Hi Team, this is a question regarding HR security.

Former Member

I have created one role for HR Admin and one structural profile for the same, and assigned both to one HR Admin (test user, who is hired in PA40 and has IT 0105, Subtype 0001 maintained).

Purpose of the role and structural profile: HR Admin should be able to edit, display and change IT 0001, 0002, 0006, 0008 for all emps in the organization which are mentioned in the structural profile (I have mentioned 3 Org Units in the structural profile; for each org unit there is one position, and each position is occupied by one person).

So in total this HR Admin should be able to modify the data for only 3 emps. But in this case the HR Admin is able to modify one more emp's data, who does not come under any org unit mentioned in the structural profile.

And in the role I have given the values below.

P_ORGIN

Authorization level: E, R, S, W

Infotype: 0001, 0002, 0006

Personnel Area: US01

Employee Group: 1

Employee Subgroup: U4

Subtype: *

Organizational Key: CA04-CA05, US01

P_PERNR

auth1:

Authorization level: R, W

Infotype: 0002, 0006

Interpretation of assigned per: I

Subtype: *

auth2:

Authorization level: E, S, W

Infotype: 0001, 0008

Interpretation of assigned per: E

Subtype: *

auth3:

Authorization level: M, R

Infotype: 0008

Interpretation of assigned per: I

Subtype: *

My question is: the HR Admin user is able to modify another emp's data whose org unit does not come under any org unit mentioned in the structural profile which is assigned to the HR Admin.

And I observed one thing here: the extra emp's personnel area, sub area, emp grp, sub grp and org key are covered in the above access, but in the structural profile the org unit is not there.

Please suggest how the HR Admin is able to modify the HR master data of that employee.

Regards,

Venu.



pmuschick

Further help can only be provided if you attach the settings/switches for HR authorizations and the user-specific objects. Please have a look at HRAUTH for a list of the switches and the user-specific data in the dedicated tab. Additionally you have to describe your structural profile; there can be so many reasons for this that any hints are just rough guesses at the usual errors.

Former Member

Hi Peter,

Thank you. I will attach the required details soon.

Regards,

Venu.

Former Member

Please find the attached doc for the auth switches and what is mentioned in the structural profile, as well as the switches in OOAC.

The descriptions of the attached images are as below:

Image 1: User HR auth objects in HRAUTH

Image 2: Switches in HRAUTH (and the same in OOAC).

Image 3: Structural profile of the user in HRAUTH

Image 4: OOSP definition

Image 5: The actual structural profile in OOSB or OOSP. Here we can see that the HR user is able to access only pernrs 7 (his own pernr), 10, 11, 12 and 13.

But my question is that the HR admin user is able to modify another pernr (pernr number 8) which is not populated in the structural profile.

Image 6: T77UA entries for the user

What I observed is that the extra pernr's HR master data (personnel area, emp grp, sub grp, org key) which the HR admin is able to access is covered in the role assigned to the HR admin.

But the extra pernr does not come under any of the org units mentioned in the structural profile.

Please suggest how to proceed further.

Regards,

Venu.

former_member298454

Venu,

From your screenshots, I assume that you are using P_ORGIN in your design, so no context solution has been invoked in your design.

Hence, ORGPD should have been switched on for enabling structural authorizations instead of DFCON.

If pernr 8 must have been isolated (not integrated in the OM structure, i.e. on the default position), set the required value (1, 2, 3, 4) for ORGPD and switch off DFCON.

Possible values for ORGPD/DFCON and their meaning:

1 = Check access to the org unit maintained in IT 0001 for persons not linked to the OM structure. If no value is maintained in IT 0001, deny authorization to the person.

2 = Do not check access to the org unit maintained in IT 0001 for persons not linked to the OM structure. Deny access to all these persons.

3 = Check access to the org unit maintained in IT 0001 for persons not linked to the OM structure. If no value is maintained in IT 0001, give authorization to the person.

4 = Do not check access to the org unit maintained in IT 0001 for persons not linked to the OM structure. Give access to all these persons.

Thanks, Krishna


As replied by Krishna, please activate AUTSW ORGPD for structural authorization checking.
Additionally, if it still does not work, please provide us with some information on personnel number 8 (area, group, subgroup, organizational position and so on).

From a general point of view I can only advise you to restart/rethink the main switches, as a useful context solution with P_ORGINCON is IMHO a better approach than only P_ORGIN (for example).


Hi Peter/Krishna,

Pernr 8 is assigned to a position and an org unit, not a default position.

@Krishna,

Q1) Do you mean that if any person is not assigned to the OM structure (default position 99999999) we need to switch AUTSW ORGPD ON to (1, 2, 3, 4), or do we just need to switch it ON if we want to use the structural auth concept?

Q2) What are the default settings in OOAC if we want to implement both the general authorization and the structural auth concept?

Please suggest on this.

Q3) "Possible Values for  and their meaning": from this, can I understand that these settings are required when any user is not linked to the OM structure? Please correct me if I am wrong.

And if the person is linked to the OM structure, what are the default values for ORGPD/DFCON?


Q4) Can we use P_ORGINCON instead of P_ORGIN (as all the fields of this auth object are covered in P_ORGINCON)? And do we need to make sure that the structural profile is included in the role (in P_ORGINCON) as well as assigned to the same user in OOSB?

To use P_ORGINCON, do we need to switch AUTSW INCON on to "1"?

Regards,

Venu.


Hi,

As suggested, I tried the ways below.

Case 1, Task A: Maintained the switches in OOAC as below.

AUTSW ADAYS 15 HR: Tolerance Time for Authorization Check

AUTSW APPRO 0 HR: Test Procedures

AUTSW DFCON 0 HR: Default Position (Context)

AUTSW INCON 0 HR: Master Data (Context)

AUTSW NNCON 0 HR: Customer-Specific Authorization Check (Context)

AUTSW NNNNN 0 HR: Customer-Specific Authorization Check

AUTSW ORGIN 1 HR: Master Data

AUTSW ORGPD 1 HR: Structural Authorization Check

AUTSW ORGXX 0 HR: Master Data - Extended Check

AUTSW PERNR 1 HR: Master Data - Personnel Number Check

AUTSW XXCON 0 HR: Master Data - Enhanced Check (Context)

Just switched on P_ORGIN, P_PERNR and ORGPD.

In this case the pernr (8) is assigned to the OM structure.

As per the above settings I am able to restrict the HR Admin from doing any activity on pernr 8's data.

Task B: I have removed the structural profile from the HR Admin and tried to modify the data of other emps. The HR Admin was not able to view any emp's data except his own (even though the personnel area, sub area etc. are covered in the role authorizations).

The reason, I assume, is that the structural auth check (ORGPD) is activated in OOAC, hence it is checking whether a structural profile is assigned to the user or not? Please correct me if I am wrong.

Case 2: I have changed the settings in OOAC and maintained them as mentioned below (switched off ORGPD and switched on P_ORGINCON).

AUTSW ADAYS 15 HR: Tolerance Time for Authorization Check

AUTSW APPRO 0 HR: Test Procedures

AUTSW DFCON 0 HR: Default Position (Context)

AUTSW INCON 1 HR: Master Data (Context)

AUTSW NNCON 0 HR: Customer-Specific Authorization Check (Context)

AUTSW NNNNN 0 HR: Customer-Specific Authorization Check

AUTSW ORGIN 1 HR: Master Data

AUTSW ORGPD 0 HR: Structural Authorization Check

AUTSW ORGXX 0 HR: Master Data - Extended Check

AUTSW PERNR 1 HR: Master Data - Personnel Number Check

AUTSW XXCON 0 HR: Master Data - Enhanced Check (Context)

And added P_ORGINCON manually in the role, and maintained the auth values and the structural profile in it.

As per the settings above I am able to restrict the HR Admin from doing any activity on pernr 8's data.

Hence my assumption is that the settings in Task 1 (Case 1) and in Case 2 give the same results, as expected.

Conclusion:

If we don't want to use P_ORGINCON (which contains the structural profile as a field), we can go for the OOAC settings as mentioned in Task 1. Otherwise we can go for the Case 2 settings.

Please correct me if I am wrong.

Case 3: I have defined the structural profile as below in OOSP.

Profile      No.  PV  OT  ObjectID   Eval.Path  Maintained
HRADMIN_US   1    1   O   50000113   O-S-P
HRADMIN_US   2    1   O   50000116   O-S-P      X
HRADMIN_US   3    1   O   50000117   O-S-P      X

There are 3 org units in total. For the last 2 org units I have given the maintenance activity (X).

The HR Admin comes under the first org unit (50000113), for which the maintenance activity is not given.

Under this HR Admin's org unit (50000113) there are 2 positions: one is occupied by this HR Admin (pernr 7) and the other by the Assistant HR Admin (pernr 11).

But this HR Admin is not able to edit the Assistant HR Admin's data. Is this because we did not check the maintenance flag for this org unit in the structural profile (even though we give write/edit access in the role)?

Please correct me if I am wrong. And how is the HR Admin able to edit his own data (is P_PERNR bypassing all these auth checks)?

Regards,

Venu.


Venu,

Q1) ORGPD and DFCON are both for enabling structural authorization.

ORGPD - plain structural authorization

DFCON - context solution

Q2) You have to switch on either of the above switches to enable the structural authorization concept.

Q3) Yes, you are right.

Q4) While using the context solution, AUTSW INCON should be "1" and you can avoid manual maintenance in OOSB.

The PD profiles that are assigned to the user via P_ORGINCON will get assigned in the OOSB table (automatically through the standard BAdI, if you implemented it).

Case 1 & 2: Your conclusion is right for Case 1 (OOAC setting).

But if you use P_ORGINCON, then switch off P_ORGIN and ORGPD and activate DFCON.

Case 3: P_PERNR with the 'I' value will authorize the user to access his own records even though he doesn't have the respective PD profile.

But it is not true with P_PERNR with 'E'.

Both general authorization (write access in the role) and structural authorization (maintenance should be checked) are needed to enable the write access.

Thanks, Krishna
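As an added illustration (not SAP code and not code from anyone in this thread), the following Python model shows how the general P_ORGIN/P_PERNR checks and the structural PD-profile check combine into one decision: the AUTSW ORGPD values 1 to 4 that Krishna listed for persons on the default position, the Maintained flag from Venu's Case 3 profile, and the own-record behaviour of P_PERNR 'I' versus 'E' from the Case 3 answer above. The org tree, the extra org unit 50000120, pernr 9, the position ids and the set of levels treated as "write" are constructed assumptions; the P_ORGIN, P_PERNR and OOSP values mirror what Venu posted.

```python
# Toy model of the SAP HCM authorization checks discussed in this thread:
# general P_ORGIN check, P_PERNR handling of the user's own record, and the
# structural check (PD profile from OOSP, controlled by AUTSW ORGPD).
# Added illustration, not SAP code. Org unit 50000120, pernr 9, the position
# ids and WRITE_LEVELS are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

DEFAULT_POSITION = "99999999"        # person not integrated in the OM structure
WRITE_LEVELS = {"W", "E", "D", "S"}  # assumption: levels treated as maintenance


@dataclass(frozen=True)
class Employee:
    pernr: str
    persa: str            # personnel area
    persg: str            # employee group
    persk: str            # employee subgroup
    vdsk1: str            # organizational key
    orgeh: Optional[str]  # org unit in IT 0001, None if nothing maintained
    position: str

    @property
    def integrated(self) -> bool:
        return self.position != DEFAULT_POSITION


@dataclass(frozen=True)
class POrgin:              # one P_ORGIN authorization, each field a set of values
    authc: FrozenSet[str]
    infty: FrozenSet[str]
    persa: FrozenSet[str]
    persg: FrozenSet[str]
    persk: FrozenSet[str]
    vdsk1: FrozenSet[str]


@dataclass(frozen=True)
class PPernr:              # one P_PERNR authorization: psign 'I' includes, 'E' excludes
    authc: FrozenSet[str]
    infty: FrozenSet[str]
    psign: str


@dataclass(frozen=True)
class ProfileEntry:        # one OOSP line: root org unit plus the Maintained (X) flag
    root: str
    maintain: bool


def orgunits_under(tree: Dict[str, List[str]], root: str) -> set:
    """Org units reachable from root: stand-in for the O-S-P evaluation path."""
    seen, todo = set(), [root]
    while todo:
        ou = todo.pop()
        if ou not in seen:
            seen.add(ou)
            todo.extend(tree.get(ou, []))
    return seen


def general_check(auths, emp, infty, level) -> bool:
    """P_ORGIN: one single authorization must match every field of the record."""
    return any(level in a.authc and infty in a.infty and emp.persa in a.persa
               and emp.persg in a.persg and emp.persk in a.persk
               and emp.vdsk1 in a.vdsk1 for a in auths)


def structural_check(profile, tree, emp, level, orgpd) -> bool:
    """PD-profile check; ORGPD 0 = inactive, 1-4 as listed in Krishna's reply."""
    if orgpd == 0:
        return True
    write = level in WRITE_LEVELS

    def covered(orgunit):
        hits = [e for e in profile if orgunit in orgunits_under(tree, e.root)]
        return bool(hits) and (not write or any(e.maintain for e in hits))

    if emp.integrated:
        return covered(emp.orgeh)
    if orgpd == 2:          # deny everyone on the default position
        return False
    if orgpd == 4:          # allow everyone on the default position
        return True
    if emp.orgeh is None:   # nothing in IT 0001: value 1 denies, value 3 allows
        return orgpd == 3
    return covered(emp.orgeh)


def authorized(user_pernr, p_orgin, p_pernr, profile, tree, emp, infty, level, orgpd) -> bool:
    """Own record goes through P_PERNR first; otherwise both checks must pass."""
    if emp.pernr == user_pernr:
        for a in p_pernr:
            if level in a.authc and infty in a.infty:
                return a.psign == "I"
    return (general_check(p_orgin, emp, infty, level)
            and structural_check(profile, tree, emp, level, orgpd))


# Constructed data mirroring the thread (flat tree: the three roots have no children)
ORG_TREE = {"50000113": [], "50000116": [], "50000117": [], "50000120": []}
PROFILE = [ProfileEntry("50000113", False), ProfileEntry("50000116", True),
           ProfileEntry("50000117", True)]                 # HRADMIN_US, Case 3
P_ORGIN = [POrgin(frozenset("ERSW"), frozenset({"0001", "0002", "0006"}),
                  frozenset({"US01"}), frozenset({"1"}), frozenset({"U4"}),
                  frozenset({"CA04", "CA05", "US01"}))]     # CA04-CA05 range expanded
P_PERNR = [PPernr(frozenset("RW"), frozenset({"0002", "0006"}), "I"),
           PPernr(frozenset("ESW"), frozenset({"0001", "0008"}), "E"),
           PPernr(frozenset("MR"), frozenset({"0008"}), "I")]


def emp(pernr, orgeh, position="S1"):
    return Employee(pernr, "US01", "1", "U4", "US01", orgeh, position)


EMPLOYEES = {
    "7": emp("7", "50000113"),               # the HR Admin
    "11": emp("11", "50000113"),             # Assistant HR Admin, same org unit
    "10": emp("10", "50000116"),
    "8": emp("8", "50000120"),               # org unit outside the profile
    "9": emp("9", None, DEFAULT_POSITION),   # not integrated in OM, no IT 0001 org unit
}


def hr_admin_can(pernr, infty, level, orgpd=1, profile=PROFILE):
    """Would the HR Admin (pernr 7) get `level` access to `infty` of `pernr`?"""
    return authorized("7", P_ORGIN, P_PERNR, profile, ORG_TREE,
                      EMPLOYEES[pernr], infty, level, orgpd)
```

Running `hr_admin_can("8", "0002", "W", orgpd=0)` reproduces the original symptom: with the structural switch off, only P_ORGIN decides, and pernr 8 matches every P_ORGIN field, so the write is allowed; with `orgpd=1` the structural check denies it because org unit 50000120 is under none of the profile roots. The same function shows the Case 3 result (write on pernr 11 denied because root 50000113 carries no Maintained flag, read allowed) and that the HR Admin's own IT 0002 stays writable through P_PERNR 'I' even with an empty profile, while IT 0001 is excluded by the 'E' authorization.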


Hi Krishna,

I have a doubt on Q4) "While using the context solution, AUTSW INCON should be "1" and you can avoid manual maintenance in OOSB. The PD profiles that are assigned to the user via P_ORGINCON will get assigned in the OOSB table (automatically through the standard BAdI, if you implemented it)."

Does it mean we do not need to assign the structural profile to the user ID in OOSB if we use P_ORGINCON? And we do not need to assign the S.P. to the position (PO13, PD profile)?

And if we want to use the P_ORGINCON auth object we need to activate INCON; what is the default value for DFCON (considering the case where users are not assigned to the org structure), value 3?

Regards,

Venu.


There are multiple strategies available for the assignment of structural authorizations to a user.

A few are as follows:

- Assigning PD profiles to the position/org unit/OM data (IT 1017): RHPROFL0 will have to be run to update the respective PD profiles for the user in the OOSB table.

- Assigning a PD profile via the P_ORGINCON object through a PFCG role; then you can automate the assignment of PD profiles to users in OOSB using the standard BAdI.

If you are using P_ORGINCON, yes, you need to activate:

INCON - to switch on P_ORGINCON

DFCON - to manage how default positions should be handled (refer to the values 1, 2, 3, 4 and their explanations)

Ignore ORGPD.

Thanks, Krishna