Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

HRAUTH: Structural authorizations and SAP BW

Former Member
0 Kudos

Hello experts

I try to understand the current situation of our structural authorization in ERP.

I am responsible for the extraction into SAP BW and the generation of analysis authorizations.

I have checked HRAUTH of a few users and cannot find any temporal delimitation, e..g.

01 O 102001 01.01.1800 31.12.9999 X MANAGER

01 O 102039 01.01.1800 31.12.9999 X MANAGER

01 O 107732 01.01.1800 31.12.9999 X MANAGER

01 O 107732 01.03.2014 31.12.9999 X MANAGER

01 O 107732 01.03.2014 31.12.9999 X MANAGER

01 O 107732 01.03.2014 31.12.9999 X MANAGER

01 O 107732 01.03.2014 31.12.9999 X MANAGER

In this example you can see that end date for any case is 31.12.9999.

The organization 102001 is not valid any more for this user.

Also the organization 102039 is not valid.

Organization 107732 is valid since 01.03.2014 for this user, but HRAUTH shows the whole time validity.

Is this the correct behaviour? The authorizations in ERP seems to work. Executing FM RH_GET_MANAGER_ASSIGNMENT and RH_GET_ORG_ASSIGNMENT show the correct assigned organization.

When extracting these data into SAP BW, via datasource 0HR_PA_2, I am getting the same incorrect data as shown above in HRAUTH.

Any ideas?

Thanks for your help.

Thomas

1 ACCEPTED SOLUTION

former_member298454
Active Participant
0 Kudos

Thomas,

Can you share the screenshot of stucrtual authorization that is assigned to this user?

which is the node(org unit) where user(or manager) belongs to?

Thanks,Krishna

7 REPLIES 7

former_member298454
Active Participant
0 Kudos

Thomas,

Can you share the screenshot of stucrtual authorization that is assigned to this user?

which is the node(org unit) where user(or manager) belongs to?

Thanks,Krishna

0 Kudos

Hello Krishna

Here you can see the values in the PSA of 0HR_PA_2:

                    |O        |  102001|01.01.1800|31.12.9999|MANAGER  

X                 |O        |  102039|01.01.1800|31.12.9999|MANAGER 

         |          |O        |  107732|01.01.1800|31.12.9999|MANAGER 

|        |          |O        |  107732|01.03.2014|31.12.9999|MANAGER  

|        |          |O        |  107850|01.01.1800|31.12.9999|MANAGER 

|        |          |O        |  107850|01.05.2008|31.12.9999|MANAGER  

|        |          |O        |  108053|01.01.1800|31.12.9999|MANAGER 

|        |          |O        |  108437|01.01.1800|31.12.9999|MANAGER  

|        |          |O        |  108437|01.05.2008|31.12.9999|MANAGER  

|        |          |O        |  108659|01.01.1800|31.12.9999|MANAGER  

|        |          |O        |  108659|01.01.2009|31.12.9999|MANAGER  

|        |          |O        |  108660|01.01.1800|31.12.9999|MANAGER  

|        |          |O        |  108660|01.01.2009|31.12.9999|MANAGER  

|        |          |O        |  108661|01.01.1800|31.12.9999|MANAGER  

|        |          |O        |  108661|01.03.2014|31.12.9999|MANAGER  

|                   |O        |  108662|01.01.1800|31.12.9999|MANAGER  

|                   |O        |  108662|01.01.2009|31.12.9999|MANAGER 

Here you can see the screen of PPOME:

Why do we see organization 102001, 107732, 107850, 108661, 108662, etc. as authorized objects for this user, also the PPOME shows that he is "leader" of 108053 since 01.05.2014?

Thanks for your help!

Thomas

0 Kudos

Org units 107732,108661,108662 are belong to 108053 head node where he is the manager. He should have access to them.

As per the current date he is the manager of orgunit  108053 and its sub nodes .you can check 'period' column in structual authorization for more info.

Query -Organization 107732 is valid since 01.03.2014 for this user, but HRAUTH shows the whole time validity.

not sure why it is showing double entries, are you clicking INDX entried in HRAUTH to get this display?

Can you try with OOSB 'Display Objects' for this user and see his accessible objects?

Thanks,Krishna

0 Kudos

Hi Krishna

In HRAUTH we see these values for the user:

MANAGER 1 01 O O 107732 108053 PERSON 12 0 X F 01.03.2014 31.12.9999  RH_GET_MANAGER_ASSIGNMENT

MANAGER 1 01 O O 107850 108053 PERSON 12 0 X F 01.05.2008 31.12.9999  RH_GET_MANAGER_ASSIGNMENT

MANAGER 1 01 O O 108053 108053 PERSON 12 0 X F 01.01.1900 31.12.9999  RH_GET_MANAGER_ASSIGNMENT

MANAGER 1 01 O O 108437 108053 PERSON 12 0 X F 01.05.2008 31.12.9999  RH_GET_MANAGER_ASSIGNMENT

MANAGER 1 01 O O 108659 108053 PERSON 12 0 X F 01.01.2009 31.12.9999  RH_GET_MANAGER_ASSIGNMENT

MANAGER 1 01 O O 108660 108053 PERSON 12 0 X F 01.01.2009 31.12.9999  RH_GET_MANAGER_ASSIGNMENT

MANAGER 1 01 O O 108661 108053 PERSON 12 0 X F 01.03.2014 31.12.9999  RH_GET_MANAGER_ASSIGNMENT

MANAGER 1 01 O O 108662 108053 PERSON 12 0 X F 01.01.2009 31.12.9999  RH_GET_MANAGER_ASSIGNMENT

MANAGER 5 01 P  102001 0   0 X  01.01.1900 31.12.9999  RH_GET_OBJECTS_OF_MANAGER

MANAGER 5 01 P  102039 0   0 X  01.01.1900 31.12.9999  RH_GET_OBJECTS_OF_MANAGER

MANAGER 5 01 P  102788 0   0 X  01.01.1900 31.12.9999  RH_GET_OBJECTS_OF_MANAGER

In parallel I opened an SAP message and I got this answer.

Is this the reason that we get more object IDs extracted into BW. Why do we see different Orgunits and incorrect time validities in BW?

"....Thank you for the system connection and adding authorization. You are
right, there is different object type shown in transaction HRAUTH than
in extractor. For the Object ID 102039 we have object type P shown in
HRAUTH and object type O in extractor. The right is to have object
type O as in extractor. The same can be checked when executing report
RHBAUS00 to fill the INDX with authorization object. Please use report
RHAUTH_VIEW_INDX to see the data in INDX (for details see the note
836478). That you can see object type P is display problem which is
cause by the wrong customizing.


In the MANAGER profile definition you have following:
MANDT PROFL  LFDNR PLVAR OTYPE OBJID  WEGID  SVECT DEPTH SSIGN MAINT PDATE PFUNC
200   MANAGER 005  01 P 00000000  0  X  RH_GET_OBJECTS_OF_MANAGER

Function module RH_GET_OBJECTS_OF_MANAGER is used to deliver root
objects and you specified that the root objects are type P. But this
function module delivers not only P but O objects too. Please see the
documentation and how it is done in our standard function module
RH_GET_MANAGER_ASSIGNMENT or  RH_GET_ORG_ASSIGNMENT . These function
modules determine O as root objects. The objects type O is filtered in
the code (line 91):

LOOP AT result_tab WHERE otype = 'O'.
    obj_tab-objid = result_tab-objid.
    OBJ_TAB-PLVAR = I77PR-PLVAR.                           "note 993660
    OBJ_TAB-OTYPE = RESULT_TAB-OTYPE.                      "note 993660
    COLLECT obj_tab.
  ENDLOOP.

The RH_GET_OBJECTS_OF_MANAGER delivers diverse objects type and you
specified that the root objects are P objects type. If so than please
deliver only objects type P. Or in your case if you want to evaluate
structure under all objects of manager please leave the object type
empty..."

0 Kudos

Thomas,

If I assume MANAGER structural profile should give access to Org unit, Poisition, Job , person etc in the head org unit where he/she isholding manager position.I see better option to use RH_GET_MANAGER_ASSIGNMENT FM to determine the root Org unit with proper evalutuion path.

If you modify your structual authorization with this FM and root object type 'O'(org unit)  with Evaluation path (to determine the accessible object under the Org unit)  then assigin this to users who are in 'manager' postion would give desired access OR can follow SAP's solution as well.

Why double entries:

If INDX teable is showing double entires as you shown in earlier screenshot , have a look at the reports RHBAUS02 , RHBAUS00, RHBAUS001 if they are running fine. Try deleting the INDX records for this user and re-create them, not sure if this helps.

Thanks,Krishna

0 Kudos

Thanks Krishna

We use report RHBAUS.

Is this report sufficient or do we need to run the other reports as well?

Regards

Thomas

0 Kudos


This is sufficient .

INDX  table content is moving to BI extractor as i understood , if INDX contenent is perfect then would not be any issue in BI side

To correct the issues of 1)dupllication of entries 2)inconsistency(i.e object type 'P' in OOSB and Object type 'O' in INDX for same object 102039 )

- Try assign the structural authorization to multiple users and see if the same problem persists , then

correct the structural authorizaiton in either of the way as below

modify your structual authorization with this FM and root object type 'O'(org unit)  with Evaluation path (to determine the accessible object under the Org unit)  then assigin this to users who are in 'manager' postion would give desired access

OR

can follow SAP's solution as well , then run the program for INDX generation.

These all I could think of to correct the issue , if it doesn't help then better to contact SAP.

Thanks,Krishna