
By Venu Gopal Talla

SAP HR (HCM) mainly deals with employee data.

Data is stored in HR in the form of infotypes.
Ex: Personal Data (0002), Addresses (0006), Basic Pay (0008). There are
different components in SAP HR, and each has its own
range of infotype numbers.

0000 - 0999 Personnel Administration (PA)
1000 - 1999 Personnel Planning (OM, PD)
2000 - 2999 Time Management
4000 - 4999 Recruitment
9000 - 9999 Customer-specific infotypes
[Diagram: enterprise and organizational structure of a sample company, XYZ Inc.]
Client: XYZ Inc.
Company codes: Insurance, Finance, Sales
Personnel areas: Pune, Bangalore
Personnel sub-areas: Manufacturing, Planning
Job "Developer" with positions S/W Engineer and Trainee
Job "Management" with positions General Manager and Sr. Manager
Employee Group: general classification of employees, e.g.
Active, Retired, Contractors and External Employees.
Employee Subgroup: division of an employee group, e.g.
Hourly based, Salaried, Executives and Trainees.
There are two kinds of HR authorization check:
1. General authorization check
2. Structural authorization check

1. General authorization check (role-based authorization):
The general authorization determines which object data
(infotype, subtype) and which access mode (read, write, ...)
the user has access to.
Like all other SAP components, an authorization role in
SAP ERP HCM comprises authorization objects,
authorizations and authorization profiles.
The main HR authorization objects:
P_PERNR: personnel number check (access to the user's own personnel number)
P_ORGIN: HR master data
P_ORGINCON: HR master data with context
P_ORGXX: HR master data, extended check
P_ORGXXCON: HR master data, extended check with context
PLOG: personnel planning (OM, PD, E-Recruiting, PM);
mainly secures object types (O, S, P etc.) and their infotypes
P_PCLX: access to HR cluster tables
Relevant transactions:
OOSP - Define PD (structural) profiles
OOSB - Direct assignment of PD profiles to users
OOAW - Define evaluation paths
OOAC - HR authorization main switches
PPST - Structure evaluation
PO13 - Maintain positions
2. Structural authorization check:
The structural authorization determines which object or objects in the
organizational structure the user has access to.

It describes the special authorizations that you can define in
Personnel Planning and Development in addition to the basic
access authorizations.

Structural profiles use the data model of Organizational
Management to build hierarchies using objects and relationships.

Structural authorizations are assigned to users as structural
profiles in table T77UA or using transaction OOSB.
While using structural authorizations, it is important to note that a person's total
authorization is the result of the interaction between the general authorizations
(through roles) and the structural authorizations (through PD profiles).

Secondly, structural authorizations are always used to restrict access. You
can never use structural authorizations to grant access. They can only be used to
restrict access to a smaller set of objects or people than is already given through the
general authorizations.

While using structural authorizations to restrict access, we need to ensure that
access to the corresponding object types and infotypes is also added to the user's roles
through PLOG (and P_ORGIN or P_ORGINCON for PA master data). A structural profile
without the matching general authorization grants nothing.
Structural authorizations control:
Display and maintenance of objects in Organizational Management (OM)
Display and maintenance of all other HCM objects that are
stored in tables of the HRP* structure
Organizational restrictions for the display and maintenance
of personnel administration data
The general authorization check provides access to
infotypes (0001, 0002, 0006, 0008 etc.) and to the activities (display,
edit, change etc.) performed on them.
The structural authorization check gives access to
objects in the org structure and thereby restricts access to
employees.
Note: the user's total authorization is the intersection of the general
and the structural authorization.
When we look at the PLOG object, it does not provide an option
to exclude or permit access to particular objects. For example, if
the authorization for infotype 1000 of object type S is granted,
it applies to all positions of every org unit. The PLOG authorization
object does not let you determine for which areas of the
org structure positions may be displayed or managed. That can only
be done using the structural authorization check.
PLOG:
Object type: S
Plan version: 01
Planning status: *
Function code: INSE, AEND, DISP, DEL etc.
Infotype: 1000
Subtype: *
Hence in this case we use a structural
authorization in addition. Based on the evaluation path, object type
and object ID the user gets access to a defined set of objects.

A user's HR authorization is therefore the
intersection of the general authorization (ex: PLOG) and the
structural authorization (structural profile).
Turn on the PD-PA integration switch (tcode: OOPS, table T77S0).
Ensure the value registered for PLOGI ORGA is X. No other
values need to be checked or changed.
The PD and PA submodules of HR are not configured to share
data by default in the SAP-delivered system. This switch
must be on for data to flow between both modules, i.e. for persons
(PA) to be linked to positions in the OM structure.
Unassigned users: user IDs that have been linked to a
personnel master record via infotype 0105 MUST be
assigned a structural authorization profile, regardless of
whether they are assigned to a node on the organizational
plan or not.

Impact: an unassigned user linked to a personnel master
record who has access to HR transactions can see personnel
data of every employee. A user without an entry of its own in
T77UA falls back to the entry for user SAP*, which in the standard
delivery carries the profile ALL.

Hence every user ID that has a personnel number mapped in
infotype 0105 should be assigned at least one (if necessary dummy)
structural profile, so that a user who is not meant to see other
employees' data cannot do so.
Step 1:
Tcode: OOAC (table T77S0, group AUTSW)
Ensure the main authorization switches in HR are
set to the following values:

Group  Sem. abbr.  Value  Description
AUTSW  ADAYS       15     HR: Tolerance Time for Authorization Check
AUTSW  APPRO       0      HR: Test Procedures
AUTSW  DFCON       4      HR: Default Position (Context)
AUTSW  INCON       0      HR: Master Data (Context)
AUTSW  NNCON       0      HR: Customer-Specific Authorization Check (Context)
AUTSW  NNNNN       0      HR: Customer-Specific Authorization Check
AUTSW  ORGIN       1      HR: Master Data
AUTSW  ORGPD       4      HR: Structural Authorization Check
AUTSW  ORGXX       0      HR: Master Data - Extended Check
AUTSW  PERNR       1      HR: Master Data - Personnel Number Check
AUTSW  XXCON       0      HR: Master Data - Enhanced Check (Context)

For the object switches (ORGIN, ORGXX, PERNR, INCON, XXCON, NNNNN, NNCON)
1 activates the corresponding authorization object and 0 deactivates it.
ORGPD = 0 means no structural authorization check at all; the values 1 to 4
switch the check on and also decide how persons not linked to the OM
structure are handled (see DFCON & ORGPD below).
a) AUTSW ADAYS (Tolerance Time for Authorization Check)

If the org assignment of an employee changes (for example a change
of position), the HR administrator immediately loses access to that
employee, because the employee no longer lies in the administrator's
structural profile.

If this switch contains a value > 0, that loss of access is delayed
by the tolerance time.

The tolerance time enables an administrator to make any necessary
changes to the data of an employee after this employee has left the
administrator's area of responsibility, by providing a transition
period in which the administrator still has access authorization to
the data. This transition period is the number of days set in the
Tolerance Time switch.
DFCON & ORGPD authorization switches, exceptional case:
how to handle non-integrated persons (persons without a position in the OM structure).
Access to these non-integrated persons is controlled by the value of the org unit
stored in infotype 0001 (Organizational Assignment).
Possible values for ORGPD / DFCON and their meaning:

1 = Check access to the org unit maintained in IT 0001 for persons not linked to the
OM structure. If no org unit is maintained in IT 0001, deny authorization to the
person.

2 = Do not check access to the org unit maintained in IT 0001 for persons not linked to
the OM structure. Deny access to all these persons.

3 = Check access to the org unit maintained in IT 0001 for persons not linked to the
OM structure. If no org unit is maintained in IT 0001, grant authorization to the
person.

4 = Do not check access to the org unit maintained in IT 0001 for persons not linked to
the OM structure. Grant access to all these persons.

Values 3 and 4 are the permissive ones: with them, a person who has no position
and no (or a foreign) org unit in IT 0001 is visible to every user whose general
authorization covers the infotype.

Tip: as best practice use ORGPD for the plain structural authorization (with P_ORGIN) and
DFCON in combination with the context solution (P_ORGINCON, P_ORGXXCON etc.).
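The two switches above are easiest to understand as a decision procedure. The following Python model is an added example, not code from the original slides or from SAP: it implements the ADAYS grace period and the ORGPD/DFCON values 1 to 4 for a single person record. All persons, object IDs and dates are constructed sample data, the function names are this example's own, a person "linked to the OM structure" is modelled as one holding a position (S) object, and the tolerance window is taken as inclusive of its last day, which is this example's assumption.

```python
"""Added example (not from the slides or SAP): ADAYS tolerance and the
ORGPD/DFCON handling of persons not linked to the OM structure.
All data below is constructed; names are this example's own."""
from datetime import date, timedelta

ADAYS = 15                      # AUTSW ADAYS value from the slides
CHECK_DATE = date(2024, 3, 20)  # constructed "today"

# Objects granted by the user's structural profile (constructed sample)
PERMITTED = {"O-00001000", "S-50000001", "S-50000002"}


def within_tolerance(left_area_on, check_date, adays):
    """ADAYS: the administrator keeps access for `adays` days after the
    employee left the administrator's area (window inclusive, assumption)."""
    if left_area_on is None:        # employee never left the area
        return True
    return check_date <= left_area_on + timedelta(days=adays)


def non_integrated_allowed(switch_value, it0001_orgeh, permitted):
    """ORGPD / DFCON values 1..4 for a person with NO link to the OM
    structure. `it0001_orgeh` is the org unit from infotype 0001 (None when
    not maintained); `permitted` is the resolved structural object set."""
    if switch_value == 1:   # check IT0001 org unit; no org unit -> deny
        return it0001_orgeh is not None and it0001_orgeh in permitted
    if switch_value == 2:   # no check; deny every non-integrated person
        return False
    if switch_value == 3:   # check IT0001 org unit; no org unit -> allow
        return it0001_orgeh is None or it0001_orgeh in permitted
    if switch_value == 4:   # no check; allow every non-integrated person
        return True
    raise ValueError("switch value %r is not one of 1..4" % (switch_value,))


def person_accessible(person, permitted, switch_value, check_date, adays):
    """Structural decision for one person record (dict with optional keys
    position, previous_position, left_previous_on, it0001_orgeh)."""
    position = person.get("position")
    if position is None:    # not linked to OM: ORGPD/DFCON rules apply
        return non_integrated_allowed(switch_value, person.get("it0001_orgeh"), permitted)
    if position in permitted:
        return True
    # Employee moved out of the area: ADAYS grace period on the old position
    previous = person.get("previous_position")
    return previous in permitted and within_tolerance(
        person.get("left_previous_on"), check_date, adays)


# Constructed cases: name -> (person record, ORGPD/DFCON switch value)
SAMPLE_CASES = {
    "integrated_in_area":     ({"position": "S-50000001"}, 1),
    "moved_10_days_ago":      ({"position": "S-99999999", "previous_position": "S-50000002",
                                "left_previous_on": date(2024, 3, 10)}, 1),
    "moved_48_days_ago":      ({"position": "S-99999999", "previous_position": "S-50000002",
                                "left_previous_on": date(2024, 2, 1)}, 1),
    "no_position_orgeh_ok_1": ({"it0001_orgeh": "O-00001000"}, 1),
    "no_position_orgeh_ok_2": ({"it0001_orgeh": "O-00001000"}, 2),
    "no_position_no_orgeh_1": ({}, 1),
    "no_position_no_orgeh_3": ({}, 3),
    "no_position_foreign_3":  ({"it0001_orgeh": "O-99999999"}, 3),
    "no_position_foreign_4":  ({"it0001_orgeh": "O-99999999"}, 4),
}


def run_cases():
    """Evaluate every constructed case; returns {case name: allowed?}."""
    return {name: person_accessible(p, PERMITTED, sw, CHECK_DATE, ADAYS)
            for name, (p, sw) in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for name, allowed in run_cases().items():
        print("%-26s %s" % (name, "allowed" if allowed else "denied"))
```

Running the script prints one line per case; the two "no_position_foreign" cases show why value 4 is the most permissive setting (a person with an org unit outside the profile is still visible) and the two "moved" cases show the ADAYS window closing after 15 days.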
Tcode: OOSP (table T77PR)
Fields: authorization profile, serial number, plan version, object type,
object ID, maintenance, evaluation path, status vector,
depth, sign, period, function module.
Each field of a structural authorization profile in detail:

Authorization Profile (mandatory)
Name of the authorization profile.
No. (optional)
Sequential number of the line within the profile.
Plan Version (mandatory)
Enter the plan version of the organizational plan to which the profile applies.
Object Type (mandatory)
Object type of the root object in the given plan version.

Object ID
The eight-digit ID of the root object from which the evaluation path starts.

Maintenance (processing mode)
You can use this field to control whether a read or a write authorization is
assigned to the user for the corresponding set of objects. This field in table T77PR
(Definition of Authorization Profiles) corresponds to the MAINT field in table T77FC
(Function Codes HR-PD). All function codes that have an X in this field can be
processed.
Evaluation Path
By entering a specific evaluation path in this field, you determine that the user is
only authorized to access the objects found along this evaluation path.
Use tcodes PPST or PPSS to test an evaluation path.
Status Vector
You can use this field to determine which relationships are considered when the
structure is created. If you define the status vector as 12, for example, all
relationships that have the status active or planned are evaluated
Depth (Display Depth)
You can use this field to determine which level of a hierarchical structure a user is
authorized to access.
Sign
By entering a sign in this field, you can determine that structural authorization
profiles should be created which process the structure bottom up.
If you make no entry in this field (default value <Blank>) or enter a + sign, the
structure is processed in the normal top down manner.
Period (Optional)
Use this field if you want to restrict the authorization according to the validity period
of the structure.
Blank -All
D - Key date
M- Current month
Y -Current year
P -Past
F- Future
Function Module
You can use this field to specify a function module that determines the root object
dynamically at runtime. Do not make an entry in the Object ID field in that case; you
must still specify the Plan Version and Object Type fields.
The advantage of using a function module is that, for each authorization profile you
define, the function module generates a user-specific result for each
user at runtime.
If a manager changes department, for example, the corresponding profile in
table T77PR (Definition of Authorization Profiles) does not need to be changed.
What is more, using function modules can reduce the number of entries in
table T77PR significantly.

Two standard SAP function modules:

RH_GET_MANAGER_ASSIGNMENT (Determine Organizational Units for Manager)
RH_GET_ORG_ASSIGNMENT (Organizational Assignment)

Tip: the advantage of dynamic structural authorizations is their ability to use
attributes of the user (the user's own position, reached via the personnel number in
infotype 0105) to determine the accessible content. A dynamic structural
profile can therefore be reused by many users with different content needs. The
best-known dynamic structural profile is the line manager profile,
which can be reused for everyone holding a manager position.
Basically, the structural authorization uses evaluation
paths. Based on a root object, which is defined by its eight-
digit object ID, the evaluation path determines all objects
below the root object in the structure. The authorization is
issued for all of these objects, the root object included.
Evaluation path O-S-P: internal persons per org unit.
Evaluation paths are maintained in tcode OOAW.
[Figure: sample org tree with root org unit 80000815 and subordinate org unit 80004711, not reproduced]
If root object 80000815 is linked to the O-O-S evaluation
path, all objects shown in the example are permitted. If you specify
root object 80004711, an authorization is only issued for the
objects below that org unit (the white objects in the figure).

Example 3: skipping object types. If we want to give access only to positions
and not to the organizational units (O), we can do it by setting the Skip flag on
the corresponding step of the evaluation path in OOAW: the skipped objects are still
traversed, but they are not part of the authorization.
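The profile fields (root object, evaluation path, status vector, depth, sign, skip) and the "intersection of general and structural authorization" rule can be put together in one small model. The following Python program is an added example, not code from the original slides or from SAP: it resolves one structural profile line to an object set along an evaluation path and then intersects that set with a P_ORGIN-style general authorization. The org plan, the user HRADMIN and the authorizations are constructed sample data; object keys are "<type>-<8-digit id>"; the relationship codes are those of the O-S-P path (B002 line supervisor of, B003 incorporates, A008 holder) and their A/B inverses; depth is counted as hops from the root and the root object is always part of the result, both of which are this example's simplifications.

```python
"""Added example (not from the slides or SAP): resolving a structural
profile line along an evaluation path and intersecting the result with a
general authorization. All data below is constructed."""
from collections import deque

# Constructed org plan: (source, relationship, target, status); 1 active, 2 planned
RELATIONS = [
    ("O-80000815", "B002", "O-80004711", 1),   # O 80000815 is line supervisor of O 80004711
    ("O-80000815", "B003", "S-50000001", 1),   # O incorporates S
    ("O-80004711", "B003", "S-50000002", 1),
    ("O-80004711", "B003", "S-50000003", 2),   # planned position
    ("S-50000001", "A008", "P-00010001", 1),   # S has holder P
    ("S-50000002", "A008", "P-00010002", 1),
    ("S-50000003", "A008", "P-00010003", 1),
]

# Evaluation paths (as in OOAW) as steps: (source type, relationship, target type, skip)
EVAL_PATHS = {
    "O-O-S-P": [("O", "B002", "O", False), ("O", "B003", "S", False), ("S", "A008", "P", False)],
    "O-S-P":   [("O", "B003", "S", False), ("S", "A008", "P", False)],
    "O-O-S skip O": [("O", "B002", "O", True), ("O", "B003", "S", False)],
}

# Constructed P_ORGIN-style general authorization: user -> infotype -> activities
GENERAL_AUTH = {"HRADMIN": {"0001": {"R", "W"}, "0002": {"R", "W"}, "0008": {"R"}}}


def _inverse(rel):
    """A008 <-> B008: every relationship exists in both directions."""
    return ("B" if rel[0] == "A" else "A") + rel[1:]


def _adjacency(status_vector):
    """Edges whose status is in the status vector, e.g. "12" = active + planned."""
    allowed = {int(c) for c in status_vector}
    adj = {}
    for src, rel, tgt, status in RELATIONS:
        if status in allowed:
            adj.setdefault(src, []).append((rel, tgt))
            adj.setdefault(tgt, []).append((_inverse(rel), src))
    return adj


def resolve_profile(root, eval_path, depth=0, sign="+", status_vector="1"):
    """Objects granted by one profile line. depth 0 = unlimited; sign "-"
    walks the path bottom-up from the root via inverse relationships;
    objects reached through a step flagged skip are traversed but not granted."""
    steps = EVAL_PATHS[eval_path]
    if sign == "-":
        steps = [(tgt_t, _inverse(rel), src_t, skip) for src_t, rel, tgt_t, skip in steps]
    adj = _adjacency(status_vector)
    granted, seen, queue = {root}, {root}, deque([(root, 0)])
    while queue:
        obj, level = queue.popleft()
        if depth and level >= depth:
            continue
        for src_t, rel, tgt_t, skip in steps:     # every step whose source type matches
            if obj[0] != src_t:
                continue
            for edge_rel, nxt in adj.get(obj, []):
                if edge_rel != rel or nxt[0] != tgt_t or nxt in seen:
                    continue
                seen.add(nxt)
                if not skip:
                    granted.add(nxt)
                queue.append((nxt, level + 1))
    return granted


def has_access(user, pernr, infotype, activity, profile_objects):
    """Total HR authorization = general check AND structural check.
    The P object ID equals the personnel number (pernr 10002 -> P-00010002)."""
    general = activity in GENERAL_AUTH.get(user, {}).get(infotype, set())
    structural = ("P-%08d" % int(pernr)) in profile_objects
    return general and structural


if __name__ == "__main__":
    whole_tree = resolve_profile("O-80000815", "O-O-S-P")
    sub_tree = resolve_profile("O-80004711", "O-O-S-P")
    print(sorted(whole_tree))
    print(sorted(sub_tree))
    print(has_access("HRADMIN", "10002", "0002", "W", sub_tree))  # True
    print(has_access("HRADMIN", "10001", "0002", "W", sub_tree))  # False: outside the profile
    print(has_access("HRADMIN", "10002", "0008", "W", sub_tree))  # False: no general write auth
```

Rooting the profile at 80004711 instead of 80000815 shrinks the result to that org unit's subtree, exactly as in the figure; a status vector of "12" additionally pulls in the planned position and its holder; `sign="-"` rooted at a person walks upward to its position and org unit; and the "O-O-S skip O" path returns positions without the subordinate org units. The last three `has_access` calls show that neither check alone is sufficient.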
Assignment of structural profiles: tcode OOSB (table T77UA), or via the
OM infotypes maintained in PO13, PO10, PP01 or PP03:
standard (role) profiles in infotype 1016, PD profiles in infotype 1017.

Note: after assigning profiles through infotypes 1016/1017, run report RHPROFL0
to generate the assignment of the authorization profiles to the users linked
via infotype 0105, or schedule it as a background job.
Troubleshooting the general authorization
check is the same as in R/3 security:
SU53, ST01 or STAUTHTRACE.

For structural authorizations SU53 or ST01 will not
work. In OOSB the information (i) icon displays the objects a
user's structural profile resolves to; there you can find the
missing org objects. Report RHAUTH00 likewise lists the objects of a user's profiles.
Note: in large organizations using structural authorizations, the PD
profiles assigned to a user might return thousands of distinct
objects. Evaluating the entire PD profile at runtime to generate the
object list, for each access to HR data, can lead to a significant
degradation in the performance of HR transactions.
SAP provides two programs, RHBAUS02 (Check and Compare
T77UU - User Data in SAP Memory) and RHBAUS00
(Regeneration of INDX for Structural Authorization), to
automate updating of table T77UU and regeneration of the user
indexes.

Schedule both as periodic batch jobs to improve the authorization check performance.


Thank you
