Hello Julius,

Thanks for leaving ball in my court.

Yes its new requirement , let me explain clearly.

We have 3 type of users in SAP-HR.

1)HR Admin

2)Time Admin

3)Payroll Admin

here, we restricted the above users based on their PA's(Personnel Area's)

Ex:    P_ORGIN

Authorization level          : * (As per business requirement)

Infotype                             :  (As per business requirement)

Personnel Area               : 1002

Employee Group             : *

Employee Subgroup      : *

Subtype                             : *

Organizational Key          : * ( and this is same as PSA)

Note: Org Key value and PSA value is same in my System.

As of now in my system the above format existed and  for ex: one payroll admin can see other employee details under his Personal Area. I meant to say here org Key = *, so one PSA person can see another PSA person details, to avoid this we can put here PSA name instead of  " * ".

In my organization there is no Structural authorization concept.

Kindly let me know if you are looking more on the same. I really appreciate if any prompt responses. Thanks.

This message was moderated.

Hi Ramesh,

If your requirement is to have authorizations based on the PSA (assuming Personnel Sub Area) then I believe using the org key is indeed the best approach.

As far as your math is concerned (175 PSA's times 6 roles), it would only make sense to create 1050 separate roles if you have 1050 or more HR administrators. If from an organizational point of view certain administrators are always responsible for more than one PSA then I wouldn't bother creating one role for each PSA. You could save yourself a lot of effort by combining those PSA's into the same role.

If you really do have 6 administrators for each PSA then perhaps structural authorizations isn't such a bad idea. If you can come up with a function module that retrieves the persons from the PSA that the user is responsible for (eg if all users belong to the PSA they are responsible for then you can just get all persons belonging to that PSA) then you can get away with having only 6 roles and let the structural authorizations take care of the PSA (and therefore also PA) part. That would save you a lot of time in build, maintenance and provisioning.

Good luck,

Brent

Hi Brent,

Am very thankful to you for putting effort/analysis to solve my issue.

Yes, you are correct but in my case the requirement will change according to my core team, that's the reason am in confusion either if I go for 1050 roles creation , is there any consequences which I need to face at run time or in case of maintenance..

I tried in different formats but am unable to decrease the size of role matrix and am failing while convincing the user in the form of clubbing one or more PSA's into one role.

This is some what complex situation(usually no one can maintain 1050 roles only for single HR module 🙂  which is not best practice)

But any way thanks again, your reply makes me more clarification about this issue.

thanks for your inputs.. Good day

Regards,

Ramesh Badam