
Authorization objects in HR Security


Authorization objects related to master data

Below you will find an overview of important authorization objects within SAP HR:

  1. P_ORGIN
  2. P_ORGXX
  3. P_PERNR
  4. P_APPL
  5. PLOG
  6. P_TCODE
  7. P_PCR
  8. P_PYEVRUN
  9. P_PYEVDOC

a) HR Master Data Authorizations: P_ORGIN
The authorization object P_ORGIN (HR: Master Data) is used during the authorization check on HR infotypes. The checks take place when HR infotypes are edited or read. The system queries the contents of the fields during the authorization check.
The authorization level field specifies the access mode. The following authorization levels exist:
· R (read) for read access
· M (matchcode) for read access using input help (F4)
· W (write) for write access
· E and D (enqueue and dequeue) for write access using the asymmetrical double verification principle. E allows the user to create and change locked data records, and D allows the user to change lock indicators.
· S (symmetrical) for write access using the symmetrical double verification principle
· * (all) always includes all other authorization levels simultaneously

b) HR: Master Data - Extended Check: P_ORGXX
The object HR: Master Data - Extended Check (P_ORGXX) is used during the authorization check on HR infotypes. The checks take place when HR infotypes are edited or read.
The fields SACHA, SACHP, SACHZ and SBMOD are filled from the Organizational Assignment infotype (0001). Since this infotype has time-dependent specifications, an authorization may only exist for certain time intervals, depending on the user’s authorization. A user’s period of responsibility is represented by all the time intervals for which he or she has P_ORGXX authorizations.
An administrator group comprises all administrators who are responsible for an organizational area in Personnel Administration or in Applicant Management.
In the standard system, the check of this object is not active. The main authorization switch (transaction OOAC) determines whether this check is carried out in addition to, or instead of, the HR: Master Data (P_ORGIN) check.
If the additional check is activated, an authorization check according to P_ORGIN takes place first. Only if the result of this check is positive is a further check based on P_ORGXX performed.

c) Personnel Number Check: P_PERNR
The authorization object HR: Master Data - Personnel Number Check (P_PERNR) is used when you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks, with the exception of the test procedures.
The following values are possible for the PSIGN field:
· I = Authorization for the assigned personnel number, that is, for the user’s own personnel number.
· E = Authorization for all personnel numbers excluding the user’s own personnel number.
This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
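The interplay of the three checks above (P_ORGIN first, P_ORGXX in addition or instead, P_PERNR overriding both for the user's own personnel number, and the time-dependent period of responsibility) is easiest to see as a small decision model. The following Python is an added example written for this page, not SAP code and not the author's: the `Switches`, `User`, `check_master_data` and `period_of_responsibility` names, the dictionary data model and every sample record are constructed assumptions. SAP performs the real checks in the ABAP kernel (AUTHORITY-CHECK) and reads the main authorization switches from transaction OOAC.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the P_ORGIN / P_ORGXX / P_PERNR check sequence.
# Not SAP's implementation; names and sample data are assumptions.

# Fields of infotype 0001 (Organizational Assignment) consulted by each object.
ORGIN_FIELDS = ("PERSA", "PERSG", "PERSK", "VDSK1")
ORGXX_FIELDS = ("SACHA", "SACHP", "SACHZ", "SBMOD")


@dataclass
class Switches:
    """Main authorization switches, modelled after transaction OOAC."""
    orgin: bool = True     # HR: Master Data check (P_ORGIN)
    orgxx: bool = False    # Extended check (P_ORGXX), inactive in the standard system
    pernr: bool = False    # Personnel number check (P_PERNR)


@dataclass
class User:
    name: str
    pernr: Optional[str]                         # own personnel number, if assigned
    auths: dict = field(default_factory=dict)    # object -> list of value lines


def value_ok(pattern: str, actual: str) -> bool:
    # PFCG semantics, simplified: '*' covers every value, otherwise exact match.
    return pattern == "*" or pattern == actual


def has_auth(user: User, obj: str, needed: dict) -> bool:
    """True if one authorization line for obj covers every requested field value."""
    return any(all(value_ok(line.get(f, ""), v) for f, v in needed.items())
               for line in user.auths.get(obj, []))


def check_master_data(user, pernr, org, infty, subty, authc, sw):
    """Decide access to one infotype record of personnel number pernr.

    org is the employee's Organizational Assignment (infotype 0001) record
    valid on that date; returns (allowed, reason).
    """
    base = {"INFTY": infty, "SUBTY": subty, "AUTHC": authc}
    # P_PERNR is only relevant when the user accesses his or her own personnel
    # number. An E line (exclude own number) is taken to win over an I line;
    # if neither covers the case, the ordinary checks apply (assumption).
    if sw.pernr and user.pernr is not None and user.pernr == pernr:
        if has_auth(user, "P_PERNR", {**base, "PSIGN": "E"}):
            return False, "P_PERNR E: own personnel number excluded"
        if has_auth(user, "P_PERNR", {**base, "PSIGN": "I"}):
            return True, "P_PERNR I: own personnel number granted"
    # P_ORGIN first (if active); P_ORGXX then runs in addition to it, or
    # instead of it when the ORGIN switch is off.
    if sw.orgin and not has_auth(user, "P_ORGIN",
                                 {**base, **{f: org[f] for f in ORGIN_FIELDS}}):
        return False, "P_ORGIN failed"
    if sw.orgxx and not has_auth(user, "P_ORGXX",
                                 {**base, **{f: org[f] for f in ORGXX_FIELDS}}):
        return False, "P_ORGXX failed"
    return True, "granted"


def period_of_responsibility(user, org_history):
    """Intervals of an employee's infotype 0001 history in which the user holds
    a P_ORGXX line matching the administrator fields of that record."""
    return [(rec["BEGDA"], rec["ENDDA"]) for rec in org_history
            if has_auth(user, "P_ORGXX", {f: rec[f] for f in ORGXX_FIELDS})]


# Constructed sample: an administrator with read access to personnel area 1000,
# extended-check rights only for administrator group (SBMOD) 001, and a P_PERNR
# line that excludes reading Basic Pay (infotype 0008) on his own number.
ADMIN = User("ADM1", pernr="00001001", auths={
    "P_ORGIN": [{"INFTY": "*", "SUBTY": "*", "AUTHC": "R",
                 "PERSA": "1000", "PERSG": "*", "PERSK": "*", "VDSK1": "*"}],
    "P_ORGXX": [{"INFTY": "*", "SUBTY": "*", "AUTHC": "R",
                 "SACHA": "*", "SACHP": "*", "SACHZ": "*", "SBMOD": "001"}],
    "P_PERNR": [{"INFTY": "0008", "SUBTY": "*", "AUTHC": "R", "PSIGN": "E"}],
})
ORG_GROUP_001 = {"PERSA": "1000", "PERSG": "1", "PERSK": "DT", "VDSK1": "",
                 "SACHA": "A01", "SACHP": "A01", "SACHZ": "A01", "SBMOD": "001"}
ORG_GROUP_002 = {**ORG_GROUP_001, "SBMOD": "002"}

if __name__ == "__main__":
    print(check_master_data(ADMIN, "00002000", ORG_GROUP_002, "0008", "", "R", Switches()))
    print(check_master_data(ADMIN, "00002000", ORG_GROUP_002, "0008", "", "R", Switches(orgxx=True)))
    print(check_master_data(ADMIN, "00001001", ORG_GROUP_001, "0008", "", "R", Switches(pernr=True)))
```

With the standard switches the administrator reads Basic Pay of an employee in administrator group 002 because only P_ORGIN is consulted; activating the additional check makes the same read fail on P_ORGXX, and activating the personnel number check makes the read of his own Basic Pay fail on the E line even though P_ORGIN would allow it.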

d) HR: Applicants: P_APPL
The object HR: Applicants is used during the authorization check on HR applicant infotypes. The checks take place when these infotypes are edited or read.
The PERSA, APGRP, APTYP, VDSK1 and RESRF fields are filled from the Organizational Assignment infotype (0001). Since this infotype has time-dependent specifications, an authorization may only exist for certain time intervals, depending on the user’s authorization.

e) Personnel Planning Authorization: PLOG
This authorization object is used to check the authorization for specific fields in the Personnel Planning components (Organizational Management, Personnel Development, Training and Event Management, and so on).
· Plan version: This field specifies which plan versions the user is authorized to access.
· Object type: This field specifies which object types the user is authorized to access.
· Infotype: This field specifies which infotypes the user is authorized to access.
· Subtype: This field specifies which subtypes of the infotypes the user is authorized to access.
· Planning status: This field specifies the planning status in which the user is authorized to access information.
· Function code: This field specifies the editing mode for which the user has authorization (display, change, and so on).

f) HR: Transaction Code: P_TCODE
This authorization object is used to check whether a user is authorized to start the various HR transactions; the transaction code is checked. Note that this object is not used in all HR transactions. We distinguish between:
· HR transactions with a natural (their own) authorization object
· HR transactions without a natural (their own) authorization object
This authorization object covers the HR transaction codes without their own authorization object.
The P_TCODE authorization object is the HR equivalent of the Check Transaction Code at Start of Transaction authorization object (S_TCODE). P_TCODE was implemented before S_TCODE. Given the increased need to protect data in HR, it was retained as an additional protection measure.

Authorization objects related to Payroll

a) The Personnel Control Record: P_PCR
This authorization object is used by the authorization check for the payroll control record. This check takes place when the control record is displayed using transaction PA03, or when the control record is maintained. The check also takes place, in particular, during maintenance via the payroll menu.
Possible values of the activity field:
· 01 – Add or Create
· 02 – Change
· 03 – Display
· 06 – Delete

b) Posting Results to Accounting: P_PYEVRUN
This authorization object is used to control the actions possible for posting runs.
Possible values of the run type field:
· AP Posting tax/SI Austria
· PP Payroll posting
· TP Posting Third-Party Remittance
· TR Travel Expenses Posting
· ZA Payroll Evaluation South Africa
Possible values of the activity field:
· 01 – Add or Create
· 03 – Display
· 06 – Delete
· 10 – Post
· 85 – Reverse

Possible values of the simulation indicator field:
· X – Simulation Run
· “_” – Live Run

c) HR: Posting Document: P_PYEVDOC
This authorization object is used to protect actions on posting documents.
Possible values of the activity field:
· 03 – Display
· 10 – Post
· 28 – Display Line Item
· 43 – Release

Priya Ranjan Singh has been working as an SAP Security Consultant since 2010. He has worked with Wipro Technologies and Accenture in the past and currently works with Ernst & Young.

2 thoughts on “Authorization objects in HR Security”


By Paul Ragnauth on 19 March 2015 at 16:31

What about the object P_abap?
------------------------------
Because the process of checking read authorizations for master data uses a lot of computing time, especially in the running of reports, you are provided with the P_ABAP authorization object (HR: Reporting). This enables you to restrict or completely deactivate the check for certain reports.
The object does not replace the basic authorization required to start a report. Rather, P_ABAP simplifies and speeds up the process of checking the reported data. If you assign full authorization for this object, a user will be able to view all the HR master data in the associated reports, even if he does not have authorization for the relevant infotypes and personnel numbers.
The P_ABAP authorization object has an effect only in reports that use the personnel administration logical database (PNP). Exceptions are the reports of the payment medium programs for financial accounting and evaluation of logged changes in the infotype data. Here, the P_ABAP authorization object is active, although the PNP logical database is not used.

The following fields are checked:
>> ABAP Program Name
Report(s) for which a simplified authorization check is supposed to be run
>> Degree of simplification for an authorization check
1. Infotypes and organizational assignment are checked independently of each other. In other words, users can view all infotypes for all personnel numbers to which they have access. This approach speeds up the authorization check.
2. When the report is run without checks, no checks of HR master data or structural checks are carried out. This approach makes sense for “uncritical” reports, such as a room directory, and for users who already have full read access to HR master data.

Tip to simplify degree 1:
It can be used for report authorizations to infotypes that an administrator is not allowed to see. To do this, you need to assign a non-existing employee subgroup for this infotype in P_ORGIN (or a corresponding master data object) and the simplification degree “1” for this report in P_ABAP. By authorizing the infotype for a non-existing employee subgroup, it is only accessible if it’s read in a report where the authorization check is reduced by means of simplification degree 1.

Cheers!!
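The two simplification degrees in the reply above, and the tip about authorizing an infotype for a non-existent employee subgroup, can be modelled in a few lines. The following Python is an added example written for this page, not SAP code and not the commenter's: the `simplification_degree` and `infotype_readable` helpers, the report names `Z_SALARY_LIST` and `Z_ROOM_DIRECTORY`, and the sample authorization lines are constructed assumptions. SAP evaluates P_ABAP (fields REPID and COARS) inside the PNP logical database; the model below only reproduces the decision logic described in the reply.

```python
# Constructed model of the P_ABAP simplification degrees. Not SAP's
# implementation; helper names, report names and sample data are assumptions.

ORG_FIELDS = ("PERSA", "PERSG", "PERSK", "VDSK1")


def covers(line: dict, needed: dict) -> bool:
    # '*' in an authorization value covers everything, otherwise exact match.
    return all(line.get(f, "") in ("*", v) for f, v in needed.items())


def any_line(lines, needed) -> bool:
    return any(covers(line, needed) for line in lines)


def simplification_degree(p_abap_lines, report: str) -> int:
    """Degree of simplification granted for a report: 0 (none), 1 or 2.
    A COARS value of '*' is treated as the highest degree (assumption)."""
    degrees = [2 if line["COARS"] == "*" else int(line["COARS"])
               for line in p_abap_lines if line["REPID"] in ("*", report)]
    return max(degrees, default=0)


def infotype_readable(p_orgin_lines, p_abap_lines, report, infty, subty, org):
    """Can the user read infotype infty of an employee with organizational
    assignment org when the data is selected by the given report?
    report=None models dialog access (PA20/PA30), where P_ABAP plays no role."""
    degree = simplification_degree(p_abap_lines, report) if report else 0
    if degree >= 2:
        return True            # report runs without any master data check
    base = {"AUTHC": "R"}
    infty_part = {"INFTY": infty, "SUBTY": subty}
    org_part = {f: org[f] for f in ORG_FIELDS}
    if degree == 1:
        # infotype and organizational assignment are checked independently
        return (any_line(p_orgin_lines, {**base, **infty_part})
                and any_line(p_orgin_lines, {**base, **org_part}))
    # full check: a single line must cover infotype and assignment together
    return any_line(p_orgin_lines, {**base, **infty_part, **org_part})


# Constructed sample following the tip: Basic Pay (0008) is authorized only
# for the non-existent employee subgroup 'ZZ', Personal Data (0002) normally.
P_ORGIN = [
    {"INFTY": "0002", "SUBTY": "*", "AUTHC": "R",
     "PERSA": "1000", "PERSG": "*", "PERSK": "*", "VDSK1": "*"},
    {"INFTY": "0008", "SUBTY": "*", "AUTHC": "R",
     "PERSA": "1000", "PERSG": "*", "PERSK": "ZZ", "VDSK1": "*"},
]
P_ABAP = [
    {"REPID": "Z_SALARY_LIST", "COARS": "1"},      # constructed report name
    {"REPID": "Z_ROOM_DIRECTORY", "COARS": "2"},   # constructed report name
]
EMPLOYEE = {"PERSA": "1000", "PERSG": "1", "PERSK": "DT", "VDSK1": ""}

if __name__ == "__main__":
    for report in (None, "Z_SALARY_LIST", "Z_ROOM_DIRECTORY"):
        print(report, infotype_readable(P_ORGIN, P_ABAP, report, "0008", "", EMPLOYEE))
```

In dialog the full check fails for Basic Pay because no single line covers both infotype 0008 and a real employee subgroup; in the degree-1 report the same user passes, because the 0008 line satisfies the infotype part and the 0002 line satisfies the organizational part. With degree 2 nothing is checked at all, which is why the reply reserves it for uncritical reports or users who already hold full read access.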
