
restrict user to view certain org unit in the org chart

Former Member
0 Kudos

Hi

I have many company org charts on the same org chart; how can I restrict users to view only their company org chart?

Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

you can use structural authorizations

Former Member
0 Kudos

what is structural authorisation and how can I go about using this?

Former Member
0 Kudos

We can use structural authorizations for more specific authorization checks (this is separate from security/basis authorizations).

We can configure the table T77UA (User Authorizations = Assignment of Profile to User) to assign structural profiles.

for more info refer the link

http://help.sap.com/erp2005_ehp_03/helpdata/en/34/49ba3b3bf00152e10000000a114084/content.htm

this below link helps you to configure

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c0a19aba-15f2-2c10-a6b0-ccd121447...

hope this helps you

Edited by: Piscian . on Jul 11, 2011 11:32 AM

Former Member
0 Kudos

Hi

Using Structural authorization you can restrict a user based on his org unit.

R K

Former Member
0 Kudos

Hi,

We can restrict a user to access one particular Org Unit by using the Structural Authorizations concept.

An HR Consultant can do this without a BASIS Consultant.

Configuration Steps

SPRO --> IMG --> PER MANAGEMENT --> ORG MANAGEMENT --> BASIC SETTINGS --> AUTHORIZATION MANAGEMENT --> STRUCTURAL PROFILES

Here we need to configure the Structural Profiles

There are two ways for assigning the profile.

1/ By assigning the Profile to the USERNAME (Table - T77UA / TCode - OOSB)

2/ By assigning the profile to the Position (In OM)

Revert if you have any questions

Good Luck...!

KK

Former Member
0 Kudos

must i set ORGPD to 1 in t-code OOAC in order for structural authorisation to work?

Former Member
0 Kudos

Hi

FYI

Introduction

In Human Resources, authorizations play a significant role since access to HR data must be strictly controlled. There are two main ways to set up authorizations for SAP Human Resources: You can set up general authorizations that are based on the SAP-wide authorization concept or you can set up HR-specific structural authorizations that check by organizational assignment if a user is authorized to perform an activity.

The structural profile determines which object in the organizational structure the user has access to.

The general profile determines which object data (infotype, subtype) and which access mode (Read, Write, ...) the user has for those objects.

In contrast to general authorization profiles, which are assigned using the Profile Generator (PFCG transaction), you use table T77UA (User Authorizations = Assignment of Profile to User) to assign structural profiles.

Structural profiles use the data model of the Organizational Management to build hierarchies using objects and relationships.

Steps to implement Structural Authorization

Let's take a business scenario to understand how structural authorization works. The scenario is as follows:

User SMITH is the chief of org. unit 00000220 "Executive Board – Italy" and he should be allowed to access data of those employees who belong to this org. unit.

The following section will tell you how this requirement can be addressed in SAP using structural authorization.

1. Step1: Maintain structural authorization profile in view T77PR

By entering a specific evaluation path (O-S-P in this example) in the field 'Eval. Path', you can determine that the user is only authorized to access objects along this evaluation path.

Evaluation paths "collect" objects from a start object in an existing structure according to their definition: The definition of an evaluation path determines the start object and which object types using which relationships are selected. Few more fields which you can enter in this view:

a. Period - In this field, you can define the profile according to the validity period of the structure. You can enter the following options: Key date, all, and different periods such as current year, current month and so on. If you select the entry D (current day), the structural authorization is limited to the structures valid on the current day.

b. Function Module - You can use this field to specify a function module that determines the root object dynamically at runtime.

The advantage of using function modules is that each time you define an authorization profile, the function module generates a user-specific profile for each user at runtime.

If a manager changes department, for example, the corresponding profile in the T77PR table (Definition of Authorization Profiles) does not need to be changed.

[Screenshot callouts: O stands for Org Unit; Org Unit Id (Root object)]

Following function modules are delivered in the standard system:

- RH_GET_MANAGER_ASSIGNMENT (Determine Organizational Units for Manager)

- RH_GET_ORG_ASSIGNMENT (Organizational Assignment)

c. Depth (Display Depth)

You can use this field to determine which level of a hierarchical structure a user is authorized to access.

2. Step2: Assign structure authorization profile to user in view T77UA

Impact of Structural Authorization on SAP HR Transactions

u2022The below screen shows the complete organization hierarchy of an organization using transaction PPOME.

Figure1: Complete Organization hierarchy for a IDES company

u2022When user SMITH logs on to the system and looks for the organization hierarchy using transaction

PPOME, it will look like as show below.

Figure2: Organization hierarchy for organization unit 00000220

You can easily notice that SMITH can only view organization hierarchy for organization unit 00000220 and not the complete organization hierarchy. Org hierarchy of org. unit 00000220

u2022When user SMITH tries to look for master data for personnel no. 1, he will get an error as shown in

the screen-shot below. Reason: Personnel no. 1 is not a part of org hierarchy 00000220.

Figure3: HR Master Data screen

u2022User SMITH will get an error if he wants to read employee 00000001 data using FM u201CHR_READ_INFOTYPEu201D as shown in the screen-shot below.

Figure5: Function module execution via SE37 transaction

u2022When user SMITH tries to look for details of position 50006025, he will get an error as shown in the screen-shot below. Reason: Position 50006025 is not a part of org hierarchy 00000220.

Figure4: Screen to maintain PD Objects

BADI for HR Authorization Checks

You can implement a customer-specific test procedure for general and structural authorization checks using a Business Add-In (BADI). The BADI for the structural authorization check is called HRBAS00_STRUAUTH.

Regards,

Prasad
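An added example, not part of the original post and not SAP code: a simplified Python model of how a structural profile with root object 00000220 and evaluation path O-S-P yields the set of objects SMITH may access, with everything outside that set denied. Org unit 00000220, position 50006025 and personnel no. 1 come from the post; all other IDs, the relationship data and the depth convention (0 = unlimited, root = level 1) are assumptions made for the illustration.

```python
from collections import deque

# Simplified O-S-P evaluation path: (source type, relationship, target type).
EVAL_PATH_O_S_P = [
    ("O", "B002", "O"),  # org unit is line supervisor of org unit
    ("O", "B003", "S"),  # org unit incorporates position
    ("S", "A008", "P"),  # position has holder (person)
]

# Constructed sample relationships: (source object, relationship, target object).
RELATIONS = [
    (("O", "00000220"), "B002", ("O", "00000221")),
    (("O", "00000220"), "B003", ("S", "50000100")),
    (("S", "50000100"), "A008", ("P", "00001000")),
    (("O", "00000221"), "B003", ("S", "50000200")),
    (("S", "50000200"), "A008", ("P", "00002000")),
    # A different org unit (constructed ID) holding the objects SMITH must not see.
    (("O", "00000300"), "B003", ("S", "50006025")),
    (("S", "50006025"), "A008", ("P", "00000001")),
]

def collect_objects(root, eval_path, relations, depth=0):
    """Collect every object reachable from root along the evaluation path.

    depth=0 means unlimited; otherwise the root is level 1 and objects
    below level `depth` are not collected (assumed convention).
    """
    allowed = set(eval_path)
    level_of = {root: 1}
    queue = deque([root])
    while queue:
        obj = queue.popleft()
        if depth and level_of[obj] >= depth:
            continue  # do not descend below the permitted level
        for src, rel, dst in relations:
            if src == obj and (src[0], rel, dst[0]) in allowed and dst not in level_of:
                level_of[dst] = level_of[obj] + 1
                queue.append(dst)
    return set(level_of)

def is_authorized(profile, obj):
    """Default deny: only objects collected from the profile's root pass."""
    return obj in collect_objects(profile["root"], EVAL_PATH_O_S_P,
                                  RELATIONS, profile["depth"])

# Hypothetical profile record for SMITH: root object plus display depth.
SMITH = {"root": ("O", "00000220"), "depth": 0}
```

When reviewing a profile, the useful check is the reverse one: list what `collect_objects` returns for each root and confirm that no object from another company's branch appears in it.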

Former Member
0 Kudos

If this is implemented in production for some time and later the user decides not to have this check, how easy is it to revert back? Do I just remove the user from T77UA?

Former Member
0 Kudos

If I have implemented this in production for some time, and the user finds it very troublesome, can I still revert back to not checking structural authorisation?

Former Member
0 Kudos

Hi

Do i need to configure anything in t-code OOAC?

Former Member
0 Kudos

hi

It is not just switching the switches on or off.

It is an effort to implement it and the same effort to delete it, as the system needs other authorizations if you remove this.

R K

Former Member
0 Kudos

Hi

Do you know what additional authorisations are required to turn it on?

Former Member
0 Kudos

Hi

Must I execute this program RHPROFL0 after I assign a profile to user?

Former Member
0 Kudos

Hi

I managed to set up the structural authorisation, but I encounter some authorisation issues and am unable to trace them through SU53. Can anyone please advise how to trace the missing authorisation?

0 Kudos

Hi Prasad, Implemented the same with Org unit ID.., but unable to maintain Masterdata for the same org unit also..Can u pls throw some info on this.. Regards Krishna