HR Structual Authorization

Similar Messages

• Structual authorization set up for departments

  Hello all,
  We are trying to figure out the best way of setting up a structual authorizations for the following scenario. I appreciate your inputs relating to this.
  We have a 'Purchasing department' head by a Vice president. Under him are the two Purchasing Managers and we have executives reporting the purchasing managers.  We would want to make 'Purchasing department' as one organization unit.  However, in structural authorization what is the best way to restrict the purchasing managers assigned to same organization unit such that they do not access executives that report to other managers. We thought of using position to position however heard that SAP standard roles delivered in areas such as MSS are organization unit driven and not position driven.
  Instead of creating multiple organization units and control the structural authorization through them, what will be easiest way in this scenario ?.
  Thanks,
  Girish

  Hi
  Normally I would prefer using separate org units here - But as understand your requirement - that's not an option.
  I would advice against building this based on position, but what can be done is:
  1. Create a new/find a relation in HR describing the relation the reporting relation between the Purchasing managers and the executives.
  2. Create an evaluation path (Transaction OOAW)  defining the path from the purchasing managers to executive.
  3. Now you can create a structural profile using this evaluation path.
  Regards
  Morten Nielsen

• Structual Authorization Training and event management

  Hi
  We have implemented structural authorization using evaluation path O-S-P. The structural authorization is working fine for org unit and positions.
  After implementing structural authorization, user lost access to business event catalog ( transaction code PSV2). Now the users are not able to see any business events and cannot book any employee for business events.
  Can we disable structural authorization check just for L-D-E structure for TEM? If not, is that any evaluation path which provide access to FULL business event catalog to all users?
  Thanks for your help.

  Hi
  Thanks for taking time to review the question.
  After we implemented structural authorization, users cannot see events in business event catalog. Before structural authorization, when they execute PSV2 the list was coming for all business event group (L) --- business event type (D) -
  business event (E). But now they are not getting any list.
  In development client, I played with some evaluation path. Using evaluation path L-D-E, i can able to get business event group and business events. But still they cannot see business events. Because of this, they are not able to book any employee to events.
  Thanks again,
  Tejas

• Structual Authorization related to Appraisal PD module

  Hi,
  I have created appraisal templates properly but i am facing following issue.
  If a person is having roles as well as Structural Authroization for related PA then in Infotype he can see details in"Appraisal where Appraiser or Appraisee" column only if Appraiser and Appraisee belongs to PA for which he can see details.
  If Appraiser belongs to different PA then in Infotype 25 , details r not coming.
  My requirement is that in infotype user can see all the details for user if appraisers belongs to different PA.
  Can you please help me ?
  Thanks and Best Regards
  Puneet

  Hi Rag,
  Thanks for the response.
  My requirement is like following.
  Suppose there are 3 users A, B and C. I m logging through user ID A into SAP system. User A is having some roles in the system and he can see the employees data of PA for which he has authorization.  We have given Structural Auth to user A for that PA (enterprise) also. We have given Struct auth for Appraisal templates also.
  Now if he is checking data for employee B. and C has given feedback for user B. If A, B and C belongs to same PA then A can see the Appraial template in IT0025 but if C belongs to different PA for which user A is not having auth to see data then A user can't see appraisal document in IT 0025.
  When i delete all the structural auth for user A then it's working properly. But we have to give sturctural auth to user A.
  I hope you understood my requirement now. Kindly let me now if u have any doubt.
  Thanks
  Puneet

• Structual authorization

  hi experts ,
  i am working on the structural authorization ....
  i wanted to know that is structural authorization enough to do the HR Security ???
  and how these two are linked together ???
  thanks
  hr_user

  Hi,
  In SAP HR the population that a user can access can be restricted using either the enterprise structure (Personnel Areas, Employee Groups, Company Codes, etc) or the organisational structure. Structural authorisations allow restrictions to be configured on the organisational structure.
  Structural authorisations are configured in transaction OOSB.
  In SAP 4.7 upwards structural authorisations can be combined with standard HR authorisations to create context sensitive authorisations using object P_ORGINCON.
  Regards
  Ghouse

• Org and Staffing

  Hi All
  I create the structure in Org and staff. mode from 01.01.2008 to 31.12.9999. After saving and exiting and Reopening it, I cant see the same?, Again I create the same , again its happening. I tried for every search term. But it is not.
  Can anybody tell me what could be problem?
  milinds

  Hi Melinda,
  Are you able to see any org structure in PPOME, that was created prior or just the new one?? If you don't have the structural authorization you cannot see the org units in PPOME/SE/CE screens.
  No matter which transaction you use (PPOCE/PO10), if you saved your information it should be visible if you have all the structual authorization.
  If you want to make sure that your entries were saved, Please go to SE16 and go to HRP1000, select Plan version 01, Object type 'O', enter the end date as 12/31/9999, run it for all the Org units.
  If you don't know the org unit number, check for the short/long description that you have mentioned while creating.
  You should see your org unit in the above table if you would have saved properly.
  Thanks,
  Sasha

• Standard Profiles Infotype 1016

  Hi,
  I tried to assign a profile to a position (Object type S) via t-code PO13. Then i executed PFUD. However, the role was not transferred to the user id assigned to the position.
  but when i assigned the position to the role via PFCG and then executed PFUD, it worked fine. The role was transferred to the user id.
  Can someone tell me why it is not working the other way round. I would like to maintain all role assignments in the Organizational Management module.
  Thanks,
  Zubair Naseer
  SAP HCM Consultant

  Hi,
  B007 in relationships is what i was looking for. Created this relationship between position and role and now PFUD is updating the user's authorization. I guess 1016 which i was using previously is meant for structural authorization only.
  RHPROFL0 is also updating user's authorization based on B007 relationship but i think this is also meant for the structual authorizations so i'll put transaction PFUD on scheduler.
  Thanks for your help.
  Regards,
  Zubair Naseer

• Open and close posting period authorization control TCODE: S_ALR_87003642

  HI All,
  Is there any chance to control the user to open and close another company code posting period variant in TCODE: S_ALR_87003642.
  In our system we are using the same client for different countries. So user can able to change the other country company code posting periods.
  We would like to control either on the country (or) organizational unit(company code) (or) posting period variant so that user can only open/close  their country / company code posting periods.
  Our present authorization role for open and close posting period contain the auth.Obj. : S_TABU_DIS.
  Please share your knowledge if you come across this problem..
  Thanks in advance..

  Hey Sandhya,
  Congratz, this can be done using linbe item authorization with the object S_TABU_LIN.
  Field ORG_CRIT - Value 02
  Field ORG_FIeld1 - Value ZT001B
  We have successfully done it in our client.
  You need to contact your BASIS consultant for this.
  Thanks,
  Nitish

• Analysis Authorization in BO 4.0 Webi report

  Hi All,
  I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
  We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
  However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
  I have tried:
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
  Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
  (BO 4.0 no service pack or fix pack installed on the system yet)
  Thanks - Appreciate your help !
  Prasad Rasam

  Ingo,
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  >> Correct you need to setup you OLAP Connection with SSO.
  >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
  Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
  Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  >> The variable in the BEx query needs to be an authorization variable.
  >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
  Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
  regards
  Ingo Hilgefort

• Analysis Authorization Issue 7.3

  Hello Friends,
  System BW 7.3, Currently there are 80 odd analysis authorization objects
  We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
  Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
  Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
  Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
  I do not want to change all the existing analysis authorization objects to add GL Account.
  Your inputs are most welcome.
  Thanks
  Ed.

  Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
  Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
  I have done the following steps
  1. Made the GL Account object authorization relevant in RSA1,
  2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
  3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
  4. Created authorization variable in BEx.
  5. No existing analysis authorization objects have been changed.
  When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
  But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
  Guess I am missing some thing here.
  Do you need any other screen shots.
  Thanks
  Ed.

• Analysis Authorization Issue

  Hi:
  I created an analysis authorization ZCO_CODE to trstrict it by a company code.
  I added following objects in authorization with values.
  0COMP_CODE = 1000
  0TCAACTVT = 03
  0TCAIFAREA = *
  0TCAIPROV = *
  0TCAVALID = *
  Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
  When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
  Help will be appreciated.

  Hi Sachin:
  Okay here is my issue.
  I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
  In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
  How can I see whether it has updated existing profile?????
  Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
  For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

• BW Analysis authorization issue on cost center range

  Hello BIW security experts
  I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers.
  . Cost centers are numeric. Example:  2000100. In the drop down list they appear as such.
  . I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.
  Thereofore 1000772  and 2000772 should not appear in the list.
  . In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.
  Results:  I get only 1 record from the report....  2000772. (which is one I want to exclude..
  Steps tried to debug:
  . When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.
  . I tried putting ' ' delimiters since cost center is a char field but it fails.
  . I tried adding leading and trailing zeros to fill up the char(10) but no luck.
  . I tried creating a hierarchy with the interval and put it in the hierachy auth. tab and it does not work either. It gives the same number of records than the first step.
  . A hierarchy with single values work.
  I do not know what else to try..
  Thanks.
  YB.

  Good morning
  Here it is from RSECVAL
  ZCC_TEST     0COSTCENTER                    I       BT        1000000                                                      1000771
  ZCC_TEST     0COSTCENTER                    I       BT        1000773                                                      2000771
  ZCC_TEST     0COSTCENTER                    I       BT        2000773                                                      9999999
  ZCC_TEST     0COSTCENTER                    I       EQ        #
  ZCC_TEST     0COSTCENTER                    I       EQ        :
  ZCC_TEST     0INFOPROV                         I       CP        *
  ZCC_TEST     0TCAACTVT                        I       EQ        03
  ZCC_TEST     0TCAIPROV                         I       CP        *
  ZCC_TEST     0TCAKYFNM                       I       CP        *
  Thank you for your help.

• BW Analysis authorization issue... need help urgently....

  We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of  Contract Division are CNC, CNS, CNE and CNL.
  Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
  Now we have to restrict report to contract division. please help.
  Thanks in advance

  Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
  Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.

• BW Analysis authorizations issue in BO Webi Report

  Dear All,
  I have one webi report which is on BEx Query-universe.
  Query has 6 authorization variables with ready for input(optional).
  User has authorizations for all 6 fields.
  But when we execute the webi report it is throwing error message  like" query do not retrive data"
  One of the  6 authorization fields has only few values , when we give " * " to this field the user can able to execute the report.
  Could  anybody tell me what is need be done here
  regards
  mhreddy

  Hi!
  Probabily the combination of authoriztions funcions are executing considering "and".
  See your configuration to considerer "or".
  Test one by one.
  bye

• Can I authorize 2 apple IDs on one computer?

  I'm new to the communities so please bear with me if I post this inappropriately.
  My husband and I both have iphones.  My two children have itouchs.  My husband has an ipad.  We also have numerous ipods.
  We have two computers in the house.  When my husband first bought an ipod, we had a PC.  All of his devices have always been synced on the PC using his apple id.  When I got my iphone, I synced on our MAC using my apple id.  When the kids got itouches, they synced on the MAC using their apple id.
  We discovered that anything the kids and I purchased on itunes on the MAC is available to all of us.
  We would now like to use home sharing.  To do this, both computers must be authorized to one apple id.  If the PC is deauthorized for my husband's apple id, I understand he will lose his purchases on the PC (or at least they won't be available until he authorizes it again).
  I understand that an apple id may be authorized on up to 5 computers.  But what about multiple apple id on one computer???
  My questions are basically this...
  Can we authorize 2 or more apple id on one computer? 
  Can I authorize my apple id on the PC and have my husband's apple id remain authorized on the PC?
  Can my husband's apple id be authorized on the MAC and my apple id remain authorized? 
  Can the kids apple id be authorized on each of the PC and the MAC?
  Can we have 4 different apple id authorized on a computer at once?
  Will authorizing my apple id on the PC de-authorize my husband's apple id?
  How's that for asking the same question in lots of different ways?  I have seen a lot about a computer using the same id multiple times but nothing about whether I can authorize many different ids on one computer at once.
  Thanks for the help.

  Each person in your home can have their own Apple ID provided it is tied the their own separate email address.
  iTunes permits up to five authorized computers connected to a single Apple ID: iTunes Store- About authorization and deauthorization.
  For this all to work well, however, each user in your household should have a separate user account on the computer they commonly use.