Org Structural authorisation

Hi,
I am new to org structural authorisation. Can anyone please let me know the step-by-step configuration of structural authorisations and how to test the reports in structural authorisation?
Thanks,
Usha

Hi,
This is SAP reference http://help.sap.com/saphelp_470/helpdata/en/34/49ba3b3bf00152e10000000a114084/content.htm
This is guide for set up http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c0a19aba-15f2-2c10-a6b0-ccd121447ec2?quicklink=index&overridelayout=true
Cheers!

Similar Messages

  • Change org structure, structural authorisations and MSS team calendar

    We are using structural authorisations with evaluation path O-S-P for managers. If I move an employee into a new org unit, when the manager views the Team Calendar in MSS, they can see the new employee. However, if I move the manager into a new org unit from a specific date with the chief indicator ticked, nothing is displayed in the Team Calendar and the message says "no data available in chosen period". I thought it could be an authorisation issue, so I have done an authorisation check in Time Managers Workplace for the same manager trying to view an employee in the new org unit and it says it's failing on structural authorisations. If I look in T77UA it shows the correct org unit, positions and employee numbers, so I don't understand why it's giving me the structural authorisation error. PFUD has been run and T77UA looks correct - am I missing something?
    Any help would be greatly appreciated!

    I would check the A012 "manages" relationship and see if it's pointing to the right org unit. We have had several issues with the team calendar and ended up customising a lot of it.

  • FM to identify Org Units Authorised in structural authorisation

    Hi experts,
    Could you please let me know if there is any FM to identify the list of all org units authorised by the user?
    rgds
    gayathri

    Hi Gayathri,
    Check for FM -
    HR_BW_IS_AUTHORITY
    HR_BW_IS_AUTHORITY_HIERARCHY
    Regards,
    Malathi V

  • Sending mail to a particular position in org structure via workflow

    Hi all,
    I have a problem regarding sending mail to a particular position in the org structure at runtime via workflow, so that I needn't hard-code the particular position.
    To achieve this I am using expressions. First I created a new container element and then I used a container operation like this:
    (lead.employee responsible.business partner = container element defined by me)
    When I first try to execute the workflow and test it, in the container I am getting the value of the container element, in which I have the position where I have to send the mail. But in spite of the value getting populated, when I am using that container element to send mail like:
    expression: container element
    the mail is not sent. When I checked the log, it mentioned that "you are not the authorised person to start the workflow and start failed", but the workflow is still triggered and I am able to pass the object but not able to send the mail.
    Please tell me whether there is any feasible way to achieve this, like a rule, or how it can be achieved in my way.
    A detailed possible solution will really be appreciated. One thing: we are working on a CRM 5.0 standalone system.
    Full marks will be rewarded.
    best regards
    ashish

    Hi,
    Follow this ,
    Go to PFTC -> Choose "Workflow Template" from the drop down -> Enter the workflow template id "123********" in the text box -> now click on the "change" button -> Now go to the menu additional data -> agent assignment -> maintain -> select the task text -> and set it as general task.
    I guess you have done the same for the standard task TS*********** but failed to do it for the workflow template (WS123*************). Or have you done it already?
    Also once you make this change "Refresh your buffers" once before checking it out.
    Richard A

  • Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

    Hi
    I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
    This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    Any help or suggestions on the above would be appreciated.
    Thanks and Regards
    Arun R

    Hi
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    No, the SAP role is unique to the position it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the SAP role directly to the user in SU01/SU01.
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    Create the user in SU01/SU10 first before creating infotype 105 in PA30.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    When a user's assignment in the org structure changes, you must run RHRPROFL0 to update the user assignment to the new position.
    Also, the number of days an employee can have access to their previous data is controlled by the parameter called ADAYS - tx OOAC. SAP currently defaults this to 15 days, and this is used to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
    Hope this helps.
    Charmaine

  • Integrate HR org structure and CUA?

    We are considering a new design for our authorization management on our production ECC 6.0 system.
    There will be 2 productive ECC 6.0 systems; which system you use will depend on your global location.  We currently utilize the HR org structure to assist us with provisioning and deprovisioning accounts on our current single ECC 6.0 instance, and we hang composite roles off of positions in the org structure, so that a fair amount of authorization management is automated.
    If we were to put a CUA client over the two productive ECC 6.0 clients, how might that be integrated with the HR organizational model?  Does CUA integrate well with an org structure?  Any experiences with this would be helpful.

    Hi Mary,
    Firstly, are the org structures in the two ECC clients identical - in sync with each other?
    If the org structures are different then it would limit the options that you would have:
    - CUA client would simply be used for the provisioning of the user id
    - The role to position allocation would still take place locally in each of the ECC clients
    - You would have to maintain the 105 relationships locally in the ECC clients
    - You would have to set the role maintenance option in SCUM to local maintenance
    If the org structure is the same on both ECC clients, then it would provide you with some additional options:
    Option 1 - use the approach described above to allow for local maintenance
    Option 2 - ALE the org structure to the CUA client, then allocate the composite roles to the positions on the org structure and maintain the 105 relationship on the CUA client.
    - the roles will then be distributed to the correct child system when the org recon is run
    Option 3 - Use one of the ECC systems as the CUA client (Which we are busy implementing at the moment)
    I'm using my ECC system as my central CUA for the production system, I know that many people would disagree with this due to upgrade requirements and all the rest. However in the Netweaver environment the ECC client is typically on the highest basis release, which caters for the CUA requirement and CUA is far more stable these days which reduces the risk. The other reason we have chosen this route is also the capacity of the ECC production system which is suitable.
    Also the HRORG is maintained on the same system, therefore less ALE requirements to move the org structure between systems etc. In the landscape we currently have BI and Portal, future applications/modules include ESS, MSS, APO and SEM.
    To achieve the solution I create all roles for all applications in the landscape, in the ECC client - for non-ECC roles the role definition is only role name and description (the correct authorisations are then maintained in the relevant child system). These are then distributed via RFC to the various child systems; it requires a couple of small changes but does work fine. All roles are then included into a composite role, regardless of which child system the role belongs to. The composite role is then allocated to the position in the HR org and once the HR recon is run, the role allocations are distributed to the correct child system. An example of a Line Manager Composite role would include:
    - HR Line Manager (ECC Client)
    - Cost Centre Manager (ECC Client)
    - BW Line Manager Menu role (Portal)
    - BW Line Manager Data role (BI client)
    - Purchasing Approval (ECC Client)
    I'm not sure if this has helped you, but in short the CUA integration with HRORG does work reasonably well and depending on the approach you choose it could affect the amount of maintenance that takes place. Just remember that the structural profile allocations would always take place locally on the ECC clients and only the role allocations can be managed from the CUA.
    Regards
    Sujeet

  • Business partner not created when User is intergrated in SRM org Structure

    Hi SRM gurus,
    A new user is integrated into the SRM org structure through a Z tcode, but the business partner is not created.
    The user is not able to create a shopping cart.
    When we try to check with t.code BBP_BP_OM_INTEGRATE we are getting this error:
    "Connection of object us XXXXXX to object 'CP' is not unique"
    How to resolve this error?
    Regards
    G.Ganesh kumar

    Hi all,
    1) I have checked SLG1 - no error log is found.
    2) In the basic tab there are no details to enter.
    I am getting this error: "Missing Authorisation : info type 1001 ,object type BP,Subtype A207".
    Since it is a production system, can we run PFAL directly?
    G.Ganesh Kumar

  • Beginning with Structural Authorisations

    Good day fellow SAP HCM Community,
    Our company is currently investigating the option of going via structural authorisations for our HCM system security but we are struggling to set it up.
    Please advise if anybody has some documentation on the following:
    1. What are the values in the table OOSP for a manager and a subordinate?
    2. Do we need to assign a PD profile to each position in the org structure whether a SAP user or not?
    3. What is the relationship for a manager and a subordinate on the position, i.e. A002 - B002, etc.?
    4. In order for a manager to view their subordinates, do they all have to be indicated as chief positions, as we have a complex management hierarchy?
    5. The function modules RH_GET_MANAGER_ASSIGNMENT and RH_GET_ORG_ASSIGNMENT are not available to our DEVLAB client; do they need to be visible in order for structural authorisations to work?
    Kind regards
    Dorianne

    Update your B card or send me a test mail. I will send you doc

  • PPOMA_BBP Structural Authorisations Setup

    Hi,
    I am setting up the structural authorisations via transaction OOSP so that I can grant local admins access to their part of the org structure in PPOMA_BBP. However, to assign a user to a profile (tcode OOSB) that has been setup via OOSP, it is considered config and has to be done in the development system.
    Does anyone know if the assignment of user to profile can be changed so that it is not config and can be done in a production system?
    Thanks,
    Mark

    Hi Mark,
    You are absolutely right. Here is what you can do then:
    Expand SPRO tree until you find the transaction you want.
    Then, select it (don't execute it, just click on its name once).
    Then click on Edit > Display img activity.
    Then click on 'Maint Objects' tab.
    Then copy the value of column 'Customizing Object'.
    Depending on the value of column 'Ty' this might not work. If the Ty column value is 'V' or 'S' it should work.
    Then access transaction SE54
    Paste the copied value in the 'Table/View'
    Select 'Generated objects'
    Click on 'Create/Change'
    Then select 'no, or user, recording routine' option.
    This should be done in the customizing client and a request will be generated. Then transport the generated request as needed.
    If you want to implement these changes in your productive system, there is an extra step:
    Go to transaction SOBJ
    Click on 'Maintain'
    Select the object you copied in the previous steps.
    Then click on 'Details'
    Then mark the field 'Current Settings'.
    Refer to the following notes if you need:
    Note 356483 - Customizing: Current settings in the test system
    Note 77430 - Customizing: Current settings
    I hope this helps! I'm confident this will solve your problem 100%!
    Regards,
    Henrique

  • Structural authorisation HR security

    Hi all,
    I am very new to HR Security and need your help with Structural Authorisation. My queries are:
    1.) How can we get the Personnel number when we have a POSITION or Org unit? Any steps or Tcode?
    2.) Is Structural authorisation applied only to a POSITION which has a B012 relationship with an Org unit, or can it also be applied to a POSITION without B012 relationships?
    Please help.
    Thanks in ADVANCE,
    Chandresh Bajpai

    Hi Chandresh,
    If you know the position, then go to PP01 > select position > give position ID > click on relationship > select the "all" radio button > click on overview > you can see all relationships which have been maintained for that position. Check relationship A008 (position to person).
    Then, structural authorization does not depend only on relationship A012 (chief position), but on the total OM structure. Before going for structural authorization, you should have the OM structure in place.
    Regards,
    Purnima

  • Structural authorisation along with organisational key

    Hi All:
    The scenario is: There are 8 company codes (8 different countries) with 8 different Personnel areas. A user needs to have access to all employees in his country and, secondly, all the HR employees spread over all other company codes in different org units.
    I can create a role using P_ORGIN with that PA and assign it to the user, but how do I provide him access to all other HR employees? Structural Authorisation would restrict access to a specific org unit, which doesn't suffice for both criteria as it overrides org key.
    Helpful answers would be duly rewarded.
    Regards,
    Kmaini

    Hi,
    Structural authorization does not overwrite org.key.
    You need to customize structural authorization accordingly.
    For example, you have 8 company codes associated with personnel areas PA01-PA08. You are trying to create role for company code 1.
    1. In P_ORGIN you give access to all personnel areas PA01-PA08.
    2. For structural authorization you create following entry points:
    - root org.unit for company 1
    - HR org unit for company 2
    - HR org unit for company 3
    - HR org unit for company 4
    - HR org unit for company 5
    - HR org unit for company 6
    - HR org unit for company 7
    - HR org unit for company 8
    Cheers

  • Problem in Structural Authorisation

    Hi All,
    Scenario: There is a CEO of an org unit, say ABC Pvt Ltd. This root org unit has many sub units, depts & positions.
    This CEO should need to view only his org units & positions which come under ABC Pvt Ltd, & he should not be able to view other depts & units.
    For this I want to create structural authorisation.
    1. Hence I created a user, e.g. RKRao (CEO)
    2. I created a role through PFCG.
    3. I created structural authorisation through OOSP, OOSB...
    4. I maintained infotype IT 0105 communication, then OM IT 1017 (PD profiles infotype)
    When I went to test this user, it is not showing me the desired data which he is liable to see under his org unit (i.e. ABC Pvt Ltd, units, positions, jobs etc).
    Hence can anyone tell me where I am wrong? I have maintained all the necessary transactions needed for structural authorisation.
    Please help me out in this! Points are assured.
    Regds,
    NithiBabu

    Hi Nithi,
    The pre-requisite for configuring Structural Authorization are:
    A) PLOGI – ORGA
    TCode: OOPS
    This switch activates the integration between Personnel administration (PA) and Org Management (OM). Ensure this switch is ‘on’ before setting up the Org Plan, structural profile etc. Turning the switch ‘on’ is a mandatory prerequisite before other setups are initiated.
    B) In case of OOAC, the following switches need to be set to appropriate values (switching on) for structural authorizations:
    1. ORGIN: HR master data: Value “1” means it is activated.
    2. ORGPD: HR Structural authorization check: Value “1” means it is activated. This is mandatory for Structural authorization to work (see note).
    3. PERNR: HR Master Data: Personnel number check activation: Value “1” means it is activated.
    4. ADAYS: Tolerance time for authorization check: The value entered here is the number of days for the tolerance limit. This determines how many calendar days the user has access to the data he or she is entitled to, after the organizational change. For example, “ADAYS = 10” means 10 calendar days of tolerance limit. In the standard system the value is set to 15. If the value is set to “0”, the organizational change causes the user to lose the authorization immediately upon change.
    C) After creating the Authorization Profile in OOSP
    IMG > Personnel mgmt > Org Mgmt > Basic Settings > Authorization Mgmt > Structural Authorization > Maintain Structural Authorization Profile
    Select the Profile and double click the Authorization Profile maintenance in the dialog structure on the left of the screen
    1.     Accessible Org Mgmt Objects are determined by the settings defined in this step. This step determines permissible Objects for the user.
    2.     Permissible objects can be defined in more than one way: by directly identifying the Object IDs (optional) in the Object ID field; or through an Evaluation Path (optional), which ensures that users are only authorized to access objects along a particular path in the Organization structure or plan (if an Evaluation path is specified, the Object ID needs to be specified, which determines the root object for the evaluation path); or via a function module which determines the objects the users are authorized to access.
    3.     If function module (optional) is specified, the Object ID need not be specified and depending upon the logic of the function module, evaluation path may or may not be specified. The usage of Function module to determine authorized objects provides flexibility that is not available via Evaluation path.
    Hope this further clarifies your doubt.
    Regards,
    Raj
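
A simplified model, added here as an illustration (not SAP code and not code from either poster), of the entry-point answer in the previous thread and the root-object-plus-evaluation-path description above: a person is visible only when both the P_ORGIN personnel-area check and the structural check pass. The org plan, personnel areas and function names are constructed for the example, and only two companies are modelled instead of eight.

```python
from collections import defaultdict, deque

# Constructed org plan (not from the thread): (object, relationship, related object).
# Object keys are "<type> <id>": O = org unit, S = position, P = person.
ORG_PLAN = [
    ("O C1", "B002", "O C1-HR"), ("O C1", "B002", "O C1-SALES"),
    ("O C2", "B002", "O C2-HR"), ("O C2", "B002", "O C2-SALES"),
    ("O C1-HR", "B003", "S 1001"), ("O C1-SALES", "B003", "S 1002"),
    ("O C2-HR", "B003", "S 2001"), ("O C2-SALES", "B003", "S 2002"),
    ("S 1001", "A008", "P 101"), ("S 1002", "A008", "P 102"),
    ("S 2001", "A008", "P 201"), ("S 2002", "A008", "P 202"),
]
# Constructed personnel-area assignment of each person (what P_ORGIN is checked against).
PERSONNEL_AREA = {"P 101": "PA01", "P 102": "PA01", "P 201": "PA02", "P 202": "PA02"}

# Evaluation path O-S-P as (from type, relationship, to type) steps.
EVAL_PATH_O_S_P = {("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "P")}


def otype(obj):
    """Object type is the first token of the key, e.g. 'O' in 'O C1-HR'."""
    return obj.split()[0]


def structural_objects(entry_points, org_plan=ORG_PLAN, path=EVAL_PATH_O_S_P):
    """Objects reachable from the profile's root objects along the evaluation path."""
    children = defaultdict(list)
    for parent, rel, child in org_plan:
        if (otype(parent), rel, otype(child)) in path:
            children[parent].append(child)
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        for child in children[queue.popleft()]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def check(person, entry_points, personnel_areas):
    """Result of each check separately, useful when a test user sees too little."""
    return {
        "P_ORGIN": PERSONNEL_AREA.get(person) in personnel_areas,
        "structural": person in structural_objects(entry_points),
    }


def visible_persons(entry_points, personnel_areas):
    """Persons who pass BOTH checks: the two authorisations intersect."""
    return {p for p in PERSONNEL_AREA
            if all(check(p, entry_points, personnel_areas).values())}


# Company 1 administrator: root org unit of company 1 plus the HR unit of company 2.
ENTRY_POINTS = ["O C1", "O C2-HR"]

if __name__ == "__main__":
    print(sorted(visible_persons(ENTRY_POINTS, {"PA01", "PA02"})))
    print(check("P 202", ENTRY_POINTS, {"PA01", "PA02"}))
```

Widening P_ORGIN to all personnel areas does not expose the sales staff of company 2, because the structural check still limits the user to the listed entry points.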

  • Structural Authorisation - Unrelated Objects

    Hi all,
    We are facing an issue in structural authorisation of OM objects. The user wants to have authorisation for all objects under his root Org unit along with any objects that are unrelated (having no relationship with any Org unit / Positions).
    Is this possible with standard configuration? How can this be achieved?
    Regards,
    VK

    Hi VK
    Yes it is possible.
    You have to create your own function module and assign it to a structural authorization profile (field T77PR-PFUNC)
    In this function module, as semvladigo says you have to collect all required unrelated objects and return them via OBJ_TAB interface table.
    as a reference please check the following function modules:
    RH_GET_MANAGER_ASSIGNMENT
    RH_GET_ORG_ASSIGNMENT
    Regards,
    Sergey

  • Structural Authorisation

    Hi Experts,
    Is it mandatory to implement "HR Structural Authorisation" to implement MSS?
    Rgds
    Sunil

    No it isn't.
    HR Structural Authorisations is a security concept that is used to control what HR objects (e.g. org units, positions, people etc) a user can see and/or maintain.
    For MSS to work correctly you need:
    - an organisational structure in HR
    - the manager needs to be in a Chief Position
    - the manager's R/3 user id needs to be assigned to their employee record via Infotype 0105
    - there needs to be some subordinate employees assigned to the manager in the org structure.  This can be either employees that occupy positions in the part of the structure that the manager is assigned to as "Chief", or employees located elsewhere in the structure that have a direct reporting relationship to the manager position.
    The Team Viewer and Team Explorer iViews in MSS automatically determine and limit which employees the manager can see via the org structure, so HR Structural Authorisations really aren't necessary.
    Hope this helps...
    Regards,
    John

  • Structural Authorisation access issue

    HI
    I am currently trying to implement Structural Authorisation. I have run into a problem and am hoping someone may be able to help. The problem I have is that when a user searches for employees in PA20/30, the results show all employees that are part of the org unit that the PD profile is restricting. However, it also includes users that were part of the org unit at some stage.
    Now in PA30 the user does not get the header for these users but is able to access/modify some infotypes. I am not sure, but I think there is a setting somewhere that will limit the PD profile to only display current employees of the org unit, but for the life of me I cannot remember or recall where it is. Can anyone help with this?
    Any help will be appreciated,
    Many thanks in advance.

    Hi,
    Did you verify the value of the switch ADAYS "HR: Tolerance Time for Authorization Check" in transaction OOAC?
    Depending on the number of days mentioned, the person would have access to the old Org Unit till the tolerance period if he modified information in that org unit.
    Actual SAP documentation:
    HR: Tolerance Time for Authorization Check (ADAYS)
      Use
        The tolerance time for the authorization check specifies the length of
        time, in the case of an organizational change, that the personnel
        administrator has access to the data he or she created for a person if
        this person already has an organizational assignment outside of his or
        her authorizations.
      Input values
        The tolerance time for the time logic for master data infotypes is
        specified in calendar days. In the standard SAP system, the value of the
        switch is set to 15 (= 15 calendar days). When this switch is active,
        that is, when it contains a value greater than 0, organizational changes
        that result in the loss of a particular authorization take effect in
        accordance with the tolerance time.
      Example
        ADAYS is set to 15. In the system, only checks with P_ORGIN are active.
        Administrator A has read and write access to data in personnel area A
        while administrator B has read and write access to data in personnel
        area B. It is assumed that for all infotypes the time dependency of the
        authorization check (switch T582A-VALDT) is active.
        A personnel number was assigned to personnel area A until 12/31/9999. As
        of 01/01/2000 this personnel number is assigned to personnel area B. The
        period of responsibility of administrator A ends on 12/31/9999 but due to
        the tolerance time, he or she continues to have unrestricted read and
        write access to data until 01/15/2000 (inclusive). However, as of
        01/16/2000, he or she no longer has write access to data. Nevertheless,
        the administrator still has read access to all data records with a
        start date prior to 12/31/9999.
