Who's Who with Structural Authorisations

Similar Messages

• Beginning with Structural Authorisations

  Good day fellow SAP HCM Community,
  Our company is currently investigating the option of going via structural authorisations for our HCM system security but we are struggling to set it up.
  Please advise if anybody has some documentation on the following:
  1. What is the values in the table OOSP for a manger and a sub-ordinate?
  2. Do we need to assign a PD profile to each position in the org structure whether a SAP user or not?
  3. What is the relationship for a manger and a subordinate on the postion, i.e. A002 - B002, etc.
  4. In order for a manager to view their subordinates do they all have to be indicated as chief positions as we have a complex management hierarchy?
  5. The function module RH_GET_MANAGER_ASSIGNMENT and RH_GET_ORG_ASSIGNMENT is not available to our DEVLAB client, does it need to be visible in order for structural authorisations to work.
  Kind regards
  Dorianne

  Update your B card or send me a test mail. I will send you doc

• Concurrent Employment and MSS ( Structural Authorisation)

  Hi
  We are having some problem with Structural authorisation in case of concurrently employed users. The scenarios is as follows
  1. User A is manager and have MSS role and relevant PD profile
  2. User P is employee . This employee is concurrently employed. one position of this user is in the organisation unit of manager A and the another position for this
  The problem is that the manager A is unable to approve the form submitted by the employee P. if we remove concurrent employment it start working again.
  I can see that Manager has structural access over employee P in tcode OOSb
  Any suggestion will be welcome
  Parveen

  Hi
  The problem we were having is that index was not updated. So inspite of having access to the user i was not able to approve the form. I have regenerated the index via report rhbaus00 which fixed the problem
  Parveen

• Who are the authorised resellers in the philippines of iphone 5s 16gb

  because i buy my apple iphone 5s 16gb and after 2 months the lcd is have a problem it is a warranty covered and the store tell me that i can back this iphone where the is released and that is in the north korea, can i know the address of iphone store in north korea to check and repair my phone.
  and ask the apple who was the only authorised resellers in the philppines because the store that i buy my iphone is not authorised so im comfused to that, so that please tell me who was the authorised reseller in the philippines and what are the things to do to the not authorised reseller but my iphone is registered to the apple.

  A)  We are not Apple employees.  We are other iPhone users like you, trying to assist others with hardware problems.
  B)  Your Apple warranty is valid only in the country* in which the phone was originally purchased.  If you didn't buy from Apple or an authorized agent, then the warranty is valid only in the country in which that seller bought the phone.  Apple will not accept international shipments, so the phone must be delivered to Apple from within that country.
  C)  Here is a list of authorized Apple resellers:  https://locate.apple.com/country
  *EU is considered one country for warranty purposes.

• Structural authorisation along with organisational key

  Hi All:
  The scenario is:There are 8 company codes(8 diff countries) with 8 diff Personnel areas.A user needs to have access to all employees in his country and secondly, all the HR employees spread over all other company codes in different org units.
  I can create role using P_ORIGIN with that PA and assign to the user but how do i provide him access to all other HR employees.Structural Authorisation would restrict access to a specific org unit which doesn't suffice both criteria as it overrides org key.
  Helpful answers would be duly rewarded.
  Regards,
  Kmaini

  Hi,
  Structural authorization does not overwrite org.key.
  You need to customize structural authorization accordingly.
  For example, you have 8 company codes associated with personnel areas PA01-PA08. You are trying to create role for company code 1.
  1. In P_ORGIN you give access to all personnel areas PA01-PA08.
  2. For structural authorization you create following entry points:
  - root org.unit for company 1
  - HR org unit for company 2
  - HR org unit for company 3
  - HR org unit for company 4
  - HR org unit for company 5
  - HR org unit for company 6
  - HR org unit for company 7
  - HR org unit for company 8
  Cheers

• Structural authorisation HR security

  Hi all,
        I am very much new in HR Security ,need your help in Structural Authorisation My querry is that
  1.) how can we get Personnel number when we have POSITION or Org unit.any steps or Tcode.
  2.) Is Structural authorisation applied to the POSITION who has B012 Relation ships only with Org unit or it can also be applied on the POSITION without B012 relationships.
  Pl.. help..
  Thanks in ADVANCE,
  Chandresh Bajpai

  Hi Chandresh,
  If you know position, then go to PP01 > select position > give position ID > Clcik on relationship > select all radio button > click on overview > you can see all relationship which have been maintained for that position. Check relathionship A008 (position to person).
  Then structural authorization does not depend on only relationshio A012 (chief position. But it depends on total OM structure. Before going for structural authorization, you should have OM structure in place.
  Regards,
  Purnima

• How to apply Structural Authorisations for Report

  Hi All,
  We are using structural authorisations in our project and it is working fine for all processes. But we are facing problem for reports.
  Kindly guide on How to apply structural authorisations to SAP Standard Reports and Custom reports.
  Thanks & Regards,
  Prashant

  Hi Prashant,
  Yeah LDB is a good way of implementing Structural auth. Apart from that you can assign the Authorization Group in the Z-report attribute. So users who are part of this group only can access this report. This also applies to the standard reports as they are already assgned to standard Authorization Groups.
  Br/Manas

• Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

  Hi
  I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
  This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
  1. Can we integrate both structural authorizations and position based role mapping in one system?
  2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
  3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
  4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
  Any help or suggestions on the above would be appreciated.
  Thanks and Regards
  Arun R

  Hi
  1. Can we integrate both structural authorizations and position based role mapping in one system?
  Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
  2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
  No, the SAP role is unique to the postion it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the sap role directly to the user in SU01/SU01
  3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
  Create user in SU01.SU10 first before creating infotype 105 in PA30.
  4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
  *When a users assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.   
  Also the number of days an employee can have access to their previous data is controlled by the parameter is called ADAYS - tx OOAC .  SAP currently defaults this to 15 days and this is used  to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
  Hope this helps.
  Charmaine

• Ad Hoc Query & HR Structural Authorisations

  Good day,
  Can you kindly suggest solutions to the following?
  Users with access to IT0008 can view basic pay across company codes. Iam using user groups for restriction per company code and PD Profiles for structural authorisations - there is also a restiction on personnel areas for the company code in the role in which IT8 is allocated...
  Can you advise how i can restrict IT8 access for users across sites/company codes?
  Thanks have a lovely day!

  Hi Anders,
  Thank you for the reply,
  We are using HR structural authorisations with context solution P_ORGINCON, we have a HR Organisational based structure - where roles and PD profiles are linked to postions (PD Profiles are per company code as well nd linked to IT1017 on object S)... That is correct In our HR enterprise structure the personnel area is a breakdown of the section/s within a company code.
  My roles have the personnel area restriction specified however when using Ad hoc query it is still allowing cross company access on it8. is there perhaps an object that is allowing this access we are not using object S_QUERY at this stage. could P_ABAP be allowing this access?

• Change org structure, structural authorisations and MSS team calendar

  We are using structural authorisations with evaluation path O-S-P for managers .  If I move an employee into a new org unit, when the manager views the Team Calendar in MSS, they can see the new employee.  However, if I move the manager into a new org unit from a specific date with the chief indicator ticked, nothing is displayed in the Team Calendar and the message says "no data available in chosen period".  I thought it could be an authorisation issue so I have done an authorisation check in Time Managers Workplace for the same manager trying to view an employee in the new org unit and it says it's failing on structural authorisations.  If I look in T77UA it shows the correct org unit, positions and employee numbers so I don't understand why it's giving me the structural authorisation error?  PFUD has been run and T77UA looks correct - am I missing something??
  Any help would be greatly appreciated!

  I would check the A012 "manages" relationship and see if its pointing to the right Org unit. We have had several issues with the team calendar and ended up customsing a lot of it.

• Structural Authorisation - Unrelated Objects

  Hi all,
  We are facing an issue in structural authorisation of OM objects. The user wants to have authorisation of all objects under his root Org unit alongwith any objects that are unrelated (having no relationship with any Org unit / Positions).
  Is this possible with standard configuration? How can this be achieved?
  Regards,
  VK

  Hi VK
  Yes it is possible.
  You have to create your own function module and assign it to a structural authorization profile (field T77PR-PFUNC)
  In this function module, as semvladigo says you have to collect all required unrelated objects and return them via OBJ_TAB interface table.
  as a reference please check the following function modules:
  RH_GET_MANAGER_ASSIGNMENT
  RH_GET_ORG_ASSIGNMENT
  Regards,
  Sergey

• Structural authorisation performance issue

  Hi,
  For our customer we have the HR-PD object authorisation activated. We now encounter performance issues in the buffering of objects. We have set the buffer/refresh two times a day but this has a huge impact on the resources and hence performance of the system. We actually need to set the buffer to be run more then two times a day (once a half hour) but this is now out of the question.
  Are there any settings, configuration, or something else that can be done to improve performance.
  Business Scenario: in SAP SLcM* a student is already admitted for a program on faculty (O-unit) X. After a couple months the student is admitted to another faculty (Y) by an employee of that faculty Y (that proces is without authorisation).From that moment on the structural authorisation gets in place. Also on this moment the student is not visible to the employee of faculty Y. After the run of the buffer the student is visible again.
  br,
  Rob
  *Also works with HR-PD objects and the structural authorisation from ERP-HCM. SAP SLcM is a industry solution for the higher education market.

  >
  Rob Jonkers wrote:
  > Hi,
  >
  > For our customer we have the HR-PD object authorisation activated. We now encounter performance issues in the buffering of objects. We have set the buffer/refresh two times a day but this has a huge impact on the resources and hence performance of the system. We actually need to set the buffer to be run more then two times a day (once a half hour) but this is now out of the question.
  >
  > br,
  > Rob
  >
  > *Also works with HR-PD objects and the structural authorisation from ERP-HCM. SAP SLcM is a industry solution for the higher education market.
  Hi rob, what exactly is meant by refreshing the buffer two times a day?  Are you running the program RHBAUS00?  If so, have you considered tweaking what gets indexed by using program RHBAUS02.  Here you can increase threshold, which should limit what type of users actually get buffered when the program runs (so only users with access to many auth objects will actually be indexed). 
  Let me know if this helps.
  Best Regards,
  Michael

• Structural Authorisation access issue

  HI
  I am currently trying to implement Structural Authorisation.  I have run into a problem and hoping someone maybe able to help.  The problem I have is that when a user searchs for employee's in PA20/30 the results show all employee's that are part of the org unit that the PD profile is restricting.  However it also includes users that were part of the org unit at some stage.
  Now in PA30 the user does not get the header for these users but is able to access/modify some infotypes.  I am not sure but I think there is a setting somewhere that will limit the PD profile to only display current employee's of the org unit only but for the life of me can not remember or recall where it is.  Can anyone help with this?
  Any help will be appreciated,
  Many thanks in advance.

  Hi,
  Did you verify the values for the
  Switch ADAYS "HR: Tolerance Time for Authorization Check"
  in Transaction OOAC.
  Depending on the number of days mentioned.
  The person would have access to old Org Unit till the tolerance period if he modified information in that org unit.
  Actual SAP documentation:
  HR: Tolerance Time for Authorization Check (ADAYS)
    Use
      The tolerance time for the authorization check specifies the length of
      time, in the case of an organizational change, that the personnel
      administrator has access to the data he or she created for a person if
      this person already has an organizational assignment outside of his or
      her authorizations.
    Input values
      The tolerance time for the time logic for master data infotypes is
      specified in calendar days. In the standard SAP system, the value of the
      switch is set to 15 (= 15 calendar days). When this switch is active,
      that is, when it contains a value greater than 0, organizational changes
      that result in the loss of a particular authorization take effect in
      accordance with the tolerance time.
    Example
      ADAYS is set to 15. In the system, only checks with P_ORGIN are active.
      Administrator A has read and write access to data in personnel area A
      while administrator B has read and write access to data in personnel
      area B. It is assumed that for all infotypes the time dependency of the
      authorization check (switch T582A-VALDT) is active.
      A personnel number was assigned to personnel area A until 12/31/9999. As
      of 01/01/2000 this personnel number is assigned to personnel area B. The
      period of responsibilty of administrator A ends on 12/31/9999 but due to
      the tolerance time, he or she continues to have unrestricted read and
      write access to data until 01/15/2000 (inclusive). However, as of
      01/16/2000, he or she no longer has write access to data. Nevertheless,
      the administrator still has read access to all data records with a startdate prior to 12/31/9999.

• HCM Structural Authorisations - OOSP Not Updating

  Hi All,
  I am experiencing a problem when I am trying to transport a newly created Structural Authorisation from our Development to UAT clients.
  I have been able to apply the transport to the UAT client and table T77PR has been updated with the new structural authorisation, the problem I have is that transaction OOSP is not updating in the UAT client, I am therefore unable to assign the structural authorisation to any positions for testing purposes.
  The UAT client is 'not modifiable' could this be the problem ?
  Thanks
  Simon

  Hi Simon,
  Check in Transaction code OOCR. I infer a setting that you need to verify there. The issue may occur if the TRSP CORR option is  set it to the right option. If you left it Blank, it means automatic transport connection is activated and if the value is set to X, it means no automatic transport connection.
  If the issue persists, I recommend you checking the transport logs and see if there is an error.
  Regards,
  Raghu

• Error in SRM:  a user with enough authorisation level is miss

  Hello,
  We are on SRM 5.0 and our users get the following error in SRM when creating a shopping cart:
  No user assigned to object a user with enough authorisation level is missing.
  Anybody any idea ?
  Thanks as ever

  Hello Can anybody helpe me please ?