Hi

The PERNR switch is not related to structural authorizations, it's related to the P_PERNR authorization object. This object is used to grant/prohibit access to own HR data based on the link between user-id in employee number in infotype 0105 subtype 0001.

The switch for the structural authorizations is the ORGPD, you need to set this to '1', if you are going to use structural authorizations.

Regards

Morten Nielsen

Hi Raj

I now Norm&Carls Document - it's quite good - but keep in mind it's a couple of years old, (e.g. you should use the new PD Transactions like PPOME or PPOMW instead of the old ones etc..)

Regarding the two roles:

Structural authorization can't "live" alone - they are dealing with "Which" object - Person, Org units, positions etc, where the "regular" authorization are build around getting access to infotypes, transactions, report etc. This means that the user always will require a role granting access to the needed transactions, infotypes etc. The structural profiles are then used to limit/specify for which object this access should be granted.

I'm not entirely sure if this covers your question ? or perhaps, if I remember the document correctly, they suggest that you create a dummy structural profile for all employees, in order to avoid giving full access to users without a structural profile? This isn't necessary.

Structural profiles does not work the same way as ordinary profiles. If a user doesn't have a profile in transaction OOSB, the user will get the access granted to the user SAP* - just delete this entry in order to make sure that everybody without a profile get's full access.

I hope it helped - otherwise feel free to come back again

Regards

Morten Nielsen

Hi Raj

First off all - if you delete the SAP* everybody, without a profile will gain access to your HR objects. If a user isn't in OOSB he will get the access rights of the SAP* user, if SAP* is deleted then he wont have any access.

<i>1.When i created an org.plan the next time i have to get in is in the change mode?</i>

Yes, when it's create use PPOME (Or PPOMW) to maintain ite

<i>2.Can I create multiple org.plans? within the same client?(</i>

From a technical point of view - No Problem. From a business point of view I often find it more suitable only to have one - But that's of course a question of your scenario.

<i>3.Inspite of having SAP_ALL and SAP_NEW i get no authorization when i try to run Transaction ppom_old..i came to know that the object has to be * in the structural profile ALL and i set it to * it worked couple of days ago but i still have the same problem</i>

With a SAP_ALL you shouldn't be facing any authorization issues, not even with you newly created structural authorization (SAP_ALL has P_ABAP * included - this deactivates the structural profiles) try to do a SU53 after calling the transaction - or try to use PPOME instead of PPOM_OLD (it's an outdated transaction)

Regards

Morten Nielsen