Structure Authorization Steps

Similar Messages

• HR structural authorization

  Hello Friends,
  I am trying to get concept of HR structural authorization.  I have read the document " Structural Authorizations Step by Step, with Gotchas Too by Norm and Carl". After reading this document, what i have understood is In Structural authorization, we create PD profile eg: Manager, employee, ALL etc via transaction OOSP. And after that you assigned these profile to position via report RHPROFL0 or manually via transaction OOSB.
  But what i am not able to understand is
  1.How do this profile Manger, Employee etc will work? How do Users get authorization. What types of activities Uses are able to perform?  What type of data user will have acess to? Do users get authorization to transaction like PA20 or you still need additional role that is created via PFCG.
  2. What my understanding is Users who are in the top Hierarchal nodes or structure (eg: manager) is able to access data of employee below him. Do we still need to create roles like MSS and ESS role via transaction PFCG?
  If somebody can clarify, I will really appreciate.

  Hello Mate,
  Have a loook at this thread, this may help .
  Re: How to Restrict HR Org Structure from other Org Structures
  Regards,
  Regi

• Steps for creating structural authorization profile using trans. OOSP

  Dears,
  Could someone please guide to the steps for creating a structural authorization profile using transaction OOSP, to authorize on the HR Payroll Area.
  Thanks.
  Reda

  Hi,
  There are comprehensive guidelines on help.sap.com for creation of structural authorizations: http://help.sap.com/saphelp_erp2004/helpdata/en/34/49ba3b3bf00152e10000000a114084/content.htm
  However, please bear in mind that you cannot limit access to certain payroll area with structural authorization. For that you should use standard PA authorization object (you can use field organizational key to store Payroll Area VDSK1 in IT0001):
  P_ORGIN  http://help.sap.com/erp2005_ehp_02/helpdata/en/3e/b8b83b5b831f3be10000000a114084/content.htm
  Cheers

• SAP HR Structural Authorizations

  Hi Experts,
  I need a help regarding SAP HR Structural Authorizations.
  Currently our HR System is set with structural authorizations were in
  users will be accessing HR Org structure with different pd-profile and HR relationships (with Org units ex:
  assistant relation, manager relation).
  Now we want to design the roles based on company codes, where users should be able to see
  all organization units within company code 'xyz'.
  Do we need to create new pd-profile or new HR relationships or just restrict within existing HR roles for
  accessing organizations units within different company codes.
  Please guide me steps to proceed with this requirement?
  Your early response is highly appreciated, thanks in advance......

  You will need to talk to the HR folks about this and whether any employee grouping on the HR side matches a company code unit on the FI side to use in the authorizations.
  This means that HR data and processes are also aligned to finance processes, which was often the case with local HR systems but less so with global ones.
  The answer is on your side in the data and the processes. There is no single field which you can use for both, let alone an org. level field known to structural authorizations.
  Cheers
  Julius

• Structure Authorization Issue

  Hi guys,
  I don't have structure authorization implemented or HR system implemented. I was playing with my sandbox system to learn structure authorization by using step by step tutorial.  After I created a structure authorization for two users I deleted everything related to structure authorization but unfortunately, some t-codes related to org chart for example PPOME, PPOMW are not working properly, its not allowing to create new org char.
  We have another team needs to create some org chart for prototyping but they can't create org chart its giving no authorization error when I ran SU53 it's not giving regular auth error its also give failed HR structure authorization error, this is the error in su53 coming (Date 10/01/2010 and time Plan version 01 Object ID 5000075 Action LISD) there are so many different object ID on the list.
  They all already have SAP_ALL in the system. Can anybody give some kind of report so I remove structure authorization completely from the system.
  Please help
  Thanks

  Structural Authorization Check
  Structural authorizations are used to grant access to view information for personnel where HR OM has been implemented as we stated. The Access is granted to a user implicitly by the useru2019s position on the organizational plan.
  On top of the general authorization check, which is based on authorization objects, you can define additional authorizations by hierarchical structures.
  In each area, the combination of start object and [Evaluation Path|http://help.sap.com/saphelp_erp60_sp/helpdata/en/35/26c256afab52b9e10000009b38f974/content.htm] from an existing structure returns a specific number of objects. This exact combination, in other words the number of objects returned by this combination, represents a useru2019s [Structural profile|http://help.sap.com/saphelp_erp60_sp/helpdata/en/0c/49ba3b3bf00152e10000000a114084/content.htm]. So structural authorization check is therefore based on a Dynamic concept: The concrete objects that are returned by a structural profile change as the structure (under the start object) changes.
  Steps to Perform to Set Up Structural Authorization Check in brief:
  (Before start moving for str. auth profile it is assumed that the Switch AUTSW for HR General Authorization check is also activated in table T77S0. Structural Authorization won't give the access for accessing HR data as described in the last posts and works together with General Authorization - to remind you)
  1. Integration:  Control parameters for the integration of Personnel Planning and Development (PD) with other applications (such as Personnel Administration (PA) and Cost Accounting (CO), etc.) are specified in the "PLOGI" group.
  2. Turn on PD PA switch: TCode used is OOPS. Ensure value registered for PLOGI u2013 ORGA is X. No other values need to be checked or changed.
  (Note: PD and PA sub modules of HR are not configured to share data by default in the SAP delivered system. This switch must be on for data to flow between both modules.)
  3. Turn on Structural Authorizations Main Switches : TCode is OOAC. Value for ORGPD is set to 1.
  4. Create Org. Plan (check the first post).
  (Note: Do not create your Organizational Plan without this switch on. If you do, structural authorizations will not work and some org and infotype setup will not work. You cannot turn the switch on and get structural authorizations on an organizational plan, that was created while it was off, to work..)
  5. Create Personnel Master Record: Tcode is PA40. This is time consuming staff.
  6. Create record for Infotype 0105 - TCode is PA30.
  7. Create Structural Authorization Profiles u2013 TCode = OOSP
  8. Create entry for IT 1017 - TCode is PO10 (Organizational Unit) or PO13 (Position).
  9. Assignment of Structural Authorizations: The assignment of the Structural Authorization can be found with good details here in [SAP Help|http://help.sap.com/saphelp_erp60_sp/helpdata/en/97/27973b3ea3eb0fe10000000a114084/frameset.htm].
  Please check and let us know for any query.
  Regards,
  Dipanjan

• Structural Authorization

  hi
  I am new to Authorizations ...
  can somebody tell me the basics of Structural Authorizations from HR Module point of view ...
  i would like to know the steps involved in setting up the structural authorizations from a organization's perspective ....
  thanks
  hr_user

  Hi,
  Structural authorizations are used to grant access to view information for personnel where HR has been implemented. Access is granted to a user implicitly by the useru2019s position on the organizational plan. Structural authorizations are not integrated into the standard authorization concept and structural authorization profiles are not the same as standard authorization profiles.
  The use of structural authorizations can be illustrated by the following example. A manager can typically view or maintain information on employees in her organizational unit but not employees in other organizational units. When an employee moves from one unit to another his previous manager will no longer be able to view or maintain information about them. Similarly if a manager moves from one unit to another she will be able to see the employees in her new unit
  Regards,
  Prasad

• Authorization  step by step document on BI 7.0

  Dear Friends,
  Please  send me step by step document on BI 7.0 authorization ,
  Thanks in Advances
  RA

  You can find information from Help.sap.com, related link and initial information listed below.
  http://help.sap.com/saphelp_nw2004s/helpdata/en/59/fd8b41b5b3b45fe10000000a1550b0/frameset.htm
  Generation of Analysis Authorizations
  Use
  With the generation of analysis authorizations, you can load authorized values from other systems into DataStore objects and generate authorizations from them.
  In this way, necessary authorizations from the data for an application (for example, HR) can be generated so that users are able to see or not see the same data in the BI system as in the transactions of the application, even when the authorization concepts are different.
  You can use the generation of authorizations to generate either single authorizations or mass authorizations. It is suitable for scenarios that generate new authorizations periodically, that is, that are constantly changing. It does not necessarily make sense to assign these authorizations to the users in roles and profiles. This is not even possible for automatically generated names that keep changing. Therefore the generated authorizations are assigned directly in the BI system. This is considerably faster than generating them from profiles. If a fixed name is assigned, however, this can be done manually from role maintenance. Keep in mind, however, that there is the danger that you can overwrite constant names.
  The generation of authorizations is a dynamic authorization assignment that is an alternative concept to the role concept.
  Prerequisites
  An extractor must be available for authorizations (up to now, for HR and Controlling).
  For HR:
  You have to transfer the DataStore objects 0TCA_DS01 and 0TCA_DS02 (optional 03 to 05) from BI Content. These DataStore objects should be copied for each application for which you want a complete data load. For more information about the content objects at BI Content ® Human Resources ® Organizational Management ® DataStore Objects ® Structural Authorizations – Hierarchy and Structural Authorizations – Values
  For controlling:
  A complete scenario is available. Transfer the content objects: 0CO_OM_CCA_USER1 (DataSource and InfoSource), as well as the DataStore objects including update rules 0CCA_001, 0CCA_002, and 0CCA_003.
  For all other applications:
  Copy the templates 0TCA_DS01 and 0TCA_DS02 (optional 03 to 05) in DataStore objects for your application area (department, and so on). Note the naming convention with the digits 1 to 5 at the end.
  You need sufficient authorization for generation activities such as deleting, changing and generating analysis authorizations, changing user assignments (authorization object R_SEC), along with any other activities for creating or changing system users using NetWeaver authorization objects for user maintenance. The authorizations required in detail depend on the generation scenario.
  Features
  You get to this function through management of analysis authorizations (transaction RSECADMIN) at Authorizations ® Generation of Authorizations.
  The DataStore objects for generating authorizations have an analogous structure to the authorizations and contain the following authorization values:
  ●      Authorization data (values) (0TCA_DS01)
  ●      Authorization data (hierarchy) (0TCA_DS02)
  ●      Description texts for authorizations (0TCA_DS03)
  ●      Assignment of authorization users (0TCA_DS04)
  ●      Generation of users for authorizations (0TCA_DS05)
  The actual data to be used in the generated authorizations can be found in the two template DataStore objects 0TCA_DS01 and 0TCA_DS02.
  More information:
  ●      Template for DataStore Objects with Authorization Data (Values)
  ●      Template for DataStore Objects with Authorization Data (Hierarchy)
  You define which authorizations are to be generated from which DataStore objects. You then load your authorization data for them. This can be done for example with CSV files or with extractors. Automatic generation assumes correctly filled DataStore objects. However, the system tries to detect incorrect intervals and some other errors, and to correct them if possible. This is recorded in the log.
  For CSV files, the fields User and Authorization need not necessarily be filled with values. In general, however, these fields can be filled with names and numbers. There can be different results when you assign authorizations. You can find more detailed information in the detailed descriptions of the two template DataStore objects above.
  You can generate the authorizations on the Authorizations tab page under Generation in the transaction RSECADMIN. As an alternative, the report RSEC_GENERATE_AUTHORIZATIONS starts or schedules generation.
  Generating Single Authorizations:
  Maintain the user in the DataStore object 0TCA_DS01. It is assigned to the user when the authorization is generated. It can be used for assigning authorizations that are very user specific.
  Generating Mass Authorizations:
  Leave the User key field empty in the DataStore object 0TCA_DS01 and generate the authorizations. A profile appears that can be assigned to any number of users. The profile gets its texts from the DataStore object 0TCA_DS03. There can be language-dependent short, medium and long texts. You maintain the user in the DataStore object 0TCA_DS04. This generates your mass authorizations.
  Generation of Users
  You can also generate users with 0TCA_DS05. To do this, specify an existing reference user from which to copy. The newly created users are assigned randomly generated initial passwords that are not transparent. Users can only log on after manually changing the assigned password.       
  Generating Authorization Names:
  Generate explicit (meaningful) authorization names by filling the field for 0TCTAUTH with your desired name. As an alternative, you can also specify numbers to mark characteristic dimensions that belong to the same authorization. If field 0TCTAUTH is empty, technical names are generated according to the pattern RSR_00000012. All entries with the same name (or an empty field) are assigned the same authorization.
  If a technical name with eight digits (RSR_nnnnnnnn) was created for an authorization and then generated again, the existing names are deleted and new technical names are generated. As a result, the previous authorization is deleted and replaced with the new authorization. This new authorization might not be identical to the old one. You can prevent unintended overwriting by using a number range. There is an overflow after 100,000,000 generated authorizations and numbering starts with 1 again.
  Deletion of Authorizations and Regeneration
  For users for which data exists in the DataStore object that has to be regenerated, first the existing, generated authorizations are deleted. Afterwards, authorizations are generated using the data in the DataStore objects in the usual way.
  If a data record with the user name 'D_E_L_E_T_E' is loaded into the DataStore object 0TCA_DS01, first the generated authorizations for all users in the BI system for the DataStore object record are deleted (separated by the first part of the name before the digits) and then generated for the rest of the data.
  Log for Generation
  A detailed log is created during generation that documents the generation steps and that is displayed automatically. Old logs can be viewed from the transaction RSECADMIN under the Analysis tab page ®   Generation Logs or at the start of the report RSEC_GENERATE_AUTHORIZATIONS by clicking on the log symbol.

• When i try to sync my iphone 5c to my itunes it says my computer is not authorized.  I've gone through the authorize steps and restarted my computer.  It says "already authorized," yet the phone still won't sync saying, "computer unauthorized."

  When i try to sync my iphone 5c to my itunes it says my computer is not authorized.  I've gone through the authorize steps and restarted my computer.  It says "already authorized," yet the phone still won't sync saying, "computer unauthorized."

  Click here and follow the instructions.
  (91121)

• Structural authorization - creation of employee number in webdynpro or abap

  Hello Experts,
  We are facing some problems with the combination of structural authorizations and the creation of a new employee.
  When we use PA40 to create a new employee this does not give any problem.
  In the webdynpro we first execute a call transaction PA40 to apply infotype 0000 and 0001. This works well.
  Except that the call transaction does not set the connection between PA and OM. (so we did program this ourselves)
  In PO13 and the table HRP1001 the same relations are made as when we use PA40 in the sap gui.
  After this we do call transactions PA30 for the next infotypes.
  When we check the SU53 it gives a message: problems with structural authorizations object P (with the employeenumber) starting at 01.01.1800, enddate is empty.
  The employee is manager and connected with his userid in infotype 0105.
  We use in the structural profile the function module  RH_GET_MANAGER_ASSIGNMENT
  We checked with transaction HRHAUTH.
  User has been adjusted to the tables T77UA etc.
  We do not use workflow in this webdynpro
  We used the trace function when this was executed, but it did not give more information about missing structural authorizations.
  This issue was before on SDN (Structural authorization - creation of employee number) but unfortunally there was no solution there for the issue!
  Hope one of you can help me to find the solution!
  With kind regards,
  Rita Mensink

  Hi.
  After 2½ days of frustration I finally nailed this.
  Function group RHAC, that handles the authority checks, initially buffers a table called VIEW containing all objects available for the user. As stated earlier in this conversation, SAP handles creation of relations in HRP1001 (links PA and OM). At this point the new employee number is appended to buffered table VIEW in function group RHAC.
  When execution the PA40 activity through CALL TRANSACTION, the creation of the relations are not handled - and the same goes for updating the buffered table VIEW. The table can be updated using the function module RH_VIEW_ENTRY_INSERT from the same fundtion group:
  This example might be useful
    data: ls_view_entry type hrview,
          ls_related_object type hrobject.
    ls_view_entry-plvar = '01'.
    ls_view_entry-otype = 'P'.
    ls_view_entry-objid = lv_pernr.
    ls_view_entry-begda = '18000101'.
    ls_view_entry-endda = '99991231'.
    ls_view_entry-maint = 'X'.
    ls_related_object-plvar = '01'.
    ls_related_object-otype = 'S'.
    ls_related_object-objid = lv_ny_objid.
    call function 'RH_VIEW_ENTRY_INSERT'
      exporting
        view_entry     = ls_view_entry
        related_object = ls_related_object.
  Best regards
  Poul Steen Hansen
  Senior Technical Consultant
  EDB Consulting Group A/S, Denmark

• BW/HR structural authorization in BI 7.0 version

  Dear experts,
  Can anyone please explain how to extract HR structural authorization from R/3 to BW 7.0, and how to configure the authorization in the BW, I hope everyone can give me a work flow.
  Thanks.

  Hi Auke, thanks for your answer.
  Changes inside the user profile are working, but deletion don't. And yes, the meaning of this is that user should not have role anymore.
  I saw help documents with some procedure using D_E_L_E_T_E user. I didn't understand. Do you know something about that? Is that maybe the right way?
  Thanks,
  Thiago

• How To Create ABAP Code For HR Context Sensitive Structural Authorization

  Hello,
  We have created a HR Custom Program which IS NOT built off the PCH or PNP Logical Database. As a result, we need to manually create ABAP code for HR Context Sensitive Structural Authorization Check in our custom HR program. Via HR Context Sensitive Structural Authorizations, we are restricting access to personnel numbers and the underlying HRP* tables.
  Any assistance would be greatly appreciated with the identification of the SAP standard function modules (Ex. RH_STRU_AUTHORITY_CHECK, HR_CHECK_AUTHORITY_INFTY, HR_CHECK_AUTHORITY_INFTY , etc) used in HR Context Sensitive Structural Authorization Check, how they are used to control HR Structural authorization (P_ORGINCON), and some sample code.
  Thank you in advance for all your assistance,
  Ken Bowers

  Hello Ken
  You can use the interface methods IF_EX_HRPAD00AUTH_CHECK to get the same structural authorization as you can see in PA20/PA30. You need to use the methods set_org_assignment and check_authorization for this purpose. For more information you can refer to include FP50PE21 from line 237 onwards till 270.
  Regards
  Ranganath

• MSS genericiview and R/3 structural authorizations

  Hi,
  I have created some iViews based on par-file "eeprofilegenericiviewtable" to display R/3-queries. In R/3 we use also structural authorizations for the managers with functional module RH_GET_MANAGER_ASSIGNMENT.
  The structural authorization is working in R/3 for a selected manager selecting a query directly from the R/3 via SQ01, but it doesn't in the iview. When the same user is viewing the "query"-iview, the message "No data selected" appears.
  When I assign the user a structural authorization without the functional module RH_GET_MANAGER_ASSIGNMENT, e.g. only with some object types, the user can retrieve data without any problem using "query"-iview.
  Probably the problem is in the functional module HR_INFO_GET_USING_QUERY used for retrieving R/3 query data from the portal and used by the iview eeprofilegenericiviewtable.
  Has anybody met a similar problem? We are using EP6.0 SP14 and SAP R/3 4.6C.
  Beata

  Hi Dwayne (and others!),
  Were facing similar problems with the error message "R3_CONNECT_FAILED". However, our difficulties are a bit strange because i only occurs on one of our two server nodes. We're running SAP EP 6.4, SP9.
  Previously, we've had problems with the maximum number of connections towards our backend system, SAP R/3. But setting the environment variable CPIC_MAX_CONV helped us.
  However, now we get the above error, but only on one of our server nodes. Do you (or anyone else) have any suggestions as to what might be wrong?
  Thanks in advance,
  Rasmus

• SAP BI 7.0 Transport issue with HR Structural Authorization DSO

  Hi,
  I am trying to transport HR Structural Authorization DSO Objects in  BI 7.0  from Dev to QA system. The Data sources are 0PA_DS02 and 0PA_DS03. ( I am sure that there are lots of changes in Authrorization concept in BI 7.0),.
  1. Please suggest me if I need to make any changes and tests before moving these authorization objects to QA system.
  2. Also, do I need to take any pre-cautions while activating business content objects 0TCTAUTH  and 0TCTAUTH_T (Datasources look like are from 3.x) as I am getting issue with the activation of the transfer structure for these objects?
  Thanks a lot for your valuable inputs.
  Regards
  Paramesh
  Edited by: paramesh kumar on May 5, 2009 12:45 AM

  Hi Paramesh.
  You can use the DSOs 0PA_DS02 and 0PA_DS03 in BI7.0 as well. You just need to use the new generation of analysis authorizations in transaction RSECADMIN.
  You can use 0TCTAUTH and 0TCTAUTH_T in BI7.0, however we have experienced som problems with the 0TCTAUTH_T extractor, which dumped because of a poorly designed SELECT statement that was unable to cope with 10000 records. We have replaced it with a generic data source that uses table RSECTEXT directly.
  Regards,
  Lars

• Error Occured when Applying Structural Authorizations in E-Recruitment

  Dear Experts,
  The E-Recruitment functionalities were working fine when no structural authorizations are applied. However, when structural authorizations are configured for the user on the backend SAP system (I configured structural authorizations for the user to have access to only his own department), the E-Recruitment module does not work.
  When I tried to access requisitions-> maintenace, application management->applications, etc, (i.e. when the E-Recruitment module tries to retrieve data from the backend), the the following error message occurred.
  Error when processing your request
  What has happened?
  The URL http://<hostname>:<port>/sap/bc/bsp/sap/hrrcf_start_int/application.do was not called due to an error.
  Note
  The following error text was processed in the system ABC : <b>RAISE EVENT statement nested to deep.</b> The error occurred on the application server XYZ and in the work process 0 .
  The termination type was: RABAX_STATE
  The ABAP call stack was:
  Method: ON_CHANGE of program CL_HRRCF_INFOTYPE=============CP
  Method: INSERT_RECORD of program CL_HRRCF_INFOTYPE=============CP
  Method: READ_RECORDS of program CL_HRRCF_REQUISITION_INFO=====CP
  Method: GET_RECORDS of program CL_HRRCF_INFOTYPE=============CP
  Method: GET_RECORDS_BY_DATE of program CL_HRRCF_INFOTYPE=============CP
  Method: ON_REQUISITION_UPDATE of program CL_HRRCF_REQUI_BL=============CP
  Method: ON_CHANGE of program CL_HRRCF_INFOTYPE=============CP
  Method: INSERT_RECORD of program CL_HRRCF_INFOTYPE=============CP
  Method: READ_RECORDS of program CL_HRRCF_REQUISITION_INFO=====CP
  Method: GET_RECORDS of program CL_HRRCF_INFOTYPE=============CP
  Please advice if E-Recruitment supports structural authorizations. If it does, are there additional configuration required to enable structural authorization. Kindly enlighten me on how to resolve this error. Any help will be much appreciated.

  Hello Louis,
  I implemented e-recruiting with structural authorizations for a customer and encountered exactly the same error. Anything in the e-recruiting implementation leads to this problem. When you miss some object authorizations the implementation generates an infinite callstack which results in this short dump.
  So be sure you assigned all necessary objects to recruiters and also candidates (NA, NB, NC, ND, NE, NF, BP, CP, P, Q, QK, VA, VB, VC) but this might be difficult esp. with the P object, when you use structural authorizations for other purposes, too. This usually generates problems in manager involvement (e.g. manager can't choose a recruiter to approve his requisition as he has not the structural authorization for the hr department members).
  It is also a bit strange that candidates need for example change rights for the requisition (NB) although they won't actually change it but without it the relation application->requisition, candidacy->requsition cannot be created correctly.
  Last but not least be always sure that you refreshed the authorization buffers after changing structural authorizations. They are usually switched on for better performance.
  Best regards
  Roman Weise
  PS: be aware that using structural authorizations will keep you busy for some time. we needed ~2 months to set up the system in a way that e-recruiting worked as the custoimer wanted without interfering any other productive hr component (admin, org. mgmnt., managers desktop).

• R/3 reports related to structural authorization

  Can anyone advise which standard reports/transcation codes in R/3 relate to structural authorization? are some better than others? I am interested in viewing allowable objects etc,.
  Thank you,
  Meghan

  Hi Jim,
  As you have mentioned you have worked a lot on structural authorizations,
  I would request you to kindly help us on the below mentioned scenerio..
  Issue : (Scenario)
  C directly reports to B, and B Reports to A.
  In the above scenario we have logged as B and did the compensation planning for C. A is the approver for the C’s compensation planning.
  As C is HOD for HR Org unit. He will submit compensation plans of his subordinates to B for approval. That means B has to have approval authorization for C’s subordinates and he should not have approval authorization for his direct reporting employees.
  In our scenario, B is able to perform the compensation planning as well as able to approve the same for his direct reporting employees. This shouldn’t happen in our process.
  How can achieve this, Please advice
  Regards
  Raghav