hr security


Upload: roys-palnati-s

Post on 15-Oct-2015


  • 5/25/2018 HR Security


    HR Security

    Introduction on Authorizations

    Authorization objects enable complex checks of an authorization, which allows a user to carry out an action. An authorization object can group up to 10 authorization fields that are checked in an AND relationship.

    For an authorization check to be successful, all field values of the authorization object must be maintained accordingly. The fields in an object should not be seen as input fields on a screen. Instead, fields should be regarded as system elements, such as infotypes, which are to be protected.

    You can define as many system access authorizations as you wish for an object by creating a number of allowed values for the fields in an object. These value sets are called authorizations. The system checks these authorizations in OR relationships.

    SAP HR Asymmetrical Double Verification

    In this procedure, two users are always required to be able to create or change an infotype's data. Here, the users do not have the same authorizations, which is why the process is called asymmetrical. User A is granted authorizations with the authorization level E (enqueue), R (read) and M (match code) for the P_ORGIN (or P_ORGXX) authorization object instead of complete write authorizations (authorization level W or *). These authorizations allow the user to create, change or delete locked records only. User B is granted authorizations with the authorization level D (dequeue), R and M for the authorization object P_ORGIN (or P_ORGXX) instead of complete write authorizations. These authorizations allow the user to unlock locked records (or lock unlocked records) only.

    New data is entered by user A and unlocked by user B. Existing data can be changed in two ways: User B locks the data, user A changes the data, and user B unlocks the data again. Alternatively, user A creates a locked copy from the unlocked data and changes this copy. User B then unlocks the data. To delete unlocked data, user B locks the data which is then deleted by user A.

    In this process, user A is always responsible for entering and changing data and user B for approving the changes.

    SAP HR Symmetrical Double Verification

    In this procedure, two users are always required to be able to create or change an infotype's data. The users have the same authorizations for this. Both users are granted authorizations with the authorization level S (symmetric), R (read) and M (match code) for the P_ORGIN (or P_ORGXX) authorization object instead of complete write authorizations (authorization level W or *). These authorizations allow each user to create locked data records, change locked data records, and relock unlocked data records. In addition, each user can unlock data as long as he or she is not the last person to have changed the locked data. Neither user can delete data.


    New data is created by user A (or user B) and locked by user B (or user A).

    To change existing data: user A (or user B) locks and changes the data and user B (or user A) unlocks the data.

    Another user must be consulted to delete existing data.
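
    The two double verification procedures above, modelled as an added example (not SAP code and not part of the original document). The `Record` class, the action names and the user names A and B are assumptions made for illustration; the levels E, D, S, W and * and their permitted actions are the ones the text describes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Record:
    locked: bool
    last_changed_by: str

def allowed(level: str, action: str, user: str, rec: Optional[Record] = None) -> bool:
    """May `user`, holding one authorization level, perform `action`?"""
    if level in ("W", "*"):                      # complete write authorization
        return True
    if action == "create":                       # E and S create locked records only
        return level in ("E", "S")
    if rec is None:
        return False
    if level == "E":                             # asymmetrical: data entry (user A)
        return rec.locked and action in ("change", "delete")
    if level == "D":                             # asymmetrical: approval (user B)
        return action == ("unlock" if rec.locked else "lock")
    if level == "S":                             # symmetrical: no delete at all
        if action == "unlock":                   # never by the last changer
            return rec.locked and rec.last_changed_by != user
        return action == ("change" if rec.locked else "lock")
    return False                                 # R, M: no write access

def apply(level: str, action: str, user: str,
          rec: Optional[Record] = None) -> Optional[Record]:
    """Perform the action or raise PermissionError; returns the resulting record."""
    if not allowed(level, action, user, rec):
        raise PermissionError(f"{user} (level {level}) may not {action}")
    if action == "create":
        return Record(locked=level in ("E", "S"), last_changed_by=user)
    if action == "delete":
        return None
    if action == "change":
        rec.last_changed_by = user
    else:                                        # lock / unlock
        rec.locked = (action == "lock")
    return rec
```

    Records created under E or S stay locked until a second user unlocks them, which is the property an audit of these authorizations should confirm: no single user holds both sides of the procedure, or W or *, for the same infotype.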

    Authorization Objects of HR Class

    P_CH_PK (HR-CH: Pension Fund: Account Access)

    Authorization object that is used during the authorization check for access to pension fund accounts (PF Accounts). This check takes place in transactions or reports that process account data.

    P_DE_BW (HR-DE: Statements SAP Script)

    Authorization object that enables you to determine the authorization check within statements (with SAP Script) for Payroll Germany.

    P_DK_PBS (HR-DK: Authorization Check for Access to PBS Company)

    Authorization object that is used during authorization checks for PBS companies.

    P_PYEVDOC (HR: Posting Document)

    Authorization object that is used to protect actions on posting documents.

    P_OCWBENCH (HR: Activities in the Off-Cycle Workbench)

    Authorization object that is used during the authorization check for the off-cycle workbench. The P_OCWBENCH authorization object ensures that each administrator sees only the off-cycle activities that he or she is authorized to perform.

    P_BEN (HR: Benefit Area)

    Authorization object that is used during the authorization check for benefits. This check takes place when benefit tables are edited or read.

    P_CATSXT (HR: Time Sheet for Service Providers Type/Level Check)

    Authorization object that is used during the authorization check for task type and task level in the Time Sheet for Service Providers.

    P_PE01 (HR: Authorization for Personnel Calculation Schemas)

    Authorization object that is used during the authorization check for personnel calculation schemas.

    P_PE02 (HR: Authorization for Personnel Calculation Rule)


    Authorization object that is used during the authorization check for personnel calculation rules.

    P_HRF_INFO (HR: Authorization Check InfoData Maintenance for HR Forms)

    Authorization object that is used during the authorization check for the processing of infotypes for HR Forms.

    P_HRF_META (HR: Authorization Check Master Data Maintenance for HR Forms)

    Authorization object that is used during the authorization check for HR Forms.

    P_CERTIF (HR: Statements)

    Authorization object that is used in Statements to check which tasks an administrator is authorized to perform.

    P_APPL (HR: Applicants)

    Authorization object that is used during the authorization check of Recruitment infotypes. The checks take place when applicant infotypes are edited or read.

    P_PYEVRUN (HR: Posting Run)

    Authorization object that is used during the authorization check for posting runs.

    P_PCLX (HR: Clusters)

    Authorization object that is used during the authorization check for access to PCLx HR files (x = 1, ...), using the PCLx buffer (interface supported by HR).

    P_PCR (HR: Payroll Control Record)

    Authorization object that is used during the authorization check for payroll control record.

    P_ABAP (HR: Reporting)

    Authorization object that is used during the authorization check for HR Reports.

    P_ORGIN (HR: Master Data)

    Authorization object that is used during the authorization check for HR infotypes. The check takes place when HR infotypes are edited or read.

    P_PERNR (HR: Master Data - Personnel Number Check)


    Authorization object that is used to assign users different authorizations for accessing their own personnel number. These authorizations differ from those defined in users' P_ORGIN profiles. If this check is active and the user has been assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures. This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own.

    P_ORGXX (HR: Master Data - Extended Check)

    Authorization object that is used during the authorization check for HR infotypes. The check takes place when HR infotypes are edited or read.

    P_TCODE (HR: Transaction Code)

    Authorization object that is used to check whether a user is authorized to start the different HR transactions. The transaction code is checked.

    P_USTR (HR: US Tax Reporter)

    Authorization object that is used during the authorization check for simulation and update runs of the US Tax Reporter (Transaction PU19).

    PLOG (Personnel Planning)

    Authorization object that is used to check the authorization for specific fields in the Personnel Management components (Organizational Management, Personnel Development, Training and Event Management).

    P_NNNNN (HR: Master Data: Customer-Specific Authorization Object)

    Authorization object that does not yet exist in the system and that is created by you.

    P_ORGINCON (HR: Master Data


    (1 that are customer-specific and if you want to implement the context solution, you can include an authorization object in the authorization checks yourself. In the standard system, the check of this object is not active. You can use the AUTSW NNCON authorization main switch to control the use of the customer-specific authorization object.

    Structural Authorizations

    Structural profiles are assigned in a different way to general authorization profiles. To assign structural profiles, you use table T77UA (User Authorizations = Assignment of Profile to User), not Role Maintenance (PFCG transaction) as with general authorization profiles. The authorization profiles are specified in the T77PR table (Definition of Authorization Profiles). You can protect (sub)structures by making relevant entries in this table.

    A user's Overall Profile is determined from the intersection of his or her structural and general authorization profiles, when you use both structural and general authorizations. The structural profile determines which object in the hierarchical structure the user has access to; the general profile which object data (infotype, subtype) and which type of authorization (Read, Write, ...) the user has for these objects. The access mode for authorization objects in HR Master Data is determined in the AUTHC field (Authorization Level).
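
    A small model of the overall profile described above, combined with the AND/OR evaluation from the introduction, as an added example (not SAP code and not part of the original document). The user name, object IDs and value sets are constructed; INFTY and SUBTY are used as the field names for infotype and subtype, the structural profile is simplified to a flat set of objects, and authorization levels are compared as plain values.

```python
# Constructed sample data: user name, object IDs and value sets are hypothetical.
STRUCTURAL = {"HRADMIN1": {"O 50000100", "P 00001001", "P 00001002"}}
GENERAL = {"HRADMIN1": [                      # authorizations for one object
    {"INFTY": {"0002", "0006"}, "SUBTY": {"*"}, "AUTHC": {"R", "M"}},
    {"INFTY": {"0006"}, "SUBTY": {"1"}, "AUTHC": {"E"}},
]}

def field_ok(allowed: set, value: str) -> bool:
    """One field matches if its value set contains the value or the wildcard."""
    return "*" in allowed or value in allowed

def general_ok(user: str, request: dict) -> bool:
    """OR across authorizations, AND across the fields inside each one."""
    return any(
        all(field_ok(auth.get(field, set()), value)
            for field, value in request.items())
        for auth in GENERAL.get(user, [])
    )

def overall_ok(user: str, obj: str, **request: str) -> bool:
    """Overall profile = structural profile intersected with general profile."""
    return obj in STRUCTURAL.get(user, set()) and general_ok(user, request)
```

    Field values are never combined across authorizations: level E on infotype 0006 in the second authorization does not grant E on infotype 0002, even though both values appear somewhere in the user's profile.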

    Steps to do Structural Authorization:

    Step 1: TC OOAC (table T77S0)

    Activate the Structural Authorization switch

    Step