© Copyright 2014
Wellesley Information Services, Inc.
All rights reserved.
When and How to Use
Custom Development to
Optimise SAP ERP HCM
Authorisations
Sven Ringling
iProCon
1
In This Session
• We’ll walk through the most important standard concepts of HR
authorisations
 To demonstrate what they can and can’t do, and thus where custom
development can bring improvements
 We will not discuss each and every detail of standard concepts
• We’ll discuss when to use custom development and when you
should aim for other alternatives
• We’ll introduce the most important concepts for custom
development in HR authorisations
 BAdIs, custom authorisation objects, and dynamic start objects
for structural authorisation
 And demonstrate business cases for each of them
2
What We’ll Cover
• Overview: out-of-the-box concepts and enhancement options
• Standard objects, structural and context-sensitive authorisations
• Making structural authorisations more dynamic
• Using a custom authorisations object
• Using BAdIs: (almost) everything is possible
• Striking the right balance: keep customization to a minimum
• Wrap-up
3
A Quick Run Through Primary School
Authorisation Objects
• Are a set of fields to describe user rights for certain data or activities
• SAP standard coding checks these objects to control user rights
Authorisations
• Are objects “filled in” to describe the rights of a certain user or group
Roles
• Are sets of authorisations to represent a task or group of tasks
• Are assigned to users directly or through composite roles
4
Standard Options for HR Authorisations
Basic HR authorisations
• Personnel master data and time data infotypes
• Infotypes of HR planning and development
Structural authorisations
• Controlling access along the organisational structure
• Other structures of personnel planning and development, such as the training catalogue
• For personnel planning and development and also for personnel master data, if activated
Context-sensitive authorisations
• Linking the two concepts above, so structural authorisations can be used in a more differentiated way
5
Further Authorisations Relevant to HR
• More authorisation objects can be relevant, but are not analysed
in this session
 Non-HR authorisations
 Authorisation objects for specific HR processes
 Authorisation objects for specific countries
6
Enhancement Options
Dynamic start object
• For structural authorisations, function modules can be used to decide at which point in the structure to start
Custom authorisation object
• For HR, a custom object is available that can be generated or filled with bespoke coding
BAdIs
• Available for basic objects, as well as for structural and context-sensitive authorisations
7
Before You Start with Custom Programming …
Make sure you understand what’s
available in SAP standard
Ask “Why do we need this” and
consider process changes
8
The Mother of All HR Authorisation Objects
• Authorisation Object P_ORGIN
 Most widely used object to control access to employee data
 Note: Cost Centre or Personnel Subarea not available
(Diagram) The object answers three questions: What can you do? For which set of data? For which employees?
10
Using Organisational Key as a Wildcard
• Before building a custom authorisation object, if you are missing
a field in P_ORGIN, make full use of the organisational key!
 SAP leaves this field free to use for whatever purpose a
customer wants to use it for
 You can configure this field to be:
 Free to change (from a drop-down list or free text)
 Free to change with a default value
 Default value not changeable
• Default values can be:
 Built from other fields in Infotype 0001
 E.g., cost centre or personnel subarea
 Set in Master Data BAdI HRPAD00_INFTY
11
Access Per Administrator: P_ORGXX
• Object P_ORGXX answers the question “which employees?” using the
administrator fields from Infotype 0001
 Convenient solution if you use these fields
 However, consider substitution issues!
 If you don’t use these fields in your process, you could use
them as extra wild cards via BAdI HRPAD00_INFTY
For which employees?
12
Access to Your Own Data: P_PERNR
• Object P_PERNR controls how users can access their own data
• Field “interpretation of assigned personnel number” is confusing
for some administrators:
 I: user gets extra right for her own data beyond P_ORGIN/
P_ORGXX (usually for ESS)
 E: access to user’s own data is restricted (e.g., HR staff not
allowed to change their own salary)
 Think of this being two separate authorisation objects
• Assigned via Infotype 0105, subtype 0001
13
Which of the Three Objects Are Used for Master Data?
• Entries in T77S0 (see above) decide which objects are active
• All active objects are checked sequentially
 E.g., if a user does have access to a certain record through
P_ORGIN, but not through P_ORGXX (both being active), then
access is rejected
 P_PERNR can then add rights for the user’s own data or take
them away
 It can never affect access to data other than the user’s own
records
14
Considerations for Basic Authorisation Objects
No field-level controls
• Infotype and subtype are not always the right level – e.g., the NI number in IT0002 is critical
• Sometimes controls based on amounts (e.g., one-off payments) are required
No link to organisational structure
• Dealt with by context-sensitive authorisation
No link to transaction or other context data
• It is often required for certain infotypes to be accessible in one transaction or report, but not another
15
How Object P_ABAP Can Help in Reporting
• P_ABAP deactivates the HR authorisation check (COARS = 2), but doesn’t replace the basic authorisation to start a report!
Tip
• It is often difficult to provide access to non-critical reports (e.g., a phone list)
• Recommendation: one role with non-critical reports for all users
16
Workaround for the Amount Problem
• Problem
 A user is allowed to capture a certain wage type (e.g., “medical
expenses”) in Infotype 2010, but only up to EUR 100
 Infotype and wage type (= subtype) can be controlled by object
P_ORGIN or P_ORGXX, but not the amount
 This would require custom programming (discussed further
down)
• Workaround
 Create two different wage types
 One without limit
 One with a limit of EUR 100 set in configuration view V_T511
 Assign the two wage types through P_ORGIN or P_ORGXX
using the subtype field accordingly
17
Personnel Planning and Development: PLOG
• Object PLOG controls access to PD data per
 Object type (organisational unit, job, qualification, …)
 Infotype and subtype
 Activity (function code), such as view, change, …
• PLOG can control access per plan variant, so “secret” planning scenarios can be protected. If you use only one, still use the restriction so you don’t have to change all roles if the requirement for a sandbox plan comes up (it often happens with very little advance warning only).
18
Understanding Object PLOG
• Unlike the objects for personnel master data, PLOG has no option
to restrict certain organisational units
 This is due to the nature of the data, which can be jobs, as well
as courses, etc.
 The only way to restrict access to parts of the organisational
structure is structural authorisation
• The function code controls:
 “Standard” activities, like display and change
 Bespoke activities for certain processes, like approvals or
career simulation
• Subtype field for Infotype 1001 (Relationships)
 In IT1001, the subtype field represents the relationship type
 Making good use of this allows very detailed controls
19
Detailed Controls Using Relationship Types
• If your authorisations on personnel planning and development are quite differentiated, picking the right relationship types can be challenging and require dozens of PLOG authorisations
 Whenever possible, keep it simple
 You need to understand the data structure very well
 Don’t forget most relationships exist in two directions (“A” and “B”)
• Example (shown on the slide): a PLOG authorisation that allows a user to assign instructors and organisers to a course/event, but not to book delegates
 Prerequisite: access to instructors and organisers
20
Considerations for Authorisation Object PLOG
No field-level controls
• Similar to the problem with PA infotypes, but not required very often
No organisational view
• Access rights are always for all objects of a particular type
• The organisational view is checked separately by structural authorisation
• A link between PLOG and structural authorisation would require context-sensitive authorisation, which is not yet available for PLOG
No link to transaction or other context data
• It is often required for certain infotypes to be accessible in one transaction or report, but not another. This is even more common here than in PA.
• In a few cases, the bespoke function codes mentioned earlier can cover this aspect
21
Structural Authorisation
• Access to a section of a structure
 E.g., org unit with all subordinate
units, positions, and people
• Structural profile
 One or several such sections
 Using evaluation paths
 Defined in table T77PR
• Profiles are assigned to users
 In table T77UA
• Access to data is defined in
“normal” authorisation objects
 No link!
(Diagram) Organisational unit → position → person, plus a subordinate organisational unit: the user has access to these persons’ data
22
Example: Two Structural Profiles for One User
• Structural profile “Time manager”: Glenn is responsible for time management. He may maintain time data for the sales team.
• Structural profile “My team”: Glenn is also a leader of his team and may read all their master data.
23
Merging Two Structural Profiles Goes Wrong
• The rights merge: maintain time data + read master data
• The scope merges: the sales team + his own team
24
Context-Sensitive Authorisation Gets It Right
• Context 1, structural profile “Time manager”: Glenn is responsible for time management. He may maintain time data for a special unit.
• Context 2, structural profile “own team”: Glenn is also a leader of his team and may read master data.
25
Context Authorisation in Object P_ORGINCON
• The new field PROFL represents a structural profile
 Data and actions specified can be accessed only for employees
accessible via this structural profile
 This is the hitherto missing link between structural
authorisation and “normal” authorisation objects
(Diagram) The object answers three questions: What can you do? For which set of data? For which employees?
26
Options in Context-Sensitive Authorisation
• It can be used in two standard objects:
 P_ORGINCON, replacing P_ORGIN
 P_ORGXXCON, replacing P_ORGXX
• They are activated in T77S0
 Switches INCON and XXCON, respectively
 Switch DFCON must also be set to activate the context solution
• There is no context solution for PD data
 Authorisation object PLOG_CON exists, but is currently not working (SAP is aware it is not working)
27
So, Why Custom Programming?
• Some structural gaps in standard authorisations are only partially rectified by the context solution
• Custom coding can close gaps and streamline processes, if used with consideration
28
Structural Authorisation: Example
• Rather than creating a profile with an explicit start object for each section of the org structure, the start object can be determined dynamically
• (Diagram) From the user to the person and their position; a relationship (e.g., “is line manager of”) leads to the organisational unit, and the user has access to these people’s data (organisational unit → position → person, including subordinate units)
30
Dynamic Start Object Using Function Module
• Standard function module RH_GET_ORG_ASSIGNMENT dynamically identifies the assigned org unit
• (Diagram) User → person (IT 0105) → position (holder) → org unit (belongs to), i.e., evaluation path ORGASS
31
More Flexibility with Custom Function Modules
Many users stop at standard options
• User is line manager of – function module RH_GET_MANAGER_ASSIGNMENT
• User is staff member of – function module RH_GET_ORG_ASSIGNMENT
Real-life requirements are more diverse → custom function modules
• PAs capturing data for managers or whole teams
• Managers not having access more than two levels down (“grandfather principle”)
• Other roles, like resource planners, event managers, …
You can achieve much with little custom programming
• … and a good deal of analysis and conceptual thinking
• This is arguably the least intrusive way of enhancing
32
It Can Be That Easy …
Copy function module and replace standard with your own evaluation path:
... or as complex as you want it to be
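As an added example, not code from the slides or from iProCon, here is what the “copy and swap the evaluation path” recipe looks like as a custom function module for a dynamic start object. In practice you copy RH_GET_ORG_ASSIGNMENT so the interface T77PR expects is inherited; the parameter names USER_NAME and ROOT_OBJEC, the exception NO_ROOT_FOUND, the module name Z_HR_GET_ROOT_BY_EVALPATH and the evaluation path ZGRANDF (a customising entry for the “grandfather principle”) are assumptions here. RH_STRUC_GET and its parameters are standard.

```abap
FUNCTION z_hr_get_root_by_evalpath.
*"----------------------------------------------------------------------
*" Assumed interface, as inherited when copying the standard module:
*"  IMPORTING
*"     VALUE(USER_NAME) LIKE SY-UNAME DEFAULT SY-UNAME
*"  TABLES
*"      ROOT_OBJEC STRUCTURE OBJEC
*"  EXCEPTIONS
*"      NO_ROOT_FOUND
*"----------------------------------------------------------------------
  CONSTANTS:
    lc_plvar TYPE plvar VALUE '01',       " active plan variant
    lc_wegid TYPE wegid VALUE 'ZGRANDF'.  " assumed custom evaluation path

  DATA: lt_objec TYPE STANDARD TABLE OF objec,
        ls_objec TYPE objec,
        lv_pernr TYPE persno.

  CLEAR root_objec[].

  " 1. User -> person: infotype 0105, subtype 0001 holds the system user name
  SELECT SINGLE pernr FROM pa0105 INTO lv_pernr
    WHERE usrty = '0001'
      AND usrid = user_name
      AND begda <= sy-datum
      AND endda >= sy-datum.
  IF sy-subrc <> 0.
    RAISE no_root_found.
  ENDIF.

  " 2. Follow the custom evaluation path from the person. The structural
  "    authorisation check is switched off here on purpose: this module
  "    determines the root of the profile, so it must not depend on it.
  CALL FUNCTION 'RH_STRUC_GET'
    EXPORTING
      act_otype       = 'P'
      act_objid       = lv_pernr
      act_wegid       = lc_wegid
      act_plvar       = lc_plvar
      act_begda       = sy-datum
      act_endda       = sy-datum
      authority_check = ' '
    TABLES
      result_objec    = lt_objec
    EXCEPTIONS
      no_plvar_found  = 1
      no_entry_found  = 2
      OTHERS          = 3.
  IF sy-subrc <> 0.
    RAISE no_root_found.
  ENDIF.

  " 3. Return the org units reached as root objects; the person itself
  "    (the start object of the path) is skipped
  LOOP AT lt_objec INTO ls_objec WHERE otype = 'O'.
    APPEND ls_objec TO root_objec.
  ENDLOOP.
  IF root_objec[] IS INITIAL.
    RAISE no_root_found.
  ENDIF.
ENDFUNCTION.
```

The module is entered in the structural profile in T77PR instead of a fixed start object; all the “who is a manager of what” logic then lives in the evaluation path, which is customising rather than code, and the same profile serves every manager.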
33
How to Use the Custom HR Authorisation Object
• You can create as many custom objects as you like
 However, they would not be checked in any standard transactions and would, therefore, be useless except when used in custom coding
• The special concept of P_NNNNN in HR allows you to create one custom object, which is integrated in all relevant standard transactions
 The standard process allows you to choose fields from Infotype 0001, plus some obligatory fields
 E.g., cost centre or supervisor
 You can also add custom coding, e.g., to make it dynamic
35
Step-by-Step Guide to P_NNNNN
Create P_NNNNN
• The real name would usually be different, starting with “Z”
• P_NNNNN is merely a placeholder for your own name
• Choose fields from Infotype 0001
Integrate P_NNNNN in standard authorisation check
• Code generation with report RPUACG00
Amend coding, if required
• Note: your amendments will be lost if code generation is repeated
Activate P_NNNNN
• Switch in table T77S0
36
Step 1: Create New Object
• Transaction SU21 → button “Create” → “Authorisation Object”
• Fill in the name and choose the fields
• Save the new object
• Generate SAP_ALL to include the new object
• (Screenshot) The mandatory fields are highlighted
37
Step 2: Generate Coding
• Report RPUACG00
 Decide whether the object should be context-sensitive
 Password = your user name
• Note: although this is not a modification, you’ll be asked to enter
an object key
38
Step 3: Amend Coding
• You can skip this step
 Then the object will just check the fields you included in the
same way P_ORGIN checks employee group, subgroup, …
• Or you can add extra logic in program MPPAUTZZ, e.g.:
 Make the cost centre check dynamic, so the system is not
granting access to a fixed cost centre, but to the cost centre
assigned to the user
 Perform a check depending on the transaction code
 This would allow you to get around one of the major
considerations of standard authorisations
 Consider a custom table with FLAs*
 Right to capture IT0015 depends on the amount
* Financial authority limit
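An added example, not from the slides, of the kind of logic step 3 describes: a hypothetical FORM that the generated coding in MPPAUTZZ would call for the custom object (named ZP_FLA here in place of P_NNNNN). It makes the cost centre check dynamic and ties write access to IT0015 to the user’s financial authority limit in a custom table. The FORM name and its parameters, the object name ZP_FLA, and the table ZHR_FLA with fields UNAME and LIMIT_AMT are assumptions; how the generated code hands the record being checked to custom logic differs by release.

```abap
*---------------------------------------------------------------------*
* Hypothetical custom check for object ZP_FLA, called from the code
* generated by RPUACG00 in MPPAUTZZ. FORM name, parameters, object
* name and table ZHR_FLA are assumptions for this example.
*---------------------------------------------------------------------*
FORM z_check_zp_fla USING    iv_pernr TYPE persno   " employee being accessed
                             iv_infty TYPE infty
                             iv_level TYPE authc    " R/M = read, W/S/E/D = write-type access
                             iv_uname TYPE xubname  " user being checked
                             is_p0015 TYPE p0015    " record being saved (relevant for IT0015 only)
                    CHANGING cv_authorized TYPE boole_d.

  DATA: lv_user_pernr TYPE persno,
        lv_user_kostl TYPE kostl,
        lv_emp_kostl  TYPE kostl,
        lv_limit      TYPE p0015-betrg.

  cv_authorized = abap_false.

  " 1. Dynamic cost centre: instead of a fixed value in the role, the
  "    employee must sit in the cost centre the user belongs to. The user's
  "    own personnel number comes from IT0105 subtype 0001.
  SELECT SINGLE pernr FROM pa0105 INTO lv_user_pernr
    WHERE usrty = '0001'
      AND usrid = iv_uname
      AND begda <= sy-datum
      AND endda >= sy-datum.
  CHECK sy-subrc = 0.

  SELECT SINGLE kostl FROM pa0001 INTO lv_user_kostl
    WHERE pernr = lv_user_pernr
      AND begda <= sy-datum
      AND endda >= sy-datum.
  CHECK sy-subrc = 0.

  SELECT SINGLE kostl FROM pa0001 INTO lv_emp_kostl
    WHERE pernr = iv_pernr
      AND begda <= sy-datum
      AND endda >= sy-datum.
  CHECK sy-subrc = 0 AND lv_emp_kostl = lv_user_kostl.

  " 2. Financial authority limit: write-type access to IT0015 is allowed
  "    only up to the amount maintained for the user in ZHR_FLA. No entry
  "    means no write access to IT0015 at all.
  IF iv_infty = '0015' AND iv_level NA 'RM'.
    SELECT SINGLE limit_amt FROM zhr_fla INTO lv_limit
      WHERE uname = iv_uname.
    IF sy-subrc <> 0 OR is_p0015-betrg > lv_limit.
      RETURN.
    ENDIF.
  ENDIF.

  " 3. The static part the generator would produce anyway: the user must
  "    hold ZP_FLA for this infotype and authorisation level in a role,
  "    so the right remains visible in role administration.
  AUTHORITY-CHECK OBJECT 'ZP_FLA'
    ID 'INFTY' FIELD iv_infty
    ID 'AUTHC' FIELD iv_level.
  CHECK sy-subrc = 0.

  cv_authorized = abap_true.
ENDFORM.
```

Keep the amendment in a separate FORM or include rather than inside the generated lines themselves: the slide’s note that amendments are lost when RPUACG00 is run again is the usual cause of a check silently disappearing after a regeneration.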
39
Step 4: Activate Check
• Activation in T77S0 in the same way as standard objects are
activated
 Before the activation, you should make sure it is included in all
relevant roles – otherwise, users will be completely blocked
• You may also want to amend the profile generator to include the
new object in its suggestions
40
BAdIs Overview
• The most widely used BAdIs are:
 HRBAS00_GET_PROFL: dynamic assignment of structural
profiles in the context solution
 HRBAS00_STRUAUTH: changing structural authorisation
 HRPAD00AUTH_CHECK: replacing general HR master data
check
 HRBAS00_RHBAUS00: amending the report for buffering
objects in structural authorisation
 HRPAD00CHECK_TIME: amending HR authorisations time logic
 Further BAdIs for particular processes, such as:
 Access to cost plans
 Travel and Expense management
 Appraisals
42
Automatically Assigning Structural Profiles
• If maintenance of table T77UA takes too much effort or doesn’t fulfil the requirements, assign structural profiles either from the field PROFL or following your own logic via BAdI HRBAS00_GET_PROFL
Tip
• No need to maintain table T77UA
• Dynamic assignment of structural profiles
43
Changing Structural Authorisations
• BAdI HRBAS00_STRUAUTH has six methods which can be used
independently or in combination with each other
• The most popular ones are:
 Check_Authority_View: you can determine freely whether the
user should have access to a certain object
 Check_Auth_Plan1: same, but for employees rather than other
objects
 Check_Authority_Search: allows different access to objects for
users in a search function
44
Business Examples
Opening up search functions
• Some users may not have any access to data of organisational units, but should see them in a search function to perform a structural search. Method Check_Authority_Search can do this.
Booking employees on courses
• PAs may not have any access to the object type E (event), but should still be allowed to book employees on courses. This can be done in method Check_Authority_View.
Access to external courses only
• You can also use method Check_Authority_View to allow a user access to external courses only. The flag external/internal is not used by standard authorisations, so you need the BAdI to differentiate.
45
The Most Powerful of Authorisation BAdIs
BAdI HRPAD00AUTH_CHECK is very powerful, as
well as dangerous
• It can completely change the behaviour of standard PA
authorisation checks. So, in theory, you can implement any
authorisation process you want.
• As soon as the BAdI is activated without any coding changes,
no user will be able to access any HR master data
• You need to implement all methods, even if you need only one
of them for your purpose
• It is recommended to use other tools for smaller amendments,
whenever possible
• If you have various bespoke requirements, this is the right tool
46
What Are All Those Methods For?
• This BAdI has 13 methods, which makes it difficult to understand
 Most of them are meant to improve the performance of standard
authorisation checks
 In almost all cases, the method required for custom checks is
CHECK_AUTHORIZATION
• However, when the BAdI is switched on, it is completely
replacing standard authorisation checks for PA data
 Therefore, it is not enough to implement the one method only
 You’d usually want all other methods to work as they would in
SAP standard, so you need to implement them accordingly
47
Keeping Standard Checks Where Still Needed
Create a BAdI implementation
• Just the normal implementation steps for BAdI HRPAD00AUTH_CHECK
Make standard checks available
• Create a method, e.g., “CHECK_CHECKER” as shown on the next slide
Implement standard checks
• Call the standard method in all method implementations
• The example on the next slide shows this for method CHECK_MAX_INFTY_AUTHORIZATION – the others are to be done accordingly
Make custom amendments
• Now add your custom coding – usually in method CHECK_AUTHORIZATION
48
Sample Coding

```abap
" The implementing class keeps the standard checker in a private attribute:
"   checker TYPE REF TO if_ex_hrpad00auth_check

METHOD check_checker.
  " Create the standard checker once and reuse it; a fresh instance per
  " call would lose the context handed over in delayed_constructor
  IF checker IS NOT BOUND.
    CREATE OBJECT checker TYPE cl_hrpad00auth_check_std.
  ENDIF.
ENDMETHOD.

METHOD if_ex_hrpad00auth_check~delayed_constructor.
  check_checker( ).
  CALL METHOD checker->delayed_constructor
    EXPORTING
      context = context
      repid   = repid.
ENDMETHOD.

METHOD if_ex_hrpad00auth_check~check_max_infty_authorization.
  " Change accordingly for the other methods
  check_checker( ).
  CALL METHOD checker->check_max_infty_authorization
    EXPORTING
      level          = level
      tclas          = tclas
      infty          = infty
    IMPORTING
      is_authorized  = is_authorized
    EXCEPTIONS
      invalid        = 1
      internal_error = 2
      OTHERS         = 3.
  " Pass the standard checker's exceptions on to the caller
  CASE sy-subrc.
    WHEN 1. RAISE invalid.
    WHEN 2. RAISE internal_error.
  ENDCASE.
ENDMETHOD.
```
49
Business Examples
Transaction sensitivity
• Depending on config, time evaluation may require display rights for IT0008. The user running time evaluation needs this, but is not allowed to see IT0008 directly.
• Many reports require some data from IT0002 or IT0032, but users running these reports should not see national insurance numbers or company car data. So, they get access to these infotypes only in the context of these reports.
Exclude some data from own manager
• PAs have access to staff in their department for info purposes, but they are not allowed to see salary data for their own boss
Dynamic time sensitivity
• Some users are allowed to change infotype 2006 at most one month into the past. The BAdI allows this without using IT0130 and constantly updating it.
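To show how the Sample Coding pattern is completed in CHECK_AUTHORIZATION, here is an added example (not from the slides) implementing two of the business cases above: transaction sensitivity for time evaluation (transaction PT60 reading IT0008) and dynamic time sensitivity for IT2006. The time limit is lifted only for holders of a constructed custom object ZHR_ABSQ, checked inside the BAdI so the right stays visible in roles, as the transparency tip on the next slide recommends. It assumes the checker attribute and the check_checker helper from the Sample Coding slide; of the method parameters, level, tclas, infty and is_authorized appear on the slides, while pernr, subty, begda and endda are assumed.

```abap
METHOD if_ex_hrpad00auth_check~check_authorization.
  " Assumed importing parameters: level, tclas, pernr, infty, subty,
  " begda, endda; exporting is_authorized; classic exceptions invalid
  " and internal_error.
  DATA lv_oldest TYPE d.

  " 1. Standard check first, through the checker created in check_checker.
  "    Whatever the standard rejects stays rejected unless an explicit
  "    exception below grants it.
  check_checker( ).
  CALL METHOD checker->check_authorization
    EXPORTING
      level          = level
      tclas          = tclas
      pernr          = pernr
      infty          = infty
      subty          = subty
      begda          = begda
      endda          = endda
    IMPORTING
      is_authorized  = is_authorized
    EXCEPTIONS
      invalid        = 1
      internal_error = 2
      OTHERS         = 3.
  CASE sy-subrc.
    WHEN 1. RAISE invalid.
    WHEN 2. RAISE internal_error.
  ENDCASE.

  " 2. Transaction sensitivity: time evaluation (PT60) may read IT0008
  "    for users who must not display it anywhere else.
  IF is_authorized = abap_false
     AND sy-tcode = 'PT60'
     AND tclas    = 'A'
     AND infty    = '0008'
     AND level    = 'R'.
    is_authorized = abap_true.
  ENDIF.

  " 3. Dynamic time sensitivity: IT2006 may be changed at most one month
  "    into the past. Only holders of the constructed custom object
  "    ZHR_ABSQ (activity 02 = change) are exempt from the limit.
  IF is_authorized = abap_true
     AND tclas = 'A'
     AND infty = '2006'
     AND level <> 'R'.
    lv_oldest = sy-datum - 31.
    IF begda < lv_oldest.
      AUTHORITY-CHECK OBJECT 'ZHR_ABSQ'
        ID 'INFTY' FIELD infty
        ID 'ACTVT' FIELD '02'.
      IF sy-subrc <> 0.
        is_authorized = abap_false.
      ENDIF.
    ENDIF.
  ENDIF.
ENDMETHOD.
```

Note the order: the standard result is computed first and the custom rules only widen it for one narrowly defined transaction and narrow it for one infotype. Keeping additions and restrictions in that shape is what keeps the 13 methods manageable when the next exception request arrives.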
50
Typical Problems with This BAdI
Transparency
• As checks are hard-coded rather than visible in roles, it is difficult to see who’s got which rights
• Tip: using custom authorisation objects and checking them in this BAdI improves transparency a lot
Interdependencies of the many methods
• Whilst you often focus on one single method, it can become very complex to manage the interdependencies of all methods in this BAdI
“Anything goes” attitude
• Because it is so powerful, business users may get used to getting each and every exception implemented. Eventually, this will lead to an unmanageable level of complexity.
51
Authorisations in Custom Development
• Sometimes you require a deviation from standard authorisation
checks only in the context of a custom development
 In this case, it may be easier to add coding for bespoke
authorisation checks into the custom program
 This avoids side effects you may have by using the BAdIs
 Consider a custom authorisation object (not P_NNNNN)
 Always remember that access to data is not checked by the
database, but in each program
 Custom coding can, therefore, easily get around authorisations
 Using logical databases makes it easier for developers to
make sure authorisations are checked, but they can still
ignore them, if they want to
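An added example (not from the slides) contrasting the two patterns these bullets describe in a custom report: a direct SELECT on PA0008 that no authorisation object protects, and the same read guarded by the standard function module HR_CHECK_AUTHORITY_INFTY, which runs the same HR master data check as the standard transactions (and, where active, the BAdI). The report name, the FORM names and the selection parameter are constructed.

```abap
REPORT z_pay_read_example.

* Constructed example: select one employee and read the current basic
* pay record (IT0008) in two ways.
PARAMETERS p_pernr TYPE persno.

DATA: gs_p0008 TYPE pa0008,
      gv_ok    TYPE boole_d.

*---------------------------------------------------------------------*
* Variant 1 (what NOT to do): the database knows nothing of P_ORGIN,
* P_PERNR or structural profiles. Whoever can start the report reads
* every salary in the system.
*---------------------------------------------------------------------*
FORM read_pay_unchecked USING    iv_pernr TYPE persno
                        CHANGING cs_p0008 TYPE pa0008.
  SELECT SINGLE * FROM pa0008 INTO cs_p0008
    WHERE pernr = iv_pernr
      AND begda <= sy-datum
      AND endda >= sy-datum.
ENDFORM.

*---------------------------------------------------------------------*
* Variant 2: ask the standard HR master data check before touching the
* data. This is the check the standard transactions perform (and that
* BAdI HRPAD00AUTH_CHECK replaces when active), so the report honours
* P_ORGIN/P_ORGXX/P_PERNR and the context solution without own logic.
*---------------------------------------------------------------------*
FORM read_pay_checked USING    iv_pernr      TYPE persno
                      CHANGING cs_p0008      TYPE pa0008
                               cv_authorized TYPE boole_d.
  CLEAR: cs_p0008, cv_authorized.

  CALL FUNCTION 'HR_CHECK_AUTHORITY_INFTY'
    EXPORTING
      pernr            = iv_pernr
      infty            = '0008'
      subty            = space
      begda            = sy-datum
      endda            = sy-datum
      level            = 'R'        " read access
      tclas            = 'A'        " employee, not applicant, data
    EXCEPTIONS
      no_authorization = 1
      internal_error   = 2
      OTHERS           = 3.
  IF sy-subrc <> 0.
    RETURN.                         " cv_authorized stays initial: no access
  ENDIF.

  cv_authorized = abap_true.
  SELECT SINGLE * FROM pa0008 INTO cs_p0008
    WHERE pernr = iv_pernr
      AND begda <= sy-datum
      AND endda >= sy-datum.
ENDFORM.

START-OF-SELECTION.
  PERFORM read_pay_checked USING p_pernr CHANGING gs_p0008 gv_ok.
  IF gv_ok = abap_true.
    WRITE: / gs_p0008-pernr, gs_p0008-begda, gs_p0008-endda.
  ELSE.
    MESSAGE 'No authorisation for IT0008 of this employee' TYPE 'S' DISPLAY LIKE 'E'.
  ENDIF.
```

When the report is built on the logical database PNP instead, the same check happens for each GET pernr event without an explicit call, which is why the slide recommends logical databases; the point of variant 1 is that a developer can still bypass it with a plain SELECT, so reviewing custom reports for direct reads of PA* and HRP* tables is a worthwhile audit step.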
53
Balancing It Out
Pro custom coding
• Business requirements followed very closely
• Can reduce the number of roles considerably
• May improve system performance
Contra custom coding
• Upfront cost for implementation and test
• Test effort for changes
• Risk of side effects and sceptical auditors
• Long-term complexity trap
Some processes may just not work otherwise
54
Make the Substitution Test
• Requirements for more and more exceptions to be programmed in authorisation checks can become overwhelming
• Apart from the usual discussion of cost vs. benefit, there is one test we recommend doing with the business every time:
 If we implement this bespoke, very strict authorisation check, would a substitute still be able to perform this user’s task when he or she is off sick? Note that handing over your password is considered a severe breach of security guidelines.
55
Where to Find More Information
• Eric Wood, “How to Use Structural Authorizations for Effective HR
Strategy and Security” (HR Expert, February 2013).
• Anja Junold and Martin Esch, Authorizations in SAP ERP HCM –
Design, Implementation, and Operation (SAP PRESS, 2008).
 A new edition is available in German
• www.iprocon.com/nl-en
 iProCon Newsletter on SAP HCM with several authorisations
experts as regular contributors
 German version available: www.iprocon.de/newsletter
• http://help.sap.com/saphelp_470/helpdata/en/e0/bdb83b5b831f3be10000000a114084/content.htm
 Simple examples for BAdI HRPAD00AUTH_CHECK
57
7 Key Points to Take Home
• SAP standard authorisation checks happen primarily on infotype/
subtype and object level depending on organisational criteria
• Assigning rights on field-level or based on data content (e.g., amount
limits) or transactional context requires custom solutions
• Custom solutions can reduce the number of roles and profiles
• The custom object P_NNNNN can be generated or amended with custom
coding for more complex logic
• BAdI HRPAD00AUTH_CHECK is very powerful, but difficult to handle.
For small amendments, try to use other tools.
• Custom programs have to take care of their own authorisation checks –
ideally referring to standard checks and making use of logical databases
• It is important to strike the right balance; otherwise, complexity can
keep growing until it becomes almost impossible to make further
changes without unwanted side effects
58
Your Turn!
How to contact me:
Sven Ringling
s.ringling@iprocon.com
@svenringling
Please remember to complete your session evaluation
59
Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and
service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.

 
Concur vs SAP on premise Travel Management
Concur vs SAP on premise Travel ManagementConcur vs SAP on premise Travel Management
Concur vs SAP on premise Travel Management
 
SAP HR new Feature: Personnel (Sub)Areas and Employee (Sub)Groups Come with V...
SAP HR new Feature: Personnel (Sub)Areas and Employee (Sub)Groups Come with V...SAP HR new Feature: Personnel (Sub)Areas and Employee (Sub)Groups Come with V...
SAP HR new Feature: Personnel (Sub)Areas and Employee (Sub)Groups Come with V...
 
SAP HCM authorisations: streamline processes and improve HR data security
SAP HCM authorisations: streamline processes and improve HR data securitySAP HCM authorisations: streamline processes and improve HR data security
SAP HCM authorisations: streamline processes and improve HR data security
 
Managing cost and realising benefits from your SAP HCM or other HR system
Managing cost and realising benefits from your SAP HCM or other HR systemManaging cost and realising benefits from your SAP HCM or other HR system
Managing cost and realising benefits from your SAP HCM or other HR system
 
Managing Change in International SAP HCM Projects
Managing Change in International SAP HCM ProjectsManaging Change in International SAP HCM Projects
Managing Change in International SAP HCM Projects
 
Right Sourcing: The Role of HR in Creating Shareholder Value
Right Sourcing: The Role of HR in Creating Shareholder ValueRight Sourcing: The Role of HR in Creating Shareholder Value
Right Sourcing: The Role of HR in Creating Shareholder Value
 

Recently uploaded

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Recently uploaded (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 

Optimising SAP HR Authorisation by using custom development incl. BAdIs

Context-sensitive authorisations:
• Linking the two concepts above (basic HR authorisations on infotypes and structural authorisations along the organisational structure), so structural authorisations can be used in a more differentiated way
Further Authorisations Relevant to HR
• More authorisation objects can be relevant, but are not analysed in this session
 Non-HR authorisations
 Authorisation objects for specific HR processes
 Authorisation objects for specific countries
Enhancement Options
Dynamic start object:
• For structural authorisations, function modules can be used to decide at which point in the structure to start
Custom authorisation object:
• For HR, a custom object is available that can be generated or filled with bespoke coding
BAdIs:
• Available for basic objects, as well as for structural and context-sensitive authorisations
Before You Start with Custom Programming …
• Make sure you understand what’s available in SAP standard
• Ask “Why do we need this?” and consider process changes
What We’ll Cover (next section): Standard objects, structural and context-sensitive authorisations
The Mother of All HR Authorisation Objects
• Authorisation object P_ORGIN
 Most widely used object to control access to employee data
 Its fields answer three questions: What can you do? (authorisation level AUTHC) For which set of data? (infotype INFTY, subtype SUBTY) For which employees? (personnel area PERSA, employee group PERSG, employee subgroup PERSK, organisational key VDSK1)
 Note: cost centre and personnel subarea are not available as fields
Using the Organisational Key as a Wildcard
• Before building a custom authorisation object, if you are missing a field in P_ORGIN, make full use of the organisational key (field VDSK1 in Infotype 0001)!
 SAP leaves this field free for whatever purpose a customer wants to use it for
 You can configure this field to be:
  Free to change (from a drop-down list or free text)
  Free to change with a default value
  Default value not changeable
• Default values can be:
 Built from other fields in Infotype 0001, e.g., cost centre or personnel subarea
 Set in the master data BAdI HRPAD00INFTY
Access per Administrator: P_ORGXX
• Object P_ORGXX answers the question “for which employees?” using the administrator fields from Infotype 0001 (personnel, payroll and time administrator, plus the administrator group)
 Convenient solution if you use these fields
 However, consider substitution issues: when an administrator is absent, the substitute has no access unless the administrator fields of every affected employee are changed (see the substitution test near the end)
 If you don’t use these fields in your process, you could use them as extra wildcards via BAdI HRPAD00INFTY
Access to Your Own Data: P_PERNR
• Object P_PERNR controls how users can access their own data
 The link between user and personnel number is made via Infotype 0105, subtype 0001
• The field “interpretation of assigned personnel number” (PSIGN) is confusing for some administrators:
 I (include): the user gets extra rights for her own data beyond P_ORGIN/P_ORGXX (usually for ESS)
 E (exclude): access to the user’s own data is restricted (e.g., HR staff not allowed to change their own salary)
 Think of this as being two separate authorisation objects
Which of the Three Objects Are Used for Master Data?
• The switches in table T77S0 (group AUTSW: ORGIN, ORGXX, PERNR) decide which objects are active
• All active objects are checked sequentially, and each of them must grant access
 E.g., if a user has access to a certain record through P_ORGIN, but not through P_ORGXX (both being active), then access is rejected
 P_PERNR can then add rights for the user’s own data or take them away
 It can never affect access to data other than the user’s own records
Considerations for Basic Authorisation Objects
No field-level controls:
• Infotype and subtype are not always the right level – e.g., the NI number in IT0002 is critical
• Sometimes controls based on amounts (e.g., one-off payments) are required
No link to the organisational structure:
• Dealt with by context-sensitive authorisation
No link to transaction or other context data:
• It is often required for certain infotypes to be accessible in one transaction or report, but not in another
How Object P_ABAP Can Help in Reporting
• Tip: P_ABAP can switch off the HR infotype authorisation check for a named report (field COARS = 2; COARS = 1 only simplifies the check), but it doesn’t replace the basic authorisation to start the report
• It is often difficult to provide access to non-critical reports (e.g., a phone list)
• Recommendation: one role with non-critical reports for all users
Workaround for the Amount Problem
• Problem
 A user is allowed to capture a certain wage type (e.g., “medical expenses”) in Infotype 2010, but only up to EUR 100
 Infotype and wage type (= subtype) can be controlled by object P_ORGIN or P_ORGXX, but not the amount
 This would require custom programming (discussed further down)
• Workaround
 Create two different wage types
 One without a limit
 One with a limit of EUR 100 set as the maximum amount in configuration view V_T511 (wage type characteristics)
 Assign the two wage types through P_ORGIN or P_ORGXX using the subtype field accordingly
Personnel Planning and Development: PLOG
• Object PLOG controls access to PD data per
 Plan variant
 Object type (organisational unit, job, qualification, …)
 Infotype and subtype
 Planning status
 Activity (function code), such as display, change, …
• PLOG can control access per plan variant, so “secret” planning scenarios can be protected. If you use only one, still use the restriction so you don’t have to change all roles if the requirement for a sandbox plan comes up (it often happens with very little advance warning).
Understanding Object PLOG
• Unlike the objects for personnel master data, PLOG has no option to restrict access to certain organisational units
 This is due to the nature of the data, which can be jobs, as well as courses, etc.
 The only way to restrict access to parts of the organisational structure is structural authorisation
• The function code controls:
 “Standard” activities, like display and change
 Bespoke activities for certain processes, like approvals or career simulation
• Subtype field for Infotype 1001 (Relationships)
 In IT1001, the subtype field represents the relationship type (e.g., A003 “belongs to” and its inverse B003 “incorporates”)
 Making good use of this allows very detailed controls
Detailed Controls Using Relationship Types
• If your authorisations on personnel planning and development are quite differentiated, picking the right relationship types can be challenging and require dozens of PLOG authorisations
 Whenever possible, keep it simple
 You need to understand the data structure very well
 Don’t forget most relationships exist in two directions (“A” and “B”)
• Example: a PLOG authorisation for IT1001 restricted to the relationship types “instructor” and “organiser” would allow a user to assign instructors and organisers to a course/event, but not to book delegates (whose relationship type is not included)
 Prerequisite: access to the instructor and organiser objects themselves
Considerations for Authorisation Object PLOG
No field-level controls:
• Similar to the problem with PA infotypes, but not required very often
No organisational view:
• Access rights are always for all objects of a particular type
• The organisational view is checked separately by structural authorisation
• A link between PLOG and structural authorisation would require context-sensitive authorisation, which is not yet available for PLOG
No link to transaction or other context data:
• It is often required for certain infotypes to be accessible in one transaction or report, but not in another. This is even more common here than in PA.
• In a few cases, the bespoke function codes mentioned earlier can cover this aspect
Structural Authorisation
• Access to a section of a structure
 E.g., an organisational unit with all subordinate units, positions, and people
• Structural profile
 One or several such sections, each defined by a root object and an evaluation path
 Defined in table T77PR
• Profiles are assigned to users
 In table T77UA
• Access to data is defined in the “normal” authorisation objects
 There is no link between the two!
• Example: starting at an organisational unit and following the evaluation path down through subordinate units and positions to persons, the user has access to these persons’ data
Example: Two Structural Profiles for One User
• Structural profile “Time manager”: Glenn is responsible for time management. He may maintain time data for the sales team.
• Structural profile “My team”: Glenn is also the leader of his own team and may read all their master data.
Merging Two Structural Profiles Goes Wrong
• Because there is no link between structural profiles and authorisation objects, the system merges both sides: (maintain time data + read master data) applies to (the sales team + his own team)
• So Glenn can also maintain time data for his own team and read master data of the sales team – neither was intended
Context-Sensitive Authorisation Gets It Right
• Structural profile “Time manager” is tied, as a context, to the right to maintain time data: Glenn may maintain time data for that special unit only
• Structural profile “own team” is tied, as a context, to the right to read master data: Glenn may read master data of his own team only
Context Authorisation in Object P_ORGINCON
• P_ORGINCON has the same fields as P_ORGIN (what can you do, for which set of data, for which employees) plus the new field PROFL, which represents a structural profile
 The data and actions specified can be accessed only for employees reachable via this structural profile
 This is the hitherto missing link between structural authorisation and “normal” authorisation objects
Options in Context-Sensitive Authorisation
• It can be used in two standard objects:
 P_ORGINCON, replacing P_ORGIN
 P_ORGXXCON, replacing P_ORGXX
• They are activated in T77S0
 Switches INCON and XXCON, respectively
 Switch DFCON must also be set to activate the context solution
• There is no context solution for PD data
 Authorisation object PLOG_CON exists, but was not working at the time of this session (2014); SAP is aware of this
So, Why Custom Programming?
• Some structural gaps in standard authorisations
• Only partially rectified by the context solution
• Custom coding can close gaps and streamline processes, if used with consideration
What We’ll Cover (next section): Making structural authorisations more dynamic
Structural Authorisation: Example
• Rather than creating a profile with an explicit start object for each section of the org structure, the start object can be determined dynamically
• Example: starting from the user, find the person and the position this person holds, then follow a relationship such as “is line manager of” to the organisational unit; the user then has access to the people in that unit and below
Dynamic Start Object Using a Function Module
• Entered in the profile (T77PR) instead of a fixed root object, the standard function module RH_GET_ORG_ASSIGNMENT dynamically identifies the user’s assigned org unit
 Path: user → person (via IT 0105) → position (holder) → org unit (belongs to), i.e., evaluation path ORGASS
More Flexibility with Custom Function Modules
• Many users stop at the standard options:
 User is line manager of – function module RH_GET_MANAGER_ASSIGNMENT
 User is staff member of – function module RH_GET_ORG_ASSIGNMENT
• Real-life requirements are more diverse, so custom function modules are needed, e.g.:
 PAs capturing data for managers or whole teams
 Managers not having access more than two levels down (“grandfather principle”)
 Other roles, like resource planners, event managers, …
• You can achieve much with little custom programming
 … and a good deal of analysis and conceptual thinking
 This is arguably the least intrusive way of enhancing
It Can Be That Easy …
• Copy the standard function module and replace the standard evaluation path with your own
• … or as complex as you want it to be
What We’ll Cover (next section): Using a custom authorisations object
How to Use the Custom HR Authorisation Object
• You can create as many custom objects as you like
 However, they would not be checked in any standard transaction and would, therefore, be useless except when used in custom coding
• The special concept of P_NNNNN in HR allows you to create one custom object, which is integrated into all relevant standard transactions
 The standard process allows you to choose fields from Infotype 0001, plus some obligatory fields
 E.g., cost centre or supervisor
 You can also add custom coding, e.g., to make it dynamic
Step-by-Step Guide to P_NNNNN
• Step 1: Create P_NNNNN
 The real name would usually be different, starting with “Z”; P_NNNNN is merely a placeholder for your own name
 Choose fields from Infotype 0001
• Step 2: Integrate P_NNNNN into the standard authorisation check
 Code generation with report RPUACG00
• Step 3: Amend the coding, if required
 Note: your amendments will be lost if code generation is repeated
• Step 4: Activate P_NNNNN
 Switch NNNNN (group AUTSW) in table T77S0
Step 1: Create New Object
• Transaction SU21 → button “Create” → “Authorisation Object”
• Fill in the name and choose the fields
 Mandatory fields: INFTY, SUBTY and AUTHC, as in P_ORGIN; the generated check relies on them
• Save the new object
• Regenerate SAP_ALL to include the new object
Step 2: Generate Coding
• Report RPUACG00
 Decide whether the object should be context-sensitive
 Password = your user name
• Note: although this is not a modification, you’ll be asked to enter an object key
Step 3: Amend Coding
• You can skip this step
 Then the object will just check the fields you included in the same way P_ORGIN checks employee group, subgroup, …
• Or you can add extra logic in program MPPAUTZZ, e.g.:
 Make the cost centre check dynamic, so the system is not granting access to a fixed cost centre, but to the cost centre assigned to the user
 Perform a check depending on the transaction code
 This would allow you to get around one of the major limitations of standard authorisations
 Consider a custom table with financial authority limits (FLAs): the right to capture IT0015 then depends on the amount
Step 4: Activate Check
• Activation in T77S0 in the same way as standard objects are activated
 Before the activation, make sure the object is included in all relevant roles – otherwise, users will be completely blocked
• You may also want to amend the profile generator’s default values (SU24) to include the new object in its suggestions
What We’ll Cover (next section): Using BAdIs: (almost) everything is possible
BAdIs Overview
• The most widely used BAdIs are:
 HRBAS00_GET_PROFL: dynamic assignment of structural profiles in the context solution
 HRBAS00_STRUAUTH: changing structural authorisation
 HRPAD00AUTH_CHECK: replacing the general HR master data check
 HRBAS00_RHBAUS00: amending the report for buffering objects in structural authorisation
 HRPAD00CHECK_TIME: amending the HR authorisations time logic
• Further BAdIs exist for particular processes, such as:
 Access to cost plans
 Travel and expense management
 Appraisals
Automatically Assigning Structural Profiles
• If maintenance of table T77UA takes too much effort or doesn’t fulfil the requirements, structural profiles can be assigned either from the field PROFL of the context objects or following your own logic via BAdI HRBAS00_GET_PROFL
• Tip: with this BAdI there is no need to maintain table T77UA; structural profiles are assigned dynamically
Changing Structural Authorisations
• BAdI HRBAS00_STRUAUTH has six methods, which can be used independently or in combination with each other
• The most popular ones are:
 CHECK_AUTHORITY_VIEW: you can determine freely whether the user should have access to a certain object
 CHECK_AUTH_PLAN1: the same, but for employees (persons) rather than other objects
 CHECK_AUTHORITY_SEARCH: allows different access to objects for users in a search function
Business Examples
Opening up search functions:
• Some users may not have any access to data of organisational units, but should see them in a search function to perform a structural search. Method CHECK_AUTHORITY_SEARCH can do this.
Booking employees on courses:
• PAs may not have any access to the object type E (event), but should still be allowed to book employees on courses. This can be done in method CHECK_AUTHORITY_VIEW.
Access to external courses only:
• You can also use method CHECK_AUTHORITY_VIEW to allow a user access to external courses only. The flag external/internal is not used by standard authorisations, so you need the BAdI to differentiate.
The Most Powerful of Authorisation BAdIs
• BAdI HRPAD00AUTH_CHECK is very powerful, as well as dangerous
 It can completely change the behaviour of the standard PA authorisation checks, so, in theory, you can implement any authorisation process you want
 As soon as the BAdI is activated without any coding, no user will be able to access any HR master data
 You need to implement all methods, even if you need only one of them for your purpose
 It is recommended to use other tools for smaller amendments, whenever possible
 If you have various bespoke requirements, this is the right tool
What Are All Those Methods For?
• This BAdI has 13 methods, which makes it difficult to understand
 Most of them are meant to improve the performance of standard authorisation checks
 In almost all cases, the method required for custom checks is CHECK_AUTHORIZATION
• However, when the BAdI is switched on, it completely replaces the standard authorisation checks for PA data
 Therefore, it is not enough to implement the one method only
 You’d usually want all other methods to work as they would in SAP standard, so you need to implement them accordingly
Keeping Standard Checks Where Still Needed
• Create a BAdI implementation: just the normal implementation steps for BAdI HRPAD00AUTH_CHECK
• Make standard checks available: create a private method, e.g., CHECK_CHECKER, as shown on the next slide, which instantiates the standard check class CL_HRPAD00AUTH_CHECK_STD
• Implement standard checks: call the standard method in all method implementations; the example on the next slide shows this for method CHECK_MAX_INFTY_AUTHORIZATION – the others are to be done accordingly
• Make custom amendments: now add your custom coding – usually in method CHECK_AUTHORIZATION
Sample Coding
• The implementing class holds a reference CHECKER to the standard check class; the slide’s code declares it via the BAdI interface, which CL_HRPAD00AUTH_CHECK_STD implements, and creates it lazily:

  DATA checker TYPE REF TO if_ex_hrpad00auth_check.

  METHOD check_checker.
    " Create the standard checker once, on first use
    IF checker IS INITIAL.
      CREATE OBJECT checker TYPE cl_hrpad00auth_check_std.
    ENDIF.
  ENDMETHOD.

  METHOD if_ex_hrpad00auth_check~delayed_constructor.
    check_checker( ).
    CALL METHOD checker->delayed_constructor
      EXPORTING
        context = context
        repid   = repid.
  ENDMETHOD.

  METHOD if_ex_hrpad00auth_check~check_max_infty_authorization.
    " Delegate to the standard check; change accordingly for the other methods
    check_checker( ).
    CALL METHOD checker->check_max_infty_authorization
      EXPORTING
        level          = level
        tclas          = tclas
        infty          = infty
      IMPORTING
        is_authorized  = is_authorized
      EXCEPTIONS
        invalid        = 1
        internal_error = 2
        OTHERS         = 3.
    " Pass the standard exceptions on instead of swallowing them
    CASE sy-subrc.
      WHEN 1. RAISE invalid.
      WHEN 2 OR 3. RAISE internal_error.
    ENDCASE.
  ENDMETHOD.
Business Examples
Transaction sensitivity:
• Depending on configuration, time evaluation may require display rights for IT0008. The user running time evaluation needs this, but is not allowed to see IT0008 directly.
• Many reports require some data from IT0002 or IT0032, but users running these reports should not see national insurance numbers or company car data. So, they get access to these infotypes only in the context of these reports.
Exclude some data from own manager:
• PAs have access to staff in their department for information purposes, but they are not allowed to see salary data for their own boss.
Dynamic time sensitivity:
• Some users are allowed to change Infotype 2006 at most one month into the past. The BAdI allows this without using IT0130 and constantly updating it.
Typical Problems with This BAdI
Transparency:
• As checks are hard-coded rather than visible in roles, it is difficult to see who’s got which rights
• Tip: using custom authorisation objects and checking them in this BAdI improves transparency a lot
Interdependencies of the many methods:
• Whilst you often focus on one single method, it can become very complex to manage the interdependencies of all methods in this BAdI
“Anything goes” attitude:
• Because it is so powerful, business users may get used to getting each and every exception implemented. Eventually, this will lead to an unmanageable level of complexity.
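As an added example (not from the slides or from SAP), the following CHECK_AUTHORIZATION method of an HRPAD00AUTH_CHECK implementation puts the two previous slides together: it runs the SAP standard check first, then applies the “transaction sensitivity” and “dynamic time sensitivity” business examples, and it keeps the transaction exception visible in roles by checking a custom authorisation object, as the transparency tip suggests. It reuses the CHECKER attribute and the CHECK_CHECKER helper from the sample coding above. Assumptions to verify in SE18 before use: the method’s parameters are LEVEL, TCLAS, PERNR, INFTY, SUBTY, BEGDA, ENDDA and IS_AUTHORIZED with exceptions INVALID and INTERNAL_ERROR; ZHR_REPCTX is a hypothetical custom object (to be created in SU21) with fields REPID and INFTY; the 31-day window is this example’s choice.

```abap
" Added example, not SAP code: custom CHECK_AUTHORIZATION that delegates
" to the standard check and then widens/narrows the result for two of
" the business cases. Parameter names are assumed (see lead-in).
METHOD if_ex_hrpad00auth_check~check_authorization.

  CONSTANTS: lc_basic_pay   TYPE infty VALUE '0008',   " IT0008 Basic Pay
             lc_abs_quota   TYPE infty VALUE '2006',   " IT2006 Absence Quotas
             lc_window_days TYPE i     VALUE 31.       " assumed: "one month"
  DATA: lv_oldest_allowed TYPE d.

  " 1. Standard check first (P_ORGIN/P_ORGXX/P_PERNR and, if active,
  "    structural and context checks). Nothing below re-implements it.
  check_checker( ).
  CALL METHOD checker->check_authorization
    EXPORTING
      level          = level
      tclas          = tclas
      pernr          = pernr
      infty          = infty
      subty          = subty
      begda          = begda
      endda          = endda
    IMPORTING
      is_authorized  = is_authorized
    EXCEPTIONS
      invalid        = 1
      internal_error = 2
      OTHERS         = 3.
  CASE sy-subrc.
    WHEN 1.      RAISE invalid.
    WHEN 2 OR 3. RAISE internal_error.
  ENDCASE.

  " 2. Transaction/report sensitivity (widening): a user whose roles do not
  "    allow reading IT0008 gets read access only while the running report
  "    (sy-repid, e.g. the time evaluation driver) is listed for that
  "    infotype in the hypothetical custom object ZHR_REPCTX. Because the
  "    exception is an authorisation object, it shows up in role analysis.
  IF is_authorized = abap_false
     AND infty = lc_basic_pay
     AND level = 'R'.                      " 'R' = read level
    AUTHORITY-CHECK OBJECT 'ZHR_REPCTX'
      ID 'REPID' FIELD sy-repid
      ID 'INFTY' FIELD infty.
    IF sy-subrc = 0.
      is_authorized = abap_true.
    ENDIF.
  ENDIF.

  " 3. Dynamic time sensitivity (narrowing): any non-read access to an
  "    IT2006 record that starts more than lc_window_days before today is
  "    refused, without maintaining IT0130 for every user.
  IF is_authorized = abap_true
     AND infty = lc_abs_quota
     AND level <> 'R'.
    lv_oldest_allowed = sy-datum - lc_window_days.
    IF begda < lv_oldest_allowed.
      is_authorized = abap_false.
    ENDIF.
  ENDIF.

ENDMETHOD.
```

Note the ordering: the standard check runs unconditionally and its exceptions are propagated, the widening rule only ever turns a “no” into a “yes” for one infotype and one level, and the narrowing rule only ever turns a “yes” into a “no”. Keeping the two directions in separate, clearly commented blocks is what makes the method reviewable when more of the “anything goes” requests arrive.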
What We’ll Cover (next section): Striking the right balance: keep customization to a minimum
Authorisations in Custom Development
• Sometimes you require a deviation from standard authorisation checks only in the context of a custom development
 In this case, it may be easier to add coding for bespoke authorisation checks to the custom program
 This avoids side effects you may have by using the BAdIs
 Consider a custom authorisation object (not P_NNNNN)
• Always remember that access to data is not checked by the database, but in each program
 Custom coding can, therefore, easily get around authorisations: a direct SELECT on PA0008 is not checked against any HR authorisation object
 Using the HR logical databases (PNP, PNPCE) makes it easier for developers to make sure authorisations are checked, but they can still ignore them if they want to
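The following report is an added example (not from the slides) of the pattern this slide recommends: read employee data through the logical database PNP, so that the standard infotype checks happen for every personnel number, and add a program-level check on a custom authorisation object for the report itself. Assumptions: ZHR_PHONELST is a hypothetical custom object (to be created in SU21) with the single field ACTVT, and the telephone number is taken from IT0105 subtype 0020; check the subtype used in your system.

```abap
" Added example, not SAP code: non-critical phone list that lets the
" logical database PNP enforce P_ORGIN/P_ORGXX/P_PERNR (and, if active,
" structural and context authorisations) for IT0002 and IT0105, and
" adds its own check on the hypothetical custom object ZHR_PHONELST.
REPORT zhr_phone_list.

" Declaring the infotypes here is what makes PNP check them; a direct
" SELECT on PA0002/PA0105 would bypass every HR authorisation object.
TABLES: pernr.
INFOTYPES: 0002,   " personal data: name
           0105.   " communication: telephone number

CONSTANTS: c_subty_phone TYPE subty VALUE '0020'.  " assumed subtype

TYPES: BEGIN OF ty_line,
         pernr TYPE pernr_d,
         name  TYPE char80,
         phone TYPE pa0105-usrid,
       END OF ty_line.
DATA: gt_list TYPE STANDARD TABLE OF ty_line,
      gs_line TYPE ty_line.

START-OF-SELECTION.
  " Program-level check before the first record is read: the list may be
  " run only by users holding ZHR_PHONELST with activity 03 (display).
  " PNP knows nothing about this object; the report has to check it.
  AUTHORITY-CHECK OBJECT 'ZHR_PHONELST'
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorisation for the phone list' TYPE 'E'.
  ENDIF.

GET pernr.
  " PNP delivers a personnel number only if the user may read the
  " declared infotypes for it; take the latest IT0002 record in the
  " selection period.
  rp_provide_from_last p0002 space pn-begda pn-endda.
  CHECK pnp-sw-found = 1.

  " Latest telephone number (subtype assumed above)
  rp_provide_from_last p0105 c_subty_phone pn-begda pn-endda.
  CHECK pnp-sw-found = 1.

  CLEAR gs_line.
  gs_line-pernr = pernr-pernr.
  CONCATENATE p0002-vorna p0002-nachn INTO gs_line-name SEPARATED BY space.
  gs_line-phone = p0105-usrid.
  APPEND gs_line TO gt_list.

END-OF-SELECTION.
  LOOP AT gt_list INTO gs_line.
    WRITE: / gs_line-pernr, gs_line-name, gs_line-phone.
  ENDLOOP.
```

Because the report only ever touches IT0002 and IT0105 through PNP, the users who may run it still need P_ORGIN (or P_ORGXX) read access to exactly those two infotypes; for a genuinely non-critical list this is also the point where P_ABAP with COARS = 2, as discussed earlier, could replace the infotype check for this one report.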
Balancing It Out
Pro custom coding:
• Business requirements followed very closely
• Can reduce the number of roles considerably
• May improve system performance
• Some processes may just not work otherwise
Contra custom coding:
• Upfront cost for implementation and test
• Test effort for every change
• Risk of side effects and sceptical auditors
• Long-term complexity trap
• 55. 54 Make the Substitution Test
• Requirements for more and more exceptions to be programmed into authorisation checks can become overwhelming
• Apart from the usual cost vs. benefit discussion, there is one test we recommend doing with the business every time: If we implement this bespoke, very strict authorisation check, would a substitute still be able to perform this user’s task when he or she is off sick?
Note that handing over your password is considered a severe breach of security guidelines.
• 56. 55 What We’ll Cover
• Overview: out-of-the-box concepts and enhancement options
• Standard objects, structural and context-sensitive authorisations
• Making structural authorisations more dynamic
• Using a custom authorisations object
• Using BAdIs: (almost) everything is possible
• Striking the right balance: keep customization to a minimum
• Wrap-up
• 57. 56 Where to Find More Information
• Eric Wood, “How to Use Structural Authorizations for Effective HR Strategy and Security” (HR Expert, February 2013).
• Anja Junold and Martin Esch, Authorizations in SAP ERP HCM – Design, Implementation, and Operation (SAP PRESS, 2008).
 A new edition is available in German
• www.iprocon.com/nl-en
 iProCon Newsletter on SAP HCM with several authorisations experts as regular contributors
 German version available: www.iprocon.de/newsletter
• http://help.sap.com/saphelp_470/helpdata/en/e0/bdb83b5b831f3be10000000a114084/content.htm
 Simple examples for BAdI HRPAD00AUTH_CHECK
• 58. 57 7 Key Points to Take Home
• SAP standard authorisation checks happen primarily on infotype/subtype and object level depending on organisational criteria
• Assigning rights on field-level or based on data content (e.g., amount limits) or transactional context requires custom solutions
• Custom solutions can reduce the number of roles and profiles
• The custom object P_NNNNN can be generated or amended with custom coding for more complex logic
• BAdI HRPAD00AUTH_CHECK is very powerful, but difficult to handle. For small amendments, try to use other tools.
• Custom programs have to take care of their own authorisation checks – ideally referring to standard checks and making use of logical databases
• It is important to strike the right balance; otherwise, complexity can keep growing until it becomes almost impossible to make further changes without unwanted side effects
• 59. 58 Your Turn!
How to contact me:
Sven Ringling
s.ringling@iprocon.com
@svenringling
Please remember to complete your session evaluation
• 60. 59 Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.