SAP HCM: Decisions for setting up structural authorizations
The author has been an SAP HCM subject matter expert since 1997, when he started at SAP. Niels Knuzen worked as a consultant for SAP Nordic, where he participated in numerous global rollouts and worked as an instructor at the SAP HCM academies.
In 2003 he moved to a Nordic dairy company as SAP HCM architect. During these years he joined the global HCM customer group. In 2006 Niels Knuzen started his own company and has since focused on authorizations, identity management and security.
1 About this document
In this document we focus on the thoughts and decisions that must be raised before setting up structural authorizations, so that they cover the business needs we commonly face as consultants. The technical setup of structural authorizations is covered in a huge number of documents, so here I primarily focus on the structures and methods that keep them from ending up as a never-ending patchwork.
But let's look at the business needs, which could be:
- My HR partners should only have access to those employees they are responsible for.
- In projects we want our project managers to have access to all service technicians.
- We want our line managers' substitutes to have access to the managers' employees, except for ECM.
- Instructors should only have access to those learners who participate in their courses.
- Employees should only have access to those training catalogs which belong to their division.
The list of business needs that could be solved with structural authorizations is unlimited, and therefore we need to follow some methods to keep our structural profiles from ending up as a patchwork. This document is intended to help HR and security consultants cope with structural profiles, set up a concept for them, and describe and document it before implementation.
2 The technical intro to structural authorization and related objects.
Structural authorizations are used to restrict access to employees and other object types in HCM. They are widely used to grant access to parts of the organisational structure based on the evaluation path SBESX or O-S-P.
Below you will find an example of a dynamic structural profile, which uses the customized attribute of an HR partner to find a starting point in the organisational structure and then uses the evaluation path SBESX to drill down from the organisational entry point where the user is assigned as an HR partner. The object type in this case is an organisational unit. The advantage of dynamic structural authorizations is their ability to use attributes of the user to determine access to content. A dynamic structural profile can therefore be reused by many users with different content needs. The most commonly known dynamic structural profile is the line manager profile, which can be reused for everyone with a manager position.
Figure 1 Dynamic Structural profile.
The most commonly used structural profiles are the fixed profiles for organisational structures. These are based on a fixed entry point followed by an evaluation path. They are known as fixed structural profiles; "fixed" indicates that the starting point is locked to the profile and not based on any attributes of the user picked up by a function module. See the example in figure 2 below.
Figure 2 Fixed Structural Profile I
The fixed structural profile in this example gives access to an organisational structure with the evaluation path SBESX, and it starts from the organisational unit O 50123456. You have the option to mark the profile for display or maintain use. This is done with the radio button named Maintain. The status vector indicates the status of the object, such as planned, approved or submitted. The depth indicates how many levels will be shown when running a report. Sign: never really used it. Period: used for restricting the authorization according to the validity period of the structure. The last field, the Function Module, is where you can assign an FM which is used to determine a starting point or an array of object IDs.
The structural profiles can also be created so they grant access to all IDs of a certain object type. This is also characterized as fixed structural profiles, but in this case we don’t need the structural profiles. The advantage of these profiles is performance, since there is no need for the system to drill down with an evaluation path and check the entries of HRP1001, the relation table. This kind of structural authorization will give you access to all IDs of an object type, whether or not these are assigned to any structure. An example of this kind of structural profile can be found in figure 3 below.
Figure 3 Fixed Structural Profile II
The structural profiles are assigned to the users in transaction OOSB, alias table T77UA. In this table you have the option to set a validity period for the assignment and to test which objects the profile grants the user access to (press the I button).
Figure 4 OOSB/ T77UA
The assignment of users and structural profiles must be done automatically. There is also the BADI, which reads the user's need for a structural profile from P_ORGINCON or P_HAP_DOC and builds an “on the fly” buffer that is used for granting authorizations. The advantage of the BADI HRBAS00_GET_PROFL is that there is no need for maintenance in OOSB. The disadvantage of using the BADI shows in production, where unskilled supporters from user administration don’t know the functionality; it can be less transparent and finally result in SLA violations.
The alternative to manual maintenance is an automatic assignment tool, which assigns and removes redundant and obsolete structural profiles from the users.
2.1 The authorization objects which use structural profiles.
In SAP HCM we have the context-specific authorization objects, which merge the structural authorization check with the “normal” authorization check found in e.g. P_ORGIN, such as:
- authorization mode
- info types
- personnel area
- employee group
- employee subgroup
- sub type of info type
- Organisational key
P_ORGINCON: P_ORGINCON is the most commonly used HR authorization object today. It gives us the option of controlling employee access together with the structural dimension. This is known as context-specific authorization.
P_HAP_DOC is another authorization object which uses structural authorization, in this case to control performance appraisals. This authorization object is used in almost all performance appraisal implementations.
There is also a context-specific authorization object for the enhanced master data check, P_ORGXXCON, but in all the authorization concepts for HCM I have been through there has been no need for it, since P_ORGINCON is sufficient for handling all the authorization checks you need.
There is one tip which should be given here. If you decide to use the context-specific authorizations, then don’t mix them with non-context authorization objects, since that will make you lose control of the access control. I once did a review with a customer who used P_ORGINCON together with P_ORGXX, and this granted some unwanted tunnels of access, which were only removed when the control point in P_ORGXX was passed over to the organisational key in P_ORGINCON.
For the organizational key I can recommend my YouTube video, which describes the customization of it. You can find the link here:
Video: Customization of Organizational Key
The organisational key is a piece of SAP HCM master data, which must be maintained together with the rest of the master data fields from personnel administration such as personnel area, employee group and subgroup.
3 The concepts for setting up structural profiles
When you decide how the structural profiles should be customized, you must keep in mind that you wish to create as few structural profiles as possible and that the profiles you create should be easy to recognize for use with your SAP roles. Too many structural profiles have been created without any concept, and this will give you an unstructured patchwork of profiles, some of them perhaps redundant. The unstructured setup of profiles also has a negative impact on performance, because you will end up with redundancy of objects granted to a user through several assigned structural profiles. It is in everyone's interest to have a concept for structural profiles, so that you secure the smoothness of day-to-day operation.
3.1 There are two main concepts for setting up structural profiles
The first concept is 1:1: one business role = one structural profile. This concept uses one structural profile per business role. So if you have a business role called HR partner, then you will also have a structural profile called HR_PARTNER; if you have a business role called LSO administrator, you will have a structural profile called e.g. LSO_ADMIN. The 1:1 concept is a setup where each business role has its own structural profile. So in the case of a business partner, all the structural requirements should be granted through the structural profile HR_PARTNER, and there is no need for additional structural profiles for our HR partners.
This concept is easier for unskilled supporters to administer, because everybody can grasp the idea that a business role such as HR_PARTNER needs the structural profile HR_PARTNER. If a user is assigned several business roles, then he/she will be assigned the number of structural profiles that matches the business roles. This might grant redundant access to certain object IDs, but from an operational point of view in user administration it is easy to support.
The other concept is "as few structural profiles as possible". With this concept we reuse the structural profiles across business roles. This concept reduces the number of structural profiles, which can be a benefit from a performance point of view, especially for users who have many different roles. From a user administration point of view it might not be straightforward to understand, and I suggest that this concept is used together with an automatic profile assignment tool based on the users' role assignments.
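The role-driven assignment suggested above, as an added sketch that is not part of the original article or any SAP tool: it derives the structural profiles each user needs from their currently valid roles and compares that with simplified rows shaped like T77UA (user, profile, start, end). HR_PARTNER and LSO_ADMIN are the profile names used in the text; the role names, ORG_MANAGER, the users and all dates are constructed.

```python
from datetime import date

# Assumed role -> structural profile mapping (hypothetical role names).
# Two roles sharing ORG_MANAGER models the "as few profiles as possible" concept.
ROLE_TO_PROFILES = {
    "Z_HR_PARTNER": {"HR_PARTNER"},
    "Z_LSO_ADMIN": {"LSO_ADMIN"},
    "Z_LINE_MANAGER": {"ORG_MANAGER"},
    "Z_MANAGER_SUBSTITUTE": {"ORG_MANAGER"},
    "Z_ESS": set(),                      # role that needs no structural profile
}
FOREVER = date(9999, 12, 31)


def plan_assignments(user_roles, t77ua, today):
    """Compare the profiles required by valid roles with valid T77UA-like rows."""
    required, unmapped = set(), set()
    for user, role, begda, endda in user_roles:
        if not begda <= today <= endda:
            continue                     # expired or future role: needs nothing
        if role not in ROLE_TO_PROFILES:
            unmapped.add(role)           # undocumented role: report, do not guess
            continue
        required |= {(user, profile) for profile in ROLE_TO_PROFILES[role]}
    current = {(u, p) for u, p, b, e in t77ua if b <= today <= e}
    return {
        "assign": sorted(required - current),
        # A shared profile is only delimited when no valid role requires it.
        "delimit": sorted(current - required),
        "unmapped_roles": sorted(unmapped),
    }


# Constructed sample data.
USER_ROLES = [
    ("ANNA", "Z_HR_PARTNER", date(2020, 1, 1), FOREVER),
    ("ANNA", "Z_LSO_ADMIN", date(2020, 1, 1), date(2023, 12, 31)),    # expired
    ("BO", "Z_LINE_MANAGER", date(2021, 1, 1), date(2023, 6, 30)),    # expired
    ("BO", "Z_MANAGER_SUBSTITUTE", date(2022, 1, 1), FOREVER),
    ("CARL", "Z_PAYROLL", date(2022, 1, 1), FOREVER),                 # not mapped
]
T77UA = [
    ("ANNA", "LSO_ADMIN", date(2020, 1, 1), FOREVER),    # obsolete assignment
    ("BO", "ORG_MANAGER", date(2021, 1, 1), FOREVER),    # still needed as substitute
]

if __name__ == "__main__":
    print(plan_assignments(USER_ROLES, T77UA, date(2024, 5, 1)))
```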
3.2 The cons of using structural profiles
Most authorization consultants and user administration supporters have limited knowledge of structural authorizations, and this is a problem if you want to be true to the obligations stated in your SLAs. You must therefore set up the profiles so they are aligned with the PFCG roles, which makes them easy to handle in production. Automatic assignment of profiles is, as mentioned earlier, always advisable. The more automatic assignment you can set up, the less dependent you will be on resources and services which are outside your operational area.
A large number of structural profiles can have a negative impact on performance. Keep an eye on what each structural profile is supposed to grant. Review your structural profiles on a yearly basis for merging options and clean them up. Don’t leave unused structural profiles hanging in the system, since they will only disturb the day-to-day operation of user administration.
When you activate structural authorizations, keep in mind that they will have an impact on areas other than HR, so consider who else is making use of HR data in your system before a quick switch in AUTSW ORGPD.
Don’t just create structural profiles one after the other to firefight operational issues, because it will end up as an unstructured patchwork. Have a concept for your structural profiles and keep it clean.
Make sure to document your structural authorizations so others, such as supporters, know about their existence and purpose.
Also remember to describe the need for structural profiles in your SAP roles where the roles depend on them. This will also help user administrators in solving daily issues.
3.3 Fixed versus Dynamic structural profiles
I mentioned in chapter 2 some examples of fixed and dynamic structural profiles. The fixed structural authorizations all have a starting point + evaluation path (or no evaluation path, such as those in figure 3). These structural profiles are used for central and decentralized employee handlers, payroll clerks and time administrators. They can be used by all users, even if the user is not assigned to any position in the organisational structure or is not assigned to a person in personnel administration through PA0105.
Dynamic structural authorizations are the attribute-dependent profiles, which use a function module. In most dynamic structural profiles you need to maintain the P-US relation in IT0105 subtype 0001. This setup is used for line managers, HR partners, project managers and line managers' substitutes. I say that in most cases you need a person – user assignment through PA0105, because you can also use other attributes, such as the user's record itself, or read attributes from the roles which are assigned to the user. The attributes which are picked up by a function module in OOSP can come from all kinds of areas and not only from the organisational structure.
One of the most common implementations with dynamic structural profiles is to set up customer relations with your own function modules, but please consider the maintenance of these relations compared with using existing attributes from the employees, which are already incorporated in an existing maintenance cycle. Security-created attributes seem to fail over time regarding maintenance or clean-up, so I will always advise using attributes which are already maintained and reliable.
3.4 Evaluation path used for structural profiles
In transaction OOAW you can set up the evaluation paths. When the evaluation paths are set up you must avoid recursions, where the evaluation path used is looping around the same master data. If you have recursions, it will for sure kill your performance.
When you create your structural profiles, create an independent evaluation path per profile. It will give you enhanced flexibility for future changes. If you use SBESX for all your profiles and you change it by adding a new relation to it, then the change will apply in all those structural profiles where SBESX is used. Hmm, and don’t change the standard evaluation paths under any circumstances; make a copy of them instead.
Before you use the evaluation path you can test it in PPSS. When you test the evaluation paths through PPSS you can check whether the correct objects are shown.
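To make the drill-down of a fixed profile (chapter 2) and the recursion warning above concrete, here is an added model that is not from the original article and is not SAP code: it resolves a root object plus an evaluation path over rows shaped like HRP1001 and reports any loop it meets. The starting unit O 50123456 is the one from figure 2; all other IDs, the simplified O-S-P style path and the depth semantics are assumptions made for the example.

```python
from collections import namedtuple

# Constructed sample rows shaped like HRP1001: object -> relationship -> related object.
Rel = namedtuple("Rel", "otype objid rsign relat sclas sobid")
HRP1001 = [
    Rel("O", "50123456", "B", "002", "O", "50123457"),   # org unit is line supervisor of org unit
    Rel("O", "50123457", "B", "002", "O", "50123458"),
    Rel("O", "50123456", "B", "003", "S", "60000001"),   # org unit incorporates position
    Rel("O", "50123457", "B", "003", "S", "60000002"),
    Rel("O", "50123458", "B", "003", "S", "60000003"),
    Rel("S", "60000001", "A", "008", "P", "00001001"),   # position has holder (person)
    Rel("S", "60000002", "A", "008", "P", "00001002"),
    Rel("S", "60000003", "A", "008", "P", "00001003"),
]

# Simplified O-S-P style evaluation path (assumption, not the delivered SBESX):
# each step is (object type, direction, relationship, related object type).
PATH = {("O", "B", "003", "S"), ("S", "A", "008", "P"), ("O", "B", "002", "O")}


def expand_profile(root, path, relations, depth=0):
    """Resolve a fixed profile (root + evaluation path) to the objects it grants.

    depth counts levels with the root as level 1; 0 means no limit (assumed
    semantics for this model). Returns (granted objects, recursion trails).
    """
    index = {}
    for r in relations:
        index.setdefault((r.otype, r.objid), []).append(r)
    granted, recursions = {root}, []

    def walk(node, level, trail):
        if depth and level >= depth:
            return
        for r in index.get(node, []):
            if (r.otype, r.rsign, r.relat, r.sclas) not in path:
                continue                     # relation is not part of this path
            child = (r.sclas, r.sobid)
            if child in trail:               # path loops back onto its own master data
                recursions.append(trail[trail.index(child):] + [child])
                continue
            granted.add(child)
            walk(child, level + 1, trail + [child])

    walk(root, 1, [root])
    return granted, recursions


ROOT = ("O", "50123456")
LOOP = Rel("O", "50123458", "B", "002", "O", "50123456")   # constructed faulty relation
if __name__ == "__main__":
    print(sorted(expand_profile(ROOT, PATH, HRP1001)[0]))
    print(expand_profile(ROOT, PATH, HRP1001 + [LOOP])[1])
```

Giving each profile its own copy of the path, as recommended above, corresponds here to passing a separate `PATH` set per profile, so adding a relation to one path cannot widen another profile.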
3.5 Prerequisites for implementing structural profiles.
The integration between OM and PA should be active, so check that PLOGI ORGA is switched on. You should also check the feature PLOGI for the integration; there might be a surprise you would like to avoid (own experience, I was there 🙁).
From a personnel administration point of view, make sure the employees are assigned to the organisational structure, and when terminated they should remain assigned to the organisational unit they came from. It is always difficult to solve an authorization problem in HR, because there are many places in master data which can be the cause of the authorization issue.
Especially when the structural profiles are handed over to user administration, you must make sure that there is someone who knows the relations between master data and structural authorizations. Unfortunately you are not always lucky with the competences you need and the supporters you get assigned, so instead of taking this risk, give the supporters some tools which will do the checks a skilled HR consultant would normally do. You can find examples of such RCAT (root cause analysis tools) among different partners.
Hourly employees are sometimes left outside the organisational structure. To access these employees you will need either a customer-specific function module or structural ALL access. The function module is preferred, because you then retain structural control. If you have hourly employees without any organisational assignment, they will be considered assigned to the default position.
3.6 The default position and how to handle it.
The position 99999999 is used for terminated employees. If you keep these employees assigned to their old organisational unit, then you will be able to access them from a structural point of view, but that depends on the settings of the default position.
The structural authorization setup for the default position has 4 different options. The 4 options are:
- Fallback on Organizational Unit
- No Fallback on Organizational Unit
- Fallback (Initial Organizational Unit –> Authorization)
- No Fallback (Authorization is Always Granted)
The setup of the default position is handled through transaction OOAC. This is also the transaction where you switch on the authorization checks you need in the system. In the previous chapter I described the hourly employees who are sometimes not assigned in the organisational structure. If you have chosen e.g. 4 for determination of the default position authorization, then there will be access to everyone who is on the default position, which might not be in line with your company’s compliance rules.
3.7 Indexation of structural profile RHBAUS00
In large HCM setups where time, organisation, compensation, learning, appraisals, invoice handling and workflows are used, you will discover long response times and perhaps timeouts for complex users. These timeouts can be a result of performance issues with structural authorizations. These issues can be handled with indexation. The indexation starts with assigning the users to be indexed. This is done through transaction S_PH0_48000112; you then generate the index on an hourly schedule through transaction S_PH0_48000110.
PROS: The performance increase is significant!
CONS: You don’t have online access to objects, so new objects will be out of reach until the next indexation has been executed for your user.
There is a wide range of transactions which can be used for testing. I will give you a few of those I use myself on a regular basis for structural profiles:
- PPSS: test the evaluation paths.
- PPMDT: for back end test of MSS.
- SU53: Are there any issues?
- HRAUTH: Brilliant tool
You can also find my video regarding this subject on YouTube.