Sap Security Pages

Learn SAP Security & Authorizations Concepts

HCM Security HR Basics 

HR Basics

Aninda 6 Comments , , ,

SAP HR deals with private employee data much of which might be of sensitive nature. As a result the HR security is typically more stringent that security for the other SAP modules. In a lot of non HR applications, security is more geared towards prevention of wrongful entry of data into the system. However, in the case of HR, even the display of private data might lead to non compliance with prevailing laws and regulations.

Other than the overtly sensitive nature of HR data,another reason of separating it out into its own category on this site is to emphasize  two unique provisions in HR.

  • Firstly, most of SAP security is based on positive authorization, i.e presence of a particular authorization in the user buffer gives access to new functionality. HR is one area where negative authorization can also be used in addition to the existing positive authorizations. Negative authorization in this case prevents an user from accessing some application due to the presence of a certain authorization in his user buffer.
  • Secondly, HR uses structural authorizations to restrict HR access to a certain hierarchy within an authorization independent to the general authorizations assigned through roles.

6 thoughts on “HR Basics

  • Aaina
    April 19, 2011 at 11:08 pm
    Permalink

    Hello Aninda
    Do you know the use of parameter UGR value 10 and why we have to make sure it is not abused? Should we not assign SU3 to users so as to prevent them from updating this parameter?

    Reply
    • AnindaPost author
      April 20, 2011 at 3:53 am
      Permalink

      The UGR parameter is meant for default HR user group for a person. The user group is used as part of config entries to control the user interfaces (for example the infotype entries or number of tabs) in standard SAP HR transactions like PA20, PA30, etc. Also, this parameter just controls the user interface. So security will always be checked in the backend and there are ways to display infotypes even if they are not in the default interface. I am not aware how user group 10 has been used in your landscape as this is totally dependent on configuration.

      Please check with the functional HR guys about the ways in which user group is being used in your system. As you mention any user with access to SU3 will be able to change the default values for UGR maintained in their user master. I don’t believe taking away SU3 is the solution in this case as this might have other implications for maintenance. However someone ( a process owner) has to take a call about the sensitivity of users changing their UGR parameters.

      Reply
  • Shanker Balaji
    June 21, 2011 at 8:43 am
    Permalink

    Hello Aninda,

    Normally we do assign below parameters in SAP HR system :-

    CATS_APPR_PROF ESH_LINE
    CVR Z_ESHER
    MOL 45

    Can you please let me know why do we have to assign them in SAP.

    Reply
    • AnindaPost author
      June 21, 2011 at 12:33 pm
      Permalink

      Hi Shanker,

      User Parameters in general are used to provide default values for various transactions/applications
      CVR is used to provide the default time entry profile in CAT2
      MOL is MOLGA or the default country grouping
      CATS_APPR_PROF is the default for the CATS approval profile used by Time Approvers.

      Regards,
      Aninda

      Reply
  • Ly Bang
    July 17, 2014 at 2:56 am
    Permalink

    Hello Anida,

    Can you explain more deeply about structural authorization, what its differences from general authorization ?

    Thank you

    Reply
    • AnindaPost author
      September 26, 2014 at 1:34 pm
      Permalink

      Please read through the other posts in the HCM Security section. There’s lots of info already there.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *