Problem in Structural Authorisation

Hi All,
Scenario: There is a CEO of an org unit, say ABC Pvt Ltd. This root org unit has many sub units, depts & positions.
This CEO needs to view only his org units & positions which come under ABC Pvt Ltd, & he should not be able to view other depts & units.
For this I want to create structural authorisation.
1. Hence I created a user, e.g. RKRao (CEO)
2. I created a role through PFCG.
3. I created structural autho through OOSP, OOSB...
4. I maintained infotype IT 0105 communication, then OM IT 1017 (PD profiles infotype)
When I went to test this user, it is not showing me the desired data which he is liable to see under his org unit (i.e. ABC Pvt Ltd, units, positions, jobs etc.)
Hence can anyone tell me where I am wrong? I have maintained all the necessary transactions needed for structural autho.
Pls help me out in this! Points are assured
Regds,
NithiBabu

Hi Nithi,
The prerequisites for configuring Structural Authorization are:
A) PLOGI – ORGA
TCode: OOPS
This switch activates the integration between Personnel Administration (PA) and Org Management (OM). Ensure this switch is ‘on’ before setting up the Org Plan, structural profile etc. Turning the switch ‘on’ is a mandatory prerequisite before other setups are initiated.
B) In OOAC, the following switches need to be set to appropriate values (switched on) for structural authorizations:
1.     ORGIN: HR master data: Value “1” means it is activated.
2.     ORGPD: HR Structural authorization check: Value “1” means it is activated. This is mandatory for Structural authorization to work (see note).
3.     PERNR: HR Master Data: Personnel number check activation: Value “1” means it is activated.
4.     ADAYS: Tolerance time for authorization check: The value entered here is the number of days for the tolerance limit. This determines how many calendar days the user has access to the data he or she is entitled to, after the organizational change. For example, “ADAYS = 10” means 10 calendar days of tolerance limit. In the standard system the value is set to 15; if the value is set to “0”, the organizational change causes the user to lose the authorization immediately upon change.
C) After creating the Authorization Profile in OOSP
IMG > Personnel mgmt > Org Mgmt > Basic Settings > Authorization Mgmt > Structural Authorization > Maintain Structural Authorization Profile
Select the Profile and double click the Authorization Profile maintenance in the dialog structure on the left of the screen
1.     Accessible Org Mgmt Objects are determined by the settings defined in this step. This step determines permissible Objects for the user.
2.     Permissible objects can be defined in more than one way: by directly identifying the Object IDs (optional) in the Object ID field, or through an Evaluation Path (optional), which ensures that users are only authorized to access objects along a particular path in the Organization structure or plan. If an Evaluation Path is specified, an Object ID needs to be specified, which determines the root object for the evaluation path. Alternatively, permissible objects can be defined via a function module, which determines the objects the users are authorized to access.
3.     If function module (optional) is specified, the Object ID need not be specified and depending upon the logic of the function module, evaluation path may or may not be specified. The usage of Function module to determine authorized objects provides flexibility that is not available via Evaluation path.
Hope this further clarifies your doubt.
Regards,
Raj
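
A simplified model of how a profile line (root Object ID plus evaluation path) resolves to the set of permitted objects for the CEO scenario above; this is an added illustration, not part of the original thread and not SAP's own code. The org plan and all object IDs are constructed, and the O-S-P path is reduced here to the relationship steps B002, B003 and A008.

```python
from collections import deque

# Constructed org plan: (source object, relationship, target object).
# Keys are "<object type> <object ID>"; every ID is made up for this example.
RELATIONS = [
    ("O 50000001", "B002", "O 50000002"),  # ABC Pvt Ltd -> Finance
    ("O 50000001", "B002", "O 50000003"),  # ABC Pvt Ltd -> Sales
    ("O 50000001", "B003", "S 60000001"),  # ABC Pvt Ltd incorporates CEO position
    ("O 50000002", "B003", "S 60000002"),
    ("O 50000003", "B003", "S 60000003"),
    ("S 60000001", "A008", "P 00001001"),  # position -> holder
    ("S 60000002", "A008", "P 00001002"),
    ("S 60000003", "A008", "P 00001003"),
    ("S 60000004", "A008", "P 00001004"),  # position with no org unit link
    ("O 50000009", "B003", "S 60000009"),  # a different company's org unit
    ("S 60000009", "A008", "P 00001009"),
]

# Assumption: evaluation path modelled as allowed (source type, relationship,
# target type) steps. Only the path named on this page is included.
EVAL_PATHS = {
    "O-S-P": {("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "P")},
}


def resolve_line(root, eval_path=None, relations=RELATIONS):
    """Objects granted by one profile line.

    Without an evaluation path only the object itself is granted; with one,
    everything reachable from the root along the path's steps is granted.
    """
    if eval_path is None:
        return {root}
    steps = EVAL_PATHS[eval_path]
    seen, queue = {root}, deque([root])
    while queue:
        obj = queue.popleft()
        otype = obj.split()[0]
        for src, rel, dst in relations:
            if src == obj and dst not in seen and (otype, rel, dst.split()[0]) in steps:
                seen.add(dst)
                queue.append(dst)
    return seen


def resolve_profile(lines):
    """Union of all lines of a profile, each line being (root, eval_path)."""
    allowed = set()
    for root, eval_path in lines:
        allowed |= resolve_line(root, eval_path)
    return allowed


# Profile for the CEO: root org unit of ABC Pvt Ltd, evaluated along O-S-P.
CEO_PROFILE = [("O 50000001", "O-S-P")]

if __name__ == "__main__":
    for obj in sorted(resolve_profile(CEO_PROFILE)):
        print(obj)
```

The position `S 60000004` and its holder stay invisible to the CEO because nothing links that position to an org unit under the root, which is the kind of gap in the OM structure that produces an empty result even when the profile itself is correct.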

Similar Messages

  • Concurrent Employment and MSS ( Structural Authorisation)

    Hi
    We are having some problem with Structural authorisation in case of concurrently employed users. The scenario is as follows:
    1. User A is a manager and has the MSS role and relevant PD profile
    2. User P is an employee. This employee is concurrently employed. One position of this user is in the organisation unit of manager A and the other position for this
    The problem is that manager A is unable to approve the form submitted by employee P. If we remove concurrent employment it starts working again.
    I can see that the manager has structural access over employee P in tcode OOSB
    Any suggestion will be welcome
    Parveen

    Hi
    The problem we were having is that the index was not updated. So in spite of having access to the user I was not able to approve the form. I have regenerated the index via report RHBAUS00, which fixed the problem
    Parveen

  • Who's Who with Structural Authorisations

    Hi,
    We have implemented structural authorisation.
    When a manager logs in to the portal and views Who's Who, he is able to see only team members' data.
    Instead, our requirement is to view all the employees' data in Who's Who even though the manager has a structural authorisation profile.
    We have implemented structural authorisation only for the users who are (PORTAL+R/3).
    << Moderator message - Everyone's problem is important >>
    Thanks,
    Usha
    Edited by: Rob Burbank on Oct 18, 2010 3:39 PM

    Check the following link:
    Authorization Made Easy
    http://www.slideshare.net/Juanfe1978/1ux2y54tcwomq2gtx7pd
    Authorization Concept for SAP Student Lifecycle Management
    http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/409acd1d-75d1-2a10-4a91-dadabd18e1ff
    Technical Considerations in Global SAP BW HR Implementations
    http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/505351fe-ec8c-2910-c5b5-a43bbf53f6fc
    Hope this helps you.
    Regards

  • PPOMA_BBP Structural Authorisations Setup

    Hi,
    I am setting up the structural authorisations via transaction OOSP so that I can grant local admins access to their part of the org structure in PPOMA_BBP. However, to assign a user to a profile (tcode OOSB) that has been setup via OOSP, it is considered config and has to be done in the development system.
    Does anyone know if the assignment of user to profile can be changed so that it is not config and can be done in a production system?
    Thanks,
    Mark

    Hi Mark,
    You are absolutely right. Here is what you can do then:
    Expand SPRO tree until you find the transaction you want.
    Then, select it (don't execute it, just click on its name once).
    Then click on Edit > Display img activity.
    Then click on 'Maint Objects' tab.
    Then copy the value of column 'Customizing Object'.
    Depending on the value of column 'Ty' this might not work. If the Ty column value is 'V' or 'S' it should work.
    Then access transaction SE54
    Paste the copied value in the 'Table/View'
    Select 'Generated objects'
    Click on 'Create/Change'
    Then select 'no, or user, recording routine' option.
    This should be done in the customizing client and a request will be generated. Then transport the generated request as needed.
    If you want to implement these changes in your productive system, there is an extra step:
    Go to transaction SOBJ
    Click on 'Maintain'
    Select the object you copied in the previous steps.
    Then click on 'Details'
    Then mark the field 'Current Settings'.
    Refer to the following notes if you need:
    Note 356483 - Customizing: Current settings in the test system
    Note 77430 - Customizing: Current settings
    I hope this helps! I'm confident this will solve your problem 100%!
    Regards,
    Henrique

  • Structural Authorisation access issue

    Hi
    I am currently trying to implement Structural Authorisation. I have run into a problem and am hoping someone may be able to help. The problem I have is that when a user searches for employees in PA20/30 the results show all employees that are part of the org unit that the PD profile is restricting. However, it also includes users that were part of the org unit at some stage.
    Now in PA30 the user does not get the header for these users but is able to access/modify some infotypes. I am not sure but I think there is a setting somewhere that will limit the PD profile to only display current employees of the org unit, but for the life of me I cannot remember or recall where it is. Can anyone help with this?
    Any help will be appreciated,
    Many thanks in advance.

    Hi,
    Did you verify the values for the
    Switch ADAYS "HR: Tolerance Time for Authorization Check"
    in Transaction OOAC.
    Depending on the number of days mentioned.
    The person would have access to old Org Unit till the tolerance period if he modified information in that org unit.
    Actual SAP documentation:
    HR: Tolerance Time for Authorization Check (ADAYS)
      Use
        The tolerance time for the authorization check specifies the length of
        time, in the case of an organizational change, that the personnel
        administrator has access to the data he or she created for a person if
        this person already has an organizational assignment outside of his or
        her authorizations.
      Input values
        The tolerance time for the time logic for master data infotypes is
        specified in calendar days. In the standard SAP system, the value of the
        switch is set to 15 (= 15 calendar days). When this switch is active,
        that is, when it contains a value greater than 0, organizational changes
        that result in the loss of a particular authorization take effect in
        accordance with the tolerance time.
      Example
        ADAYS is set to 15. In the system, only checks with P_ORGIN are active.
        Administrator A has read and write access to data in personnel area A
        while administrator B has read and write access to data in personnel
        area B. It is assumed that for all infotypes the time dependency of the
        authorization check (switch T582A-VALDT) is active.
        A personnel number was assigned to personnel area A until 12/31/9999. As
        of 01/01/2000 this personnel number is assigned to personnel area B. The
        period of responsibility of administrator A ends on 12/31/9999 but due to
        the tolerance time, he or she continues to have unrestricted read and
        write access to data until 01/15/2000 (inclusive). However, as of
        01/16/2000, he or she no longer has write access to data. Nevertheless,
        the administrator still has read access to all data records with a
        start date prior to 12/31/9999.

  • HCM Structural Authorisations - OOSP Not Updating

    Hi All,
    I am experiencing a problem when I am trying to transport a newly created Structural Authorisation from our Development to UAT clients.
    I have been able to apply the transport to the UAT client and table T77PR has been updated with the new structural authorisation, the problem I have is that transaction OOSP is not updating in the UAT client, I am therefore unable to assign the structural authorisation to any positions for testing purposes.
    The UAT client is 'not modifiable'; could this be the problem?
    Thanks
    Simon

    Hi Simon,
    Check in Transaction code OOCR. I infer a setting that you need to verify there. The issue may occur if the TRSP CORR option is  set it to the right option. If you left it Blank, it means automatic transport connection is activated and if the value is set to X, it means no automatic transport connection.
    If the issue persists, I recommend checking the transport logs to see if there is an error.
    Regards,
    Raghu

  • How to apply Structural Authorisations for Report

    Hi All,
    We are using structural authorisations in our project and it is working fine for all processes. But we are facing problem for reports.
    Kindly guide on How to apply structural authorisations to SAP Standard Reports and Custom reports.
    Thanks & Regards,
    Prashant

    Hi Prashant,
    Yeah, LDB is a good way of implementing Structural auth. Apart from that you can assign the Authorization Group in the Z-report attribute, so only users who are part of this group can access this report. This also applies to the standard reports as they are already assigned to standard Authorization Groups.
    Br/Manas

  • Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

    Hi
    I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
    This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    Any help or suggestions on the above would be appreciated.
    Thanks and Regards
    Arun R

    Hi
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    No, the SAP role is unique to the position it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the SAP role directly to the user in SU01/SU01
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    Create the user in SU01/SU10 first before creating infotype 105 in PA30.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    When a user's assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.
    Also the number of days an employee can have access to their previous data is controlled by the parameter called ADAYS (tx OOAC). SAP currently defaults this to 15 days and this is used to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
    Hope this helps.
    Charmaine

  • Ad Hoc Query & HR Structural Authorisations

    Good day,
    Can you kindly suggest solutions to the following?
    Users with access to IT0008 can view basic pay across company codes. I am using user groups for restriction per company code and PD Profiles for structural authorisations - there is also a restriction on personnel areas for the company code in the role in which IT8 is allocated...
    Can you advise how I can restrict IT8 access for users across sites/company codes?
    Thanks have a lovely day!

    Hi Anders,
    Thank you for the reply,
    We are using HR structural authorisations with context solution P_ORGINCON; we have an HR organisational based structure, where roles and PD profiles are linked to positions (PD Profiles are per company code as well and linked to IT1017 on object S)... That is correct. In our HR enterprise structure the personnel area is a breakdown of the section/s within a company code.
    My roles have the personnel area restriction specified; however, when using Ad hoc query it is still allowing cross company access on IT8. Is there perhaps an object that is allowing this access? We are not using object S_QUERY at this stage. Could P_ABAP be allowing this access?

  • Change org structure, structural authorisations and MSS team calendar

    We are using structural authorisations with evaluation path O-S-P for managers .  If I move an employee into a new org unit, when the manager views the Team Calendar in MSS, they can see the new employee.  However, if I move the manager into a new org unit from a specific date with the chief indicator ticked, nothing is displayed in the Team Calendar and the message says "no data available in chosen period".  I thought it could be an authorisation issue so I have done an authorisation check in Time Managers Workplace for the same manager trying to view an employee in the new org unit and it says it's failing on structural authorisations.  If I look in T77UA it shows the correct org unit, positions and employee numbers so I don't understand why it's giving me the structural authorisation error?  PFUD has been run and T77UA looks correct - am I missing something??
    Any help would be greatly appreciated!

    I would check the A012 "manages" relationship and see if it's pointing to the right Org unit. We have had several issues with the team calendar and ended up customising a lot of it.

  • Beginning with Structural Authorisations

    Good day fellow SAP HCM Community,
    Our company is currently investigating the option of going via structural authorisations for our HCM system security but we are struggling to set it up.
    Please advise if anybody has some documentation on the following:
    1. What are the values in the table OOSP for a manager and a subordinate?
    2. Do we need to assign a PD profile to each position in the org structure whether a SAP user or not?
    3. What is the relationship for a manager and a subordinate on the position, i.e. A002 - B002, etc.
    4. In order for a manager to view their subordinates do they all have to be indicated as chief positions as we have a complex management hierarchy?
    5. The function module RH_GET_MANAGER_ASSIGNMENT and RH_GET_ORG_ASSIGNMENT is not available to our DEVLAB client, does it need to be visible in order for structural authorisations to work.
    Kind regards
    Dorianne

    Update your B card or send me a test mail. I will send you doc

  • Structural authorisation HR security

    Hi all,
    I am very much new in HR Security and need your help in Structural Authorisation. My query is:
    1.) How can we get the Personnel number when we have the POSITION or Org unit? Any steps or Tcode?
    2.) Is Structural authorisation applied to the POSITION which has B012 relationships only with the Org unit, or can it also be applied to the POSITION without B012 relationships?
    Pls help.
    Thanks in ADVANCE,
    Chandresh Bajpai

    Hi Chandresh,
    If you know the position, then go to PP01 > select position > give position ID > click on relationship > select the "all" radio button > click on overview > you can see all relationships which have been maintained for that position. Check relationship A008 (position to person).
    Then, structural authorization does not depend only on relationship A012 (chief position). It depends on the total OM structure. Before going for structural authorization, you should have the OM structure in place.
    Regards,
    Purnima

  • Bypass Structural Authorisation

    Hi there,
    I am just wondering if there is some FM that can be called to disable Structural Authorisation? To bypass PA (infotype) authorisation, I can use "HR_READ_INFOTYPE_AUTHC_DISABLE".
    I know that "Context sensitive" might be more relevant than bypassing struc auth.
    <removed_by_moderator>
      Thanks so much!
    Zul
    Edited by: Mohamed Ali Zulzaili on Sep 10, 2008 9:41 AM
    Edited by: Julius Bussche on Sep 10, 2008 9:56 AM

    Hi,
    you could use the report RHBAUS00.
    Regards
    Bernd

  • Structural authorisation along with organisational key

    Hi All:
    The scenario is: There are 8 company codes (8 different countries) with 8 different Personnel areas. A user needs to have access to all employees in his country and, secondly, all the HR employees spread over all other company codes in different org units.
    I can create a role using P_ORGIN with that PA and assign it to the user, but how do I provide him access to all other HR employees? Structural Authorisation would restrict access to a specific org unit, which doesn't suffice for both criteria as it overrides org key.
    Helpful answers would be duly rewarded.
    Regards,
    Kmaini

    Hi,
    Structural authorization does not overwrite org.key.
    You need to customize structural authorization accordingly.
    For example, you have 8 company codes associated with personnel areas PA01-PA08. You are trying to create role for company code 1.
    1. In P_ORGIN you give access to all personnel areas PA01-PA08.
    2. For structural authorization you create following entry points:
    - root org.unit for company 1
    - HR org unit for company 2
    - HR org unit for company 3
    - HR org unit for company 4
    - HR org unit for company 5
    - HR org unit for company 6
    - HR org unit for company 7
    - HR org unit for company 8
    Cheers

  • Org Structural authorisation

    Hi,
    I am new to org structural authorisation. Can anyone please let me know the step by step configuration of structural authorisations and how to test the reports in structural authorisation?
    Thanks,
    Usha

    Hi,
    This is SAP reference http://help.sap.com/saphelp_470/helpdata/en/34/49ba3b3bf00152e10000000a114084/content.htm
    This is guide for set up http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c0a19aba-15f2-2c10-a6b0-ccd121447ec2?quicklink=index&overridelayout=true
    Cheers!
