Exclusion Flag in PD Profiles (Structural Authorizations)

Hello, I have a question about the exclusion indicator in IT1017 (PD Profiles).  We are upgrading from 4.6C to ECC 6.0.  This indicator was not available in 4.6C.  We are now concerned that users may inadvertently set this indicator and the recipient's authorizations will get impacted.
The documentation only states that "This field allows you to exclude branch structures from structural authorizations."
We have found that if the flag is set (and RHPROFL0 runs), the impact to the user is that they can only see their own data.  We have also found that, in order to remove the flag you must remove it from IT1017 and re-run RHPROFL0 with the "delete manually maintained authorization profiles" - PD Authorizations flag switched on. 
Can anyone help explain what the exclusion indicator is used for? And shed some light on its function?
Regards,
Gino

The exclusion is used to exclude a specific piece of a structural profile you assign to a user. Example: your user has a structural profile to see all HR infotypes within his/her department. However you don't want this user to see the manager's data. You can create a separate structural profile that contains the manager's personnel number.
You assign both structural profiles to the user. Either directly "on the user" using transaction OOSB (Table T77UA) where you see an identical exclusion indicator. The "manager" structural profile will have the exclusion indicator set. That way the user has access to department data exclusive of the manager's data.
If you assign it on the position by IT1017 you set the exclusion indicator there. You will see that if you run RHPROFL0 that T77UA will be updated with the 2 entries for the user and one will automatically have the exclusion indicator set.
The concern that users inadvertently change this indicator should be very small since there should not be very many users that have access to PO13 and/or OOSB in a production environment.
Ruud Scheenen
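
The set logic described in the answer above, as an added example that is not part of the original thread and is not SAP code: a simplified Python model in which a user's visible objects are the union of the normal profile rows minus the objects named by exclusion rows, plus an audit that flags users whose exclusion flag sits on the wrong row. The org tree, profile names, user names and the Assignment field names are constructed for illustration; only the idea of T77UA rows carrying an exclusion indicator comes from the thread.

```python
from dataclasses import dataclass

# Constructed org structure: parent -> children (O = org unit, P = person).
ORG_TREE = {
    "O:SALES": ["P:1001", "P:1002", "P:1003", "O:SALES_EU"],
    "O:SALES_EU": ["P:2001", "P:2002"],
}

# Constructed structural profiles. Each root stands in for "start object plus
# evaluation path" and expands to the whole subtree below it.
PROFILES = {
    "DEPT_SALES": ["O:SALES"],
    "MGR_SALES": ["P:1001"],  # contains only the manager's personnel number
}


@dataclass(frozen=True)
class Assignment:
    """One row of a T77UA-like table; the field names are hypothetical."""
    user: str
    profile: str
    exclude: bool = False


# Constructed assignments. CLERK1 is the set-up from the answer above;
# CLERK2 and CLERK3 show the flag set on the wrong row.
ASSIGNMENTS = [
    Assignment("CLERK1", "DEPT_SALES"),
    Assignment("CLERK1", "MGR_SALES", exclude=True),
    Assignment("CLERK2", "DEPT_SALES", exclude=True),
    Assignment("CLERK3", "MGR_SALES"),
    Assignment("CLERK3", "DEPT_SALES", exclude=True),
]


def profile_objects(profile):
    """Expand a profile to every object reachable below its roots."""
    seen, stack = set(), list(PROFILES[profile])
    while stack:
        obj = stack.pop()
        if obj not in seen:
            seen.add(obj)
            stack.extend(ORG_TREE.get(obj, []))
    return seen


def split_sets(user, assignments):
    """Return (included, excluded) object sets for one user."""
    included, excluded = set(), set()
    for row in assignments:
        if row.user == user:
            (excluded if row.exclude else included).update(profile_objects(row.profile))
    return included, excluded


def effective_objects(user, assignments=ASSIGNMENTS):
    """Objects granted by normal rows minus objects named by exclusion rows."""
    included, excluded = split_sets(user, assignments)
    return included - excluded


def audit(assignments=ASSIGNMENTS):
    """Flag users whose exclusion rows leave them with no structural access."""
    findings = {}
    for user in sorted({row.user for row in assignments}):
        included, excluded = split_sets(user, assignments)
        if not included:
            findings[user] = "only exclusion rows, nothing is granted"
        elif included <= excluded:
            findings[user] = "exclusion rows cover every granted object"
    return findings


if __name__ == "__main__":
    for name in ("CLERK1", "CLERK2", "CLERK3"):
        print(name, sorted(effective_objects(name)))
    print(audit())
```

CLERK2 is the situation raised in the question: the flag set on a user's only profile leaves an empty set in this model, which a periodic review of the assignment table can catch before users report lost access.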

Similar Messages

  • PD Profile / Structural Authorization in Access Request - 10.1

    Hi - We are upgrading from 5.3 to 10.1 SP6.  We are not migrating.  In 5.3 we provisioned PD profiles directly to a user in OOSB.
    I'm having issues with our PD Profile showing up in my access request search.  Here's what I have done.
    Business Role Management
    - I created a "PD Profile" against my ECC "Landscape".  The "Project Release" is Production.  The Additional Details --> Provisioning has my ECC system and allows for provisioning.  The "Current Phase" is Complete.
    When a search for the PD profile using "Role Type" PD Profile in Access Management-->Role Management-->Role Search, my PD profile appears.
    When I go to create an access request and I go to Add --> Role the "Select Roles" search screen appears.  I search by Role Type = PD Profile and nothing shows up.  I try to search by the actual PD Profile Name with no other selections and nothing shows up.  All my composite and single roles show up in my searches.
    When I go into table "GRACPDPROFILES", I see the PD Profile I created.  Field AC_REF_ROLE_ID contains a long string.  It has an updated date of when I created it.
    Any idea on what other setting I may be missing to make the PD profile available to select in an access request?
    We'll continue to do direct assignment within OOSB and not indirectly via the position.
    Thanks,
    Rich

    Hi Richard,
    You need to refer to: http://service.sap.com/sap/support/notes/1666128
    Hope this helps.
    Regards,
    Ameet

  • Talent Management (EhP4) - cannot find structural authorization profiles

    Hi All,

    I have looked in 3 different SAP ECC6.0 EhP4 system for the Talent Management structural authorization profiles stated in the IMG documentation and on the help.sap.com website. The profiles are:

    TMS_PROFILE
    TMS_ALL
    TMS_MAN_PROF

    There are also several "sub" profiles for TMS_PROFILE.

    To take an example from help.sap.com on their Authorizations page (http://help.sap.com/erp2005_ehp_04/helpdata/en/7b/6f92413c3a2e7be10000000a1550b0/content.htm ), the SAP_TMC_SUPER_TALENT_MANA_SPEC clearly indicates the TMS_ALL structural authorization profile is in the standard system:

    Authorizations for talent management superusers

    For more information, see Talent Management Superuser.

    The structural authorization profile TMS_ALL is also available as a template for the Talent Management Superuser.

    For more information, see Customizing for Talent Management and Talent Development under Basic Settings → Authorizations in Talent Management → Define Structural Authorizations.

    So... does anybody know anything about these and where I can find them? Do they require some form of activation outside of the standard switch activations for Talent Management? I've looked in several tcodes (SU01, PCFG, OOSP etc) for them but no luck.

    Any help gratefully received and points will be awarded for helpful answers and solutions!

    Best regards,

    Luke

    Hey Luke:
    Could you do me a favor and look in client 000 (the SAP delivered client)?  You generally need a basis person for this activity, and I can't find one now on my own end to confirm my theory.  However I'm pretty sure if you went to OOSP in client 000, you'd see those profiles.  They were either never copied over from 000 or your security friends deleted all the profiles that are SAP delivered in the clients you're looking at.
    I could talk for a super boring amount of time about the security concept of "SAP delivers too much access with their roles so we don't use them" that a good number of security teams use - but that's a story for a different day.
    Take a peek in 000 and let me know what you see.  If they're there, you can always have your basis chums copy them over to your clients that you want them in (presumably your security config client).
    Thanks,
    Chris

  • Steps for creating structural authorization profile using trans. OOSP

    Dears,
    Could someone please guide to the steps for creating a structural authorization profile using transaction OOSP, to authorize on the HR Payroll Area.
    Thanks.
    Reda

    Hi,
    There are comprehensive guidelines on help.sap.com for creation of structural authorizations: http://help.sap.com/saphelp_erp2004/helpdata/en/34/49ba3b3bf00152e10000000a114084/content.htm
    However, please bear in mind that you cannot limit access to certain payroll area with structural authorization. For that you should use standard PA authorization object (you can use field organizational key to store Payroll Area VDSK1 in IT0001):
    P_ORGIN  http://help.sap.com/erp2005_ehp_02/helpdata/en/3e/b8b83b5b831f3be10000000a114084/content.htm
    Cheers

  • Can I create the structural authorization profile in batch?

    Hi All:
    I have a question.
    I need to create structural authorization profile in transaction code OOSP, it's OK if I enter new entries in the OOSP and then maintain the authorization profile like object type; object ID; Eval. path and so on.
    But there are so many new entries need to be created that I want to use LSMW to realize batch input.
    But when I use the transaction code "OOSP" to record the screen during the LSMW, I failed to see the "authorization profile maintenance" screen, that is, I can enter new entry, give it a name and text still, but cannot maintain the authorization profile like object type; object ID; Eval. path. In other words, the "authorization profile maintenance" screen is missing during the LSMW recording screen!
    Can anyone tell me what's the reason?

  • Structural authorization : role, profile, user group

    Dear All,
    I am working in OM in Structural authorization, can anyone tell me difference among Roles, profile, user group.
    I am mainly concerned with roles and profiles, What exactly is role and what is profile.
    Pl give me practical example....
    Regards,
    Kumar

    Hi kumar,
    Roles: It is divided in to single role and Composite Role. It is used to maintain your list of allowed transactions and reports as a menu. Once you assigned this role to the user, he / she can access only those transactions, what you maintained in the menu.
    Profile: It is based on the authorization object. Unless and until you generate the profile, the system will not consider the authorization for the assigned menu. You can provide the authorization based on various objects like infotype, transaction code, master record, org key,..
    User Group: Used to set the unique set of rules for the specific user. How system should react in case of specific user group.
    Good Luck
    Om
    Reward it, if u feel helpful.

  • Structural authorization - creation of employee number in webdynpro or abap

    Hello Experts,
    We are facing some problems with the combination of structural authorizations and the creation of a new employee.
    When we use PA40 to create a new employee this does not give any problem.
    In the webdynpro we first execute a call transaction PA40 to apply infotype 0000 and 0001. This works well.
    Except that the call transaction does not set the connection between PA and OM. (so we did program this ourselves)
    In PO13 and the table HRP1001 the same relations are made as when we use PA40 in the sap gui.
    After this we do call transactions PA30 for the next infotypes.
    When we check the SU53 it gives a message: problems with structural authorizations object P (with the employeenumber) starting at 01.01.1800, enddate is empty.
    The employee is manager and connected with his userid in infotype 0105.
    We use in the structural profile the function module  RH_GET_MANAGER_ASSIGNMENT
    We checked with transaction HRHAUTH.
    User has been adjusted to the tables T77UA etc.
    We do not use workflow in this webdynpro
    We used the trace function when this was executed, but it did not give more information about missing structural authorizations.
    This issue was before on SDN (Structural authorization - creation of employee number) but unfortunately there was no solution there for the issue!
    Hope one of you can help me to find the solution!
    With kind regards,
    Rita Mensink

    Hi.
    After 2½ days of frustration I finally nailed this.
    Function group RHAC, that handles the authority checks, initially buffers a table called VIEW containing all objects available for the user. As stated earlier in this conversation, SAP handles creation of relations in HRP1001 (links PA and OM). At this point the new employee number is appended to buffered table VIEW in function group RHAC.
    When executing the PA40 activity through CALL TRANSACTION, the creation of the relations is not handled - and the same goes for updating the buffered table VIEW. The table can be updated using the function module RH_VIEW_ENTRY_INSERT from the same function group:
    This example might be useful
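      " lv_pernr (new personnel number) and lv_ny_objid (object ID of the
      " position) are set earlier in the calling program.
      data: ls_view_entry type hrview,
            ls_related_object type hrobject.
      " Entry for the new person (object type P) to add to the buffered view.
      ls_view_entry-plvar = '01'.
      ls_view_entry-otype = 'P'.
      ls_view_entry-objid = lv_pernr.
      ls_view_entry-begda = '18000101'.
      ls_view_entry-endda = '99991231'.
      ls_view_entry-maint = 'X'.
      " Position (object type S) that the new person is related to.
      ls_related_object-plvar = '01'.
      ls_related_object-otype = 'S'.
      ls_related_object-objid = lv_ny_objid.
      " Append the entry to the view buffered in function group RHAC.
      call function 'RH_VIEW_ENTRY_INSERT'
        exporting
          view_entry     = ls_view_entry
          related_object = ls_related_object.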
    Best regards
    Poul Steen Hansen
    Senior Technical Consultant
    EDB Consulting Group A/S, Denmark

  • BW/HR structural authorization in BI 7.0 version

    Dear experts,
    Can anyone please explain how to extract HR structural authorization from R/3 to BW 7.0, and how to configure the authorization in the BW, I hope everyone can give me a work flow.
    Thanks.

    Hi Auke, thanks for your answer.
    Changes inside the user profile are working, but deletion doesn't. And yes, the meaning of this is that user should not have role anymore.
    I saw help documents with some procedure using D_E_L_E_T_E user. I didn't understand. Do you know something about that? Is that maybe the right way?
    Thanks,
    Thiago

  • Context sensitive solution for Structural authorization

    Dear all,
    I would like to know whether new relationship, evaluation path and authorization profile has to be created for each role with context sensitive structural authorization ?
    In T77UA table, each user has assigned a profile which tells the system how to find the structure by evaluation path (in T77PR table).  Then in tranx OOAW, the evaluation path indicate how to build the structure by series of relationship, and this way we have to create new relationship for each role with context.
    Am i correct ? 
    If an organization has many roles, then many relationship, evaluation path, profile.. has to be created !
    Thanks for your help !
    patrick cheung

    Hi Chandra,
    Thanks for your prompt reply !
    This is for Context Sensitive solution, not the normal structural authorization:
    Yes, if you add the authorization object P_ORGINCON in PFCG, you will notice that the field "Authorization Profile" has to be entered which tells the system WHICH ORG STRUCTURE does this authorization are referring to...
    In table T77PR, instead of hardcoding the organization unit in the object ID field, we use Evaluation path to tell the system how to find the org structure for employees.  Function RH_GET_MANAGER_ASSIGNMENT will return the org unit ID for the evaluation path.
    In transaction OOAW, the said evaluation path specified the relationships which the system should use to draw the org structure of the employee's supervision... and there should be relationship like "Is managed by", may be as follows:
    O     B     002     Is line supervisor of     *     O
    O     A     011     Cost center asignmnt     *     K
    O     B     003     Incorporates     *     S
    O     B     012     Is managed by...     *     S
    Up to now.... if you want to assign authorization to someone as follows, you could not simply maintain the same relationship "Is managed by" to Org Structure A and B because this will confuse the system as to which org structure you want the employee to maintain infotype 7 or 14/15.  You should then create different relationships and maintain them to Org Structure A and B.  And tell the system how to find the structure from the Evaluation path, which is stick to the Auth. profile.  The Auth. profile is then maintain in the Context sensitive master data object P_ORGINCON !
    (1)
    Org Structure A
    Maintain only infotype 7
    (2)
    Org Structure B
    Maintain only infotype 14, 15
    So... that's why i said if an employee has many role to perform duties in many different Org Structures (e.g. A, B, C...etc), you would create many relationship...
    Hope this message will give idea to someone who intend to implement Context Sensitive Solution.

  • Structural authorization check in HR-ABAP

    Hello Friends,
    I am not able to get how to do the structural authorization check, my exact problem was : There is a report where it displays all the qualifications of the employees and now I should restrict to only the employees who belongs to the organization unit depending upon the user who is running the report belongs to. It should check some more authorization profiles also.
    Regards,
    Yoganand.

    Hi Yoganand,
    if you use logical database PCH in your report, it should work by default.
    Manually search for RHSTRUAUTH in transaction SE37. There is a function module which gives a list with the person the user has authorization.
    With this list you could compare the list with selected persons.
    hope this helps.
    Regards
    Bernd

  • HR structural authorization

    Hello Friends,
    I am trying to get concept of HR structural authorization.  I have read the document " Structural Authorizations Step by Step, with Gotchas Too by Norm and Carl". After reading this document, what i have understood is In Structural authorization, we create PD profile eg: Manager, employee, ALL etc via transaction OOSP. And after that you assigned these profile to position via report RHPROFL0 or manually via transaction OOSB.
    But what i am not able to understand is
    1.How do this profile Manger, Employee etc will work? How do Users get authorization. What types of activities Uses are able to perform?  What type of data user will have acess to? Do users get authorization to transaction like PA20 or you still need additional role that is created via PFCG.
    2. What my understanding is Users who are in the top Hierarchal nodes or structure (eg: manager) is able to access data of employee below him. Do we still need to create roles like MSS and ESS role via transaction PFCG?
    If somebody can clarify, I will really appreciate.

    Hello Mate,
    Have a look at this thread, this may help.
    Re: How to Restrict HR Org Structure from other Org Structures
    Regards,
    Regi

  • Failed HR Structure Authorization: should not be possible

    Hi there,
    I've got a strange problem which is quite similar to this one (https://forums.sdn.sap.com/click.jspa?searchID=10542618&messageID=4893986), but the difference is that my userid does not have an entry in OOSB (T77UA) so it should not have missing HR Structure Authorizations because the general principle in the HR Structure is: No profile - No restrictions.
    However, this user is restricted, but not for all records. The restrictions seem very random.
    It seems that the userid itself causes the problem. The account has been copied from another account. If you copy this account to any other userid then the problem does not occur, but I have to use this particular one because it is the official userid (personnel number).
    As I said earlier, OOSB is empty and also infotype 0105 (Communication) is set properly.
    I even tried to delete and re-create the userid completely but this did not help.
    It looks like there are some 'hidden entries' in table T77UA or another table setting for this userid that I am not aware of. Could anyone help me out here?
    Thank you!
    Kind regards,
    Lodewijk

    Hi Lodewijk,
    You say your problem is similar to the one you're referring to in your initial post.  Does that mean that you also get an error message saying:
    The last authorization check was successful
    Failed HR Structure Authorizations
    Date xxxxxxxxxxxxxxxxxxx

  • SAP HR Structural Authorizations

    Hi Experts,
    I need a help regarding SAP HR Structural Authorizations.
    Currently our HR System is set with structural authorizations wherein
    users will be accessing HR Org structure with different pd-profile and HR relationships (with Org units ex:
    assistant relation, manager relation).
    Now we want to design the roles based on company codes, where users should be able to see
    all organization units within company code 'xyz'.
    Do we need to create new pd-profile or new HR relationships or just restrict within existing HR roles for
    accessing organizations units within different company codes.
    Please guide me steps to proceed with this requirement?
    Your early response is highly appreciated, thanks in advance......

    You will need to talk to the HR folks about this and whether any employee grouping on the HR side matches a company code unit on the FI side to use in the authorizations.
    This means that HR data and processes are also aligned to finance processes, which was often the case with local HR systems but less so with global ones.
    The answer is on your side in the data and the processes. There is no single field which you can use for both, let alone an org. level field known to structural authorizations.
    Cheers
    Julius

  • Structure Authorization Issue

    Hi guys,
    I don't have structure authorization implemented or HR system implemented. I was playing with my sandbox system to learn structure authorization by using step by step tutorial.  After I created a structure authorization for two users I deleted everything related to structure authorization but unfortunately, some t-codes related to org chart for example PPOME, PPOMW are not working properly, it's not allowing to create new org chart.
    We have another team needs to create some org chart for prototyping but they can't create org chart, it's giving no authorization error. When I ran SU53 it's not giving regular auth error, it also gives failed HR structure authorization error, this is the error in SU53 coming (Date 10/01/2010 and time Plan version 01 Object ID 5000075 Action LISD) there are so many different object ID on the list.
    They all already have SAP_ALL in the system. Can anybody give some kind of report so I remove structure authorization completely from the system.
    Please help
    Thanks

    Structural Authorization Check
    Structural authorizations are used to grant access to view information for personnel where HR OM has been implemented as we stated. The Access is granted to a user implicitly by the user's position on the organizational plan.
    On top of the general authorization check, which is based on authorization objects, you can define additional authorizations by hierarchical structures.
    In each area, the combination of start object and Evaluation Path (http://help.sap.com/saphelp_erp60_sp/helpdata/en/35/26c256afab52b9e10000009b38f974/content.htm) from an existing structure returns a specific number of objects. This exact combination, in other words the number of objects returned by this combination, represents a user's Structural profile (http://help.sap.com/saphelp_erp60_sp/helpdata/en/0c/49ba3b3bf00152e10000000a114084/content.htm). So structural authorization check is therefore based on a Dynamic concept: The concrete objects that are returned by a structural profile change as the structure (under the start object) changes.
    Steps to Perform to Set Up Structural Authorization Check in brief:
    (Before start moving for str. auth profile it is assumed that the Switch AUTSW for HR General Authorization check is also activated in table T77S0. Structural Authorization won't give the access for accessing HR data as described in the last posts and works together with General Authorization - to remind you)
    1. Integration:  Control parameters for the integration of Personnel Planning and Development (PD) with other applications (such as Personnel Administration (PA) and Cost Accounting (CO), etc.) are specified in the "PLOGI" group.
    2. Turn on PD PA switch: TCode used is OOPS. Ensure value registered for PLOGI - ORGA is X. No other values need to be checked or changed.
    (Note: PD and PA sub modules of HR are not configured to share data by default in the SAP delivered system. This switch must be on for data to flow between both modules.)
    3. Turn on Structural Authorizations Main Switches : TCode is OOAC. Value for ORGPD is set to 1.
    4. Create Org. Plan (check the first post).
    (Note: Do not create your Organizational Plan without this switch on. If you do, structural authorizations will not work and some org and infotype setup will not work. You cannot turn the switch on and get structural authorizations on an organizational plan, that was created while it was off, to work..)
    5. Create Personnel Master Record: Tcode is PA40. This is time consuming staff.
    6. Create record for Infotype 0105 - TCode is PA30.
    7. Create Structural Authorization Profiles - TCode = OOSP
    8. Create entry for IT 1017 - TCode is PO10 (Organizational Unit) or PO13 (Position).
    9. Assignment of Structural Authorizations: The assignment of the Structural Authorization can be found with good details here in SAP Help (http://help.sap.com/saphelp_erp60_sp/helpdata/en/97/27973b3ea3eb0fe10000000a114084/frameset.htm).
    Please check and let us know for any query.
    Regards,
    Dipanjan
