This document describes how the Structural Authorization, its importance and the configuration steps. It
can be used as a best practice which includes test scenarios.
Explanation was given with the help of screenshots, but please do not expect that all the possible
customizing options are shown with screenshots. While going through this document, try to access your
own system for perfect understanding.
Authorizations
Authorizations control system users access to system data and are therefore a fundamental prerequisite
for the implementation of business software.
General Authorizations
o Single Role
o Composite Role
role
Structural Authorization
The Structural Authorization determines to which object/objects in the organizational structure the user
has an access.
It describes the special authorizations that you can define in Personnel Planning and Development in
addition to the basic access authorizations
The General Authorization determines which object data (infotype, subtype) and which access mode
(Read, Write ...) the user has an access.
General Data
Structural Authorizations will be assigned to Users with Structural Profiles in table T77UA (User
Authorizations) or using Transaction Code OOSB.
Initially system checks the table T77UA consists of Username with a Structural Profile attached to it or not.
If there is no entry in the table T77UA for the user, then the system checks whether the User is assigned
with profile SAP*, else authorization is denied.
In the standard system, there will be a User Name - SAP* assigned with Profile - ALL, which means,
when we first implement mySAP HR, all users have complete authorization concerned to Structural
Authorization.
Note: If you delete the SAP* row, no user can pull the report for any standard org Structure. (Never
ever delete the standard entry)
IMG Configuration
Step 1
Node
Transaction Code
Table Name
Save it.
Authorization Profile: (Mandatory)
No: (Optional)
Sequential Number
Enter the Plan Version to which the profile is authorized for the Organization Plan
Enter an Object ID of the mentioned Object type. So that employee can access the Org Units
under that object.
o When you work with infotype records, this field allows you to use the Fast entry feature.
Fast entry enables you to create numerous infotype records without having to exit and reenter the infotype window.
To select the object that the infotype record should belong to, either:
Enter the object's eight-digit code
Use the matchcode feature to search for the object
Maintenance (Optional)
Enter the Evaluation Path to focus on the objects involved in the relationship of Evaluation Path or
can leave it as blank.
Use this field to identify the status that a Relationship infotype must have in order for an object to
be reported on.
1 active
2 planned
3 submitted
4 approved
5 rejected
NOTE:
By Default value 1 (active) is used as the status vector.
Depth (Optional)
Contains a number from one to six digits that corresponds with the different levels of an
organizational structure (one being the highest level, and all subsequent numbers representing
lower levels).
The level number determines how much information is SHOWN in an inquiry/report
If you do not wish to limit report documentation, leave the field blank
Sign (Optional)
The +/- sign is only used, if structural authorization profiles are to be created that are to process
the structure "from top to bottom",
Example:
An authorization profile should only allow persons within the organizational structure to be
accessed.
Period (Optional)
Use this field if you want to restrict the authorization according to the validity period of the
structure.
D
M
Y
P
F
All
Key date
Current
month
Current
year
Past
Future
This field allows you to specify a function module to determine the root object of the structural
authorization.
For more information on function modules, refer to the IMG under Maintain PD Profiles.
Step 2
Node
Transaction Code
Table Name
Note:
If you delete the SAP* row, no user can pull the report for any standard org Structure.
Go to New Entries and give below details
Authorization Profile
Start Date
: From which date the user should have an access for the mentioned profile
End Date
: Till what date the User can have the access for the mentioned profile
Exclusion
Conclusion
As per the configured profile, Employee with username TRAIN_INDIA3 will have access to view Org
Units only.
Example 1
Transaction Code
S_AHR_61016494
Organizational Structure with Positions
Object Type
Evaluation Path : O_S_P (System takes the evaluation path which contains Org Units only. As the profile is
authorized only for Org Units)
Click on Execute.
Output will be displayed with only Org Units. Positions and Persons will not be displayed.
Actual Screen will be displayed as below, with all the org units, positions and persons. If we havent
assigned any profile to the User.
Example 2
Selected the above report S_AHR_61016494 Organizational Structure With Positions.
Below Screen will be displayed.
Selected the inputs
Plan Version
Object Type
: S - Position (In the TEST 1, Org Unit O is selected. Check the output if we select S)
Evaluation Path : O_S_P (System takes the evaluation path which contains Org Units only. As the profile is
authorized only for Org Units)
Click on Execute.
Output will be displayed with Blank Page, as the authorization exists for Org Units only.
Function Modules
Enter one of the following function modules in SE37