Sunday, June 9, 2013

HR Security - Authorization objects

Authorization objects related to master data

a) HR Master Data Authorizations: P_ORGIN
The Authorization Object P_ORGIN (HR: Master Data) is used
during the authorization check on HR infotypes. The checks take
place when HR infotypes are edited or read. The system queries
the contents of the fields during the authorization check.
The authorization level field specifies the access mode. The following authorization levels exist:
· R (read) for read access
· M (matchcode) for read access using input help (F4)
· W (write) for write access
· E and D (enqueue and dequeue) for write access using the Asymmetrical Double Verification Principle. E allows the user to create and change locked data records and D allows the user to change lock indicators.
· S (symmetrical) for write access using the Symmetric Double Verification Principle
· * always includes all other authorization levels simultaneously
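
The authorization levels above matter for role review: a user who ends up with both E and D (or with W or *) for an infotype no longer needs a second person to get unlocked data into it. The following audit sketch is an added example, not part of the original post or of SAP's own code; the users, roles, grant rows and the choice of protected infotypes are constructed. It assumes that "*" in the infotype field means all infotypes, and it looks at P_ORGIN only.

```python
from collections import defaultdict

# Levels listed above; the "*" level includes all of them.
ALL_LEVELS = {"R", "M", "W", "E", "D", "S"}

# Constructed sample rows: (user, role, object, infotype, authorization level).
# Users, role names and grants are invented for this example.
GRANTS = [
    ("ALICE", "Z_HR_CLERK",    "P_ORGIN", "0008", "E"),
    ("ALICE", "Z_HR_DISPLAY",  "P_ORGIN", "*",    "R"),
    ("BOB",   "Z_HR_APPROVER", "P_ORGIN", "0008", "D"),
    ("CAROL", "Z_HR_CLERK",    "P_ORGIN", "0008", "E"),
    ("CAROL", "Z_HR_APPROVER", "P_ORGIN", "0008", "D"),
    ("DAVE",  "Z_HR_ADMIN",    "P_ORGIN", "0008", "*"),
    ("ERIN",  "Z_HR_CLERK",    "P_ORGIN", "0014", "E"),
    ("ERIN",  "Z_HR_UNLOCK",   "P_ORGIN", "*",    "D"),
    ("FRANK", "Z_HR_CLERK",    "P_ORGIN", "0008", "S"),
]


def effective_levels(grants, infotype):
    """Per user, the set of P_ORGIN levels that apply to one infotype."""
    levels = defaultdict(set)
    for user, _role, obj, infty, level in grants:
        # Assumption: "*" in the infotype field covers every infotype.
        if obj != "P_ORGIN" or infty not in (infotype, "*"):
            continue
        levels[user] |= ALL_LEVELS if level == "*" else {level}
    return levels


def single_user_write_paths(grants, protected_infotypes):
    """Users who can write unlocked data to a protected infotype alone."""
    findings = {}
    for infotype in protected_infotypes:
        for user, levels in effective_levels(grants, infotype).items():
            if "W" in levels:
                # Plain write access needs no second person at all.
                findings[(user, infotype)] = "plain write access (W or *)"
            elif {"E", "D"} <= levels:
                # Both halves of the asymmetrical principle in one user.
                findings[(user, infotype)] = "holds both E and D"
    return findings


if __name__ == "__main__":
    results = single_user_write_paths(GRANTS, ["0008", "0014"])
    for (user, infotype), reason in sorted(results.items()):
        print(f"{user} infotype {infotype}: {reason}")
```

Note that ERIN is only caught because the roles are combined per user: neither of her two roles is a problem on its own.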

b) HR: Master Data - Extended Check: P_ORGXX
The object HR: Master Data - Extended Check is used
during the authorization check on HR infotypes. The
checks take place when HR infotypes are edited or
read.
The fields SACHA, SACHP, SACHZ and SBMOD are filled from the Organizational Assignment infotype
(0001). Since this infotype has time-dependent specifications, an authorization may only exist for certain
time intervals depending on the user’s authorization. A user’s period of responsibility is represented by
all the time intervals for which he or she has P_ORGXX authorizations.
In the administrator group, all administrators who are responsible for an organizational area in
Personnel Administration or in Applicant Management are grouped together.
In the standard system, the check of this object is not active. The main authorization switch (transaction
OOAC) can be used to determine whether this check is to be carried out in addition to or instead of the
HR: Master Data check.
If the additional check is activated, an authorization check according to P_ORGIN takes place first. If the
result of this check is positive, a further check based on P_ORGXX is performed.

c) Personnel Number Check: P_PERNR
The Authorization Object HR: Master Data - Personnel
Number Check is used when you want to assign users
different authorizations for accessing their own
personnel number. If this check is active and the user
is assigned a personnel number in the system, it can
directly override all other checks with the exception of
the test procedures.
The following values are possible for the PSIGN field:
· I = Authorization for personnel number assigned, that is, for the user’s own personnel number.
· E = Authorization for all personnel numbers excluding one’s own personnel number.
This check does not take place if the user has not been assigned a personnel number, or if the user
accesses a personnel number other than his or her own. In other words, this check is completely
irrelevant for personnel numbers that are not assigned to the user.

d) HR: Applicants: P_APPL
The object HR: Applicants is used during the
authorization check on HR applicant infotypes. The
checks take place when these infotypes are edited or
read.
The PERSA, APGRP, APTYP, VDSK1 and RESRF fields are filled from the Organizational Assignment
infotype (0001). Since this infotype has time-dependent specifications, an authorization may only exist
for certain time intervals depending on the user’s authorization.

e) Personnel Planning Authorization: PLOG
This authorization object is used to check the
authorization for specific fields in the Personnel
Planning components (Organizational
Management, Personnel Development, Training and
Event Management, and so on).
· Plan version: This field specifies which plan versions the user is authorized to access.
· Object type: This field specifies which object types the user is authorized to access.
· Infotype: This field specifies which infotypes the user is authorized to access.
· Subtype: This field specifies which subtypes of the infotypes the user is authorized to access.
· Planning Status: This field specifies the planning status in which the user is authorized to access
information.
· Function Code: This field specifies the editing mode for which the user has authorization
(display, change, and so on).

f) HR: Transaction Code: P_TCODE
This authorization object makes it possible to check whether a user is authorized to start the different HR
transactions. The transaction code is checked. Note that this object is not used in all HR transactions. We
distinguish between:
· HR transactions with a natural (their own) authorization object
· HR transactions without a natural (their own) authorization object
This authorization object contains the HR transaction codes without their own authorization object.
The P_TCODE authorization object is the HR equivalent of the Check Transaction Code at Start of
Transaction authorization object (S_TCODE). The P_TCODE authorization object was implemented
before the S_TCODE authorization object. Given the increased need to protect data in HR, it was
retained as an additional protection measure.

Authorization objects related to Payroll

a) The Personnel Control Record: P_PCR
This authorization object is used by the authorization check for
the payroll control record. This check takes place when the
control record is displayed using transaction PA03, or when the
control record is maintained.
The check also takes place in particular during maintenance using the payroll menu.
Specifications for the activity field:
· 01 – Add or Create
· 02 – Change
· 03 – Display
· 06 – Delete

b) Posting Results to Accounting: P_PYEVRUN
This authorization object is used to
control the actions possible for posting
runs.
The following entries are possible in the run type field:
· AP Posting tax/SI Austria
· PP Payroll posting
· TP Posting Third-Party Remittance
· TR Travel Expenses Posting
· ZA Payroll Evaluation South Africa
Specifications for the activity field:
· 01 – Add or Create
· 03 – Display
· 06 – Delete
· 10 – Post
· 85 – Reverse

Specifications for the simulation indicator field:
· X – Simulation Run
· “_” – Live Run

c) HR: Posting Document: P_PYEVDOC
This authorization object is used to
protect actions on posting documents.
Specifications for the activity field:
· 03 – Display
· 10 – Post
· 28 – Display Line Item
· 43 – Release




