
Objectives:

  • Protection of person-related data (legal obligation)
  • Securing data related to persons and employees that is stored in SAP systems (moral obligation). Example: only authorized users should have permission to change the wage details of an employee.

 

Technical Main Risks:

 

  • ACCESS TO PERSONAL DATA
  • EXECUTION OF MASTER DATA REPORTS
  • STANDARD SAP TRANSACTIONS: SA38, …
  • ACCESS TO DATABASE TABLE
  • AD-HOC QUERIES

 

STRUCTURAL AUTHORIZATIONS

  • grant access to view information in HR
  • are used to manage access to the organizational plan
  • are NOT integrated into the standard authorization concept (roles and profiles)
  • structural authorization profiles are not the same as standard authorization profiles (ECC, BW, …)

The HR data to be protected are defined via object type P (person).

User-specific structural profiles can be created using function modules. Combined with the PLOG authorization object, structural authorizations are also used to protect personnel planning data in HR.

Structural authorizations are based on the hierarchy levels of the organizational plan; this hierarchy is what is called the "structure" in structural authorization.

MAIN AUTHORIZATION SWITCH

The main authorization switches enable structural authorization (and the individual HR master data checks) in SAP HR.

Activation: Tcode OOAC (the switches are stored in table T77S0, group AUTSW). The assignment of structural profiles to users is stored in table T77UA.

Main transactions:

  Use for                              Tcode                                    Infotype(s)
  All organizational plan maintenance  PPOME, PPO_OLD, PPOC_OLD, PPME, PO13
  Hiring applicants                    PB30, PB40                               4000
  Maintain master records              PA41, PA40, PU00
  Salary and wage                      PU03, PA30, PA20                         0002, 0003, 0006, 0009, 0011, 0014
  Absence                              PA30                                     2001, 2013
  View own wage                        PC00_M16_CEDT                            0008, 0014, 0015, 2010
  Salary validation                    PA30, C138
  External payments                    PC00_M99_CIPE
  Travel requests and expenses         TRIP, TP01, TP02, TP03, TP04, PR05

 

HOW TO PROTECT MASTER DATA?

 

The main authorization object that protects HR master data is P_ORGIN (HR: Master Data). It checks the infotype, subtype, authorization level (field AUTHC, e.g. R read, W write) and the organizational assignment of the employee (personnel area, employee group, employee subgroup, organizational key).

  • P_ORGIN is usually used together with the P_ORGXX authorization object (HR: Master Data - Extended Check).
  • P_ORGXX is usually used to define the responsibilities of personnel administrators (administrator fields). It is possible to restrict infotypes and to define different authorization levels.
  • P_PERNR controls access to the personnel number that is linked to the user (the user's own data, via infotype 0105, subtype 0001). It is used to prevent users from changing their own data.
  • PSIGN is a field of P_PERNR, not a separate object: value I means the authorization applies to the user's own personnel number, value E means the user's own personnel number is explicitly excluded. An E entry denies access even where P_ORGIN would grant it.

Advice: P_PERNR is only evaluated when the main authorization switch PERNR (Tcode OOAC) is set to value 1; without it, the exclusion of a user's own data has no effect.
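The decision order described above (P_PERNR for the user's own personnel number first, with PSIGN E overriding I and both overriding P_ORGIN; otherwise P_ORGIN with the organizational assignment) as a runnable model. This is an added example written for this page, not SAP code: the classes, the sample employees and the authorizations are constructed, "E wins when both I and E match" is an assumption of the model, and the `pernr_switch` flag stands in for the AUTSW PERNR switch.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class OrginAuth:
    """One P_ORGIN authorization; '*' in a field means any value."""
    infty: str
    subty: str
    authc: str   # R read, W write, * all levels
    persa: str   # personnel area
    persg: str   # employee group
    persk: str   # employee subgroup
    vdsk1: str   # organizational key


@dataclass(frozen=True)
class PernrAuth:
    """One P_PERNR authorization; PSIGN I includes, E excludes the own personnel number."""
    infty: str
    subty: str
    authc: str
    psign: str


@dataclass(frozen=True)
class Employee:
    pernr: str
    persa: str
    persg: str
    persk: str
    vdsk1: str


@dataclass
class User:
    name: str
    own_pernr: Optional[str]                      # link from infotype 0105 subtype 0001
    orgin: List[OrginAuth] = field(default_factory=list)
    pernr: List[PernrAuth] = field(default_factory=list)


def _fits(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def _covers(auth, infty: str, subty: str, authc: str) -> bool:
    return _fits(auth.infty, infty) and _fits(auth.subty, subty) and _fits(auth.authc, authc)


def check_access(user: User, emp: Employee, infty: str, subty: str,
                 authc: str, pernr_switch: bool = True) -> bool:
    """Model of the master data decision for one infotype access.

    1. Switch active and emp is the user's own personnel number: the matching
       P_PERNR entries decide. E beats I (model assumption); either one
       overrides P_ORGIN. With no matching entry, fall through to step 2.
    2. P_ORGIN decides, including the employee's organizational assignment.
    """
    if pernr_switch and user.own_pernr is not None and user.own_pernr == emp.pernr:
        signs = {a.psign for a in user.pernr if _covers(a, infty, subty, authc)}
        if "E" in signs:
            return False
        if "I" in signs:
            return True
    return any(
        _covers(a, infty, subty, authc)
        and _fits(a.persa, emp.persa) and _fits(a.persg, emp.persg)
        and _fits(a.persk, emp.persk) and _fits(a.vdsk1, emp.vdsk1)
        for a in user.orgin
    )


# Constructed sample data (not from any real system).
SELF = Employee("00001234", "1000", "1", "DU", "10001000")
COLLEAG = Employee("00005678", "1000", "1", "DU", "10001000")
FOREIGN = Employee("00009999", "2000", "1", "DU", "20001000")

# HR administrator for personnel area 1000 who is also an employee there:
# full P_ORGIN for the area, but P_PERNR excludes writing own basic pay (0008).
HR_ADMIN = User(
    "HRADMIN", own_pernr="00001234",
    orgin=[OrginAuth("*", "*", "*", "1000", "*", "*", "*")],
    pernr=[PernrAuth("0008", "*", "W", "E")],
)

# Self-service user: no P_ORGIN at all, reads own address (0006) and bank data (0009) only.
ESS_USER = User(
    "ESS01", own_pernr="00005678",
    pernr=[PernrAuth("0006", "*", "R", "I"), PernrAuth("0009", "*", "R", "I")],
)

if __name__ == "__main__":
    cases = [(HR_ADMIN, COLLEAG, "0008", "W"), (HR_ADMIN, SELF, "0008", "W"),
             (HR_ADMIN, SELF, "0008", "R"), (HR_ADMIN, FOREIGN, "0002", "R"),
             (ESS_USER, COLLEAG, "0006", "R"), (ESS_USER, SELF, "0006", "R")]
    for who, emp, it, lvl in cases:
        print(who.name, emp.pernr, it, lvl, check_access(who, emp, it, "0", lvl))
```

The HR administrator case is the one to watch: with the switch off, `check_access(HR_ADMIN, SELF, "0008", "0", "W")` is granted by P_ORGIN, which is exactly the "change your own wage" risk the objectives list.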

 

HOW TO PROTECT HR REPORTING?

Authorization object: P_ABAP (HR: Reporting). It is checked for the report named in field REPID by reports that use the HR logical database (PNP/PNPCE) and controls how strictly the HR master data objects are checked while that report runs. It does not by itself authorize starting the report; that remains with S_TCODE/S_PROGRAM.

Set the authorization field COARS (degree of simplification):

1: simplified check: infotype, subtype and authorization level are still checked, but independently of the employee's organizational assignment.

2: no check against the HR master data authorization objects for this report.

*: both values are granted; because 2 is included, no master data check is performed at all.

Caveat: with COARS = 2 the output of the report is limited only by its own selection screen, so grant it for specific report names only and never with REPID = *.

 

PAYROLL

Authorization objects:

  • P_TCODE: HR transaction code (checked in addition to S_TCODE for HR transactions)
  • P_PCR: Payroll control record
  • P_PYEVDOC: Posting documents
  • P_PYEVRUN: Posting runs

 

 

 

SEGREGATION OF DUTIES ON HR

  • The employee who hires an applicant must not be the one who records the applicant's data.
  • The employee who initiates payments must not be the one who maintains the master data the payments are based on (e.g. bank details, infotype 0009).
  • Wage payments must be validated by a second person.
  • Maintain personnel record <> Maintain HR master data
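A small conflict detector for the two pairs above, as an added example that is not part of the original post. It takes constructed extracts in the shape of user-to-role and role-to-authorization tables (the column layout is simplified and is an assumption, as are the role names, users and rule ids), expands wildcard S_TCODE values, and reports each user who reaches both sides of a rule together with the roles that grant each side. The transaction codes are the ones from the table on this page.

```python
from collections import defaultdict
from fnmatch import fnmatchcase
from typing import Dict, List, Set

# SoD rules: (id, description, tcodes on side A, tcodes on side B).
# The pairs follow the SoD list above; ids and descriptions are constructed.
SOD_RULES = [
    ("HR01", "hire applicant vs. record applicant data", {"PB40"}, {"PB30"}),
    ("HR02", "initiate external payment vs. maintain HR master data",
     {"PC00_M99_CIPE"}, {"PA30"}),
]

# Constructed role authorization extract. Columns: role;object;field;value
ROLE_AUTHS = """\
Z_HR_RECRUIT;S_TCODE;TCD;PB30
Z_HR_HIRE;S_TCODE;TCD;PB40
Z_HR_ADMIN;S_TCODE;TCD;PA20
Z_HR_ADMIN;S_TCODE;TCD;PA30
Z_HR_ADMIN;P_ORGIN;AUTHC;*
Z_PY_PAY;S_TCODE;TCD;PC00*
"""

# Constructed user-to-role extract. Columns: user;role
USER_ROLES = """\
ALICE;Z_HR_RECRUIT
ALICE;Z_HR_HIRE
BOB;Z_HR_ADMIN
BOB;Z_PY_PAY
CAROL;Z_HR_ADMIN
"""


def parse_role_tcodes(text: str) -> Dict[str, Set[str]]:
    """role -> S_TCODE/TCD value patterns; rows for other objects are not tcode grants."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        role, obj, fld, val = line.split(";")
        if obj == "S_TCODE" and fld == "TCD":
            out[role].add(val)
    return out


def parse_user_roles(text: str) -> Dict[str, Set[str]]:
    out: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            user, role = line.split(";")
            out[user].add(role)
    return out


def grants(patterns: Set[str], tcode: str) -> bool:
    """S_TCODE values may be wildcards such as PC00*, so match them as patterns."""
    return any(fnmatchcase(tcode, p) for p in patterns)


def find_conflicts(user_roles: Dict[str, Set[str]], role_tcodes: Dict[str, Set[str]],
                   rules=SOD_RULES) -> List[dict]:
    """Every user who reaches a tcode on both sides of a rule, with the granting roles.

    The conflict is evaluated on the user's combined roles, so two individually
    clean roles that together violate a rule are still reported.
    """
    hits: List[dict] = []
    for user in sorted(user_roles):
        roles = sorted(user_roles[user])
        for rule_id, desc, side_a, side_b in rules:
            for ta in sorted(side_a):
                via_a = [r for r in roles if grants(role_tcodes.get(r, set()), ta)]
                if not via_a:
                    continue
                for tb in sorted(side_b):
                    via_b = [r for r in roles if grants(role_tcodes.get(r, set()), tb)]
                    if via_b:
                        hits.append({"user": user, "rule": rule_id, "description": desc,
                                     "tcode_a": ta, "roles_a": via_a,
                                     "tcode_b": tb, "roles_b": via_b})
    return hits


if __name__ == "__main__":
    for h in find_conflicts(parse_user_roles(USER_ROLES), parse_role_tcodes(ROLE_AUTHS)):
        print(f"{h['user']}: {h['rule']} {h['tcode_a']} via {h['roles_a']} "
              f"and {h['tcode_b']} via {h['roles_b']}")
```

BOB is flagged although no single role of his contains both transactions, and only because the wildcard PC00* in Z_PY_PAY is expanded; a check that compares literal values would miss him.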
2 Comments


  1. VASU MALYAVANTHAM
    Hi,

    The information is very clear and useful to all the consultants. Here I have a doubt: is it possible to restrict the access as per the field level? Because one person enters the data the first time and the same person should not have a chance to change the data and his manager has to change the data; is there any way for this?

    Regards,
    Vasu.M
