Structural Authorizations

Structural Authorizations, as the name suggests, are used to restrict access to a certain organizational structure. As such, they are only used while accessing HR data. In general, structural authorizations serve two purposes:

  • Restrict access to certain OM objects like Org Units, Jobs, Tasks, Qualification Catalogs etc.
  • In interaction with the access to authorization objects for PA master data, they can restrict access to a certain set of persons in the enterprise.

While using structural authorizations, it’s important to note that:

  • A person’s total authorization is a result of the interaction between his general authorizations (through roles) and his structural authorizations (through PD profiles).
  • Secondly, structural authorizations are always used to restrict access. You can never use structural authorizations to grant access. They can only be used to restrict access to a smaller set of objects or people than is already given through general authorizations.
  • While using structural authorizations to restrict access, we need to ensure that access to the corresponding objects is also added to the user’s roles through PLOG.
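
The interaction in the list above, as an added example that is not part of the original article and is not SAP code: a simplified Python model in which access requires both the role check (PLOG for OM objects, a P_ORGIN-style check for persons) and the PD profile check. The org structure, personnel areas, role and profile values are constructed, and reducing an evaluation path to type-to-type hops is an assumption made for illustration; a profile line with only an object type is treated as covering all objects of that type.

```python
# Simplified model of the rule described above; illustrative only, not SAP code.
# Constructed sample org structure: parent object -> related child objects.
ORG = {
    ("O", "1000"): [("O", "1100"), ("S", "5001")],
    ("O", "1100"): [("S", "5002"), ("S", "5003")],
    ("S", "5001"): [("P", "0001")],
    ("S", "5002"): [("P", "0002")],
    ("S", "5003"): [("P", "0003")],
    ("O", "2000"): [("S", "6001")],
    ("S", "6001"): [("P", "0009")],
}
# Constructed personnel areas, used to model a P_ORGIN-style general check.
PERS_AREA = {"0001": "US01", "0002": "US01", "0003": "DE01", "0009": "US01"}
# Assumption: an evaluation path is reduced to the type-to-type hops it follows.
EVAL_PATHS = {"O-O-S-P": {("O", "O"), ("O", "S"), ("S", "P")}}

def walk(root, hops):
    """Return every object reachable from root along the allowed hops."""
    seen, stack = {root}, [root]
    while stack:
        node = stack.pop()
        for child in ORG.get(node, []):
            if (node[0], child[0]) in hops and child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def structural_allows(pd_profile, obj):
    """pd_profile is a list of lines: (object type, root object ID, eval path)."""
    for otype, root_id, path in pd_profile:
        if root_id is None:
            # Line with only an object type: all objects of that type.
            if obj[0] == otype:
                return True
        elif obj in walk((otype, root_id), EVAL_PATHS[path]):
            return True
    return False

def effective_access(role, pd_profile, obj):
    """General authorization AND structural authorization must both pass."""
    if obj[0] == "P":
        general = PERS_AREA.get(obj[1]) in role["P_ORGIN"]
    else:
        general = obj[0] in role["PLOG"]
    return general and structural_allows(pd_profile, obj)

MANAGER_ROLE = {"PLOG": {"O", "S"}, "P_ORGIN": {"US01"}}
MANAGER_PROFILE = [("O", "1100", "O-O-S-P")]
```

Person 0003 sits under the profile's root but is outside the role's personnel area, so the structural profile alone does not grant access; person 0009 passes the role check but lies outside the structure, so the profile removes it.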

Since we have already extensively discussed security roles and their assignment, we will use the next few articles to describe PD profiles and their assignment.

15 thoughts on “Structural Authorizations”

  • January 20, 2011 at 4:57 am
    Permalink

    I have been involved in 2 projects with structural Authorization.
    Both had to do with ESS/MSS
    Restricting certain Managers from seeing data of another group, etc.
    Would you happen to have some documentation on SA or how to set it up step by step and a sample of a configuration or real project?
    Am loving your website…..

    Reply
  • January 20, 2011 at 5:19 am
    Permalink

    Can you recommend any reading material on structural authorization –
    The way you have explained the concept makes 100% sense. Please can you recommend a good book or source of info on this topic?
    It’s as if I am thirsty for knowledge.

    Reply
    • January 20, 2011 at 1:34 pm
      Permalink

      Hi BlackPro,

      SAP-Press has quite a few books which cover structural authorizations. “Authorizations in SAP ERP HCM” is one of them. You can also google “structural authorizations step by step”. You will discover quite a few resources. Some usual suspects are sap.help.com and sap sdn. If you are looking for formal training, you can sign up for the SAP course “HR940”. It covers all aspects of HR security.

      Regards,
      Aninda

      Reply
  • September 17, 2012 at 6:51 am
    Permalink

    Hi Aninda,

    I have noticed that there are some lines in a structural auth profile for object types R, G, H, KI, KU without any ObjectID, Eval path, function module or any others.

    I would like to know what it means and why are some Object types included with no additional values. Pls help.

    Thanks,
    Dev

    Reply
    • September 17, 2012 at 7:44 am
      Permalink

      Hi Venkat,

      The lines in the PD profile with just the object type specified denote that this profile gives access to all values for this object type.

      Regards,
      Aninda

      Reply
  • October 3, 2012 at 4:08 pm
    Permalink

    Hi, we are implementing structural authorizations and it’s working perfectly for managers, but employees are unable to see any data, not even their own data.

    We are using get manager function module for managers and get org assignment for users.

    Under eval path I have given O-O-S-P for both manager and user profile.

    When I gave * in user’s role for profile field in P_ORGINCON it works fine.

    Please suggest if I am doing something wrong.

    We basically want to do it using func modules.

    Reply
    • October 7, 2012 at 10:06 pm
      Permalink

      Hi Dave,

      Do you mean that managers can view data for their reports but users can not view their own data?

      Access to users’ own data is controlled through P_PERNR. You don’t need to use a PD profile for controlling access to own data.

      You should also check if the access issues are for users’ own default position or users trying to access other folks on default position? Your statement about * in PROFL in P_ORGINCON suggests this as one of the potential problems. Access to employees on default positions is controlled through the DFCON auth switch. There is a separate blog post here which talks about the various values for this flag and their impact.

      Regards,
      Aninda

      Reply
  • October 10, 2012 at 1:04 pm
    Permalink

    Hi,

    I am trying to use function module RH_GET_Person_FROM_USER to get the personnel number of a user so he can get access only to his pernr in the structural authorizations.

    When I go to se37 and test the function module it is working fine. But when I try to use it in structural profile, it’s not giving output when the user tries to view his data in PA20. I think I am using wrong evaluation paths. I tried P-S-O and A008, but no luck. It will be great if you can point me in the right direction. I am not sure what is the actual relationship type between Person and user (between P and US object types).

    Reply
    • October 13, 2012 at 8:52 pm
      Permalink

      If RH_GET_Person_FROM_USER just returns the pernr from the user id, you do not need any evaluation path or relationship in the PD profile definition. Just set the object type as P and FM as RH_GET_Person_FROM_USER.

      Reply
  • December 12, 2012 at 4:37 pm
    Permalink

    Hi Aninda,
    Do you need to implement structural authorization as a prerequisite for indirect role provisioning? I do not think so, especially when users are not executing HR T-CODES at my new client’s. I know the Org structure is a must but not sure if users need PD profiles in T77UA (OOSB). Do you think I should create the “ORGANIZATION” PD profile using a FM, as the client has a budget for HR implementation in 4 months but not presently?
    Please advise.

    Reply
  • November 12, 2013 at 3:35 am
    Permalink

    Hi Aninda

    I would like to know if we can enforce structural authorization on Finance objects like Company code in any way. Is there a possibility to extend structural authorization to non HR objects.

    I mean when a user is trying to run FBVB or something, instead of creating derived roles with company codes for each, I want to know if we can make company code HR relevant and use a custom functional module to check from a table which user has access should be granted access to which company code.

    Thanks,
    Chandra

    Reply
  • December 20, 2013 at 8:37 am
    Permalink

    Hi Aninda,

    I am trying to Map Evaluation path for Structural profiles.

    Path to Map:
    Where can I see the user’s evaluation path?
    The easiest and most complete way to check a specific user’s evaluation path is on transaction code HRAUTH.
    There you can find all the Structural Profiles assigned to this user, and the evaluation paths mapped to those profiles.
    Transaction HRAUTH > tab ‘User Specific’ > enter username > button ‘Structural Profiles’:

    You can find all Evaluation Paths on the system on transaction code OOAW (or table T77AW).
    Select a specific evaluation path and click on ‘Evaluation path (individual maintenance)’ for further details on each evaluation path.

    This can be done on transaction code OOSP.
    This transaction is responsible for Structural Profiles maintenance.
    Select a specific structural profile and click on ‘Evaluation path (individual maintenance)’ for further details on each structural profile, including its evaluation path.

    After completing these steps.. I went and checked in Organization and Staffing,

    It says “No evaluation Path assigned for Structural evaluation”

    What could be the problem??

    Please help…

    Thanks,
    Prathibha

    Reply
    • January 13, 2014 at 3:19 pm
      Permalink

      Sorry, you lost me at the line “After completing these steps.. I went and checked in Organization and Staffing”. Please note that all PD profiles need an evaluation path.

      Reply
  • May 1, 2014 at 1:58 pm
    Permalink

    Hi. I hope you can help me with this. I am new to HCM, and in the process of creating roles for our HR users. I want to allow a group of users access to display all employee types, but only update hourly employees. I can’t seem to find the authorization object that allows this. Can you help?
    Thanks — J

    Reply
    • June 5, 2014 at 9:12 am
      Permalink

      Hi Jeri,

      The key to solving this is to understand how hourly employees are classified in your system. Typically hourly employees will be a separate employee group/subgroup. If this holds true for your client, you can use P_ORGIN or P_ORGINCON for restricting access.

      Thanks,
      Aninda

      Reply
