
Structural Authorization

Defined
HR Structural Authorizations permit access to personnel data based on the user's position or span of authority within the organizational structure.

Structural Authorization: Org, PD, TEM, Quals (TC: OOSB)
General Authorization: Personnel Admin (TC: PFCG)

Structural Authorization High Level Process
Configuration & Switch Settings
Evaluation Path
Determine Root Org Unit
Create Structural Authorization Profile
Link Structural Authorization Profile to User Id

STRUCTURAL AUTHORIZATIONS PROCESS FLOWCHART
PA/PD Integration Turned On (PLOGI/ORGA)
Structural Authorization Activated via (TC: OOAC or T77S0)
Evaluation Paths Maintained (T778A/V_T77AW)
Structural Authorization Waiting Period (TC: OOAC or T77S0)
SAP User ID linked to PA via IT0105 Record
Organizational Structure Developed
Dynamically assign Root Org Unit (Function Module)
Structural Authorization Profiles Developed (TC: OOSP or T77PR)
Manually assign Root Org Unit
Dynamically
Organizational Structure (Org Unit/Position)
Structural Auth Profiles Linked to PD Object (IT1017)
SAP Program RHPROFL0 Executed
Employee Record assigned IT0001
Manually
Execute Reports to Optimize Performance
SAP User ID linked to Structural Auth. Profile (TC: OOSB or T77UA)
User Access Restricted Based on Org Structure

PA/PD Integration Active

Structural Authorizations Activated
Change from 0 to 1
Refer to OSS Note 339367, which refers to OSS Note 363083
Maintenance of the switch AUTH_SW P_ORGPD to import 4.7 functionality
TC: OOAC or T77S0
4.6 and below

Structural Authorizations Activated
4.7

Structural Authorizations Waiting Period

Create Organizational Structure

Transaction code PPOME
Create organizational units (object type O)
Create jobs (object type C)
Create positions (object type S)
Assign chief positions, especially if the relationship A012 is being used in function modules


Create Personnel Master Records


All personnel require a personnel number
Create an IT0105, subtype 0001 record for all EEs, linking the SAP user id to the personnel number, which is linked to the org structure
All personnel require an IT0001 record

Create Personnel Master Records: IT0105, IT0001

Evaluation Paths
Use SAP standard evaluation paths
SAP standard function modules read delivered evaluation paths
Create customer defined evaluation paths
Customer defined function modules specify customer defined evaluation paths

Evaluation Paths: T778A, V_T77AW

Create Structural Authorization Profiles
Transaction code OOSP or T77PR
Screen # 1
Profile: Enter profile name and description
Save Structural Authorization Profile

Assign Root Org Unit


Option 1: Dynamically.
Function Module: RH_GET_MANAGER_ASSIGNMENT determines the root organizational unit to which the user is assigned as Manager via the A012 chief relationship.
Assign function module in T77PR in field PFUNC

Screen # 2 T77PR
When Function Module is being used, leave Object ID field blank

RH_GET_MANAGER_ASSIGNMENT: Determines the root org unit object to which the user is assigned as Manager via the A012 chief relationship. (Supervisor)

Screen # 2 (Continued)
Auth Profile: Select profile from the pop-up box
No.: Enter Line/Sequence/Interval numbers 5, 10, 15, etc.
Plan version: Enter active plan. Ex. 01
Object type: Enter the object type the end user will be authorized to change or display (O Org Unit, S Position, C Job, P Person, and any customer defined objects)
Object ID: If the root org unit is assigned manually, enter the org unit ID value. If you are using function modules to dynamically determine the root org unit, leave this field blank
Maintenance: If checked, maintain authorization is granted for the object type; if unchecked, only display authorization is granted.
Evaluation Path: Enter evaluation path defined in T77UA

Screen # 2 (Continued)
Status vector: Planning status authorization

1 Active
2 Planned
3 Submitted
4 Approved
5 Rejected
To grant access to Active and Planned statuses, enter 12

Depth: Enter the number of levels from the root org unit of the org structure.
Sign: Process structural authorization top-down (+) or bottom-up (-)

Screen # 2 (Continued)
Time period: Restrict access based on the validity period of the org structure.

D Current Day
M Current Month
Y Current Year
P Past
F Future

Function module:
Leave this field blank if the root org unit is defined in field Object ID
Determine the root org unit using SAP standard or customer defined function modules

Screen # 2 (Continued)
Add multiple rows in this table for all PD objects that the structural authorizations permit the user to change and/or display
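
A simplified model of how one profile row from Screen # 2 resolves to a set of objects, added here as an example (it is not SAP code and not part of the original slides). The dictionaries, the user JSMITH, the object IDs, the per-link planning status and the rule that the root counts as level 1 are constructed assumptions; sign and time period are not modelled.

```python
from collections import deque

# Constructed sample data (not from an SAP system).
IT0105 = {"JSMITH": "00001001"}                       # user ID -> personnel number
HOLDER = {"00001001": ("S", "50000010")}              # person -> position held
CHIEF_A012 = {("S", "50000010"): ("O", "10000001")}   # chief position -> org unit

# Links the evaluation path follows: object -> [(related object, planning status)]
STRUCTURE = {
    ("O", "10000001"): [(("O", "10000002"), "1"), (("S", "50000010"), "1"),
                        (("O", "10000003"), "2")],
    ("O", "10000002"): [(("S", "50000020"), "1"), (("O", "10000004"), "1")],
    ("O", "10000003"): [(("S", "50000030"), "1")],
    ("O", "10000004"): [(("S", "50000040"), "1")],
}

def manager_root(user):
    """Dynamic root: the org unit whose chief position (A012) the user holds."""
    pernr = IT0105.get(user)
    return CHIEF_A012.get(HOLDER.get(pernr))

def resolve(user, row):
    """Return {(otype, objid): 'maintain' | 'display'} granted by one profile row."""
    root = row["objid"] or manager_root(user)   # manual Object ID, else dynamic root
    if root is None:
        return {}                               # no IT0105 link or no chief position
    access = "maintain" if row["maintenance"] else "display"
    granted, queue = {}, deque([(root, 1)])     # assumption: the root is level 1
    while queue:
        node, level = queue.popleft()
        if node in granted:
            continue
        granted[node] = access
        if level >= row["depth"]:
            continue                            # depth limit reached
        for child, status in STRUCTURE.get(node, []):
            if status in row["status_vector"]:  # e.g. "12" = Active and Planned
                queue.append((child, level + 1))
    return granted

if __name__ == "__main__":
    row = {"objid": None, "maintenance": False, "status_vector": "1", "depth": 2}
    for obj, access in resolve("JSMITH", row).items():
        print(obj, access)
```

A user with no IT0105 link or no chief position resolves to an empty set in this model, which is the case to look for when a manager reports seeing no data after the profile has been assigned.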

Assign Root Org Unit


Option 2: Dynamically.
Function Module: RH_GET_ORG_ASSIGNMENT determines the root organizational unit to which the user is organizationally assigned.
Assign function module in T77PR in field PFUNC

Screen # 2 T77PR

A customer defined Function Module may be used

RH_GET_ORG_ASSIGNMENT: Determines the root organizational unit to which the user is organizationally assigned.

Assign Root Org Unit


Option 3: Dynamically.
Customer Defined Function Module: Copy and modify SAP standard function modules to specify customer defined evaluation paths
Assign function module in T77PR in field PFUNC

Assign Root Org Unit


Option 4: Manually
Function Module not used.
Manual assignment of root organizational unit
Define root organizational unit in T77PR in field OBJID

Screen # 2 T77PR

When Object ID is being used, leave Function Module field blank

Structural Authorization Profile Completed

Link User ID to Structural Authorization Option # 1
Assign Structural Authorization to PD Object
Restrict user access based on PD objects.
Assign the structural authorization defined in transaction code OOSP or T77PR to a PD object by creating an IT1017 record. Example: Create IT1017 for an org unit or position depending on your requirements
This links the structural authorization to the organizational structure.
IT1017 is required if you are going to dynamically populate T77UA by linking user id to structural authorization profile.

Assign IT1017 to Position


Execute transaction code PP01 > Create PD Profiles > Assign Structural Authorization Profile

Link User ID to Structural Authorization
Execute SAP Program RHPROFL0 on a nightly or emergency basis.
The report dynamically links the user id (IT0105, Subtype 0001) to the designated structural authorization profile in T77UA based on the assignment of IT1017 to PD objects.

RHPROFL0 program report output

T77UA auto populated by the RHPROFL0 program

Link User ID to Structural Authorization Option # 2
Can be assigned manually
IT1017 is not necessary
Transaction code OOSB or T77UA
Ensure customizing of the table is permitted in Production client
This method is not recommended. Can be very labor intensive

Manually Link User ID to Structural Authorization
Execute transaction code OOSB > Click on New Entries > Enter user id, corresponding structural authorization profile, enter start date, enter end date and click on the save icon.

Optimize Structural Authorization Performance
Manually enter user ids in T77UU User Table for Batch Input. Stores user id in SAP memory (T77UU). Not recommended.
Dynamically add/remove user ids in T77UU by executing program RHBAUS02 based on the number of objects.
Execute nightly program RHBAUS00 to regenerate indexes saved in table INDX.
Indexes regenerated and saved in table INDX
OSS note 836478 dated 4/21/05: Display Index Report: RHAUTH_VIEW_INDX

Congratulations!
You have completed the configuration of structural authorizations.
Do not know of any method to trace structural authorizations
Test, test user ids for both structural authorizations and PA/PD authorization assigned to roles in TC: SU01.

Customer Defined Structural Authorizations
Use BADI: HRBAS00_STRUAUTH
Customer defined logic for Structural Authorization
Use BADI: HRPAD00AUTH_CHECK, which allows the customer to input their own coding into this customer exit for HR Master Data.
Example: Restrict authorizations based on Business Area, Plant, etc.

Reporting Considerations
Customer Defined Reports: Use HR Macros in your custom program to engage structural authorizations from the LDB. If the LDB is not being accessed, you need to code structural authorizations in the program.
SAP Standard Reports: There may be some circumstances in which you do not want structural authorizations checked. Copy standard reports and remove authorization checks.

Lessons Learned
Keep in mind that new structural authorizations for users will not be effective until the next day if RHPROFL0 is run nightly.
Remember to assign Authorization Groups to customer defined z-tables in order to maintain them in the Production client.
Assign all end users structural authorizations.

WHAT'S NEW IN 4.7
Transaction code SU53: Reasons for failed structural authorizations are displayed

Context Structural Authorizations


Questions ?

Contact Information
kenneth.p.bowers.jr@saic.com
864-940-7282
