken Bowers NK Consulting Inc
Structural Authorization DefinedHR Structural Authorization permit access to personneldata based on the user’s position or span of authoritywithin the organizational structure.
Structural GeneralAuthorization Authorization Org, PD, Personnel TEM, Quals Admin TC: OOSB TC: PFCG
Structural Authorization High Level Process Configuration & Switch Settings Link Structural Create Structural Authorization Authorization Profile Evaluation Path Profile to User Id Determine Root Org Unit
STRUCTURAL AUTHORIZATIONS PROCESS FLOWCHART DynamicallyPA/PD Integration Evaluation Paths Manually assign Organizational Turned Maintained assign Root Org Unit Structure “On” (T778A/ Root Org Unit (Function Module) (Org Unit/Position) (POLGI/ORGA) V_T77AW)) Structural Structural Structural Structural Auth Authorization Authorization Organizational Authorization Profiles Activated via Waiting Period Structure Profiles Dynamically Linked (TC: OOAC or (TC: OOAC or Developed Developed (TC: PD Object T77S0) T77S0) OOSP or T77PR) (IT1017) SAP User ID Employee Record SAP Program linked to PA via assigned RHPROFLO IT0105 Record IT0001 Executed SAP User ID linked Structural Auth. Manually Profile (TC: OOSB or T77UA Execute Reports to User Access Optimize Restricted Performance Based on Org Structure
Structural Authorizations ‘Activated” Change from 0 to 1 4.6 and belowRefer to OSS Note 339367 refers to OSS Note 363083Maintenance of the switch AUTH_SW P_ORGPD toimport 4.7 functionality TC: OOAC T77S0
Activation Options• Value 1: Org Unit Checked – No Authorization.• Value 2: Org Unit Not Checked – No Authorization.• Value 3: Org Unit Checked – Authorization• Value 4: Org Unit Not Checked - Authorization
Create Organizational Structure• Transaction code PPOME• Create organizational units (object type O)• Create jobs (object type C)• Create positions (object type S)• Assign chief positions especially if the relationship A012 is being used in function modules
Create Personnel Master Records• All personnel require personnel number• Create IT0105, subtype 0001 record for all EE’s linking SAP user id to personnel number which is linked to the org structure• All personnel require IT0001 record
Evaluation Paths• Use SAP standard evaluation paths – SAP standard function modules read delivered evaluation paths• Create customer defined evaluation paths – Customer defined function modules specify customer defined evaluation paths
Create Structural Authorization Profiles• Transaction code OOSP or T77PR• Screen # 1 – Profile: Enter profile name and description – Save Structural Authorization Profile
Assign Root Org Unit Option 1: Dynamically.• Function Module: RH_GET_MANAGER_ASSIGNMENT determines the root organizational unit to which the user is assigned as Manager via the A012 chief relationship.• Assign function module in T77PR In field PFUNC
Screen # 2 T77PR When Function Module is being used, leave Object ID field “Blank”RH_GET_MANAGER_ASSIGNMENT:Determines the root org unit object towhich the user is assigned as Managervia the A012 chief relationship.(Supervisor)
• Screen # 2 (Continued) – Auth Profile: Select profile for pop-up box – No.: Enter Line/Sequence/Interval numbers 5, 10, 15 …etc. – Plan version: Enter active plan. Ex. 01 – Object type: Enter object type end user will be authorized to change or display (O – Org Unit, S – Position, C – Job, P- person, and any customer defined objects) – Object ID: If assign root org unit is being used, enter org unit id value. If you are using function modules to dynamically determine the root org unit, leave this field blank – Maintenance: If checked, maintain authorization is granted for object type, if uncheck, only display authorization granted. – Evaluation Path: Enter evaluation path defined inT77UA
• Screen # 2 (Continued) – Status vector: Planning status authorization • 1 – Active • 2 – Planned • 3 – Submitted • 4 – Approved • 5 – Rejected • To grant access to Active and Planned status(s) enter “12” – Depth: Enter the number of levels from the root org unit of the org structure. – Sign: Process structural authorization top – down (+) or bottom-up (-)
• Screen # 2 (Continued) – Time period: Restrict access based on the validity period of the org structure. • D – Current Day • M – Current Month • Y – Current Year • P – Past • F – Future – Function module: • Leave this field “blank” if root org unit is defined in field “Object id” • Determine the root org unit using SAP standard or Customer defined function modules
• Screen # 2 (Continued) – Add multiple rows in this table for all PD objects the structural authorizations are permitting to change and/or display
Assign Root Org Unit Option 2: Dynamically.• Function Module: RH_GET_ORG_ASSIGNMENT determines the root organizational unit to which the user is organizationally assigned.• Assign function module in T77PR In field PFUNC
Screen # 2 T77PR A customer defined Function Module may be used RH_GET_ORG_ASSIGNMENT Determines the root organizational unit to which the user is organizationally assigned.
Assign Root Org Unit Option 3: Dynamically.• Customer Defined Function Module: – Copy and modify SAP standard function modules to specify customer defined evaluation paths• Assign function module in T77PR In field PFUNC
Assign Root Org Unit Option 4: Manually• Function Module not used.• Manual assignment of root organizational unit• Define root organizational unit in T77PR In field OBJID
Screen # 2 T77PR When Object ID is being used, leave Function Module field “Blank”
Link User ID to Structural Authorization Option # 1 Assign Structural Authorization to PD Object• Restrict user access based on PD objects.• Assign structural authorization defined in transaction code OOSP or T77PR by creating an IT1017 to a PD object. Example: Create IT1017 to org unit or position depending on your requirements• This is linking the structural authorization to the organizational structure.• IT1017 is required if you are going to dynamically populate T77UA by linking user id to structural authorization profile.
Link User ID to Structural Authorization• Execute SAP Program RHPROFL0 on a nightly or emergency basis.• Report dynamically links the user id (IT0105, Subtype 0001) to the designated structural authorization profile in T77UA based on the assignment of IT1017 to PD objects.
RHPROFL0 program report output T77UA autopopulated by the RHPROFL0 program
Link User ID to Structural Authorization Option # 2• Can be assigned “manually”• IT1017 is not necessary• Transaction code OOSB or T77UA• Ensure customizing of the table in permitted in Production client• This method is no recommended. Can be very labor intensive
Manually Link User ID to Structural AuthorizationExecute transaction code OOSB > Click on New Entries > Enter user id,corresponding structural authorization profile, enter start date, enter end date and click on the save icon.
Optimize Structural Authorization Performance• Manually enter user id’s in T77UU User Table for Batch Input. Stores user id in SAP memory (T77UU). Not recommended.• Dynamically add/remove user id’s in T77UU executing program RHBAUS02 based on the number of objects.• Execute nightly program RHBAUS00 to regenerate indexes saved in table INDX.• Indexes regenerated and saved in table INDX• OSS note 836478 dated 4/21/05: Display Index Report: RHAUTH_VIEW_INDX
Congratulations !• You have completed the configuration of structural authorizations.• Do not know of any method to trace structural authorizations• Test, test user id’s for both structural authorizations and PA/PD authorization assigned to roles in TC: SU01.
Customer Defined Structural Authorizations• Use BADl: HRBAS00_STRUAUTH Customer defined logic for Structural Authorization• Use BADI: HRPAD00AUTH_CHECK, which allows the customer to input their own coding into this customer exit for HR Master Data. – Example: Restrict authorizations based on Business Area, Plant, etc.
Reporting Considerations• Customer Defined Reports: Use HR Macros in your custom program to engage structural authorizations from the LDB. If LDB is not being accessed, need to code structural authorizations in program• SAP Standard Reports: There may be some circumstances you do not want structural authorizations checked. Copy standard reports and remove authorization checks.
Lessons Learned• Keep in mind, users with new structural authorizations will not be effective until next day if RHPROFLO is ran nightly.• Remember to assign Authorization Groups to customer defined z-tables in order to maintain in Production client.• Assign all end users structural authorizations.
WHAT’S NEW IN 4.7Transaction code SU53: Reasons for failed Structural authorizations are displayed