Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

What is the best way to assign the structural authorization profile

former_member401700
Explorer

‎07-24-2012 12:35 PM

0 Kudos

Hi Experts,

In our current project we are designing the HR Roles and Authorizations for our client. We are a bit confuse in assigning the structural profile in different ways like at IT-1017 in OM either Position/Org unit level or at user level through OOSB T-Code (T77UA table) to user. Kindly suggest best practice in assigning the same.

Thanks & regards

Shafi Ahammad M.

6 REPLIES 6

Former Member

‎07-24-2012 5:50 PM

0 Kudos

I think good practice is indirect assignment ie assign to the Position/Org unit level. In this way even the new resource comes on board and if you assign the position, automatically the user gets the associated role/profile. If it is direct user assignment, we keep adding for each and every user comes onto the board. So good practice is indirect assignment through Position/Org level units.

former_member401700
Explorer
In response to Former Member

‎07-25-2012 1:08 PM

0 Kudos

Hi Venkata Battula,

Thanks for your response, we have created one structural profile and assigned to position who is managing the org unit, the aim of that structural profile is to access the master data of the employees of that org unit simultaneously we have created the standard R/3 role by defining the infotypes & objects which the position can access (In P_ORGIN, PLOG). Now how to link the structural role and standard R/3 role with out assigning the standard R/3 role at user level, so that if user is replaced by some one other the back-end authorizations/same authorizations will apply to that new user.

Thanks & regards,

Shafi Ahammad M.

Former Member
In response to Former Member

‎07-25-2012 3:13 PM

0 Kudos

Hi Shafi,

I hope it is not possible in that case. You need to create the new user and assign the same profile and we also have the copy option for that.

Hope this understand.

Cheers,

Simbhu

Former Member
In response to Former Member

‎07-25-2012 6:19 PM

0 Kudos

Structural profiles and security profiles are different purpose. Structural profiles are only for Structures access and security roles are for ITs access. Both profiles can be assigned to Position/Org unit.

Here is an example

Ex. An administrator who is supposed to access all employees in own department, role authorization will not help because Org Unit is an Object correct, so you  need to use structural authorization...

Ex. If the same administrator is supposed to access all employees based on Ent.Strucutre/Pers.Stru. criterias, role authorization alone sufficient.

Ex. If the same administrator is supposed to access all employees in his own department but not managerial level, then you need both authorizations i.e. role and structural...

An administrator can be assigned both authorizations to access ITs and Objects...

Authorizations (both)can be assigned directly to the position (which is called Indrect Role Assignment) so that they will be assigned to the User automatically whoever occupies.. we donot need to generate each and everytime the user changes..


former_member401700
Explorer
In response to Former Member

‎07-26-2012 6:45 AM

0 Kudos

HIi Venkata Battula,

In our case the person/position who is managing the org unit only can only see the objects of that org unit & HR data of the persons who occupied the positions under that org unit. He should not able to access the data of other org units. Even in his org unit he is allowed to access some IT's only.

For this what we have done is we have created a structural authorization profile & Authorization profile maintenance through OOSP. Authorization profile maintenance we've maintained at org unit level with evaluation path O-S-P, status vec as 12 and all remaining fields kept as blank. This structural profile is assigned to respective position & org unit through IT-1017. Then we created a standard R/3 role as per the requirement & assigned to the respective position through IT-1001, as we assigned it to position we removed the user ID from the back-end R/3 role. When we are testing the same with the user ID of the validations are not working.

Note: In the other way if we assign the the user to R/3 role and structural profile to user ID through OOSB all validations are working fine as per the requirement.

But our intention is not to assign these roles at user level, why because in future if some other person occupies that position the validations should work automatically with out assigning the same roles to that new user.

Thanks & regards,

Shafi Ahammad M.

Former Member

‎07-25-2012 10:04 PM

0 Kudos

Shafi,

If you want to do indirect provisioning for standard roles and PD profiles, it is quite possible. PD Profiles can be assigned to the position/Org Unit through INFTY 1017.

For your standard roles, you can create a relationship (INFTY 1001) between the position and the role (AG object). Using PP01 or PO13, create a relationship between the role and position using relationship subtype B007. Run the RHPROFL0 report to do the indirect assignment to the user ID of the person attached to that postion. You now have both the roles and PD profiles assigned to your position and indirectly to the user.