HR Master Data Authorization

Dear Guys
I am facing a problem regarding HR authorization. We are not able to access the header information of a few personnel numbers, and we also have full HR authorization.
When we copy the same SAP ID to another SAP ID, the data becomes visible without any change in authorization.
Please resolve the issue.
Thanks

Hi,
Are you using structural authorization? Please check whether user ID A (the original) has a structural authorization, using tcode OOSB and SM30 (table T77UU); maybe that's the reason why the copied ID can access the same personnel that is accessed by ID A.
In authorization, when we say that the ID can't view the main header of the personnel, that means there's a missing authorization for the said ID.
When structural authorization is in place, access should satisfy both the normal authorization and the structural authorization.
Hope this helps.
Fred
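
The double check described in the answer above, as an added example that is not part of the original thread and is not SAP code: a simplified Python model in which a personnel number is visible only when both the general authorization and the structural profile allow it. The user names, the org tree, the personnel numbers and the fallback to a broad default profile for users without an assignment are all assumptions of this model.

```python
from fnmatch import fnmatchcase

# Constructed org structure: object -> objects directly below it
# (what an evaluation path would walk from a profile's root object).
ORG_TREE = {
    "O:HQ": ["O:SALES", "O:EXEC"],
    "O:SALES": ["P:00001001", "P:00001002"],
    "O:EXEC": ["P:00009001"],
}

# Constructed general authorizations: field -> allowed pattern ("*" = any value).
# Both IDs hold the same "full" general authorization, as in the question.
GENERAL_AUTH = {
    "USER_A": {"INFTY": "*", "PERSA": "*", "AUTHC": "*"},
    "USER_A_COPY": {"INFTY": "*", "PERSA": "*", "AUTHC": "*"},
}

# Constructed structural assignment: user -> root object of the profile.
# Only the original ID has an explicit (narrow) assignment.
STRUCTURAL_ROOT = {"USER_A": "O:SALES"}
DEFAULT_ROOT = "O:HQ"  # assumption: unassigned users get a broad default profile


def objects_under(root):
    """Return every object reachable from root, root included."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(ORG_TREE.get(node, []))
    return seen


def general_ok(user, request):
    """Every requested field value must match the user's pattern for that field."""
    auth = GENERAL_AUTH.get(user)
    if auth is None:
        return False
    return all(fnmatchcase(value, auth.get(field, ""))
               for field, value in request.items())


def structural_ok(user, pernr):
    """The personnel number must lie below the root of the user's profile."""
    root = STRUCTURAL_ROOT.get(user, DEFAULT_ROOT)
    return pernr in objects_under(root)


def can_access(user, pernr, request):
    """Access needs BOTH layers; either one failing denies it."""
    return general_ok(user, request) and structural_ok(user, pernr)


def explain(user, pernr, request):
    """Name the layer that denies access, for troubleshooting."""
    if not general_ok(user, request):
        return "general authorization missing"
    if not structural_ok(user, pernr):
        return "outside structural profile"
    return "allowed"
```

In this model USER_A is denied for the personnel number under O:EXEC while USER_A_COPY is allowed, although their general authorizations are identical.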

Similar Messages

  • Master data authorization by geography

    Hi,
    We need to build master data authorization based on geography. The need is to have a flexible way of assigning visibility of master data (accounts/contacts) to sales teams based on the geographical distribution, e.g. a sales rep from California should be authorized to view accounts based out of California and no other region.
    Can you recommend some ways to achieve this? We know we can define sales orgs to achieve this, but we are looking for a more flexible way and don't want to change sales org, as it has a dependency on the back-end ERP too.
    thanks
    RH

    Hi RH
    You probably want to look at the Access Control Engine (ACE) - it is designed to meet your requirement.
    Here's a link to get you started. Check out the IMG as well.
    Cheers
    Dom
    http://help.sap.com/saphelp_crm40/helpdata/en/04/0177f9bb67ac4cafb84bb4d4c1d8fc/frameset.htm

  • HR master data authorizations Personnel Sub Area (PSA) wise

    Hi Experts,
    The requirement is to restrict HR masterdata access PSA wise.
    Example:-
    There are 2 PSAs i.e. 1000 & 2000 for which, there are two different HR admin who are responsible for the maintenance of the HR masterdata for their respective PSAs.
    The requirement is, the HR admin of 1000 PSA should have the authorization of create/change/display of 1000 PSA & should have only the display authorization for 2000 PSA. HR admin of 1000 PSA can not modify the details of other PSAs.
    Like the same way, HR admin of 2000 PSA should have the authorization of create/change/display of 2000 PSA & should have only the display authorization for 1000 PSA.
    I have managed to handle the same through org key (VDSK1). But the issue is, the HR admin of 1000 is only able to see the data up to the period when the employee was in 1000 PSA. For e.g. if employee no. 789654 was in 1000 PSA from 1.1.2014 to 31.03.2014 & he was transferred to 2000 PSA on 1.4.2014, then the HR admin of 1000 is able to see the data up to 31.03.2014 only. And the HR admin of 2000 PSA is able to see the data from 1.4.2014 onwards & not the past data.
    During a transfer action, I am manually changing the org key when I am transferring the employee from one PSA to other PSA.
    Requirement
    My requirement is that, after the transfer also, the HR admin of the 1st PSA (1000) should be able to only view the current employee data but cannot change anything, and in the same way the HR admin of 2000 PSA should be able to view the past data but should not be able to change the past data.
    How will it work in Training & Event Mgt? Will the system restrict the HR admin from booking an employee of another PSA also?
    Please help..
    Regards,
    Daniel

    Hi Omid,
    Thanks for your reply. I saw your link where you have suggested for custom authorization object. Does it require any other development other than creating the custom object?
    I have managed to achieve the PSA wise authorization by using org key. But the problem is, the current HR administrator is not able to see the past data. For e.g. if employee no. 789654 was in 1000 PSA from 1.1.2014 to 31.03.2014 & he was transferred to 2000 PSA on 1.4.2014, then the HR admin of 1000 is able to see the data up to 31.03.2014 only. And the HR admin of 2000 PSA is able to see the data from 1.4.2014 onwards & not the past data.
    My requirement is; the current HR admin can view all the past and current data but not authorized to create/change or delete anything once the employee is transferred from his PSA.   
    Regards,
    Daniel

  • Student file & master data change according to authority

    Dear all,
    I have the following requirements about student file and master data: certain ITs should not be displayed when I do not have authority.
    For example, if student A belongs to my department, IT1702 must be displayed, but if student B does not belong to my department, IT1702 must be disabled or must disappear.
    If I can adjust student file & master data according to authority (student belongs to my department or not), it would be very nice.
    regards,
    jin dal

    Hi,
    The authorizations checks in Campus Management consist of the basic authorization and the structural HR authorization.
    The basic authorization determines whether the user is allowed to execute a certain function, while the structural authorization determines the objects for which the user is allowed to execute this function. In other words, the basic authorization defines what function the user is allowed to use, and the structural authorization defines for which objects the user is allowed to use this function.
    For example, the basic authorization can define that the user is allowed to perform the create module booking activity. With the structural authorization you can restrict this activity only to modules offered by the faculty of Mathematics, for example. (The user can then access these modules whenever required; see also Structural Authorization).
    Basic Authorization
    In release CM 4.64, three authorization objects are used in Campus Management:
    At the first level is the transaction code check. The system performs this check each time the user starts a transaction using the menu or command line. For this check to be successful, the user requires an authorization for the relevant transaction code in the authorization object S_TCODE.
    At the second level, the Campus Management function is divided into two parts. The first part includes activities such as create request, create registration, create re-registration, cancel module booking, and so on. The second part covers master data like student master data and a major part of the academic structure.
    When checking the authorizations for master data, the system uses the HR authorization object PLOG for master data authorization checks. A new authorization object (P_CM_PROC) has been implemented for activities in release CM 4.64. The system now only checks whether the user is authorized to use the activity. It no longer checks if the user is authorized to read or change the data in this activity. The new authorization concept has the following advantages:
    • It simplifies authorization assignment. The system no longer uses the comprehensive data model with its many objects and object interrelationships as the basis for the activity authorization (authorization assignment via authorization object PLOG);
    • Changes in the data model have no effects on the authorization checks for activities;
    • It is now possible to distinguish between create and change operations, for example in re-registrations;
    • You can now distinguish between re-registrations and leaves of absence.
    The table T7PIQPROCESS (Activities) contains all Campus Management activities. The system performs authorization checks for all activities with the exception of the ones listed below.
    Authorization checks are not performed for the following activities:
    • AC10 (Send Reminder for Outstanding Payments)
    • HSMA (Create Status Indicator Manually)
    • PR11 (Create Applicability List Automatically)
    These activities do not contain any activity-related authorization checks.
    In the standard system, the authorization check for activities is independent of the objects for which the activities are performed, and of their attributes. (The structural authorization only restricts the objects which the user can then process irrespective of the activity.) If you require additional checks, you can use the business add-in HRPIQ00AUTHORITY.
    Structural Authorization
    The structural authorization enables you to define the set of objects the user is authorized to process. You determine these objects using evaluation paths. You can define whether the user should only be given a display authorization for these objects or a maintenance authorization as well.
    You cannot combine the structural authorization with the basic authorization. The user is therefore authorized to process the assigned set of objects irrespective of the function (s)he is currently using.
    Further notes
    As functions from other applications areas (Training and Event Management, Notification Processing) and from Student Accounting are integrated in Campus Management, users also need authorizations from these areas.
    Campus Management contains a number of roles which you can combine with the roles of other application areas to create composite roles. You can either assign a composite role or individual roles to users.
    Component                        Prefix of the roles provided
    Campus Management                SAP_CM_
    Training and Event Management    SAP_HR_PE
    Notification processing          SAP_CA_NO_NOTIF
    Student Accounting               SAP_FI_CA_
    You create the business partner authorizations in separate IMG activities which you can find in Customizing for Campus Management in Campus Management Master Data -> Students -> Students as Business Partners -> Basic Business Partner Settings -> SAP Business Partner -> Business Partner -> Basic Settings -> Authorization Management.
    In the SAP Reference IMG under Basis Components -> System Administration -> Users and Authorizations, you can find more IMG activities in which you can make general settings for authorizations.

  • Authorization Material Master data

    Hello,
    Could you tell me if it's possible to restrict changing Material master data according to material type?
    Thanks

    Hi,
    Use authorization object M_MATE_MAR - Material type authorization for material master records
    This object determines whether a user is authorized to maintain the material master record for a specific material type.
    Defined fields
    Fields      Possible values         Meaning
    ACTVT       01                      User may create data.
                02                      User may change data.
                03                      User may display data.
                06                      User may flag data for deletion.
    BEGRU                               Here you must specify the
                                        authorization groups from table
                                        T134 for which the materials
                                        concerned may be processed.

  • [Asking for Clue] Authorization to Display Specific Master Data of HR

    Hi,
    I have 2 payroll areas, R1 and R2. I want to authorize the user only for R2 payroll area employees' master data.
    How to make this happen?
    Thanks & Regards,
    nessia

    Authorizations will be done by the Basis Team. But we cannot restrict master data payroll-area wise.
    Either go Personnel Area wise or Employee Group wise or Employee Subgroup wise.
    If not, then go Organizational Key wise; then you have to configure the below nodes:
    IMG > Personnel Management > Personnel Administration > Organizational Data > Organizational Assignment > Set up organizational key
    Organizational key: Maintain feature VDSK1
    Organizational key: Control
    Organizational key: Creation rules
    Best Regards,

  • Authorization Issue in creating HR Master data through PA40

    Hi,
    I am facing an issue while creating HR master data through PA40. On the first screen, I select Action Type Hire, put personnel area IN01, EE Group 1, EE Subgroup N2 and Execute. It takes me to the next screen. There I put all the information required, i.e., Personnel No., Start date, Title, Last name, First name, Date of Birth, Action Type (Hire), Reason of Action 06, position 40208, Personnel Area In01, Personnel Sub area 0001. When I save it, it gives me an error: "No Authorization to maintain Actions 01 exists". I have SAP_ALL.
    Any idea why this error is coming?? Same setting is running fine in another client.
    Thanks,
    Parul

    Hi,
    On the same screen where the error is coming, type tcode SU53; this will display if some object is still missing for authorisation. Then give that object to your Basis guy to include in your role.
    thanks
    Deepa

  • Does Authorization object applicable to Master Data

    Gurus,
    I am trying to set up an authorization relevant object for one of the HR Master data. I would like to know if this authorization object would limit the users' access to the data through backend transactions such as RSA1 or SE16.
    Please advise.
    Thanks.
    Regards,
    Akilesh

    Hi ,
    If you mark the InfoObject as authorization relevant, it will restrict your access to the data at report execution level (i.e. BEx Analyzer & Portal level). It will not restrict you from seeing the data at table level (i.e. SE11 & SE16 level).
    You can get more details at the link below.
    http://help.sap.com/saphelp_nw73/helpdata/en/4c/65fcd82f841f3ce10000000a42189c/frameset.htm
    Thanks & Regards,
    Krishna.

  • BW master data infoprovider authorization question

    Hi, we have a user getting the below error when trying to run a new query in production. The query uses new master data infoproviders which we added to the appropriate role in Prod. Any suggestions as to any other authorizations that we need to grant?
    Thanks for your help
    No Authorization (Or Everything Has Been Filtered Out)

    Hi
    Usually when new MD or IP are added, there are also auth objects that need to be added to the role.
    The best way is to trace the query, and it will point to the missing objects.
    To trace -> ST01
    and then log in with a test user with the exact same role and run the query; also make sure the test is done with the same version of BEx.
    Regards
    Edan

  • Authorization problem regarding master data

    Hello,
    we have got a role with very restricted authorizations.
    A user with this role can't start the BEx tools, for example, but it should be possible for him to see queries in the portal. That works fine for normal queries based on normal InfoCubes, DSOs and with hierarchies. But we have got one query that is based on master data (0mat_sales) - if the user wants to see this query he gets a message "You do not have the authorization for component <name of the query>".
    I added object class S_RS_IOMAD but it didn't help. I also made some tests with changes on S_RS_ICUBE and S_RS_IOBJ but it also didn't help.
    Has anybody an idea which authorization object class to use or how to configure this?
    Greetings & Thanks a lot
    Bettina

    Hello,
    here's the solution:
    I traced the steps of the user for executing this query based on master data by transaction ST01.
    The following authorization has to be given:
    S_RS_COMP
    Activity: Execute
    Info Area: <InfoArea where the master data can be found>
    InfoCube: 0* <or other names for own master data objects>
    Name of reporting component: <name of the query>
    Type of reporting component: Query
    Greetings
    Bettina

  • Authorization for Master Data (Customer / Vendor)

    Dear All,
    I have a requirement in Master Data Transaction display (XD03 / XK03) to control the display of data for certain fields based on authorization. As an example, like below...
    User X1 to see F1 & F2 data in the above master transaction display data
    User X2 to see the F1 field, but the F2 field not authorized... should be displayed as XXX (‘XXX’ – means data exists in database); if data doesn't exist for field F2... then I would like to display it as YYY
    Can you please share your thoughts / ideas to implement the above requirement.
    Regds,
    Ramki.

    SAP standard does not provide such a function in XD03/XK03.
    Yes, you can achieve this function using custom ABAP code, but implementing it in an SAP-standard transaction would be challenging because of the restriction on modifying SAP-standard code and not having exits at the right place where you would need to implement this.
    Regards,
    Pawan.

  • Invoking HR Master Data (P_ORGIN) authorization check for transaction PCP0

    Hello,
    We have to limit access to executives (managers) sensitive posting data in transaction PCP0 (display posting runs).
    Since executives belong to a personnel area other than all other employees, I thought we can achieve this by personnel area distinction.
    In order to have this done, P_ORGIN authorization check should be performed.
    It looks that by standard, such check is not performed.
    Does anyone have any experience of dealing with this issue?
    Thanks,
    Isaac

    Hi,
    I have a vague idea.
    I remember while creating an ESS user, we did something in P_ORGIN so as to restrict access to personnel master data.
    Check the composite role : SAP_EMPLOYEE_ERP.
    A Z role was created for SAP_EMPLOYEE_ERP=>the corresponding roles in it had to be copied to a z role.
    Check the z-role created ; zSAP_ESSUSER_ERP.
    In Authorizations tab=>Display authorization data option => ;
    Expand Human Resources;
    In HR: Master data, you can find the various authorization assignments to P_ORGIN, where
    Authorization level (AUTHC)
    Infotype (INFTY)          
    Personnel Area (PERSA)
    Employee Group   (PERSG)
    Employee Subgroup  (PERSK)
    Subtype (SUBTY)
    Organizational Key (VDSK1)
    Authorization level (AUTHC) takes the values :
    • R (Read) for read access
    • M (Matchcode) for read access to input helps (F4)
    • W (Write) for write access
    • E and D (Enqueue and Dequeue) for write access using the Asymmetrical Double Verification Principle. E allows the user to create and change locked data records and D allows the user to change lock indicators.
    • S (Symmetric) for write access using the Symmetric Double Verification Principle
    • * always includes all other authorization levels simultaneously
    In your case, if someone has to make changes through PPCO.. it's equivalent to making changes to infotype 0001 (Organizational Assignment)
    So, probably, you need the Authorization level to be R for Infotype 0001.
    I have no personal hands-on experience on this... since we are not allowed to do anything Basis
    I have seen this being done and have noted what was done... !! May or may not be correct....!!
    I hope this is what you want.
    Cheers and Good Luck!!
    Remi

  • Missing authorization check to display master data error..

    Hi,
    We are in SRM7.0.
    After adding content in my shopping cart, I am trying to change the Account Assignment in the Item Details from Network to Cost Center or GL Account.
    Under Item Overview, after changing the Account Assignment to Cost Center, I go to "Assign Number" to add a Cost center..On clicking the matchcode search box,  I get selection entries like Cost Center, Controlling area etc..If I click on the Search box without keying anything, I get a "Missing authorization check to display master data error".
    I get the same error when I try to select Assets under Account Assignment area and use search under Assign number. I don't get any errors on searching networks.
    Are we missing any authorization check in the backend?
    Regards,
    Rajan.K

    Hello Rajan,
    You could use transaction ST01 in SRM to perform some 'authorisation' trace.
    It might give you some pointers to the issue.
    Regards,
    Franz

  • Filter authorization by Master data attribute?

    Hi,
    Is it possible to restrict (based on authorizations) the view of a report based on an attribute of master data (0customer or similar)?
    In this case, a report regarding the sales by sales person, but filtered by sales person by authorization (each sales person should see only their sales).

    Hi
    Yes, it's possible.
    SAP BI Analysis Authorization is more flexible and more secure.
    Please go through the link.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144?QuickLink=events&overridelayout=true
    Regards,
    Ranganath

  • Authorization setting for "Grant Assignment" tab in Student Master data

    Hi,
    I want to create a role to give "Display only" right for the "Grant Assignment" tab in Student Master Data. I was trying to exclude 1324 BP Field Group from BP_BUPA_FDG but nothing happened. Does anyone have a solution for this? Thanks.

    You can hide the fields from GMS101 t-code.
    Regards,
    Shiva Kumar
