Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
SAP HCM STRUCTURAL  AUTHORIZATION     OVERVIEW          by      Ken Bowers    NK Consulting Inc
Structural Authorization                DefinedHR Structural Authorization permit access to personneldata based on the use...
Structural         GeneralAuthorization      Authorization    Org, PD,                    Personnel   TEM, Quals          ...
Structural Authorization  High Level Process Configuration & Switch Settings                                       Link St...
STRUCTURAL AUTHORIZATIONS PROCESS FLOWCHART                                                               DynamicallyPA/PD...
PA/PD Integration “Active”
Structural Authorizations                              ‘Activated”     Change from 0 to 1                                 ...
Structural Authorizations       “Activated”                 4.7
Activation Options• Value 1: Org Unit Checked – No  Authorization.• Value 2: Org Unit Not Checked – No  Authorization.• Va...
Structural Authorizations     Waiting Period
Create Organizational Structure•   Transaction code PPOME•   Create organizational units (object type O)•   Create jobs (o...
Create Organizational Structure
Create Personnel Master Records• All personnel require personnel number• Create IT0105, subtype 0001 record for all  EE’s ...
Create Personnel Master Records                            IT0001         IT0105
Evaluation Paths• Use SAP standard evaluation paths  – SAP standard function modules read    delivered evaluation paths• C...
Evaluation Paths             T778A           V_T77AW
Create Structural Authorization             Profiles• Transaction code OOSP or T77PR• Screen # 1  – Profile: Enter profile...
Assign Root Org Unit      Option 1: Dynamically.• Function Module:  RH_GET_MANAGER_ASSIGNMENT  determines the root organiz...
Screen # 2 T77PR                                    When Function                                       Module is         ...
• Screen # 2 (Continued)   – Auth Profile: Select profile for pop-up box   – No.: Enter Line/Sequence/Interval numbers 5, ...
• Screen # 2 (Continued)  – Status vector: Planning status authorization     •   1 – Active     •   2 – Planned     •   3 ...
• Screen # 2 (Continued)  – Time period: Restrict access based on the    validity period of the org structure.     •   D –...
• Screen # 2 (Continued)  – Add multiple rows in this table for all PD    objects the structural authorizations are    per...
Assign Root Org Unit       Option 2: Dynamically.• Function Module:  RH_GET_ORG_ASSIGNMENT  determines the root organizati...
Screen # 2 T77PR     A customer defined Function         Module may be used       RH_GET_ORG_ASSIGNMENT       Determines t...
Assign Root Org Unit      Option 3: Dynamically.• Customer Defined Function Module:   – Copy and modify SAP standard funct...
Assign Root Org Unit        Option 4: Manually• Function Module not used.• Manual assignment of root organizational  unit•...
Screen # 2 T77PR When Object ID is being used, leave  Function Module field  “Blank”
Structural Authorization Profile           Completed
Link User ID to Structural Authorization Option # 1             Assign Structural Authorization to PD Object• Restrict use...
Assign IT1017 to PositionExecute transaction code PP01 > Create PD Profiles > Assign Structural                         Au...
Link User ID to Structural          Authorization• Execute SAP Program RHPROFL0 on a  nightly or emergency basis.• Report ...
RHPROFL0 program report output  T77UA autopopulated by the  RHPROFL0   program
Link User ID to Structural     Authorization Option # 2• Can be assigned “manually”• IT1017 is not necessary• Transaction ...
Manually Link User ID to         Structural AuthorizationExecute transaction code OOSB > Click on New Entries > Enter user...
Optimize Structural    Authorization Performance• Manually enter user id’s in T77UU User Table for  Batch Input. Stores us...
Congratulations !• You have completed the configuration of  structural authorizations.• Do not know of any method to trace...
Customer Defined Structural         Authorizations• Use BADl: HRBAS00_STRUAUTH  Customer defined logic for Structural  Aut...
Reporting Considerations• Customer Defined Reports: Use HR Macros in  your custom program to engage structural  authorizat...
Lessons Learned• Keep in mind, users with new structural  authorizations will not be effective until  next day if RHPROFLO...
WHAT’S NEW IN 4.7Transaction code SU53: Reasons for failed Structural authorizations are                            displa...
Context Structural Authorizations
Context Structural Authorizations
Context Structural Authorizations
Context Structural Authorizations
Context Structural Authorizations
Questions ?
Contact Informationkbowers@nkconsultinginc.com       864-940-7282
SAP HCM Structural Authorization Overview Presentation
Upcoming SlideShare
Loading in …5
×

SAP HCM Structural Authorization Overview Presentation

21,153 views

Published on

Structural Authorizations Presentation to ASUG Virginia Chapter on March 29, 2005

Published in: Business

SAP HCM Structural Authorization Overview Presentation

  1. 1. SAP HCM STRUCTURAL AUTHORIZATION OVERVIEW by Ken Bowers NK Consulting Inc
  2. 2. Structural Authorization DefinedHR Structural Authorization permit access to personneldata based on the user’s position or span of authoritywithin the organizational structure.
  3. 3. Structural GeneralAuthorization Authorization Org, PD, Personnel TEM, Quals Admin TC: OOSB TC: PFCG
  4. 4. Structural Authorization High Level Process Configuration & Switch Settings Link Structural Create Structural Authorization Authorization Profile Evaluation Path Profile to User Id Determine Root Org Unit
  5. 5. STRUCTURAL AUTHORIZATIONS PROCESS FLOWCHART DynamicallyPA/PD Integration Evaluation Paths Manually assign Organizational Turned Maintained assign Root Org Unit Structure “On” (T778A/ Root Org Unit (Function Module) (Org Unit/Position) (POLGI/ORGA) V_T77AW)) Structural Structural Structural Structural Auth Authorization Authorization Organizational Authorization Profiles Activated via Waiting Period Structure Profiles Dynamically Linked (TC: OOAC or (TC: OOAC or Developed Developed (TC: PD Object T77S0) T77S0) OOSP or T77PR) (IT1017) SAP User ID Employee Record SAP Program linked to PA via assigned RHPROFLO IT0105 Record IT0001 Executed SAP User ID linked Structural Auth. Manually Profile (TC: OOSB or T77UA Execute Reports to User Access Optimize Restricted Performance Based on Org Structure
  6. 6. PA/PD Integration “Active”
  7. 7. Structural Authorizations ‘Activated” Change from 0 to 1 4.6 and belowRefer to OSS Note 339367 refers to OSS Note 363083Maintenance of the switch AUTH_SW P_ORGPD toimport 4.7 functionality TC: OOAC T77S0
  8. 8. Structural Authorizations “Activated” 4.7
  9. 9. Activation Options• Value 1: Org Unit Checked – No Authorization.• Value 2: Org Unit Not Checked – No Authorization.• Value 3: Org Unit Checked – Authorization• Value 4: Org Unit Not Checked - Authorization
  10. 10. Structural Authorizations Waiting Period
  11. 11. Create Organizational Structure• Transaction code PPOME• Create organizational units (object type O)• Create jobs (object type C)• Create positions (object type S)• Assign chief positions especially if the relationship A012 is being used in function modules
  12. 12. Create Organizational Structure
  13. 13. Create Personnel Master Records• All personnel require personnel number• Create IT0105, subtype 0001 record for all EE’s linking SAP user id to personnel number which is linked to the org structure• All personnel require IT0001 record
  14. 14. Create Personnel Master Records IT0001 IT0105
  15. 15. Evaluation Paths• Use SAP standard evaluation paths – SAP standard function modules read delivered evaluation paths• Create customer defined evaluation paths – Customer defined function modules specify customer defined evaluation paths
  16. 16. Evaluation Paths T778A V_T77AW
  17. 17. Create Structural Authorization Profiles• Transaction code OOSP or T77PR• Screen # 1 – Profile: Enter profile name and description – Save Structural Authorization Profile
  18. 18. Assign Root Org Unit Option 1: Dynamically.• Function Module: RH_GET_MANAGER_ASSIGNMENT determines the root organizational unit to which the user is assigned as Manager via the A012 chief relationship.• Assign function module in T77PR In field PFUNC
  19. 19. Screen # 2 T77PR When Function Module is being used, leave Object ID field “Blank”RH_GET_MANAGER_ASSIGNMENT:Determines the root org unit object towhich the user is assigned as Managervia the A012 chief relationship.(Supervisor)
  20. 20. • Screen # 2 (Continued) – Auth Profile: Select profile for pop-up box – No.: Enter Line/Sequence/Interval numbers 5, 10, 15 …etc. – Plan version: Enter active plan. Ex. 01 – Object type: Enter object type end user will be authorized to change or display (O – Org Unit, S – Position, C – Job, P- person, and any customer defined objects) – Object ID: If assign root org unit is being used, enter org unit id value. If you are using function modules to dynamically determine the root org unit, leave this field blank – Maintenance: If checked, maintain authorization is granted for object type, if uncheck, only display authorization granted. – Evaluation Path: Enter evaluation path defined inT77UA
  21. 21. • Screen # 2 (Continued) – Status vector: Planning status authorization • 1 – Active • 2 – Planned • 3 – Submitted • 4 – Approved • 5 – Rejected • To grant access to Active and Planned status(s) enter “12” – Depth: Enter the number of levels from the root org unit of the org structure. – Sign: Process structural authorization top – down (+) or bottom-up (-)
  22. 22. • Screen # 2 (Continued) – Time period: Restrict access based on the validity period of the org structure. • D – Current Day • M – Current Month • Y – Current Year • P – Past • F – Future – Function module: • Leave this field “blank” if root org unit is defined in field “Object id” • Determine the root org unit using SAP standard or Customer defined function modules
  23. 23. • Screen # 2 (Continued) – Add multiple rows in this table for all PD objects the structural authorizations are permitting to change and/or display
  24. 24. Assign Root Org Unit Option 2: Dynamically.• Function Module: RH_GET_ORG_ASSIGNMENT determines the root organizational unit to which the user is organizationally assigned.• Assign function module in T77PR In field PFUNC
  25. 25. Screen # 2 T77PR A customer defined Function Module may be used RH_GET_ORG_ASSIGNMENT Determines the root organizational unit to which the user is organizationally assigned.
  26. 26. Assign Root Org Unit Option 3: Dynamically.• Customer Defined Function Module: – Copy and modify SAP standard function modules to specify customer defined evaluation paths• Assign function module in T77PR In field PFUNC
  27. 27. Assign Root Org Unit Option 4: Manually• Function Module not used.• Manual assignment of root organizational unit• Define root organizational unit in T77PR In field OBJID
  28. 28. Screen # 2 T77PR When Object ID is being used, leave Function Module field “Blank”
  29. 29. Structural Authorization Profile Completed
  30. 30. Link User ID to Structural Authorization Option # 1 Assign Structural Authorization to PD Object• Restrict user access based on PD objects.• Assign structural authorization defined in transaction code OOSP or T77PR by creating an IT1017 to a PD object. Example: Create IT1017 to org unit or position depending on your requirements• This is linking the structural authorization to the organizational structure.• IT1017 is required if you are going to dynamically populate T77UA by linking user id to structural authorization profile.
  31. 31. Assign IT1017 to PositionExecute transaction code PP01 > Create PD Profiles > Assign Structural Authorization Profile
  32. 32. Link User ID to Structural Authorization• Execute SAP Program RHPROFL0 on a nightly or emergency basis.• Report dynamically links the user id (IT0105, Subtype 0001) to the designated structural authorization profile in T77UA based on the assignment of IT1017 to PD objects.
  33. 33. RHPROFL0 program report output T77UA autopopulated by the RHPROFL0 program
  34. 34. Link User ID to Structural Authorization Option # 2• Can be assigned “manually”• IT1017 is not necessary• Transaction code OOSB or T77UA• Ensure customizing of the table in permitted in Production client• This method is no recommended. Can be very labor intensive
  35. 35. Manually Link User ID to Structural AuthorizationExecute transaction code OOSB > Click on New Entries > Enter user id,corresponding structural authorization profile, enter start date, enter end date and click on the save icon.
  36. 36. Optimize Structural Authorization Performance• Manually enter user id’s in T77UU User Table for Batch Input. Stores user id in SAP memory (T77UU). Not recommended.• Dynamically add/remove user id’s in T77UU executing program RHBAUS02 based on the number of objects.• Execute nightly program RHBAUS00 to regenerate indexes saved in table INDX.• Indexes regenerated and saved in table INDX• OSS note 836478 dated 4/21/05: Display Index Report: RHAUTH_VIEW_INDX
  37. 37. Congratulations !• You have completed the configuration of structural authorizations.• Do not know of any method to trace structural authorizations• Test, test user id’s for both structural authorizations and PA/PD authorization assigned to roles in TC: SU01.
  38. 38. Customer Defined Structural Authorizations• Use BADl: HRBAS00_STRUAUTH Customer defined logic for Structural Authorization• Use BADI: HRPAD00AUTH_CHECK, which allows the customer to input their own coding into this customer exit for HR Master Data. – Example: Restrict authorizations based on Business Area, Plant, etc.
  39. 39. Reporting Considerations• Customer Defined Reports: Use HR Macros in your custom program to engage structural authorizations from the LDB. If LDB is not being accessed, need to code structural authorizations in program• SAP Standard Reports: There may be some circumstances you do not want structural authorizations checked. Copy standard reports and remove authorization checks.
  40. 40. Lessons Learned• Keep in mind, users with new structural authorizations will not be effective until next day if RHPROFLO is ran nightly.• Remember to assign Authorization Groups to customer defined z-tables in order to maintain in Production client.• Assign all end users structural authorizations.
  41. 41. WHAT’S NEW IN 4.7Transaction code SU53: Reasons for failed Structural authorizations are displayed
  42. 42. Context Structural Authorizations
  43. 43. Context Structural Authorizations
  44. 44. Context Structural Authorizations
  45. 45. Context Structural Authorizations
  46. 46. Context Structural Authorizations
  47. 47. Questions ?
  48. 48. Contact Informationkbowers@nkconsultinginc.com 864-940-7282

×