Main HR Authorization Object for Security
Some of the main HR authorisation objects are:
A D V E R T I S E M E N T
Object: PLOG Personnel Planning
Fields: PLVAR Plan Version
OTYPE Object Type
INFOTYP Infotype
SUBTYP Subtype
ISTAT Planning Status
PPFCODE Function Code
Definition:
The present object is used by the authorization check for PD data.
Field Details:
PLVAR - Plan version This field defines which plan version(s) the user may
access.
OTYPE - Object type This field defines which object types the user may access.
INFOTYP - Infotype This field defines, which infotypes, that is, attributes, of
an object the users (generally) may access.
SUBTYP - Subtype This field determines which subtypes the user may access for
given infotypes.
Relationships are special subtypes for infotype 1001. Consequently, the
relationships for which a user should have access authorization can also be
limited in this field.
ISTAT_D - Planning status This field determines in which planning status the
user may access information.
OKCODE - Function code This field defines for which type of information
processing (Display, Change ) the user is authorized.
The possible values are defined in table T77FC. This protection against
unauthorized access is extended by the structural authorization check. Two types
of function codes are distinguished in HR management. By marking the processing
method Maintenance in table T77FC the function codes are indicated, with which
objects may be maintained within the structure; Otherwise, only Display is
allowed. The function code has effects in connection with the structural
authorization. In table
T77PR, authorization profiles can be indicated which are to have maintenance
authorization for the structure. Without this authorization, you can only
display structures. Consequently, the overall authorization results from the
intersection between basis authorization and structural authorization.
Object: P_ABAP HR: Reporting
Fields: REPID ABAP Program Name
COARS Degree of simplification for authorization check
Definition:
The authorization object HR reporting (P_ABAP) is used in many ways:
HR Reporting with HR Reporting are reports with the RE.SAPDBPNP logical database
PNP .
Report: RPUAUD00 Logged changes in infotype data
Processing person-related data using payment medium programs from Accounting.
To 1. You can use the relevant authorization for these objects to control how
the objects UO.P_ORGIN HR: Master data (P_ORGIN), UO.P_ORGXX HR: Master data -
extended check (P_ORGXX) and CHAP.OHIX0010 structural authorization check are
used in specified reports to check the authorization for INFTY HR infotypes . In
this way, you can carry out a fine-tuned control on reports for infotype
authorization. This can be useful for functional reasons or to improve
performance at runtime of the corresponding reports.
For this object, specify the report name(s) and the degree of simplification to
be used for the authorization check.
Note:
Note that this object differs from the object UO.S_PROGRAM ABAP: Program run
checks . The latter is used for general program authorization checks. In HR
reports, these checks are carried out in addition to the HR infotype
authorization check. HR: Reporting , however, overrides the HR infotype
authorization check for selected reports, with the result that the authorization
checks are weakened or completely switched off.
Examples:
In your company, the authorization for infotypes is, for example, independent of
the authorization for specific organizational units (one administrator may be
authorized to access address, personal and education data only for personnel
area 0101 - but not for address data in personnel area 0101 and personal data in
personnel area 0102). If you enter 1 in the Degree of
simplification field, the above facts are taken into account in the specified
report and the check is carried out more quickly for a user with this
authorization. If certain HR reports are not critical (telephone lists etc.) and
authorization protection is not required, enter the report name and = * in the
Degree of simplification field. The system then checks whether the person
starting the report is authorized to do so (object - ABAP/4: Program run
checks), but performs no other checks (object - HR: Master data).
In your company, one user may have access to all HR infotype data. For this
user, enter * in the Report name and Degree of simplification fields. The system
then only checks whether this user is authorized to start the report in question
but not whether he/she is authorized to display the requested HR infotype data.
A time adminstrator should carry out time evaluations (report HR: Time - time
evaluation (RPTIME00) for employees with the organizational key 0001TIMEXXX .
For certain additional information that is needed internally (the program user
either cannot see this, or can only partially see it), the Basic pay infotype
(0008)must be imported, for example, to time
evaluation. To carry out time evaluation, the administrator must therefore have
display authorization for the Basic pay infotype (0008). If the administrator is
not to have display authorization for this infotype, the read authorization for
the Basic pay infotype can be restricted for individuals with the organizational
key 0001TIMEXXX for the report HR: Time - Time
evaluation (RPTIME00). For this, use the following authorization
Object HR: Master data (P_ORGIN) (two authorizations)
Infotype 0008 ' '
Subtype * ' '
Authorization level R ' '
Organizational key ' ' 0001TIMEXXX
Object HR: Reporting (P_ABAP)
Report name RPTIME00
Degree of simplification 1
In this way, a simple check is carried out for the authorization check
infotype in conjunction with the report HR: Time - Time evaluation (RPTIME00):
The infotype, subtype, level are checked, and then, independently, the
organizational assignment (in the example, the Organizational key field)
(according to degree of simplification 1 ). In report HR: Time - Time
evaluation
(RPTIME00), infotype Basic pay (0008) can also be read. However, if the check is
not in conjunction with the report HR: Time � Time evaluation (RPTIME00), all
fields of the object HR:
Master data (P_ORGIN) are checked together, but in this way there is no read
access to the Basic pay infotype (0008). TO 2. Evaluations of the logged changes
in infotype data are subject to infotype authorization checks. However, usually,
someone, who starts such an evaluation, has extensive authorizations. In this
case, it is useful, in order to ensure improved
performance, to do without the check of individual data and instead, grant the
user global authorization for logging evaluations using the report Logged
changes in the infotype data (RPUAUD00). For this, use an authorization for the
object, by specifying the value RPUAUD00 in the Report name field, and the value
2 in the Degree of Simplification field. To 3 The payment medium program of
accounting processes, in particular, confidential personal data. In addition the
check to see whether the user is authorized to start the program, a check to see
whether the corresponding authorization exists for the object is also carried
out, as an additionl security measure : The name of the payment medium program
must be entered in the Program name field, the value 2 (or * must be entered in
the Degree of simplification field.
Field Details:
Report name
COARS Degree of simplification
Object: P_APPL HR: Applicants
Fields: INFTY Infotype
SUBTY Subtype
AUTHC Authorization level
PERSA Personnel Area
APGRP Applicant group
APTYP Applicant range
VDSK1 Organizational Key
RESRF Personnel officer responsible for application
Definition:
This object is used for the applicant data authorization check. This check is
carried out when INFTY applicant infotypes are edited or read. When a
transaction for editing applicant data is accessed, the system first checks
whether the user has the minimum authorization. Depending on the transaction
this may be write authorization or read authorization ( AUTHC_D authorization
level = '*' or R). If the user has the minimum authorization, a further and more
detailed authorization check is carried out within the transaction itself.
Field Details:
INFTY Infotype
SUBTY Subtype
AUTHC_D Authorization level
PERSA Personnel area
APGRP Applicant group
APTYP Applicant range
VDSK1 Organizational key
RESRF Personnel officer responsible for applicant
Object: P_ORGIN HR: Master Data
Fields: INFTY Infotype
SUBTY Subtype
AUTHC Authorization level
PERSA Personnel Area
PERSG Employee Group
PERSK Employee Subgroup
VDSK1 Organizational Key
Definition:
The object HR: Master data (P_ORGIN) is used for authorization checks of
personal data. Checks are performed only when INFTY HR infotypes are edited or
read.
When you call up a transaction for editing of personal data, the system checks
that you at least have one read authorization ( AUTHC_D authorization level R).
If you do, a more specific authorization check is carried out within the
transaction. In HR reports that use the <DS:RE.SAPDBPNP logical database PNP ,
the system checks whether the user has a read
authorization for all infotypes before it displays the selection screen. This is
then followed by a more precise check for each selected person. The
authorization objects .S_PROGRAM ABAP/4:
Program run checks and UO.P_ABAP HR:
Reporting must also be taken into account.
Note that values specified for the individual fields do not generally contain
other values. The value ' ' must therefore be specified explicitly. The value '
' must always be used for the subtype field (reason: the field is initial if the
infotype does not support any subtypes, or if the subtype has not been
specified).
Field Details:
INFTY Infotype
SUBTY Subtype
AUTHC_D Authorization level
PERSA Personnel area
PERSG Employee group
PERSK Employee subgroup
VDSK1 Organizational key
Object: P_ORGXX HR: Master Data - Extended Check
Fields: INFTY Infotype
SUBTY Subtype
AUTHC Authorization level
SACHA Payroll Administrator
SACHP Administrator for HR Master Data
SACHZ Administrator for Time Recording
SBMOD Administrator Group
Definition:
The object HR: Master data - Extended check (P_ORGXX) can be used to check
authorization for personal data INFTY (HR infotypes) This check is not active in
the standard system. The program switch HR: Master data - Extended check (ORGXX)
can be used to add this check in the standard system or set it as an alternative
to UO.P_ORGIN HR: master data . The main switch settings can be processed using
transaction HR: Authorization switch (OOAC)
Field Details:
Administrator for the person being processed (stored in the
organizational assignment infotype)
SACHA Payroll administrator
SACHZ Time data administrator
SACHP HR master data administrator
SBMOD Administrator group
View of data:
INFTY Infotype
SUBTY Subtype
AUTHC_D Authorization level (write, read, write with lock indicator, unlock).
Object: P_PCLX HR: Clusters
Fields: RELID Area identifier for cluster in tables PCLx
AUTHC Authorization level
Definition:
This object is used in the authorization check when accessing PCLx (x = 1, 2,
3,4) HR files using the PCLx buffer (interface supported by HR).
Field Details:
Cluster ID: enter the cluster name in this field. Authorization level: in this
field you must specify the operation to be carried out on the cluster along with
the cluster ID specified above.
The values which can be entered here are R (read), U (update database) and S
(export data to PCLx buffer without database update).
|