Sunday, 15 September 2013

HR Authorization in SAP

HR Authorizations

Question :
Anyone know if there is a way of restrict the access to HR data by payroll area?

Answer :
As delivered by SAP, Only in certain tcodes with authorization object P_PCR.
If you want to make it a a pre-condition for master data you will have to activate the customer defined auth object and control this as one of the fileds.
A close equivalent is Employee group and Employee sub-group which is controlled with P_ORGIN.

Question :
How can I activate the customer defined auth object?

Answer :
1. Create the authorization object to be user, NOote: it is Highly recommended you create it to REPLACE P_ORGIN if the access is to be limiteed as a VALUE-SET with fields in P_ORGIN.  If not you will be giving access to users you do not intend.
2. Turn on the Customer object in tcode OOAC record AUTSW NNNNN; change the 0 to 1.
3.run program RPUACG00 to load the code used to check the authority.
The custom authorization object can contain any field in infotype 0001

Question :
Where can I create a customer authorization object? Our relese is 45B.
I can't find either tcode OOAC.

Answer :
Create the customer Authorization object in transaction SU21,
OOAC is not available in 4.5 you will have to read the docuentationof the autorization object P_ORGIN and drill down and you will see reference to an include you must modify to activate the exit. it is something like MSAUTH0(?) SAP fixed this in 4.6 so it is a config table, in prior versions it is a code "fix"

Why don't you just use the Org Key field in P_orgin? can define combination of fields from IT0001 (incl payroll area..i believe) as an auth field. 

No comments:

Post a Comment