cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Guidance on HCM structural authorizations

Go to solution
RUDAVATH
Explorer

on ‎06-10-2013 5:04 PM

0 Kudos

Hi All,

Currently we are using standard role based security for HCM system(SAP ECC 6.), and client wants to go for Structural authorisation.

Current set up is like below.
Authorization object is - P_ORGIN

and Authorisation switch Values(OOAC) are like below

AUTSW ADAYS 15 HR: Tolerance Time for Authorization Check
AUTSW APPRO 0 HR: Test Procedures
AUTSW DFCON 1 HR: Default Position (Context)
AUTSW INCON 0 HR: Master Data (Context)
AUTSW NNCON 0 HR:Customer-Specific Authorization Check (Context)
AUTSW NNNNN 0 HR: Customer-Specific Authorization Check
AUTSW ORGIN 1 HR: Master Data
AUTSW ORGPD 0 HR: Structural Authorization Check
AUTSW ORGXX 0 HR: Master Data - Extended Check
AUTSW PERNR 0 HR: Master Data - Personnel Number Check
AUTSW XXCON 0 HR: Master Data - Enhanced Check (Context)

I need some help/Guidance on below.

1 We have employees with default positions 9* and do not have any organizational assignment(in IT0001), what switch should I enable and what should be the value(I have gone through the documentation alreadyt, but I need recommendation).in order to get the report on these employees

2 We have Employees with Positions starting 8* and 7* and do not have any organizational assignment(in IT0001), as these employees are not assigned with SAP default positions, how do I handle this in order to get the report on these employees. Is any body having similar situtation and what are the best practices are followed (Like usage of BADIs and Function Modules etc).

3. can authorisation switches DFCON and ORGPD can be enabled at the same time?

4. Whether DFCON will work along with P_ORGIN, because I did some testing but seems to be not working.

Responses will be highly appreciated and correct recommendations will be rewareded.

Thanks alot in advacne.

Regards,
R K

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

paul_davidson
Active Contributor
‎06-10-2013 9:16 PM
0 Kudos

Hi R K,

Structural authorizations are in addition to the P_ORGIN authorizations and modify them when you utilize P_ORGINCON.  With this authorization object there is an additional field to add in the structural authorization.  You can also use structural authorizations such as RH_GET_MANAGER_ASSIGNMENT to limit managers to view only the organizations that report to them.   

I do question why you have so many positions that are not in the org structure.  Who do these individuals report to?  If they report to someone in the structure, they should be added to that organizational unit.  Also Position # 99999999 should be utilized only for terminated employees, those no longer in the reporting structure.  Sounds like you have a number of employees without any organizational assignment.  Not sure how or why you are doing this.  In order to properly utilize structural authorizations, you should have everyone in the structure. 
As to your T77S0 settings, if you implement structural authorizations, then AUTSW ORGPD must be "1".  If you still have a number of employees not in the structure then you should have AUTSW DFCON set to "1", "2", "3" or "4" depending on your situation (See the F1 Help for details). 

In all, I would recommend making sure your org structure is set up properly before beginning with the structural authorizations.

Paul

Show replies
Show replies
RUDAVATH
Explorer
‎06-11-2013 10:40 PM
0 Kudos

HI Paul,

Thanks for the reply.

I checked with business why they have different kind of positions in the system like 8* and 7* etc.

The answer is that they created such positions for reporting purpose, and second thing these 8* and 7* positions don't report anybody in the system.

Here when ever employee gets retired they are assigned with 8* positions, which are meant for retirees. and we have advisors who are assigned with 7* positions. Both these groups do not have any org units assigned(IT0001).

Still client needs report on them via structural auths, I am not sure how can I archive this.

regarding the T77SO settings, I Knew that AUTSW ORGPD = 1 will enable the structural authorization. But what will happen to the SAP Default positions i.e 9&*, because I am not getting any report on them via structural profiles. system is ignoring them.

Can I use AUTSW DFCON along with P_ORGIN Auth object, ( If I have a number of employees not in the structure then you should have AUTSW DFCON), I think AUTSW DFCON and ORGPD should not be used simultaneously. and we should use DFCON along with P_ORGINCON only.

What should be the ORGPD value in order to pick employees with SAP Default positions, with and without ORG Assignment in IT0001.

Thanks

R K

paul_davidson
Active Contributor
‎06-12-2013 2:17 PM
0 Kudos

Hi R K,

The standard SAP recommendation is to use the Status "2" for Retirees.  This enables you to report on them by selecting the status.  Having them in positions with no structure makes it difficult to provide "structural authorizations" as requested by your client.  Structural authorizations only limit who a person can see and report on.  You did not describe how the business wants to report on the retirees or advisors and what access limits they want to apply. 

My recommendation would be to create a Function Module to select these retiree positions and a separate one for the advisor positions and set this up in T77PR.  Alternative would be to create a relationship to a Job so every 8* position has the same (or a few) Job(s) and every 7* position had another Job.  Then you could create a C-S-P evaluation path and use these few Job objects as entries in T77PR.   Alternative suggestion could be to create an Org Unit (Retiree Org) and put all retiree positions in that org and another org (Advisor Org) for all advisors (use evaluation path O-S-P).  Since you do not want to have to list every position, you should try to group them under another object if possible. 

We identify our Contractors by Employee Group and assign them to positions in the structure with the manager responsible.  Our retirees are also identified by Employee Group thus enabling authorizations and reporting on the EE Group without requiring structural authorizations.

As to the AUTSW settings, depending on what you come up with as a final solution would determine your settings.  You do need to have AUTSW  ORGPD and AUTSW INCON set to "1" if using P_ORGINCON.  AUTSW DFCON should be set to "4" if you want to allow access by default to positions not in the structure and "3" if you do not want to allow access by default.  DFCON setting has no effect on whether to use P_ORGINCON.  Please refer to the documentation for each switch.

Paul

Answers (0)

Ask a Question