
HR Security

HR Security Goal:
In Human Resources, authorizations play a significant role because access to HR data must be strictly controlled. Our goal is therefore to restrict access to this sensitive HR data by means of authorizations.

HR/HCM Components

Organizational Management
Personnel Administration
Payroll Administration
Time Administration
ESS/MSS
E-Recruitment
E-Learning
etc.

HR Data
Master data in SAP HR is held in info types

What are Info types?


Info types, also called information types, are pre-defined templates for entering sensibly related information. An info type is always represented by a 4-digit number.

0000-0999 Personnel Administration
1000-1999 Organizational Mgmt Info type
2000-2999 Time Mgmt Info type
4000-4999 Recruitment related Info type
9000-9999 For Custom Development

Example
We are delighted to offer you the position (IT 0001) of ______. You will belong to ______ department (IT 0001). Your joining date will be ______ (IT 0000) and you will be paid a salary of ______ (IT 0008). You will be paid monthly allowances ______ (IT 0008 or IT 0014) and we are also offering you a joining bonus of ______ (IT 0015).

HR Authorizations
Authorization Levels:

Create data (in SAP HR we do this by creating new records)
View data (by viewing the records created)
Maintain data (by changing/deleting records)

HR Authorization Objects
P_ORGIN HR: Master Data

Definition: The object HR: Master Data (P_ORGIN) is used for authorization checks of personal data. Checks are performed only when HR info types are edited or read.

Fields:
INFTY - Info type
SUBTY - Subtype
AUTHC - Authorization level
PERSA - Personnel Area
PERSG - Employee Group
PERSK - Employee Subgroup
VDSK1 - Organizational Key

P_PERNR HR: Personnel No. Check

Definition: This object is used when you want to assign users different authorizations for accessing personnel numbers.

Fields:
AUTHC - Authorization level
PSIGN - Interpretation of assigned personnel no.
INFTY - Info type
SUBTY - Subtype

P_APPL HR: Applicants

Definition: This object is used when a personnel officer in a company requires authorization to edit applicant data.

Fields:
INFTY - Info type
SUBTY - Subtype
AUTHC - Authorization level
PERSA - Personnel Area
APGRP - Applicant group
APTYP - Applicant range
VDSK1 - Organizational Key
RESRF - Personnel officer responsible for application

P_PERNR

Definition: The P_PERNR authorization object is delivered in SAP HR (HCM) to enable Employee Self Service. Using this object, you can configure authorizations that allow users to update their own data without giving them access to update other users' data.

Fields:
AUTHC - Authorization Level
PSIGN - Interpretation of Assigned Authorization (I)
INFTY - Info type
SUBTY - Subtype

P_TRAVL: Authorization object Travel Expenses

Definition: This authorization object is used for the submission/approval of timesheets and reimbursements.

Fields:
AUTHF - HR-TRIP: Operation and Status old
AUTHP - HR-TRIP: Personnel number check
AUTHS - HR-TRIP: Status new when trip is saved
BUKRS - Company code
KOSTL - Cost center
PERSA - Personnel area
PERSG - Employee group
PERSK - Employee subgroup
PTZUO - Employee grouping for Travel Management
VDSK1 - Organizational key

AUTHF field explained in detail

Characteristics for 1st position - Result
R - Read trip data
W - Write trip data (Create, change, copy)
D - Delete trip data
X - Settle trip data
S - Analyze statistics database

Characteristics for 2nd position - Result
Blank - New trip
1 - Request
2 - Request approved
3 - Trip data
4 - Trip approved
5 - Request on hold
6 - Trip on hold
* - All statuses

Characteristics for 3rd position - Result
Blank - New trip
0 - Open
1 - To be settled
2 - Settled
3 - Canceled
4 - Posted (FI, payroll or DME)
* - All statuses

Examples:
R41 - Read an approved trip that is to be settled
W - Create a new trip
W22 - Change an approved request that is settled
D1* - Delete a request
X41 - Settle an approved trip that is to be settled
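For reviewing roles that carry P_TRAVL, the three position tables above can be turned into a small decoder and matcher. This is an added example, not part of the original slides and not SAP code: the function names are hypothetical, and the matching rule (exact match per position, with * covering any status) is an assumption drawn from the tables.

```python
# Tables transcribed from the slide; " " stands for a blank position.
OPERATIONS = {"R": "Read trip data", "W": "Write trip data (create, change, copy)",
              "D": "Delete trip data", "X": "Settle trip data",
              "S": "Analyze statistics database"}
APPROVAL = {" ": "New trip", "1": "Request", "2": "Request approved",
            "3": "Trip data", "4": "Trip approved", "5": "Request on hold",
            "6": "Trip on hold", "*": "All statuses"}
SETTLEMENT = {" ": "New trip", "0": "Open", "1": "To be settled", "2": "Settled",
              "3": "Canceled", "4": "Posted (FI, payroll or DME)",
              "*": "All statuses"}


def decode_authf(value):
    """Return (operation, 2nd-position status, 3rd-position status) as text."""
    padded = value.ljust(3)  # omitted positions are blank, e.g. "W" -> "W  "
    if len(padded) != 3:
        raise ValueError(f"AUTHF value too long: {value!r}")
    op, second, third = padded
    try:
        return OPERATIONS[op], APPROVAL[second], SETTLEMENT[third]
    except KeyError as exc:
        raise ValueError(f"invalid AUTHF value: {value!r}") from exc


def permits(value, op, second, third):
    """Assumed rule: positions must match exactly unless the value holds '*'."""
    decode_authf(value)  # reject malformed values before matching
    v_op, v_second, v_third = value.ljust(3)
    return v_op == op and v_second in ("*", second) and v_third in ("*", third)


def broad_values(values):
    """Flag values that write, delete or settle trips across all statuses."""
    flagged = []
    for v in values:
        decode_authf(v)
        if v[0] in "WDX" and "*" in v.ljust(3)[1:]:
            flagged.append(v)
    return flagged
```

Running broad_values over the AUTHF values of a role gives a short list of wildcard grants to justify or narrow during an authorization review.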

AUTHP explained in detail

In the field AUTHP, the value for the personnel number check must be defined.

Value

Meaning

Own personnel number only

All personnel numbers except own

All personnel numbers


Structural Authorization Check


Authorization based on organizational elements, business event hierarchies, qualifications, etc.

You can grant authorizations for objects that are stored in a hierarchical structure using the structural authorization check. Access is granted to a user implicitly by the user's position in the organizational plan.

To restrict access to personnel data in certain substructures of an organizational unit.
To provide authorization at various levels.


Example
An organizational structure divides into three subtrees (organizational units O2, O3, and O4).

A user needs three profiles for this organizational structure that allow him or her to read/change data in O3, O2 or O4 AND in all lower-level organizational units.
If you were to use the general authorization concept (values in fields) here, you would have to enter all objects under the initial object in every authorization profile.
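The difference between the two approaches in this example can be modelled as a tree walk. This is an added sketch, not from the original slides and not SAP's implementation: the root O1, the lower-level unit names and all function names are constructed for illustration.

```python
# Constructed org plan (parent -> children). O2, O3 and O4 are the three
# subtrees from the slide; O1 and the lower-level units are made up.
ORG_PLAN = {"O1": ["O2", "O3", "O4"], "O2": ["O21"],
            "O3": ["O31", "O32"], "O31": ["O311"], "O4": []}


def subtree(plan, root):
    """Return root plus every lower-level unit reachable from it."""
    seen, stack = set(), [root]
    while stack:
        unit = stack.pop()
        if unit in seen:  # guards against a cyclic (misconfigured) plan
            continue
        seen.add(unit)
        stack.extend(plan.get(unit, []))
    return seen


def structural_check(plan, profile_roots, unit):
    """Structural style: the profile names only root objects; the rest is derived."""
    return any(unit in subtree(plan, root) for root in profile_roots)


def enumerated_check(value_list, unit):
    """General style (values in fields): every object is listed explicitly."""
    return unit in value_list


def demo():
    plan = {k: list(v) for k, v in ORG_PLAN.items()}
    enumerated = subtree(plan, "O3")  # snapshot typed into the profile today
    plan["O32"] = ["O321"]            # later reorganization adds a unit under O3
    return (structural_check(plan, ["O3"], "O321"),  # new unit is covered
            enumerated_check(enumerated, "O321"),    # stale list misses it
            structural_check(plan, ["O3"], "O21"))   # sibling subtree stays closed
```

The enumerated profile has to be maintained on every reorganization, while the structural profile follows the plan and still keeps the O2 and O4 subtrees out of reach.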


Role Based vs. Structural Authorization

Role Based
Assign roles to users
Direct role assignment
Control access to data

Structural
Assign roles to organizational element
Indirect role assignment
Control access to organizational objects


Thank You

www.tcs.com
