
SAP HR Organizational Management Tutorial Part 1

In this tutorial we will cover the key concepts in the OM module of SAP HR

Object Types – entities within OM are maintained as object types (e.g. Org Units, positions, jobs)
Relationships – link objects together (e.g. person to position, position to Org Unit)
Validity Dates – define the lifespan of objects and relationships
Infotypes – data input screens used to record the relevant information

Object Types
Each aspect of OM is recorded as an object type, a way of grouping similar data together. For example, organizational unit is an object type, position is another object type.

Relationships
There are many objects within OM, and the creation of relationships is the way that data is linked together. When you build the hierarchical organizational structure, you are creating a relationship between organizational unit objects. If you attach a position to an organizational unit, you are creating a relationship between the position object and the organizational unit object.

Validity Dates
Whenever you create an object or a relationship between objects, you must enter start and end dates. These validity dates ensure that data entries can only be made within a specified lifespan.

Infotypes
These are the data input screens used to record the OM information. Some infotypes are automatically updated "behind the scenes"; other infotypes require you to input the information manually.

Let's look at the different OBJECT TYPES in detail. OM is based upon the use of object types and relationships. Object types group similar data together. Although an organizational plan can consist of many object types, the five basic building-block object types and their "codes" are as follows:

The Personnel Administration (PA) module of the SAP HR system holds the person-related data in infotypes in the master data file. The Organizational Management (OM) module looks at the organization's departmental structure and holds the data in object types. OM object types are a way of grouping similar data. The system assigns a code to each object type. These objects are created and maintained separately and are then linked together using relationships.

Organizational Unit

Object type O is used for Organizational Unit. Organizational units are units of your company that perform a function. These units can be departments, groups or project teams, for example. You create the organizational structure of your company by relating organizational units to one another. The organizational structure is the basis for the creation of an organizational plan.

Position

Object type S is used for Position. Positions are used to distribute tasks to different positions and to depict the reporting structure in your organizational plan. Positions are concrete and are held by employees in a company. Positions are assigned to organizational units and can inherit characteristics from a job.

Job

Object type C (classification) is used for Job.

Positions are held by people in the company (e.g. secretary in the marketing department, HR manager). Jobs, in contrast, are classifications of functions in an enterprise (e.g. secretary, manager), which are defined by the assignment of tasks and characteristics. Jobs serve as job descriptions that apply to several positions with similar tasks or characteristics. When you create jobs, they are listed in a job catalog. When you create a new position (e.g. secretary in the marketing department), you can relate it to a job that already exists in the job index (e.g. secretary). The position then automatically inherits the tasks and characteristics of the job. This significantly reduces data entry time, as tasks and characteristics do not have to be assigned to each position separately; instead they are inherited via the descriptive job. Note, however, that specific tasks and characteristics can also be assigned directly to positions.

Jobs are also important in the following components:

Personnel Cost Planning
Career and Succession Planning
Compensation Management

When you create jobs, they are listed in a job catalog. A job catalog is a list of jobs maintained for an enterprise.

Cost Center

Object type K is used for Cost Center. Cost centers are a Controlling/Finance item that represents the origin of costs. Cost centers are external to OM and are created and maintained in the Controlling module. Cost centers can have relationships with either organizational units or positions.

Cost center assignments are inherited along the organizational structure.

Person

Object type P is used for Person. A person is generally an employee in the company who holds a position. Additional information for employees is maintained in PA (e.g. address, basic pay, etc.). IT0001 (Organizational Assignment) contains the position assignment, the defining job, the organizational unit and the cost center assignment.

Another noteworthy object type is TASKS

Object type T is used for tasks. Tasks are individual duties and responsibilities that must be undertaken by employees.

Tasks can be grouped under two headings:
As part of workflow
As part of personnel management, to describe jobs and positions

SAP HR Organizational Management Tutorial Part 2

Relationships
We need to look at two types of relationships in SAP:
1) Relationships with the same object types
2) Relationships with different object types
Let's look into them in detail.

Relationships with Same Object Types

Organizational units are related to each other to form a hierarchical structure. Each organizational unit is created as an individual object (of object type O). Using the example above, the organizational unit "Regional Office" is an object, as are the organizational units Finance & Accounting and Human Resources. To create the interrelated hierarchy, a relationship must exist between Regional Office and Finance & Accounting and between Regional Office and Human Resources. Relationships are formed in both directions; therefore Regional Office incorporates Finance & Accounting and Finance & Accounting belongs to the Regional Office. When you create a relationship between objects, SAP automatically creates the corresponding reverse relationship.

Relationships with Different Object Types

Any SAP organizational unit will have positions attached to it. The organizational unit object is therefore linked to the position objects by a relationship. In the example detailed above, the organizational unit object Human Resources has a relationship of "incorporates" with the position object HR Manager; therefore the position object HR Manager has a relationship of "belongs to" with the organizational unit object Human Resources.

Common relationships

Objects are linked through relationships. You create relationships between the individual elements in your organizational plan. Several linked objects can represent a structure. There are different types of relationships, as the type of connection between elements varies.

SAP HR Organizational Management Tutorial Part 3

Once you have created the different OM objects, you will need to maintain the infotypes related to them. Let's look at SAP HR OM infotype maintenance. There are two methods to maintain SAP Organizational Management infotypes:
1. Using the Organization and Staffing transaction
2. Using the Expert Mode
In this tutorial we will look at the Expert Mode. The Expert Mode is an interface that is ideal for maintaining details. Individual objects are selected using the Object Manager; the infotypes for that particular object can then be maintained. Transaction code PP01 can be used to maintain all object types. Due to authorization restrictions, you may not have access to PP01. Instead, you will have to use one of the following transactions, each of which restricts access to one particular object type:

PO10 Organizational Unit
PO03 Job
PO13 Position
PO01 Work Center

The PP01 screen is shown below. The screens for PO10, PO03, PO13 and PO01 are very similar.

1. Plan Version: It is important to ensure that you are working in the correct plan version at all times (you can also default the plan version in a user parameter).

2. Object Information: The object type, ID and abbreviation are displayed so the user can ensure that the right object is being edited.
3. Status: Select the status of the infotype you want to maintain using the tab pages (select Active, which has status = 1).
4. Infotype: Select the infotype you want to maintain.
5. Validity Period: Start and end dates specify the period during which the object exists in the plan version selected.

Important OM Infotypes
1. IT1000 – Object: holds an object's abbreviation and name.

2. IT1001 – Relationships:

There are many different relationship types that you can create between object types. Each individual relationship represents a subtype of the Relationships infotype (IT1001). Not all relationships apply to every object. Relationship records can be created manually using the Expert Mode interface, but they are also created automatically when using other interfaces (e.g. Organization and Staffing, Simple Maintenance). When creating a relationship, the inverse relationship is usually created automatically by the system.

HR Basics

SAP HR deals with private employee data, much of which might be of a sensitive nature. As a result, HR security is typically more stringent than security for the other SAP modules. In a lot of non-HR applications, security is more geared towards preventing wrongful entry of data into the system. In the case of HR, however, even the display of private data might lead to non-compliance with prevailing laws and regulations. Other than the overtly sensitive nature of HR data, another reason for separating it out into its own category on this site is to emphasize two unique provisions in HR.

Firstly, most of SAP security is based on positive authorization, i.e. the presence of a particular authorization in the user buffer gives access to new functionality. HR is one area where negative authorization can also be used in addition to the existing positive authorizations. Negative authorization in this case prevents a user from accessing some application due to the presence of a certain authorization in his user buffer. Secondly, HR uses structural authorizations to restrict HR access to a certain part of the organizational hierarchy, independently of the general authorizations assigned through roles.

Infotypes
Infotypes (Information Types) always form an integral component of any discussion on SAP HCM. In general, infotypes are structures that store related HR data. For example, the address of an employee is stored in a unique infotype, 0006. Similarly we have different infotypes storing personal data (0002), bank details (0009), basic pay (0008), etc. Some infotypes are further subdivided into subtypes, an example being the address infotype: an address entry can belong to the subtype permanent residence, temporary residence, emergency address, mailing address, etc. Infotypes are relevant from a security standpoint because SAP provides standard authorization objects which allow us to secure infotype/subtype combinations for users. The first thing to note from the above examples is that all of them are attributes of a person: you store the address of a person, the salary of a person, the bank details of a person. However, infotypes can just as well store attributes of HR objects like positions, jobs, tasks, etc. Depending on whether an infotype stores attributes for a person or for an HR object, we can divide them into infotypes required in Personnel Administration (PA) or Personnel Planning (PP) respectively. The PP infotypes are also referred to as infotypes for Organizational Management (OM) or Personnel Development (PD). The distinction between PA and PP infotypes is important for security, as the two basic kinds of infotypes are secured by means of different authorization objects. Another point to note from the above examples is that each infotype is associated with a unique 4-digit number. This identifier ranges from 0000 to 9999 and is broken into sub-ranges depending on the type of information stored, as shown below:

0000 - 0999 – Personnel Administration (PA)

1000 - 1999 – Personnel Planning (PP)
2000 - 2999 – Time Management (PA)
4000 - 4999 – Recruitment (PA)
9000 - 9999 – Customer Specific (can store either PA or PP information depending on infotype configuration)

This preliminary introduction to infotypes will help us in our later discussions when we investigate ways to secure individual infotypes.

Types o" HR ata


A discussion of SAP security for a particular application area% like HR% *I7O% S)% MM #enerally starts with an outline of the applications8transactions for the particular area and the authori,ation ob ects needed to secure them" -his is fully ustified as most of the time1 security administrators are #iven a list of tcodes and asked to provide security for them" Startin# from the tAcode list we would normally look up the individual S$;C entries% look up the documentation for the linked authori,ation ob ects% determine if the default values of the linked authori,ation ob ects are enou#h to #rant access% investi#ate whether the S$;C entries for the transaction should be chan#ed and maintain appropriate values for the ob ects in the roles dependin# on re2uested access" In the present article% we will adopt a sli#htly different approach for HR" Instead of the transactions that we are tryin# to secure% let us instead start with a discussion of the data we are tryin# to secure" SAP application security is remarkably consistent while accessin# the same data% even thou#h data is accessed throu#h different transactions" So once we #et a han# of the authori,ation ob ects needed to secure a class of data% we can basically use the same ob ects to secure any transaction which use the same data" HR data4 other than con"iguration data4 are contained in three basic groups o" tables" Personnel Administration 2PA3 data consists o" attributes "or people4 +hether employees or applicants and is stored in the PA in"o types" .e have already come across PA data in our introductory article on Info types" Each info type in #eneral is associated with a table in the )ata )ictionary" ata "or employees are stored in PA tables +hile data "or applicants are stored in P# tables) :or e,4 employee addresses +ill be stored in PA---; +hile applicant addresses is stored in P#---;) All PA and P# tables share a common authorization group PA" So unless we are prepared to modify the default authori,ation 
#roups for each table% a person with access to PA authori,ation #roup throu#h standard table maintenance transactions !like SE:E% SM@9% SM@:&% will have access to A'' the PA8PG tables" )ue to the sensitive and private nature of PA data% this level of access is rarely #iven to any user in a production system" Instead access is #iven to individual info type% subtype combinations" The authorization objects to secure PA data "or employees are P<OR=!> 2&O>34 P<OR=?? 2&O>3 and P<P%R>R +hile P<APP@ is used to secure PA data "or applicants" Personnel Planning 2PP3 data store "or AHR ObjectsB" -hese ob ects are identified by letter codes like Person !P&% Position !P&% Or#ani,ation $nit !O&% 5ob !7&% 7ost 7enter !H&% -ask !-&% etc" -hese different HR ob ects are used for Personnel Plannin#% Personnel )evelopment or

Or#ani,ational Mana#ement" PP data is also stored in in"o types but the underlying tables are o" the "orm HRP???? +here ???? C uniDue in"o type id" !E+ Info type Ob ect !:999& is stored in table HRP:999" Some PP info type like I- :9:I have both a correspondin# HRP and HR- tables% HRP:9:I and HR-:9:I" -his is determined by the structure of the info types and doesn0t impact security&" Security "or PP in"o types is controlled by authorization Object P@O=" The "inal major types o" HR data are contained in HR clusters) These are cluster tables P&@14 P&@*4 P&@.4 etc +hich store time e8aluation results4 payroll results4 etc) Access to HR payroll clusters is controlled through the P<P&@? authorization object) 6ow let us levera#e our knowled#e of the different types of HR data and the correspondin# authori,ation ob ects to provide security for one of the most common HR transactions% PA@9 which allows the maintenance of HR Master )ata" Specifically we use the transaction to maintain the address of a user" -he first screen shows the initial PA@9 screen when we have selected the user to modify"

PA@9 A Initial Screen

6ow we select the address info type and click the chan#e button which leads us into the Address screen" .e can update the address maintained for the employee" In addition PA@9 allows us to save maintain te+t for an info type entry by usin# the menu path EditAJMaintain te+t" An info type with maintained te+t is indicated by the hi#hli#hted te+t icon in the info type header as shown below"

PA@9 A $pdate Address !n the seDuence o" actions abo8e +e update address 2!T ---;3 o" an employee " Since address is an attribute of an employee we know that we are dealin# with PA data" As a double confirmation% address data is stored in I- 999E which falls in the ran#e of PA info types !refer to the earlier post on info types for individual ran#es&" Hence +e +ould need to pro8ide update access 2E C Erite3 to authorization objects P<OR=!> 2&O>34 P<OR=?? 2&O>3 and P<P%R>R "or in"o type ---;) Ehich o" these objects are actually chec5ed are determined by the 8alues o" the authorization s+itches which we have already encountered

in an earlier postK !n addition to the actual address +e also maintained some te,t "or the in"o type entry) This te,t ho+e8er is not stored in the in"o type table but in cluster tables) So an update access to P<P&@? is needed as +ell" -he su;C entry for PA@9 makes our ob easy as it already provides the default cluster id which stores the te+t !clusters P7 and -L&" Ee are not updating attributes "or any HR objects in the abo8e seDuence) So +e do not need to be concerned +ith P@O=) Ho+e8er4 there are other operations in PA.- +hich in"act updates P data) Hence4 SF*9 de"aults "or PA.-4 list P@O= as +ell" The abo8e analysis becomes especially use"ul +hen trying to secure obscure t1codes +ithout correct SF*9 de"aults maintained) Once +e understand +hat 5ind o" data the t1 code is accessing4 +e can predict +hat all security is needed to e,ecute it)

Authorization Switches
In our article on SU24, we saw the possibility of selectively switching off checks for certain authorization objects. However, HR objects (objects of authorization class HR) cannot be marked as "Do not check". There is another option for selectively switching off checks for HR objects: setting the values of authorization switches (through transaction OOAC, or by directly modifying the HR configuration table T77S0). The available authorization switches are shown below.

HR Authorization Switches
You can look at the standard SAP documentation for the functionality of each of the switches, but let me list a few of them:

AUTSW - ORGIN: switch on (1) or off (0) authorization object P_ORGIN. This object is used to check access to Personnel Administration (PA) master data through infotypes.
AUTSW - PERNR: switch on or off the check of the P_PERNR object for an employee's own personnel number.
AUTSW - ORGPD: switch off (0) or on (1, 2, 3, 4) the structural authorization checks.

Securing PA Data
We have already come across PA (Personnel Admin) master data in our initial discussion of the different types of HR data. Out of the box, SAP provides three main authorization objects for securing PA master data: P_ORGIN, P_ORGXX and P_PERNR. Let's see how we can use each of them in our security design. PA master data stored in the different infotypes is essentially the set of attributes of the employees of the organization. To store these attributes each employee is associated with a unique personnel number or PERNR. SAP HCM currently allows a person to have multiple pernrs as part of its extended configuration, but that is beyond the scope of our discussion on basic HR security. The basic transaction for maintenance of PA master data is PA30. The first screen-print shows the initial screen of PA30 with the pernr and name of an employee.

PA30 - Initial screen
In HR, the pernr is similar in use to the user ID in the security system. In fact, we use infotype 0105 (Communication), subtype 0001, to store the SAP user ID corresponding to the pernr. Later we will find that this link is mandatory for the use of the P_PERNR authorization object.

PA30 - Infotype 0105
The first step in using any of the PA master data authorization objects is switching on the corresponding authorization switches in transaction OOAC. For example, to switch on the security checks for P_ORGIN and P_PERNR we need to set the authorization switches AUTSW-ORGIN and AUTSW-PERNR to 1 respectively. Once switched on, any access to PA master data will check the user master for these authorization objects. The most important infotype with regard to any discussion on PA master data security is the Organizational Assignment (0001) infotype. The screen-print below shows the IT 0001 screen with the different data contained in it. This infotype is important because its data fields are also fields of the general authorization objects and are checked during data access. For example, Personnel Area, EE group, EE subgroup, Organizational Key and the three Administrator fields are all used in the authorization objects.

PA30 - Infotype 0001
The three common authorization objects with their authorization fields are given below.

P_ORGIN (HR: Master Data)

Authorization Field   Long Text
INFTY                 Infotype
SUBTY                 Subtype
AUTHC                 Authorization Level
PERSA                 Personnel Area
PERSG                 Employee Group
PERSK                 Employee Subgroup
VDSK1                 Organizational Key

P_ORGXX (HR: Master Data - Extended Check)

Authorization Field   Long Text
INFTY                 Infotype
SUBTY                 Subtype
AUTHC                 Authorization Level
SACHA                 Payroll Administrator
SACHP                 Master Data Administrator
SACHZ                 Time Recording Administrator
SBMOD                 Administrator Group

P_PERNR (HR: Master Data - Personnel Number Check)

Authorization Field   Long Text
AUTHC                 Authorization Level
PSIGN                 Interpretation of Assigned Authorization
INFTY                 Infotype
SUBTY                 Subtype

As you might have noticed, many of these fields are part of the org assignment infotype. Thus if a security concept is built around personnel area, employee group and employee subgroup we can switch on the check for P_ORGIN and use that object in our roles, or if the security concept is based around the time, master data and payroll administrators we can use the P_ORGXX authorization object. In some rare scenarios we might even want to use both authorization objects in our roles. A case where both of them might be used is a scenario where we have different master data administrators for a single personnel area. Here, instead of creating roles with all the different combinations of P_ORGIN (Personnel Area) and P_ORGXX (Administrators), we can reduce the number of roles by separating these two accesses into different roles. Finally a combination of the P_ORGIN and P_ORGXX roles is assigned to a user to make up the total access of an HR rep. You will also notice that the standard authorization objects do not have any option to secure PA data at the level of the personnel subarea or cost center. A solution in such cases is provided by the Organizational Key field (VDSK1). This is a 14-character field which can be configured to be derived from any of the IT 0001 fields, or can even be entered manually by the administrator.

The P_PERNR authorization object is a bit different in functionality from the other two objects. P_PERNR provides one of the very few examples of the negative authorization concept in SAP. The object is used to provide a different authorization to an administrator when accessing his own PERNR. The most common example is a compensation analyst who has access to update the basic pay infotype. Although, as part of his usual responsibility, he is expected to maintain the basic pay of other employees, we would not want him to give himself a raise. It is at this juncture that P_PERNR and its negative authorization come to the rescue. The master data authorization of this person might typically be maintained as follows:

P_ORGIN: INFTY 0008, PERSA *, AUTHC W, R, M
P_PERNR: INFTY 0008, PSIGN E, AUTHC W, D, S, E

In the above case, the P_ORGIN authorization gives the comp analyst access to maintain (AUTHC = W = Write) basic pay (IT 0008) for others, but when accessing his own pernr the value of P_ORGIN is overridden by the access in P_PERNR. The value of PSIGN = E (Exclusive) denotes that while accessing IT 0008 for his own pernr, his access will exclude the values maintained for AUTHC (W, D, S, E). The only possible values for AUTHC which are not among the four excluded values are R (Read) and M (Matchcode), and as a result the administrator only has display access to his own pay data. It is very important to remember a few points when trying to use P_PERNR. Firstly, P_PERNR can only be used to control access to a person's own pernr or personnel record. A corollary of this is the requirement that, for P_PERNR to work, a valid system user ID must be maintained in IT 0105, subtype 0001. This is necessary because the SAP system needs to match a personnel record with a user master record. Secondly, the only two meaningful values of the PSIGN field are E (Exclusive) and I (Inclusive). A value of * doesn't make much sense in this case, as by definition a * value could be interpreted as either of the two possible values.
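To make the compensation-analyst scenario concrete, here is a small model of how the P_ORGIN and P_PERNR authorizations combine for a single record access. This is an added example written for this page, not SAP's own check logic: it keeps only the INFTY, SUBTY, AUTHC and PERSA fields of P_ORGIN, the "own pernr" link is represented as a plain attribute standing in for IT 0105 subtype 0001, and the personnel numbers and authorization values are constructed sample data. It also shows why the IT 0105 link is mandatory: without it the exclusion can never fire.

```python
"""Model of how P_ORGIN and P_PERNR combine when a user touches a PA infotype.
Illustrative code written for this page; not SAP's own authorization check."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class OrginAuth:
    """One P_ORGIN authorization (PERSG/PERSK/VDSK1 omitted to keep the model short)."""
    infty: str
    subty: str
    authc: FrozenSet[str]   # e.g. {'W', 'R', 'M'}
    persa: str              # personnel area, '*' = all


@dataclass(frozen=True)
class PernrAuth:
    """One P_PERNR authorization: only ever applies to the user's own personnel number."""
    infty: str
    subty: str
    authc: FrozenSet[str]
    psign: str              # 'I' inclusive or 'E' exclusive


@dataclass
class HrUser:
    orgin: List[OrginAuth]
    pernr: List[PernrAuth]
    own_pernr: Optional[str]   # PERNR linked to the user ID via IT0105/0001; None = no link


def _matches(pattern: str, value: str) -> bool:
    return pattern == '*' or pattern == value


def effective_authc(user: HrUser, target_pernr: str, persa: str,
                    infty: str, subty: str = '*') -> Set[str]:
    """Return the AUTHC levels the user effectively holds for one record access."""
    # Step 1: positive authorization from P_ORGIN.
    granted: Set[str] = set()
    for a in user.orgin:
        if _matches(a.infty, infty) and _matches(a.subty, subty) and _matches(a.persa, persa):
            granted |= a.authc
    # Step 2: P_PERNR is consulted only for the user's OWN record, which the system
    # can recognise only if IT0105/0001 links the user ID to a PERNR.
    if user.own_pernr is not None and target_pernr == user.own_pernr:
        for p in user.pernr:
            if not (_matches(p.infty, infty) and _matches(p.subty, subty)):
                continue
            if p.psign == 'E':        # negative authorization: listed levels are withdrawn
                granted -= p.authc
            elif p.psign == 'I':      # inclusive: listed levels are granted on the own record
                granted |= p.authc
            else:                     # PSIGN '*' has no sensible meaning; reject it
                raise ValueError(f"PSIGN must be 'E' or 'I', got {p.psign!r}")
    return granted


def comp_analyst(own_pernr: Optional[str]) -> HrUser:
    """The compensation-analyst setup from the text: maintain IT0008 for everyone,
    but only display it on one's own record (hypothetical personnel numbers)."""
    return HrUser(
        orgin=[OrginAuth('0008', '*', frozenset('WRM'), '*')],
        pernr=[PernrAuth('0008', '*', frozenset('WDSE'), 'E')],
        own_pernr=own_pernr,
    )


if __name__ == '__main__':
    analyst = comp_analyst('00001234')
    print(sorted(effective_authc(analyst, '00009999', '1000', '0008')))   # someone else: M, R, W
    print(sorted(effective_authc(analyst, '00001234', '1000', '0008')))   # own record: M, R
    # Without the IT0105/0001 link the own-record exclusion never applies.
    print(sorted(effective_authc(comp_analyst(None), '00001234', '1000', '0008')))
```

The third call is the practical check to remember: a P_PERNR exclusion that looks right in the role does nothing for a user whose IT 0105/0001 record is missing or points at the wrong user ID, so auditing P_PERNR means auditing those links as well.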

Securing PD Data

Personnel Development (PD) data is part of the Personnel Planning (PP) data model used in SAP HCM. The PP data model is made up of distinct HR object types like Positions (S), Persons (P), Jobs (C), Tasks (T), etc. The main use of this data is in the Personnel Development (PD), Organizational Management (OM) and Training and Event Management sub-modules of SAP HCM. In contrast to PA master data, which essentially stores data about persons, PD data mainly stores the attributes of the different PP object types. Also, the allowed PP infotypes depend on the object type and are controlled through configuration settings. PD data is especially relevant for security as it is used to define the organizational structure of an enterprise, and the organizational structure in turn is used for position-based security assignment and for structural authorizations. PD data is secured by the authorization object PLOG (Personnel Planning). The fields of this object are given below.

Authorization Field   Long Text
PLVAR                 Plan Version
OTYPE                 Object Type
INFOTYP               Infotype
SUBTYP                Subtype
ISTAT                 Planning Status
PPFCODE               Function Code

We can better appreciate the use of this object by looking at one of the basic transactions for maintenance of PD data, PP01.

PP01 - Initial Screen
In the initial screen of PP01, we can easily spot the fields for Plan Version, Object Type, Infotype and Planning Status (the tabs for Active, Planned, Submitted, Approved, Rejected). The buttons highlighted in the toolbar are for the different activities on the selected infotype. The permissible activities for the object and infotype combination are contained in the PPFCODE field of the authorization object. Among the large number of possible PPFCODE values, like INSE (create), DISP (display), DEL (delete), CUTI (delimit), LISD (list display), AEND (change), LIST (list display with change), etc., we discuss only the last two. In the first example we select infotype Object (IT 1000) and click the change button. The infotype change screen allows us to change the name and abbreviation of the object (AEND).

PP01 - Change Object
In the second example, we select Relationships (IT 1001) and click the second button from the right to get into the Overview screen, which shows all the relationships created for the object. The access being tested is LIST. Also note that accessing the overview screen from a pure display transaction like PP01_DISP would have checked for LISD (list display). IT 1001 is also one of the PD infotypes which can be secured at the subtype level. Each relationship record shown on the screen (like A002 – reports to, B007 – describes) is a separate subtype and links two different objects. The relationships between these PP objects are what build the entire organizational hierarchy of the enterprise.

PP01 - List Display with Change
In addition to the PLOG object, PP objects can be further secured through structural authorizations.

P_ABAP (HR Reporting)

The authorization checks for PA master data (through P_ORGIN, P_ORGXX, P_PERNR, etc.) while running HR reports are very involved and impose a significant performance penalty on the system. For each pernr selected in the report, the authorization system carries out a check for each of the infotypes being accessed. P_ABAP (HR Reporting) is used in such cases to simplify the authorization check for PA master data when running HR reports based on the logical databases SAPDBPNP or SAPDBPAP. The fields available in the object are given below.

Authorization Field   Long Text
COARS                 Degree of Simplification of the Authorization Check
REPID                 ABAP Report Name

The COARS field can have two values, corresponding to two different degrees of simplification.

COARS = 1: The authorization checks for the infotype/subtype combination and for the organizational assignment are carried out separately (a simplified check).
COARS = 2: The report is run without any authorization checks for PA master data.

In practice, P_ABAP is used in two main cases. A value of COARS = 1 can simplify the authorization checks, significantly reducing the time needed to execute a report. This is the case for a number of reports in the payroll/time component of HCM. For example, an export of PA master data during a typical payroll run would have to read a large number of PA infotypes for all the employees in the enterprise. Using P_ABAP in this case ensures that the report completes in a reasonable amount of time. Also, since these reports are generally run by payroll staff who already have access to almost all employee data, a detailed authorization check on every employee's infotypes is often unnecessary. The second case for using P_ABAP appears when we want non-HR users to be able to run some non-sensitive reports on HR data without giving them direct access to P_ORGIN, P_ORGXX and similar objects. A value of COARS = 2 lets these users run the given report without any authorization check for PA master data. It is important to note that a P_ABAP authorization must always be restricted to particular reports: a REPID value of * or SAPDBPNP would allow any report on master data to be run without the proper authority checks.

Organizational Management
-his article about organizational management is meant to be a launch pad to our discussion on structural authorizationsA an uni2ue and indispensable part of HR security" .e have already have had a brief idea on Or# M#mt or OM when talkin# about the P'ON authori,ation ob ect" 'et0s take the discussion forward to the ne+t level" OM deals with the representation of the personnel or#ani,ational structure within an enterprise within SAP H7M" OM uses the same data model as used by Personnel Plannin#" The data model uses object1oriented design and uses the concepts o"

Object Types Relationships !n"o types

-he data model can be represented by the followin# #raphic" 6ote that ob ect types% Person and &ost &enter are shown as oran#e bo+es instead of blue ones" These are %,ternal Objects and not created in the OM component) Ho+e8er4 they ha8e relationships +ith normal OM objects)

OM )ata Model A typical or# structure when represented by the same data model mi#ht look somethin# like the #raphic !transaction PPO7& shown below

PPOC - Org structure showing positions and org units

In OM, each element in an organization is represented by a distinct object with individual characteristics. Relationships are used to link one object to another. The objects and their relationships can be created and maintained through standard transact ions (like PP01). The network created by objects and relationships is flexible enough to facilitate personnel planning, projections and evaluations of the org structure. Customizing is used to enhance the existing object types or create completely new ones. Customizing also allows the creation of new relationships and the maintenance of those relationships for existing or new object types. Each standard object type is represented by a one-letter code (P - Person, O - Org Unit, S - Position, C - Job) while customized object types are represented by two letters like ZP. Relationships, on the other hand, are represented by a 3-digit code like 008 (belongs to), 012 (manages). Customer relationships are also 3 characters long but start with a letter, like Y20. The unique object id for an object type is stored in IT 1000 (table HRP1000).

HRP1000 - Positions

The relationship between two objects is stored in IT 1001 (table HRP1001).

HRP1001 - Relationships for a position

Finally, the org structure composed from these two tables is displayed through the PPOSE transaction as shown below.

PPOSE - Org Structure Display

Evaluation Paths
An Evaluation Path is a chain of relationships between related OM objects in the organizational hierarchy. Different evaluation paths can be used to return different sets of OM objects even when all of the individual paths start from the same start object. As such, evaluation paths are used a lot in OM reports and in structural authorizations. Evaluation paths are created and maintained through the transaction OOAW shown below. The standard SAP system ships with a number of pre-defined evaluation paths. Since the standard evaluation paths can only use the standard relationships and objects defined by SAP, it stands to reason that we need to create new evaluation paths to use our own relationships and OM objects.

OOAW - View for Evaluation Paths

As an example, we select the evaluation path PERSON and see how it's defined.

OOAW - Define Evaluation Path

The PERSON evaluation path is meant to return the OM objects used in staffing along a standard organizational hierarchy. As such, it can be used to evaluate the direct reports of a line supervisor and is used that way in the MANAGER structural profile. The definition of the evaluation path starts with an org unit. The path returns all positions (S) assigned to the start org unit (O) and the persons (P) linked to those positions. Finally, to build the entire org hierarchy, the path continues to evaluate the subordinate org units and positions (lines 30 and 40). Once defined, the evaluation path can be used to return a particular view of the org hierarchy through the PPST transaction.

PPST - Evaluation Options

The report output shows the evaluated objects.

PPST - Report Display

In the next article, we explore the use of evaluation paths in defining structural authorizations, or PD profiles.

Structural Authorizations
Structural Authorizations, as the name suggests, are used to restrict access to a certain organizational structure. As such they are only used while accessing HR data. In general, structural authorizations serve two purposes:

Restrict access to certain OM objects like Org Units, Jobs, Tasks, Qualification Catalogs, etc.
In interaction with the authorization objects for PA master data, restrict access to a certain set of persons in the enterprise.

While using structural authorizations, it's important to note the following.

A person's total authorization is the result of the interaction between his general authorizations (through roles) and his structural authorizations (through PD profiles). Secondly, structural authorizations are always used to restrict access. You can never use structural authorizations to grant access. They can only be used to restrict access to a smaller set of objects or people than is already given through a general authorization. While using structural authorizations to restrict access, we need to ensure that access to the corresponding objects is also added to the user's roles through PLOG.

P Pro"iles 0 e"inition
P pro"iles are created through the OOSP transaction" SAP provides a few standard profiles but to a lar#e e+tent% P) profiles are created by individual customer dependin# on their re2uirements"

OOSP - PD Profiles

The definition of PD profiles is stored in the T77PR table. Let's have a look at the definition of the standard PD profile MANAGER.

T77PR - PD Profile Definition

Some features to note about the definition of the PD profile:

Each record in the table is independent of the other records and gives access to a certain number of objects. Each record has values for PV (Plan Version), OT (Object Type), Object ID, EvalPath (Evaluation Path), StatV (Status Vector), Depth, M (Maintenance Flag), Selection Period and Function Module. PV denotes the plan version for which the profile is valid. OT is the object type of the object id value. Object ID gives the start object when an evaluation path is used in the profile, or an individual object otherwise. If an evaluation path is maintained, the PD profile returns the objects found along that evaluation path. Maintaining an evaluation path will only work if a start object value is maintained, either explicitly or dynamically through a Function Module.

Status Vector is used to determine the status of the objects/relationships considered while creating the structure. A StatV of 12, for example, will consider relationships of status Active (1) or Planned (2). Depth determines the level of the hierarchical structure down to which the evaluation path is constructed. No maintained value indicates that the entire org structure returned by the evaluation path will be constructed. The Maintenance (M) flag determines whether a person will be able to maintain the returned objects. Period determines the validity period of the objects/relationships considered while creating the structure. A value of D creates the structure which is valid on that day (the key date). A blank value indicates that the structure is not limited by the validity dates of the corresponding relationships. The function module field can be used to dynamically generate a start object. Efficient use of this option can greatly reduce the maintenance effort for PD profiles. Two standard function modules are supplied by SAP: RH_GET_MANAGER_ASSIGNMENT returns the org unit for which the user is the chief, while RH_GET_ORG_ASSIGNMENT returns the org unit the user belongs to. New function modules can be created by customers as per requirement.

P Pro"iles 0 Assignment
PD profiles can be assigned to users in two basic ways.

Transaction OOSB can be used to assign one or more PD profiles directly to users. Adding entries to the T77UA table through SM30/SM31 has the same effect.

OOSB - Assign PD Profiles

P pro"iles can also be assigned to OM objects li5e positions through in"o type 1-1L !throu#h transactions like PP9:8PP9@&"

PP01 - Create PD Profile for Position

Also note that a user without an entry in the T77UA table would by default have the PD profile access which is assigned to the SAP* user in the table. SAP provides a standard program, RHPROFL0, to read the PD profile values from IT 1017 for a position and create an entry in the T77UA table for the user assigned to the position. For SAP installations using indirect assignment of profiles, this program is generally scheduled to run in batch every night. A screen with the various options available for this program is shown below.

RHPROFL0 - Transfer IT entries to T77UA

Assigning the PD profiles to the position instead of direct assignment in the T77UA table can potentially save a lot of effort in manual maintenance of profile entries and is the recommended practice.

P Pro"iles 0 Per"ormance
In a large organization using structural authorizations, the PD profiles assigned to a user might return thousands of distinct objects. Evaluating the entire PD profile at run time to generate the object list, for each access to HR data, can lead to a significant degradation in the performance of HR transactions. Since the performance penalty is mostly due to the evaluation of the entire object list for a user during run time, the situation can be improved by storing the list of objects for a user. SAP provides the table T77UU to store an index of all objects returned by the PD profiles for each user. However, since this is a static list of objects, we have to periodically regenerate the index for all users who are maintained in this table. If a user is not entered in this table, his PD profiles are evaluated at run time to generate the object list. This will consume more time but will not adversely impact performance if the number of objects for the user is below a certain critical threshold. The T77UU table is very rarely maintained manually. SAP provides two programs, RHBAUS02 - Check and compare T77UU (user data in SAP memory) and RHBAUS00 - Regeneration of INDX for Structural Authorization, to automate the updating of the table and the regeneration of the user indexes. The screen below shows the selection criteria for the RHBAUS02 report. The report can be run for one or multiple users and for a certain threshold level of HR objects. The program evaluates the PD profiles for all the users entered in the selection screen and, if the number of authorized objects returned is more than the threshold value, updates the user in the T77UU table. Conversely, if the number of objects for a user falls below the threshold, the user entry is removed from the T77UU table. Typically, a weekly batch run should be sufficient to take care of the changing org structure and the profile assignments for users.

RHBAUS02 - Update user data in SAP memory

The RHBAUS00 program is generally run after the last run of RHBAUS02 has completed and hence finished updating entries in T77UU. The RHBAUS00 program re-generates the indexes, and hence the objects authorized for a user, for all users entered in the selection whose entries also exist in T77UU. In a practical scenario the OM structure of an enterprise keeps changing from day to day. Since the index only stores the objects that were effective at the time it was last re-generated, RHBAUS00 should be scheduled to run periodically. A daily batch run of the program is mostly sufficient to take care of the changing org structure; however, even then the indexes of individual users might need to be specifically regenerated through the program or its linked tcode, S_PH0_48000110.
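To make the pieces above concrete (the object/relationship data model, an evaluation path walk, the T77PR record fields status vector, depth, period and function module, the SAP* fallback in T77UA, and the RHBAUS02 threshold logic), here is an added Python model. It is not part of the original tutorial and not SAP's code: the object ids, the relationship rows, the path named O-S-P, the user ids in IT0105 and the profiles ALL and MANAGER are all constructed, and rh_get_org_assignment and rhbaus02 are stand-ins that follow the descriptions in the text rather than the SAP function module and report of those names.

```python
"""Constructed model of OM relationships (HRP1001-style rows), an evaluation
path, PD profile records (T77PR/T77UA) and RHBAUS02-style maintenance of the
T77UU index.  Sample data only; not SAP's own code."""
from collections import deque
from dataclasses import dataclass
from datetime import date

KEY_DATE = date(2024, 1, 1)  # key date used for period "D" evaluations below


@dataclass(frozen=True)
class Rel:
    # One HRP1001-style row read from the side of `source`; objects are
    # (object type, object id) tuples; istat 1 = active, 2 = planned.
    source: tuple
    rsign: str  # "A" (bottom-up) or "B" (top-down)
    relat: str  # three-character relationship code
    target: tuple
    istat: str = "1"
    begda: date = date(1900, 1, 1)
    endda: date = date(9999, 12, 31)


# Constructed structure: two org units under a root, three positions, three persons.
O_ROOT, O_INDIA, O_BLR = ("O", "50000001"), ("O", "50000002"), ("O", "50000003")
S_DIR, S_HR, S_ENG = ("S", "50000010"), ("S", "50000011"), ("S", "50000012")
P_DIR, P_HR, P_OLD = ("P", "00001001"), ("P", "00001002"), ("P", "00001003")
HRP1001 = [
    Rel(O_ROOT, "B", "002", O_INDIA),  # root is line supervisor of India
    Rel(O_ROOT, "B", "002", O_BLR),
    Rel(O_INDIA, "B", "003", S_DIR),  # org unit incorporates position
    Rel(O_BLR, "B", "003", S_HR),
    Rel(O_BLR, "B", "003", S_ENG, istat="2"),  # exists only in planned status
    Rel(S_DIR, "A", "008", P_DIR),  # position holder
    Rel(S_HR, "A", "008", P_HR),
    Rel(S_HR, "A", "008", P_OLD, endda=date(2020, 12, 31)),  # former holder
]
# Evaluation path lines (source type, rsign, relat, target type), constructed
# with the shape the text describes for PERSON; not SAP's delivered definition.
EVAL_PATHS = {"O-S-P": [("O", "B", "003", "S"), ("S", "A", "008", "P"),
                        ("O", "B", "002", "O")]}
IT0105 = {"DIRECTOR": "00001001", "HRANALYST": "00001002"}  # SAP user id -> pernr


def related(obj, rsign, relat, statv="12", key_date=None):
    """Targets of `obj` via one relationship, filtered by the status vector
    and, when a key date is given, by the relationship's validity period."""
    return [r.target for r in HRP1001
            if (r.source, r.rsign, r.relat) == (obj, rsign, relat) and r.istat in statv
            and (key_date is None or r.begda <= key_date <= r.endda)]


def evaluate_path(start, path, statv="1", depth=None, key_date=None):
    """Walk an evaluation path breadth first from `start`; `depth` caps the
    number of relationship hops followed (None = the whole structure)."""
    found, frontier = {start}, deque([(start, 0)])
    while frontier:
        obj, level = frontier.popleft()
        if depth is not None and level >= depth:
            continue
        for src_type, rsign, relat, tgt_type in EVAL_PATHS[path]:
            if src_type != obj[0]:
                continue
            for target in related(obj, rsign, relat, statv, key_date):
                if target[0] == tgt_type and target not in found:
                    found.add(target)
                    frontier.append((target, level + 1))
    return found


def rh_get_org_assignment(user):
    """Stand-in for the SAP function module: org unit of the user's position, or None."""
    person = ("P", IT0105.get(user))
    for pos in [r.source for r in HRP1001 if r.target == person and r.relat == "008"]:
        for org in [r.source for r in HRP1001 if r.target == pos and r.relat == "003"]:
            return org
    return None


# PD profile records (T77PR): start object, evaluation path, status vector, depth,
# period ("D" = valid on the key date, "" = no date limit), optional function module.
T77PR = {
    "ALL": [dict(start=O_ROOT, path="O-S-P", statv="12", depth=None, period="")],
    "MANAGER": [dict(start=None, path="O-S-P", statv="1", depth=None, period="D",
                     fm=rh_get_org_assignment)],
}
T77UA = {"SAP*": ["ALL"], "DIRECTOR": ["MANAGER"]}  # user -> assigned PD profiles


def evaluate_profiles(user, key_date=KEY_DATE):
    """Union of the objects returned by every record of the user's PD profiles;
    a user without a T77UA entry falls back to the SAP* entry."""
    objects = set()
    for name in T77UA.get(user, T77UA["SAP*"]):
        for row in T77PR[name]:
            start = row["fm"](user) if "fm" in row else row["start"]
            if start is None:
                continue  # no start object could be determined for this record
            objects |= evaluate_path(start, row["path"], row["statv"], row["depth"],
                                     key_date if row["period"] == "D" else None)
    return objects


def rhbaus02(users, threshold, t77uu, key_date=KEY_DATE):
    """RHBAUS02-style index maintenance: users whose profiles return more
    objects than `threshold` get a T77UU entry; other entries are removed."""
    for user in users:
        objects = evaluate_profiles(user, key_date)
        if len(objects) > threshold:
            t77uu[user] = frozenset(objects)
        else:
            t77uu.pop(user, None)
    return t77uu
```

With this data the status vector, the key date and the depth each change the object count the same way the text describes: the planned Engineer position only appears with StatV 12, the former holder disappears once a key date is applied, and a depth of 1 stops at the org units directly under the root. The MANAGER profile returns only three objects for the DIRECTOR user and so stays out of the index, while a user falling back to the SAP* entry crosses the threshold and gets one.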

RHBAUS00 - Regenerate user INDX

Context Solution
In modern enterprises, it's very common that dual responsibilities are performed by the same individual. For example, a Line Manager in the Training department of an organization needs access to certain info types (like org assignment, personal data, education, etc.) for all employees as part of the process structure. In addition to the above, by virtue of his position in the org hierarchy as a Line Manager, he would also need significantly more access (like basic pay, for instance) to the employees who report up to him. This is a problem of contextual security and can not be handled properly through the structures that we have covered so far. Let us investigate further the possible security solution in this case and try to understand why it might not meet the full requirements. We would need at least two roles for the training manager, one role with the training info types and a second one with the info types needed by the line manager. Further, we are also likely to have two PD profiles, one with access to all employees and the other with access to only the direct reports. When the two structural and general authorization profiles are assigned to the same person, like the Training Manager in our discussion, we find that he has access to both sensitive and non-sensitive info types for all employees. The sensitive access is not limited to only the direct reports, as the security system has no way of understanding that the access in the manager role needs to be restricted to only the direct reports (the people who are part of the manager PD profile). The context solution introduced as part of SAP R/3 4.7 seeks to address this very gap in HR security. The context solution introduces new authorization switches and the corresponding authorization objects. To switch on checks for any of the new objects, the corresponding switches should be set to 1. It's also customary to switch off checks (value 0) for the non-context authorization objects. The relevant switches are given below.

AUTSW-INCON - HR: Master Data (Context), for object P_ORGINCON
AUTSW-XXCON - HR: Master Data - Enhanced Check (Context), for object P_ORGXXCON
AUTSW-NNCON - HR: Customer-Specific Authorization Check (Context), for the customer-specific authorization object. This switch corresponds to AUTSW-NNNNN (HR: Customer-Specific Authorization Check) in the non-context solution.

In addition to the three switches above there is a fourth switch used by the context solution. This last switch, AUTSW-DFCON (HR: Default Position (Context)), is analogous to the ORGPD switch used in normal structural authorizations, as it controls access to non-integrated personnel numbers (persons who are on a default position and as a result are not mapped to the organizational structure). The fields of the individual authorization objects P_ORGINCON and P_ORGXXCON are given below.

P_ORGINCON
Authorization Field   Long Text
INFTY                 Infotype
SUBTY                 Subtype
AUTHC                 Authorization Level
PERSA                 Personnel Area
PERSG                 Employee Group
PERSK                 Employee Subgroup
VDSK1                 Organizational Key
PROFL                 Authorization Profile

P_ORGXXCON
Authorization Field   Long Text
INFTY                 Infotype
SUBTY                 Subtype
AUTHC                 Authorization Level
SACHA                 Payroll Administrator
SACHP                 Master Data Administrator
SACHR                 Time Recording Administrator
SBMOD                 Administrator Group
PROFL                 Authorization Profile

You will notice that the new authorization objects differ from the corresponding old objects in a single respect. Both of them have the new field PROFL (Authorization Profile). The PROFL field is meant to store the value of the PD profile for which each general authorization is valid. In other words, the PROFL field serves to link the general authorization with the corresponding structural authorization. Context problems, like the one we discussed for the Training manager, can now be easily solved by maintaining the correct PD profile on the role. The context solution is truly a welcome addition to the other security features of SAP HCM, as it allows us to solve scenarios which couldn't be solved with the means at our disposal till now. However, it comes at the cost of increased maintenance effort, as now, in addition to the PD profiles assigned to the user, we need to maintain the correct PD profiles for the role as well. Also, we should remember that the context solution only addresses the context problems for accessing people (PA master data). There is still no context solution for PD data secured through PLOG.

DFCON & ORGPD - Auth Switches


My apologies if the title of the post makes no sense. Probably that's because of the relatively niche nature of the topic. However, in the last few months, I have come across a few installations where people have run into issues due to the security configuration around access to non-integrated positions (the so called default position) and thought a new post might be in order. Both DFCON and ORGPD are authorization switches (refer to my post on Authorization Switches for some background) which control how your SAP security system handles access to employees with non-integrated positions (these are the people who exist in the HR component but are not linked to any positions in the Org Mgmt structure). Setting the proper values for these switches is a one-time activity when configuring Structural Authorizations in your SAP system. Since structural authorizations use the OM structure to control access to employees, it's a valid question: "How do you want to control access to EEs/Pernrs which are not part of the OM structure?" These authorization switches help answer the question. The screen below shows a view from transaction OOAC with the switches.

OOAC - DFCON and ORGPD Switches

Note that both these switches control access to non-integrated persons but shouldn't be used at the same time. Use the ORGPD switch when using plain vanilla structural authorizations and DFCON when using the context solution. There is also a slight difference in the meaning of the possible values. Access to these non-integrated persons can be controlled by the value of the Org Unit stored in info type 0001 (Org Assignment). However, if no org unit is maintained in the info type either, the system provides the option of giving or denying access to all these persons. These two different cases are highlighted in the screenshots from IT 0001 below.

Org Assignment - Default Position with no Org Unit

Org Assignment - Default Position with Org Unit

Possible values for ORGPD / DFCON and their meaning:
1 = Check access to the Org Unit maintained in IT 0001 for persons not linked to the OM structure. If no value is maintained in IT 0001, deny authorization to the person.
2 = Do not check access to the Org Unit maintained in IT 0001 for persons not linked to the OM structure. Deny access to all these persons.
3 = Check access to the Org Unit maintained in IT 0001 for persons not linked to the OM structure. If no value is maintained in IT 0001, give authorization to the person.
4 = Do not check access to the Org Unit maintained in IT 0001 for persons not linked to the OM structure. Give access to all these persons.
0 (ORGPD) = Structural Authorizations are switched off, so the check for pernrs not present in OM doesn't arise.
0 (DFCON) = Same behavior as maintaining 1 for DFCON, with one important difference. The context solution is activated by switching on one or more of the INCON, XXCON, NNCON switches, which in turn activates the authority check for P_ORGINCON, P_ORGXXCON or the custom Z object. I would explain with an example. For DFCON = 1, INCON = 1 you would need an authorization for P_ORGINCON with all values * (PROFL, PERSA, etc.) to get access to pernrs with a default position and no org unit maintained. For DFCON = 0, INCON = 1 you would need an authorization for P_ORGINCON with PROFL value * to get access to pernrs with a default position and no org unit maintained; PERSA need not be *.
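The training-manager gap and the ORGPD/DFCON value table above can both be shown as an added Python model; it is not part of the original posts and not SAP's code. The personnel numbers, the PD profiles ALL_EMPLOYEES and MY_REPORTS (represented directly as the sets of persons they return, instead of being evaluated from T77PR) and the two authorizations are constructed. The assumption that the profile named in PROFL must also be assigned to the user in T77UA is taken from the text's remark that both the user's PD profiles and the role's PD profiles have to be maintained; the switch helper covers values 1 to 4 only.

```python
"""Constructed model of the PA master-data check with and without the context
solution, plus the ORGPD/DFCON handling of persons on the default position.
Sample data only; not SAP's own code."""
from dataclasses import dataclass
from typing import Optional

# Persons returned by each PD profile.  In SAP these come from the evaluation
# paths in T77PR; here they are constructed sets of personnel numbers.
PD_PROFILE_PERSONS = {
    "ALL_EMPLOYEES": {"1001", "1002", "1003", "1004"},
    "MY_REPORTS": {"1003", "1004"},
}


@dataclass(frozen=True)
class Auth:
    """One general authorization: infotype (or "*"), authorization level and,
    for P_ORGINCON only, the PD profile in PROFL that it is valid for."""
    infty: str
    authc: str
    profl: Optional[str] = None


@dataclass(frozen=True)
class User:
    pd_profiles: tuple  # PD profiles assigned to the user in T77UA
    auths: tuple        # general authorizations from the user's roles


def persons_of(profiles):
    return set().union(*(PD_PROFILE_PERSONS[p] for p in profiles))


def allowed_without_context(user, pernr, infty, authc="R"):
    """P_ORGIN plus structural authorization: the two are evaluated independently,
    so any matching infotype authorization combines with the union of all the
    user's PD profiles."""
    if pernr not in persons_of(user.pd_profiles):
        return False
    return any(a.infty in ("*", infty) and a.authc in ("*", authc) for a in user.auths)


def allowed_with_context(user, pernr, infty, authc="R"):
    """P_ORGINCON: each authorization is valid only for the persons of the PD
    profile named in its PROFL field ("*" = all of the user's profiles).  Assumed
    here, as the text implies, that the named profile must also be assigned to
    the user in T77UA."""
    for a in user.auths:
        if a.infty not in ("*", infty) or a.authc not in ("*", authc):
            continue
        if a.profl == "*":
            pool = persons_of(user.pd_profiles)
        elif a.profl in user.pd_profiles:
            pool = PD_PROFILE_PERSONS[a.profl]
        else:
            continue  # PROFL names a profile the user does not hold
        if pernr in pool:
            return True
    return False


# The training manager from the text: personal data (IT 0002) for everyone,
# basic pay (IT 0008) only for the direct reports.
TRAINING_MANAGER = User(
    pd_profiles=("ALL_EMPLOYEES", "MY_REPORTS"),
    auths=(Auth("0002", "R", profl="ALL_EMPLOYEES"), Auth("0008", "R", profl="MY_REPORTS")),
)


def default_position_access(switch, it0001_orgeh, authorized_org_units):
    """Access to a person not linked to the OM structure, for ORGPD/DFCON values
    1-4 as listed in the text.  `it0001_orgeh` is the org unit from IT 0001, or
    None when none is maintained."""
    if switch == 4:
        return True   # no check: access to all non-integrated persons
    if switch == 2:
        return False  # no check: access denied to all of them
    if switch in (1, 3):
        if it0001_orgeh is None:
            return switch == 3  # 1 denies, 3 grants when IT 0001 has no org unit
        return it0001_orgeh in authorized_org_units
    raise ValueError(f"unsupported switch value {switch!r}")
```

Without the context solution the manager's basic-pay authorization reaches every person in the union of his two PD profiles; with PROFL set, the same authorization only reaches the persons of MY_REPORTS, while personal data stays readable for all employees.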

Indirect Role Assignment via OM


We have come across the Organizational Management (OM) component while talking about SAP HCM. The OM component in SAP is used to map the organizational hierarchy of an enterprise by means of HR objects and relationships between these objects. In this post we will discuss the possibility of using OM to simplify some of the user-role assignment tasks that need to be handled by a security administrator. Let's start with a sample org hierarchy created in the PPOME transaction as shown below. We start with a root org unit (HR obj O) "IDES Root" with "IDES India" and "IDES Bangalore" under it. "IDES India" includes the position (HR obj S) "Director - India", which is also set as the Line Manager for it. The position is filled by the person (HR obj P) "Mister Director". We make the basic assumption that the SAP access for a user corresponds to his position in the org structure of the enterprise.

PPOME - A Sample Org Hierarchy

Consider the access for "Mister Director". In the case of direct role assignment, any role would be assigned to the user id of "Mister Director" through SU01 or PFCG. Now let's consider that "Mister Director" gets promoted to be the CEO of "IDES Root" and a new person comes to take his place. However, since the roles for the India Director were directly assigned to his user id, he will continue to keep his old access even in his new position. Also, the new person filling the position of "Director - India" will have to be manually assigned enough access to enable him to do his job. This same situation will repeat for every transfer, promotion, demotion (and most other org changes in general) that takes place in an enterprise. For an enterprise with more than a few thousand employees, the effort involved in keeping user access in sync with the org hierarchy is substantial. In addition to the monetary cost of the effort, there is a time penalty, as users would need to wait for the User Admin team to adjust their security before they can start using SAP. Indirect role assignment comes to the rescue in such situations and, if configured correctly, can reduce the routine maintenance effort appreciably. In indirect assignment, instead of directly assigning the roles to the user id of "Mister Director" we assign the roles to the position "Director India" (the standard SAP configuration allows role assignments to the OM objects Position, Org Unit, Work Center and Task, which can be used depending on the business case), such that any user occupying the position would automatically get the access needed for "Director India". There are four technical prerequisites for the use of indirect role assignment through Org Mgmt.

An active planning version must be defined in the system. Roles/profiles are assigned to the OM objects defined in the active plan.
The User and Personnel masters are linked via IT 0105 (Communication) subtype 0001 (system id). This translates to maintaining the SAP user id for a user in IT 0105, subtype 0001, for the user's personnel number with an active validity date.
The HR_ORG_ACTIVE customizing switch is set to YES in the PRGN_CUST table, either as the default value or as an entry in the table.
The evaluation path US_ACTGR is defined and suitably adjusted in the system. The evaluation path is actually used by SAP to assign roles to the users during user comparison and is the last and most vital cog in the wheel. The screenshot below shows the default definition of the evaluation path in OOAW.

OOAW - Definition of US_ACTGR evaluation path

Once the above prerequisites are met, we can just go ahead and create indirect role assignments between roles and HR objects. Indirect role assignment through PFCG can be accessed through the "Organization Management" button shown below. The blue lines correspond to indirect role assignments.

PFCG - Indirect Role Assignment through OM

Clicking the Org Mgmt button opens the screen below, where we can check the existing assignments for the role (both direct and indirect). New role assignments can be created using the highlighted button.

PFCG - Indirect Role Assignment through OM 2

Roles can also be assigned through PP01. An indirect role assignment is a relationship between object type AG (Activity Group or Role) and HR objects like positions, org units, etc. The screen below shows a new assignment (relationship B007) between the user's position and the role object (object type AG).

PP01 - Create B007 relation between S and AG

The final step in the process of indirect role assignment is to copy the roles from the HR objects to the users. One of the most common ways to achieve this is to execute the PFUD transaction with the option for HR reconciliation checked. In productive systems, this program is normally scheduled to run every day at midnight to sync user access with a changing org structure.
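The "Mister Director" scenario and the reconciliation step can be followed end to end with an added Python model, which is not part of the original post and not SAP's code. The object ids, the role names Z_CEO, Z_DIR_INDIA and Z_INDIA_COMMON, the user ids in IT0105 and the dates of the promotion are constructed; the path lines named US_ACTGR here are constructed to follow person, position, org unit and role in the directions the text describes (B008 holder, B007 role assignment, A003 belongs to) and are not the delivered definition; pfud_hr_reconciliation is a stand-in for the HR reconciliation that PFUD performs.

```python
"""Constructed model of indirect role assignment through OM: roles (object
type AG) related to positions and org units, persons holding positions, users
linked to persons via IT 0105 subtype 0001, and a PFUD-style reconciliation
that derives each user's roles from the structure.  Not SAP's own code."""
from collections import deque
from datetime import date

FOREVER = date(9999, 12, 31)

# HRP1001-style rows: (source, rsign, relat, target, begda, endda); objects
# are (object type, object id) tuples.  Constructed sample data.
O_ROOT, O_INDIA = ("O", "50000001"), ("O", "50000002")
S_CEO, S_DIR = ("S", "50000009"), ("S", "50000010")
P_DIR, P_NEW = ("P", "00001001"), ("P", "00001002")
AG_CEO, AG_DIR, AG_INDIA = ("AG", "Z_CEO"), ("AG", "Z_DIR_INDIA"), ("AG", "Z_INDIA_COMMON")
HRP1001 = [
    (S_DIR, "A", "003", O_INDIA, date(1900, 1, 1), FOREVER),  # position belongs to org unit
    (S_CEO, "A", "003", O_ROOT, date(1900, 1, 1), FOREVER),
    (S_DIR, "B", "007", AG_DIR, date(1900, 1, 1), FOREVER),   # role assigned to position
    (S_CEO, "B", "007", AG_CEO, date(1900, 1, 1), FOREVER),
    (O_INDIA, "B", "007", AG_INDIA, date(1900, 1, 1), FOREVER),  # role inherited from org unit
    # "Mister Director" holds the India position until end of 2023, then the CEO one
    (P_DIR, "B", "008", S_DIR, date(2015, 1, 1), date(2023, 12, 31)),
    (P_DIR, "B", "008", S_CEO, date(2024, 1, 1), FOREVER),
    (P_NEW, "B", "008", S_DIR, date(2024, 1, 1), FOREVER),  # successor takes over
]
IT0105 = {"00001001": "MDIRECTOR", "00001002": "NEWPERSON"}  # pernr -> SAP user id

# Path lines used at reconciliation time (source type, rsign, relat, target
# type): person -> position -> role and position -> org unit -> role.
US_ACTGR = [("P", "B", "008", "S"), ("S", "B", "007", "AG"),
            ("S", "A", "003", "O"), ("O", "B", "007", "AG")]

BEFORE_PROMOTION, AFTER_PROMOTION = date(2023, 6, 1), date(2024, 1, 15)


def roles_for_person(pernr, key_date):
    """Role names reachable from the person on `key_date` along US_ACTGR,
    following only relationships valid on that date."""
    start = ("P", pernr)
    found, seen, frontier = set(), {start}, deque([start])
    while frontier:
        obj = frontier.popleft()
        for src_type, rsign, relat, tgt_type in US_ACTGR:
            if src_type != obj[0]:
                continue
            for src, rs, rl, tgt, begda, endda in HRP1001:
                if (src, rs, rl) != (obj, rsign, relat) or tgt[0] != tgt_type:
                    continue
                if not (begda <= key_date <= endda) or tgt in seen:
                    continue
                seen.add(tgt)
                if tgt[0] == "AG":
                    found.add(tgt[1])
                else:
                    frontier.append(tgt)
    return found


def pfud_hr_reconciliation(key_date):
    """Per user id, the roles derived from the org structure on `key_date`."""
    return {user: roles_for_person(pernr, key_date) for pernr, user in IT0105.items()}


def reconciliation_delta(before, after):
    """What a reconciliation run has to add and remove per user."""
    return {u: {"add": after.get(u, set()) - before.get(u, set()),
                "remove": before.get(u, set()) - after.get(u, set())}
            for u in set(before) | set(after)}
```

Run for a key date before the promotion, the director's user gets the India director role plus the role inherited from the India org unit; run after it, those roles move to the successor's user and the director's user receives only the CEO role, which is exactly the adjustment a direct assignment would need a manual change for.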

PFUD - User Master Reconciliation

The critical success factor for indirect role assignment is to understand how correctly your org hierarchy mirrors the roles and responsibilities of your users. Some of the questions that need to be discussed with your business owners, functional consultants and security team are:

What is the correlation between the roles/responsibilities of users and their position in the org structure?
Who will be responsible for maintaining the org structure, and how frequently?
Will users need their old access even if they move to a new position?
How will contractors be given access? Contractors are normally not part of the org structure and don't occupy a position. So do you continue to directly assign roles to contractors, or do you link them to the org structure in some way (for example through positions/jobs/tasks)?

Are you only concerned about a central ECC system, or are there other systems in the landscape (BW, CRM, SRM, APO, etc.)? Will the roles assigned in these other systems also be determined by the users' positions in ECC?

Pro"ile Assignment 8ia OM


In the last article we looked at the process of indirect role assignment through OM objects. SAP provides another option to achieve indirect assignment of security through the org structure of the enterprise. This method involves indirect assignment of authorization profiles. Though much less common nowadays, as most companies have moved to a system where access is based on roles instead of authorization profiles, there is really nothing preventing its use even in a role-based system. The basic concept of indirect assignment remains the same. Instead of creating B007 relationships between the user's position and object type AG, we maintain info type 1016 for the position with the profile names. An example screenshot is given below. Through configuration, it's also possible to maintain IT 1016 for other org objects like jobs, org units, tasks, etc.

PP01 - Create IT 1016 (Standard Profiles)

To copy the pro"iles "rom HR objects to users4 the report RHPRO:@- is used +ith the options sho+n belo+) -his report can also be scheduled to run in the back#round everyday at midni#ht to sync up user access !both P) profiles and #eneral authori,ation profiles& with a chan#in# or# structure"

RHPROFL0 - Copy IT 1016-1017 values to users

HR Processes and Forms


A growing tendency of HR departments around the world has been to decentralize the maintenance of HR data. So instead of one major services department handling the data for the entire organization, we are moving towards a situation where each department has its own HR representative who owns the data for the department's employees. Even for organizations using a shared services model for HR, the trend is to simplify data entry procedures so that even HR analysts with limited exposure to SAP transactions can get their jobs done efficiently. It was from this need to simplify the user interface that SAP came up with the concept of HR processes and forms. The technology is based on Adobe forms and is as such more intuitive for a beginning user than SAP transactions. To a large extent, a process maps to an HR action like hire, transfer or retire. Each process in turn is tied to one or more forms which the HR administrator fills up with data. There is provision to do data validation during the submission of the forms, to ensure that the data entered makes sense. Workflows can be configured so that, on submission of the forms, the process is routed to one or more levels of approval before the action actually comes into effect. Most processes are exposed to end users through portal links. Before looking at the security aspects of a process, let's first look at how a process looks to an HR Administrator. Before an administrator can start a process, he first needs to choose a start object. The start object can be an employee (like in the example below) or an OM object (like a position or org unit).

Select an Employee for a Process

After choosing the start object, the administrator would need to select the actual process for the start employee. On selection, an Adobe form opens up where data can be entered. The fields and validations in the form are part of the configuration done by HCM functional consultants.

Start process for an employee

Security around HR forms and processes is highly customizable by config settings for each process. SAP has introduced a new authorization object, P_ASRCONT (Authorization for Process Content), to restrict access to processes and forms. Further, configuration in SPRO allows us to use just this object, the standard HR objects for securing personnel data (P_ORGIN, P_ORGXX), or both for securing process contents. The details of this object are given below.

Authorizations for processes 1

The activities field value allows HR administrators to read, process, approve or submit forms or processes. The authorization scope value of 1 or 2 allows them to access a process either only when they themselves are the target object, or for all target objects except their own. This is important, as ideally we wouldn't want an administrator to give themselves a raise. The Content Type field takes two values, P for Processes and F for Forms. Finally, we also have the Content Group field, which is similar in use to a table or program authorization group. This free-form text field allows us to group access for similar processes/forms for a select group of users. The same text value needs to be maintained in the process groups for each form and process that we would like to secure. This portion of the work is performed by the functional consultant and is out of scope for the security administrator.

Specifying a process group for a process

In the example given earlier and the one right below, we have used two authorizations. We have used the content group ZEMPLOYEE to group the processes that an employee should be able to start for his own pernr, and this is maintained as part of the Employee Self Service access. The HR Administrator access, on the other hand (given below), allows them to start any HR process. The HR administrators are, however, prevented from starting these processes for their own pernrs.
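The two authorizations just described (the self-service one on content group ZEMPLOYEE with scope "own target only", and the HR administrator one with scope "all targets except own") can be checked with an added Python model, which is not part of the original post and not SAP's code. The attribute names follow the page's labels (activities, authorization scope, content type, content group) rather than SAP's technical field names; the activity labels, the content group ZHR_SALARY and the personnel numbers are constructed, and "starting" a process is modelled as the submit activity on content type P. The optional pa_check argument stands for the separate PA master-data check that the SPRO configuration can require in addition to P_ASRCONT.

```python
"""Constructed model of the P_ASRCONT check for HR processes and forms, as the
text describes it.  Attribute names follow the page's labels, not SAP's
technical field names; activity names are constructed.  Not SAP's own code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

ACTIVITIES = ("read", "process", "approve", "submit")
SCOPE_OWN_ONLY, SCOPE_ALL_BUT_OWN = "1", "2"


@dataclass(frozen=True)
class ProcessAuth:
    activities: frozenset
    scope: str          # "1": only when the user is the target; "2": every target except the user
    content_type: str   # "P" = process, "F" = form
    content_group: str  # free text matched against the group set on the process/form; "*" allowed


def p_asrcont_allows(auths, user_pernr, target_pernr, content_type, content_group, activity):
    """True when at least one authorization covers the activity, the content
    type, the content group and the user/target relation its scope demands."""
    if activity not in ACTIVITIES:
        raise ValueError(f"unknown activity {activity!r}")
    own_pernr = user_pernr == target_pernr
    for a in auths:
        if activity not in a.activities or a.content_type != content_type:
            continue
        if not fnmatchcase(content_group, a.content_group):
            continue
        if a.scope == SCOPE_OWN_ONLY and not own_pernr:
            continue
        if a.scope == SCOPE_ALL_BUT_OWN and own_pernr:
            continue
        return True
    return False


# Employee Self Service: processes in the constructed group ZEMPLOYEE, own pernr only.
ESS_AUTHS = (ProcessAuth(frozenset({"read", "submit"}), SCOPE_OWN_ONLY, "P", "ZEMPLOYEE"),)
# HR administrator: any process or form, for everyone except themselves.
HR_ADMIN_AUTHS = (ProcessAuth(frozenset(ACTIVITIES), SCOPE_ALL_BUT_OWN, "P", "*"),
                  ProcessAuth(frozenset(ACTIVITIES), SCOPE_ALL_BUT_OWN, "F", "*"))


def may_start_process(auths, user_pernr, target_pernr, group, pa_check=None):
    """Starting a process is modelled as 'submit' on content type P.  `pa_check`,
    if given, is the separate PA master-data check (P_ORGIN/P_ORGXX) that the
    SPRO configuration can require in addition to P_ASRCONT."""
    if not p_asrcont_allows(auths, user_pernr, target_pernr, "P", group, "submit"):
        return False
    return pa_check is None or pa_check(user_pernr, target_pernr)
```

The employee can start only ZEMPLOYEE processes and only for his own pernr; the administrator can start any process for anyone but himself, and when a PA master-data check is configured as well, failing that check still blocks the process.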

Authorizations for processes 2
