Skip to Content

       This will quite possibly be my shortest HCM P&F blog but probably one of the more useful ones. Whenever we talk about HR related information and the web, one of the first things that comes to mind is the big “S” word…..security. Security folk’s ears will perk up and the hair on the back of their neck will bristle when you mention some new such-and-such you want to implement through the portal. Why stop there though? Let’s throw those security people a real curve ball. Heck, let’s dump a whole tool bag of wrenches in their gears! (haha)        

       Consider this all too common scenario/problem….For your managers, you need to restrict the information they can see via their regular MSS access. However, when they are involved in some HCM P&F process (for example, an employee transfer), they need to see other information they normally don’t have access too (for example, the open positions of another manager). Now, if you presented that scenario to most security people, there would be much gnashing of teeth and you would get an angry look as they mutter some curse at you under their breath….and that would be letting you off easy! (haha) Luckily, SAP thought ahead and made a flexible and relatively easy solution for this. In fact, we have not one, but three options!!! So, yes, as the title of this blog implies, we can have our cake and eat it too…just exactly how we like it! 

        With HCM P&F, SAP provides us with a specialized authorization object called P_ASRCONT. Our options for authorization checking are then open to the following 3 possibilities:

  

1. Use ONLY your existing, traditional HR authroization.

This basically involves tweaking your exisitng authorizations so the users have access to the information they need. This is probably going to require a lot more work, and you must take care in what extent you allow access to information. This often involves adjusting the authorization on what (read, change, etc) an end user (employee, manager, or admin) can do with additional infotypes. Being cautious, it could actually limit the functionality you might provide and change your process design. (for example, because you don’t want to open up too much access to managers, you might put their work in a process off to an HR admin that has great access).

 

2. Use ONLY the P_ASRCONT object for the HCM P&F processes.

As a direct opposite of the first option, this option basically opens up authorization for anything involved in your HCM P&F processes. It’s more of a “loose” authorization. This really provides more of a protection for the process data (process object) and attachment data than actual infotype (master data) checks.

 

3. Use a combination of 1 and 2 above.

Per SAP’s own documentation “This is the safest method that you can use. It is therefore recommended that you use this method.“ Using this method, not only are the objects checked but the data content as well. In other words, not only are we checking the data from the forms (process object and attachments) but also the master data checks as well (access to infotypes).  

 

        I will save you from the pain of reading reworded information that SAP documentation already provides. I simply wanted to make you aware of this feature of HCM P&F and direct you to the proper place for more information on the subject. Refer to the help documentation link below for more information about the advantages and disadvantages of each method listed above, as well as information on proper implementation of your selected choice.

 

Authorization Concept of HCM P&F

 

As always, I hope this helps!

To report this post you need to login first.

7 Comments

You must be Logged on to comment or reply to a post.

  1. barin desai
    hi chris

    in absense of any system to check this i want to ask you one question.

    Wouldn’t structural authorization resolve this issue.

    regards
    barin

    (0) 
  2. Ian Stubbings
    Hi Chris

    We also recently went through a lot of pain with structural auths. I am wondering if we had made wider use of P_ASRCONT we could have had less!

    I will check your blog with the S&A team today to get their view.

    Cheers
    Ian

    (0) 
  3. Raja Kishore Jogam
    Chris,
    Nice one. I think, it is time for you to write a book on HCM PF.

    Anyways, do you have any inside information of what is been planned for EhP5? Or do you already have a blog already on this?

    (0) 
  4. Bernhard Escherich
    Hi Chris,

    as always I liked your blog.

    The funny thing for security in HCM P&F for me is that the same people who have the paper formulas open on their desk require the tightest security for the digital process. But this is perhaps another story.

    Cheers,
    Bernhard

    (0) 
    1. Christopher Solomon Post author
      Bernhard, you nailed it! I am amazed at times some of the security related requests that are made. Here’s one recently that made me fall out of my chair laughing. A client had folks in the UK with sensitive HR info on their forms. Hence, they wanted the session to time out around 30 minutes or so. So then, once live, we get all these support request because the UK folks claim the forms/sessions are timing out and closing too quickly. So we check it again and tell them it is set for 30 minutes. The answer….”Ahhh 30 minutes is fine except when they all go to lunch, then it should allow the session to stay open for 2 hrs in case people were working and forgot to save their work before lunch….just like they could do with their previous Word docs.” I KID YOU NOT!!!! hahahahahaha Figure that one out. Needless to say, we had to do a little education and training with them.
      (0) 
  5. Biswajit Das
    Great one..We faced the similar issue.Structural Authorization brought nightmares.

    Even if we mention system to do check only on P_ASRCONT but system does min authorization check for employees always. Again strutural check is done inside the minimum auth check.

    Is there any thing we are looking wrong?

    (0) 

Leave a Reply