Optimizing HR Authorizations

Objectives

After completing this lesson, you will be able to:
  • Evaluate HR authorization profiles
  • Outline the setup for employee views of data in ESS
  • Restrict the maintenance of user data by the user
  • Outline the use of checks based on infotype subtypes
  • Outline the setup of authorizations for batch input sessions
  • Recognize the redundant read of objects
  • Outline customer enhancements available using business add-ins (BAdIs)

HR Authorization Workbench

Transaction HRAUTH enables you to evaluate the HR authorization profiles that exist for a user. This includes the structural authorization profiles as well as the HR Basis authorization profiles that are assigned to the user directly (using role maintenance) or indirectly (in Organizational Management).

In the HR Authorization Workbench, you can access several functions that enable selective evaluation of the authorization profiles. You can display the following information among other things:

  • The complete list of authorization main switches with the values set for them (in the function bar on the selection screen).

  • All of the persons assigned to the user in the Communication infotype (0105) (in the function bar on the selection screen).

  • The organizational units with which the user is related.

  • The structural authorization profiles.

  • The user's role assignments and standard profiles.

  • The authorizations based on HR authorization objects (of Personnel Administration/Personnel Planning - multiple selection is possible).

How to Evaluate HR Authorization Profiles

The Authorizations Workbench is a graphical tool that can be used to run many reports from one location. It is meant to be more user-friendly than the report menu accessed by transaction code SUIM. If students are familiar with SUIM but haven’t seen the Workbench, they should find it much easier to use.

Employee Self-Service

Prerequisites: The AUTSW PERNR main switch must be activated to enable the authorization check by personnel number.

The user assignment for all employees who use the SAP Employee Self-Service must be maintained in infotype 0105.

Users who are not administrators should not be granted P_ORGIN authorizations.

Every employee who uses the SAP Employee Self-Service is granted the two authorizations mentioned for the P_PERNR authorization object: the first authorization grants the employee read authorization for all infotypes that are stored under the employee's own personnel number; the second grants write authorization for all data records of infotype 0006 under the employee's own personnel number.

Data Maintenance

Prerequisites:

The AUTSW PERNR main switch must be activated to enable the authorization check by personnel number.

The user assignment for the corresponding administrator must be maintained in infotype 0105.

Each employee affected is granted the P_PERNR authorization shown in the figure No Maintenance of Own Data By Administrator.
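The following Python model is an added example, not part of the course material or SAP code: it shows how the two ESS authorizations (read everything, write only infotype 0006) and the administrator's exclusion from their own data behave under a simplified P_PERNR check. The check semantics (own personnel number only, E before I, fall-through to P_ORGIN otherwise) and all personnel numbers are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PPernr:
    """One P_PERNR authorization (field names as in the SAP object)."""
    authc: str  # authorization level, e.g. R (read) or W (write)
    psign: str  # I = include own personnel number, E = exclude it
    infty: str  # infotype, or the generic value '*'
    subty: str  # subtype, or '*'


def sap_match(pattern, value):
    """Generic authorization value matching: a trailing '*' matches any rest."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def check_p_pernr(pernr_switch_on, own_pernr, target_pernr, level, infty, subty, auths):
    """Simplified model of the P_PERNR check (an assumption, not SAP's code).

    P_PERNR only applies when the target is the user's own personnel number,
    as linked in infotype 0105, and only while main switch AUTSW PERNR is on.
    E (exclude) has priority over I (include); with no matching authorization
    the decision falls through to the general objects such as P_ORGIN, which
    ESS users do not hold.
    """
    if not pernr_switch_on or own_pernr is None or own_pernr != target_pernr:
        return "NOT_RELEVANT"
    hits = [a for a in auths
            if sap_match(a.authc, level) and sap_match(a.infty, infty)
            and sap_match(a.subty, subty)]
    if any(a.psign == "E" for a in hits):
        return "DENY"
    if any(a.psign == "I" for a in hits):
        return "GRANT"
    return "NOT_RELEVANT"


# Constructed data: ESS employee 1001 holds the two authorizations from the text.
ESS_AUTHS = [PPernr("R", "I", "*", "*"), PPernr("W", "I", "0006", "*")]
# Administrator 2002 maintains everyone via P_ORGIN (not modelled here) but is
# excluded from writing their own records, as in the Data Maintenance section.
ADMIN_AUTHS = [PPernr("W", "E", "*", "*")]
```

Running the ESS user against a write on infotype 0002 returns NOT_RELEVANT, which in practice is a rejection because such users hold no P_ORGIN.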

Authorizations for an Infotype Subtype Check

Problem:

For certain infotypes (such as 0014, 0015, and 2010), you can create a new record without specifying a subtype when you first call the individual record maintenance. If an administrator creates a new record this way, the authorization check consequently runs with the subtype <BLANK>. This often means that users with limited subtype authorizations cannot open the infotype screen at all. There are two ways to avoid this:

  1. Users always explicitly specify a subtype for which they have authorization.

  2. Users are granted an additional authorization for the dummy subtype <BLANK>.

Hint

Solution 2 is preferred. In principle, users are not granted any unnecessary authorization by this, since <BLANK> does not exist as a real subtype, and the actual subtype is always checked explicitly when users access existing data records and when they create new ones.

Authorizations for Batch Input Sessions

You can define report-specific prefixes to protect batch input sessions. The prefix is placed in front of the actual session name and can later be checked generically. This ensures that sessions are not processed by users who lack authorization for them.

Using the object Batch Input Authorizations (technical name: S_BDC_MONI) in the object class Basis Administration, you can create authorizations based on the session name and actions, for example, processing a batch input session or displaying a processing log.

You can define report-specific prefixes using the BIMAP feature to protect batch input sessions. The prefix is set before the actual session name and is then checked generically by the Batch Input Authorizations object. Example: The session name MEYERS becomes HR2MEYERS if a corresponding entry exists in the feature.

In the example shown in the figure Authorizations for Batch Input Sessions, the system proposes the HR2 prefix for the session name of the RPITUM00 program. All other programs do not use a prefix.

Hint

The BIMAP feature is delivered by SAP with an empty decision tree.
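As an added example (not SAP code and not part of the course), the Python below models the interplay of a customer-maintained BIMAP decision tree and the S_BDC_MONI check: the prefix decided per program becomes part of the session name, and the authorization's generic session-name value then separates HR sessions from everything else. The field names BDCAKTI and BDCGROUPID are those of the real object; the decision tree contents, the second program name and the user authorizations are constructed.

```python
# Constructed BIMAP-style decision tree: program name -> session prefix. SAP
# delivers the feature with an empty tree, so every entry here is customer-defined.
BIMAP = {"RPITUM00": "HR2"}


def session_name(program, name):
    """Return the batch input session name after the BIMAP prefix is applied."""
    return BIMAP.get(program, "") + name


def sap_match(pattern, value):
    """Generic authorization value matching: a trailing '*' matches any rest."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def check_s_bdc_moni(auths, activity, group_id):
    """Model of the S_BDC_MONI check (an assumption, not SAP's code): each
    authorization carries BDCAKTI (activity, e.g. ABTC = process session,
    ANAL = analyse log) and BDCGROUPID (session name, checked generically)."""
    return any(sap_match(a["BDCAKTI"], activity)
               and sap_match(a["BDCGROUPID"], group_id)
               for a in auths)


# Constructed authorizations: HR batch administrator vs. a batch user outside HR.
HR_BATCH_ADMIN = [{"BDCAKTI": "*", "BDCGROUPID": "HR2*"}]
OTHER_BATCH_USER = [{"BDCAKTI": "ABTC", "BDCGROUPID": "FI*"}]
```

Note that a session created by a program without a BIMAP entry keeps its bare name (MEYERS), so the HR administrator's HR2* authorization does not cover it either.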

Redundant Read of Objects

To avoid unnecessary loss of performance, ensure that there are as few redundancies as possible when you define structural authorizations. In other words, the entries for a user in table T77PR should not overlap if possible (refer to the figure Redundant Read of Objects). This type of profile (several evaluation paths used) is often used to implement authorization requirements that cannot be met using a standard evaluation path.

In the present example, the profile needs to contain authorization for organizational units, jobs, positions, and persons. This combination is not covered by any standard evaluation path, which is why the two evaluation paths in the graphic are used.

However, this can slow down building the set of objects for the structural authorization because specific objects (O, S) are read several times. If the O-S-P and O_O_S_P evaluation paths are used simultaneously, organizational units (O) and positions (S) are read redundantly while the set of objects is built.

Proposed Solution:

You can avoid this if you define your own evaluation path that meets all the requirements of the authorization profile and reads the necessary objects only once. In the example used here, you could define a Z_O_S_C_P evaluation path, for instance.
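To make the redundant read concrete, here is an added Python model (not from the course or from SAP) that walks evaluation paths over a small constructed org structure and counts how often each object is read when a profile contains two overlapping T77PR entries, versus one custom path that reaches the same objects. The object graph, the step lists of the two stand-in paths and the Z path are constructed for this illustration and are not the SAP-delivered definitions; the relationship codes (B002, B003, B007, A008) are the usual SAP ones.

```python
from collections import Counter

# Constructed org model: object -> outgoing relationships. Relationship codes
# assumed as in SAP: B002 is line supervisor of (O->O), B003 incorporates
# (O->S), B007 is described by (S->C), A008 holder (S->P).
RELATIONS = {
    ("O", "1"): [("B002", ("O", "2")), ("B003", ("S", "10"))],
    ("O", "2"): [("B003", ("S", "20"))],
    ("S", "10"): [("B007", ("C", "500")), ("A008", ("P", "100"))],
    ("S", "20"): [("B007", ("C", "500")), ("A008", ("P", "200"))],
}

# Evaluation paths as ordered steps (source type, relationship, target type).
# Step lists are constructed to mirror the lesson's scenario: the first path
# delivers O, S and P, the second O, S and C, the Z path all four at once.
PATH_O_S_P = [("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "P")]
PATH_O_O_S_C = [("O", "B002", "O"), ("O", "B003", "S"), ("S", "B007", "C")]
PATH_Z_O_S_C_P = [("O", "B002", "O"), ("O", "B003", "S"),
                  ("S", "B007", "C"), ("S", "A008", "P")]


def walk(root, path, reads):
    """Collect the objects reachable from root along path, counting each
    object read into reads (one read per object per path evaluation)."""
    found, queue = {root}, [root]
    while queue:
        obj = queue.pop(0)
        reads[obj] += 1  # the database read that costs performance
        for src, rel, tgt in path:
            if src != obj[0]:
                continue
            for code, child in RELATIONS.get(obj, []):
                if code == rel and child[0] == tgt and child not in found:
                    found.add(child)
                    queue.append(child)
    return found


def build_profile(entries):
    """entries: list of (root object, path), like the T77PR rows of one profile.
    Returns (authorized objects, objects read more than once with their count)."""
    reads, objects = Counter(), set()
    for root, path in entries:
        objects |= walk(root, path, reads)
    redundant = {obj: n for obj, n in reads.items() if n > 1}
    return objects, redundant
```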

Customer Enhancements Using BAdIs

You can find the BAdI HRPAD00AUTH_CHECK in the Implementation Guide (IMG) for Personnel Management under Personnel Administration → Tools → Authorization Management → BAdI: Set Up Customer-Specific Authorization Check. You can find information on implementing a BAdI in the documentation of the corresponding IMG activity. As soon as an implementation of this BAdI is active, all HR master data authorization checks of the standard system are switched off, and only the activated implementation is performed instead.

As with the general authorization checks, you can also implement a customer-specific check procedure for the structural authorization check using a BAdI. You can find the Business Add-In HRBAS00_STRUAUTH in the IMG for Personnel Management under Organizational Management → Basic Settings → Authorization Management → Structural Authorization → BAdI: Structural Authorization. You can find information on implementing a BAdI in the activity documentation.

The BAdI HRBAS00_GET_PROFL is of particular interest if you implement the context solution: it means that you do not need to maintain table T77UA (User Authorizations). You can find the BAdI in the Implementation Guide (IMG) for Personnel Management under Organizational Management → Basic Settings → Authorization Management → Structural Authorization → BAdI: Define Assigned Structural Profiles. You can find information on implementing a BAdI in the documentation of the corresponding IMG activity.