MSS genericiview and R/3 structural authorizations

Similar Messages

• HR Structural Authorization DSO's

  Hi,
  I have developed HR module for the first time. I need to create the authorization objects for the HR reports.
  I found 0PA_DS02 and 0PA_DS03 for structural authorizations in HR. I dont understand the purpose of these DSO's.
  Can some one explain what is purpose of the 0PA_DS02 and 0PA_DS03 dso's and how to create authorizations in HR?
  Thanks and Regards,
  Pooja

  HI Pooja,
  Use "Rsecadmin" create a authorization object and in that click on the below tool bar infocube authorizations which gives you a option to choose the infoprovider either cube or dso .choose your dso and then navigate around according to your requirements with include option.
  I think you need to load the DSO 0TCA_DS01 for Authorization Data(Values). Activate this DSO and try loading the data into this DSO as well and then try to generate the authorizations from this
  Thank you

• Control Workflow Report output using Structural Authorization

  Is it possible to control output of Workflow Reports using Structural Authorizatins. E.g. Workflow Admins having access to tcode SWi2_FREQ will be able to see project wide data, but i want to restrict the workflow admins at department level from seeing workflow data for other departments. is that possible using Structural authorizations or any other mechanism?
  My understanding is that Structural authorizations pretty much control PA/PD, and not other modules. I did a quick test,
  1) Created a org structure
  2) Created employees, users, and set up structural authorizations
  Now when users are granted authorization to PA20, they are restricted to what they should be seeing, but when they are granted authorization for workflow admin reports, structural authorization don't seem to work, they are able to see data for workflow triggered for other departments as well. Is that the standard behavior or i am missing something. I don't have enough experience with Structural auth.
  I will appreciate any guidance on this matter.
  Thanks,
  Saurabh

  Arghadip, please explain how this will prevent someone from Norway from looking at the workflow log of a workflow for an employee belonging to the Danish part of the organisation.
  <i>Message was edited by Kjetil Kilhavn:</i>
  To explain a bit more in detail: how does this prevent me (Norwegian) from going into SWI1, SWIA or any other transaction, and looking at data from other parts of the organisation. I don't think it will work.
  I think the only way to achieve this is to either modify SAP's standard code and include some structural authorisation checks - or take the standard transactions out from every user role and create your own wrappers or program copies which basically does the same as the modification would have to do.

• Training Structural Authorization vs MSS/ESS

  Good day all.
  We're maintaining structural authorization for Training module. The requirement is to be able local company maintain theirown training and regional training can maintain the regional training.
  In OOSP we're maintaining object type L only. For the same object id we're using two evaluation path SCMCATAL and L-D-E-§.
  Unfortunately when we assign certain SAP id (manager) to this structural authorization, this manager can't see his/her subordinate. It saying that "No authorization for reading data". When I remove this user from structural authorization this manager is able to see his/her subordinate.
  Is there any others requirements from HR or additional (BASIS) authorization to rectify this issue?

  Hi
  We are maintaining structural authorization in E-learning. Thre is two departement 1 and 2 . Now for few courses are for dep-1 and few are only for dep-2 .
  This structural authorization is already maintained in ESS now we migrated all the data in e-leraning now my problem is how i can use this structural authorization for E-learning as objects are same just Transaction codes and one Appraisal object is differnt.
  Thanks
  Waiting for reply.
  Nutan

• E-Recruiting and structural authorizations

  Hello,
  We’re on e-recruiting 6.0. I have the impression that structural authorization is not always checked in this module.
  Can anyone share experiences?
  Thanks
  Koen

  Let me take you through a brief description of the Authorisation.I am no expert just trying to figure out if I can help you or not.
  At the lowest level are fields one or more of which gets mapped with Authorization object and one or more of which gets mapped with the authorization object class.Finally the required authorisation is being created and assigned to the profiles .
  In e recruitment the objects are :
  Candidates,Candidacy,Applicants etc,Its are 5125,5126,5104 etc till 5136.The infotyps delas with candidates ,applicants and postings etc.So the access and the entry of data in these infotypes should be controlled by some means or the other.
  Hence structural authrorisation should always be there and hence checks will be there.
  Message was edited by: Aniket Chatterjee

• Structural Authorization: Difference Between AUTSW-DFCON and AUTSW-ORGPD?

  Dear All,
  Can anyone explain to me the difference between AUTSW-DFCON and AUTSW-ORGPD in tbale T77S0?
  And what is the relationship between these two switches?
  Thanks!!

  HI Mr. potato,
  working off dilek's informative post you may be considering ? context vs non-context?
  this image explains how context problems arise in HCM.  http://help.sap.com/saphelp_470/helpdata/en/b3/bfb83b5b831f3be10000000a114084/content.htm
  I would say generally, when an organization decides to use structural authorizations, they also need to take into account a "context solution".  This is most frequently used to "lockdown" how different parts of the HR organization has different authority access to different groups of employees (potentially overlapping).  As an HR manager i might have full read access on IT0002 for the entire company (root org), but IT0008 view access only for a sub-org unit.
  in this case you need to use the DFCON switch.  the 'most restrictive setting for dfcon is value 2.  the most iberal setting is, 4.  Generally, you need to test all 4 to figure out what works for you.
  settings for dfcon:
  http://help.sap.com/saphelp_470/helpdata/en/56/db5bc71a64c94f9f2e3cb63e14c867/content.htm

• HR structural authorization

  Hello Friends,
  I am trying to get concept of HR structural authorization.  I have read the document " Structural Authorizations Step by Step, with Gotchas Too by Norm and Carl". After reading this document, what i have understood is In Structural authorization, we create PD profile eg: Manager, employee, ALL etc via transaction OOSP. And after that you assigned these profile to position via report RHPROFL0 or manually via transaction OOSB.
  But what i am not able to understand is
  1.How do this profile Manger, Employee etc will work? How do Users get authorization. What types of activities Uses are able to perform?  What type of data user will have acess to? Do users get authorization to transaction like PA20 or you still need additional role that is created via PFCG.
  2. What my understanding is Users who are in the top Hierarchal nodes or structure (eg: manager) is able to access data of employee below him. Do we still need to create roles like MSS and ESS role via transaction PFCG?
  If somebody can clarify, I will really appreciate.

  Hello Mate,
  Have a loook at this thread, this may help .
  Re: How to Restrict HR Org Structure from other Org Structures
  Regards,
  Regi

• Need Clarification Regarding Structural Authorization

  Hi Gurus,
  When you do need to implement Structural Authorization? How do you know when you don't need it?
  I'm currently on an ECC6 implementation project and was informed that we do not need to implement it even though we are implementing the HR organization structure along with ESS and MSS.
  Your inputs are highly appreciated.

  for one it can be useful to implement structural authorizations when you want to restrict not only on the enterprise structure (e.g. personnel area, employee group etc.) but also on organizational atributes (position, org. units and the likes).
  this decision is purely based on the requirement of your company's security demands.
  as for your second question, I assume that there is a misunderstanding of terms.  HR roles as such are the same as non-HR roles in so far that they can be assigned to the user directly through SU01 or PFCG.
  the advantage of having an org. structure is that you may also assign the roles through this structure as well.  this in itself has nothing to do with whether you would want to implement structural athorizations.
  I hope to have clarified things a litlle for you.

• Structural Authorization in e-recruiting

  Hello all
  We are implementing e-recruiting 603 ehp4 in standalone scenario. By customer requirements, the "recruiter" role was assigned to all manager therefore the standard service "Create requisition request" from MSS is not in use. So  structural authorization we need for the manager to create requisition for his position only.
  So, someone know how to perform this or tell me how to complete the table T77PR -the function module, evaluation path, object  type and so on-
  As always, thank you a lot
  Regards
  E. Ciotta

  Hello Emilio,
  Structural authorization in e-recuitng are a mess (although I have not found any official documentation which states "It won't work" and solution management says that there is no restriction sap support answers on customer request for that topic that it is not supported).
  Trouble with your requirement is when you restrict the structural authorizatuion on positions for the manager and anywhen run internal job market the manager could not access the position information on a publication if he wants to apply as internal candidate anywhere else in the company. Could get quite tricky to solve this (next to all other issues on this topic).
  If it is just about restricting the search I would exactly do this. Either per modification or by a customer development I'd restrict the search result by the structural information without actually switching on structural authorizations.
  For getting the positions you should be able by using an evaluation path for direct and indirect positions of a manager or if not available use employees under a manager. If it does not skip the positions they should be contained in the result. If not copy it and remove the skip flag (and S-P relation as it is not needed). Unfortunately I cannot say which evaluation paths are really standard as most systems I use are enhanced here.
  path should be like:
  NR    Obj.    A/B    Rel.    P    Rel. Obj.    (Descr. Info)
  10    P       B      008     *    S            (get position for employee)
  20    S       A      012     *    O            (get org.units the position is leading position)
  30    O       B      002     *    O            (get all other org.units under the org. unit assuming manager may see all levels)
  40    O       B      003     *    S            (get all "normal" related positions in org.units)  
  50    O       B      012     *    S            (get all leading org.units - could be more than in 10 as we have several org.unit levels)
  Best Regards
  Roman

• Structural Authorization views not displaying in EP

  We are using PD profiles to allow managers in an alternative org unit to approve time in MSS for employees not in their org unit. When you log onto the Enterprise Portal in the MSS Team Overview iview the manager cannot see the employees from the other org unit defined in the structural authorization. He can only see his own employees for his org unit. However, in transaction OOSB when you click the Display Objects button you see the positions and persons that should be visible
  to the manager.  We have assigned the profile through both PO13 to the position and OOSB directly to the user. We make sure to run RHPROFL0 after assignments
  of the profiles. HR has created a custom relationship Z99 and assigned to the positions for the alternate org unit.
  We had a scenario working in our sandbox at one time but we could not reproduce this in the development system.  Any tips would be greatly appreciated.

  Hi John,
  I know SAP_ALL doesn't matter but I wanted to rule out all possibilities of any standard authorization issue to isolate the PD profiles as the real issue. 
  To answer your question, the user can see his own org unit and subordinate employees in MSS.  The manager is a chief and manages his org unit.
  A colleague of mine mentioned that there may need to be some configuration established for the iViews in question so I put it to the HR functional team to confirm the correct customization is set up in the IMG for Integration with Other mySAP.com Components > Business Packages/Functional Packages > Manager Self-Service (mySAP ERP) > Object and Data Provider.  I'll report on the status of this as well when I hear back from them.  Thanks again.

• Structural authorization - creation of employee number in webdynpro or abap

  Hello Experts,
  We are facing some problems with the combination of structural authorizations and the creation of a new employee.
  When we use PA40 to create a new employee this does not give any problem.
  In the webdynpro we first execute a call transaction PA40 to apply infotype 0000 and 0001. This works well.
  Except that the call transaction does not set the connection between PA and OM. (so we did program this ourselves)
  In PO13 and the table HRP1001 the same relations are made as when we use PA40 in the sap gui.
  After this we do call transactions PA30 for the next infotypes.
  When we check the SU53 it gives a message: problems with structural authorizations object P (with the employeenumber) starting at 01.01.1800, enddate is empty.
  The employee is manager and connected with his userid in infotype 0105.
  We use in the structural profile the function module  RH_GET_MANAGER_ASSIGNMENT
  We checked with transaction HRHAUTH.
  User has been adjusted to the tables T77UA etc.
  We do not use workflow in this webdynpro
  We used the trace function when this was executed, but it did not give more information about missing structural authorizations.
  This issue was before on SDN (Structural authorization - creation of employee number) but unfortunally there was no solution there for the issue!
  Hope one of you can help me to find the solution!
  With kind regards,
  Rita Mensink

  Hi.
  After 2½ days of frustration I finally nailed this.
  Function group RHAC, that handles the authority checks, initially buffers a table called VIEW containing all objects available for the user. As stated earlier in this conversation, SAP handles creation of relations in HRP1001 (links PA and OM). At this point the new employee number is appended to buffered table VIEW in function group RHAC.
  When execution the PA40 activity through CALL TRANSACTION, the creation of the relations are not handled - and the same goes for updating the buffered table VIEW. The table can be updated using the function module RH_VIEW_ENTRY_INSERT from the same fundtion group:
  This example might be useful
    data: ls_view_entry type hrview,
          ls_related_object type hrobject.
    ls_view_entry-plvar = '01'.
    ls_view_entry-otype = 'P'.
    ls_view_entry-objid = lv_pernr.
    ls_view_entry-begda = '18000101'.
    ls_view_entry-endda = '99991231'.
    ls_view_entry-maint = 'X'.
    ls_related_object-plvar = '01'.
    ls_related_object-otype = 'S'.
    ls_related_object-objid = lv_ny_objid.
    call function 'RH_VIEW_ENTRY_INSERT'
      exporting
        view_entry     = ls_view_entry
        related_object = ls_related_object.
  Best regards
  Poul Steen Hansen
  Senior Technical Consultant
  EDB Consulting Group A/S, Denmark

• BW/HR structural authorization in BI 7.0 version

  Dear experts,
  Can anyone please explain how to extract HR structural authorization from R/3 to BW 7.0, and how to configure the authorization in the BW, I hope everyone can give me a work flow.
  Thanks.

  Hi Auke, thanks for your answer.
  Changes inside the user profile are working, but deletion don't. And yes, the meaning of this is that user should not have role anymore.
  I saw help documents with some procedure using D_E_L_E_T_E user. I didn't understand. Do you know something about that? Is that maybe the right way?
  Thanks,
  Thiago

• How To Create ABAP Code For HR Context Sensitive Structural Authorization

  Hello,
  We have created a HR Custom Program which IS NOT built off the PCH or PNP Logical Database. As a result, we need to manually create ABAP code for HR Context Sensitive Structural Authorization Check in our custom HR program. Via HR Context Sensitive Structural Authorizations, we are restricting access to personnel numbers and the underlying HRP* tables.
  Any assistance would be greatly appreciated with the identification of the SAP standard function modules (Ex. RH_STRU_AUTHORITY_CHECK, HR_CHECK_AUTHORITY_INFTY, HR_CHECK_AUTHORITY_INFTY , etc) used in HR Context Sensitive Structural Authorization Check, how they are used to control HR Structural authorization (P_ORGINCON), and some sample code.
  Thank you in advance for all your assistance,
  Ken Bowers

  Hello Ken
  You can use the interface methods IF_EX_HRPAD00AUTH_CHECK to get the same structural authorization as you can see in PA20/PA30. You need to use the methods set_org_assignment and check_authorization for this purpose. For more information you can refer to include FP50PE21 from line 237 onwards till 270.
  Regards
  Ranganath

• SAP BI 7.0 Transport issue with HR Structural Authorization DSO

  Hi,
  I am trying to transport HR Structural Authorization DSO Objects in  BI 7.0  from Dev to QA system. The Data sources are 0PA_DS02 and 0PA_DS03. ( I am sure that there are lots of changes in Authrorization concept in BI 7.0),.
  1. Please suggest me if I need to make any changes and tests before moving these authorization objects to QA system.
  2. Also, do I need to take any pre-cautions while activating business content objects 0TCTAUTH  and 0TCTAUTH_T (Datasources look like are from 3.x) as I am getting issue with the activation of the transfer structure for these objects?
  Thanks a lot for your valuable inputs.
  Regards
  Paramesh
  Edited by: paramesh kumar on May 5, 2009 12:45 AM

  Hi Paramesh.
  You can use the DSOs 0PA_DS02 and 0PA_DS03 in BI7.0 as well. You just need to use the new generation of analysis authorizations in transaction RSECADMIN.
  You can use 0TCTAUTH and 0TCTAUTH_T in BI7.0, however we have experienced som problems with the 0TCTAUTH_T extractor, which dumped because of a poorly designed SELECT statement that was unable to cope with 10000 records. We have replaced it with a generic data source that uses table RSECTEXT directly.
  Regards,
  Lars

• Error Occured when Applying Structural Authorizations in E-Recruitment

  Dear Experts,
  The E-Recruitment functionalities were working fine when no structural authorizations are applied. However, when structural authorizations are configured for the user on the backend SAP system (I configured structural authorizations for the user to have access to only his own department), the E-Recruitment module does not work.
  When I tried to access requisitions-> maintenace, application management->applications, etc, (i.e. when the E-Recruitment module tries to retrieve data from the backend), the the following error message occurred.
  Error when processing your request
  What has happened?
  The URL http://<hostname>:<port>/sap/bc/bsp/sap/hrrcf_start_int/application.do was not called due to an error.
  Note
  The following error text was processed in the system ABC : <b>RAISE EVENT statement nested to deep.</b> The error occurred on the application server XYZ and in the work process 0 .
  The termination type was: RABAX_STATE
  The ABAP call stack was:
  Method: ON_CHANGE of program CL_HRRCF_INFOTYPE=============CP
  Method: INSERT_RECORD of program CL_HRRCF_INFOTYPE=============CP
  Method: READ_RECORDS of program CL_HRRCF_REQUISITION_INFO=====CP
  Method: GET_RECORDS of program CL_HRRCF_INFOTYPE=============CP
  Method: GET_RECORDS_BY_DATE of program CL_HRRCF_INFOTYPE=============CP
  Method: ON_REQUISITION_UPDATE of program CL_HRRCF_REQUI_BL=============CP
  Method: ON_CHANGE of program CL_HRRCF_INFOTYPE=============CP
  Method: INSERT_RECORD of program CL_HRRCF_INFOTYPE=============CP
  Method: READ_RECORDS of program CL_HRRCF_REQUISITION_INFO=====CP
  Method: GET_RECORDS of program CL_HRRCF_INFOTYPE=============CP
  Please advice if E-Recruitment supports structural authorizations. If it does, are there additional configuration required to enable structural authorization. Kindly enlighten me on how to resolve this error. Any help will be much appreciated.

  Hello Louis,
  I implemented e-recruiting with structural authorizations for a customer and encountered exactly the same error. Anything in the e-recruiting implementation leads to this problem. When you miss some object authorizations the implementation generates an infinite callstack which results in this short dump.
  So be sure you assigned all necessary objects to recruiters and also candidates (NA, NB, NC, ND, NE, NF, BP, CP, P, Q, QK, VA, VB, VC) but this might be difficult esp. with the P object, when you use structural authorizations for other purposes, too. This usually generates problems in manager involvement (e.g. manager can't choose a recruiter to approve his requisition as he has not the structural authorization for the hr department members).
  It is also a bit strange that candidates need for example change rights for the requisition (NB) although they won't actually change it but without it the relation application->requisition, candidacy->requsition cannot be created correctly.
  Last but not least be always sure that you refreshed the authorization buffers after changing structural authorizations. They are usually switched on for better performance.
  Best regards
  Roman Weise
  PS: be aware that using structural authorizations will keep you busy for some time. we needed ~2 months to set up the system in a way that e-recruiting worked as the custoimer wanted without interfering any other productive hr component (admin, org. mgmnt., managers desktop).