Difference between Indirect and Structural Authorization

Former Member
0 Kudos

Hi,

Can someone enlighten me on the difference between Indirect and Structural Authorization (if possible, with an example)?

Thanks In Advance.

Regards,

Sriram

3 REPLIES 3

Former Member
0 Kudos

Hi,

Firstly, this question should go to SAP Security forums.

Indirect role assignments are roles that are assigned to positions, whereas a structural authorization is where specific authorization values are assigned directly to the organizational positions.

The indirect assignment is done from the PFCG transaction code. Click the User tab, use the GOTO button, and you should have the "Organizational Management" option. However, transaction OOSB needs to be executed to assign a user for a structural authorization.

Hope this helps!!

Regards,

Raghu

Former Member
0 Kudos

Hi Sriram,

SAP HCM Security can be implemented by adopting one of the following methods:

1. Direct role assignment (User based): Roles and profiles directly assigned to User Master Records via SU01/PFCG

2. Indirect role assignment (Position based):

This is the concept of using the SAP HCM module to help security administrators control access. It can be used for both HR and non-HR modules. Roles or authorization profiles (standard and PD/structural) are attached to positions or other objects in the organization structure. The person who holds the position will inherit the access provided by the profiles or roles (assigned to position via OM IT1001). Here there is no need to communicate with Security Administrators on people movements within the organization. PD Profiles/Structural Authorizations (assigned to position via OM IT1017) only apply to HR security.

3. Structural Authorizations:

In addition to the standard authorization, the R/3 system enables further restriction by confining the users to perform their tasks within specific organizational layers.

Structural Authorizations restrict the visibility, and hence the activities enabled by the general authorizations, to specific organizational levels in the HR organizational tree. To enable the restrictions, profiles specific to the PD area of the HR module, popularly known as PD Profiles, are used.

Example:

SCENARIO 1:

A company hires people throughout the United States. Each district manages its own operations.

Each district decides whether new positions are created, changed, or discontinued.

As such, each district must have the ability to create and change positions in the R/3 system.

However, a district is not to have access to create or change positions for another district.

In this case, the standard authorization object PLOG is not sufficient to provide the desired restrictions since you may only restrict by granting access to all positions or no positions.

Structural authorizations may be implemented in addition to the standard authorizations to determine which particular positions are accessible.

SCENARIO 2:

Managers at a company have the authority to approve time for people that report to them.

As such, each manager must have the ability to approve time in the R/3 system.

However, a manager is not to have access to approve time for people that do not report to them.

In this case, the standard authorization object P_ORGIN is not sufficient to provide the desired restrictions without an exorbitant number of roles. Structural authorizations may be implemented in addition to the standard authorizations to determine which particular employee records are accessible.

I have a few documents dealing with this subject in a more detailed manner; do let me know if you would need them as well. As far as your question posted in the blog is concerned, I hope the above information is helpful.

Cheers!

Sandipan
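
A conceptual model of Scenario 1 combined with indirect (position-based) assignment, added here as an example and not part of the original posts or any SAP code. The general role answers "which object types and activities", the structural profile answers "which part of the org tree", and both hang on the position rather than the user. All object IDs, user names and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed org structure: parent object -> child objects.
# "O" = organizational unit (district), "S" = position.
ORG_TREE = {
    "O:USA": ["O:EAST", "O:WEST"],
    "O:EAST": ["S:EAST_MGR", "S:EAST_CLERK"],
    "O:WEST": ["S:WEST_MGR", "S:WEST_CLERK"],
}

@dataclass(frozen=True)
class Role:
    """General authorization: allowed object types and activities."""
    object_types: frozenset
    activities: frozenset

@dataclass(frozen=True)
class StructuralProfile:
    """Structural restriction: a root object whose subtree is visible."""
    root: str

def subtree(root):
    """Return root plus every object below it in ORG_TREE."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(ORG_TREE.get(node, []))
    return seen

# Indirect assignment: role and profile are attached to the position.
MAINTAIN_POSITIONS = Role(frozenset({"S"}), frozenset({"create", "change"}))
POSITION_ACCESS = {
    "S:EAST_MGR": (MAINTAIN_POSITIONS, StructuralProfile("O:EAST")),
    "S:WEST_MGR": (MAINTAIN_POSITIONS, StructuralProfile("O:WEST")),
}
HOLDER = {"alice": "S:EAST_MGR", "bob": "S:WEST_MGR"}  # user -> position held

def is_allowed(user, activity, target, holder=HOLDER):
    """Allow only if the general AND the structural check both pass."""
    access = POSITION_ACCESS.get(holder.get(user))
    if access is None:
        return False  # no position, or nothing assigned to it: default deny
    role, profile = access
    type_ok = target.split(":")[0] in role.object_types
    general_ok = type_ok and activity in role.activities
    return general_ok and target in subtree(profile.root)
```

Passing a different `holder` mapping simulates a person moving to another position: the access follows the position without any change to the user's own record.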

0 Kudos

Hello all.

Regarding the comment for the Indirect role:

2. Indirect role assignment (Position based):

This is the concept of using the SAP HCM module to help security administrators control access. It can be used for both HR and non-HR modules. Roles or authorization profiles (standard and PD/structural) are attached to positions or other objects in the organization structure. The person who holds the position will inherit the access provided by the profiles or roles (assigned to position via OM IT1001). Here there is no need to communicate with Security Administrators on people movements within the organization. PD Profiles/Structural Authorizations (assigned to position via OM IT1017) only apply to HR security.

  • Is it possible to map a position to a role from another, non-HR system (a role not allocated in the HR system)?
  • If so, should I import the roles from the other SAP system into the HR system?
  • How does HR know which roles are created in the other systems?

Many thanks in advance.

Best regards.