http://sapuniversity.eu/authorization-objects-hr-security/#more-2735

Authorization objects in HR Security


Authorization objects related to master data

Below you will find an overview of important authorization objects within SAP HR:

1. P_ORGIN
2. P_ORGXX
3. P_PERNR
4. P_APPL
5. PLOG
6. P_TCODE
7. P_PCR
8. P_PYEVRUN
9. P_PYEVDOC

a) HR Master Data Authorizations: P_ORGIN

The authorization object P_ORGIN (HR: Master Data) is used during the authorization check on HR infotypes. The checks take place when HR infotypes are edited or read. The system queries the contents of the fields during the authorization check. The authorization level field specifies the access mode. The following authorization levels exist:

R (read) for read access
M (matchcode) for read access using input help (F4)
W (write) for write access
E and D (enqueue and dequeue) for write access using the Asymmetrical Double Verification Principle. E allows the user to create and change locked data records and D allows the user to change lock indicators.
S (symmetrical) for write access using the Symmetric Double Verification Principle always includes all other authorization levels simultaneously

b) HR: Master Data - Extended Check: P_ORGXX

The object HR: Master Data - Extended Check is used during the authorization check on HR infotypes. The checks take place when HR infotypes are edited or read. The fields SACHA, SACHP, SACHZ and SBMOD are filled from the Organizational Assignment infotype (0001). Since this infotype has time-dependent specifications, an authorization may only exist for certain time intervals depending on the user's authorization. A user's period of responsibility is represented by all the time intervals for which he or she has P_ORGXX authorizations.

In the administrator group, all administrators who are responsible for an organizational area in Personnel Administration or in Applicant Management are grouped together.

In the standard system, the check of this object is not active. The main authorization switch (transaction OOAC) can be used to determine whether this check is to be carried out in addition to or instead of the HR: Master Data check.

If the additional check is activated, an authorization check according to P_ORGIN takes place first. If the result of this check is positive, a further check based on P_ORGXX is performed.

c) Personnel Number Check: P_PERNR

The authorization object HR: Master Data - Personnel Number Check is used when you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures. The following values are possible for the PSIGN field:

I = Authorization for personnel number assigned, that is, for the user's own personnel number.
E = Authorization for all personnel numbers excluding one's own personnel number.

This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.

d) HR: Applicants: P_APPL

The object HR: Applicants is used during the authorization check on HR applicant infotypes. The checks take place when these infotypes are edited or read. The PERSA, APGRP, APTYP, VDSK1 and RESRF fields are filled from the Organizational Assignment infotype (0001). Since this infotype has time-dependent specifications, an authorization may only exist for certain time intervals depending on the user's authorization.

e) Personnel Planning Authorization: PLOG

This authorization object is used to check the authorization for specific fields in the Personnel Planning components (Organizational Management, Personnel Development, Training and Event Management, and so on).

Plan version: This field specifies which plan versions the user is authorized to access.
Object type: This field specifies which object types the user is authorized to access.
Infotype: This field specifies which infotypes the user is authorized to access.
Subtype: This field specifies which subtypes of the infotypes the user is authorized to access.
Planning Status: This field specifies the planning status in which the user is authorized to access information.
Function Code: This field specifies the editing mode for which the user has authorization (display, change, and so on).

f) HR: Transaction Code: P_TCODE

This authorization object makes it possible to check whether a user is authorized to start the different HR transactions. The transaction code is checked. Note that this object is not used in all HR transactions. We distinguish between:

HR transactions with a natural (their own) authorization object
HR transactions without a natural (their own) authorization object

This authorization object contains the HR transaction codes without their own authorization object. The P_TCODE authorization object is the HR equivalent of the Check Transaction Code at Start of Transaction authorization object (S_TCODE). The P_TCODE authorization object was implemented before the S_TCODE authorization object. Given the increased need to protect data in HR, it was retained as an additional protection measure.

Authorization objects related to Payroll

a) The Personnel Control Record: P_PCR

This authorization object is used by the authorization check for the payroll control record. This check takes place when the control record is displayed using transaction PA03, or when the control record is maintained. The check also takes place in particular during maintenance using the payroll menu.

Specifications for the activity field:

01 Add or Create
02 Change
03 Display
06 Delete

b) Posting Results to Accounting: P_PYEVRUN

This authorization object is used to control the actions possible for posting runs. The following entries are possible in the run type field:

AP Posting tax/SI Austria
PP Payroll posting
TP Posting Third-Party Remittance
TR Travel Expenses Posting
ZA Payroll Evaluation South Africa

Specifications for the activity field:

01 Add or Create
03 Display
06 Delete
10 Post
85 Reverse

Specifications for the simulation indicator field:

X Simulation Run
_ Live Run

c) HR: Posting Document: P_PYEVDOC

This authorization object is used to protect actions on posting documents.

Specifications for the activity field:

03 Display
10 Post
28 Display Line Item
43 Release
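
The order of the master data checks described above (P_PERNR for the user's own personnel number, then P_ORGIN, then P_ORGXX depending on the main switch) and the resulting period of responsibility, modelled as an added Python example; it is not SAP code and not code from the original page. The users, the infotype 0001 time slices, infotype 0008 and the mode names are constructed for illustration; INFTY, AUTHC and PERSA are fields of these objects that the page does not list, and subtypes and test procedures are left out of the model.

```python
from datetime import date

# Constructed sample: infotype 0001 time slices for personnel number 1001.
# In this model PERSA feeds P_ORGIN; SBMOD and SACHA feed P_ORGXX.
IT0001 = {"1001": [
    {"begda": date(2022, 1, 1), "endda": date(2022, 12, 31),
     "PERSA": "DE01", "SBMOD": "DE01", "SACHA": "A01"},
    {"begda": date(2023, 1, 1), "endda": date(9999, 12, 31),
     "PERSA": "DE01", "SBMOD": "DE01", "SACHA": "B02"},
]}
# Constructed users: an administrator and an employee with own number 1001.
ADMIN = {"pernr": None,
         "P_ORGIN": [{"INFTY": "0008", "AUTHC": "R", "PERSA": "DE01"}],
         "P_ORGXX": [{"INFTY": "0008", "AUTHC": "R", "SBMOD": "DE01", "SACHA": "A01"}]}
EMPLOYEE = {"pernr": "1001",
            "P_ORGIN": [{"INFTY": "*", "AUTHC": "*", "PERSA": "*"}],
            "P_PERNR": [{"INFTY": "0008", "AUTHC": "*", "PSIGN": "E"}]}

def _match(auths, checked):
    """True if one authorization covers every checked field ('*' = any value)."""
    return any(all(a.get(f) in ("*", v) for f, v in checked.items()) for a in auths)

def period_of_responsibility(user, pernr, infty, level, mode="ORGIN"):
    """Return the infotype 0001 slices in which `user` may access `infty`.

    mode models the main switch: "ORGIN" (standard, P_ORGXX inactive),
    "BOTH" (P_ORGIN first, then P_ORGXX) or "ORGXX" (instead of P_ORGIN).
    """
    slices = IT0001[pernr]
    base = {"INFTY": infty, "AUTHC": level}
    if user.get("pernr") == pernr:
        # Own personnel number: a matching P_PERNR authorization decides
        # on its own and overrides the organizational checks below.
        for a in user.get("P_PERNR", []):
            if _match([a], base):
                return [(s["begda"], s["endda"]) for s in slices] if a["PSIGN"] == "I" else []
    allowed = []
    for s in slices:
        ok = True
        if mode in ("ORGIN", "BOTH"):
            ok = _match(user.get("P_ORGIN", []), {**base, "PERSA": s["PERSA"]})
        if ok and mode in ("BOTH", "ORGXX"):
            ok = _match(user.get("P_ORGXX", []),
                        {**base, "SBMOD": s["SBMOD"], "SACHA": s["SACHA"]})
        if ok:
            allowed.append((s["begda"], s["endda"]))
    return allowed
```

With the additional check active ("BOTH"), the administrator's access to the sample employee ends on 2022-12-31, when the administrator code in infotype 0001 changes; the employee's PSIGN = E entry blocks infotype 0008 for their own number despite the broad P_ORGIN authorization.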
