Solved: Structure Authorization Issue

Former Member · ‎10-06-2010

Hi guys,

I don't have structure authorization implemented or HR system implemented. I was playing with my sandbox system to learn structure authorization by using step by step tutorial. After I created a structure authorization for two users I deleted everything related to structure authorization but unfortunately, some t-codes related to org chart for example PPOME, PPOMW are not working properly, its not allowing to create new org char.

We have another team needs to create some org chart for prototyping but they can't create org chart its giving no authorization error when I ran SU53 it's not giving regular auth error its also give failed HR structure authorization error, this is the error in su53 coming (Date 10/01/2010 and time Plan version 01 Object ID 5000075 Action LISD) there are so many different object ID on the list.

They all already have SAP_ALL in the system. Can anybody give some kind of report so I remove structure authorization completely from the system.

Please help

Thanks

Former Member · ‎10-07-2010

Hi Faisal,

You may have deleted bit too much:

In OOSP (T77PR) check that you have profile ALL:

ALL | 0 | ** | * | | X | | | | | |

In OOSB (T77UA) check that you have assignment:

SAP* | ALL

You can also switch structural authorisation check off in OOAC (T77S0):

AUTSW | ORGPD | 0

That should help and restore access to the other team.

Regards,

Saku

sdipanjan · ‎10-06-2010

Hi,

It seems you are working on HR Security for first time. So, before you start Structural Authorization let me put a pre-requisites for the same:

To understand the Structural Authorization concept and the reason behind for developing such security model you need to have a basci overview of [HR Organizational Management|http://help.sap.com/saphelp_rc10/helpdata/en/bb/bdaff3575911d189240000e8323d3a/frameset.htm] in SAP. Please note that the main concept of HR has not been changed too much from SAP 4.7 EE version. So you need not to look for latest ehp4 version.

I am not discussing about the details of OM.... before you start Structural Authorization you should have a clear understanding of the objects like O, S, P etc.... their inter-relation and dependencies.

After you are through with basics of OM you can easily understand the model of an Organization by using Org. Management which is called Organizational Plan. This is the graphical view of your Organization from the Top most position (CEO or MD etc.) to the most native or granular lowest level of employees existing in your organization with the relationship in-between the connecting layers. For details on OM and setting up Org. Plan you can have a look into [Organizational Management Integration|https://websmp201.sap-ag.de/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700007865042002E].

Note: If you are following the new generation SAP business by design which has came from SAP as an On Demand Solution in the On Demand market place then you can check the [New generation OM set up|https://websmp201.sap-ag.de/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700000813262010E].

We will have the discussion on HR structural Auth in the next post (better to keep in separate from this introductory part and good for character limitations).

Regards,

Dipanjan

sdipanjan · ‎10-06-2010

Now lets start with some overview of Structural Authorization.

Before we move into some depth of this, you need to have a basic concept which may be misleading from the presence of word Authorization in this phrase "Structural Authorization". The word Authorization in SAP comes with an primitive idea that reveals the phenomena as "The Permission or privileged to perform some Transactional (or may be reporting) action". But for Structural Auth. this is different as there is not concept of granting access to any action in a HR specific Transactional activity.

After you get the idea of OM in SAP HR you can understand the reason why I have said in such a way. It's like you are in a Spider Net. Where each crossing or section represents one object (like person, position or org. unit etc.) and Structural Authorization determines how much you can move surround to your node. So the actions still need to be determined by the concept of Authorization Objects (HR related Authorization Objects starts with P. Do a search in SU21 and/or go through the [HR Auth Object documentations|http://help.sap.com/saphelp_erp60_sp/helpdata/en/5c/73ba3bd14a6a6ae10000000a114084/content.htm]).

Now what we understood from the above discussion is that the Structural Authorization is not an Independently existing creature but it supplements the [General Authorization Check in HR|http://help.sap.com/saphelp_erp60_sp/helpdata/en/83/72ba3bd14a6a6ae10000000a114084/content.htm].

In the next section lets discuss about the procedure to set up Structural Authorization for HR Security.

regards,

Dipanjan

Former Member · ‎10-07-2010

Hi Faisal,

You may have deleted bit too much:

In OOSP (T77PR) check that you have profile ALL:

ALL | 0 | ** | * | | X | | | | | |

In OOSB (T77UA) check that you have assignment:

SAP* | ALL

You can also switch structural authorisation check off in OOAC (T77S0):

AUTSW | ORGPD | 0

That should help and restore access to the other team.

Regards,

Saku

Former Member · ‎10-07-2010

SAQ thank you so much for your reply, I think you are on the right track. Yes I deleted OOSP (T77PR) check that you have profile ALL. Actually I deleted all the entries or everything from this transaction. Please advise how I can fix this issue. I was doing lot of things and I resolved above issue to execute (PPOCE) it was giving this message u201Cerror creating nee org unitu201D but Once I deleted the SAP* entry from the (OOSB) transaction and it corrected this issue but I have another issue with two errors on su53; (Failed HR Structure authorizations) and (u201CHR Trace: checks when creatingu201D) whenever any user execute (PPOCE) it was giving u201CAction cancelledu201D error and close the page.

Unfortunately none of the user in sandbox can create org units using (PPOCE) even though they all have SAP_ALL.

Please let me know what steps I should take to resolve this issue with creating org units and OM. Please tell me how I can restore OOSP entries. There were more then 10 entries I deleted included SAP_ALL.

Also I turned the PD switch off OOAC (T77S0)

AUTSW | ORGPD | 0

Thanks again

Faisal

Former Member · ‎10-07-2010

Hey Fellows

I still canu2019t resolve this issue: is there anyway I can back it up all the structure authorizations that I created because I donu2019t want this structure authorization stay inside of the system for noting. I tried my best to remove everything related to structure authorization setting.

1) I went into u201COOACu201D and turn the PERNR switch off

AUTSW PERNR 0

2) I went into u201COOPSu201D to turn off the structure authorization

PLOGI u2013 ORGA is 0

3) I went into u201COOSPu201D and remove all the structure profile and I also deleted all other profiles which was listed there.

4) I also went into u201CPO13u201D (position), and Infotype 1017 for all relevant nodes on the Organizational Plan. In this case all Positions (Tcode PO13), but Iu2019m not sure how am I going to delete position since itu2019s not showing any org unit and positions that I created in 1st place.

5) I also ran the report u201CRHPROFL0u201D to assign or try to remove profiles to all user IDu2019s, but Iu2019m not if I can remove profile from the user IDu201Ds, and how.

Here are some errors we are getting when anybody tries to execute following transactions.

PPOCE:: Now executed but whenever we try to create or hit create icon and select u201C new organization unit it gives this error u201DAction Cancelledu201D and page close down, the SU53 says this:

Failed HR Structure Authorizations

Date 10/07/2010 12:51:45 Plan Version 01 Obj. Type O Object ID 50000374 Action DISP

Date 10/07/2010 12:51:46 Plan Version 01 Obj. Type O Object ID 50000378 Action AEND

Date 10/07/2010 12:53:30 Plan Version 01 Obj. Type O Object ID 50000379 Action AEND

Date 10/07/2010 12:53:30 Plan Version 01 Obj. Type O Object ID 50000378 Action INSE

HR Trace: Checks when Creating

Date 10/07/2010 12:53:30 Plan Version 01 Obj. Type O Relation A002 Obj. Type O

PPOC_OLD: Itu2019s giving the u201CNo authorization u201C error. The SU53 says this:

Failed HR Structure Authorizations

Date 10/07/2010 13:03:15 Plan Version 01 Obj. Type O Object ID 00000000 Action INSE

I just donu2019t want to keep my structure authorization. I want to remove all the structure authorizations so other transactions works fine.

Please help

Thanks again

Faisal

Former Member · ‎10-07-2010

Hi Faisal

Sounds like you are having a nightmare.

Anybody

Would it be any good just asking for the sandbox to be deleted and re-created? Presuming this isn't the source Dev client?

Sorry if this is a stupid suggestion (I have no BASIS knowledge)

Cheers

David

Former Member · ‎10-07-2010

Thanks for cheering me up David,

I think this would be my last option but I want to try my best to resolve this issue. It's also good to troubleshoot something I implemented my own. They won't refresh it sandbox now since whole team is Prototyping in there

I'll see if any other experts give me better instruction to resolve it

Thanks anyway

Faisal

sdipanjan · ‎10-07-2010

> I still canu2019t resolve this issue: is there anyway I can back it up all the structure authorizations that I created because I donu2019t want this structure authorization stay inside of the system for noting. I tried my best to remove everything related to structure authorization setting.

>

> 1) I went into u201COOACu201D and turn the PERNR switch off

> AUTSW PERNR 0

>

You need to Turn off the ORGIN switch.

> 2) I went into u201COOPSu201D to turn off the structure authorization

> PLOGI u2013 ORGA is 0

>

Structural Authorization will be switched Off by setting value of ORGPD to 0 in OOAC. PLOGI u2013 ORGA = 0 in OOPS is to set the PD-PA switch Off.

> 3) I went into u201COOSPu201D and remove all the structure profile and I also deleted all other profiles which was listed there.

>

Not required.

> 4) I also went into u201CPO13u201D (position), and Infotype 1017 for all relevant nodes on the Organizational Plan. In this case all Positions (Tcode PO13), but Iu2019m not sure how am I going to delete position since itu2019s not showing any org unit and positions that I created in 1st place.

>

> 5) I also ran the report u201CRHPROFL0u201D to assign or try to remove profiles to all user IDu2019s, but Iu2019m not if I can remove profile from the user IDu201Ds, and how.

>

> Here are some errors we are getting when anybody tries to execute following transactions.

>

> PPOCE:: Now executed but whenever we try to create or hit create icon and select u201C new organization unit it gives this error u201DAction Cancelledu201D and page close down, the SU53 says this:

>

Delete the Org. Plant in PPOCE.

regards,

Dipanjan

Former Member · ‎10-07-2010

Thank you so much guys.

I resolved the issue without deleting the org unit. There was lot of org units have been created and ass org units were disappeared thatu2019s why I canu2019t even see it, but once this thing resolved all the org units came backu2026Wow

I created SAP* with all profile and it has resolved the issue.

Thanks guys

Faisal

sdipanjan · ‎10-07-2010

Structural Authorization Check

Structural authorizations are used to grant access to view information for personnel where HR OM has been implemented as we stated. The Access is granted to a user implicitly by the useru2019s position on the organizational plan.

On top of the general authorization check, which is based on authorization objects, you can define additional authorizations by hierarchical structures.

In each area, the combination of start object and [Evaluation Path|http://help.sap.com/saphelp_erp60_sp/helpdata/en/35/26c256afab52b9e10000009b38f974/content.htm] from an existing structure returns a specific number of objects. This exact combination, in other words the number of objects returned by this combination, represents a useru2019s [Structural profile|http://help.sap.com/saphelp_erp60_sp/helpdata/en/0c/49ba3b3bf00152e10000000a114084/content.htm]. So structural authorization check is therefore based on a Dynamic concept: The concrete objects that are returned by a structural profile change as the structure (under the start object) changes.

Steps to Perform to Set Up Structural Authorization Check in brief:

(Before start moving for str. auth profile it is assumed that the Switch AUTSW for HR General Authorization check is also activated in table T77S0. Structural Authorization won't give the access for accessing HR data as described in the last posts and works together with General Authorization - to remind you)

1. Integration: Control parameters for the integration of Personnel Planning and Development (PD) with other applications (such as Personnel Administration (PA) and Cost Accounting (CO), etc.) are specified in the "PLOGI" group.

2. Turn on PD PA switch: TCode used is OOPS. Ensure value registered for PLOGI u2013 ORGA is X. No other values need to be checked or changed.

(Note: PD and PA sub modules of HR are not configured to share data by default in the SAP delivered system. This switch must be on for data to flow between both modules.)

3. Turn on Structural Authorizations Main Switches : TCode is OOAC. Value for ORGPD is set to 1.

4. Create Org. Plan (check the first post).

(Note: Do not create your Organizational Plan without this switch on. If you do, structural authorizations will not work and some org and infotype setup will not work. You cannot turn the switch on and get structural authorizations on an organizational plan, that was created while it was off, to work..)

5. Create Personnel Master Record: Tcode is PA40. This is time consuming staff.

6. Create record for Infotype 0105 - TCode is PA30.

7. Create Structural Authorization Profiles u2013 TCode = OOSP

8. Create entry for IT 1017 - TCode is PO10 (Organizational Unit) or PO13 (Position).

9. Assignment of Structural Authorizations: The assignment of the Structural Authorization can be found with good details here in [SAP Help|http://help.sap.com/saphelp_erp60_sp/helpdata/en/97/27973b3ea3eb0fe10000000a114084/frameset.htm].

Please check and let us know for any query.

Regards,

Dipanjan

Former Member · ‎10-07-2010

Dipanjan

I also like to thank you for your effort to write lot of Structure authorizations details. I want to let you know the steps that you mentioned I followed when I created the structure authorizations. Iu2019m not that naive in HR because I have learned and implemented whole TVM security implementation and use all part of HR authorization except structure authorizations.

Thanks again

Fasial.

Former Member · ‎10-07-2010

Hello Faisal,

The Practical solution of this issue is to check if structural authorization switch is off in OOAC (T77S0)

Then check for the User for which you are getting SU53 is assigned to any structural or not check entry in T77UA table ,if you get the user id in that table please remove user from any position (If assigned ) and run RHPROFL0 .

For Position Assignment you can use Tcode PO13 .

Thanks

Dheeraj