Structural Authorizations and changes in Organizat...

Former Member · ‎06-18-2007

I am doing some research on Structural Authorizations and I'm trying to find out which pitfalls Structural Authorizations have.

Currently I am testing a few things:

- What happens to the person's authorizations when someone switches from one formation place to another, and how can I make sure the person gets the right authorizations? So, if the person goes from A to B, how can I make sure he looses authorizations belonging to A but gaines the authorizations belonging to B?

- What happens to authorizations when you change the organizational structure in PPOME? Will the authorizations stick to the formation places, or does this have to be done over?

Thnx for replies in advance.

Anja

Former Member · ‎06-19-2007

<i>- What happens to the person's authorizations when someone switches from one formation place to another, and how can I make sure the person gets the right authorizations? So, if the person goes from A to B, how can I make sure he looses authorizations belonging to A but gaines the authorizations belonging to B?</i>

This depends on how you assign the structural profiles - to user or to position. If you assign the profiles to the user, you must manually go into OOSB and remove the old profile and assign the correct B structural profile. Assigning to users isn't recommended, since this is VERY labor intensive.

The second method is to assign on the position (using PP01, for some position id, creating a PD profile [scroll down the list of possible relations] and then running program RHPROFL0 to regenerate the roles that position influences). If person moves from position A to position B, then since the profiles are assigned to position, the access will be updated when you execute RHPROFL0. So normally, you'd want to schedule this as a background job, run it nightly or such.

<i>- What happens to authorizations when you change the organizational structure in PPOME? Will the authorizations stick to the formation places, or does this have to be done over?</i>

If you change the org structure, it's my understanding that whatever org unit the profile points at will be evaluated in the auth check. So wherever org unit XXXXXXXXX is, SAP will evaluate the authorization in O-S-P fashion. You shouldn't have to 'redo' them, but a logic check is necessary to verify that access to that org unit makes sense for where it is.

Hope that's not too confusing.

manohar_kappala2 · ‎06-19-2007

Hi,

For the first question

What happens to the person's authorizations when someone switches from one formation place to another, and how can I make sure the person gets the right authorizations? So, if the person goes from A to B, how can I make sure he looses authorizations belonging to A but gaines the authorizations belonging to B?

it depends on how the assignment happens if the person is moved and if its position based secuirity then the person will automatically inherit the rights of the position he is now assigned to.

But if its a user based approach then u might need to change the profiles attached.

But this also gets updated dynamically depending on if u are using a function module.

And also the switches in OOAC for the tolerance time also decides on how the access control happends when a person moves to a different org unit.

So there is no unique case that would happen and it all depends on the security approach in place.

What happens to authorizations when you change the organizational structure in PPOME? Will the authorizations stick to the formation places, or does this have to be done over?

ORg strucuture is like a chart against which the system checks to interpret the PD profiles by matching the values in the pd profiles to the org structure. So it again depends on whether u are using a dynamic profiles (by using function modules) which calculate the access during runtime or if u are using static PD profiles which need to be reassigned or modified to meet a persons new postion.

Hope this helps

Manohar

Former Member · ‎06-19-2007

Thnx to both for the answers. I'm going to do a few more tests to see how things should work.

Former Member · ‎06-19-2007

Thnx to both for the answers. I'm going to do a few more tests to see how things should work.

Former Member · ‎06-19-2007

I really need to learn to use this forum. My apologies.

Message was edited by:

Anja Geenen

Former Member · ‎06-19-2007

I assigned the PD-profile to a position. When I assign the person to another position which is assigned to another PD-profile and after I run report RHPROFL0 and I check if the authorizations have changed, it says: ‘The object xxxxxx is not found’.

I need those authorizations for portal users. This means the users check the data (OM and PA) on the portal. So could this problem be because of checking on the portal?

Former Member · ‎06-20-2007

PD Profiles... are Nasty!!!!

RHPROFL0 will only update a users profile (PD or standard) if it has changed. Does the position you moved the person to have a different PD profile than what they originally had?

Try assigning the user with the new PD Profile via OOSB and see what happens from the portal end. If it works, then it could be a problem with your setup of the Position perhaps...

As I'm doing a security + portal implementation at the moment, I started using Tcode /NPZSU53 to check ESS auth checks. But its quite unreliable and you have to log in as the portal user, I found tracing authorisations via ST01 easier.

Hope this helps, don't entirely understand your issue.

Nathan Walker

Structural Authorizations and changes in Organizational Structure