Outlining HCM Authorization Checks

Objectives

After completing this lesson, you will be able to:
  • Outline HCM authorization objects
  • Outline the process of checking master data storage on infotypes during authorization checks
  • Outline the authorization check used when HR infotypes are edited or read
  • Outline the personnel number check used to control user access to personal information

HCM Authorization Objects

The figure Authorization Objects shows a number of authorization objects that you can use to define authorizations for SAP ERP HCM. Display these authorization objects using transaction SU21 (HR object class) in the SAP system.

Authorization objects enable complex checks of an authorization, which allow a user to carry out an action. An authorization object groups up to 10 authorization fields that are checked in an AND relationship.

For a successful authorization, all field values of the authorization object must be maintained by the individual responsible for the configuration of authorizations. Authorization object fields are not considered input fields on a screen. Instead, they are system elements, such as infotypes, which must be protected.

Note

In the SAP documentation, you can find information about maintaining authorization values.

You can define as many system access authorizations as you need for an object by creating several allowed values for the fields in the object. These value sets are called authorizations. The system checks these authorizations in OR relationships.

Master Data Authorizations

The HR: Master Data authorization object is used during the authorization check on HR infotypes. The authorization check takes place when HR infotypes are edited or read. The system queries the contents of the fields during the check.

Authorization Levels

The Authorization level field specifies the access mode. The following authorization levels exist:

Authorization Levels

Authorization Level | Description | Access Mode
R | Read | Read access
M | Matchcode | Read access using input help (F4)
W | Write | Write access
E and D | Enqueue and Dequeue | Write access using the asymmetrical double-verification principle; E allows the user to create and change locked data records, D allows the user to change lock indicators
S | Symmetrical | Write access using the symmetrical double-verification principle
* | All authorization levels | Always includes all other authorization levels simultaneously

Extended Check Authorization

The system uses the object HR: Master Data – Extended Check during the authorization check on HR infotypes. The checks take place when HR infotypes are edited or read.

The fields SACHA, SACHP, SACHZ, and SBMOD are filled from the Organizational Assignment infotype (0001). This infotype has time-dependent specifications and an authorization may exist only for certain time intervals, depending on the user’s authorization. A user’s period of responsibility is represented by all the time intervals for which the user has P_ORGXX authorizations.

All administrators responsible for an organizational area in Personnel Administration are grouped together in the administrator group.

In an SAP standard system, this extended check is not active. You can use the main authorization switch (transaction OOAC) to determine whether this check is to be carried out in addition to or instead of the HR: Master Data Check.

If the additional check is activated, the system performs an authorization check according to HR: Master Data. If the check result is positive, the system performs a further check according to HR: Master Data – Extended Check.

Personnel Number Check

The authorization object HR: Master Data – Personnel Number Check is used when you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, this check directly overrides all other checks except for test procedures.

The following values are possible for the PSIGN field:

  • I = Authorization for the user's own personnel number is included.
  • E = Authorization for the user's own personnel number is excluded.

You can assign a user a personnel number using infotype 0105, subtype 0001.

The HR: Master Data – Personnel Number Check does not take place for a user who is not assigned to a personnel number, or if the user accesses a personnel number other than his or her own. This check is irrelevant for personnel numbers that are not assigned to a user.

Personnel Number Check – Example 1

The figure Personnel Number Check – Example 1 illustrates a user who is an administrator responsible for the basic pay (infotype 0008) of a personnel area. The user has the corresponding HR: Master Data authorization for personnel area CABB. The user must be able to display personal data at all times but must not be able to change his or her own basic pay, regardless of the personnel area of responsibility.

The authorization for the object HR: Personnel Number Check must be set as indicated in this example.

This authorization enables the following infotype access:

  • The first authorization grants the user read authorization for all infotypes stored under the user’s personnel number.
  • The second authorization denies write authorization for all data records of infotype 0008 stored under the user’s personnel number.

Hint

If you use personnel number-based authorizations, you must first set up all the authorizations that are not based on personnel numbers. Then, you must create different access authorizations for the personnel numbers assigned to users using appropriate P_PERNR authorizations. The P_PERNR authorizations override all other authorizations directly (except test procedures).

Personnel Number Check – Example 2

In this example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area. The user has the corresponding HR: Master Data authorization for personnel area 3000. The user must be able to display personal data at all times but not be able to change his or her own basic pay, regardless of the personnel area of responsibility.

The authorization for the object HR: Personnel Number Check must be set as in this example.

This authorization enables the following infotype access:

  • The first authorization grants the user read authorization for all infotypes stored under the user’s personnel number.
  • The second authorization denies write access to all data records of infotype 0008 for the user’s own personnel number if the user becomes responsible later for the personnel area to which he or she belongs.
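The decision logic of this lesson (fields ANDed within an authorization, authorizations ORed per object, the extended check run in addition to or instead of HR: Master Data, and P_PERNR overriding both for the user's own personnel number), as an added simulation built around Example 1; it is not SAP code. P_ORGIN is the technical name of HR: Master Data, and AUTHC, INFTY, PERSA, SACHA and PSIGN are real field names, but the user, personnel numbers and administrator group values are constructed, and the rule that an E authorization outranks an I authorization for the same access is an assumption of this example.

```python
WILDCARD = "*"  # a '*' value grants every value of that field (the '*' authorization level too)

def field_ok(allowed, value):
    return WILDCARD in allowed or value in allowed

def auth_matches(auth, request):
    # Fields of one authorization are checked in an AND relationship (PSIGN is the P_PERNR result, not a field to match).
    return all(field_ok(auth[f], request[f]) for f in auth if f != "PSIGN")

def any_matches(auths, request):
    # Several authorizations for the same object are checked in an OR relationship.
    return any(auth_matches(a, request) for a in auths)

def master_data_check(user, req, extended="off"):
    # HR: Master Data (P_ORGIN) plus HR: Master Data - Extended Check (P_ORGXX) as set by the OOAC switch.
    org = {"INFTY": req["INFTY"], "AUTHC": req["AUTHC"], "PERSA": req["PERSA"]}
    ext = {"INFTY": req["INFTY"], "AUTHC": req["AUTHC"], "SACHA": req["SACHA"]}
    if extended == "instead":
        return any_matches(user["P_ORGXX"], ext)
    ok = any_matches(user["P_ORGIN"], org)
    if ok and extended == "additional":  # second check only after a positive first one
        ok = any_matches(user["P_ORGXX"], ext)
    return ok

def access_check(user, req, pernr_check=True, extended="off"):
    # P_PERNR is consulted only for a user with a personnel number accessing that own number.
    if pernr_check and user.get("PERNR") is not None and user["PERNR"] == req["PERNR"]:
        own = {"INFTY": req["INFTY"], "AUTHC": req["AUTHC"]}
        signs = {a["PSIGN"] for a in user["P_PERNR"] if auth_matches(a, own)}
        if "E" in signs:  # assumption of this example: an exclusion outranks an inclusion
            return False
        if "I" in signs:  # I grants directly, without any further check
            return True
        # no P_PERNR authorization covers this access: the ordinary checks decide
    return master_data_check(user, req, extended)

# Constructed user from Example 1: basic-pay administrator for personnel area CABB,
# assigned personnel number 10001 via infotype 0105 subtype 0001 (all values invented).
ADMIN = {
    "PERNR": "10001",
    "P_ORGIN": [{"INFTY": {"*"}, "AUTHC": {"R", "W"}, "PERSA": {"CABB"}}],
    "P_ORGXX": [{"INFTY": {"*"}, "AUTHC": {"R", "W"}, "SACHA": {"A01"}}],
    "P_PERNR": [
        {"INFTY": {"*"}, "AUTHC": {"R"}, "PSIGN": "I"},     # may always read own data
        {"INFTY": {"0008"}, "AUTHC": {"W"}, "PSIGN": "E"},  # may never change own basic pay
    ],
}

def request(pernr, infty, authc, persa="CABB", sacha="A01"):
    return {"PERNR": pernr, "INFTY": infty, "AUTHC": authc, "PERSA": persa, "SACHA": sacha}
```

Running `access_check(ADMIN, request("10001", "0008", "W"))` returns False even though the user's own number lies in CABB, while the same write on a colleague's number in CABB is granted by P_ORGIN.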

Flowchart: Personnel Number Check