Checking HCM authorizations
This document describes the tools available for checking HCM authorizations. We can use the following tools:
- Transaction HRAUTH – The tool that can be used for analyzing authorizations.
- Report RHUSERRELATIONS – The report that can be used to check the HR authorizations settings
Transaction HRAUTH – When calling the HRAUTH transaction, two tabs are displayed: Overview and User-Specific.
- Information about the authorization-related BAdIs, and whether these BAdIs have been implemented in the system. It is also possible to navigate to them, and documentation is also available.
- Information about the authorizations settings in table T77S0, and the assigned value for them.
- Also, the profile assigned to SAP* will be displayed.
- If a job has been scheduled for reports RHPROFL0, RHBAUS00, RHBAUS01 or RHBAUS02 the last execution date will be displayed (for further information about these reports, please check their documentation).
- Information about entries in tables T77PR (structural profiles), T77UA (assignment of users to structural profiles), T77UU (user in SAP memory), HRP1016 and HRP1017. These last two tables are important because authorizations (standard and structural) can also be assigned through the organizational structure.
- With button we can see the Auth. Access flag for all the infotypes maintained in table V_T582A.
- User’s organizational unit
- User’s personnel numbers
- Roles and standard profiles
- HR authorization Objects (P_ORGIN, P_ORGXX…)
- Structural profiles
- Entries in table INDX
- Entries in T77UA
- Entries in T77UU
The most important development here is button . This calls report RSUSR050. Using this report, it is possible to compare users, roles, authorizations and profiles, and it is also possible to compare them across systems (if the corresponding RFC connection has been set up). For further information, check the report documentation.
Report RHUSERRELATIONS – Use report RHUSERRELATIONS to check HR authorization settings. Enter the user with the authorization issue in field ‘User name’.
- Button : Use this button to display the main authorization settings in T77S0. It is also possible to check these values by entering this table in transaction SM30. These parameters are:
AUTSW ORGPD HR: Structural Authorization Check – This parameter can have the following values:
0 – Structural authorizations will not be checked in Personnel Administration. IMPORTANT: they will always be checked in Org. Management.
1 – If an organizational unit is assigned in infotype 0001, the system checks against this organizational unit. If no organizational unit is assigned, the system rejects the authorization.
2 – The system does not evaluate the organizational unit and rejects the authorization.
3 – If an organizational unit exists, the system checks against this organizational unit. If no organizational unit is assigned, it grants the authorization.
4 – The system does not evaluate the organizational unit and grants the authorization.
For information about this parameter, please check note 339367.
AUTSW ORGIN HR: Master Data – If this parameter is set to 1, P_ORGIN authorization object will be checked.
AUTSW ORGXX HR: Master Data – Extended Check. If this parameter is set to 1, P_ORGXX authorization object will be checked.
AUTSW NNNNN HR: Customer-Specific Authorization Check. If this parameter is set to 1, the customer authorization object will be checked. To find the name of this authorization object (it should be in the customer namespace), check the coding of include MPPAUTZZ. There, under the ‘authorization-check’ statement, you will find the name of that authorization object. The customer authorization object must contain the fields INFTY (Infotype) and SUBTY (Subtype). It is also possible to use any of the fields from infotype 0001 (Organizational Assignment) or in the PA0001 structure, and customer-specific additional fields, as long as they are NUMC or CHAR type fields. In addition, the fields TCD (Transaction Code) and INFSU (Infotype/subtype: 4 characters for the infotype and 4 for the subtype) can be used. These are the only fields allowed for the customer authorization object. If a different field is used, issues could arise. To generate the coding, report RPUACG00 should be run for this custom authorization object.
AUTSW PERNR HR: Master Data – Personnel Number Check – If this parameter is set to 1, authorization object P_PERNR will be checked. Check that users do not have the object P_PERNR set with the SIGN = *. This might lead to an undefined state. The only possible values here must either be E or I.
AUTSW DFCON HR: Default Position (Context). Same possible values as AUTSW ORGPD.
AUTSW INCON HR: Master Data (Context) – If this parameter is set to 1, context authorization object P_ORGINCON will be checked.
AUTSW XXCON HR: Master Data – Enhanced Check (Context) – If this parameter is set to 1, context authorization object P_ORGXXCON will be checked.
AUTSW NNCON HR: Customer-Specific Authorization Check (Context) – If this parameter is set to 1, the context customer authorization object will be checked. The customer context authorization object must contain the fields INFTY (Infotype), SUBTY (Subtype), AUTHC (Authorization Level) and PROFL (Authorization Profile). It is also possible to use any of the fields from infotype 0001 (Organizational Assignment) or in the PA0001 structure, and customer-specific additional fields, as long as they are NUMC or CHAR type fields. In addition, the fields TCD (Transaction Code) and INFSU (Infotype/subtype: 4 characters for the infotype and 4 for the subtype) can be used.
AUTSW ADAYS HR: Tolerance Time for Authorization Check. The default value of this setting is 15.
After checking these settings, you will know which authorization objects are involved.
- Button : with this button you can display the employee number assigned to the user you are analyzing. This is important to know for example when checking P_PERNR authorizations.
- Push button : Use this button in order to analyze structural profiles assigned to the user. Select the pushbutton and press F8. You will get a list with all the structural profiles assigned to the user (this is the assignment done in T77UA). There you can select the following options:
- : Selecting a profile, you will get the objects included in that profile (configuration in table T77PR).
- : to get the complete list of objects the user has authorizations for, according to the structural profile. This will list all the objects, including just the employees directly assigned to the profile. This means that employees assigned to the default position will not be listed here. If an object is displayed in this list the user will have authorization to that object according to the Structural authorizations. However, we still have to check if the user has authorization to it, according to the HR authorizations.
- Push button : select this pushbutton to display the HR authorization values assigned to the user. Select the HR authorization objects (P_ORGIN, P_ORGXX….) and execute the report. You will get a list with all the authorization values assigned to the user. Then you will have to check if according to these values, the user should be able to see that object or not.
I think it could be very helpful.
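As an added example (not part of the original document and not SAP code), the following Python script reviews the AUTSW switches described above from an exported copy of T77S0: it reports which authorization objects are active, how ORGPD treats a person with no organizational unit, whether ADAYS differs from its default, and any P_PERNR SIGN value other than E or I. The tab-separated export layout (GRPID, SEMID, GSVAL), the sample rows and the user names are constructed for illustration.

```python
import csv
import io

# AUTSW switch -> authorization object checked when the switch is 1 (per the list above).
SWITCH_OBJECT = {
    "ORGIN": "P_ORGIN", "ORGXX": "P_ORGXX", "PERNR": "P_PERNR",
    "INCON": "P_ORGINCON", "XXCON": "P_ORGXXCON",
    "NNNNN": "customer object (name in include MPPAUTZZ)",
    "NNCON": "customer context object",
}

# Constructed sample export of T77S0: GRPID <tab> SEMID <tab> GSVAL (layout is an assumption).
SAMPLE_T77S0 = (
    "AUTSW\tORGPD\t3\nAUTSW\tORGIN\t1\nAUTSW\tORGXX\t0\nAUTSW\tPERNR\t1\n"
    "AUTSW\tINCON\t0\nAUTSW\tXXCON\t0\nAUTSW\tNNNNN\t0\nAUTSW\tADAYS\t20\n"
    "PLOGI\tPLOGI\t01\n"
)
# Constructed sample: (user, SIGN value found in that user's P_PERNR authorization).
SAMPLE_PERNR_SIGNS = [("JDOE", "I"), ("ASMITH", "*")]

def load_switches(text):
    """Return {SEMID: GSVAL} for the AUTSW group, skipping other groups and short rows."""
    rows = csv.reader(io.StringIO(text), delimiter="\t")
    return {r[1].strip(): r[2].strip() for r in rows
            if len(r) >= 3 and r[0].strip() == "AUTSW"}

def orgpd_outcome(value, has_org_unit):
    """Model the ORGPD values 0-4 as they are described in the text above."""
    if value == "0":
        return "structural check skipped in PA"
    if value not in ("1", "2", "3", "4"):
        raise ValueError(f"unknown ORGPD value: {value!r}")
    if value in ("1", "3") and has_org_unit:
        return "check against org unit"
    return "reject" if value in ("1", "2") else "grant"

def review(switches, pernr_signs):
    """Return (active authorization objects, findings to follow up)."""
    active = sorted(o for s, o in SWITCH_OBJECT.items() if switches.get(s) == "1")
    findings = []
    if "ORGPD" in switches:
        outcome = orgpd_outcome(switches["ORGPD"], has_org_unit=False)
        findings.append(f"ORGPD={switches['ORGPD']}: no org unit in infotype 0001 -> {outcome}")
    if switches.get("ADAYS", "15") != "15":
        findings.append(f"ADAYS={switches['ADAYS']} differs from default 15")
    findings += [f"{u}: P_PERNR SIGN={s!r} is not E or I"
                 for u, s in pernr_signs if s not in ("E", "I")]
    return active, findings
```

Call `review(load_switches(SAMPLE_T77S0), SAMPLE_PERNR_SIGNS)` to get the active objects and the findings for the sample data.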