HR Structural Authorizations

Former Member · ‎11-09-2006

Hi All,

My company is ugrading to ECC 6.0 now they are planning to implement structural authorizations. They are currently using ESS and MSS, they are in dilemma whether to implement structural authorizations because of its complexity to maintain.

Iam wondering whether any of you have any experience with structural authorizatons, If so please do share your experience.

Thanks,

Kavitha

morten_nielsen · ‎11-09-2006

Hi

I have been using structural authorization a lot, I, depending on your requirement, I would always recommend using them.

Of course it will expand the complexity of your system, but you'll also gain a lot. e.g. giving managers access to own organizational unit etc.

If you are going for structural authorization i will suggest that you:

1. Creates a profile, "Own_Unit", with use of the function module feature using the function module RH_GET_ORG_ASSIGNMENT. The requirement here is that infotype 0105 0001 is maintained. By doing this you do not have to create a profile for all of your department. (If you have other requirement, you can even create your own functionmodules)

2. Have a look at the SAP* user in OOSB. If no entry for a user is found in OOSB, the user will get the access of SAP, normally that will be full access. A good idea, from a security point of view is therefor - delete the SAP entry, or create a new profile for this user, only containing the none critical issues.

3. At last have a look at the context solution, that is use P_ORGINCON instead of P_ORIGIN etc.

And then of-course please notice that structural authorization are only use on HR object, you can not use them e.g. to control access to cost center report. And on the other hand, when implemented it will impact your entire system, e.g. it will also control which persons you can assign to a maintenance order in PM etc.

Regards

Morten Nielsen

Former Member · ‎11-12-2006

Thanks for your response.

Are you currently using any automated tool or program for maintaining structural authorizations.

morten_nielsen · ‎11-13-2006

Hi

No, currently I only have access to the NetWeaver Sneak Peak .

But for the automatic maintenance of structural authorization you should look at the function module part - RH_GET_MANAGER_ASSIGNMENT and RH_GET_ORG_ASSIGNMENT - using those you can e.g. create a single authorization profile "Own_Unit".

If you have more advanced requirement, you can create your own modules, supporting these – have a look at function group RHGO.

For assigning them, use infotype 1017 (or maybe 1016, I can't remember exactly which one). Using this you assign the profiles to organizational structure. Then you use/schedule the report RHPROFL0 in order to assign the profiles to the users.

Regards

Morten Nielsen

Former Member · ‎11-13-2006

Hi,

Please advise on this issue.

Are there any ways of modifying the level of security from the HR personnel area down to the cost center or department level?

The Plant has various users who are in the same personnel area but in different groups (cost center/dept) that should not see other employees data.

We need to determine if we can modify the level of security?

I greatly appreciate any help in this issue.

Thanks

Kumar

Former Member · ‎10-23-2007

You can try using org keys with combinations of pers.area + cost centers. This will give you ability to control via P_ORGIN or P_ORGINCON if you are using structural authorizations.

Alternatively, you can model your org structure based on your cost center hierarchy, and implement structural auth.