SAP HR/PY Structural Authorisations

June 11th, 2008 Posted in Configuration, Security

I had added a new developer to the customer’s HR/PY landscape, but they couldn’t see any of the Employee Data in the Development or QA system. According to SU01, the roles and profiles were identical to a developer who could see the data.

After hunting around my disks (because it has happened to me before !!), I found a note about Table T77UA, which has prompted this reminder to both myself and any one else who has to work with HR/PY Developers.

HR Security

HR Security comprises the General Authorisation Profiles as managed by Role Maintenance (transaction PFCG), plus Structural Profiles.  To assign Structural Profiles, you use table T77UA (User Authorizations = Assignment of Profile to User).  The Structural Authorisation’s themselves are specified in the T77PR table (Definition of Authorization Profiles).  You protect structures (or substructures) of the Organisational Chart by making relevant entries in this table.

  1. When you use both Structural and General Authorisations , a user’s Overall Profile is determined from the intersection of the two.
  2. The structural profile determines which object in the hierarchical structure the user has
    access to;
  3. The general profile determines which object data (infotype, subtype) and which type of
    authorization (Read, Write, …) the user has for these objects.
  4. The access mode for authorization objects in HR Master Data is determined in the AUTHC field (Authorization Level).

Steps to do Structural Authorisation:

  1. Use transaction OOAC (updates table T77S0) to Activate the Structural Authorisation switch
  2. Use transaction  OOSP (updates table T77PR) to Create Structural Authorisation profiles. You protect (sub)structures by making relevant entries in this table.
  3. Assign regular Role Authorisation via PFCG.
  4. Assign Structural Authorisation profile to User Id. Apparently, some releases have a report RHRPROFL0 that you can use to assign the object id. However, I use transaction SM30 to update Table – T77UA (User Authorizations = Assignment of Profile to User).
  5. Organizational Plans are created using PPOCE
This entry was posted on Wednesday, June 11th, 2008 at 12:42 pm and is filed under Configuration, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
blog comments powered by Disqus