SAP HR Structural Authorizations

Similar Messages

• Risk Analysis for SAP HR structural authorization

  Hi experts, for those who are familiar with SAP HR structural authorization setup, can you advice what tools out there are able to implement risk based on Structural Authorization as well.
  SAP RAR/CC is not able to do this at the moment, but i am not sure if tools like CSI has the capabilities.
  Appreciate the advice.

  Hi,
  Structural Authorizations "sits" on Standard authorizations. These Structural Authorizations   will need to be defined manually ( as far as I know) depending on the "Evaluation Path".
  Award points if answer was useful.
  Thanks

• SAP BI 7.0 Transport issue with HR Structural Authorization DSO

  Hi,
  I am trying to transport HR Structural Authorization DSO Objects in  BI 7.0  from Dev to QA system. The Data sources are 0PA_DS02 and 0PA_DS03. ( I am sure that there are lots of changes in Authrorization concept in BI 7.0),.
  1. Please suggest me if I need to make any changes and tests before moving these authorization objects to QA system.
  2. Also, do I need to take any pre-cautions while activating business content objects 0TCTAUTH  and 0TCTAUTH_T (Datasources look like are from 3.x) as I am getting issue with the activation of the transfer structure for these objects?
  Thanks a lot for your valuable inputs.
  Regards
  Paramesh
  Edited by: paramesh kumar on May 5, 2009 12:45 AM

  Hi Paramesh.
  You can use the DSOs 0PA_DS02 and 0PA_DS03 in BI7.0 as well. You just need to use the new generation of analysis authorizations in transaction RSECADMIN.
  You can use 0TCTAUTH and 0TCTAUTH_T in BI7.0, however we have experienced som problems with the 0TCTAUTH_T extractor, which dumped because of a poorly designed SELECT statement that was unable to cope with 10000 records. We have replaced it with a generic data source that uses table RSECTEXT directly.
  Regards,
  Lars

• Structural authorization - creation of employee number in webdynpro or abap

  Hello Experts,
  We are facing some problems with the combination of structural authorizations and the creation of a new employee.
  When we use PA40 to create a new employee this does not give any problem.
  In the webdynpro we first execute a call transaction PA40 to apply infotype 0000 and 0001. This works well.
  Except that the call transaction does not set the connection between PA and OM. (so we did program this ourselves)
  In PO13 and the table HRP1001 the same relations are made as when we use PA40 in the sap gui.
  After this we do call transactions PA30 for the next infotypes.
  When we check the SU53 it gives a message: problems with structural authorizations object P (with the employeenumber) starting at 01.01.1800, enddate is empty.
  The employee is manager and connected with his userid in infotype 0105.
  We use in the structural profile the function module  RH_GET_MANAGER_ASSIGNMENT
  We checked with transaction HRHAUTH.
  User has been adjusted to the tables T77UA etc.
  We do not use workflow in this webdynpro
  We used the trace function when this was executed, but it did not give more information about missing structural authorizations.
  This issue was before on SDN (Structural authorization - creation of employee number) but unfortunally there was no solution there for the issue!
  Hope one of you can help me to find the solution!
  With kind regards,
  Rita Mensink

  Hi.
  After 2½ days of frustration I finally nailed this.
  Function group RHAC, that handles the authority checks, initially buffers a table called VIEW containing all objects available for the user. As stated earlier in this conversation, SAP handles creation of relations in HRP1001 (links PA and OM). At this point the new employee number is appended to buffered table VIEW in function group RHAC.
  When execution the PA40 activity through CALL TRANSACTION, the creation of the relations are not handled - and the same goes for updating the buffered table VIEW. The table can be updated using the function module RH_VIEW_ENTRY_INSERT from the same fundtion group:
  This example might be useful
    data: ls_view_entry type hrview,
          ls_related_object type hrobject.
    ls_view_entry-plvar = '01'.
    ls_view_entry-otype = 'P'.
    ls_view_entry-objid = lv_pernr.
    ls_view_entry-begda = '18000101'.
    ls_view_entry-endda = '99991231'.
    ls_view_entry-maint = 'X'.
    ls_related_object-plvar = '01'.
    ls_related_object-otype = 'S'.
    ls_related_object-objid = lv_ny_objid.
    call function 'RH_VIEW_ENTRY_INSERT'
      exporting
        view_entry     = ls_view_entry
        related_object = ls_related_object.
  Best regards
  Poul Steen Hansen
  Senior Technical Consultant
  EDB Consulting Group A/S, Denmark

• How To Create ABAP Code For HR Context Sensitive Structural Authorization

  Hello,
  We have created a HR Custom Program which IS NOT built off the PCH or PNP Logical Database. As a result, we need to manually create ABAP code for HR Context Sensitive Structural Authorization Check in our custom HR program. Via HR Context Sensitive Structural Authorizations, we are restricting access to personnel numbers and the underlying HRP* tables.
  Any assistance would be greatly appreciated with the identification of the SAP standard function modules (Ex. RH_STRU_AUTHORITY_CHECK, HR_CHECK_AUTHORITY_INFTY, HR_CHECK_AUTHORITY_INFTY , etc) used in HR Context Sensitive Structural Authorization Check, how they are used to control HR Structural authorization (P_ORGINCON), and some sample code.
  Thank you in advance for all your assistance,
  Ken Bowers

  Hello Ken
  You can use the interface methods IF_EX_HRPAD00AUTH_CHECK to get the same structural authorization as you can see in PA20/PA30. You need to use the methods set_org_assignment and check_authorization for this purpose. For more information you can refer to include FP50PE21 from line 237 onwards till 270.
  Regards
  Ranganath

• MSS genericiview and R/3 structural authorizations

  Hi,
  I have created some iViews based on par-file "eeprofilegenericiviewtable" to display R/3-queries. In R/3 we use also structural authorizations for the managers with functional module RH_GET_MANAGER_ASSIGNMENT.
  The structural authorization is working in R/3 for a selected manager selecting a query directly from the R/3 via SQ01, but it doesn't in the iview. When the same user is viewing the "query"-iview, the message "No data selected" appears.
  When I assign the user a structural authorization without the functional module RH_GET_MANAGER_ASSIGNMENT, e.g. only with some object types, the user can retrieve data without any problem using "query"-iview.
  Probably the problem is in the functional module HR_INFO_GET_USING_QUERY used for retrieving R/3 query data from the portal and used by the iview eeprofilegenericiviewtable.
  Has anybody met a similar problem? We are using EP6.0 SP14 and SAP R/3 4.6C.
  Beata

  Hi Dwayne (and others!),
  Were facing similar problems with the error message "R3_CONNECT_FAILED". However, our difficulties are a bit strange because i only occurs on one of our two server nodes. We're running SAP EP 6.4, SP9.
  Previously, we've had problems with the maximum number of connections towards our backend system, SAP R/3. But setting the environment variable CPIC_MAX_CONV helped us.
  However, now we get the above error, but only on one of our server nodes. Do you (or anyone else) have any suggestions as to what might be wrong?
  Thanks in advance,
  Rasmus

• Error Occured when Applying Structural Authorizations in E-Recruitment

  Dear Experts,
  The E-Recruitment functionalities were working fine when no structural authorizations are applied. However, when structural authorizations are configured for the user on the backend SAP system (I configured structural authorizations for the user to have access to only his own department), the E-Recruitment module does not work.
  When I tried to access requisitions-> maintenace, application management->applications, etc, (i.e. when the E-Recruitment module tries to retrieve data from the backend), the the following error message occurred.
  Error when processing your request
  What has happened?
  The URL http://<hostname>:<port>/sap/bc/bsp/sap/hrrcf_start_int/application.do was not called due to an error.
  Note
  The following error text was processed in the system ABC : <b>RAISE EVENT statement nested to deep.</b> The error occurred on the application server XYZ and in the work process 0 .
  The termination type was: RABAX_STATE
  The ABAP call stack was:
  Method: ON_CHANGE of program CL_HRRCF_INFOTYPE=============CP
  Method: INSERT_RECORD of program CL_HRRCF_INFOTYPE=============CP
  Method: READ_RECORDS of program CL_HRRCF_REQUISITION_INFO=====CP
  Method: GET_RECORDS of program CL_HRRCF_INFOTYPE=============CP
  Method: GET_RECORDS_BY_DATE of program CL_HRRCF_INFOTYPE=============CP
  Method: ON_REQUISITION_UPDATE of program CL_HRRCF_REQUI_BL=============CP
  Method: ON_CHANGE of program CL_HRRCF_INFOTYPE=============CP
  Method: INSERT_RECORD of program CL_HRRCF_INFOTYPE=============CP
  Method: READ_RECORDS of program CL_HRRCF_REQUISITION_INFO=====CP
  Method: GET_RECORDS of program CL_HRRCF_INFOTYPE=============CP
  Please advice if E-Recruitment supports structural authorizations. If it does, are there additional configuration required to enable structural authorization. Kindly enlighten me on how to resolve this error. Any help will be much appreciated.

  Hello Louis,
  I implemented e-recruiting with structural authorizations for a customer and encountered exactly the same error. Anything in the e-recruiting implementation leads to this problem. When you miss some object authorizations the implementation generates an infinite callstack which results in this short dump.
  So be sure you assigned all necessary objects to recruiters and also candidates (NA, NB, NC, ND, NE, NF, BP, CP, P, Q, QK, VA, VB, VC) but this might be difficult esp. with the P object, when you use structural authorizations for other purposes, too. This usually generates problems in manager involvement (e.g. manager can't choose a recruiter to approve his requisition as he has not the structural authorization for the hr department members).
  It is also a bit strange that candidates need for example change rights for the requisition (NB) although they won't actually change it but without it the relation application->requisition, candidacy->requsition cannot be created correctly.
  Last but not least be always sure that you refreshed the authorization buffers after changing structural authorizations. They are usually switched on for better performance.
  Best regards
  Roman Weise
  PS: be aware that using structural authorizations will keep you busy for some time. we needed ~2 months to set up the system in a way that e-recruiting worked as the custoimer wanted without interfering any other productive hr component (admin, org. mgmnt., managers desktop).

• Failed HR Structure Authorization: should not be possible

  Hi there,
  I've got a strange problem which is quite similar to [this one|https://forums.sdn.sap.com/click.jspa?searchID=10542618&messageID=4893986], but the difference is that my userid does not have an entry in OOSB (T77UA) so it should not have missing HR Structure Authorizations because the general principle in the HR Structure is: No profile - No restrictions.
  However, this user is restricted, but not for all records. The restrictions seem very random.
  It seems that the userid itsself causes the problem. The account has been copied from another account. If you copy this account to any other userid then the problem does not occur, but I have to use this particular one because it is the official userid (personnel number).
  As I said earlier, OOSB is empty and also infotype 0105 (Communication) is set properly.
  I even tried to delete and re-create the userid completely but this did not help.
  It looks like there are some 'hidden entries' in table T77UA or another table setting for this userid that I am not aware of. Could anyone help me out her?
  Thank you!
  Kind regards,
  Lodewijk

  Hi Lodewijk,
  You say your problem is similar to the one you're referring to in your initial post.  Does that mean that you also get an error message saying:
  The last authorization check was successful
  Failed HR Structure Authorizations
  Date xxxxxxxxxxxxxxxxxxx

• Structure Authorization Issue

  Hi guys,
  I don't have structure authorization implemented or HR system implemented. I was playing with my sandbox system to learn structure authorization by using step by step tutorial.  After I created a structure authorization for two users I deleted everything related to structure authorization but unfortunately, some t-codes related to org chart for example PPOME, PPOMW are not working properly, its not allowing to create new org char.
  We have another team needs to create some org chart for prototyping but they can't create org chart its giving no authorization error when I ran SU53 it's not giving regular auth error its also give failed HR structure authorization error, this is the error in su53 coming (Date 10/01/2010 and time Plan version 01 Object ID 5000075 Action LISD) there are so many different object ID on the list.
  They all already have SAP_ALL in the system. Can anybody give some kind of report so I remove structure authorization completely from the system.
  Please help
  Thanks

  Structural Authorization Check
  Structural authorizations are used to grant access to view information for personnel where HR OM has been implemented as we stated. The Access is granted to a user implicitly by the useru2019s position on the organizational plan.
  On top of the general authorization check, which is based on authorization objects, you can define additional authorizations by hierarchical structures.
  In each area, the combination of start object and [Evaluation Path|http://help.sap.com/saphelp_erp60_sp/helpdata/en/35/26c256afab52b9e10000009b38f974/content.htm] from an existing structure returns a specific number of objects. This exact combination, in other words the number of objects returned by this combination, represents a useru2019s [Structural profile|http://help.sap.com/saphelp_erp60_sp/helpdata/en/0c/49ba3b3bf00152e10000000a114084/content.htm]. So structural authorization check is therefore based on a Dynamic concept: The concrete objects that are returned by a structural profile change as the structure (under the start object) changes.
  Steps to Perform to Set Up Structural Authorization Check in brief:
  (Before start moving for str. auth profile it is assumed that the Switch AUTSW for HR General Authorization check is also activated in table T77S0. Structural Authorization won't give the access for accessing HR data as described in the last posts and works together with General Authorization - to remind you)
  1. Integration:  Control parameters for the integration of Personnel Planning and Development (PD) with other applications (such as Personnel Administration (PA) and Cost Accounting (CO), etc.) are specified in the "PLOGI" group.
  2. Turn on PD PA switch: TCode used is OOPS. Ensure value registered for PLOGI u2013 ORGA is X. No other values need to be checked or changed.
  (Note: PD and PA sub modules of HR are not configured to share data by default in the SAP delivered system. This switch must be on for data to flow between both modules.)
  3. Turn on Structural Authorizations Main Switches : TCode is OOAC. Value for ORGPD is set to 1.
  4. Create Org. Plan (check the first post).
  (Note: Do not create your Organizational Plan without this switch on. If you do, structural authorizations will not work and some org and infotype setup will not work. You cannot turn the switch on and get structural authorizations on an organizational plan, that was created while it was off, to work..)
  5. Create Personnel Master Record: Tcode is PA40. This is time consuming staff.
  6. Create record for Infotype 0105 - TCode is PA30.
  7. Create Structural Authorization Profiles u2013 TCode = OOSP
  8. Create entry for IT 1017 - TCode is PO10 (Organizational Unit) or PO13 (Position).
  9. Assignment of Structural Authorizations: The assignment of the Structural Authorization can be found with good details here in [SAP Help|http://help.sap.com/saphelp_erp60_sp/helpdata/en/97/27973b3ea3eb0fe10000000a114084/frameset.htm].
  Please check and let us know for any query.
  Regards,
  Dipanjan

• Training Structural Authorization vs MSS/ESS

  Good day all.
  We're maintaining structural authorization for Training module. The requirement is to be able local company maintain theirown training and regional training can maintain the regional training.
  In OOSP we're maintaining object type L only. For the same object id we're using two evaluation path SCMCATAL and L-D-E-§.
  Unfortunately when we assign certain SAP id (manager) to this structural authorization, this manager can't see his/her subordinate. It saying that "No authorization for reading data". When I remove this user from structural authorization this manager is able to see his/her subordinate.
  Is there any others requirements from HR or additional (BASIS) authorization to rectify this issue?

  Hi
  We are maintaining structural authorization in E-learning. Thre is two departement 1 and 2 . Now for few courses are for dep-1 and few are only for dep-2 .
  This structural authorization is already maintained in ESS now we migrated all the data in e-leraning now my problem is how i can use this structural authorization for E-learning as objects are same just Transaction codes and one Appraisal object is differnt.
  Thanks
  Waiting for reply.
  Nutan

• Talent Management (EhP4) - cannot find structural authorization profiles

  Hi All,<br/><br/>
  I have looked in 3 different SAP ECC6.0 EhP4 system for the Talent Management structural authorization profiles stated in the IMG documentation and on the help.sap.com website. The profiles are:<br/><br/>
  TMS_PROFILE<br/>
  TMS_ALL<br/>
  TMS_MAN_PROF<br/><br/>
  There are also several "sub" profiles for TMS_PROFILE.<br/><br/>
  To take an example from help.sap.com on their Authorizations page (http://help.sap.com/erp2005_ehp_04/helpdata/en/7b/6f92413c3a2e7be10000000a1550b0/content.htm ), the SAP_TMC_SUPER_TALENT_MANA_SPEC clearly indicates the TMS_ALL structural authorization profile is in the standard system:<br/><br/>
  Authorizations for talent management superusers<br/><br/>
  For more information, see Talent Management Superuser.<br/><br/>
  The structural authorization profile TMS_ALL is also available as a template for the Talent Management Superuser.<br/><br/>
  For more information, see Customizing for Talent Management and Talent Development under Basic Settings ® Authorizations in Talent Management ® Define Structural Authorizations.<br/><br/>
  So... does anybody know anything about these and where I can find them? Do they require some form of activation outside of the standard switch activations for Talent Management? I've looked in several tcodes (SU01,PCFG, OOSP etc) for them but no luck.<br/><br/>
  Any help gratefully received and points will be awarded for helpful answers and solutions!<br/><br/>
  Best regards,<br/><br/>
  Luke

  Hey Luke:
  Could you do me a favor and look in client 000 (the SAP delivered client)?  You generally need a basis person for this activity, and I can't find one now on my own end to confirm my theory.  However I'm pretty sure if you went to OOSP in client 000, you'd see those profiles.  They were either never copied over from 000 or your security friends deleted all the profiles that are SAP delivered in the clients you're looking at.
  I could talk for a super boring amount of time about the security concept of "SAP delivers too much access with their roles so we don't use them" that a good number of security teams use - but that's a story for a different day.
  Take a peek in 000 and let me know what you see.  If they're there, you can always have your basis chums copy them over to your clients that you want them in (presumably your security config client).
  Thanks,
  Chris

• SRM 4.0 & structural authorizations

  Hi all,
  I have discovered that using structural authorizations (OOSP & OOSB) I can control all match codes and filter users on creating P.O.
  Does anyone have used OOSP & OOSB in SRM ?
  Is this supported ?
  Thanks
  Andrea

  Paula,
  Since SRM 3.0, we can not create private templates and item favorites anymore. Only public templates.
  even if corresponding status still exist in SC search criteria...
  For a RU SRM 5.0 customer upgrading from EBP 3.0, we asked SAP SRM Development to propose a solution to bring back private templates.
  Consulting note 911241 was created for this (not yet translated).
  Rgds
  Christophe

• Steps for creating structural authorization profile using trans. OOSP

  Dears,
  Could someone please guide to the steps for creating a structural authorization profile using transaction OOSP, to authorize on the HR Payroll Area.
  Thanks.
  Reda

  Hi,
  There are comprehensive guidelines on help.sap.com for creation of structural authorizations: http://help.sap.com/saphelp_erp2004/helpdata/en/34/49ba3b3bf00152e10000000a114084/content.htm
  However, please bear in mind that you cannot limit access to certain payroll area with structural authorization. For that you should use standard PA authorization object (you can use field organizational key to store Payroll Area VDSK1 in IT0001):
  P_ORGIN  http://help.sap.com/erp2005_ehp_02/helpdata/en/3e/b8b83b5b831f3be10000000a114084/content.htm
  Cheers

• Control Workflow Report output using Structural Authorization

  Is it possible to control output of Workflow Reports using Structural Authorizatins. E.g. Workflow Admins having access to tcode SWi2_FREQ will be able to see project wide data, but i want to restrict the workflow admins at department level from seeing workflow data for other departments. is that possible using Structural authorizations or any other mechanism?
  My understanding is that Structural authorizations pretty much control PA/PD, and not other modules. I did a quick test,
  1) Created a org structure
  2) Created employees, users, and set up structural authorizations
  Now when users are granted authorization to PA20, they are restricted to what they should be seeing, but when they are granted authorization for workflow admin reports, structural authorization don't seem to work, they are able to see data for workflow triggered for other departments as well. Is that the standard behavior or i am missing something. I don't have enough experience with Structural auth.
  I will appreciate any guidance on this matter.
  Thanks,
  Saurabh

  Arghadip, please explain how this will prevent someone from Norway from looking at the workflow log of a workflow for an employee belonging to the Danish part of the organisation.
  <i>Message was edited by Kjetil Kilhavn:</i>
  To explain a bit more in detail: how does this prevent me (Norwegian) from going into SWI1, SWIA or any other transaction, and looking at data from other parts of the organisation. I don't think it will work.
  I think the only way to achieve this is to either modify SAP's standard code and include some structural authorisation checks - or take the standard transactions out from every user role and create your own wrappers or program copies which basically does the same as the modification would have to do.

• SAP Basis - CTS authorization

  Dear all,
  I have a system landscape as below: DEV -> PRD, & DEV has 2 clients 200 (for develop & customize) & 210 (for test). When I release requests from 200, all are put in import queue of 210. But when log-on 210 & call STMS, I couldn't import these request into 210, all import button is disabled.
  I try to use authorization S_CTS_ADMIN or SAP_ALL, nut nothing changes.
  Do you know this issue ?
  Thank you very much,
  Regards,
  Sylvacast.
  Edited by: Sylvecast T on Mar 22, 2008 4:36 PM

  Hi Vikas,
  If you go to help.sap.com, and navigate through the tree to ERP>Human Resourses> Authorizations in HR, you will be able to find a great deal of information on structural authorizations.
  I hope you find this helpful.
  Regards,
  -Joe