Skip to Content

Help in implementing SAP HCM Structural authorizations

Hi Folks,

My client was having SAP ECC with FICO modules and recently client went live with SAP HCM with OM,PA,TIME,PAYROLL and BENEFITS Modules.(HCM in the same system) During Go live we were using standard SAP Authorizations.

 

Now they wanted to Go for Structural authorizations. I am looking for some inputs on below.  We are using P_ORGIN Auth object for current security.

   

The FI users are 900 and HR users are around 100. What will be the impact on the FI users if I activate structural authorizations,as SAP HCM module also installed in the same ECC system along with FICO.

Because I read, If we don’t assign structural profiles to a user than they will get SAP* user profile. What does this mean?

What is the best practice to assign a structural profile to a user Directly via OOSP or via IT1017?

What are best practices in implementing structural authorizations.

If anybody having recent detailed step by step guide for structural profiles(Other than Norm & Carl), please share.

Regards,

K R

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    May 21, 2013 at 12:39 PM

    Hi,

    If you activate the Structural Authorizations, it will have an impact on the HR module but also on the FI module on the HR related objects, meaning all OM and PD objects.

    Technically it will impact all obejcts P_ORGIN or PLOG. When you activate the structural authorization, P_ORGIN should be replaced/completed by object P_ORGINCON. You'll need to change the authorization flags (transaction OOAC).

    Those new settings will only apply for the users specified as "structural users". Users that are saved in table T77UA (and T77UU) or transaction OOSB. If a user is not in this table, he will use the settings of the user "SAP*" that same table (user having "ALL" profile).

    You'll also need to define structural profile (who can access which object) that will use evaluation paths like in OM.

    Useful transaction is "HRAUTH". This is giving a summary of the config but also the specifics of a user.

    Those links could help you:

    Best regards,

    Jonathan

    Add comment
    10|10000 characters needed characters exceeded

    • Hi Jonathan,

      Thanks for your valuable comments.

      As long as there is no overlapping between the users responsibility I think we can use P_PRGIN object..

      Can we use both P_ORGIN and  P_ORGINCON, and what are the considerations should we take.

      I am little confused by statement

      _______________________________________________________________________________

      Those new settings will only apply for the users specified as "structural users". Users that are saved in table T77UA (and T77UU) or transaction OOSB. If a user is not in this table, he will use the settings of the user "SAP*" that same table (user having "ALL" profile).

      ----------------------------------------------------------------------------------------------------------------------------------

      What does it mean "a user not in the table T77UA, will have user SAP* Settings.

      Is that mean user can access complete system without any restrictions, like assigning a SAP_ALL Profile to a user Or the user will have complete access to overall org structure? Please clarify.

      In my system we have 1000 users(900 FI and 100 Hr), If I assign structural profiles to all 100 HR users, what will be the impact on remaining 900 FI users. Do I need to create a dummy profile and assign to all 900 FI users as well.

      and what is the best practice in assigning a structural profile via OOSB or via IT1017.

      Please provide inputs on requested.

      Hi,

      If you'll use structural authorizations this will be together with the regular HR authorizations.

      The system will check if you can access for example infotype 0002 of a pernr (object P). You'll need to have the correct P_ORGINCON object in your role/profile but also this P listed in your structural access. If one of the 2 is missing, then you'll not have access...

      When you'll activate the structural flag, then P_ORGINCON object will be checked for everybody.

      Diffrence between P_ORGIN and P_ORGINCON is that P_ORGINCON has one more field "PROFL" which is the related structural profile.

      So you'll need to adapt all the roles containing P_ORGIN objects.

      Structural profile and users are linked via table T77UA (or TC OOSB). The system goes ALWAYS check in this table, even if you're not defined in there. If your user is not found, the system takes the defaut entry "SAP*" related to the profile "ALL" which is allowing to access all object through PLOG and P_ORGINCON. Meaning that regular HR authorizations would still be applied (not like SAP_ALL).

      I manage the structural profiles via OOSB. So that all the others are OK.

      No dummy profiles are needed. But you'll have to review FI roles have P_ORGIN objects.

      And you should pay attention, if a user is both working on FI and HR...

      Best regards,

      Jonathan

  • avatar image
    Former Member
    May 23, 2013 at 04:18 AM

    Hi K R ,

    Structural authorizations using the T77PR table.

    use the T77UA table (User Authorizations = Assignment of Profile to Users),which are assigned using the Profile Generator (PFCG transaction), you use table T77UA (User Authorizations = Assignment of Profile to User) to assign structural profiles.

    Structural profiles use the data model of the Organizational Management to build hierarchies using objects and relationships.

    Thanks

    Siva

    Add comment
    10|10000 characters needed characters exceeded