Solving Context-Sensitive Authorizations

Objectives

After completing this lesson, you will be able to:

Outline issues related to the technical separation of general and structural authorization profiles
Outline how using context authorization objects can solve authorization issues
Generate context authorization objects

Context Authorization Issues

The technical separation of general and structural authorization profiles can cause context problems for users who perform different roles in a company. This is because you cannot simply add any number of structural and general authorization profiles required for different tasks in different contexts without overriding an authorization.

Consider a user who is a manager in the Accounting department. The user must be authorized to edit infotypes 0000 through 0007 of all the employees in the department. This user is also a manager for another organizational structure, Payroll. The user must have access to all payroll-relevant infotypes (0008 and 0015) for the employees in this organizational structure.

You cannot map the structural and general authorizations for such a user without the context solution because there is no relationship between a user’s structural profile and basis authorization. The missing relationship leads to overriding.

Context Problems in HR Authorizations (2)

You cannot create an assignment between a user’s specific structural profile (here, for example, structural profile 2) and a specific general profile (profile 2 with P_ORGIN).

The structural profiles (that is, the set of objects) and the general profiles (in this case, using P_ORGIN) are added to result in the overall profile. In the example shown in the figure, the manager has full read and write authorization for all objects from both the structural profiles.

When the authorization profiles are added, the following overall profile is produced:

All employees in the manager’s team and organizational structure
Full read and write authorization for infotypes 0000 to 0008 and for 0015

If you use a separate user for each context, it is easier to map different contexts or roles with the correct authorizations. For example, if the manager wants to perform activities as an accounting manager, the manager uses manager's user name. If the manager wants to perform the role of a payroll manager, the manager uses a second system user with the respective authorizations.

You may need many users to map the user-specific contexts in your organization. Therefore, the context solution has been developed for HR master data.

The Context Authorization Solution

The context solution is the context-sensitive realization of authorizations for HR master data. It enables you to do the following:

Avoid overriding authorizations unintentionally.
Relate individual general and structural authorization profiles to each other.

The context solution creates a technical connection between general and structural authorization profiles using special context-authorization objects. These context-authorization objects differ from the P_ORGIN and P_ORGXX authorization objects as they contain an additional field PROFL. You can enter structural profiles in this field.

Context Authorization Objects

The system uses the HR: Master Data with Context authorization object during the authorization check on HR infotypes. The check takes place when HR infotypes are edited or read. The system queries the contents of the fields during the authorization check.

You can use the authorization profile field, PROFL, to determine the structural profiles that a user is authorized to access.

In the standard system, the check of the HR: Master Data with Context authorization object is not active. You use the INCON authorization main switch to control the use of P_ORGINCON.

Hint

The structural profiles assigned to a user are determined from the T77UA User Authorizations (Assignment of Profile to Users) table. Therefore, you must only use structural profiles that are entered in this table in the PROFL field of the context authorization objects.

HR: Extended Check with Context

The system uses the HR: Extended Check with Context authorization object during the authorization check on HR infotypes. The check takes place when HR infotypes are edited or read.

The authorization profile field, PROFL, determines the structural profiles that the user is authorized to access.

In the standard system, HR: Extended Check with Context is not active. You use the XXCON authorization main switch to control the use of P_ORGXXCON.

Main Authorization Switches for the Context Solution

The figure Authorization Main Switches shows the standard switch settings.

You can edit the standard switch settings using transaction OOAC or in Customizing for Personnel Administration under Tools→Authorization Management→Edit Authorization Main Switch.

Authorization Main Switches

INCON: This switch controls whether the HR: Master Data with Context object should be used in the authorization check.
XXCON: This switch controls whether the HR: Extended Check with Context object should be used in the authorization check.
NNCON: This switch controls whether a customer-specific authorization object with context should be used in the authorization check.
DFCON: This switch controls how the authorization check should be run for persons in the 99999999 default position.

Create Customer-Specific Object with Context

Create the authorization object with transaction SU21, ensuring that you keep to the customer name range (Z/Y). To use the new authorization object you have created in the master data authorization check, the object must contain the INFTY, SUBTY, AUTHC, and PROFL fields.

The authorization profile field, PROFL, determines the structural profiles that the user is authorized to access.

In the standard system, the check of this object is not active. You can use the NNCON authorization main switch to control the use of your authorization object.

If you use customer-specific authorization objects, you must maintain these objects in transaction SU24 (Maintain Assignment of Authorization Objects to Transactions) in the same way as you maintain the authorization objects P_ORGIN, P_ORGXX, and P_PERNR.

Generate Context Authorization Objects

ExerciseStart Exercise

Business Scenario

Managers in charge of several departments should have different access authorizations in the respective departments for the master data of employees under their supervision.

Hint

The prerequisite for this exercise is that the "HR: Authorization main switch" ORGIN=0 and INCON=1 is set.

Continue to quiz