
Structural Authorization

Former Member
0 Kudos

Hi,

How to give security for HR? Is structural authorization mandatory for HR? Otherwise, can the SAP R/3 security administrator maintain security for the HR module like other modules SD, MM, PM etc. (without structural authorization)? Normally, what is the process in real time?

Thanks in advance

NAG

4 REPLIES 4

Matt_Fraser
Active Contributor
0 Kudos

Assuming you have sensitive data in your HR system, you will in all likelihood want to use structural authorizations, although from a technical standpoint it is not mandatory. A good way to think of it is that standard roles grant access to perform various actions or see various types of data, while structural profiles restrict which persons or org units in the org structure you can see the data or perform the actions on. Standard roles affect what you can see, structural profiles affect who you can see.

Structural profiles are usually assigned to positions in the org plan, not directly to people, although that doesn't have to be the case. This is done in org plan management, and the advantage of this approach is that as employees are hired into positions or change positions, their structural authorizations change automatically (assuming the correct scheduled jobs are running).

A good example of structural profiles in use would be for typical HR roles such as Manager (for Manager-Self-Service) or Time Administrator (for CATS). In the case of a manager, you will design and assign a standard role (in PFCG, as usual) with the various HR objects (P_ORGIN, P_PERNR, etc.) that managers need in order to manage their teams, approve working times, etc. However, you probably don't want your managers to be able to do or see anything for employees other than those in their own departments. You could build a separate MSS role for each department, building in org key or other similar restrictions, but this would involve a lot of up-front and ongoing maintenance, and if there are lots of departments would very quickly become unwieldy.

The solution is to build just one MSS role, but also build one MSS structural profile, which will look at the user's org assignment and then restrict him/her to working with that org (and maybe a few others subordinate to it, if that's appropriate) only.

The key transactions and programs to keep handy when working with structural profiles are:

- OOAC (activate structural authorization checks -- this is configuration and transportable)
- OOSP (create structural profiles -- also transportable)
- OOAW (create evaluation paths, which are used by structural profiles)
- PO13 (position maintenance, where you assign profiles to positions -- done in each system)
- RHPROFL0 (report, not tcode -- this evaluates all the profile to position assignments, the holders of those positions, and the usernames associated with those holders, ultimately assigning profiles to the user -- it will also create new users in batch for you)
- OOSB (checks which users have which profiles -- but not recommended as a way of directly assigning them)
- OOVK (creates relationships, which are used in evaluation paths)
- RHBAUS02 and RHBAUS00 (create indexes for users with large structural authorizations, for performance reasons)
- RHSTRU00 (display structures via evaluation path, for testing and development purposes)

I hope that this information helps with your organization's decision on whether or not to implement structural profiles.

Regards,

Matt

0 Kudos

Matt, this is a very good overview!

Thanks

Nathan

0 Kudos

Hi Matt,

We are adding the structural profiles to users manually in the OOSB transaction. Now we need to add a new object type (for example, Personnel number) to the existing profile.

Can you provide us the procedure for this?

Thanks in advance

Hari

0 Kudos

Hari,

I'm not entirely certain what you're asking about. I can say that I don't recommend assigning the profiles directly to users via OOSB, though obviously it is possible to do it that way. I prefer to assign the profiles to the associated positions via PO13, then let RHPROFL0 match up profiles to users (I run a scheduled job every night, shortly after midnight, with four steps: RHPROFL0, PFCG_TIME_DEPENDENCY, RHBAUS02, and RHBAUS00).

If you mean that you wish to add additional objects for evaluation to the structural profile itself, you do this by changing or editing the evaluation path used by the profile. With OOSP you can drill into the profile and see which evaluation path it's using. With OOAW you can edit the path.

The evaluation path can have multiple lines in its definition, so that from a starting object it follows a relationship to subordinate object types, finds those objects, and can follow further different relationships to yet other object types, etc.

For example, in our organization we want managers to be able to see Courses and Qualifications as well as Positions and People in their respective orgs. So, I built a custom evaluation path, ZMSS, as follows:

No.   Obj.Type   A/B   Relat'ship   Rel.obj.type
10    O          B     003          S
20    O          B     002          O
30    S          A     008          *
40    P          B     025          E
50    O          B     025          E
100   *          A     031          Q
110   P          A     032          Q

This starts with a supplied (from the profile) Org object, and finds incorporated Position (S) objects. It then also finds subordinate Org objects ("is line supervisor of") so it can go down further levels in the org plan. Then from the found Positions, it finds all holders (*, though P could work here too). From any Persons found as holders, it finds Courses (E) the person is enrolled in. It also does this for entire Orgs. Finally, from any objects of any type found, it finds required Qualifications, and from Persons it finds fulfilled Qualifications.

Via OOSP I see my structural profile, Z.MSS_STRUCT, which has a starting object type of O, uses the above ZMSS eval path to a depth of 5, and uses the standard function module RH_GET_MANAGER_ASSIGNMENT to find the starting O object.

Has this answered your question?

Regards,

Matt
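
A simplified model of how an evaluation path such as ZMSS expands a starting org unit into the set of objects a structural profile covers, added here as an example; it is not part of the original posts and not SAP's implementation. The path lines are the ones listed in the post above; the relationship records, object IDs and the reading of "depth" as a number of relationship hops are constructed assumptions.

```python
from collections import deque

# ZMSS path lines from the post: (object type, A/B, relationship, related object type)
ZMSS = [
    ("O", "B", "003", "S"), ("O", "B", "002", "O"), ("S", "A", "008", "*"),
    ("P", "B", "025", "E"), ("O", "B", "025", "E"),
    ("*", "A", "031", "Q"), ("P", "A", "032", "Q"),
]

# Constructed relationship records (not real data):
# (source type, source id, A/B, relationship, target type, target id)
RELATIONS = [
    ("O", "1000", "B", "003", "S", "5001"),  # position in the manager's org
    ("O", "1000", "B", "002", "O", "1100"),  # subordinate org unit
    ("O", "1100", "B", "003", "S", "5002"),
    ("S", "5001", "A", "008", "P", "0001"),  # holders of the positions
    ("S", "5002", "A", "008", "P", "0002"),
    ("P", "0002", "B", "025", "E", "9001"),  # course the person is enrolled in
    ("S", "5002", "A", "031", "Q", "7001"),  # required qualification
    ("P", "0002", "A", "032", "Q", "7002"),  # fulfilled qualification
    ("O", "2000", "B", "003", "S", "5003"),  # unrelated org: must stay out of scope
    ("S", "5003", "A", "008", "P", "0003"),
]

def resolve(path, relations, root, depth):
    """Return the (type, id) objects reachable from root in at most `depth` hops."""
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        (otype, oid), level = queue.popleft()
        if level == depth:          # depth limit reached, do not expand further
            continue
        for s_type, direction, rel, t_type in path:
            if s_type not in ("*", otype):
                continue            # this path line does not apply to this object type
            for r in relations:
                if r[:4] == (otype, oid, direction, rel) and t_type in ("*", r[4]):
                    target = (r[4], r[5])
                    if target not in seen:
                        seen.add(target)
                        queue.append((target, level + 1))
    return seen

if __name__ == "__main__":
    scope = resolve(ZMSS, RELATIONS, ("O", "1000"), depth=5)
    for obj in sorted(scope):
        print(obj)
    print("P 0003 in scope:", ("P", "0003") in scope)
```

Running the same resolution with a smaller depth shows how the depth setting in the profile cuts off lower levels of the structure, which is worth checking whenever an evaluation path is extended with new object types.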