
HR Authorization: In a nutshell...

Posted by Hery-zo RAJERY in hery-zo.rajery on Feb 27, 2009 7:08:42 AM



Objectives:

Protection of person-related data (law)

Secure data that is related to persons and employees stored in SAP systems (moral
obligation). Example: only authorized users should have permission to change the wage
details for an employee.

Main Technical Risks:

ACCESS TO PERSONAL DATA

EXECUTION OF MASTER DATA REPORTS

STANDARD SAP TRANSACTIONS: SA38, ...

ACCESS TO DATABASE TABLE

AD-HOC QUERIES

STRUCTURAL AUTHORIZATIONS

grant access to view information on HR

are used to manage access on organisational plan

are NOT integrated into the standard authorization concept

Structural authorization profiles are not the same as standard authorization profiles (ECC, BW, ...).

The HR data to be protected are defined via object type P.

User-specific structural profiles can be created using function modules. Combined with the
PLOG authorization object, structural authorizations are also used to protect resource planning
data in HR.

Structural authorizations are based on the hierarchy level (organisational plan). This is called
the "structure" in structural authorization.

MAIN AUTHORIZATION SWITCH

The main authorization switch enables structural authorization in SAP HR.

Activation: Tcode: OOAC, Table: T77UA

Main transactions:

Use for | Tcode | Infotype
--- | --- | ---
All organizational plan maintenance | PPOME, PPO_OLD, PPOC_OLD, PPME, PO13 |
Hiring applicants | PB30, PB40 | 4000
Maintain master records | PA41, PA40, PU00 |
Salary & wage | PU03, PA30, PA20 | 0002, 0003, 0006, 0009, 0011, 0014
Absence | PA30 | 2001, 2013
View their own wage | PC00_M16_CEDT | 0008, 0014, 0015, 2010
Salary validation | PA30, C138 |
External payments | PC00_M99_CIPE |
Travel requests and expenses | TP04, TRIP, TP01, TP02, TP03, TP04, PR05 |

HOW TO PROTECT MASTER DATA?

The main authorization object to protect master data in HR is P_ORGIN.

P_ORGIN is usually used together with the P_ORGXX authorization object.

P_ORGXX is usually used to define responsibilities for personnel administrators. It is possible
to put restrictions on infotypes and to define different authorization levels.

P_PERNR controls access to the data of individual users. It is used to restrict users'
changes to their own data.

P_SIGN: Personnel number assigned to the user

Advice: the P_SIGN authorization field must be set to authorization value 1

HOW TO PROTECT HR REPORTING?

Authorization object: P_ABAP

Set the authorization field COARS:

1: Perform an authorization check independently of infotype and organizational assignment

2: No authorization check on the authorization object of HR master data

*: No checks will be performed at all
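
The COARS values above can be checked against an export of role contents. The following is an added example, not code from the original post: it joins user-to-role assignments with role authorizations and flags users whose effective P_ABAP authorization carries COARS 2 or *, raising the severity when the same user can also start SA38. The role names, user names and row layout are constructed; S_TCODE with field TCD is the standard SAP transaction-start object and is not mentioned in the post.

```python
from collections import defaultdict

# COARS values the post describes as weakening checks on HR master data.
RISKY_COARS = {"2": "no check on HR master data authorization objects",
               "*": "no checks performed at all"}

# Constructed sample data (not from a real system): (role, object, field, value).
ROLE_AUTHS = [
    ("Z_HR_ADMIN",   "P_ABAP",  "COARS", "1"),
    ("Z_HR_ADMIN",   "S_TCODE", "TCD",   "PA30"),
    ("Z_HR_REPORTS", "P_ABAP",  "COARS", "2"),
    ("Z_BASIS_OPS",  "P_ABAP",  "COARS", "*"),
    ("Z_BASIS_OPS",  "S_TCODE", "TCD",   "SA38"),
    ("Z_DEV_TOOLS",  "S_TCODE", "TCD",   "SA38"),
]
USER_ROLES = {
    "ALICE": ["Z_HR_ADMIN"],
    "BOB":   ["Z_HR_REPORTS", "Z_DEV_TOOLS"],  # risky COARS and SA38 via different roles
    "CAROL": ["Z_BASIS_OPS"],
    "DAVE":  ["Z_DEV_TOOLS"],
    "ERIN":  ["Z_HR_REPORTS"],
}

def effective_values(roles, role_auths):
    """Union of field values per (object, field) across all of a user's roles."""
    merged = defaultdict(set)
    for role, obj, field, value in role_auths:
        if role in roles:
            merged[(obj, field)].add(value)
    return merged

def audit_p_abap(user_roles, role_auths):
    """Return {user: (severity, [reasons])} for users holding a risky COARS value."""
    findings = {}
    for user, roles in user_roles.items():
        eff = effective_values(set(roles), role_auths)
        risky = sorted(eff[("P_ABAP", "COARS")] & set(RISKY_COARS))
        if not risky:
            continue
        tcodes = eff[("S_TCODE", "TCD")]
        # SA38 (or a wildcard tcode) lets the user start arbitrary reports.
        severity = "HIGH" if ("SA38" in tcodes or "*" in tcodes) else "MEDIUM"
        findings[user] = (severity, [f"COARS={v}: {RISKY_COARS[v]}" for v in risky])
    return findings

if __name__ == "__main__":
    for user, (sev, reasons) in sorted(audit_p_abap(USER_ROLES, ROLE_AUTHS).items()):
        print(f"{sev:6} {user}: {'; '.join(reasons)}")
```

Authorizations accumulate across roles, so BOB is flagged HIGH even though no single role of his combines the risky COARS value with SA38.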

PAYROLL

Authorization object: P_TCODE: HR transaction code

Authorization object: P_PCR: Payroll control record

Authorization object: P_PYEVDOC: Posting documents

Authorization object: P_PYEVRUN: Posting runs


SEGREGATION OF DUTIES ON HR

Employees who hire the applicant and employees who are responsible for recording applicant
information

Employees who initiate the payments and employees who record user information

Wage payment must be validated

Maintain personal record <> Maintain HR master data

...
