HR Security

HR Security

Nitin Sandal

Introduction 

A company’s employees are its most important resources



The Human Resources Department is responsible for: – – – –

Attracting Hiring Rewarding Terminating

employees 

The importance of HR processes to all functional areas has led to the use of the term Human Capital Management (HCM) to describe them

Human Resources with ERP 

Managing a company’s human capital is information intensive



Electronic storage of data greatly simplifies the retrieval of important data



The SAP HR module provides tools to: – – – – – –

Manage an organization’s structure, job roles and responsibilities, and definitions Personal employee information Time management Payroll Travel management Employee training

Organizational Management 

Most companies have an organizational chart or plan to help define an individuals responsibilities in the organization



With ERP, the organizational chart provides a structure to support additional tasks



SAP R/3 provides an Organizational and Staffing Plan tool to define a company’s management structure and define positions within the organizational structure



The plan can also define the individuals that hold each position

Organizational Management 

Organizational Units describe the different departments / divisions / business processes within a company.



Positions are actual placements held by an individual. There is a one to one relationship between an employee and the position he or she holds. It is typical that the employee inherits most of his or her organizational assignment attributes through the position since most of the structures in Personnel Administration are mapped into the position, not the employee directly.

Orgnizational Units

Positions Person holding position

Manager’s Desktop 

The SAP HR Module provides the Manager’s Desktop, a tool that provides access to all Human Resource data and transactions in one location



Human Resource data is very sensitive, so controlling access is critical



With an integrated information system, controlling access is simplified as a range of authorization tools are available

Advanced SAP HR Features 

Time Management –

   

Cross Application Time Sheets (CATS) record employee working times and provide data to controlling (CO), Payroll and Production Planning (PP).

Payroll Management Travel Management Training and Development Succession Planning

Authorisation Concept  Standard

 Structural

Authorizations

Authorizations

Standard Authorization User User Master Record

Composite Role

Role Profile

Role

Composite Role

Authorisation

Authorisation Object

Field & Values

Fields

Key Authorization object for HR 

P_ORGIN – HR: Master Data : This authorization is used to restrict access to personnel master data –

     

The authorization level field specifies the access mode. The following authorization levels exist:

R (Read) for read access M (Matchcode) for read access to input helps (F4) W (Write) for write access E and D (Enqueue and Dequeue) for write access using the Asymmetrical Double Verification Principle. E allows the user to create and change locked data records and D allows the user to change lock indicators. S (Symmetric) for write access using the Symmetric Double Verification Principle * always includes all other authorization levels simultaneously

Key R/3 HR Terms 

User Master Record stores key user information like user name, name, address, authorization profiles and activity groups.



Roles/Activity Groups are used to choose a menu of transactions and create the corresponding authorization profile. After this, the activity group can be assigned to a user through an organization unit or position (Object type AG).



InfoTypes are units of information in the Human Resource Management System. Recording employee data for administrative, time recording, and payroll purposes is of primary importance for master data administration in HR. In the SAP System, the information units used to enter master data are called infotypes –

Infotype 105 is the employee’s communication ID for a certain type of communication (e.g. R/3 System, Internet).

–

Infotype 1001 is the collection of different type of relationships that are used to described the relationship between position and it’s attributes (e.g. Personnel Number, Activity Groups).

Key Authorization object for HR 

P_ORGXX HR: Master Data - Extended Check –



The authorization object HR: Master Data - Extended Check is used during the authorization check on HR infotypes. The checks take place when HR infotypes are edited or read.

P_PERNR HR: Master Data - Personnel Number Check –

–

You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures. The following values are possible for the PSIGN field:  

I = Authorization for personnel number assigned, that is for own personnel number E = Authorization for all personnel numbers excluding own personnel number

Key Authorization object for HR 

P_PCR - This authorization object is used by the authorization check for the payroll control record.



P_PYEVRUN - You can use this authorization object to control the actions possible for posting runs.



P_PYEVDOC - You can use this authorization object to protect actions on posting documents.



P_TCODE - Access authorization to payroll schemas (transaction PE01) and personnel calculation rules (transaction PE02) is granted by authorization for the HR: Transaction Code authorization object.

New Authorisation Objects 

P_ORGINCON (HR: Master Data with Context) : 



P_ORGXXCON (HR: Extended Check with Context): 



Authorization Object that is used during the authorization check for HR data. This check takes place when HR infotypes are edited or read. You can map user-specific contexts in HRMaster Data using P_ORGINCON.

The authorization object P_ORGXXCON consists of the same fields as P_ORGXX and has been expanded to include the PROFL field.

P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context) : 

If you have requirements that cannot be mapped using the P_ORGINCON and P_ORGXXCON authorization objects and if you want to implement the context solution, you can include an authorization object in the authorization checks yourself.

Four Ways to Assign Roles In SAP Security



PO10 - assigning activity groups via organizational units



PO13 – assigning activity groups directly to the position



SU01 – assigning activity groups directly to the User Master Record



PFCG – assigning a user directly to a activity group

Structural Authorizations 

Structural authorizations are used to grant access to view information for personnel where HR has been implemented.



Access is granted to a user implicitly by the user’s position on the organizational plan.



Structural authorizations are not integrated into the standard authorization concept and structural authorization profiles are not the same as standard authorization profiles.

Structural Authorizations 

Unassigned Users: User IDs that have been linked to a Personnel Master Record via Infotype 105 MUST be assigned a structural authorization profile regardless of whether they are assigned to a node on the organizational plan or not.



There is no way to trace structural authorization checks, and structural authorization checks that fail do not show in SU53.



Structural authorization profiles are not related to standard security profiles in any way.

Structural Authorizations 

A user’s Overall Profile is determined from the intersection of his or her structural and general authorization profiles, when you use both structural and general authorizations.



The structural profile determines which object in the hierarchical structure the user has access to, the general profile determines which object data (infotype, subtype) and which type of authorization (Read, Write, ...) the user has for these objects. The access mode for authorization objects in HR Master Data is determined in the AUTHC field (Authorization Level).

Brief steps to do Structural Authorization



Step1 : TC OOAC (table T77S0) To Activate the Structural Authorization switch



Step 2 : TC OOSP To Create Structural Authorization profiles



Step 3 : Assign Structural Authorization profile to user Id –

TC : SE38 and assign report RHRPROFL0 enter object id for example ( Org unit )