Outlining Time Logic for Data Access

Objectives

After completing this lesson, you will be able to:
  • Outline read access time logic
  • Outline write access time logic
  • Describe the application of time-dependent logic
  • Block data using time-dependent authorizations

Time Logic for Read Access

The system first determines whether the authorization check is to be performed on a time-dependent basis at all. If not, the time logic check returns "authorized". If it is, the following steps are carried out:

The tolerance time and the end date of the period of responsibility are determined. The following results are possible:

  1. If the current date (SY-DATUM) does not lie further than the tolerance time past the end date of the period of responsibility, the period 01/01/1800 to 12/31/9999 is set as the new period of responsibility.

  2. If the current date lies further than the tolerance time past the end date of the period of responsibility, the period 01/01/1800 to the end date of the old period of responsibility is set as the new period of responsibility.

Finally, the check establishes whether the validity period BEGDA to ENDDA of the infotype record intersects with the newly defined period of responsibility, that is, whether at least one day lies in both periods.

a) If the intersection is not empty, the time logic check returns "authorized".

b) If the intersection is empty, the time logic check returns "not authorized".

Time Logic for Write Access

The following steps are carried out: If the first day of the period of responsibility coincides with the first day of the organizational assignment (BEGDA of the first record of infotype 0001, normally the hiring date), the period of responsibility is extended to begin on January 1, 1800. This ensures that users can also access records dated before the hiring date (for example, infotype 0002 Personal Data, which typically starts on the date of birth).

If the current date lies within the period of responsibility, or is not more than the tolerance time after the end of a responsibility interval, the period January 1, 1800 to December 31, 9999 is set as the new period of responsibility.

If the current date lies outside every responsibility interval and more than the tolerance time after the end of each of them, all responsibility intervals that end before the current date are deleted, so that only intervals beginning in the future remain.

The check then establishes whether the validity period BEGDA to ENDDA of the infotype record to be written lies completely within the newly defined period of responsibility:

  1. If the validity period is within the period of responsibility, the time logic check returns "authorized".

  2. If the validity period is not within the period of responsibility, the time logic check returns "not authorized" and terminates. 

Time-Dependent Logic

The following examples apply to this situation: An employee moves from personnel area 0001 to personnel area 0002 on January 1, 20xx (xx represents the year). Administrator A is responsible for personnel area 0001, administrator B for personnel area 0002.

Example 1:

The period of responsibility begins in the future:

If administrator B has write authorization for the corresponding infotype/subtype, this authorization is also valid for all infotype records with a validity period contained in the period of responsibility. In this example, an authorization exists for the record of infotype 0001 with the start date January 1, 20xx.

A read authorization exists for all infotype records with a validity period that overlaps with the period of responsibility or with a start date that is before the period of responsibility. In the example, administrator B has read authorization for both records of infotype 0008.

Time-Dependent Logic: Example 2

Example 2:

The period of responsibility begins before the current date. Its end date either lies in the future or is at most the tolerance time before the current date.

In this case, both write and read authorization are extended to the whole period January 1, 1800 to December 31, 9999. This means that the validity periods of the infotype records impose no restriction on administrator A, who is currently responsible.

Time-Dependent Logic: Example 3

Example 3:

The period of responsibility ends in the past, and even its end date shifted forward by the tolerance time lies before the current date.

In this case, administrator A no longer has write authorization. Read authorization exists for the infotype records with a validity period that overlaps with the period of responsibility. In the example, administrator A has read authorization for both records of infotype 0008.
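
The read and write time logic described above, together with the three administrator examples, modeled in Python. This is an added example and not SAP code: SY-DATUM is passed in as `today`, the tolerance time is assumed to be 31 days, and the hiring date, periods of responsibility and infotype records are constructed for an employee who moves from personnel area 0001 (administrator A) to 0002 (administrator B) on January 1, 2021. All function and constant names are this model's own.

```python
"""Model of the time logic for read and write access to HR infotype records.
Added example, not SAP code: SY-DATUM is passed in as `today`, the tolerance
time is a number of days, and the scenario data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

MIN_DATE = date(1800, 1, 1)     # the check extends periods back to 01/01/1800
MAX_DATE = date(9999, 12, 31)   # the high date used in infotype ENDDA


@dataclass(frozen=True)
class Period:
    """A closed date interval such as an infotype record's BEGDA..ENDDA."""
    begda: date
    endda: date

    def overlaps(self, other: Period) -> bool:
        """True if at least one day lies in both periods."""
        return self.begda <= other.endda and other.begda <= self.endda

    def contains(self, other: Period) -> bool:
        """True if `other` lies completely inside this period."""
        return self.begda <= other.begda and other.endda <= self.endda


def days_past_end(today: date, period: Period) -> int:
    """Days by which `today` lies after the end of `period` (negative if before).
    Date subtraction is used rather than endda + tolerance so that an ENDDA of
    9999-12-31 cannot overflow."""
    return (today - period.endda).days


def read_time_check(responsibility: Period, record: Period, today: date,
                    tolerance_days: int, time_dependent: bool = True) -> bool:
    """Time logic for read access: the record only has to intersect the period."""
    if not time_dependent:
        return True
    if days_past_end(today, responsibility) <= tolerance_days:
        # not further than the tolerance past the end: whole time axis
        new_period = Period(MIN_DATE, MAX_DATE)
    else:
        # further than the tolerance past the end: 1800 up to the old end date
        new_period = Period(MIN_DATE, responsibility.endda)
    return new_period.overlaps(record)


def write_time_check(responsibility: list[Period], record: Period, today: date,
                     tolerance_days: int, hire_date: date) -> bool:
    """Time logic for write access over one or more responsibility intervals."""
    periods = sorted(responsibility, key=lambda p: p.begda)
    # 1. An interval starting on the hiring date is extended back to 01/01/1800
    if periods and periods[0].begda == hire_date:
        periods[0] = Period(MIN_DATE, periods[0].endda)
    # 2. Today inside an interval, or at most the tolerance after its end:
    #    the whole time axis becomes the period of responsibility
    if any(p.begda <= today <= p.endda or 0 < days_past_end(today, p) <= tolerance_days
           for p in periods):
        periods = [Period(MIN_DATE, MAX_DATE)]
    else:
        # 3. Otherwise all intervals that lie before today are deleted;
        #    only intervals that begin in the future remain
        periods = [p for p in periods if p.endda >= today]
    # the record must lie completely inside one of the remaining intervals
    return any(p.contains(record) for p in periods)


# Constructed scenario (assumption): hired 2015-01-01, moves from personnel area
# 0001 (administrator A) to 0002 (administrator B) on 2021-01-01.
HIRE_DATE = date(2015, 1, 1)
TOLERANCE_DAYS = 31                                 # assumed tolerance time
RESP_A = Period(HIRE_DATE, date(2020, 12, 31))      # A's period of responsibility
RESP_B = Period(date(2021, 1, 1), MAX_DATE)         # B's period of responsibility
IT0008_OLD = Period(HIRE_DATE, date(2020, 6, 30))   # basic pay before a raise
IT0008_NEW = Period(date(2020, 7, 1), MAX_DATE)     # basic pay after the raise
IT0001_NEW = Period(date(2021, 1, 1), MAX_DATE)     # org. assignment after the move
EX1_TODAY = date(2020, 12, 1)   # example 1: B's period still lies in the future
EX2_TODAY = date(2021, 1, 15)   # example 2: A's period ended 15 days ago
EX3_TODAY = date(2021, 4, 11)   # example 3: A's period ended 101 days ago


def run_examples() -> dict[str, bool]:
    """The three administrator examples evaluated with the model."""
    return {
        "ex1_B_write_IT0001": write_time_check([RESP_B], IT0001_NEW, EX1_TODAY, TOLERANCE_DAYS, HIRE_DATE),
        "ex1_B_write_IT0008": write_time_check([RESP_B], IT0008_NEW, EX1_TODAY, TOLERANCE_DAYS, HIRE_DATE),
        "ex1_B_read_IT0008_old": read_time_check(RESP_B, IT0008_OLD, EX1_TODAY, TOLERANCE_DAYS),
        "ex2_A_write_IT0001": write_time_check([RESP_A], IT0001_NEW, EX2_TODAY, TOLERANCE_DAYS, HIRE_DATE),
        "ex3_A_write_IT0008": write_time_check([RESP_A], IT0008_NEW, EX3_TODAY, TOLERANCE_DAYS, HIRE_DATE),
        "ex3_A_read_IT0008_new": read_time_check(RESP_A, IT0008_NEW, EX3_TODAY, TOLERANCE_DAYS),
        "ex3_A_read_IT0001": read_time_check(RESP_A, IT0001_NEW, EX3_TODAY, TOLERANCE_DAYS),
    }


if __name__ == "__main__":
    for name, allowed in run_examples().items():
        print(f"{name}: {'authorized' if allowed else 'not authorized'}")
```

Running the model reproduces the three cases: in example 1, B may write the new infotype 0001 record but not a basic pay record that starts before the period of responsibility, while reading both basic pay records is allowed; in example 2, A's write access covers the whole time axis because the period ended within the tolerance; in example 3, A has no write access at all and can read only records that overlap with the old period of responsibility.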

Flowchart: Time Dependent Logic

Time Dependent Blocking of Data

Four examples of users who need time-dependent blocking of data: planning of working time and basic pay; time recording administrator; payroll administrator; key-user administrator.

Users can access HR data as a result of their direct or structural authorizations. However, if the data is no longer actively used, it might be necessary to protect it from further access. This is the case when you no longer require the data for business purposes but cannot destroy it for other reasons.

To block users from accessing data in the past in a time-dependent manner, you can enhance the SAP standard authorization check with customer-specific authorization checks. By changing the access authorizations, you remove access to personal data in the past so that it can no longer be displayed or changed. When doing so, take into account that different user roles require different authorization periods.

Examples:

1. All administrators require access authorization for past data of infotypes 0007 (Planned Working Time) and 0008 (Basic Pay).

2. In addition, a time data administrator must be able to display data from time management infotypes, such as 0007 (Planned Working Time), up to 2 years in the past.

3. In addition, a payroll administrator must be able to display data from payroll infotypes, such as 0008 (Basic Pay), up to 10 years in the past.

4. Individual key user administrators may need unlimited access to employee data records.

By defining an authorization period, you restrict access to data in the past in a time-dependent manner, based on the system date. To do so, you define a minimum authorization period for each type of data (infotype and subtype) and country grouping. You can extend these minimum authorization periods for individual user roles and assign them to the corresponding roles by means of the authorization object P_DURATION (Authorization Periods for HR Master Data).

An example of the P_DURATION authorization object verifying whether a user has access over a defined duration of time.

You can use the Authorization Periods for HR Master Data (P_DURATION) object in the authorization check for HR data. This check takes place when HR infotypes are being processed or read and is carried out as follows:

  • When a user calls a report or a transaction to display or edit infotype data, the system first checks whether the user is authorized for the requested personnel data on the basis of the employee's organizational assignment (the standard HR master data check).
  • If this is the case, the system checks whether the access authorization for the requested personal data at the infotype or subtype level is restricted by an authorization period in months. To do this, the system reads the settings in the Customizing activity Define default authorization periods for infotypes and subtypes.
  • If a default authorization period is defined, the system checks whether this access authorization has been extended for specific roles (ID for role-specific authorization periods). To do this, the system reads the settings in the Customizing activity Assign role-specific authorization periods to time period ID.

The authorization object comprises the following fields:

  • Data to which the user has access:
    • INFTY infotype
    • SUBTY subtype
  • Organizational attributes of the person whose data is accessed (from infotype 0001, Organizational Assignment)
    • PERSA personnel area
    • PERSG Employee group
    • PERSK Employee subgroup
    • VDSK1 organizational key
  • Authorization period
    • DUR_KEY ID role-specific authorization periods
Diagram of steps to establish access for specific infotypes, define periods, and assign roles from 2011 to 2021. Icons represent PT, PY, PA, and Key-User.

To use all the options of the Time-Dependent Blocking of Data function, you must perform the following four steps in the SAP system:

I. Requirement: Set the Access auth. indicator in view V_T582A

If you want to restrict access to infotype data by time, you must first make a basic setting in the infotype customizing. To do this, open view V_T582A (Infotype Attributes), select the infotype, and set the Access auth. indicator.

II. Activation: BAdI HRPAD00AUTH_TIME

To activate time-dependent blocking of data at all, you must implement and activate the BAdI HRPAD00AUTH_TIME.

III. Define default authorization periods for infotypes

Here you restrict the display and maintenance of individual infotypes in the past for all users.

IV. Role-specific authorization period

Step III restricts the display and maintenance of infotypes for all users. To grant selected users longer access, create a role-specific authorization period ID and assign a time period to it. You use this ID in the authorization object P_DURATION (Authorization Periods for HR Master Data) in a role, and assign that role to users who need more extensive display and maintenance of infotypes in the past.

Steps for access authorization: SPRO for infotypes and periods setup, PFCG for role maintenance, displaying procedures for v_T582A, BAdI, and P_Duration.

To use all the options of the Time-Dependent Blocking of Data function, you must perform the four steps in the SAP system, as shown in the previous figure. In the current figure you can see a customizing overview for the implementation of this sequence.

For step I (Requirement: V_T582A, Access auth.), go to Customizing using transaction SPRO and follow the path Personnel Management → Personnel Administration → Customizing Procedures → Infotypes. Choose the IMG activity Infotypes. Alternatively, open the Customizing view V_T582A directly using transaction SM30.

For the steps

  • II. Activation BAdI,
  • III. Default authorization periods for infotypes and
  • IV. Role-specific authorization period

go to Customizing using transaction SPRO and follow the path Personnel Management → Personnel Administration → Tools → Data Privacy → Block → Time-Dependent Blocking of Data.

Finally, use Role Maintenance (transaction PFCG) to enter the role-specific authorization period ID in the authorization object P_DURATION of the role.

Steps to set access authorization in SAP: Use SPRO to view infotype attributes, select IT 0008 (Basic Pay), then check the Access auth. box for authorization setup.

To use the Time-Dependent Blocking of Data function, you must set the Indicator for access authorization for each infotype.

If you want to check or set the indicator, you have to do the following:

1. Go to Customizing using transaction SPRO and follow the path Personnel Management → Personnel Administration → Customizing Procedures → Infotypes. Choose the IMG activity Infotypes. Alternatively, open the Customizing view V_T582A directly using transaction SM30.

2. In the screen Change view Infotype attributes (Customizing): Overview, select the relevant infotype and click the Details button.

3. Select the Access auth. check box to enable time-dependent blocking of data for this infotype.

Details to the topic Indicator for access authorization

The Access auth. (access authorization) indicator makes the time period during which an HR infotype can be accessed part of the authorization check. When you access infotype data for a particular person (employee or applicant), the system reads the person's organizational assignment and the work area (infotype, subtype, and authorization level). Each infotype generally has records with different validity periods. A person can also have different organizational assignments (infotype 0001 Organizational Assignment) over time. If different administrators (users) are responsible for these organizational assignments, this is taken into account when the authorization for a specific infotype validity period is checked.

If you do not set this indicator (initial value), an administrator is authorized to access the infotype records if the person had, has, or will have an organizational assignment that, according to the administrator's authorization profile, allows access to this data.

If you set this indicator (X), the authorization check depends on the current (system) date.

II. BAdI activation

Steps to activate SAP BAdI for authorization: Use SPRO, set definition HRPAD00AUTH_TIME, input a name, copy example class, save to a package, and then activate the implementation.

With the Business Add-In (BAdI) HRPAD00AUTH_TIME, you can implement customer-specific time logic in the PA authorization check and so enhance the standard SAP authorization check. To activate the BAdI, proceed as follows:

  1. Go to Customizing using transaction SPRO and follow the path Personnel Management → Personnel Administration → Tools → Data Privacy → Block → Time-Dependent Blocking of Data. Choose the IMG activity BAdI: Set up customer-specific check for authorization periods.
  2. The Definition Name of the BAdI is HRPAD00AUTH_TIME.
  3. Choose an Implementation Name, for example Z_DUR_AS.
  4. Copy the ABAP class CL_EXM_IM_HRPAD00AUTH_TIME from the Example Implementation Class field into the Name of Implementing Class field.
  5. Save and assign the implementation to a package.
  6. Activate the Business Add-In implementation.

Details and standard settings

The BAdI is not implemented in the SAP standard delivery; SAP only provides the example implementation class. As long as you do not create a BAdI implementation, the system performs the standard authorization checks for HR master data without additionally restricting the time logic.

The BAdI includes the following methods:

  • CONSIDER_SY_DATUM_EXIT
  • BEGDA_ENDDA_COMPAR_EXIT
  • CONSIDER_TIME_BY_MAX_AUTH
  • RESTRICT_PAYROLL_ACCESS

For more information about the standard settings (filters, single or multiple uses), see the Properties tab in the BAdI Builder (transaction SE18).

III. Setting default authorization periods for Infotypes and Subtypes

Process to define authorization periods in SAP using SPRO, adding new infotype entries like Basic Pay. Shows PA30 limited access to data, 12 months back from April 11, 2021.

If you want to restrict access to the personal data stored in infotypes and subtypes, proceed as follows:

1. Go to Customizing using transaction SPRO and follow the path Personnel Management → Personnel Administration → Tools → Data Privacy → Block → Time-Dependent Blocking of Data. Choose the IMG activity Define default authorization periods for infotypes and subtypes.

2. Choose New Entries and enter an infotype/subtype with the assigned time period in months.

3. Test the access in the master data maintenance, for example using transaction PA30.

Details to the customizing "Define default authorization periods for infotypes and subtypes"

Use

In this Customizing activity you can define the minimum default authorization period with which you can restrict access to the personal data in the past, which is stored in infotypes and subtypes.

Depending on the country grouping, you specify a value (maximum of 30 characters) for the Authorization Period in Month for each infotype and subtype for all users, regardless of their roles.

Standard settings

The table is delivered empty. This means that access authorization for infotype and subtype data is not restricted and no time-dependent blocking of data is performed.

Activities

Check which minimum authorization periods for HR master data are required for all users in your country grouping and define the default authorization periods for each infotype and subtype. No entry means that the access authorization is not restricted.

IV. Setting role-specific authorization periods

Steps in SAP to define role-specific authorization periods: Use SPRO for entries, define ID, link ID to periods, and set roles with specific authorization ID (P_Duration) access.

If your company needs different authorization periods for different roles, you define a time period ID here to identify each authorization period (a code of up to 32 characters). In the Customizing activity Assign Role-Specific Authorization Periods to Time Period IDs, you then create a country-specific Authorization Period in Months (up to 30 characters) for each time period ID.

You use the time period ID in the authorization object Authorization Time Periods for HR Master Data (P_DURATION). Based on the time period ID, you can enhance the default authorization period for displaying and editing HR data in the past, depending on the user roles.

To define IDs for role-specific authorization periods, you have to do the following steps:

a. Go to Customizing using transaction SPRO and follow the path Personnel Management → Personnel Administration → Tools → Data Privacy → Block → Time-Dependent Blocking of Data. Choose the IMG activity Define IDs for role-specific authorization periods.

b. Choose New Entries and enter a name for the Time Period ID, for example PY_10_YEARS_BACK.

c. In the same Customizing node, choose the IMG activity Assign Role-Specific Authorization Periods to Time Period IDs. Enter the Time Period ID, for example PY_10_YEARS_BACK, and assign a Time Period in Months, for example 120.

Activities and Examples

Check which roles in your company need specific authorization periods and create the necessary time period IDs with the related texts.

For example, HR administrators, payroll administrators, and power users all need different authorization periods. The relevant entries in the Customizing views look like this:

Entries per user group

Time Period ID   | Time Period ID Text
HR_ADMIN         | HR Administrator
PAYROLL_ADMIN    | Payroll Administrator
POWER_ADMIN      | Power User
SAP role-specific authorization setup: Use PFCG to assign P_Duration and PY_10_YEARS_BACK for data access in PA30, effective up to 10 years prior to current date, April 11, 2021.

d. Maintenance of the user roles:

Edit the authorizations and use the time period ID to assign the user role a role-specific authorization period. Use the authorization object P_DURATION ("Authorization Periods for HR Master Data") for this.

Example

The figure shows a role with the authorization object P_DURATION as an example. The authorization field ID for Role-Specific Authorization is assigned the ID PY_10_YEARS_BACK. The Infotype authorization field is assigned to 0008 (Basic Pay). If you assign a user this role, he or she will be able to access data records of infotype 0008 (Basic Pay) ten years in the past.

Authorization priorities and periods in SAP: Users have low-level access to all infotypes, higher access for default/role-specific periods, illustrating display/change from April 2010 to April 2021.

1. Priorities of authorization

When setting up HCM authorizations for reading and editing employee data records, there are many different options for customizing settings. In some cases, different customizing settings compete with one another. In this case there is a sequence of priorities, i.e. a sequence of which settings are more highly weighted. This sequence of priorities is as follows:

a) Low Priority: User is authorized to view all data sets.

b) High Priority: Default authorization periods for infotypes & subtypes.

c) Very High Priority: Role-specific authorization periods IDs.

2. Displays & Changes

When Time-Dependent Blocking of Data is in use, a data record can be read and changed only if its start date lies within the authorization period. If only its end date lies within the authorization period, the record can at least be read (display only).

SAP_ALL profile overview: Unlimited access vs. default/role-specific authorization periods, suggesting that SAP_ALL should prioritize longer time period access for complete functionality.

3. The manual profile SAP_ALL

If you assign the manual profile SAP_ALL to a user, you would expect the user to have all authorizations in the current SAP system. This assumption sounds logical for two reasons:

1. Authorizations in AS ABAP are always additive. This means that authorizations, once assigned, can only be supplemented, not restricted.

2. The name of the manual profile SAP_ALL suggests full authorization for this SAP system.

However, neither assumption holds for HCM in general or for Time-Dependent Blocking of Data in particular.

The SAP HCM module has such special requirements that exclusions and restrictions are not unusual. This applies, for example, to the restrictions imposed by the authorization object P_PERNR, to structural authorizations, and also to Time-Dependent Blocking of Data.

Even with the manual profile SAP_ALL, you therefore cannot rely on having all authorizations in the SAP system. In principle, SAP_ALL is restricted by the Time-Dependent Blocking of Data customizing.

Specifically, the following applies:

1. The Customizing activity Define default authorization periods for infotypes and subtypes restricts the SAP_ALL authorization for maintaining and displaying infotypes: SAP_ALL users, too, have only limited access to data records in the past.

2. The Customizing activity Assign Role-Specific Authorization Periods to Time Period IDs extends the SAP_ALL authorization for maintaining and displaying infotypes in the past. SAP_ALL users do not need to be assigned a role with the corresponding Time Period ID (P_DURATION); one entry in the table is sufficient. If there are several entries, the longest time period applies.

Note

If you want users with the manual profile SAP_ALL to keep unlimited access to data records in the past, create an entry with a Time Period in Months of 999 in the Assign Authorization Time Period ID table.
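
How the authorization period is resolved and applied, covering the P_DURATION check sequence described earlier (organizational check, default period, role-specific extension), the priority sequence, the display/change rule and the SAP_ALL behaviour, modeled in Python. This is an added example and not SAP code: the Access auth. flags, default periods, time period IDs, the system date April 11, 2021 and the infotype records are constructed; the subtype entry "*" standing for all subtypes, and the rule that the default period is a minimum which a role-specific ID can only extend, are this model's assumptions.

```python
"""Model of the authorization-period check behind P_DURATION (added example, not
SAP code). The system date, Access auth. flags, default periods, time period
IDs and infotype records below are constructed."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date

MIN_DATE = date(1800, 1, 1)


@dataclass(frozen=True)
class Record:
    """One infotype record: infotype, subtype, BEGDA, ENDDA."""
    infty: str
    subty: str
    begda: date
    endda: date


# Step I (view V_T582A): Access auth. indicator per infotype (constructed)
ACCESS_AUTH = {"0007": True, "0008": True, "0002": False}

# Step III: default authorization periods in months, keyed by
# (country grouping, infotype, subtype); "*" means all subtypes in this model (assumption)
DEFAULT_PERIODS = {("01", "0007", "*"): 24, ("01", "0008", "*"): 12}

# Step IV: time period IDs (P_DURATION field DUR_KEY) -> months (constructed)
ROLE_PERIODS = {"HR_ADMIN": 24, "PY_10_YEARS_BACK": 120}


def months_back(today: date, months: int) -> date:
    """The date `months` months before `today`, clamped to the month end and to 1800."""
    years, month0 = divmod(today.month - 1 - months, 12)
    year = today.year + years
    if year < MIN_DATE.year:
        return MIN_DATE
    day = min(today.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)


def default_period(molga: str, rec: Record) -> int | None:
    """Default period for the record's infotype/subtype; subtype-specific entry wins."""
    exact = DEFAULT_PERIODS.get((molga, rec.infty, rec.subty))
    return exact if exact is not None else DEFAULT_PERIODS.get((molga, rec.infty, "*"))


def effective_months(molga: str, rec: Record, dur_keys: list[str], sap_all: bool = False,
                     role_periods: dict[str, int] = ROLE_PERIODS) -> int | None:
    """Months of past data the user may reach; None means access is not restricted."""
    if not ACCESS_AUTH.get(rec.infty, False):
        return None          # indicator not set: no time-dependent blocking for this infotype
    months = default_period(molga, rec)
    if months is None:
        return None          # no default entry: access is not restricted
    if sap_all:
        # SAP_ALL needs no P_DURATION role; the longest entry in the table applies
        candidates = list(role_periods.values())
    else:
        candidates = [role_periods[k] for k in dur_keys if k in role_periods]
    # the default is a minimum; a role-specific ID extends it (assumption: take the maximum)
    return max([months, *candidates])


def access_level(today: date, molga: str, rec: Record, dur_keys: list[str],
                 sap_all: bool = False, role_periods: dict[str, int] = ROLE_PERIODS) -> str:
    """'change', 'display' or 'none' for one record on the given system date."""
    months = effective_months(molga, rec, dur_keys, sap_all, role_periods)
    if months is None:
        return "change"
    window_start = months_back(today, months)
    if rec.begda >= window_start:
        return "change"      # start date inside the period: read and change
    if rec.endda >= window_start:
        return "display"     # only the end date inside the period: read only
    return "none"


# Constructed records for one employee; system date as in the figures
TODAY = date(2021, 4, 11)
PAY_2010 = Record("0008", "", date(2010, 1, 1), date(2018, 12, 31))
PAY_2019 = Record("0008", "", date(2019, 1, 1), date(2020, 12, 31))
PAY_2021 = Record("0008", "", date(2021, 1, 1), date(9999, 12, 31))
PERSONAL = Record("0002", "", date(1985, 5, 3), date(9999, 12, 31))

if __name__ == "__main__":
    for label, keys, sap_all in [("plain user", [], False),
                                 ("payroll admin", ["PY_10_YEARS_BACK"], False),
                                 ("SAP_ALL", [], True)]:
        levels = [access_level(TODAY, "01", r, keys, sap_all) for r in (PAY_2010, PAY_2019, PAY_2021)]
        print(f"{label}: {levels}")
```

With the 12-month default for infotype 0008, a plain user can change the record starting in 2021, only display the 2019 record (its end date falls inside the window) and not see the 2010 record at all; the PY_10_YEARS_BACK role moves the window back to April 2011, so the 2010 record becomes displayable. A SAP_ALL user gets the longest entry in the table without holding any P_DURATION role, and only an entry of 999 months makes the 2010 record changeable again.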

Create Four HR Master Data Records

Business Scenario

In preparation for the Time-Dependent Blocking of Data topic, four HR master data records must be created. Time-dependent authorizations will then be assigned in later exercises.

Note

In this exercise, when a value or object title contains ##, replace ## with the number your trainer assigned to you.

Steps

  1. Create four master data records for Miriam Schmid with the personnel number 222991## for the infotype 0008 Basic Pay

    1. On the SAP Easy Access screen, enter PA30 in the command field and press ENTER.

    2. For employee Miriam Schmid with personnel number 222991##, select the Basic Pay infotype (0008) and press ENTER.

    3. Copy (Shift+F9) the current HR master data record to PS Group E02 and PS Level 01, with an amount of 2950 €, and set the validity from 01.01.2010 to 31.12.9999.

    4. Save the result and press ENTER several times to confirm the warnings.

    5. Copy (Shift+F9) the new current HR master data record to PS Group E03 and PS Level 01, with an amount of 3050 €, and set the validity from 01.01.<2 years in the past> to 31.12.9999.

    6. Save the result and press ENTER several times to confirm the warnings.

    7. Copy (Shift+F9) the new current HR master data record to PS Group E04 and PS Level 01, with an amount of 4850 €, and set the validity from 01.01.<1 year in the past> to 31.12.9999.

    8. Save the result and press ENTER several times to confirm the warnings.

    9. To check the four HR Master Data records, choose the Overview (Shift+F8) button.

    10. When you choose the Overview (Shift+F8) button, you should see the following Basic Pay (0008) entries:

      Start Date                    End Date      Amount
      01.01.<1 year in the past>    31.12.9999    4850 €
      01.01.<2 years in the past>   31.12.9999    3050 €
      01.01.2010                    31.12.9999    2950 €
      01.01.2009                    31.12.2009    1.457,18 €