HR Security
Nitin Sandal
Introduction
A company’s employees are its most important resources
The Human Resources Department is responsible for attracting, hiring, rewarding and terminating employees
The importance of HR processes to all functional areas has led to the use of the term Human Capital Management (HCM) to describe them
Human Resources with ERP
Managing a company’s human capital is information intensive
Electronic storage of data greatly simplifies the retrieval of important data
The SAP HR module provides tools to:
– Manage an organization’s structure, job roles and responsibilities, and definitions
– Personal employee information
– Time management
– Payroll
– Travel management
– Employee training
Organizational Management
Most companies have an organizational chart or plan to help define an individual’s responsibilities in the organization
With ERP, the organizational chart provides a structure to support additional tasks
SAP R/3 provides an Organizational and Staffing Plan tool to define a company’s management structure and define positions within the organizational structure
The plan can also define the individuals that hold each position
Organizational Management
Organizational Units describe the different departments / divisions / business processes within a company.
Positions are actual placements held by an individual. There is a one to one relationship between an employee and the position he or she holds. It is typical that the employee inherits most of his or her organizational assignment attributes through the position since most of the structures in Personnel Administration are mapped into the position, not the employee directly.
[Figure: organizational chart showing Organizational Units, Positions, and the person holding each position]
Manager’s Desktop
The SAP HR Module provides the Manager’s Desktop, a tool that provides access to all Human Resource data and transactions in one location
Human Resource data is very sensitive, so controlling access is critical
With an integrated information system, controlling access is simplified as a range of authorization tools are available
Advanced SAP HR Features
Time Management
– Cross Application Time Sheets (CATS) record employee working times and provide data to controlling (CO), Payroll and Production Planning (PP).
Payroll Management
Travel Management
Training and Development
Succession Planning
Authorisation Concept
[Figure: the authorisation concept, divided into Standard Authorizations and Structural Authorizations]
Standard Authorization
[Figure: elements of the standard authorization: User, User Master Record, Composite Role, Role, Profile, Authorisation, Authorisation Object, Fields & Values]
Key Authorization object for HR
P_ORGIN – HR: Master Data: This authorization is used to restrict access to personnel master data
The authorization level field specifies the access mode. The following authorization levels exist:
– R (Read) for read access
– M (Matchcode) for read access to input helps (F4)
– W (Write) for write access
– E and D (Enqueue and Dequeue) for write access using the Asymmetrical Double Verification Principle. E allows the user to create and change locked data records and D allows the user to change lock indicators.
– S (Symmetric) for write access using the Symmetric Double Verification Principle
– * always includes all other authorization levels simultaneously
Key R/3 HR Terms
User Master Record stores key user information like user name, name, address, authorization profiles and activity groups.
Roles/Activity Groups are used to choose a menu of transactions and create the corresponding authorization profile. After this, the activity group can be assigned to a user through an organization unit or position (Object type AG).
InfoTypes are units of information in the Human Resource Management System. Recording employee data for administrative, time recording, and payroll purposes is of primary importance for master data administration in HR. In the SAP System, the information units used to enter master data are called infotypes
– Infotype 105 is the employee’s communication ID for a certain type of communication (e.g. R/3 System, Internet).
– Infotype 1001 is the collection of different types of relationships that are used to describe the relationship between a position and its attributes (e.g. Personnel Number, Activity Groups).
Key Authorization object for HR
P_ORGXX – HR: Master Data - Extended Check
The authorization object HR: Master Data - Extended Check is used during the authorization check on HR infotypes. The checks take place when HR infotypes are edited or read.
P_PERNR – HR: Master Data - Personnel Number Check
You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures. The following values are possible for the PSIGN field:
– I = Authorization for personnel number assigned, that is for own personnel number
– E = Authorization for all personnel numbers excluding own personnel number
Key Authorization object for HR
P_PCR - This authorization object is used by the authorization check for the payroll control record.
P_PYEVRUN - You can use this authorization object to control the actions possible for posting runs.
P_PYEVDOC - You can use this authorization object to protect actions on posting documents.
P_TCODE - Access authorization to payroll schemas (transaction PE01) and personnel calculation rules (transaction PE02) is granted by authorization for the HR: Transaction Code authorization object.
New Authorisation Objects
P_ORGINCON (HR: Master Data with Context):
Authorization Object that is used during the authorization check for HR data. This check takes place when HR infotypes are edited or read. You can map user-specific contexts in HR Master Data using P_ORGINCON.
P_ORGXXCON (HR: Extended Check with Context):
The authorization object P_ORGXXCON consists of the same fields as P_ORGXX and has been expanded to include the PROFL field.
P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context):
If you have requirements that cannot be mapped using the P_ORGINCON and P_ORGXXCON authorization objects and if you want to implement the context solution, you can include an authorization object in the authorization checks yourself.
Four Ways to Assign Roles In SAP Security
PO10 – assigning activity groups via organizational units
PO13 – assigning activity groups directly to the position
SU01 – assigning activity groups directly to the User Master Record
PFCG – assigning a user directly to an activity group
Structural Authorizations
Structural authorizations are used to grant access to view information for personnel where HR has been implemented.
Access is granted to a user implicitly by the user’s position on the organizational plan.
Structural authorizations are not integrated into the standard authorization concept and structural authorization profiles are not the same as standard authorization profiles.
Structural Authorizations
Unassigned Users: User IDs that have been linked to a Personnel Master Record via Infotype 105 MUST be assigned a structural authorization profile regardless of whether they are assigned to a node on the organizational plan or not.
There is no way to trace structural authorization checks, and structural authorization checks that fail do not show in SU53.
Structural authorization profiles are not related to standard security profiles in any way.
Structural Authorizations
A user’s Overall Profile is determined from the intersection of his or her structural and general authorization profiles, when you use both structural and general authorizations.
The structural profile determines which objects in the hierarchical structure the user has access to; the general profile determines which object data (infotype, subtype) and which type of authorization (Read, Write, ...) the user has for these objects. The access mode for authorization objects in HR Master Data is determined in the AUTHC field (Authorization Level).
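The intersection rule described above, as an added example that is not part of the original slides and is not SAP code: a simplified Python model in which access is granted only when both the structural profile and the general profile allow it. The organizational plan, users, personnel numbers and infotype values are constructed sample data, and the function names are hypothetical; apart from "*", authorization levels are matched exactly.

```python
# Simplified model of the "overall profile" rule; not SAP code.
# The org plan, users and authorizations are constructed sample data.

# child object -> parent object on the organizational plan
ORG_PLAN = {
    "O:Sales": "O:Company", "O:Finance": "O:Company",
    "P:1001": "O:Sales", "P:1002": "O:Sales", "P:2001": "O:Finance",
}

def in_structure(root, obj):
    """True if obj is root or lies below root on the organizational plan."""
    while obj is not None:
        if obj == root:
            return True
        obj = ORG_PLAN.get(obj)
    return False

def structural_ok(struct_roots, pernr):
    """Structural profile: which objects in the hierarchy the user can reach."""
    return any(in_structure(root, "P:" + pernr) for root in struct_roots)

def general_ok(general_auths, infotype, level):
    """General profile: which infotype and which authorization level (AUTHC)."""
    for auth in general_auths:
        infty_match = auth["infty"] in ("*", infotype)
        # '*' includes all other levels; any other level is matched exactly
        level_match = "*" in auth["authc"] or level in auth["authc"]
        if infty_match and level_match:
            return True
    return False

def overall_ok(user, pernr, infotype, level):
    """Overall profile = intersection of structural and general profiles."""
    return (structural_ok(user["structural"], pernr)
            and general_ok(user["general"], infotype, level))

# Constructed users: a manager limited to one org unit and to read access
# on one infotype, and an administrator with full access to the whole plan.
SALES_MANAGER = {"structural": ["O:Sales"],
                 "general": [{"infty": "0002", "authc": {"R", "M"}}]}
HR_ADMIN = {"structural": ["O:Company"],
            "general": [{"infty": "*", "authc": {"*"}}]}
```
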
Brief steps to do Structural Authorization
Step 1: TC OOAC (table T77S0) to activate the structural authorization switch
Step 2: TC OOSP to create structural authorization profiles
Step 3: Assign the structural authorization profile to the user ID
– TC SE38: assign report RHRPROFL0 and enter the object ID, for example an org unit