Defining Authorization in Payroll Control Center

Objective

After completing this lesson, you will be able to define authorization in Payroll Control Center

Authorization in the Payroll Control Center

Introduction to this Unit

In Unit 5 Defining Payroll Control Center Roles, you learned how to create custom roles by copying roles from the standard PCC delivery with the transaction PFCG. In this unit, you will get acquainted with the user's authorization to work with PCC. An authorization enables you to execute certain functions in the SAP system. Every authorization relates to an authorization object and defines a value or values for each authorization field contained in the authorization object. Authorizations are grouped into profiles that are entered in the user master record. If you use the Profile Generator to define your authorizations, it automatically selects the authorization objects checked for your selected transactions. As a rule, security administrators are responsible for creating users and roles and assigning roles to users. However, knowing the details of the check made for each authorization object is still important. Below is an overview of the most important transactions and authorization objects checked for various PCC related activities and roles.

User and Roles

To log on to the SAP system, a user must have a user master record and a corresponding password. In the user master record, a user menu and the related authorization profiles are assigned to the user. This is done by assigning the user to one or several roles.

The following list defines the terms that are relevant to user master records:

  • A role is a collection of activities that allow a user to participate in one or more business scenarios in the organization. The assignment of users to roles safeguards the integrity of business data.
  • User menus provide access to the transactions, reports, or web-based applications contained in the roles. A user menu should have only the functions a user typically performs at work.
  • An authorization profile is generated for the activities contained in the role. This authorization profile defines the boundaries where users may perform actions in the SAP system.
  • The role assignment authorizes what the assigned users can access in the Authorization Profile.
The image describes the relation between users and roles in the system. It illustrates that you need a user first before you can create a role. This is done with transaction SU01 for the user and transaction PFCG for the role. Then you go back to the user menu and assign roles in the authorization profile.

The Most Important PCC Authorization Objects

The table Authorization Objects in the image shows several authorization objects you can use to define authorizations for PCC. Display these authorization objects using transaction SU21 (HR object class) in the SAP system.

Authorization objects enable complex checks of an authorization, which allow a user to carry out an action. An authorization object groups up to 10 authorization fields checked in an AND relationship. For a successful authorization, all field values of the authorization object must be maintained by the individual responsible for the configuration of authorizations. Authorization object fields are not considered input fields on a screen. Instead, they are system elements, such as infotypes, which must be protected.

You can learn the fundamentals of the authorization concept for SAP S/4HANA and SAP Business Suite in the course ADM940, and the HCM-specific aspects of authorization in the course HR940.

The image displays the table Authorization Objects, opened with transaction SU21, listing the various authorization objects that can be used to define permissions for PCC.

Transaction SU21

The image shows the screen for Transaction SU21.

Creating and Updating New Roles

Next, let’s look at the full path (5 steps) for creating new roles.

The image illustrates the process steps which are used to update a role. This all happens using transaction PFCG.

Create Role Menu: Add Transaction

Start transaction PFCG. Provide a name for the new role (do not enter a name that begins with a namespace prefix or the prefix SAP). Choose the Create Single Role / Change button. Enter a description of the function of the role.

On the Menu tab, assign transactions, reports, programs, Internet links, and intranet links to the role. The system automatically uses the role menu structure activities to create the authorizations.

When creating new roles, we usually provide several transactions for the role. To do this, we only need to add the transactions to the menu. The system automatically collects all necessary authorization objects, so the consultant only needs to supply the transaction-specific information. Different organizations are required for different countries.

Steps:

  1. Choose the Menu tab
  2. Choose the Transaction button
  3. Provide the transaction code on the next screen
  4. Choose the Assign Transaction button
  5. Save your entry
The image shows 2 screens that are related to providing transactions to roles. This is done with transaction PFCG.

Create Role Menu: Add a New Link (UI5 Application Link)

We need to provide authorization for our front-end application. For example, for "My Process" we need to identify the code of the application. The image below shows how to obtain the correct name for any application: call the transaction, find the correct service text, and copy the link to the role.

Steps:

  1. Start transaction SICF
  2. Find the required service
  3. Choose the option Test Service from the Context Menu
The image shows that with another transaction, SICF, you can apply links to certain roles.

Next, you’ll copy the link to the role.

Steps:

  1. On the Menu tab, choose the Insert Node option
  2. Choose Other from the Picklist
  3. Then choose Web address or file
  4. Provide the UI5 Application link and text on the pop-up window
  5. Choose the Apply (Entry) button
  6. Save your entries
The image shows in 2 screens how to add a new link to a role with transaction PFCG

Create Role Menu: Provide the OData Service Access

Next, you’re ready to provide the OData service access.

  1. Choose the Insert Node option.
  2. Choose Authorization Default. Services related to Authorization Default do not appear in the end user's menu; they provide authorization for the back-end OData services.
  3. On the pop-up window, choose Hash value for the TADIR object (HT TADIR service) as SRV_TYPE and IWSV SAP Gateway Business Suite Enablement as Object Type.
  4. Enter mask PYC* and choose the required service name from the picklist.
  5. Choose the Copy button
  6. Choose the Copy button one more time
  7. Save your entries
The image shows the following with two screens: For new roles and the related role based menu, you must add the OData service access for the role.

Next, you’ll repeat the same sequence of steps for Object Type IWSG SAP Gateway Service Group Metadata, providing the information for this second object.

The image shows, in four screens, how to complete adding the OData service to a role.

Access the OData Services for Manage Configuration App

You must provide links that correspond to the services. Links are dependent on the object types and services. The image shows the objects that have to be assigned to the roles and users for whom you’re planning to grant configuration tool access.

The image shows this table of objects and the services they correspond to.

Role Menu with Access to All OData Services in Manage Configuration

This is what the menu looks like for the role with authorization for manage configuration application.

The image shows an example of a Role Menu with access to all OData Services in Manage Configuration.

Role Menu with Access to Specific OData Service in the Manage Configuration App

Next, let’s look at how to access specific OData services in Manage Configuration.

The image shows an example of a Role Menu with access to selected OData Services in Manage Configuration.

Configure Authorization

Now, it’s time to provide authorization. The system will collect all necessary authorization objects, so you just need to provide some attributes for the authorization objects. The image below shows how to go to the authorization profile.

Steps:

  1. Choose the Authorizations tab
  2. Choose the Change Authorization Data button
The image shows a screen with the steps for accessing the authorization profile.

Check and Add the Required Authorization

The system automatically assigns the required authorization objects to the authorization profile. Check and add the required authorization and save your entries.

You need to add some authorization objects manually and then provide some attributes for these authorization objects. Add Authorization Object P_PYT_CFG PCC: Authorization for Configuration Application manually to the Role Authorization Profile. Provide the required values for the authorization object fields.

The image shows three screens with the following: after the authorization objects have been assigned automatically, a user must check and add the required authorizations and save this step. Users might need to add some authorization objects manually and then provide some attributes for these authorization objects.

Generate Authorization

Choose Generate to generate an authorization profile for the authorizations. You are prompted for an authorization profile name. The system proposes a valid name in the customer name space.

Leave the tree display after the profile generation. If you change the menu selection and call the authorization tree display again, the authorizations for the new activities are added to the existing authorizations. Traffic lights may be switched to yellow because new, incomplete authorizations appear in the tree display. Assign values manually or delete them. Delete an authorization by deactivating it first and then deleting it.

The image shows that a user in transaction PFCG chooses the Generate option to generate an authorization profile for the authorizations. Users are prompted for an authorization profile name. The system proposes a valid name in the customer name space.

Assign and Compare User

On the User tab, assign users to the role. The user menu appears when the assigned user logs on to the system. The system automatically enters the generated authorization profiles in the user master record of this user when you compare the user master. Assign the user to this role and transfer the authorization profile to this user. Then you only need to test this role.

The image shows two screens. First, with transaction PFCG, users are assigned to roles. The system automatically enters the generated authorization profiles in the user master record of this user when you choose User Comparison in PFCG. Screen two shows transaction SU01 and that a role is tested.

Verification of Authorization Assigned to Users

Test Role and Authorization

In this next step, you will test the new role that will be applied to the user. This is the last step to check that everything is working properly.

The image shows where we are in the process of testing roles and authorizations. We are now at the generate authorization step. This process started with transaction PFCG.

Useful Authorization Tools

The following three transactions are helpful tools for working with authorizations.

  • Transaction SUIM enables complex searches across users, roles, transactions, and authorization objects.
  • Transaction SU53 is used for authorization issues. If someone tries to execute a transaction and receives a "not authorized to use transaction xxxx" error message, they can call the transaction, and the missing authorization objects and transaction codes will be displayed.
  • Transaction /IWFND/ERROR_LOG is used to check SAP Gateway error logs.

As described earlier, to apply best practices, consultants must run the PYC_GENERATE_PROVIDER report. First of all, they need to check whether they have the appropriate authorization.

If consultants discover that they do not have authorization for the PYC_GENERATE_PROVIDER report, they should follow the instructions in the next simulation.

Business Example

This practice shows how to provide authorization for the Generate Provider Sources report.

Business Example

This practice shows how to check the authorization for the Generate Provider Sources report.

Test User Account

Once a test user has been assigned to a role and a comparison has been performed, the role and authorization must be tested. To do this, log in under a test user account and carefully check how the transactions, links, and services assigned to the role work.

The image shows, in four screenshots, the test under a test user account of the transactions, links, and services assigned to the role.

Full Authorization in Manage Configuration

For a full authorization, you will use Manage Configuration. For example, test user Z10_ADMIN got access to maintaining all objects in the Manage Configuration app.

The image shows, in four screenshots, how Manage Configuration is used to verify full authorization.

Authorization Only for Validation Rule

Another role was assigned to another test user, Z10_VALRULE, who only got access to maintain validation rules in the Manage Configuration app. After thorough testing of the role, it can be assigned to the business users.

The image shows in three screenshots how an authorization for a user can be restricted to maintain validation rules in the Manage Configuration app.
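The authorization object description earlier (fields checked in an AND relationship, all fields maintained) and the two test users above can be modelled to make the check semantics concrete. This is an added example, not code from the lesson or from SAP: the field keys "activity" and "category", the activity labels, the role names and the extra users Z10_INCOMPLETE and Z10_NOROLE are assumptions; only P_PYT_CFG, Display/Edit, the category codes AN, DN, KP, VR and the users Z10_ADMIN and Z10_VALRULE come from the lesson.

```python
"""Model of the SAP authorization check for the PCC object P_PYT_CFG.

Constructed example for this lesson: field keys, activity labels and role
contents are illustrative; the object name, the Display/Edit activities,
the category codes and the two lesson test users are from the text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# PCC: Configuration Type Category values named in the lesson
ALL_CATEGORIES: Set[str] = {"AN", "DN", "KP", "VR"}


@dataclass
class Authorization:
    """One authorization: a set of permitted values for each field of an
    object. A field left unmaintained (absent) can never satisfy a check."""
    obj: str
    fields: Dict[str, Set[str]]


@dataclass
class Role:
    name: str
    profile: List[Authorization]  # the generated authorization profile


@dataclass
class User:
    name: str
    roles: List[Role] = field(default_factory=list)  # PFCG User tab + comparison


def _permits(auth: Authorization, required: Dict[str, str]) -> bool:
    """All fields of an object are ANDed: every required value must be
    permitted ('*' is the SAP full-authorization wildcard)."""
    for name, value in required.items():
        permitted = auth.fields.get(name)
        if permitted is None:  # field not maintained -> check fails
            return False
        if "*" not in permitted and value not in permitted:
            return False
    return True


def authority_check(user: User, obj: str, **required: str) -> bool:
    """Succeeds if ANY authorization for `obj` in ANY assigned role permits
    the whole combination of required field values."""
    return any(auth.obj == obj and _permits(auth, required)
               for role in user.roles for auth in role.profile)


def users_with_object(users: List[User], obj: str) -> List[str]:
    """What SUIM 'Users by Complex Selection Criteria > By Authorizations'
    lists for an authorization object: every user holding it in any role."""
    return sorted(u.name for u in users
                  if any(a.obj == obj for r in u.roles for a in r.profile))


def build_sample_users() -> Dict[str, User]:
    """Constructed roles mirroring the lesson's test users (role names assumed)."""
    full = Role("Z10_ADMIN_ROLE", [Authorization("P_PYT_CFG", {
        "activity": {"Display", "Edit"}, "category": set(ALL_CATEGORIES)})])
    valrule_only = Role("Z10_VALRULE_ROLE", [Authorization("P_PYT_CFG", {
        "activity": {"Display", "Edit"}, "category": {"VR"}})])
    # category field never maintained: the incomplete (yellow) authorization
    incomplete = Role("Z10_INCOMPLETE_ROLE", [Authorization("P_PYT_CFG", {
        "activity": {"Display"}})])
    return {
        "Z10_ADMIN": User("Z10_ADMIN", [full]),
        "Z10_VALRULE": User("Z10_VALRULE", [valrule_only]),
        "Z10_INCOMPLETE": User("Z10_INCOMPLETE", [incomplete]),
        "Z10_NOROLE": User("Z10_NOROLE"),
    }


if __name__ == "__main__":
    users = build_sample_users()
    for name, u in users.items():
        print(name, "edit VR:", authority_check(u, "P_PYT_CFG", activity="Edit", category="VR"),
              "edit AN:", authority_check(u, "P_PYT_CFG", activity="Edit", category="AN"))
    print("Hold P_PYT_CFG:", users_with_object(list(users.values()), "P_PYT_CFG"))
```

Note that users_with_object lists Z10_INCOMPLETE even though its authorization can never pass a check, which is why the lesson has you test the role under the test user rather than rely on the SUIM listing alone.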

Check the Necessary Authorization for the Generate Provider Sources Report

Business Example

In Unit 3, Introduction to SAP Best Practices, we discussed report PYC_GENERATE_PROVIDER. You, as PCC consultant, have already ensured that all Best Practice PCC objects and configurations have been successfully imported. Then, you need to display and generate the code containing the variable, constant, and other values for object preview in Manage Configuration App in the customer's system. You can do this by running the report PYC_GENERATE_PROVIDER. However, before running the report, it's necessary to ensure the user has full authorization for object P_PYT_CFG assigned to their role via transaction PFCG.

Steps

  1. Ensure that your user HRH65-## is authorized to run the report PYC_GENERATE_PROVIDER using the transaction SUIM.

    1. Call transaction SUIM.

    2. Expand the folder User.

    3. Expand the folder Users by Complex Selection Criteria.

    4. Choose By Authorizations.

    5. Enter P_PYT_CFG Authorization for Configuration Application in the Authorization Object field.

    6. Choose Execute.

    7. Choose Binoculars (Find) on the top toolbar.

    8. Enter your user ID HRH65-## in the Search Term field.

    9. Choose OK and then Close in the lower right corner of the Find pop-up window.

  2. Does the user Z##_USER we created in Exercise 23 have such authorization?

    Repeat steps 1.7-1.9 for user Z##_USER, which we created in Exercise 22.

    You can now be confident that user HRH65-## is authorized to execute the PYC_GENERATE_PROVIDER report, while user Z##_USER is not.

    The following exercise will demonstrate the method for manually adding the object P_PYT_CFG with full authorization to a role.

Manually Add the P_PYT_CFG Authorization Object into the Role

Business Example

The PCC consultant needs to run the report PYC_GENERATE_PROVIDER, but currently their user lacks the necessary authorization. As the security administrator, you need to add the necessary authorization object to the PCC consultant role.

Steps

  1. Create user Z##_REPORT

    1. Call transaction SU01 User maintenance.

    2. Enter username Z##_REPORT in the field User.

    3. Choose Create icon in the upper left corner of the screen User maintenance: Initial screen.

    4. Enter Z##_REPORT in the mandatory Last name field.

    5. Choose the Logon Data tab and enter Welcome1 in the New Password field. Then enter Welcome1 one more time in the Repeat Password field.

    6. Choose Training from the User Group drop-down list.

    7. Choose Default tab and define EN as Logon Language.

    8. Save the newly created user.

  2. Create a new role Z##_HRH65_ROLE. Add report PYC_GENERATE_PROVIDER to the new role menu. Add authorization P_PYT_CFG object to the new role authorization profile.

    1. Call transaction PFCG.

    2. Enter Z##_HRH65_ROLE in the role name field.

    3. Choose Create Single Role button to the right of the role name field.

    4. Enter Z## HRH65 Role for report PYC_GENERATE_PROVIDER as Role Description. Save the newly created role.

    5. Choose Menu tab.

    6. Choose Insert Node option in the lower right corner of the button Transaction.

    7. Choose Report and enter PYC_GENERATE_PROVIDER in the Report field. Choose Enter (green checkmark) in the lower right corner of Transaction code for reports window.

    8. Choose Local Object button at the bottom of the popup Create Object Directory Entry window.

    9. Choose the Authorization tab and then choose the Pen (Change authorization data) icon.

    10. Choose Manually button at the top of the Change Role: Authorizations screen toolbar.

    11. Enter P_PYT_CFG in the Authorization Object field and choose green checkmark (Continue/Enter) in the lower right corner of the Manual selection for Authorizations window.

    12. Switch on display of technical names by choosing Utilities → Technical Name On.

    13. To expand Human Resources authorization object class, select the plus icon next to the name of the authorization class.

    14. To expand authorization object PCC: Authorization for Configuration Application, select the plus icon next to the name of the authorization object.

    15. Choose the Pen (Change) icon next to the Authorization Activity in PCC authorization field. Select the Display and Edit activities and save your configuration by clicking the floppy disk icon in the lower right corner of the Define values screen.

    16. Choose Pen (Change) icon next to the PCC: Configuration Type Category authorization field. Select AN Analytics – Task list, DN Analytics Designer, KP KPI and VR Validation Rule – Task list from the drop-down list and save your configuration.

    17. Generate the authorization profile of the newly created role. Choose Execute (green checkmark) in the lower right corner of the Assign Profile Name to the Generated Authorization Profile popup window.

    18. Choose Back to return to the Change Role screen.

  3. Assign user Z##_REPORT to the role Z##_HRH65_ROLE. Perform user comparison.

    1. Choose User tab and enter Z##_REPORT in the user field.

    2. After pressing Enter, the system will prompt you to assign the user to a role starting from today's date.

    3. Choose Save button.

    4. Choose User Comparison button.

  4. Log in to the system with user Z##_REPORT and test the authorization.

    1. Log in to the system with the newly created user Z##_REPORT.

    2. Change the initial password.

    3. Choose report PYC_GENERATE_PROVIDER from the User Menu for Z##_REPORT

    4. Enter the prefix SBP* for KPI ID, Validation Rule ID, and Analytic Designer ID.

    5. Run report.

Add the authorization for Analytics in Manage Configuration

Business Example

The customer requests authorization to maintain Analytics in Manage Configuration for the business user. As a Security Administrator, you need to set up authorization for the Manage Configuration user to display and edit the Analytics in Manage Configuration.

Steps

  1. Add to the role menu Z##_HRH65_ROLE links to Manage Configuration and Analytics Applications.

    1. Call transaction PFCG Role Maintenance.

    2. Enter Z##_HRH65_ROLE in the role name field and choose Pen (Change) icon next to the role name. Change role description.

    3. Choose Menu tab.

    4. Choose Insert Node button on the transaction toolbar.

    5. Choose Other → Web address or file.

    6. Enter the following in the Add a WEB address or file path pop-up window:

      • Text: Analytics.
      • WEB address or file: /sap/bc/ui5_ui5/sap/hrpy_pcc_can_v1/index.html.

      Then choose green checkmark (Apply / Enter) in the lower right corner of the window.

      Note

      To get the service link, call transaction SICF in a parallel session:

      • Enter prefix HRPY* in the Service name field.
      • Execute transaction.
      • Close folder BSP.
      • Choose under the node UI5_UI5 service hrpy_pcc_can_v1 PCC Configuration Analytics.
      • Right click on the service hrpy_pcc_can_v1 PCC and choose Test Service from the drop-down list.

      Copy the part of the link /sap/bc/ui5_ui5/sap/hrpy_pcc_can_v1/index.html to the clipboard and paste it into the WEB address or file field of the Add a WEB address or file path pop-up window in transaction PFCG.

    7. Choose Insert Node button on the transaction toolbar.

      • Choose Other → Web address or file.
      • Enter the following in the Add a WEB address or file path pop-up window:
        • Text: Manage Configuration.
        • WEB address or file: /sap/bc/ui5_ui5/sap/hrpy_pcc_ctl_v1/index.html.
        • Then choose Apply / Enter green checkmark in the lower right corner of the window.

          Note

          In the transaction SICF under UI5_UI5 service from the parallel session:

          • Choose hrpy_pcc_ctl_v1 Payroll Control Center - Tasklist Configuration.
          • Right click on the service hrpy_pcc_ctl_v1 and choose Test Service from the drop-down list.
          • Copy the part of the link /sap/bc/ui5_ui5/sap/hrpy_pcc_ctl_v1/index.html to the clipboard.
  2. Add the Hash value for HT TADIR service as IWSG SAP Gateway Service Group Metadata and IWSV SAP Gateway Service Group types for Manage Configuration and Analytics Applications.

    1. Choose Create folder (second icon in the upper left corner of the transaction toolbar).

      Enter Services in the Folder name field.

    2. Choose Insert Node option in the lower right corner of the button Transaction.

      • Choose Authorization Default from the list.
      • Choose HT TADIR Service from the Authorization Default drop down list.
      • Choose IWSG SAP Gateway Service Group Metadata.
      • Enter prefix PYC* in the first row of the table TADIR Service.
      • Choose PYC_CFG_ANALYTICS_SRV_0001 from the drop-down list.
      • Choose green checkmark (Copy) in the lower right corner of the Service window.
    3. Choose Insert Node option in the lower right corner of the button Transaction.

      • Choose Authorization Default from the list.
      • Choose HT TADIR Service from the Authorization Default drop down list.
      • Choose IWSV SAP Gateway Service Group
      • Enter prefix PYC* in the first row of the table TADIR Service.
      • Choose PYC_CFG_ANALYTICS_SRV_0001 from the drop-down list.
      • Choose green checkmark (Copy) in the lower right corner of the Service window.
    4. Choose Insert Node option in the lower right corner of the button Transaction.

      • Choose Authorization Default from the list.
      • Choose HT TADIR Service from the Authorization Default drop down list.
      • Enter prefix PYC* in the first row of the table TADIR Service.
      • Choose IWSG SAP Gateway Service Group Metadata.
      • Choose PYC_CFG_SRV_0001 from the drop-down list.
      • Choose green checkmark (Copy) in the lower right corner of the Service window.
    5. Choose Insert Node option in the lower right corner of the button Transaction.

      • Choose Authorization Default from the list.
      • Choose HT TADIR Service from the Authorization Default drop down list.
      • Choose IWSV SAP Gateway Service Group.
      • Enter prefix PYC* in the first row of the table TADIR Service.
      • Choose PYC_CFG_SRV_0001 from the drop-down list.
      • Choose green checkmark (Copy) in the lower right corner of the Service window.
    6. Drag and drop all 4 newly added services into the folder Services.

  3. Add transaction SU53 and /IWFND/ERROR_LOG for troubleshooting authorization issues.

    1. Choose Create folder (second icon in the upper left corner of the transaction toolbar)

      Enter Authorization Troubleshooting tools in the Folder name field.

    2. Choose Insert Node button on the transaction toolbar.
      • Choose Transaction from the list.
      • Enter SU53.
      • Then choose green checkmark (Apply / Enter) in the lower right corner of the window.
    3. Choose Insert Node button on the transaction toolbar.
      • Choose Transaction from the list.
      • Enter /IWFND/ERROR_LOG
      • Then choose green checkmark (Apply / Enter) in the lower right corner of the window
    4. Drag and drop both transactions into the folder Authorization Troubleshooting tools.
    5. Save your configuration.
  4. Configure the authorization profile.

    • Choose the Authorization tab and then choose the Pen (Change authorization data) icon.
    • Switch on display of technical names by choosing Utilities → Technical Name On.
    • To expand Basis: Administration authorization object class, select the plus icon next to the name of the authorization class.
    • To expand Table Access by Generic Standard Tools authorization object, select the plus icon next to the name of the authorization.
    • Choose the Pen (Change) icon next to the Activity authorization field. Select Change and Display and save your configuration by clicking the floppy disk icon in the lower right corner of the Define values screen.
    • To expand Human Resources authorization object class, select the plus icon next to the name of the authorization object class.
    • To expand PCC: Authorization for Configuration Application select the plus icon next to the name of the authorization object.
    • Check, via the Pen (Change) icon next to the PCC: Configuration Type Category authorization field, that AN Analytics – Task list is already selected.
    • Generate the authorization profile of the newly created role. Choose Execute (green checkmark) in the lower right corner of the Assign Profile Name to the Generated Authorization Profile popup window.
    • Choose Back to return to the Change Role screen.
  5. Perform user comparison.

    Choose User Comparison button and save the role.

  6. Log in to the system with user Z##_REPORT and test the authorization.
