Beginning with Structural Authorisations

Similar Messages

• Who's Who with Structural Authorisations

  Hi,
  We have implemented structural authorisation.
  When manager logins to portal and view Who's who he is able to see only team members data.
  Instead our requirement is to view all the employees data in Who's who though manager has structural authorisation profile.
  Structural authorisation we have implemented only for the user who are (PORTAL+R\3).
  << Moderator message - Everyone's problem is important >>
  Thanks,
  Usha
  Edited by: Rob Burbank on Oct 18, 2010 3:39 PM

  Check the following link:
  Authorization Made Easy
  http://www.slideshare.net/Juanfe1978/1ux2y54tcwomq2gtx7pd
  Authorization Concept for SAP Student Lifecycle Management
  http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/409acd1d-75d1-2a10-4a91-dadabd18e1ff
  Technical Considerations in Global SAP BW HR Implementations
  http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/505351fe-ec8c-2910-c5b5-a43bbf53f6fc
  Hope this help you.
  Regards

• Concurrent Employment and MSS ( Structural Authorisation)

  Hi
  We are having some problem with Structural authorisation in case of concurrently employed users. The scenarios is as follows
  1. User A is manager and have MSS role and relevant PD profile
  2. User P is employee . This employee is concurrently employed. one position of this user is in the organisation unit of manager A and the another position for this
  The problem is that the manager A is unable to approve the form submitted by the employee P. if we remove concurrent employment it start working again.
  I can see that Manager has structural access over employee P in tcode OOSb
  Any suggestion will be welcome
  Parveen

  Hi
  The problem we were having is that index was not updated. So inspite of having access to the user i was not able to approve the form. I have regenerated the index via report rhbaus00 which fixed the problem
  Parveen

• Structural authorisation along with organisational key

  Hi All:
  The scenario is:There are 8 company codes(8 diff countries) with 8 diff Personnel areas.A user needs to have access to all employees in his country and secondly, all the HR employees spread over all other company codes in different org units.
  I can create role using P_ORIGIN with that PA and assign to the user but how do i provide him access to all other HR employees.Structural Authorisation would restrict access to a specific org unit which doesn't suffice both criteria as it overrides org key.
  Helpful answers would be duly rewarded.
  Regards,
  Kmaini

  Hi,
  Structural authorization does not overwrite org.key.
  You need to customize structural authorization accordingly.
  For example, you have 8 company codes associated with personnel areas PA01-PA08. You are trying to create role for company code 1.
  1. In P_ORGIN you give access to all personnel areas PA01-PA08.
  2. For structural authorization you create following entry points:
  - root org.unit for company 1
  - HR org unit for company 2
  - HR org unit for company 3
  - HR org unit for company 4
  - HR org unit for company 5
  - HR org unit for company 6
  - HR org unit for company 7
  - HR org unit for company 8
  Cheers

• Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

  Hi
  I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
  This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
  1. Can we integrate both structural authorizations and position based role mapping in one system?
  2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
  3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
  4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
  Any help or suggestions on the above would be appreciated.
  Thanks and Regards
  Arun R

  Hi
  1. Can we integrate both structural authorizations and position based role mapping in one system?
  Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
  2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
  No, the SAP role is unique to the postion it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the sap role directly to the user in SU01/SU01
  3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
  Create user in SU01.SU10 first before creating infotype 105 in PA30.
  4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
  *When a users assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.   
  Also the number of days an employee can have access to their previous data is controlled by the parameter is called ADAYS - tx OOAC .  SAP currently defaults this to 15 days and this is used  to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
  Hope this helps.
  Charmaine

• Ad Hoc Query & HR Structural Authorisations

  Good day,
  Can you kindly suggest solutions to the following?
  Users with access to IT0008 can view basic pay across company codes. Iam using user groups for restriction per company code and PD Profiles for structural authorisations - there is also a restiction on personnel areas for the company code in the role in which IT8 is allocated...
  Can you advise how i can restrict IT8 access for users across sites/company codes?
  Thanks have a lovely day!

  Hi Anders,
  Thank you for the reply,
  We are using HR structural authorisations with context solution P_ORGINCON, we have a HR Organisational based structure - where roles and PD profiles are linked to postions (PD Profiles are per company code as well nd linked to IT1017 on object S)... That is correct In our HR enterprise structure the personnel area is a breakdown of the section/s within a company code.
  My roles have the personnel area restriction specified however when using Ad hoc query it is still allowing cross company access on it8. is there perhaps an object that is allowing this access we are not using object S_QUERY at this stage. could P_ABAP be allowing this access?

• CFUPDATE problem with field name beginning with a number

  I have a form (actually several) that is gathering data for a survey. I tried to use cfupdate to update the data elements and got a string index out of range error. I tested again without the form fields that began with numbers and it worked just fine. I then tried to enclose the offending field names in () and []. Both times I got same error. Does anyone have a work around for this? The code and error are below.
  Changing the field names is not really an option. This survey has almost 400 data points and most of the fields begin with the question number.
  Thanks
  DW
  <cfupdate datasource="#application.fdp_datasource#" tablename="arra_survey1" dbtype="ODBC" formfields = "entry_no, 2_a_fy09, '2_a_fy10', '2_a_fy11', '2_a_fy12', '2_b_fy09', '2_b_fy10', '2_b_fy11', '2_b_fy12', '2_c_fy09', '2_c_fy10', '2_c_fy11', '2_c_fy12', '2_d_fy09', '2_d_fy10', '2_d_fy11', '2_d_fy12', '2_e_fy09', '2_e_fy10', '2_e_fy11', '2_e_fy12', '2_f_fy09', '2_f_fy10', '2_f_fy11', '2_f_fy12', '2_g_fy09', '2_g_fy10', '2_g_fy11', '2_g_fy12', '2_h_fy09', '2_h_fy10', '2_h_fy11', '2_h_fy12', '2_i_fy09', '2_i_fy10', '2_i_fy11', '2_i_fy12', '2_j_fy09', '2_j_fy10', '2_j_fy11', '2_j_fy12', '2_k_fy09', '2_k_fy10', '2_k_fy11', '2_k_fy12', '2_l_fy09', '2_l_fy10', '2_l_fy11', '2_l_fy12', central_office, dept_office, incl_other, 3_a_fy09, 3_a_fy10, 3_a_fy11, 3_a_fy12, 3_b_fy09, 3_b_fy10, 3_b_fy11, 3_b_fy12, 3_c_fy09, 3_c_fy10, 3_c_fy11, 3_c_fy12, 3_d_fy09, 3_d_fy10 3_d_fy11, 3_d_fy12, 3_e_fy09, 3_e_fy10, 3_e_fy11, 3_e_fy12, 3_f_fy09, 3_f_fy10, 3_f_fy11, 3_f_fy12, 3_g_fy09, 3_g_fy10, 3_g_fy11, 3_g_fy12, 3_h_fy09, 3_h_fy10, 3_h_fy11, 3_h_fy12, 3_i_fy09, 3_i_fy10, 3_i_fy11, 3_i_fy12, 3_j_fy09, 3_j_fy10, 3_j_fy11, 3_j_fy12, 3_k_fy09, 3_k_fy10, 3_k_fy11, 3_k_fy12, 3_l_fy09, 3_l_fy10, 3_l_fy11, 3_l_fy12">
  String index out of range: -2
  The error occurred in C:\Inetpub\wwwroot\directory\process_arra_suvey_2.cfm: line 12
  12 : <cfupdate datasource="#application.fdp_datasource#" tablename="arra_survey1" dbtype="ODBC" formfields = "entry_no, 2_a_fy09, '2_a_fy10', '2_a_fy11', ...

  I think you have run one of CFUPDATE's limitations.  I am not 100% certain, but I do not think cfupdate provides a way to escape invalid column names like yours.  In which case you may need to do a regular UPDATE within a  cfquery instead... or rename your columns.
  fields that began with numbers
  Most databases discourage creating column names that start with a number (or other restricted characters).  While many databases will allow you to escape invalid names, it is simpler all around to avoid them altogether.  Otherwise, you may have to escape the names in every single query. The recommendations vary, but usually object names that begin with a  letter, and contain only letters, numbers and underscores are considered  safe.
  This survey has almost 400 data points and most of the fields begin with the question number.
  Four-hundred (400) is a lot of columns for a single table.  The fact that they all them seem to contain the same type of information (ie response to a question) is an indication that data should probably be stored in a separate table, as rows, not columns.  For example questions could be stored in one table, possible answers in another, and the results of an individual test/survey stored in a third table.  A structure like that is much easier to query, can easily accommodate changes (add/remove questions, responses, etcetera) without having modify the table every time.

• Change org structure, structural authorisations and MSS team calendar

  We are using structural authorisations with evaluation path O-S-P for managers .  If I move an employee into a new org unit, when the manager views the Team Calendar in MSS, they can see the new employee.  However, if I move the manager into a new org unit from a specific date with the chief indicator ticked, nothing is displayed in the Team Calendar and the message says "no data available in chosen period".  I thought it could be an authorisation issue so I have done an authorisation check in Time Managers Workplace for the same manager trying to view an employee in the new org unit and it says it's failing on structural authorisations.  If I look in T77UA it shows the correct org unit, positions and employee numbers so I don't understand why it's giving me the structural authorisation error?  PFUD has been run and T77UA looks correct - am I missing something??
  Any help would be greatly appreciated!

  I would check the A012 "manages" relationship and see if its pointing to the right Org unit. We have had several issues with the team calendar and ended up customsing a lot of it.

• Structural authorisation HR security

  Hi all,
        I am very much new in HR Security ,need your help in Structural Authorisation My querry is that
  1.) how can we get Personnel number when we have POSITION or Org unit.any steps or Tcode.
  2.) Is Structural authorisation applied to the POSITION who has B012 Relation ships only with Org unit or it can also be applied on the POSITION without B012 relationships.
  Pl.. help..
  Thanks in ADVANCE,
  Chandresh Bajpai

  Hi Chandresh,
  If you know position, then go to PP01 > select position > give position ID > Clcik on relationship > select all radio button > click on overview > you can see all relationship which have been maintained for that position. Check relathionship A008 (position to person).
  Then structural authorization does not depend on only relationshio A012 (chief position. But it depends on total OM structure. Before going for structural authorization, you should have OM structure in place.
  Regards,
  Purnima

• Structural Authorisation - Unrelated Objects

  Hi all,
  We are facing an issue in structural authorisation of OM objects. The user wants to have authorisation of all objects under his root Org unit alongwith any objects that are unrelated (having no relationship with any Org unit / Positions).
  Is this possible with standard configuration? How can this be achieved?
  Regards,
  VK

  Hi VK
  Yes it is possible.
  You have to create your own function module and assign it to a structural authorization profile (field T77PR-PFUNC)
  In this function module, as semvladigo says you have to collect all required unrelated objects and return them via OBJ_TAB interface table.
  as a reference please check the following function modules:
  RH_GET_MANAGER_ASSIGNMENT
  RH_GET_ORG_ASSIGNMENT
  Regards,
  Sergey

• Structural authorisation performance issue

  Hi,
  For our customer we have the HR-PD object authorisation activated. We now encounter performance issues in the buffering of objects. We have set the buffer/refresh two times a day but this has a huge impact on the resources and hence performance of the system. We actually need to set the buffer to be run more then two times a day (once a half hour) but this is now out of the question.
  Are there any settings, configuration, or something else that can be done to improve performance.
  Business Scenario: in SAP SLcM* a student is already admitted for a program on faculty (O-unit) X. After a couple months the student is admitted to another faculty (Y) by an employee of that faculty Y (that proces is without authorisation).From that moment on the structural authorisation gets in place. Also on this moment the student is not visible to the employee of faculty Y. After the run of the buffer the student is visible again.
  br,
  Rob
  *Also works with HR-PD objects and the structural authorisation from ERP-HCM. SAP SLcM is a industry solution for the higher education market.

  >
  Rob Jonkers wrote:
  > Hi,
  >
  > For our customer we have the HR-PD object authorisation activated. We now encounter performance issues in the buffering of objects. We have set the buffer/refresh two times a day but this has a huge impact on the resources and hence performance of the system. We actually need to set the buffer to be run more then two times a day (once a half hour) but this is now out of the question.
  >
  > br,
  > Rob
  >
  > *Also works with HR-PD objects and the structural authorisation from ERP-HCM. SAP SLcM is a industry solution for the higher education market.
  Hi rob, what exactly is meant by refreshing the buffer two times a day?  Are you running the program RHBAUS00?  If so, have you considered tweaking what gets indexed by using program RHBAUS02.  Here you can increase threshold, which should limit what type of users actually get buffered when the program runs (so only users with access to many auth objects will actually be indexed). 
  Let me know if this helps.
  Best Regards,
  Michael

• Cannot create xmlindex with structured component

  Hello everybody,
  I want to create an XMLIndex with structured components on a table named BID_XWH. The table stores rows that are valid against the following XML Schema:
  <?xml version="1.0" encoding="UTF-8"?>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
       <xs:element name="bid">
            <xs:complexType>
                 <xs:all>
                      <xs:element name="bid_date" type="xs:date"/>
                      <xs:element name="bid_time" type="xs:time"/>
                      <xs:element name="increase" type="xs:float"/>
                 </xs:all>
                 <xs:attribute name="bid_id" type="xs:string" use="required"/>
            </xs:complexType>
       </xs:element>
  </xs:schema>
  I want to index bid_id, bid_time and increase. I wrote the following code
  CREATE INDEX bid_idx ON bid_xwh(OBJECT_VALUE)
  INDEXTYPE IS XDB.XMLINDEX PARAMETERS(
  'XMLTABLE bid_tab ''/bid''
  COLUMNS
  bid_id varchar2(15) PATH ''@bid_id'',
  bid_time VARCHAR2(15) path ''bid_time'',
  increase integer path ''increase''
  However, I'm getting this error:
  {Erreur commençant à la ligne 1 de la commande :
  CREATE INDEX bid_idx ON bid_xwh(OBJECT_VALUE)
  INDEXTYPE IS XDB.XMLINDEX PARAMETERS(
                 'XMLTABLE bid_tab ''/bid''
                 COLUMNS
                bid_id varchar2(15) PATH ''@bid_id'',
                bid_time VARCHAR2(15) path ''bid_time'',
                increase integer path ''increase''
  Erreur à la ligne de commande : 1, colonne : 0
  Rapport d'erreur :
  Erreur SQL : ORA-00600: code d'erreur interne, arguments : [ktcxbr0_1], [0x3B26BD24], [1], [0], [], [], [], [], [], [], [], []
  ORA-00600: code d'erreur interne, arguments : [kqludp2], [0x37C28CFC], [0], [], [], [], [], [], [], [], [], []
  00600. 00000 - "internal error code, arguments: [%s], [%s], [%s], [%s], [%s], [%s], [%s], [%s]"
  *Cause:    This is the generic internal error number for Oracle program
  exceptions.     This indicates that a process has encountered an
  exceptional condition.
  *Action:   Report as a bug - the first argument is the internal error number}
  I have already created 4 other indexes on other tables, with quite the same syntax and everything worked fine. But for this table BID_XWH and another one, I am getting the error all the time. I suspected a storage problem, so, I granted the "unlimited tablespace" privilege to the user and then I restarted the database. The problem persists.
  I noticed that although I'm getting the above error, the index BID_IDX is created, but not the associated relational table BID_TABLE.
  I am using Oracle 11g R on Windows 7.
  Could you help please?
  Doulkifli.

  Hi,
  Some additional questions...
  - Could you give the complete version number?
  - What type of storage are you using?
  - Did you register the XML schema in the DB?
  Please post the DDL for your XMLType table.
  The following works for me on 11.2.0.1 :
  SQL> begin
    2   dbms_xmlschema.registerSchema(
    3   schemaURL => 'bid.xsd',
    4   schemaDoc => '<?xml version="1.0" encoding="UTF-8"?>
    5  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    6  <xs:element name="bid">
    7  <xs:complexType>
    8  <xs:all>
    9  <xs:element name="bid_date" type="xs:date"/>
  10  <xs:element name="bid_time" type="xs:time"/>
  11  <xs:element name="increase" type="xs:float"/>
  12  </xs:all>
  13  <xs:attribute name="bid_id" type="xs:string" use="required"/>
  14  </xs:complexType>
  15  </xs:element>
  16  </xs:schema>',
  17   local => true,
  18   genTypes => false,
  19   genTables => false,
  20   options => dbms_xmlschema.REGISTER_BINARYXML
  21   );
  22  end;
  23  /
  Procédure PL/SQL terminée avec succès.
  SQL> create table bid_xwh of xmltype
    2  xmltype store as binary xml
    3  xmlschema "bid.xsd"
    4  element "bid"
    5  ;
  Table créée.
  SQL> insert into bid_xwh values(
    2  xmltype(
    3  '<bid bid_id="ID001">
    4   <bid_date>2011-02-05</bid_date>
    5   <bid_time>12:34:56</bid_time>
    6   <increase>123.45</increase>
    7  </bid>')
    8  );
  1 ligne créée.
  SQL> commit;
  Validation effectuée.
  SQL> CREATE INDEX bid_idx ON bid_xwh(OBJECT_VALUE)
    2  INDEXTYPE IS XDB.XMLINDEX PARAMETERS(
    3  'XMLTABLE bid_tab ''/bid''
    4  COLUMNS
    5  bid_id varchar2(15) PATH ''@bid_id'',
    6  bid_time VARCHAR2(15) path ''bid_time'',
    7  increase integer path ''increase''
    8  ');
  Index créé.
  SQL> select /*+ gather_plan_statistics */
    2         x.*
    3  from bid_xwh t,
    4       XMLTable('/bid'
    5         passing t.object_value
    6         columns
    7           bid_id varchar2(15) PATH '@bid_id',
    8           bid_time VARCHAR2(15) path 'bid_time',
    9           increase integer path 'increase'
  10       ) x
  11  ;
  BID_ID          BID_TIME          INCREASE
  ID001           12:34:56.000000        123
  SQL> select * from table(dbms_xplan.display_cursor(null, null, 'ALLSTATS LAST'));
  PLAN_TABLE_OUTPUT
  SQL_ID  g6t7430a6g7dp, child number 0
  select /*+ gather_plan_statistics */        x.* from bid_xwh t,
  XMLTable('/bid'        passing t.object_value        columns
  bid_id varchar2(15) PATH '@bid_id',          bid_time VARCHAR2(15) path
  'bid_time',          increase integer path 'increase'      ) x
  Plan hash value: 752159937
  | Id  | Operation                    | Name                   | Starts | E-Rows | A-Rows |   A-Time   | Buffers |
  |   0 | SELECT STATEMENT             |                        |      1 |        |      1 |00:00:00.01 |       6 |
  |   1 |  NESTED LOOPS                |                        |      1 |        |      1 |00:00:00.01 |       6 |
  |   2 |   NESTED LOOPS               |                        |      1 |      1 |      1 |00:00:00.01 |       5 |
  |   3 |    INDEX FAST FULL SCAN      | SYS_C0011792           |      1 |      1 |      1 |00:00:00.01 |       4 |
  |*  4 |    INDEX RANGE SCAN          | SYS76494_76495_OID_IDX |      1 |      1 |      1 |00:00:00.01 |       1 |
  |   5 |   TABLE ACCESS BY INDEX ROWID| BID_TAB                |      1 |      1 |      1 |00:00:00.01 |       1 |
  Predicate Information (identified by operation id):
     4 - access("T"."SYS_NC_OID$"="SYS_ALIAS_0"."OID")
  Note
     - dynamic sampling used for this statement (level=2)
  29 ligne(s) sélectionnée(s).

• Structural Authorisation access issue

  HI
  I am currently trying to implement Structural Authorisation.  I have run into a problem and hoping someone maybe able to help.  The problem I have is that when a user searchs for employee's in PA20/30 the results show all employee's that are part of the org unit that the PD profile is restricting.  However it also includes users that were part of the org unit at some stage.
  Now in PA30 the user does not get the header for these users but is able to access/modify some infotypes.  I am not sure but I think there is a setting somewhere that will limit the PD profile to only display current employee's of the org unit only but for the life of me can not remember or recall where it is.  Can anyone help with this?
  Any help will be appreciated,
  Many thanks in advance.

  Hi,
  Did you verify the values for the
  Switch ADAYS "HR: Tolerance Time for Authorization Check"
  in Transaction OOAC.
  Depending on the number of days mentioned.
  The person would have access to old Org Unit till the tolerance period if he modified information in that org unit.
  Actual SAP documentation:
  HR: Tolerance Time for Authorization Check (ADAYS)
    Use
      The tolerance time for the authorization check specifies the length of
      time, in the case of an organizational change, that the personnel
      administrator has access to the data he or she created for a person if
      this person already has an organizational assignment outside of his or
      her authorizations.
    Input values
      The tolerance time for the time logic for master data infotypes is
      specified in calendar days. In the standard SAP system, the value of the
      switch is set to 15 (= 15 calendar days). When this switch is active,
      that is, when it contains a value greater than 0, organizational changes
      that result in the loss of a particular authorization take effect in
      accordance with the tolerance time.
    Example
      ADAYS is set to 15. In the system, only checks with P_ORGIN are active.
      Administrator A has read and write access to data in personnel area A
      while administrator B has read and write access to data in personnel
      area B. It is assumed that for all infotypes the time dependency of the
      authorization check (switch T582A-VALDT) is active.
      A personnel number was assigned to personnel area A until 12/31/9999. As
      of 01/01/2000 this personnel number is assigned to personnel area B. The
      period of responsibilty of administrator A ends on 12/31/9999 but due to
      the tolerance time, he or she continues to have unrestricted read and
      write access to data until 01/15/2000 (inclusive). However, as of
      01/16/2000, he or she no longer has write access to data. Nevertheless,
      the administrator still has read access to all data records with a startdate prior to 12/31/9999.

• HCM Structural Authorisations - OOSP Not Updating

  Hi All,
  I am experiencing a problem when I am trying to transport a newly created Structural Authorisation from our Development to UAT clients.
  I have been able to apply the transport to the UAT client and table T77PR has been updated with the new structural authorisation, the problem I have is that transaction OOSP is not updating in the UAT client, I am therefore unable to assign the structural authorisation to any positions for testing purposes.
  The UAT client is 'not modifiable' could this be the problem ?
  Thanks
  Simon

  Hi Simon,
  Check in Transaction code OOCR. I infer a setting that you need to verify there. The issue may occur if the TRSP CORR option is  set it to the right option. If you left it Blank, it means automatic transport connection is activated and if the value is set to X, it means no automatic transport connection.
  If the issue persists, I recommend you checking the transport logs and see if there is an error.
  Regards,
  Raghu

• Error in SRM:  a user with enough authorisation level is miss

  Hello,
  We are on SRM 5.0 and our users get the following error in SRM when creating a shopping cart:
  No user assigned to object a user with enough authorisation level is missing.
  Anybody any idea ?
  Thanks as ever

  Hello Can anybody helpe me please ?