SAP HR Security
Introduction
HR security is indirect, position-based security, unlike the direct, user-based security used elsewhere in SAP ECC. In HR, roles and authorizations are assigned to HR objects rather than directly to the user.
1. INFOTYPE
An Infotype is used to store personal data about an employee. Each Infotype is identified by a four-digit code and a name. Example: Infotype 0002 (Personal Data) contains employee personal data such as name, date of birth and marital status. SAP has predefined number ranges for Infotypes.
2. SUBTYPES
An Infotype can be further divided into groups called subtypes. For example, the Address Infotype (0006) can be divided into the subtypes Permanent Residence and Emergency Address.
3. HR Objects
Organizational Management is based on the use of objects and relationships. Object types are used to represent the different elements of a company:
Organizational Unit (O)
Job (C)
Position (S)
Person (P)
Cost Center (K)
4. Relationship
Relationships define how objects are mapped to each other in the org structure. Every relationship has a top-down version (starting with A) and a bottom-up version (starting with B). A relationship is a three-digit code, and SAP delivers the valid relationship numbers between the object types. To maintain a relationship,
Position relationships:
Position reports to another Position (A002)
Position is a line supervisor of another Position (B002)
Position is held by a Person (A008)
Similarly:
Is described by (B007)
Manages (A012)
Is managed by (B012)
5. ENTERPRISE STRUCTURE
COMPANY CODE
The highest level of the company structure, for which a complete set of accounts such as the Balance Sheet and the Profit & Loss Statement can be drawn up.
PERSONNEL AREA
Represents a subdivision of the company code, classified by geographical location or by function of the enterprise. All Personnel Areas must therefore be assigned to the same country grouping.
PERSONNEL SUBAREA
Represents a subdivision of a Personnel Area. Control features of the enterprise structure such as pay scale, wage type structure and work schedule planning are controlled at Personnel Subarea level.
6. Personnel Structure
i. EMPLOYEE GROUP
A general classification of employees. For example: Active, Retiree, External. Can be
used as an entity in authorization checks.
Authorization Objects
P_ORGIN: The object HR: Master Data (P_ORGIN) is used for authorization checks on personal data. The checks are performed only when HR infotypes are read or edited.
P_ORGINCON: This authorization object consists of the same fields as P_ORGIN and additionally includes the PROFL field (structural profile). A check using this object allows customer-specific contexts to be mapped in HR Master Data.
P_PERNR: The object HR: Master Data - Personnel Number Check (P_PERNR) can be used to check authorization for personal data (HR infotypes).
This check is not active in the standard system; it is activated by setting the authorization switch HR: Master Data - Personnel Number Check (P_PERNR) to 1. Authorization switches are maintained with the HR: Authorization Switch transaction (OOAC). This check is only relevant for the personnel number assigned to the user.
PLOG: The object HR: Personnel Planning (PLOG) is used for authorization checks on PD (Personnel Planning and Development) data, i.e. Organizational Management objects and their infotypes.
OVERVIEW
The SAP HCM module can be used to help security administrators control access, for both HR and non-HR modules.
Roles or authorization profiles (standard and PD/structural) are attached to positions or other objects in the organizational structure.
The person who holds the position inherits the access provided by those profiles or roles.
Because access follows the position, there is no need to inform Security Administrators of people movements within the organization.
PD Profiles/Structural Authorizations only apply to HR security.
HR Reports
Program RHAUTUPD_NEW
Creates role assignments (direct and indirect) for users by evaluating where a person ‘sits’ within the organizational structure. It can be used for both HR and non-HR modules.
Update Direct Role Assignments: roles assigned directly to user master records via PFCG.
Update Indirect Role Assignments: roles assigned to HR objects such as:
• Positions (S)
• Work Centers (A)
• Jobs (C)
• Persons (P)
• Organizational Units (O)
• User Master Record (US)
It can be executed online via transaction PFUD or by scheduling program PFCG_TIME_DEPENDENCY.
Program RHPROFL0
This program creates structural authorization profiles (PD profiles) for users by evaluating where a person ‘sits’ within the organizational structure:
• It analyses all the object holders in the HCM organizational structure.
• For each holder, the PD profiles (stored in Infotype 1017) are read for each corresponding object type (job, position, etc.).
• It then generates the corresponding profile assignments for the user assigned to the Personnel Number in Infotype 0105, subtype 0001.
The program creates a batch job, which needs to be activated to complete the process.
Structural Authorization
As the name suggests, structural authorization is used to restrict access to certain OM objects such as org units, jobs, tasks, etc. In combination with the authorization objects for PA master data, it can restrict access to a certain set of persons in the enterprise. A person’s total authorization is the result of the interaction between their general authorizations (through roles) and their structural authorizations (through PD profiles). PD profiles are defined with transaction OOSP and can be assigned to a user directly with OOSB, or indirectly to the user’s position using Infotype 1017.
PD profiles are of two types:
Dynamic, using HR function modules:
RH_GET_MANAGER_ASSIGNMENT (Determine organizational units for manager): this function module finds the root Organizational Unit to which the user is related via their position and the relationship A012 (manages).
RH_GET_ORG_ASSIGNMENT (Organizational assignment): this function module finds the root Organizational Unit to which the user is organizationally assigned.
Static, using the HR Object ID directly.
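The interaction between general and structural authorizations described above, together with the root-org-unit lookup that RH_GET_MANAGER_ASSIGNMENT performs, as an added Python model that is not from the page and not SAP code; the object IDs, the relationship rows, and the use of B003 (org unit incorporates position, a relationship not listed on the page) are constructed assumptions.

```python
# Added example, not from the page: a small model of how a user's effective
# HR master-data access results from the interaction of general (role-based,
# P_ORGIN-style) and structural (PD profile) authorizations. Constructed data.

# Relationship records: (object type, object ID, relationship, target type, target ID)
# A012 = manages, A008 = position is held by person, B002 = is line supervisor of
# (used here between org units), B003 = org unit incorporates position (assumed).
RELATIONS = [
    ("S", "50000100", "A012", "O", "10000100"),  # manager position manages org unit 10000100
    ("S", "50000100", "A008", "P", "00001001"),  # manager position held by person 1001
    ("O", "10000100", "B003", "S", "50000100"),
    ("O", "10000100", "B002", "O", "10000200"),  # org unit hierarchy below the root
    ("O", "10000200", "B003", "S", "50000200"),
    ("S", "50000200", "A008", "P", "00001002"),
    ("O", "10000200", "B002", "O", "10000300"),
    ("O", "10000300", "B003", "S", "50000300"),
    ("S", "50000300", "A008", "P", "00001003"),
    ("O", "10000900", "B003", "S", "50000900"),  # unrelated org unit, outside the scope
    ("S", "50000900", "A008", "P", "00001009"),
]

def targets(otype, oid, rel, ttype):
    """All target IDs of type ttype linked to (otype, oid) by relationship rel."""
    return [t for (a, b, r, c, t) in RELATIONS if (a, b, r, c) == (otype, oid, rel, ttype)]

def manager_root_org_unit(pernr):
    """Analogue of RH_GET_MANAGER_ASSIGNMENT: org unit managed (A012) via a position the person holds (A008)."""
    for (st, sid, r, pt, pid) in RELATIONS:
        if st == "S" and r == "A008" and pid == pernr:
            roots = targets("S", sid, "A012", "O")
            if roots:
                return roots[0]
    return None  # not a manager: no dynamic profile can be derived

def structural_scope(root_ou):
    """Persons reachable by walking the org tree down from root_ou, i.e. the
    personnel numbers a dynamic PD profile rooted there would cover."""
    persons, stack = set(), [root_ou]
    while stack:
        ou = stack.pop()
        stack.extend(targets("O", ou, "B002", "O"))
        for pos in targets("O", ou, "B003", "S"):
            persons.update(targets("S", pos, "A008", "P"))
    return persons

def effective_access(user_pernr, general_infotypes, infty, target_pernr):
    """Total authorization = general authorization (infotype granted through
    roles) AND structural authorization (target person inside the PD profile)."""
    root = manager_root_org_unit(user_pernr)
    in_scope = root is not None and target_pernr in structural_scope(root)
    return infty in general_infotypes and in_scope
```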
Basic Approach
Audit Requirements
1. The PD profile “ALL” should not be assigned to any user, as it gives access to all HR objects (*).
2. The P_PERNR object should be used carefully. By default, the authorization switch for this object is inactive.
3. Critical infotypes such as Salary (0008) and HR reports for time data should be restricted.
Troubleshooting Techniques:
Use of ST01 [System Trace] Tool
This is the most reliable method for identifying the missing HR object authorizations required to execute HR transactions.
When analyzing HR authorization traces in ST01, it is useful to note that HR authority checks tend to be processed in a “maximum” to “minimum” manner.
For example, HR structural authority checks against P_ORGINCON [HR: Master Data with Context] generally progress as follows:
1. Check for the “*” value in the PROFL field.
2. Check for the “ALL” value in the PROFL field.
3. Check for <the specific PD profile name associated with the affected Organizational Unit(s)> in the PROFL field.
The user has failed the authority check for P_ORGINCON only if all three of the above checks fail in succession for the same combination of values in the other P_ORGINCON fields.
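The three-step PROFL check order described for ST01 traces, together with audit requirement 1 (no user should hold PD profile “ALL”), as an added Python example that is neither SAP code nor the page's own; the P_ORGINCON field subset, the authorization rows and the OOSB-style assignment rows are constructed sample data.

```python
# Added example, not from the page: simulates the "maximum to minimum" order in
# which a P_ORGINCON check tests the PROFL field (as seen in an ST01 trace) and
# audits user-to-PD-profile assignments for the "ALL" profile. Field subset,
# authorization rows and assignment rows are constructed sample data.
from datetime import date

def profl_check(user_profl_values, required_profile):
    """Return the step that passed ('*', 'ALL' or the specific profile), else None."""
    for candidate in ("*", "ALL", required_profile):
        if candidate in user_profl_values:
            return candidate
    return None

def p_orgincon_check(user_auths, infty, subty, authc, persa, profile):
    """user_auths: list of dicts holding a subset of P_ORGINCON fields. A row
    matches when INFTY/SUBTY/AUTHC/PERSA match ('*' is a wildcard) and the PROFL
    values pass profl_check; the first passing step is returned, else None."""
    def field_ok(granted, required):
        return granted == "*" or granted == required
    wanted = (("INFTY", infty), ("SUBTY", subty), ("AUTHC", authc), ("PERSA", persa))
    for row in user_auths:
        if all(field_ok(row[f], v) for f, v in wanted):
            hit = profl_check(row["PROFL"], profile)
            if hit is not None:
                return hit
    return None

# Constructed authorization rows as they might be granted through a manager's roles
MANAGER_AUTHS = [
    {"INFTY": "0002", "SUBTY": "*", "AUTHC": "R", "PERSA": "*", "PROFL": {"MANAGER"}},
    {"INFTY": "0008", "SUBTY": "*", "AUTHC": "R", "PERSA": "1000", "PROFL": {"MANAGER"}},
]

# Constructed user-to-PD-profile assignments (user, profile, valid from, valid to),
# the kind of data maintained with transaction OOSB
ASSIGNMENTS = [
    ("HRADMIN1", "ALL", date(2020, 1, 1), date(9999, 12, 31)),
    ("MANAGER1", "MANAGER", date(2020, 1, 1), date(9999, 12, 31)),
    ("TEMPUSER", "ALL", date(2019, 1, 1), date(2019, 12, 31)),  # expired assignment
]

def users_with_all_profile(assignments, key_date=date(2024, 6, 1)):
    """Audit requirement 1: users holding the 'ALL' PD profile on key_date (constructed default)."""
    return sorted({u for u, p, b, e in assignments if p == "ALL" and b <= key_date <= e})
```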
Useful Resources
https://help.sap.com/viewer/product/ERP_HCM/EHP8_HRSP_73/en-US
https://www.tutorialspoint.com/sap_hr/