HCM Processes & Forms: Security? Have your cake and eat it too!
This will quite possibly be my shortest HCM P&F blog but probably one of the more useful ones. Whenever we talk about HR related information and the web, one of the first things that comes to mind is the big “S” word…..security. Security folk’s ears will perk up and the hair on the back of their neck will bristle when you mention some new such-and-such you want to implement through the portal. Why stop there though? Let’s throw those security people a real curve ball. Heck, let’s dump a whole tool bag of wrenches in their gears! (haha)
Consider this all too common scenario/problem….For your managers, you need to restrict the information they can see via their regular MSS access. However, when they are involved in some HCM P&F process (for example, an employee transfer), they need to see other information they normally don’t have access too (for example, the open positions of another manager). Now, if you presented that scenario to most security people, there would be much gnashing of teeth and you would get an angry look as they mutter some curse at you under their breath….and that would be letting you off easy! (haha) Luckily, SAP thought ahead and made a flexible and relatively easy solution for this. In fact, we have not one, but three options!!! So, yes, as the title of this blog implies, we can have our cake and eat it too…just exactly how we like it!
With HCM P&F, SAP provides us with a specialized authorization object called P_ASRCONT. Our options for authorization checking are then open to the following 3 possibilities:
1. Use ONLY your existing, traditional HR authroization.
This basically involves tweaking your exisitng authorizations so the users have access to the information they need. This is probably going to require a lot more work, and you must take care in what extent you allow access to information. This often involves adjusting the authorization on what (read, change, etc) an end user (employee, manager, or admin) can do with additional infotypes. Being cautious, it could actually limit the functionality you might provide and change your process design. (for example, because you don’t want to open up too much access to managers, you might put their work in a process off to an HR admin that has great access).
2. Use ONLY the P_ASRCONT object for the HCM P&F processes.
As a direct opposite of the first option, this option basically opens up authorization for anything involved in your HCM P&F processes. It’s more of a “loose” authorization. This really provides more of a protection for the process data (process object) and attachment data than actual infotype (master data) checks.
3. Use a combination of 1 and 2 above.
Per SAP’s own documentation “This is the safest method that you can use. It is therefore recommended that you use this method.“ Using this method, not only are the objects checked but the data content as well. In other words, not only are we checking the data from the forms (process object and attachments) but also the master data checks as well (access to infotypes).
I will save you from the pain of reading reworded information that SAP documentation already provides. I simply wanted to make you aware of this feature of HCM P&F and direct you to the proper place for more information on the subject. Refer to the help documentation link below for more information about the advantages and disadvantages of each method listed above, as well as information on proper implementation of your selected choice.
As always, I hope this helps!