02-04-2015 6:44 AM
Hello experts
I try to understand the current situation of our structural authorization in ERP.
I am responsible for the extraction into SAP BW and the generation of analysis authorizations.
I have checked HRAUTH of a few users and cannot find any temporal delimitation, e.g.
01 O 102001 01.01.1800 31.12.9999 X MANAGER
01 O 102039 01.01.1800 31.12.9999 X MANAGER
01 O 107732 01.01.1800 31.12.9999 X MANAGER
01 O 107732 01.03.2014 31.12.9999 X MANAGER
01 O 107732 01.03.2014 31.12.9999 X MANAGER
01 O 107732 01.03.2014 31.12.9999 X MANAGER
01 O 107732 01.03.2014 31.12.9999 X MANAGER
In this example you can see that the end date in every case is 31.12.9999.
The organization 102001 is not valid any more for this user.
Also the organization 102039 is not valid.
Organization 107732 is valid since 01.03.2014 for this user, but HRAUTH shows the whole time validity.
Is this the correct behaviour? The authorizations in ERP seem to work. Executing FM RH_GET_MANAGER_ASSIGNMENT and RH_GET_ORG_ASSIGNMENT shows the correct assigned organization.
When extracting these data into SAP BW, via datasource 0HR_PA_2, I am getting the same incorrect data as shown above in HRAUTH.
Any ideas?
Thanks for your help.
Thomas
02-04-2015 9:35 AM
Thomas,
Can you share the screenshot of the structural authorization that is assigned to this user?
Which is the node (org unit) where the user (or manager) belongs?
Thanks, Krishna
02-04-2015 2:53 PM
Hello Krishna
Here you can see the values in the PSA of 0HR_PA_2:
|O | 102001|01.01.1800|31.12.9999|MANAGER
X |O | 102039|01.01.1800|31.12.9999|MANAGER
| |O | 107732|01.01.1800|31.12.9999|MANAGER
| | |O | 107732|01.03.2014|31.12.9999|MANAGER
| | |O | 107850|01.01.1800|31.12.9999|MANAGER
| | |O | 107850|01.05.2008|31.12.9999|MANAGER
| | |O | 108053|01.01.1800|31.12.9999|MANAGER
| | |O | 108437|01.01.1800|31.12.9999|MANAGER
| | |O | 108437|01.05.2008|31.12.9999|MANAGER
| | |O | 108659|01.01.1800|31.12.9999|MANAGER
| | |O | 108659|01.01.2009|31.12.9999|MANAGER
| | |O | 108660|01.01.1800|31.12.9999|MANAGER
| | |O | 108660|01.01.2009|31.12.9999|MANAGER
| | |O | 108661|01.01.1800|31.12.9999|MANAGER
| | |O | 108661|01.03.2014|31.12.9999|MANAGER
| |O | 108662|01.01.1800|31.12.9999|MANAGER
| |O | 108662|01.01.2009|31.12.9999|MANAGER
Here you can see the screen of PPOME:
Why do we see organization 102001, 107732, 107850, 108661, 108662, etc. as authorized objects for this user, also the PPOME shows that he is "leader" of 108053 since 01.05.2014?
Thanks for your help!
Thomas
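A check for the symptom described in this post, added here as an example and not code from any participant or from SAP: it parses rows shaped like the PSA listing and reports exact duplicates, delimited rows that sit beside an open-ended row for the same object, and objects that have only an open-ended row. The pipe-delimited layout, the function names and the 01.01.1900 cut-off for "open-ended" start dates are assumptions.

```python
from collections import Counter, defaultdict
from datetime import date, datetime

# Constructed sample: a few rows in the shape of the listings above
# (object type | object ID | valid from | valid to | profile), one repeated.
SAMPLE_ROWS = """\
O|102001|01.01.1800|31.12.9999|MANAGER
O|107732|01.01.1800|31.12.9999|MANAGER
O|107732|01.03.2014|31.12.9999|MANAGER
O|107732|01.03.2014|31.12.9999|MANAGER
O|108661|01.01.1800|31.12.9999|MANAGER
O|108661|01.03.2014|31.12.9999|MANAGER
"""

# Assumption: start dates on or before this are "beginning of time" placeholders.
LOW_SENTINEL = date(1900, 1, 1)
HIGH_DATE = date(9999, 12, 31)


def parse_rows(text):
    """Parse pipe-delimited rows into (otype, objid, begda, endda, profile)."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        otype, objid, begda, endda, profile = parts
        begda = datetime.strptime(begda, "%d.%m.%Y").date()
        endda = datetime.strptime(endda, "%d.%m.%Y").date()
        rows.append((otype, objid, begda, endda, profile))
    return rows


def audit(rows):
    """Return (duplicates, shadowed, unbounded_only) for the parsed rows."""
    counts = Counter(rows)
    duplicates = {r: n for r, n in counts.items() if n > 1}
    by_object = defaultdict(set)
    for otype, objid, begda, endda, _profile in counts:
        by_object[(otype, objid)].add((begda, endda))
    shadowed, unbounded_only = {}, []
    for key, intervals in sorted(by_object.items()):
        wide = [i for i in intervals if i[0] <= LOW_SENTINEL and i[1] == HIGH_DATE]
        narrow = sorted(i for i in intervals if i not in wide)
        if wide and narrow:
            shadowed[key] = narrow      # delimited rows with no effect
        elif wide:
            unbounded_only.append(key)  # no delimited row at all
    return duplicates, shadowed, unbounded_only
```

If a consumer treats the rows for one object as a union of intervals, every entry in `shadowed` is a delimitation that has no effect, because the open-ended row already covers the whole period.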
02-05-2015 3:21 PM
Org units 107732, 108661, 108662 belong to the 108053 head node where he is the manager. He should have access to them.
As per the current date he is the manager of org unit 108053 and its sub nodes. You can check the 'period' column in the structural authorization for more info.
Query - Organization 107732 is valid since 01.03.2014 for this user, but HRAUTH shows the whole time validity.
Not sure why it is showing double entries. Are you clicking INDX entries in HRAUTH to get this display?
Can you try with OOSB 'Display Objects' for this user and see his accessible objects?
Thanks, Krishna
02-06-2015 6:21 AM
Hi Krishna
In HRAUTH we see these values for the user:
MANAGER 1 01 O O 107732 108053 PERSON 12 0 X F 01.03.2014 31.12.9999 RH_GET_MANAGER_ASSIGNMENT
MANAGER 1 01 O O 107850 108053 PERSON 12 0 X F 01.05.2008 31.12.9999 RH_GET_MANAGER_ASSIGNMENT
MANAGER 1 01 O O 108053 108053 PERSON 12 0 X F 01.01.1900 31.12.9999 RH_GET_MANAGER_ASSIGNMENT
MANAGER 1 01 O O 108437 108053 PERSON 12 0 X F 01.05.2008 31.12.9999 RH_GET_MANAGER_ASSIGNMENT
MANAGER 1 01 O O 108659 108053 PERSON 12 0 X F 01.01.2009 31.12.9999 RH_GET_MANAGER_ASSIGNMENT
MANAGER 1 01 O O 108660 108053 PERSON 12 0 X F 01.01.2009 31.12.9999 RH_GET_MANAGER_ASSIGNMENT
MANAGER 1 01 O O 108661 108053 PERSON 12 0 X F 01.03.2014 31.12.9999 RH_GET_MANAGER_ASSIGNMENT
MANAGER 1 01 O O 108662 108053 PERSON 12 0 X F 01.01.2009 31.12.9999 RH_GET_MANAGER_ASSIGNMENT
MANAGER 5 01 P 102001 0 0 X 01.01.1900 31.12.9999 RH_GET_OBJECTS_OF_MANAGER
MANAGER 5 01 P 102039 0 0 X 01.01.1900 31.12.9999 RH_GET_OBJECTS_OF_MANAGER
MANAGER 5 01 P 102788 0 0 X 01.01.1900 31.12.9999 RH_GET_OBJECTS_OF_MANAGER
In parallel I opened an SAP message and I got this answer.
Is this the reason that we get more object IDs extracted into BW? Why do we see different org units and incorrect time validities in BW?
"....Thank you for the system connection and adding authorization. You are
right, there is different object type shown in transaction HRAUTH than
in extractor. For the Object ID 102039 we have object type P shown in
HRAUTH and object type O in extractor. The right is to have object
type O as in extractor. The same can be checked when executing report
RHBAUS00 to fill the INDX with authorization object. Please use report
RHAUTH_VIEW_INDX to see the data in INDX (for details see the note
836478). That you can see object type P is a display problem which is
caused by the wrong customizing.
In the MANAGER profile definition you have following:
MANDT PROFL LFDNR PLVAR OTYPE OBJID WEGID SVECT DEPTH SSIGN MAINT PDATE PFUNC
200 MANAGER 005 01 P 00000000 0 X RH_GET_OBJECTS_OF_MANAGER
Function module RH_GET_OBJECTS_OF_MANAGER is used to deliver root
objects and you specified that the root objects are type P. But this
function module delivers not only P but O objects too. Please see the
documentation and how it is done in our standard function module
RH_GET_MANAGER_ASSIGNMENT or RH_GET_ORG_ASSIGNMENT . These function
modules determine O as root objects. The objects type O is filtered in
the code (line 91):
LOOP AT result_tab WHERE otype = 'O'.
obj_tab-objid = result_tab-objid.
OBJ_TAB-PLVAR = I77PR-PLVAR. "note 993660
OBJ_TAB-OTYPE = RESULT_TAB-OTYPE. "note 993660
COLLECT obj_tab.
ENDLOOP.
The RH_GET_OBJECTS_OF_MANAGER delivers diverse objects type and you
specified that the root objects are P objects type. If so then please
deliver only objects type P. Or in your case if you want to evaluate
structure under all objects of manager please leave the object type
empty..."
02-06-2015 10:03 AM
Thomas,
If I assume the MANAGER structural profile should give access to org unit, position, job, person etc. in the head org unit where he/she is holding the manager position, I see a better option in using the RH_GET_MANAGER_ASSIGNMENT FM to determine the root org unit with a proper evaluation path.
If you modify your structural authorization with this FM and root object type 'O' (org unit) with an evaluation path (to determine the accessible objects under the org unit) and then assign this to users who are in the 'manager' position, it would give the desired access. Or you can follow SAP's solution as well.
Why double entries:
If the INDX table is showing double entries as you showed in the earlier screenshot, have a look at the reports RHBAUS02, RHBAUS00, RHBAUS001 to see if they are running fine. Try deleting the INDX records for this user and re-creating them; not sure if this helps.
Thanks, Krishna
02-06-2015 10:09 AM
Thanks Krishna
We use report RHBAUS.
Is this report sufficient or do we need to run the other reports as well?
Regards
Thomas
02-06-2015 3:02 PM
This is sufficient.
The INDX table content is moving to the BI extractor, as I understood. If the INDX content is perfect then there would not be any issue on the BI side.
To correct the issues of 1) duplication of entries and 2) inconsistency (i.e. object type 'P' in OOSB and object type 'O' in INDX for the same object 102039):
- Try assigning the structural authorization to multiple users and see if the same problem persists, then
correct the structural authorization in either of the ways below:
modify your structural authorization with this FM and root object type 'O' (org unit) with an evaluation path (to determine the accessible objects under the org unit), then assign this to users who are in the 'manager' position, which would give the desired access
OR
follow SAP's solution as well, then run the program for INDX generation.
This is all I could think of to correct the issue. If it doesn't help then it is better to contact SAP.
Thanks, Krishna