
Understanding how context authorizations work in HR security

by Amy Thistle

May 4, 2012

This HR tip comes courtesy of Juliet Henry of EPI-USE America, who is speaking at our HR 2012 event, 6-8 June in Milan, Italy.

Quick review:
• Standard authorization vs. structural authorizations
  ◦ Standard HR authorizations define which transactions, infotypes, and subtypes the user can maintain and/or display
  ◦ Standard HR authorization = WHAT the user can do
  ◦ The structural authorization will grant access to personnel data for employees within a specific area of the organization
  ◦ Structural authorization = WHO the user has access to

What’s new:
• A link is established between a standard HR authorization, which defines the infotypes and subtypes the user can maintain and/or display, and a structural authorization, which defines a group of employees within a specific area of the organization

• Standard HR authorizations can be linked to different structural authorizations, thereby granting distinct infotype access to separate groups of employees

• Multiple combinations of standard and structural authorizations can be defined within a single user role, thereby eliminating the need for users to have more than one user ID to avoid context conflicts
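
A simplified model of the link described above, added here as an illustration and not taken from the original article or from SAP: it compares one user ID holding two grants when the standard and structural authorizations are evaluated independently and when each infotype grant is tied to a structural profile. Profile names, personnel numbers and role contents are constructed, and the check logic is a deliberate simplification of the real authorization check.

```python
# Simplified model (added example): how linking a structural profile to a
# standard HR authorization changes the effective access of one user ID.
# Profile names, personnel numbers and role contents are constructed.

# Structural profiles: WHO (set of personnel numbers each profile resolves to).
STRUCTURAL_PROFILES = {
    "PAYROLL_US": {"1001", "1002"},
    "MANAGER_EU": {"2001", "2002", "2003"},
}

# One user holds both grants. Each grant: infotype, level, linked profile.
# "R" = display, "W" = maintain (levels are matched exactly in this model).
GRANTS = [
    {"infotype": "0008", "level": "W", "profile": "PAYROLL_US"},  # Basic Pay
    {"infotype": "0002", "level": "R", "profile": "MANAGER_EU"},  # Personal Data
]

def allowed_without_context(pernr, infotype, level):
    """Standard and structural checks evaluated independently:
    any infotype grant combines with any structural profile of the user."""
    what_ok = any(g["infotype"] == infotype and g["level"] == level for g in GRANTS)
    who_ok = any(pernr in STRUCTURAL_PROFILES[g["profile"]] for g in GRANTS)
    return what_ok and who_ok

def allowed_with_context(pernr, infotype, level):
    """Context check: the infotype grant only counts for employees inside
    the structural profile named in that same grant."""
    return any(
        g["infotype"] == infotype and g["level"] == level
        and pernr in STRUCTURAL_PROFILES[g["profile"]]
        for g in GRANTS
    )

def over_entitlements():
    """Return (pernr, infotype, level) tuples granted only when context is ignored."""
    everyone = sorted(set().union(*STRUCTURAL_PROFILES.values()))
    combos = sorted({(g["infotype"], g["level"]) for g in GRANTS})
    return [
        (p, it, lv) for p in everyone for it, lv in combos
        if allowed_without_context(p, it, lv) and not allowed_with_context(p, it, lv)
    ]

if __name__ == "__main__":
    for finding in over_entitlements():
        print("context conflict:", finding)
```

The tuples it reports are the cross-combinations (for example, maintaining Basic Pay for the manager's own team) that the context link removes without splitting the user into two IDs.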

Context-Sensitive Authorization Objects:
• P_ORGXXCON HR: Master Data – Extended Check with Context
  ◦ P_ORGXX with the additional field, Authorization Profile
  ◦ Authorization Profile = link to structural authorizations
  ◦ Must activate the XXCON authorization switch and deactivate the ORGXX authorization switch

• HR: Customer-Specific Authorization Check with Context
  ◦ Customer-Specific Authorization Check with the additional field, Authorization Profile
  ◦ Authorization Profile = link to structural authorizations
  ◦ Must activate the NNCON authorization switch and deactivate the NNNN authorization switch
  ◦ Fields comprising the Customer-Specific Authorization Check:
    ▪ Authorization Level, Infotype, and Subtype – mandatory
    ▪ Any other fields from IT 0001 Organizational Assignment, including custom fields
    ▪ Transaction code (TCD) – optional
    ▪ Infotype-subtype combination field (INFSU) – optional

Points to remember:
• If the user requires access to all objects and people in the organizational structure:
  ◦ Use ALL in the Authorization Profile field instead of “*”
  ◦ “*” results in unpredictable behavior in HCM Security
  ◦ Do not delete the ALL Structural Profile in OOSP

• If custom or “Z” programs have not been coded using the logical database(s), and P_ORGIN authorization checks are individually coded in the programs, then the security checks will not work once security switches to P_ORGINCON
