Objectives:
- Protection of person-related data (legal requirement)
- Secure the data about persons and employees stored in SAP systems (moral obligation). Example: only authorized users should have permission to change the wage details of an employee.
Main technical risks:
- ACCESS TO PERSONAL DATA
- EXECUTION OF MASTER DATA REPORTS
- STANDARD SAP TRANSACTIONS: SA38, ...
- ACCESS TO DATABASE TABLES
- AD-HOC QUERIES
STRUCTURAL AUTHORIZATIONS
- grant access to view HR information
- are used to manage access to the organizational plan
- are NOT integrated into the standard authorization concept
- Structural authorization profiles are not the same as standard authorization profiles (ECC, BW, ...)
The HR data to be protected are defined via object type P (person).
User-specific structural profiles can be created using function modules. Combined with the PLOG authorization object, structural authorizations are also used to protect resource planning data in HR.
Structural authorizations are based on the hierarchy levels of the organizational plan; this hierarchy is the "structure" in "structural authorization".
MAIN AUTHORIZATION SWITCH
The main authorization switch enables structural authorization in SAP HR.
Activation: Tcode OOAC; Table T77UA
Main transactions:
Use for                              | Tcode                                | Infotype                           |
All organizational plan maintenance  | PPOME, PPO_OLD, PPOC_OLD, PPME, PO13 |                                    |
Hiring applicants                    | PB30, PB40                           | 4000                               |
Maintain master records              | PA41, PA40, PU00                     |                                    |
Salary & wage                        | PU03, PA30, PA20                     | 0002, 0003, 0006, 0009, 0011, 0014 |
Absence                              | PA30                                 | 2001, 2013                         |
View their own wage                  | PC00_M16_CEDT                        | 0008, 0014, 0015, 2010             |
Salary validation                    | PA30, C138                           |                                    |
External payments                    | PC00_M99_CIPE                        |                                    |
Travel requests and expenses         | TRIP, TP01, TP02, TP03, TP04, PR05   |                                    |
HOW TO PROTECT MASTER DATA?
The main authorization object protecting HR master data is P_ORGIN.
- P_ORGIN is usually used together with the P_ORGXX authorization object.
- P_ORGXX is usually used to define the responsibilities of personnel administrators. It allows restrictions on infotypes and the definition of different authorization levels.
- P_PERNR controls access to the data of individual users; it is used to restrict what users may change in their own data.
- P_SIGN: personnel number assigned to the user
Advice: the P_SIGN authorization field must be set to authorization value 1.
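The structural authorizations described above and the general P_ORGIN object, as an added illustration that is neither SAP code nor part of these notes: a small model of how a user's structural profile (T77UA assignment, T77PR root object and depth) limits which persons in the organizational plan are reachable, while P_ORGIN limits what may be done with an infotype record, and access is granted only where both agree. The organizational plan, profile names, user names and authorization values are constructed.

```python
from dataclasses import dataclass

# Constructed organizational plan (evaluation path O-S-P): parent -> children.
ORG_PLAN = {
    ("O", "50000001"): [("O", "50000002"), ("S", "50000100")],  # company root
    ("O", "50000002"): [("S", "50000101"), ("S", "50000102")],  # HR department
    ("S", "50000100"): [("P", "00001000")],
    ("S", "50000101"): [("P", "00001001")],
    ("S", "50000102"): [("P", "00001002")],
}
# Constructed T77PR-style profiles: name -> (root object, depth); 0 = unlimited here.
T77PR = {"ALL": (("O", "50000001"), 0), "Z_HR_DEPT": (("O", "50000002"), 0)}
T77UA = {"HRADMIN": ["Z_HR_DEPT"], "AUDITOR": ["ALL"]}  # constructed user -> profiles

@dataclass(frozen=True)
class Orgin:
    """One P_ORGIN authorization; '*' is the SAP wildcard."""
    infty: str   # infotype
    authc: str   # authorization level: R = read, W = write
    persa: str; persg: str; persk: str; vdsk1: str  # organizational assignment fields

@dataclass(frozen=True)
class Record:
    """Organizational assignment (infotype 0001) of the accessed person."""
    pernr: str
    persa: str; persg: str; persk: str; vdsk1: str

def structural_reach(profile):
    """Persons (object type P) reachable from the profile's root within its depth."""
    root, depth = T77PR[profile]
    reach, stack = set(), [(root, 0)]
    while stack:
        obj, level = stack.pop()
        if obj[0] == "P":
            reach.add(obj[1])
        if depth == 0 or level < depth:
            stack.extend((child, level + 1) for child in ORG_PLAN.get(obj, []))
    return reach

def p_orgin_allows(auths, infty, authc, rec):
    """General check: a single authorization must match every P_ORGIN field."""
    match = lambda a, v: a == "*" or a == v
    return any(match(a.infty, infty) and match(a.authc, authc) and match(a.persa, rec.persa)
               and match(a.persg, rec.persg) and match(a.persk, rec.persk)
               and match(a.vdsk1, rec.vdsk1) for a in auths)

def can_access(user, auths, infty, authc, rec):
    """Access is granted only where structural AND general authorization agree."""
    structural = set().union(*(structural_reach(p) for p in T77UA.get(user, [])))
    return rec.pernr in structural and p_orgin_allows(auths, infty, authc, rec)
```

A user with wide P_ORGIN values but a narrow structural profile still cannot reach persons outside their part of the organizational plan, and the reverse holds too.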
HOW TO PROTECT HR REPORTING?
Authorization object: P_ABAP
Set the authorization field COARS (degree of simplification of the check):
1: perform an authorization check independently of infotype and organizational assignment
2: no authorization check on the authorization objects of HR master data
*: no checks will be performed at all
PAYROLL
Authorization object P_TCODE: HR transaction code
Authorization object P_PCR: payroll control record
Authorization object P_PYEVDOC: posting documents
Authorization object P_PYEVRUN: posting runs
SEGREGATION OF DUTIES IN HR
- Employees who hire applicants vs. employees responsible for recording applicant information
- Employees who initiate payments vs. employees who record user information
- Wage payments must be validated
- Maintain personnel record <> Maintain HR master data
...