R/3 reports related to structural authorization

Similar Messages

• Control Workflow Report output using Structural Authorization

  Is it possible to control output of Workflow Reports using Structural Authorizatins. E.g. Workflow Admins having access to tcode SWi2_FREQ will be able to see project wide data, but i want to restrict the workflow admins at department level from seeing workflow data for other departments. is that possible using Structural authorizations or any other mechanism?
  My understanding is that Structural authorizations pretty much control PA/PD, and not other modules. I did a quick test,
  1) Created a org structure
  2) Created employees, users, and set up structural authorizations
  Now when users are granted authorization to PA20, they are restricted to what they should be seeing, but when they are granted authorization for workflow admin reports, structural authorization don't seem to work, they are able to see data for workflow triggered for other departments as well. Is that the standard behavior or i am missing something. I don't have enough experience with Structural auth.
  I will appreciate any guidance on this matter.
  Thanks,
  Saurabh

  Arghadip, please explain how this will prevent someone from Norway from looking at the workflow log of a workflow for an employee belonging to the Danish part of the organisation.
  <i>Message was edited by Kjetil Kilhavn:</i>
  To explain a bit more in detail: how does this prevent me (Norwegian) from going into SWI1, SWIA or any other transaction, and looking at data from other parts of the organisation. I don't think it will work.
  I think the only way to achieve this is to either modify SAP's standard code and include some structural authorisation checks - or take the standard transactions out from every user role and create your own wrappers or program copies which basically does the same as the modification would have to do.

• Structure Authorization Issue

  Hi guys,
  I don't have structure authorization implemented or HR system implemented. I was playing with my sandbox system to learn structure authorization by using step by step tutorial.  After I created a structure authorization for two users I deleted everything related to structure authorization but unfortunately, some t-codes related to org chart for example PPOME, PPOMW are not working properly, its not allowing to create new org char.
  We have another team needs to create some org chart for prototyping but they can't create org chart its giving no authorization error when I ran SU53 it's not giving regular auth error its also give failed HR structure authorization error, this is the error in su53 coming (Date 10/01/2010 and time Plan version 01 Object ID 5000075 Action LISD) there are so many different object ID on the list.
  They all already have SAP_ALL in the system. Can anybody give some kind of report so I remove structure authorization completely from the system.
  Please help
  Thanks

  Structural Authorization Check
  Structural authorizations are used to grant access to view information for personnel where HR OM has been implemented as we stated. The Access is granted to a user implicitly by the useru2019s position on the organizational plan.
  On top of the general authorization check, which is based on authorization objects, you can define additional authorizations by hierarchical structures.
  In each area, the combination of start object and [Evaluation Path|http://help.sap.com/saphelp_erp60_sp/helpdata/en/35/26c256afab52b9e10000009b38f974/content.htm] from an existing structure returns a specific number of objects. This exact combination, in other words the number of objects returned by this combination, represents a useru2019s [Structural profile|http://help.sap.com/saphelp_erp60_sp/helpdata/en/0c/49ba3b3bf00152e10000000a114084/content.htm]. So structural authorization check is therefore based on a Dynamic concept: The concrete objects that are returned by a structural profile change as the structure (under the start object) changes.
  Steps to Perform to Set Up Structural Authorization Check in brief:
  (Before start moving for str. auth profile it is assumed that the Switch AUTSW for HR General Authorization check is also activated in table T77S0. Structural Authorization won't give the access for accessing HR data as described in the last posts and works together with General Authorization - to remind you)
  1. Integration:  Control parameters for the integration of Personnel Planning and Development (PD) with other applications (such as Personnel Administration (PA) and Cost Accounting (CO), etc.) are specified in the "PLOGI" group.
  2. Turn on PD PA switch: TCode used is OOPS. Ensure value registered for PLOGI u2013 ORGA is X. No other values need to be checked or changed.
  (Note: PD and PA sub modules of HR are not configured to share data by default in the SAP delivered system. This switch must be on for data to flow between both modules.)
  3. Turn on Structural Authorizations Main Switches : TCode is OOAC. Value for ORGPD is set to 1.
  4. Create Org. Plan (check the first post).
  (Note: Do not create your Organizational Plan without this switch on. If you do, structural authorizations will not work and some org and infotype setup will not work. You cannot turn the switch on and get structural authorizations on an organizational plan, that was created while it was off, to work..)
  5. Create Personnel Master Record: Tcode is PA40. This is time consuming staff.
  6. Create record for Infotype 0105 - TCode is PA30.
  7. Create Structural Authorization Profiles u2013 TCode = OOSP
  8. Create entry for IT 1017 - TCode is PO10 (Organizational Unit) or PO13 (Position).
  9. Assignment of Structural Authorizations: The assignment of the Structural Authorization can be found with good details here in [SAP Help|http://help.sap.com/saphelp_erp60_sp/helpdata/en/97/27973b3ea3eb0fe10000000a114084/frameset.htm].
  Please check and let us know for any query.
  Regards,
  Dipanjan

• Structural authorization - creation of employee number in webdynpro or abap

  Hello Experts,
  We are facing some problems with the combination of structural authorizations and the creation of a new employee.
  When we use PA40 to create a new employee this does not give any problem.
  In the webdynpro we first execute a call transaction PA40 to apply infotype 0000 and 0001. This works well.
  Except that the call transaction does not set the connection between PA and OM. (so we did program this ourselves)
  In PO13 and the table HRP1001 the same relations are made as when we use PA40 in the sap gui.
  After this we do call transactions PA30 for the next infotypes.
  When we check the SU53 it gives a message: problems with structural authorizations object P (with the employeenumber) starting at 01.01.1800, enddate is empty.
  The employee is manager and connected with his userid in infotype 0105.
  We use in the structural profile the function module  RH_GET_MANAGER_ASSIGNMENT
  We checked with transaction HRHAUTH.
  User has been adjusted to the tables T77UA etc.
  We do not use workflow in this webdynpro
  We used the trace function when this was executed, but it did not give more information about missing structural authorizations.
  This issue was before on SDN (Structural authorization - creation of employee number) but unfortunally there was no solution there for the issue!
  Hope one of you can help me to find the solution!
  With kind regards,
  Rita Mensink

  Hi.
  After 2½ days of frustration I finally nailed this.
  Function group RHAC, that handles the authority checks, initially buffers a table called VIEW containing all objects available for the user. As stated earlier in this conversation, SAP handles creation of relations in HRP1001 (links PA and OM). At this point the new employee number is appended to buffered table VIEW in function group RHAC.
  When execution the PA40 activity through CALL TRANSACTION, the creation of the relations are not handled - and the same goes for updating the buffered table VIEW. The table can be updated using the function module RH_VIEW_ENTRY_INSERT from the same fundtion group:
  This example might be useful
    data: ls_view_entry type hrview,
          ls_related_object type hrobject.
    ls_view_entry-plvar = '01'.
    ls_view_entry-otype = 'P'.
    ls_view_entry-objid = lv_pernr.
    ls_view_entry-begda = '18000101'.
    ls_view_entry-endda = '99991231'.
    ls_view_entry-maint = 'X'.
    ls_related_object-plvar = '01'.
    ls_related_object-otype = 'S'.
    ls_related_object-objid = lv_ny_objid.
    call function 'RH_VIEW_ENTRY_INSERT'
      exporting
        view_entry     = ls_view_entry
        related_object = ls_related_object.
  Best regards
  Poul Steen Hansen
  Senior Technical Consultant
  EDB Consulting Group A/S, Denmark

• Error Occured when Applying Structural Authorizations in E-Recruitment

  Dear Experts,
  The E-Recruitment functionalities were working fine when no structural authorizations are applied. However, when structural authorizations are configured for the user on the backend SAP system (I configured structural authorizations for the user to have access to only his own department), the E-Recruitment module does not work.
  When I tried to access requisitions-> maintenace, application management->applications, etc, (i.e. when the E-Recruitment module tries to retrieve data from the backend), the the following error message occurred.
  Error when processing your request
  What has happened?
  The URL http://<hostname>:<port>/sap/bc/bsp/sap/hrrcf_start_int/application.do was not called due to an error.
  Note
  The following error text was processed in the system ABC : <b>RAISE EVENT statement nested to deep.</b> The error occurred on the application server XYZ and in the work process 0 .
  The termination type was: RABAX_STATE
  The ABAP call stack was:
  Method: ON_CHANGE of program CL_HRRCF_INFOTYPE=============CP
  Method: INSERT_RECORD of program CL_HRRCF_INFOTYPE=============CP
  Method: READ_RECORDS of program CL_HRRCF_REQUISITION_INFO=====CP
  Method: GET_RECORDS of program CL_HRRCF_INFOTYPE=============CP
  Method: GET_RECORDS_BY_DATE of program CL_HRRCF_INFOTYPE=============CP
  Method: ON_REQUISITION_UPDATE of program CL_HRRCF_REQUI_BL=============CP
  Method: ON_CHANGE of program CL_HRRCF_INFOTYPE=============CP
  Method: INSERT_RECORD of program CL_HRRCF_INFOTYPE=============CP
  Method: READ_RECORDS of program CL_HRRCF_REQUISITION_INFO=====CP
  Method: GET_RECORDS of program CL_HRRCF_INFOTYPE=============CP
  Please advice if E-Recruitment supports structural authorizations. If it does, are there additional configuration required to enable structural authorization. Kindly enlighten me on how to resolve this error. Any help will be much appreciated.

  Hello Louis,
  I implemented e-recruiting with structural authorizations for a customer and encountered exactly the same error. Anything in the e-recruiting implementation leads to this problem. When you miss some object authorizations the implementation generates an infinite callstack which results in this short dump.
  So be sure you assigned all necessary objects to recruiters and also candidates (NA, NB, NC, ND, NE, NF, BP, CP, P, Q, QK, VA, VB, VC) but this might be difficult esp. with the P object, when you use structural authorizations for other purposes, too. This usually generates problems in manager involvement (e.g. manager can't choose a recruiter to approve his requisition as he has not the structural authorization for the hr department members).
  It is also a bit strange that candidates need for example change rights for the requisition (NB) although they won't actually change it but without it the relation application->requisition, candidacy->requsition cannot be created correctly.
  Last but not least be always sure that you refreshed the authorization buffers after changing structural authorizations. They are usually switched on for better performance.
  Best regards
  Roman Weise
  PS: be aware that using structural authorizations will keep you busy for some time. we needed ~2 months to set up the system in a way that e-recruiting worked as the custoimer wanted without interfering any other productive hr component (admin, org. mgmnt., managers desktop).

• HR Structural Authorization DSO's

  Hi,
  I have developed HR module for the first time. I need to create the authorization objects for the HR reports.
  I found 0PA_DS02 and 0PA_DS03 for structural authorizations in HR. I dont understand the purpose of these DSO's.
  Can some one explain what is purpose of the 0PA_DS02 and 0PA_DS03 dso's and how to create authorizations in HR?
  Thanks and Regards,
  Pooja

  HI Pooja,
  Use "Rsecadmin" create a authorization object and in that click on the below tool bar infocube authorizations which gives you a option to choose the infoprovider either cube or dso .choose your dso and then navigate around according to your requirements with include option.
  I think you need to load the DSO 0TCA_DS01 for Authorization Data(Values). Activate this DSO and try loading the data into this DSO as well and then try to generate the authorizations from this
  Thank you

• Structural authorization check in HR-ABAP

  Hello Friends,
  I am not able to get how to do the structural authorization check, my exact problem was : There is a report where it diplays all the qualifications of the employees and now I should restrict to only the employees who belongs to the organization unit depending upon the user who is running the report belongs to. It should check some more authorization profiles also.
  Regards,
  Yoganand.

  Hi Yoganand,
  if you use logical database PCH in your report, it should work by default.
  Manually search for RHSTRUAUTH in transaction SE37. There
  is a function modul which gives a list with the person the user has authorization.
  With this list you could compare the list with selected persons.
  hope this helps.
  Regards
  Bernd

• HR structural authorization

  Hello Friends,
  I am trying to get concept of HR structural authorization.  I have read the document " Structural Authorizations Step by Step, with Gotchas Too by Norm and Carl". After reading this document, what i have understood is In Structural authorization, we create PD profile eg: Manager, employee, ALL etc via transaction OOSP. And after that you assigned these profile to position via report RHPROFL0 or manually via transaction OOSB.
  But what i am not able to understand is
  1.How do this profile Manger, Employee etc will work? How do Users get authorization. What types of activities Uses are able to perform?  What type of data user will have acess to? Do users get authorization to transaction like PA20 or you still need additional role that is created via PFCG.
  2. What my understanding is Users who are in the top Hierarchal nodes or structure (eg: manager) is able to access data of employee below him. Do we still need to create roles like MSS and ESS role via transaction PFCG?
  If somebody can clarify, I will really appreciate.

  Hello Mate,
  Have a loook at this thread, this may help .
  Re: How to Restrict HR Org Structure from other Org Structures
  Regards,
  Regi

• SAP HR Structural Authorizations

  Hi Experts,
  I need a help regarding SAP HR Structural Authorizations.
  Currently our HR System is set with structural authorizations were in
  users will be accessing HR Org structure with different pd-profile and HR relationships (with Org units ex:
  assistant relation, manager relation).
  Now we want to design the roles based on company codes, where users should be able to see
  all organization units within company code 'xyz'.
  Do we need to create new pd-profile or new HR relationships or just restrict within existing HR roles for
  accessing organizations units within different company codes.
  Please guide me steps to proceed with this requirement?
  Your early response is highly appreciated, thanks in advance......

  You will need to talk to the HR folks about this and whether any employee grouping on the HR side matches a company code unit on the FI side to use in the authorizations.
  This means that HR data and processes are also aligned to finance processes, which was often the case with local HR systems but less so with global ones.
  The answer is on your side in the data and the processes. There is no single field which you can use for both, let alone an org. level field known to structural authorizations.
  Cheers
  Julius

• CATS selection + Structural Authorization Check

  Hi, guys!
     Please, check if you can help me with this doubt.
     The seleciton of CATS are according to the Cost Center. And we need to change the employee selection of CATS according to the new Structural Authorization (recorded in OOSB).
     So the doubt is, if we configure the CATS profile to report selection criteria and create a generic variant, will it select the employees according to OOSB?
  Regards

  Hi, everyone!
     I've just made the test and it worked without problem.
  Regards,

• CAT2 Org Unit Structural Authorizations - Employees moving to different Org

  Hello, everyone -
  We currently use structural authorizations to restrict time keepers to only maintain time entries for employees in their org units. If an employee moves to an org unit maintained by a different timekeeper, we want to continue to allow the previous time keeper to maintain entries for the time the employee was in their org.
  Example: pernr 1 starts out in org unit X. Org Unit X time entries are maintained by time keeper A. Effective 5/1/2014, pernr 1 moves to org unit Y, whose time entries are maintained by timekeeper B. The standard maintenance data entry profile allows the user to go back 6 weeks. On 5/2/2014, time keeper A tries to enter overtime worked by pernr 1 for his org unit on 4/30/2014. He receives the error "Not authorized to maintain data for personnel number &2 using profile &1".
  How do we allow a timekeeper to make entries for any employee who was in any of their org units, even if they're no longer there?
  Thanks in advance, and I'll definitely reward points for any helpful answers.
  - Steve

  Hi, Rohit -
  The actual scenario is that we are set up to move all withdrawn personnel numbers to a pooled "separated" position in a separate org unit. This frees their previous position to be filled by a new hire. It also means that a LOT of personnel numbers are in this org unit, which the time keeper should not have access to.
  D.  -
  We're using a custom function module entered in T77PR to retrieve the organization units that the time keepers should access.  Here are the entries in T77PR:
  (The "Maint."/Processing Type column is checked for all 3 rows.)
  Z_HRLY_TMKPR 1 01 O          O_S_P 12 3   ZBC_GET_TKEEPER_ORGS_BY_USER
  Z_HRLY_TMKPR 2 01 S          O_S_P 12 3   ZBC_GET_TKEEPER_ORGS_BY_USER
  Z_HRLY_TMKPR 3 01 P          O_S_P 12 3   ZBC_GET_TKEEPER_ORGS_BY_USER
  The function module uses a custom evaluation path ZHT that looks like this:
  15 * B 008 Holder * S
  20 S B ZHT Hourly Timekeeper * O
  30 US A 208 Is identical to * P
  I'm not sure what you'd like to see related to the profile... Is there a way to configure the CAT2 logic to allow a user to maintain a personnel number who is in the org for at least part of the time that the employee was in an organization that the user is authorized to maintain?
  Thanks again,
  - Steve

• Regeneration of INDX for Structural Authorization

  Hello all,
  We are having problems with the index of structural authorization.... employees can´t see objects created until we run the program RHBAUS00.
  I'm reading at the documentation of program RHBAUS00, and it says that "The index for the structural authorization profile of the user is generally regenerated during the night in a batch job".....  but it is not working !
  Does any body know how SAP execute an automated regeneration of index for structural authorization?
  I want to know which job do that or how the system do that? or if I need to define a job by my self?
  Thanks in adcanve.
  Enrique Vera

  Hi Enrique,
  I think you have misanderstood the documentation.What it says is that usually customers run this program RHBAUS00 as batch every night. But apart from the report there is no other program/functionality that will reset the INDEX
  You have to set up this report to run as BDC everynight if you require it.
  Hope this help
  Sarah

• Structural Authorizations Issue

  Dear all,
  We are involved in a HCM OM project and we have an issue with the Structural Authorizations.
  We have more than one user who must acces to the same Organizational Unit. This is suppose to be easy because we assign this object code to an user profile (T77pr) 
  The problem is that, the users doesn't have to have acces to the same objects which belongs to this Org Unit. (Objects positions in example).
  I.E.
  User 1 acces Org Unit 1
  User 2 acces Org Unit 1
  User 1 create Positions in Org Unit 1
  User 2 create positions in Org Unit 1
  User 1 cannot acces to positions created by user 2.
  Any idea? how can we restrict this access?
  Thanks in advance,
  L.

  let me take a shot at this by drawing an analogy with a std sap scenario in hcm.
  my-scenario-1:
  1. position to position relationship is maintained for the sake of line managers A/B-002 relationship to be specific & in the absence of chiefs because in an org unit there are 3 line managers with 10 people reporting to each of them
  2. this means
  manager-1 has 10 people reporting to him/her
  manager 2 - has 10 other people
  manager-3 has 10 other people.
  3. the above means manager-1 cannot view people reporting to manager-2 and 3 respectively,.. and extrapolates this to each manager.
  4. how do you handle this via str.auths in sap std?
  now compare the above to your scenario:
  1. I would create a z-relationship for each user and restrict access based on that using a functional module in the structural profile.
  worth a shot .....not very complex if you ask me :-0
  cheers

• Structural Authorization in e-recruiting

  Hello all
  We are implementing e-recruiting 603 ehp4 in standalone scenario. By customer requirements, the "recruiter" role was assigned to all manager therefore the standard service "Create requisition request" from MSS is not in use. So  structural authorization we need for the manager to create requisition for his position only.
  So, someone know how to perform this or tell me how to complete the table T77PR -the function module, evaluation path, object  type and so on-
  As always, thank you a lot
  Regards
  E. Ciotta

  Hello Emilio,
  Structural authorization in e-recuitng are a mess (although I have not found any official documentation which states "It won't work" and solution management says that there is no restriction sap support answers on customer request for that topic that it is not supported).
  Trouble with your requirement is when you restrict the structural authorizatuion on positions for the manager and anywhen run internal job market the manager could not access the position information on a publication if he wants to apply as internal candidate anywhere else in the company. Could get quite tricky to solve this (next to all other issues on this topic).
  If it is just about restricting the search I would exactly do this. Either per modification or by a customer development I'd restrict the search result by the structural information without actually switching on structural authorizations.
  For getting the positions you should be able by using an evaluation path for direct and indirect positions of a manager or if not available use employees under a manager. If it does not skip the positions they should be contained in the result. If not copy it and remove the skip flag (and S-P relation as it is not needed). Unfortunately I cannot say which evaluation paths are really standard as most systems I use are enhanced here.
  path should be like:
  NR    Obj.    A/B    Rel.    P    Rel. Obj.    (Descr. Info)
  10    P       B      008     *    S            (get position for employee)
  20    S       A      012     *    O            (get org.units the position is leading position)
  30    O       B      002     *    O            (get all other org.units under the org. unit assuming manager may see all levels)
  40    O       B      003     *    S            (get all "normal" related positions in org.units)  
  50    O       B      012     *    S            (get all leading org.units - could be more than in 10 as we have several org.unit levels)
  Best Regards
  Roman

• Structural authorization : role, profile, user group

  Dear All,
  I am working in OM in Structural authorization, can anyone tell me difference among Roles, profile, user group.
  I am mainly concerned with roles and profiles, What exactly is role and what is profile.
  Pl give me practical example....
  Regards,
  Kumar

  Hi kumar,
  Roles: It is divided in to single role and Composite Role. It is used to maintain your list of allowed transactions and reports as a menu. Once you assigned this role to the user, he / she can access only those transactions, what you maintained in the menu.
  Profile: It is based on the authorization object. Unless untill, you generate the profile, the system will not consider the authorization for the assigned menu. You can provide the authorization based on various objects like infotype, transaction code, master record, org key,..
  User Group: Used to set the unique set of rules for the specific user. How system should react in case of specific user group.
  Good Luck
  Om
  Reward it, if u feel helpful.