PD Profiles – Definition

PD profiles are created through the OOSP transaction. SAP provides a few standard profiles but to a large extent, PD profiles are created by individual customer depending on their requirements.

OOSP - PD Profiles
OOSP - PD Profiles

The definition of PD profiles is stored in the T77PR table. Lets have a look at the definition of the standard PD profile for “MANAGER”

T77PR - PD Profile Definition
T77PR - PD Profile Definition

Some features to note about the definition of the PD profile.

  • Each record in the table is independent of the other records and gives access to a certain number of objects.
  • Each record has values for PV (Plan Version), OT (Object Type ), Object ID, EvalPath (Evaluation Path), StatV (Status Vector), Depth, M (Maintenance Flag), Selection Period and Function Module.
  • PV denotes the plan version for which the profile is valid.
  • OT is the object type of the object id value.
  • Object ID gives the start object when an evaluation path is used in the profile or an individual object.
  • If evaluation path is maintained, the PD profile returns the object along the PD profile. maintaining an evaluation path will only work if a start object value is maintained explicitly or dynamically through Function Modules.
  • Status Vector is used to determine the status of the objects/relationships while creating the structure. A StatV of 12 for example will consider relationships of status Active (1) or Planned (2).
  • Depth determines the level of the hierarchial structure till which the evaluation path is constructed. No maintained value indicates that the entire org structure returned by the evaluation path will be constructed.
  • Maintenance(M) flag determines whether a person will be able to maintain the returned objects.
  • Period determines the validity period of the objects/relationships while creating the structure. A value of D creates the structure which is valid on that day. A blank value indicates that the structure is not limited by the validity dates for the corresponding relationships.
  • The function module field can be used to dynamically generate a start object. Efficient use of this option can greatly reduce the maintenance effort for PD profiles. Two standard function modules are supplied by SAP, RH_GET_MANAGER_ASSIGNMENT returns the org unit for which the user is a chief while RH_GET_ORG_ASSIGNMENT returns the org unit for a user. New function modules can be created by customers as per requirement.

19 Replies to “PD Profiles – Definition”

  1. Is the creation of function modules responsibility of the security team or the HR functional team? Also what are the benefits of function modules? Thanks in advance….

    1. Te function module entry in OOSP (PD Profile Definition) is meant to determine the start object dynamically during run-time. If you are comfortable with ABAP no one is really stopping you from writing your own function module. However, in general security administrators shouldn’t be expected to write code. In fact the HR functional team is also mainly responsible for configuring the system. Writing code is almost exclusively left to the ABAP team.

    1. I already mentioned the benefit in my earlier reply. The function module entry in OOSP (PD Profile Definition) is meant to determine the start object dynamically during run-time. . Since the start object is determined dynamically, it takes into account a changing OM structure leading to less maintenance for PD profiles.

  2. Do we need to have indirect role assignments when using Function Modules or would Direct role assignment work them function modules just fine?

    1. The function modules are used for defining PD profiles. There is really no connection between using FMs in PD profiles and using indirect role assignment.

  3. Hello Aninda
    Maybe I am just getting confused now…would appreciate if you could clarify…in OOSP under the auth profiles I see sequence # and different object types, object IDs and different evaluation paths…so when we assign an auth profile to the user how does all this come into play? Like in your example above the profile Manager has so many entries and if a user A is assigned the profile Manager then what evaluation path does this user get access to? Thanks

    1. While defining PD profiles through OOSP, please remember that each line (sequence numbers 1, 2, 3) are independent of each other. Each line will give access to the objects returned by the evaluation path mentioned under it.

  4. Well my question is or maybe i m still confused that when we assign the auth profile to the user then which auth profile (which one from the sequence) is assigned? Thanks

    1. If you take the example of MANAGER profile, its a single profile with a number of independent lines in its definition. So every line in the sequence will be independently assigned to user, once MANAGER is assigned to user in OOSB.

  5. Hi,
    I am facing a peculiar issue with PD profiles. as per business requirements, I have used 2 evaluation paths.
    1. O-O-S-P (display only for US)
    2. ZU-O-S-P (for IT department only)

    ZU = business line( like HR , IT)
    O = Org units like US EMEA AUS
    I wanted them to work together and I can give a person access to only IT
    only in US. However, it doesnt work that way. The user is able to access all ZU-O-S-P which means he can change Orgs for India also.
    Any suggestions ?

    1. Check if the evaluation paths are working correctly. Transaction PPST is a good place to check this. If evaluation path needs to be corrected you would need to get in touch with OM consultants.

      1. I have the issue resolved by using P_ORGINCON object. PPST and PPSS are very useful tcodes for checking the evaluations . Thank you very much for your help and this great blog you are running.

  6. Aninda,
    what is the difference between ALL PD Profile and having * in P_ORGINCON for Structural Profile.

    In our client, for some people just having ALL in P_ORGINCON does not work. But when replaced with * in P_ORIGINCON.

    any idea why it is happening like this?

    1. Please read through “http://www.sapsecuritypages.com/auth-switches-dfcon-orgpd/”. The difference is subtle and depends on a number of factors.

    1. If you have table logging set up in your SAP environment, you can look at the changes for the T77PR customizing object in transaction OY18 or SCU3. Thanks….Aninda

Leave a Reply

Your email address will not be published. Required fields are marked *