
HR Security

Nitin Sandal
Introduction

• A company’s employees are its most important resources

• The Human Resources Department is responsible for:
– Attracting
– Hiring
– Rewarding
– Terminating
employees

• The importance of HR processes to all functional areas has led to the use of the term Human Capital Management (HCM) to describe them
Human Resources with ERP

• Managing a company’s human capital is information intensive

• Electronic storage of data greatly simplifies the retrieval of important data

• The SAP HR module provides tools for:
– Managing an organization’s structure, job roles and responsibilities, and definitions
– Personal employee information
– Time management
– Payroll
– Travel management
– Employee training
Organizational Management

• Most companies have an organizational chart or plan to help define an individual’s responsibilities in the organization

• With ERP, the organizational chart provides a structure to support additional tasks

• SAP R/3 provides an Organizational and Staffing Plan tool to define a company’s management structure and define positions within the organizational structure

• The plan can also define the individuals that hold each position
Organizational Management

• Organizational Units describe the different departments / divisions / business processes within a company.

• Positions are actual placements held by an individual. There is a one-to-one relationship between an employee and the position he or she holds. It is typical that the employee inherits most of his or her organizational assignment attributes through the position, since most of the structures in Personnel Administration are mapped into the position, not the employee directly.

[Figure: organizational plan showing Organizational Units, Positions, and Person holding position]


Manager’s Desktop

• The SAP HR Module provides the Manager’s Desktop, a tool that provides access to all Human Resource data and transactions in one location

• Human Resource data is very sensitive, so controlling access is critical

• With an integrated information system, controlling access is simplified as a range of authorization tools are available
Advanced SAP HR Features

• Time Management
– Cross Application Time Sheets (CATS) record employee working times and provide data to Controlling (CO), Payroll and Production Planning (PP).
• Payroll Management
• Travel Management
• Training and Development
• Succession Planning
Authorisation Concept

• Standard Authorizations

• Structural Authorizations
Standard Authorization

[Diagram: User, User Master Record, Composite Role, Role, Profile, Authorisation, Authorisation Object, Fields & Values]
Key Authorization object for HR

• P_ORGIN – HR: Master Data: This authorization is used to restrict access to personnel master data
– The authorization level field specifies the access mode. The following authorization levels exist:
  • R (Read) for read access
  • M (Matchcode) for read access to input helps (F4)
  • W (Write) for write access
  • E and D (Enqueue and Dequeue) for write access using the Asymmetrical Double Verification Principle. E allows the user to create and change locked data records and D allows the user to change lock indicators.
  • S (Symmetric) for write access using the Symmetric Double Verification Principle
  • * always includes all other authorization levels simultaneously
Key R/3 HR Terms

• User Master Record stores key user information like user name, name, address, authorization profiles and activity groups.

• Roles/Activity Groups are used to choose a menu of transactions and create the corresponding authorization profile. After this, the activity group can be assigned to a user through an organization unit or position (Object type AG).

• InfoTypes are units of information in the Human Resource Management System. Recording employee data for administrative, time recording, and payroll purposes is of primary importance for master data administration in HR. In the SAP System, the information units used to enter master data are called infotypes.

– Infotype 105 is the employee’s communication ID for a certain type of communication (e.g. R/3 System, Internet).

– Infotype 1001 is the collection of different types of relationships that are used to describe the relationship between a position and its attributes (e.g. Personnel Number, Activity Groups).
Key Authorization object for HR

• P_ORGXX – HR: Master Data - Extended Check
– The authorization object HR: Master Data - Extended Check is used during the authorization check on HR infotypes. The checks take place when HR infotypes are edited or read.

• P_PERNR – HR: Master Data - Personnel Number Check
– You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
– The following values are possible for the PSIGN field:
  • I = Authorization for personnel number assigned, that is for own personnel number
  • E = Authorization for all personnel numbers excluding own personnel number
Key Authorization object for HR

• P_PCR – This authorization object is used by the authorization check for the payroll control record.

• P_PYEVRUN – You can use this authorization object to control the actions possible for posting runs.

• P_PYEVDOC – You can use this authorization object to protect actions on posting documents.

• P_TCODE – Access authorization to payroll schemas (transaction PE01) and personnel calculation rules (transaction PE02) is granted by authorization for the HR: Transaction Code authorization object.
New Authorisation Objects

• P_ORGINCON (HR: Master Data with Context):
– Authorization object that is used during the authorization check for HR data. This check takes place when HR infotypes are edited or read. You can map user-specific contexts in HR Master Data using P_ORGINCON.

• P_ORGXXCON (HR: Extended Check with Context):
– The authorization object P_ORGXXCON consists of the same fields as P_ORGXX and has been expanded to include the PROFL field.

• P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context):
– If you have requirements that cannot be mapped using the P_ORGINCON and P_ORGXXCON authorization objects and if you want to implement the context solution, you can include an authorization object in the authorization checks yourself.
Four Ways to Assign Roles In SAP Security

• PO10 – assigning activity groups via organizational units

• PO13 – assigning activity groups directly to the position

• SU01 – assigning activity groups directly to the User Master Record

• PFCG – assigning a user directly to an activity group


Structural Authorizations

• Structural authorizations are used to grant access to view information for personnel where HR has been implemented.

• Access is granted to a user implicitly by the user’s position on the organizational plan.

• Structural authorizations are not integrated into the standard authorization concept and structural authorization profiles are not the same as standard authorization profiles.
Structural Authorizations

• Unassigned Users: User IDs that have been linked to a Personnel Master Record via Infotype 105 MUST be assigned a structural authorization profile regardless of whether they are assigned to a node on the organizational plan or not.

• There is no way to trace structural authorization checks, and structural authorization checks that fail do not show in SU53.

• Structural authorization profiles are not related to standard security profiles in any way.
Structural Authorizations

• A user’s Overall Profile is determined from the intersection of his or her structural and general authorization profiles, when you use both structural and general authorizations.

• The structural profile determines which object in the hierarchical structure the user has access to, the general profile determines which object data (infotype, subtype) and which type of authorization (Read, Write, ...) the user has for these objects. The access mode for authorization objects in HR Master Data is determined in the AUTHC field (Authorization Level).
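
Added example (a simplified model, not SAP code and not part of the original slides): how the overall profile behaves as an intersection of a structural scope and a general P_ORGIN-style authorization. The org plan, user, infotype values and function names are constructed for illustration; only INFTY, SUBTY and AUTHC are modelled, and only the "*" inclusion rule listed on the P_ORGIN slide is applied.

```python
# Simplified model of the "overall profile" check; assumptions are labelled below.
# Constructed organizational plan: org unit -> child org units and personnel numbers.
ORG_PLAN = {
    "OU_SALES": {"units": ["OU_SALES_EU"], "persons": ["1001"]},
    "OU_SALES_EU": {"units": [], "persons": ["1002", "1003"]},
    "OU_FINANCE": {"units": [], "persons": ["2001"]},
}

def structural_scope(root_units):
    """Personnel numbers reachable below the root org units of a structural profile."""
    seen, persons, stack = set(), set(), list(root_units)
    while stack:
        unit = stack.pop()
        if unit in seen or unit not in ORG_PLAN:
            continue
        seen.add(unit)
        persons.update(ORG_PLAN[unit]["persons"])
        stack.extend(ORG_PLAN[unit]["units"])
    return persons

def field_matches(granted, requested):
    # "*" includes every value; no other implicit inclusion is modelled.
    return granted == "*" or granted == requested

def general_allows(authorizations, infty, subty, level):
    """True if any P_ORGIN-style authorization covers infotype, subtype and level."""
    return any(
        field_matches(a["INFTY"], infty)
        and field_matches(a["SUBTY"], subty)
        and field_matches(a["AUTHC"], level)
        for a in authorizations
    )

def overall_allows(user, pernr, infty, subty, level):
    """Intersection: person in structural scope AND data/level in general profile."""
    in_structure = pernr in structural_scope(user["structural_roots"])
    return in_structure and general_allows(user["p_orgin"], infty, subty, level)

# Constructed user: read on infotype 0002, write on infotype 0006, sales subtree only.
MANAGER = {
    "structural_roots": ["OU_SALES"],
    "p_orgin": [
        {"INFTY": "0002", "SUBTY": "*", "AUTHC": "R"},
        {"INFTY": "0006", "SUBTY": "*", "AUTHC": "W"},
    ],
}
```

A request is granted only when both halves agree: a person outside the structural subtree is denied even if the general profile would allow the infotype, and an infotype or level missing from the general profile is denied even for a person inside the subtree.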
Brief steps to do Structural Authorization

• Step 1: TC OOAC (table T77S0)
To activate the Structural Authorization switch

• Step 2: TC OOSP
To create Structural Authorization profiles

• Step 3: Assign Structural Authorization profile to user ID
– TC: SE38 and assign report RHPROFL0; enter object ID, for example (Org unit)
