Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Structural authorization - creation of employee number

Former Member
0 Kudos

Hello Experts,

We are facing an issue with strutural authorization in creation of employee number,

I have tested without assigning stuctural authorization and it process the hiring action and generates the employee number

(Hiring action is carried through the adobe form which inturn calls the ABAP Function module),

for the same user if i assign Strctural profile with Function module RH_GET_MANAGER_ASSIGNMENT ( User is assigned to an employee who is Chief ) the hiring action which has to happen through adobe form is not happening and when we check in the program it is throwing an error as Failed strutural authorizations.

I checked whether the employee which has to generate lies within the organization unit of the manager ( who is chief) and it does lies with in the same org unit.

can you please help me in analysing why the employee is not getting gereating though the user is having proper HR authorizations and Strutural authorization assigned.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Shashidhar,

Run the rport RHUSERRELATIONS. You will get info on:

This includes structural authorization profiles and the HR Basis authorization profiles that are assigned to the user directly (using role maintenance) or indirectly (using Organizational Management).

the complete list of authorization main switches and the specified values (in the selection screen using the function bar)

all persons assigned to the user in the Communication infotype (0105) (in the selection screen using the function bar)

the organizational units that the user is related to

the structural authorization profiles

the useru2019s role assignments and standard profiles

the authorizations on the basis of HR authorization objects (in Personnel Administration/Personnel Planning u2013 multiple selection is possible here)

In addition, you can execute the report directly or in the background.

2. Check whether PERNR / structural auth profile switch is on?

3. Create a pernonnel number using PA40

4.Assign the personnel number to communication infotype (0105) using PA30

Thanks,

Sri

11 REPLIES 11

Former Member
0 Kudos

Hi ,

1.Check if your switches are on for structural authorization , look at help.sap.com or SAP PDF HR940..... on how to put the switch on

2.check if the Sysem userid is assigned/mapped to the employee number.

3.use OOSB transacation where you have defined the structural authroization profile and and display object to see if the sturcure is correct.

if the steps are followed correctly and display objects (OOSB) works fine everything should be alirght

by the way check using PA40 to see if the userid is mapped to the correct employee number.

Hope this helps you move forward

Former Member
0 Kudos

Shashidhar,

Run the rport RHUSERRELATIONS. You will get info on:

This includes structural authorization profiles and the HR Basis authorization profiles that are assigned to the user directly (using role maintenance) or indirectly (using Organizational Management).

the complete list of authorization main switches and the specified values (in the selection screen using the function bar)

all persons assigned to the user in the Communication infotype (0105) (in the selection screen using the function bar)

the organizational units that the user is related to

the structural authorization profiles

the useru2019s role assignments and standard profiles

the authorizations on the basis of HR authorization objects (in Personnel Administration/Personnel Planning u2013 multiple selection is possible here)

In addition, you can execute the report directly or in the background.

2. Check whether PERNR / structural auth profile switch is on?

3. Create a pernonnel number using PA40

4.Assign the personnel number to communication infotype (0105) using PA30

Thanks,

Sri

0 Kudos

Hi Sri,

Thanks a lot for the program RHUSERRELATIONS which is very useful and i came to know about the new tcode HRAUTH as wel.

1. The user ID is assigned to employee number in 105 Infotpe and 0001 subtype.

2. The authorization switch for Strutural authorization and Pernr both are active.

we are using position based structural authorization, so i have assigned the Strutural profile to Position and ran the Program RHPROFL0 which makes an entry in OOSB.

I tried logging in to the user for which i am facing the issue and tried to hire an employee in PA40 and the employee got created successfully with Structural authorization assigned.

we are facing the issue only through the program , the same user when tried to hire the employee through the adobe form it throws the error Structural authorization unsuccessful.

so Please suggest whether any Badi has to be used for the same.

0 Kudos

Hi,

we are facing the issue only through the program , the same user when tried to hire the employee through the adobe form it throws the error Structural authorization unsuccessful.

What error r you getting?

so Please suggest whether any Badi has to be used for the same.

You can implement a customer-specific test procedure for general and structural authorization checks using

a Business Add-In (BADI). The BADI for the structural authorization check is called HRBAS00_STRUAUTH. But NOT SURE whether it works in your case.

Thanks,

Sri

0 Kudos

Hi,

Please check that you Workflow Batch user (most likely WF-BATCH) has correct authorisations (SAP_ALL

Regards,

Saku

0 Kudos

Actually, since a few months the configuration prevents the user from having SAP_ALL, so that is certainly a wrong solution and answer by you.

0 Kudos

Well I learned something new today then (that is has been prevented by SAP). And at the end was the sarcasm bit... I forgot this was security forum which mean we need to be serious...

0 Kudos

>

> I tried logging in to the user for which i am facing the issue and tried to hire an employee in PA40 and the employee got created successfully with Structural authorization assigned.

>

> we are facing the issue only through the program , the same user when tried to hire the employee through the adobe form it throws the error Structural authorization unsuccessful.

.

You're almost there, have your developers run a debug on the adobe form and try to run some security traces, you might pickup some additional errors.

0 Kudos

Hi Experts

We are facing the same problem!

No problems when hiring an employee using transaction PA40 (and structural authorizations)

When we do this with the program we get error messages in structural aurthorizations.

The program uses call transaction PA40 for infotype 0000 and 0001

After theat we create the relationship between PA and OM (the call transaction PA40 will not do this.

We thought the problems would be solved after this but no.

The next infotypes are applied with CALL TRANSACTION PA30

When we excecute SU53 after the error, we get the message about problems in ths strucutral authorizations. The strating date of the object is hown as 01.01.1800

We did debug but not find the clue yet.

Hope you did allready find a solution and that you can share it with us.

Kind regards,

Rita

Former Member
0 Kudos

Hi Shashi,

Troubleshooting structural authorization issues is always a challenge.

SAP provides the RHAUTH01 report to give a list of the objects for a user. It doesn't tell us what objects are missing. Once you assign a structural authorization to an user, each different object type accessed, needs to be specifically maintained in the PD profile. To check this, investigate what all PD relationships your hiring action is modifying. You would need all these objects in your pd profile and also in PLOG in the user's roles.

what is the evaluation path you are using in your structural profile? The functional module RH_GET_MANAGER_ASSIGNMENT only gives a dynamic start object. You would need access to at least P, O and S objects in your pd profile if not more. You would also probably need to add access to the user's own pernr in the pd profile.

Can you run hiring action through PA40? This might help in identifying the infotype screen where you get the authorization error. Hope this gives you some pointers to the final solution.

Regards,

Aninda

Former Member
0 Kudos

Hi.

After 2½ days of frustration I finally nailed this.

Function group RHAC, that handles the authority checks, initially buffers a table called VIEW containing all objects available for the user. As stated earlier in this conversation, SAP handles creation of relations in HRP1001 (links PA and OM). At this point the new employee number is appended to buffered table VIEW in function group RHAC.

When execution the PA40 activity through CALL TRANSACTION, the creation of the relations are not handled - and the same goes for updating the buffered table VIEW. The table can be updated using the function module RH_VIEW_ENTRY_INSERT from the same fundtion group:

This example might be useful


  data: ls_view_entry type hrview,
        ls_related_object type hrobject.

  ls_view_entry-plvar = '01'.
  ls_view_entry-otype = 'P'.
  ls_view_entry-objid = lv_pernr.
  ls_view_entry-begda = '18000101'.
  ls_view_entry-endda = '99991231'.
  ls_view_entry-maint = 'X'.

  ls_related_object-plvar = '01'.
  ls_related_object-otype = 'S'.
  ls_related_object-objid = lv_ny_objid.

  call function 'RH_VIEW_ENTRY_INSERT'
    exporting
      view_entry     = ls_view_entry
      related_object = ls_related_object.

Best regards

Poul Steen Hansen

Senior Technical Consultant

EDB Consulting Group A/S, Denmark