HR Security Goal:
In Human Resources, authorizations play a significant role because access to HR data must be strictly controlled. Our goal is therefore to restrict access to this sensitive HR data by means of authorizations.
HR /HCM Components
HR/HCM
HR Data
Master data in SAP HR is held in info types
0000-0999 - Personnel Administration
1000-1999 - Organizational Mgmt info types
2000-2999 - Time Mgmt info types
Example
We are delighted to offer you the position (IT 0001) of ______. You will belong to ______ department (IT 0001). Your joining date will be ______ (IT 0000) and you will be paid a salary of ______ (IT 0008). You will be paid monthly allowances ______ (IT 0008 or IT 0014) and we are also offering you a joining bonus of ______ (IT 0015).
HR Authorizations
Authorization Levels: Create data (in SAP HR we do this by creating new records)
HR Authorization Objects
P_ORGIN HR: Master Data
Definition: The object HR: Master Data (P_ORGIN) is used for authorization checks of personal data. Checks are performed only when HR info types are edited or read.
Fields:
INFTY - Info type
SUBTY - Subtype
AUTHC - Authorization level
PERSA - Personnel Area
PERSG - Employee Group
PERSK - Employee Subgroup
VDSK1 - Organizational Key
HR Authorization Objects
P_PERNR HR: Personnel No. Check
Definition: This object is used when you want to assign users different authorizations for accessing personnel numbers.
Fields:
AUTHC - Authorization level
PSIGN - Interpretation of assigned personnel no.
INFTY - Info type
SUBTY - Subtype
HR Authorization Objects
P_APPL HR: Applicants
Definition:
This object is used when a personnel officer in a company requires authorization to edit applicant data.
Fields:
INFTY - Info type
SUBTY - Subtype
AUTHC - Authorization level
PERSA - Personnel Area
APGRP - Applicant group
APTYP - Applicant range
VDSK1 - Organizational Key
RESRF - Personnel officer responsible for application
HR Authorization Objects
P_PERNR Definition:
The P_PERNR authorization object is delivered in SAP HR (HCM) to enable Employee Self Service. Using this object, you can configure authorizations that allow users to update their own data without giving them access to update other users' data.
Fields:
AUTHC - Authorization Level
PSIGN - Interpretation of Assigned Authorization (I)
INFTY - Info type
SUBTY - Subtype
HR Authorization Objects
P_TRAVL: Authorization object Travel Expenses
Definition:
This authorization object is used for submission/approval of timesheets and reimbursements.
Fields:
AUTHF - HR-TRIP: Operation and Status old
AUTHP - HR-TRIP: Personnel number check
AUTHS - HR-TRIP: Status new when trip is saved
BUKRS - Company code
KOSTL - Cost center
PERSA - Personnel area
PERSG - Employee group
PERSK - Employee subgroup
PTZUO - Employee grouping for Travel Management
VDSK1 - Organizational key
HR Authorization Objects
AUTHF fields explained in detail
Characteristics for 1st position - Result
R - Read trip data
W - Write trip data (Create, change, copy)
D - Delete trip data
X - Settle trip data
S - Analyze statistics database

Characteristics for 2nd position - Result
Blank - New trip
1 - Request
2 - Request approved
3 - Trip data
4 - Trip approved
5 - Request on hold
6 - Trip on hold
* - All statuses

Result
New trip
Open
To be settled
Settled
Canceled
Posted (FI, payroll or DME)
All statuses

Read an approved trip that is to be settled
Create a new trip
Change an approved request that is settled
Delete a request
Settle an approved trip that is to be settled
HR Authorization Objects
AUTHP explained in detail
In the field AUTHP, the value for the personnel number check must be defined.
Value
Meaning
To restrict access to personnel data in certain substructures of an organizational unit.
Providing authorization for various levels.
Example
An organizational structure divides into three sub trees (organizational units O2, O3, and O4).
A user needs three profiles for this organizational structure that allow him or her to read/change data in O3, O2 or O4 AND in all lower-level organizational units.
If you were to use the general authorization concept (values in fields) here, you would have to enter all objects under the initial object in every authorization profile.
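The difference between entering every object in a profile and storing only the initial object can be seen in a simplified model. This is an added example, not SAP code or part of the original slides; the unit names below O2, O3 and O4, the root O1, and all function names are constructed for illustration.

```python
# Constructed org structure (parent -> children). O2, O3 and O4 are the three
# sub trees from the slide; O1 and all units below them are invented here.
ORG_TREE = {
    "O1": ["O2", "O3", "O4"],
    "O2": ["O21", "O22"],
    "O3": ["O31"],
    "O31": ["O311", "O312"],
    "O4": [],
}

def units_below(tree, root):
    """Return root plus every lower-level unit, walking the tree as it is now."""
    seen, stack = set(), [root]
    while stack:
        unit = stack.pop()
        if unit in seen:          # tolerate a cyclic maintenance error
            continue
        seen.add(unit)
        stack.extend(tree.get(unit, []))
    return seen

def enumerated_profile(tree, root):
    """Field-value style: every unit is entered when the profile is built."""
    return frozenset(units_below(tree, root))

def root_profile(root):
    """Root-object style: only the initial object is stored."""
    return {"root": root}

def may_access(profile, unit, tree):
    """Decide access to `unit` under either profile style."""
    if isinstance(profile, frozenset):
        return unit in profile
    return unit in units_below(tree, profile["root"])

def reorg_demo():
    """Build both O3 profiles, then add unit O313 under O31 and re-check."""
    tree = {parent: list(children) for parent, children in ORG_TREE.items()}
    static, dynamic = enumerated_profile(tree, "O3"), root_profile("O3")
    tree["O31"].append("O313")    # reorganization after the profiles exist
    return {
        "static_entries": len(static),
        "static_sees_new_unit": may_access(static, "O313", tree),
        "dynamic_sees_new_unit": may_access(dynamic, "O313", tree),
        "dynamic_sees_O2_unit": may_access(dynamic, "O21", tree),
    }

if __name__ == "__main__":
    print(reorg_demo())
```

The enumerated profile goes stale as soon as the structure changes and must be maintained by hand, while the root-based profile follows the reorganization and still stays confined to its own sub tree.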
Thank You
www.tcs.com