Structural Authorisation

Similar Messages

• Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

  Hi
  I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
  This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
  1. Can we integrate both structural authorizations and position based role mapping in one system?
  2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
  3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
  4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
  Any help or suggestions on the above would be appreciated.
  Thanks and Regards
  Arun R

  Hi
  1. Can we integrate both structural authorizations and position based role mapping in one system?
  Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
  2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
  No, the SAP role is unique to the postion it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the sap role directly to the user in SU01/SU01
  3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
  Create user in SU01.SU10 first before creating infotype 105 in PA30.
  4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
  *When a users assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.   
  Also the number of days an employee can have access to their previous data is controlled by the parameter is called ADAYS - tx OOAC .  SAP currently defaults this to 15 days and this is used  to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
  Hope this helps.
  Charmaine

• Ad Hoc Query & HR Structural Authorisations

  Good day,
  Can you kindly suggest solutions to the following?
  Users with access to IT0008 can view basic pay across company codes. Iam using user groups for restriction per company code and PD Profiles for structural authorisations - there is also a restiction on personnel areas for the company code in the role in which IT8 is allocated...
  Can you advise how i can restrict IT8 access for users across sites/company codes?
  Thanks have a lovely day!

  Hi Anders,
  Thank you for the reply,
  We are using HR structural authorisations with context solution P_ORGINCON, we have a HR Organisational based structure - where roles and PD profiles are linked to postions (PD Profiles are per company code as well nd linked to IT1017 on object S)... That is correct In our HR enterprise structure the personnel area is a breakdown of the section/s within a company code.
  My roles have the personnel area restriction specified however when using Ad hoc query it is still allowing cross company access on it8. is there perhaps an object that is allowing this access we are not using object S_QUERY at this stage. could P_ABAP be allowing this access?

• Change org structure, structural authorisations and MSS team calendar

  We are using structural authorisations with evaluation path O-S-P for managers .  If I move an employee into a new org unit, when the manager views the Team Calendar in MSS, they can see the new employee.  However, if I move the manager into a new org unit from a specific date with the chief indicator ticked, nothing is displayed in the Team Calendar and the message says "no data available in chosen period".  I thought it could be an authorisation issue so I have done an authorisation check in Time Managers Workplace for the same manager trying to view an employee in the new org unit and it says it's failing on structural authorisations.  If I look in T77UA it shows the correct org unit, positions and employee numbers so I don't understand why it's giving me the structural authorisation error?  PFUD has been run and T77UA looks correct - am I missing something??
  Any help would be greatly appreciated!

  I would check the A012 "manages" relationship and see if its pointing to the right Org unit. We have had several issues with the team calendar and ended up customsing a lot of it.

• Beginning with Structural Authorisations

  Good day fellow SAP HCM Community,
  Our company is currently investigating the option of going via structural authorisations for our HCM system security but we are struggling to set it up.
  Please advise if anybody has some documentation on the following:
  1. What is the values in the table OOSP for a manger and a sub-ordinate?
  2. Do we need to assign a PD profile to each position in the org structure whether a SAP user or not?
  3. What is the relationship for a manger and a subordinate on the postion, i.e. A002 - B002, etc.
  4. In order for a manager to view their subordinates do they all have to be indicated as chief positions as we have a complex management hierarchy?
  5. The function module RH_GET_MANAGER_ASSIGNMENT and RH_GET_ORG_ASSIGNMENT is not available to our DEVLAB client, does it need to be visible in order for structural authorisations to work.
  Kind regards
  Dorianne

  Update your B card or send me a test mail. I will send you doc

• Who's Who with Structural Authorisations

  Hi,
  We have implemented structural authorisation.
  When manager logins to portal and view Who's who he is able to see only team members data.
  Instead our requirement is to view all the employees data in Who's who though manager has structural authorisation profile.
  Structural authorisation we have implemented only for the user who are (PORTAL+R\3).
  << Moderator message - Everyone's problem is important >>
  Thanks,
  Usha
  Edited by: Rob Burbank on Oct 18, 2010 3:39 PM

  Check the following link:
  Authorization Made Easy
  http://www.slideshare.net/Juanfe1978/1ux2y54tcwomq2gtx7pd
  Authorization Concept for SAP Student Lifecycle Management
  http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/409acd1d-75d1-2a10-4a91-dadabd18e1ff
  Technical Considerations in Global SAP BW HR Implementations
  http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/505351fe-ec8c-2910-c5b5-a43bbf53f6fc
  Hope this help you.
  Regards

• PPOMA_BBP Structural Authorisations Setup

  Hi,
  I am setting up the structural authorisations via transaction OOSP so that I can grant local admins access to their part of the org structure in PPOMA_BBP. However, to assign a user to a profile (tcode OOSB) that has been setup via OOSP, it is considered config and has to be done in the development system.
  Does anyone know if the assignment of user to profile can be changed so that it is not config and can be done in a production system?
  Thanks,
  Mark

  Hi Mark,
  You are absolutely right. Here is what you can do then:
  Expand SPRO tree until you find the transaction you want.
  Then, select it (don't execute it, just click on its name once).
  Then click on Edit > Display img activity.
  Then click on 'Maint Objects' tab.
  Then copy the value of colum 'Customizing Object'.
  Depending on the value of colum 'Ty' this might not work. If the Ty colum value is 'V' or 'S' it should work.
  Then access transaction SE54
  Paste the copied value in the 'Table/View'
  Select 'Generated objects'
  Click on 'Create/Change'
  Then select 'no, or user, recording routine' option.
  This should be done in the customizing client and a request will be generated. Then transport the generated request as needed.
  If you want to implement this changes in you productive system, there is an extra step;
  Go to transaction SOBJ
  Click on 'Maintain'
  Select the object you copied in the previous steps.
  Then click on 'Details'
  Then mark the field 'Current Settings'.
  Refer to the following notes if you need:
  Note 356483 - Customizing: Current settings in the test system
  Note 77430 - Customizing: Current settings
  I hope this helps! I'm confident this will solve your problem 100%!
  Regards,
  Henrique

• Structural authorisation HR security

  Hi all,
        I am very much new in HR Security ,need your help in Structural Authorisation My querry is that
  1.) how can we get Personnel number when we have POSITION or Org unit.any steps or Tcode.
  2.) Is Structural authorisation applied to the POSITION who has B012 Relation ships only with Org unit or it can also be applied on the POSITION without B012 relationships.
  Pl.. help..
  Thanks in ADVANCE,
  Chandresh Bajpai

  Hi Chandresh,
  If you know position, then go to PP01 > select position > give position ID > Clcik on relationship > select all radio button > click on overview > you can see all relationship which have been maintained for that position. Check relathionship A008 (position to person).
  Then structural authorization does not depend on only relationshio A012 (chief position. But it depends on total OM structure. Before going for structural authorization, you should have OM structure in place.
  Regards,
  Purnima

• Concurrent Employment and MSS ( Structural Authorisation)

  Hi
  We are having some problem with Structural authorisation in case of concurrently employed users. The scenarios is as follows
  1. User A is manager and have MSS role and relevant PD profile
  2. User P is employee . This employee is concurrently employed. one position of this user is in the organisation unit of manager A and the another position for this
  The problem is that the manager A is unable to approve the form submitted by the employee P. if we remove concurrent employment it start working again.
  I can see that Manager has structural access over employee P in tcode OOSb
  Any suggestion will be welcome
  Parveen

  Hi
  The problem we were having is that index was not updated. So inspite of having access to the user i was not able to approve the form. I have regenerated the index via report rhbaus00 which fixed the problem
  Parveen

• Bypass Structural Authorisation

  Hi there,
    I am just wondering if there is some FM that can be called to disable Structural Authorisation? ..to bypass PA (infotype) authorisation, i can use "HR_READ_INFOTYPE_AUTHC
  _DISABLE" .
  I know that "Context sensitive" might be more relevant than bypassing struc auth.
  <removed_by_moderator>
    Thanks so much!
  Zul
  Edited by: Mohamed Ali Zulzaili on Sep 10, 2008 9:41 AM
  Edited by: Julius Bussche on Sep 10, 2008 9:56 AM

  Hi,
  you could use the report RHBAUS00.
  Regards
  Bernd

• Structural authorisation along with organisational key

  Hi All:
  The scenario is:There are 8 company codes(8 diff countries) with 8 diff Personnel areas.A user needs to have access to all employees in his country and secondly, all the HR employees spread over all other company codes in different org units.
  I can create role using P_ORIGIN with that PA and assign to the user but how do i provide him access to all other HR employees.Structural Authorisation would restrict access to a specific org unit which doesn't suffice both criteria as it overrides org key.
  Helpful answers would be duly rewarded.
  Regards,
  Kmaini

  Hi,
  Structural authorization does not overwrite org.key.
  You need to customize structural authorization accordingly.
  For example, you have 8 company codes associated with personnel areas PA01-PA08. You are trying to create role for company code 1.
  1. In P_ORGIN you give access to all personnel areas PA01-PA08.
  2. For structural authorization you create following entry points:
  - root org.unit for company 1
  - HR org unit for company 2
  - HR org unit for company 3
  - HR org unit for company 4
  - HR org unit for company 5
  - HR org unit for company 6
  - HR org unit for company 7
  - HR org unit for company 8
  Cheers

• Org Structural authorisation

  Hi,
  I am new to org structural authorisation.Can any one please let me know step by step configurations of structural authorisations and how to test the reports in structural authorisation?
  Thanks,
  Usha

  Hi,
  This is SAP reference http://help.sap.com/saphelp_470/helpdata/en/34/49ba3b3bf00152e10000000a114084/content.htm
  This is guide for set up http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c0a19aba-15f2-2c10-a6b0-ccd121447ec2?quicklink=index&overridelayout=true
  Cheers!

• Problem in Structural Authorisation

  Hi All,
  scenario: There is CEO, of a org unit say ABCpvt Ltd. This root org unit has many sub units, depts & positions.
  This CEO, should need to view only his org units & positions which come under ABC pvt Ltd, & he should not able to view other depts & units.
  For this i want to create structural authorisation,
  1.hence I created a user eg: RKRao(CEO)
  2.I created a role through PFCG.
  3.I creeted stucrutal autho through OOSP, OOSB...
  4.I maintained infotype  IT 0105 communication, then OM IT 1017(pd profiles infotype)
  When I went to test this user, it is not showing me the desired data, which he is liable to seeunder his org unit ( i.e ABCPvt ltd, units, positions ,jobs etc)
  Hence can any one tell me where I am wrong, I have maintained all the neceaary transaction needed for structural autho
  Pls help me out in this!  <b>points are assured</b>
  Regds,
  NithiBabu

  Hi Nithi,
  The pre-requisite for configuring Structural Authorization are:
  A)PLOGi – ORGA
  TCode: OOPS
  This switch activates the integration between Personnel administration (PA) and Org Management (OM). Ensure this switch is ‘on’ before setting up the Org Plan; structural profile etc.  Turning the switch ‘on’ is a mandatory prerequisite before other setups are initiated.
  B) In case of OOAC,Following switches need to be set to appropriate values (switching on) for structural authorizations:
  1.     ORGIN : HR master data: Value “1” mean its activated
  2.     ORGPD: HR Structural authorization check: Value “1” means it is activated. This is mandatory for Structural authorization to work (see note).
  3.     PERNR: HR Master Data: Personnel number check activation: Value “1” mean it is activated.
  4.     ADAYS: Tolerance time for authorization check: The value entered here is the number of days for tolerance limit. This determines how many calendar days the user has access to the data he or she is entitled to, after the organizational change. For example “ADAYS = 10” means 10 calendar days of tolerance limit. In the standard system the value is set to 15; If the value is set to “0”, the organizational change causes the user to lose the authorization immediately upon change.
  C) After creating the Authorization Profile in OOSP
  IMG > Personnel mgmt > Org Mgmt > Basic Settings > Authorization Mgmt > Structural Authorization > Maintain Structural Authorization Profile
  Select the Profile and double click the Authorization Profile maintenance in the dialog structure on the left of the screen
  1.     Accessible Org Mgmt Objects are determined by the settings defined in this step. This step determines permissible Objects for the user.
  2.     Permissible objects can be defined in more than one ways. By directly identifying the Object ID’s (optional) in the Object ID field. Or through an Evaluation Path (optional) which ensures that users are only authorized to access objects along a particular path in Organization structure or plan. If an Evaluation path is specified, Object ID needs to be specified which determines the root object for the evaluation path Or via a function module which determines the objects the users are authorized to access.
  3.     If function module (optional) is specified, the Object ID need not be specified and depending upon the logic of the function module, evaluation path may or may not be specified. The usage of Function module to determine authorized objects provides flexibility that is not available via Evaluation path.
  Hope this further clarifies your doubt.
  Regards,
  Raj

• Structural Authorisation - Unrelated Objects

  Hi all,
  We are facing an issue in structural authorisation of OM objects. The user wants to have authorisation of all objects under his root Org unit alongwith any objects that are unrelated (having no relationship with any Org unit / Positions).
  Is this possible with standard configuration? How can this be achieved?
  Regards,
  VK

  Hi VK
  Yes it is possible.
  You have to create your own function module and assign it to a structural authorization profile (field T77PR-PFUNC)
  In this function module, as semvladigo says you have to collect all required unrelated objects and return them via OBJ_TAB interface table.
  as a reference please check the following function modules:
  RH_GET_MANAGER_ASSIGNMENT
  RH_GET_ORG_ASSIGNMENT
  Regards,
  Sergey

• Structural authorisation performance issue

  Hi,
  For our customer we have the HR-PD object authorisation activated. We now encounter performance issues in the buffering of objects. We have set the buffer/refresh two times a day but this has a huge impact on the resources and hence performance of the system. We actually need to set the buffer to be run more then two times a day (once a half hour) but this is now out of the question.
  Are there any settings, configuration, or something else that can be done to improve performance.
  Business Scenario: in SAP SLcM* a student is already admitted for a program on faculty (O-unit) X. After a couple months the student is admitted to another faculty (Y) by an employee of that faculty Y (that proces is without authorisation).From that moment on the structural authorisation gets in place. Also on this moment the student is not visible to the employee of faculty Y. After the run of the buffer the student is visible again.
  br,
  Rob
  *Also works with HR-PD objects and the structural authorisation from ERP-HCM. SAP SLcM is a industry solution for the higher education market.

  >
  Rob Jonkers wrote:
  > Hi,
  >
  > For our customer we have the HR-PD object authorisation activated. We now encounter performance issues in the buffering of objects. We have set the buffer/refresh two times a day but this has a huge impact on the resources and hence performance of the system. We actually need to set the buffer to be run more then two times a day (once a half hour) but this is now out of the question.
  >
  > br,
  > Rob
  >
  > *Also works with HR-PD objects and the structural authorisation from ERP-HCM. SAP SLcM is a industry solution for the higher education market.
  Hi rob, what exactly is meant by refreshing the buffer two times a day?  Are you running the program RHBAUS00?  If so, have you considered tweaking what gets indexed by using program RHBAUS02.  Here you can increase threshold, which should limit what type of users actually get buffered when the program runs (so only users with access to many auth objects will actually be indexed). 
  Let me know if this helps.
  Best Regards,
  Michael