Need Clarification Regarding Structural Authorization

Hi Gurus,
When you do need to implement Structural Authorization? How do you know when you don't need it?
I'm currently on an ECC6 implementation project and was informed that we do not need to implement it even though we are implementing the HR organization structure along with ESS and MSS.
Your inputs are highly appreciated.

for one it can be useful to implement structural authorizations when you want to restrict not only on the enterprise structure (e.g. personnel area, employee group etc.) but also on organizational atributes (position, org. units and the likes).
this decision is purely based on the requirement of your company's security demands.
as for your second question, I assume that there is a misunderstanding of terms.  HR roles as such are the same as non-HR roles in so far that they can be assigned to the user directly through SU01 or PFCG.
the advantage of having an org. structure is that you may also assign the roles through this structure as well.  this in itself has nothing to do with whether you would want to implement structural athorizations.
I hope to have clarified things a litlle for you.

Similar Messages

  • Needs Clarification Regarding Listener.ora file

    I want a clarification regarding listener.ora file I've Listener.ora file and its content look like as:
    # listener.ora Network Configuration File: C:\oracle\product\10.2.0\db_1\NETWORK\ADMIN\listener.ora
    # Generated by Oracle configuration tools.
    SID_LIST_LISTENER =
    (SID_LIST =
    (SID_DESC =
    (SID_NAME = PLSExtProc)
    (ORACLE_HOME = C:\oracle\product\10.2.0\db_1)
    (PROGRAM = extproc)
    (SID_DESC =
    (GLOBAL_DBNAME = Oracle8)
    (SID_NAME = ORCL)
    LISTENER =
    (DESCRIPTION_LIST =
    (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 10.10.10.10)(PORT = 1521))
    I can understand every entry in this file accept the following
    *(SID_DESC =*
    *(SID_NAME = PLSExtProc)*
    *(ORACLE_HOME = C:\oracle\product\10.2.0\db_1)*
    *(PROGRAM = extproc)*
    *(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))*
    Although rest of entries refer to network services(Database name) and host address and protocol etc.
    what these above refere to.
    Please clarify me in this.
    Regards,
    D.Abbasi

    (SID_DESC =
    (SID_NAME = PLSExtProc)
    (ORACLE_HOME = C:\oracle\product\10.2.0\db_1)
    (PROGRAM = extproc)
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    that about External Procedure, If you don't use "External Procedure" you can remove it, by the way you should avoid default configure.
    http://download.oracle.com/docs/cd/B19306_01/network.102/b14212/advcfg.htm#sthref1331
    http://download.oracle.com/docs/cd/B19306_01/network.102/b14212/advcfg.htm#NETAG0132
    http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14251/adfns_extern_proc.htm#sthref1658
    Sample create External Procedure:
    http://surachartopun.com/2008/07/create-and-run-sample-external.html

  • Need clarification regarding the test cable-diagnostics tdr command

    Hello,
    I've read about the test cable-diagnostics tdr command but I need clarification on the examples listed below to make sure that I am providing the right answer to my co-workers.
    Example 1:
    CXXX7SW17#show cable-diagnostic tdr int g0/20
    TDR test last run on: July 16 10:23:00
    Interface Speed Local pair Pair length        Remote pair  Pair status
    Gi0/20    auto  Pair A     N/A                        N/A                Normal
                           Pair B     72   +/- 10 meters  N/A                Open
                           Pair C     75   +/- 10 meters  N/A                Short/Crosstalk 
                           Pair D     74   +/- 10 meters  N/A                Short/Crosstalk
    Does this example mean that there's a cable length issue in the line which is causing the device that it's connected to not to work properly?
    Example 2:
    CXXX2SW140#show cable-diagnostics tdr int g0/21
    TDR test last run on: July 16 09:16:22
    Interface Speed Local pair Pair length        Remote pair Pair status
    Gi0/21    100M  Pair A     N/A                      Pair A           Normal
                              Pair B     N/A                      Pair B           Normal
                              Pair C     N/A                     Pair C           Normal
                              Pair D     N/A                     Pair D           Normal
    Does this example state that the cable line is okay for use?
    Example 3:
    CXXX1SW19#show cable-diagnostics tdr int g0/22
    TDR test last run on: July 16 06:36:53
    Interface Speed Local pair Pair length            Remote pair Pair status
    Gi0/22    auto    Pair A       1    +/- 10 meters  N/A               Open
                              Pair B     39   +/- 10 meters   N/A               Open
                              Pair C     72   +/- 10 meters   N/A               Open
                              Pair D     1    +/- 10 meters    N/A               Open
    Does this example mean that there isn't a device connected on the other end? No pin-contact?
    Thank you very much for any help you could provide.
    S

    I found this article here at supportforums that seemed like the best explanation I've read so far for TDR info.
    Hope that helps.

  • Needs Clarification Regarding Segments and Datafiles

    Hi,
    I want clarification regarding Segments, Datafiles and extents.
    As we know that A segment is made of one or more extents and extents are composed of one or more datablocks in the HD.
    Since all data are store in Datafiles which are composed of extents and datablocks. I want to know weather a table(Segment) can span to multiple datafiles or in a sigle datafile.
    Regards,
    D.Abbasi

    And an easy way to check it by yourself :
    SQL> create tablespace abbasi_tbs
      2  datafile 'E:\ORADATA\DEMO111P\abbasi_01.dbf' size 1m autoextend off,
      3           'E:\ORADATA\DEMO111P\abbasi_02.dbf' size 1m autoextend off;
    Tablespace created.
    SQL> create table abbasi_tbl (id number)
      2  tablespace abbasi_tbs;
    Table created.
    SQL> insert into abbasi_tbl
      2  select rownum as rn
      3  from   dual
      4  connect by level <=10000;
    10000 rows created.
    SQL> commit;
    Commit complete.
    SQL> select distinct file_id
      2  from   dba_extents
      3  where  segment_name ='ABBASI_TBL';
       FILE_ID
             6
             7
    or...
    SQL> select distinct DBMS_ROWID.ROWID_RELATIVE_FNO(rowid)
      2  from   abbasi_tbl;
    DBMS_ROWID.ROWID_RELATIVE_FNO(ROWID)
                                       6
                                       7
    SQL> select file_name from dba_data_files where file_id in (6,7);
    FILE_NAME
    E:\ORADATA\DEMO111P\ABBASI_01.DBF
    E:\ORADATA\DEMO111P\ABBASI_02.DBF
    SQL>Nicolas.
    added the ROWID function usage
    Edited by: N. Gasparotto on Jun 21, 2009 11:02 AM

  • Need clarification regarding select query

    Hi,
    I need a little clarification regrding a Select senario
    I want to select data from table which have been minupulated between a certian date like between 1-DEC-10 to 31-DEC-10 and note that table does not have any time/date column. I've applied the following query to do this.
    select * from TABLE_NAME where sysdate between to_date('01-DEC-10') AND to_date('31-DEC-10');
    Would it work fine because I've tried it against a table and it returned me nothing however DML occur between time period.
    Regards,
    Abbasi

    Abbasi wrote:
    Hi,
    I need a little clarification regrding a Select senario
    I want to select data from table which have been minupulated between a certian date like between 1-DEC-10 to 31-DEC-10 and note that table does not have any time/date column. I've applied the following query to do this.
    select * from TABLE_NAME where sysdate between to_date('01-DEC-10') AND to_date('31-DEC-10');
    Would it work fine because I've tried it against a table and it returned me nothing however DML occur between time period.
    Regards,
    AbbasiAFAIK without log mining and auditing this is not possible.
    http://download.oracle.com/docs/cd/B19306_01/server.102/b14215/logminer.htm

  • Needs Clarification Regarding Tablespace

    Hello,
    I'm using Oracle 10g DB and I want to know weather to creating database from DBCA automatically create a tablespace for that database or we have to create manually.
    if it create automatically then how can we retrive information about that database.
    Looking for Reply
    Regards,
    D.Abbasi

    When you create database using DBCA you can choose tempalte, in the template there tablespaces defined, the tablespaces that will be created depends on the tamplate you choose, and if you installed sample schema's.
    Every database created need to have several system tablespaces.
    You can retrive all of database tablespaces using :
    select name from v$tablepsace;
    Oded
    [www.dbsnaps.com]
    [www.orbiumsoftware.com]

  • Need clarifications regarding APEX_PUBLIC_USER

    Hello all,
    Apex 3.0 on 10g
    'am aware that APEX_PUBLIC_USER is the one used by the apex applications to get the stuff from the database.
    I have noticed that in v$session there do exist the apex_public_user even if i logout from the apex.
    In my production i have found apex_public_user with last_call_et greater than 7 hrs
    and also when i tried to drop a package from the apex sql window, it hangs and doing the same from sql*plus from system account makes the session hang, which i will need to kill later. What could be the reason for the session to get stuckup??
    Thank you,
    J J

    Yea, today i had to bounce my DB for some reason and there were no connections from the APEX_PUBLIC_USER and i could drop the package.
    Is there anyway to close those sessions from the oracle HTTP server once they are done with the job than letting them lingering around?
    Will APEX use these existing sessions like a connection pooling?
    TIA,
    JJ

  • Need clarification regarding Work status rule

    Hi All,
    I have a work state "Submitted" which is controlled by "owner".
    My work status is driven by following dimensions in the application:
    u2022Entity  - Owner dimension
    u2022Category
    u2022Time
    Entity hierarchy is as follows : A
                                                      |____B
                                                      |____C
    Now considering that user is owner of member "A", I set the work status to "Submitted". (Note: B and C does not have any owner)
    It gives error "controlled by rule has been violated".
    On the other side, one of the document tells states that "If the user is acting as an owner and the selected member has no parent, the user also acts as a manager (top hierarchy), they can select a work status controlled by "Owner", "Manager" or "Both"".
    Going by this rule, in the scenario which i have explained above, it should set the work status as "submitted". But it is throwing error.
    Kindly clarify if my understanding is wrong.

    Hi,
    The problem is arising because as per the setup, only the owner can change the work state to submitted. However, there are no owners for the child members.
    You can try changing the setting to manager. If you login as owner of A, then you will be able to change the work state of A (since you are your own manager because A is the top node) and you will be able to change B and C also (since you are the manager).
    Alternatively, you need to maintain the same user as the owner of B and C.
    You have rightly indicated the statement "If the user is acting as an owner and the selected member has no parent, the user also acts as a manager (top hierarchy), they can select a work status controlled by "Owner", "Manager" or "Both"".
    However, if you take a look at this statement, this is valid if the setting is manager. But in your case, the setting is owner. And there are no owners of the children.
    Hope this helps.

  • I need clarification regarding REFERENCE TYPES and CASTING.

    Hello all,
    I'm taking a course on the fundamental of JAVA. Everything's been going smoothly until I slammed into the the concept of CASTING and REFERENCE TYPES. Flat--out == I DON'T GET IT?
    I'm having trouble with...
    CONVERTING REFERENCE TYPES
    CASTING BETWEEN REFERENCE TYPES
    WORKING WITH REFERENCE TYPES
    I understand what's happening from an academic vantage point. I just don't understand why you'd want to convert REFERENCE TYPES? What would be an application of such an exercise?
    1. What IS a REFERENCE TYPE -- exactly?
    a. what are we referencing?
    b. type? type of what??
    for example... why would you want to do a widening conversion, a conversion of the hierarchy tree?
    I understand the concept of OBJECTS, CLASSES, METHODS and CONSTRUCTORS so far...
    I think it's the terminology that's screwing my up.
    Thanks,
    Alex

    ok... wow, thanks J.
    So--in a nutshell-- we're making it so that different
    objects:
    ie,. ford(), chevy(), honda(), lotus() and
    dealers()... so and so forth()...
    all share the resources(for lack of a better word) of
    the Auto Class? because all of those auto brand
    objects and one redically different object can be
    unrelated, correct?Um, yes and no.
    I just ran with the example you had, but that probably included too many concepts and they got muddied up.
    Yes, Chevy, Ford etc. all share the characteristics of Auto, since they're all subclasses. But that's just inheritance, and has nothing to do with casting.
    A "reference type" can loosely be described as a variable that refers to an object. (Constrasted with "primitive types" which are int, char, float, etc. and don't refer to objects--they just hold values.)
    Casting just tells the compiler that even though as far as it knows you only have a reference to some superclass, the object that reference points to will in fact be an instance of a subclass, and so treat it as such (e.g., we can now call methods that the subclass has that the superclass lacks).
    (You can also cast primitives, but one thing at a time.)
    So let's say you have class A (which extends object) and B extends A.
    A a = new B();
    B b = a; // won't compile. compiler sees the "A a" on the left of the =, not "new B()" on the right.
    B b = (B)a; // works because we're telling the compiler, "Dude, I'm seriously. This is a B.
    Note that if we had done new A() instead of new B(), it would still compile--the compiler would trust us. But at runtime, we'd get a ClassCastException, since we wouldn't actually have a B object.
    /**folks, I'm a web designer that has to learn Java
    so that I can perform my duties as a JSP author here
    at work. I tried to learn JSP sans Java and that was
    a simple exercise in ignorance.-- it's really hard
    without understanding the root concepts of Java and
    for that matter, C. Concepts like "polymorphism,
    inheritance, object references... are completely
    foreign to me. **/It's a rather big leap from web designing to OO concepts. Take your time, and don't be discouraged if you feel completely confused. It's a prerequisite. :-)

  • Can I creat the structural authorization profile in batch?

    Hi All:
    I have a question.
    I need to creat structural authorization profile in transaction code OOSP, it's OK if I enter new entries in the OOSP and then maintenance the authorzation profile like  object type; object ID; Eval. path  and so on.
    But there are so many new entries need to be created that I want to use lsmw to realize batch in put.
    But when I use the transaction code "OOSP' to record the screen during the LSMW, I failed to see the "athorization profile maintenance" screen , that is, I can enter new entry, give it a name and text still, but cannot maintenance the authorzation profile like  object type; object ID; Eval. path. In other words,the "athorization profile maintenance" screen is missing during the LSMW recording screen!
    Can anyone tell me what's the reason?

    Hi All:
    I have a question.
    I need to creat structural authorization profile in transaction code OOSP, it's OK if I enter new entries in the OOSP and then maintenance the authorzation profile like  object type; object ID; Eval. path  and so on.
    But there are so many new entries need to be created that I want to use lsmw to realize batch in put.
    But when I use the transaction code "OOSP' to record the screen during the LSMW, I failed to see the "athorization profile maintenance" screen , that is, I can enter new entry, give it a name and text still, but cannot maintenance the authorzation profile like  object type; object ID; Eval. path. In other words,the "athorization profile maintenance" screen is missing during the LSMW recording screen!
    Can anyone tell me what's the reason?

  • How To Create ABAP Code For HR Context Sensitive Structural Authorization

    Hello,
    We have created a HR Custom Program which IS NOT built off the PCH or PNP Logical Database. As a result, we need to manually create ABAP code for HR Context Sensitive Structural Authorization Check in our custom HR program. Via HR Context Sensitive Structural Authorizations, we are restricting access to personnel numbers and the underlying HRP* tables.
    Any assistance would be greatly appreciated with the identification of the SAP standard function modules (Ex. RH_STRU_AUTHORITY_CHECK, HR_CHECK_AUTHORITY_INFTY, HR_CHECK_AUTHORITY_INFTY , etc) used in HR Context Sensitive Structural Authorization Check, how they are used to control HR Structural authorization (P_ORGINCON), and some sample code.
    Thank you in advance for all your assistance,
    Ken Bowers

    Hello Ken
    You can use the interface methods IF_EX_HRPAD00AUTH_CHECK to get the same structural authorization as you can see in PA20/PA30. You need to use the methods set_org_assignment and check_authorization for this purpose. For more information you can refer to include FP50PE21 from line 237 onwards till 270.
    Regards
    Ranganath

  • SAP BI 7.0 Transport issue with HR Structural Authorization DSO

    Hi,
    I am trying to transport HR Structural Authorization DSO Objects in  BI 7.0  from Dev to QA system. The Data sources are 0PA_DS02 and 0PA_DS03. ( I am sure that there are lots of changes in Authrorization concept in BI 7.0),.
    1. Please suggest me if I need to make any changes and tests before moving these authorization objects to QA system.
    2. Also, do I need to take any pre-cautions while activating business content objects 0TCTAUTH  and 0TCTAUTH_T (Datasources look like are from 3.x) as I am getting issue with the activation of the transfer structure for these objects?
    Thanks a lot for your valuable inputs.
    Regards
    Paramesh
    Edited by: paramesh kumar on May 5, 2009 12:45 AM

    Hi Paramesh.
    You can use the DSOs 0PA_DS02 and 0PA_DS03 in BI7.0 as well. You just need to use the new generation of analysis authorizations in transaction RSECADMIN.
    You can use 0TCTAUTH and 0TCTAUTH_T in BI7.0, however we have experienced som problems with the 0TCTAUTH_T extractor, which dumped because of a poorly designed SELECT statement that was unable to cope with 10000 records. We have replaced it with a generic data source that uses table RSECTEXT directly.
    Regards,
    Lars

  • Error Occured when Applying Structural Authorizations in E-Recruitment

    Dear Experts,
    The E-Recruitment functionalities were working fine when no structural authorizations are applied. However, when structural authorizations are configured for the user on the backend SAP system (I configured structural authorizations for the user to have access to only his own department), the E-Recruitment module does not work.
    When I tried to access requisitions-> maintenace, application management->applications, etc, (i.e. when the E-Recruitment module tries to retrieve data from the backend), the the following error message occurred.
    Error when processing your request
    What has happened?
    The URL http://<hostname>:<port>/sap/bc/bsp/sap/hrrcf_start_int/application.do was not called due to an error.
    Note
    The following error text was processed in the system ABC : <b>RAISE EVENT statement nested to deep.</b> The error occurred on the application server XYZ and in the work process 0 .
    The termination type was: RABAX_STATE
    The ABAP call stack was:
    Method: ON_CHANGE of program CL_HRRCF_INFOTYPE=============CP
    Method: INSERT_RECORD of program CL_HRRCF_INFOTYPE=============CP
    Method: READ_RECORDS of program CL_HRRCF_REQUISITION_INFO=====CP
    Method: GET_RECORDS of program CL_HRRCF_INFOTYPE=============CP
    Method: GET_RECORDS_BY_DATE of program CL_HRRCF_INFOTYPE=============CP
    Method: ON_REQUISITION_UPDATE of program CL_HRRCF_REQUI_BL=============CP
    Method: ON_CHANGE of program CL_HRRCF_INFOTYPE=============CP
    Method: INSERT_RECORD of program CL_HRRCF_INFOTYPE=============CP
    Method: READ_RECORDS of program CL_HRRCF_REQUISITION_INFO=====CP
    Method: GET_RECORDS of program CL_HRRCF_INFOTYPE=============CP
    Please advice if E-Recruitment supports structural authorizations. If it does, are there additional configuration required to enable structural authorization. Kindly enlighten me on how to resolve this error. Any help will be much appreciated.

    Hello Louis,
    I implemented e-recruiting with structural authorizations for a customer and encountered exactly the same error. Anything in the e-recruiting implementation leads to this problem. When you miss some object authorizations the implementation generates an infinite callstack which results in this short dump.
    So be sure you assigned all necessary objects to recruiters and also candidates (NA, NB, NC, ND, NE, NF, BP, CP, P, Q, QK, VA, VB, VC) but this might be difficult esp. with the P object, when you use structural authorizations for other purposes, too. This usually generates problems in manager involvement (e.g. manager can't choose a recruiter to approve his requisition as he has not the structural authorization for the hr department members).
    It is also a bit strange that candidates need for example change rights for the requisition (NB) although they won't actually change it but without it the relation application->requisition, candidacy->requsition cannot be created correctly.
    Last but not least be always sure that you refreshed the authorization buffers after changing structural authorizations. They are usually switched on for better performance.
    Best regards
    Roman Weise
    PS: be aware that using structural authorizations will keep you busy for some time. we needed ~2 months to set up the system in a way that e-recruiting worked as the custoimer wanted without interfering any other productive hr component (admin, org. mgmnt., managers desktop).

  • HR Structural Authorization DSO's

    Hi,
    I have developed HR module for the first time. I need to create the authorization objects for the HR reports.
    I found 0PA_DS02 and 0PA_DS03 for structural authorizations in HR. I dont understand the purpose of these DSO's.
    Can some one explain what is purpose of the 0PA_DS02 and 0PA_DS03 dso's and how to create authorizations in HR?
    Thanks and Regards,
    Pooja

    HI Pooja,
    Use "Rsecadmin" create a authorization object and in that click on the below tool bar infocube authorizations which gives you a option to choose the infoprovider either cube or dso .choose your dso and then navigate around according to your requirements with include option.
    I think you need to load the DSO 0TCA_DS01 for Authorization Data(Values). Activate this DSO and try loading the data into this DSO as well and then try to generate the authorizations from this
    Thank you

  • HR structural authorization

    Hello Friends,
    I am trying to get concept of HR structural authorization.  I have read the document " Structural Authorizations Step by Step, with Gotchas Too by Norm and Carl". After reading this document, what i have understood is In Structural authorization, we create PD profile eg: Manager, employee, ALL etc via transaction OOSP. And after that you assigned these profile to position via report RHPROFL0 or manually via transaction OOSB.
    But what i am not able to understand is
    1.How do this profile Manger, Employee etc will work? How do Users get authorization. What types of activities Uses are able to perform?  What type of data user will have acess to? Do users get authorization to transaction like PA20 or you still need additional role that is created via PFCG.
    2. What my understanding is Users who are in the top Hierarchal nodes or structure (eg: manager) is able to access data of employee below him. Do we still need to create roles like MSS and ESS role via transaction PFCG?
    If somebody can clarify, I will really appreciate.

    Hello Mate,
    Have a loook at this thread, this may help .
    Re: How to Restrict HR Org Structure from other Org Structures
    Regards,
    Regi

Maybe you are looking for

  • ITunes does not work with Windows VISTA

    If you are planning on installing Windows VISTA than do not expect your iTunes to work. It will mark all our downloads as being unauthorized to play on the Windows VISTA computer. If you try to download some new songs you will get an error. I am work

  • Creating Inventory Goods Receipt (oInventoryGenEntry)

    Creating Inventory Goods Receipt (oInventoryGenEntry) gives the error "The inventory account is not defined".  But I do the same in SAP and the works. What do I have to do in my code about accounts ? I mean for sure I just give the item, the quantity

  • Sender Mail Adapter with SAP Conversion agent

    have some1 used SAP conversion agent on attchment from XI Sender Mail adapter? it seems to ignore the attchment of the e-mail the sender configuration module tab is as follows : 1.localejbs/AF_Modules/PayloadSwapBean transform 2.localejbs/sap.com/com

  • Is there any way to get an older app version of apple tv remote?

    It's been several months since the apple tv remote app was updated to 3.0+. Once I updated, I have not been able to control my apple tv (2nd gen). I have 2 ipod touch (2nd gen as well) and neither can use the updated app to control our apple tv any m

  • Stuck with bootcamp

    hi guys, I´m stuck with my MacPro!!! I tried to install vista with bootcamp and didn´t work, now don´t want accept any disk but it keep on start on bootcamp partition. I´m not able to let it start on with Mac partition. What can i do? There is any wa