iProConference:
SAP HCM Best Practise
London, 8th November 2012

HR Authorisations
Anja Marxsen
Sven Ringling

#HCMBP2012
Agenda

■ Overview: General / Structural /
Context Authorisation Check

■ How to reduce the number of roles
■ Avoid these pitfalls
■ How to approach a redesign

www.iprocon.com

slide: 2
Overview
General auth. / Struct. auth. / Context-dep.
What? e.g. PA30, IT 2001 2007
Where? e.g. all P from personnel area, all O, S, C, E
OM structure, Training catalogue

slide: 3
Example context-dependent auth.

Glenn is also a leader of his team and may read master data.
Glenn is responsible for time management. He may maintain time data for a special unit.

User
Structural profile: „Time manager“
Structural profile: „My team“

slide: 4
Overlapping of authorisation
Maintain time data + Read master data
A special org unit + His own team

slide: 5
Solution: context-dependent auth.

Context: Glenn is also a leader of his team and may read master data.
Context: Glenn is responsible for time mgmt. He may maintain time data for a special unit.

Structural profile „Time manager“
Structural profile „own team“

slide: 6
Context-dependent authorisation

2 roles and 2 profiles together lead to a mix
of objects and authorisations

Context-dependent authorisation
can assign a profile to a special role

Tip
No more mix. Everybody can only do
what he is supposed to do.
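
The Glenn example as a small model, added here and not taken from the slides: it runs the same two roles once with independent general and structural checks and once with each profile bound to its authorisation, and lists what only the mixed check allows. Person numbers, authorisation levels and all function names are assumptions.

```python
"""Glenn's two roles, checked without and with context (simplified model).

Not SAP code: person numbers and the authorisation levels are constructed
sample values; infotypes 2001/2007 stand for time data, 0002 for master data.
"""
from dataclasses import dataclass
from itertools import product

# Persons reachable through each structural profile (constructed sample data).
STRUCTURAL_PROFILES = {
    "Time manager": frozenset({"P100", "P101"}),  # the special org unit
    "My team": frozenset({"P200", "P201"}),       # Glenn's own team
}


@dataclass(frozen=True)
class Grant:
    """One general authorisation plus the structural profile it was meant for."""
    infotypes: frozenset
    levels: frozenset   # "R" = read, "W" = write
    profile: str


GLENN = (
    Grant(frozenset({"2001", "2007"}), frozenset({"R", "W"}), "Time manager"),
    Grant(frozenset({"0002"}), frozenset({"R"}), "My team"),
)


def check_without_context(grants, infotype, level, person):
    """General and structural checks are evaluated independently of each other."""
    general_ok = any(infotype in g.infotypes and level in g.levels for g in grants)
    structural_ok = any(person in STRUCTURAL_PROFILES[g.profile] for g in grants)
    return general_ok and structural_ok


def check_with_context(grants, infotype, level, person):
    """The person must be reachable through the profile bound to the same grant."""
    return any(
        infotype in g.infotypes
        and level in g.levels
        and person in STRUCTURAL_PROFILES[g.profile]
        for g in grants
    )


def unintended_access(grants):
    """Every (infotype, level, person) allowed only because the checks are mixed."""
    infotypes = sorted(set().union(*(g.infotypes for g in grants)))
    persons = sorted(set().union(*(STRUCTURAL_PROFILES[g.profile] for g in grants)))
    return [
        combo
        for combo in product(infotypes, ("R", "W"), persons)
        if check_without_context(grants, *combo)
        and not check_with_context(grants, *combo)
    ]


if __name__ == "__main__":
    for infotype, level, person in unintended_access(GLENN):
        print(f"mixed only: IT{infotype} level {level} for {person}")
```
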

slide: 7
Agenda

■ Overview: General / Structural /
Context Authorisation Check

■ How to reduce the number of roles
■ Avoid these pitfalls
■ How to approach a redesign


slide: 8
Why do we have so many roles?

General authorisation can restrict both:
access to data and access to persons

Functional range of SAP HCM
applications increases
Functions are becoming decentralised
– more users need different access


slide: 9
Possible solutions

■ Implement structural authorisation with dynamic start object
■ Stay with general authorisation but
► use object P_NNNNN
► use custom object + BAdI
■ Reduce maintenance effort using reference roles

slide: 10
N structural profiles - 1 for each location
Responsible for your own location:

Responsible for 2 locations:

…

slide: 11
How to create dynamic profiles

Standard function module RH_GET_ORG_ASSIGNMENT dynamically identifies the assigned org unit.

User → (IT 0105) → Person → (Holder) → Position → (Belongs to) → Org unit
Evaluation path: ORGASS

slide: 12
Get more out of dynamic profiles
Many users stop at standard options
• Org unit: user is line manager of
• Org unit: user is staff member of

Real life requirements are more diverse
• PAs capturing data for managers or whole teams
• Managers not having access more than 2 levels down (“grandfather principle”)
• Other roles like resource planners, event managers, …
You can achieve much with little custom programming
• … and a good deal of analysis and conceptual thinking
• Nevertheless: always try to avoid complexity via pragmatic processes

slide: 13
Dynamic – but different start object I
1. Create custom relationship between position and other org unit:

[Diagram labels: Org Unit A, Org Unit B, Position (×2), Person (×2)]

slide: 14
Dynamic – but different start object II

2. Copy evaluation path ORGASS and replace the relationship with your own:

slide: 15
Dynamic – but different start object III

3. Copy function module and replace the evaluation path with your own:

slide: 16
Tip for enhanced use

■ If the access to persons can't be determined from org structure you can also develop a custom function module that may identify relevant persons by
► user parameter
► master data
► customizing
► …

■ In this case evaluation path and start object remain empty.

slide: 17
How to reduce number of roles

✓ Dynamic start object
■ Dynamic in general authorization through custom object or P_NNNNN or BAdI
■ Reference role

slide: 18
P_NNNNN
You need access to all persons of your own cost center.

Standard authorisations don't provide cost center.
Using the organisational key leads to 1 role for each user.

You may also use P_NNNNN with additional coding.

Tip
1 role for all users

slide: 19
Additional coding for P_NNNNN

■ The report RPUACG00 generates coding in program MPPAUTZZ
■ Here you can add your own coding.
■ Note! After every regeneration the custom code gets lost.

slide: 20
How to decrease amount of roles

✓ Dynamic start object
✓ Dynamic in general authorization through custom object or P_NNNNN or BAdI
■ Reference role

slide: 21
Concept of reference roles
Reference Role (Personnel Area: *)
Derived Role (Personnel Area: 1000)
Derived Role (Personnel Area: 2000)
Derived Role (Personnel Area: 3000)

Inheritance of all authorisations except for the organisational levels

slide: 22
Agenda

■ Overview: General / Structural /
Context Authorisation Check

■ How to reduce the number of roles
■ Avoid these pitfalls
■ How to approach a redesign


slide: 23
Avoid these pitfalls

■ P_PERNR
■ P_ABAP
■ time dependent check - T582a
■ Adding rights from different roles, particularly
backend and XSS
■ BAdI: all methods!


slide: 24
P_PERNR
Possible values:
E = exclude own personnel number
I = include own personnel number

Not like this!

Rule:
Basis is always 'normal' authorisation – P_PERNR is checked last
E: less rights for own personnel number (e.g. Change IT0008)
I: more rights for own personnel number (e.g. ESS)

slide: 25
Authorisation Object P_ABAP
Often difficult to provide access to non-critical reports (e. g. phone list)

P_ABAP deactivates HR authorisation check (COARS = 2) but doesn't replace the basic authorisation to start a report!

Tip
Recommendation: 1 role with non-critical reports for all users

slide: 26
Time dependent check
The date-dependent check is not carried out for
each infotype by default. You can change the
setting in table view V_T582A.


slide: 27
Rights from different roles adding up
■ It is a common misconception that authorisations are only used together, when in the same role
► E.g.: if one role allows to read infotype 0002 and a different role holds rights for transaction PA20, then the user cannot access infotype 0002 in PA20 → WRONG!
► When a user wants to perform any action, authorisations from all roles assigned are applied

■ Example: HR team leader
► Role „HR Manager UK“ gives access to transaction PA30 and HR infotypes only for personnel areas in the UK
► Role „Manager for MSS“ gives access to all HR infotypes without restrictions (assumption: MSS assigns right people only)
► Problem: combining both roles gives access to all HR data globally
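
The HR team leader example as a small model, added here and not taken from the slides: every check is answered from the pooled authorisations of all assigned roles, and an audit helper lists the requests that only the combination allows. The personnel areas GB01 and DE01, the field values in both roles and all function names are assumptions; P_ORGIN fields other than INFTY, AUTHC and PERSA are left out.

```python
"""Authorisations from all assigned roles add up (simplified model, not SAP code).

Personnel areas GB01/DE01 and the field values in the two roles are constructed.
"""
from itertools import product

WILDCARD = "*"


def auth(obj, **fields):
    """One authorisation: object name plus the allowed values per field."""
    return obj, {name: frozenset(values) for name, values in fields.items()}


ROLES = {
    # Backend role: transaction PA30, all infotypes, UK personnel area only.
    "HR Manager UK": [
        auth("S_TCODE", TCD=["PA30"]),
        auth("P_ORGIN", INFTY=["*"], AUTHC=["R", "W"], PERSA=["GB01"]),
    ],
    # Self-service role: no backend transaction, but unrestricted HR data.
    "Manager for MSS": [
        auth("P_ORGIN", INFTY=["*"], AUTHC=["*"], PERSA=["*"]),
    ],
}


def user_buffer(role_names):
    """All authorisations of all assigned roles in one flat list."""
    return [a for name in role_names for a in ROLES[name]]


def authority_check(buffer, obj, **wanted):
    """True if one authorisation for obj covers every requested field value."""
    for name, fields in buffer:
        if name != obj:
            continue
        if all(
            WILDCARD in fields.get(field, ()) or value in fields.get(field, ())
            for field, value in wanted.items()
        ):
            return True
    return False


def can_access(role_names, tcode, infty, authc, persa):
    """Transaction start and HR data check are separate checks on the same buffer."""
    buffer = user_buffer(role_names)
    return authority_check(buffer, "S_TCODE", TCD=tcode) and authority_check(
        buffer, "P_ORGIN", INFTY=infty, AUTHC=authc, PERSA=persa
    )


def combination_only_access(role_names, probes):
    """Requests the combined roles allow although no single role allows them."""
    return [
        probe
        for probe in probes
        if can_access(role_names, *probe)
        and not any(can_access([name], *probe) for name in role_names)
    ]


# Constructed probe set: (transaction, infotype, level, personnel area).
PROBES = list(product(["PA30"], ["0002", "0008"], ["R", "W"], ["GB01", "DE01"]))

if __name__ == "__main__":
    both = ["HR Manager UK", "Manager for MSS"]
    for probe in combination_only_access(both, PROBES):
        print("only through the combination:", probe)
```
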

slide: 28
BAdI for general auth. checks

You must consider all these methods during implementation to
ensure that the standard authorization check continues to work!
Otherwise, you deactivate the complete authorization check.


slide: 29
Agenda

■ Overview: General / Structural /
Context Authorisation Check

■ How to reduce the number of roles
■ Avoid these pitfalls
■ How to approach a redesign


slide: 30
Redesigning HR Authorisations

■ General approach / test
■ Performance improvement of structural
authorisation
■ Composite roles
■ OM assignment?
■ Assign structural profiles via BAdI
■ Further improvements through BAdIs?
■ Performance improvement through object P_ABAP
■ Migrating to context-dependent authorisation
■ Amend profile generator for better defaults in
transaction PFCG

slide: 31
General approach

Initial User Workshop
• Efficiency issues: in role maintenance, biz process or system performance -> detailed analysis & decide fix?
• Loss of control? Full process based redesign
• New requirements? New roles or new concepts, e.g. context or BAdI required?
• Some things don’t work: check issues and decide fix (may be wrong usage of objects or requiring new concepts)

slide: 32
Tips for Test and Cut-Over

■ 4 elements of authorisation test
► Can users do, what they need to? → key users test their own process
► Can users do more than they should? → Key users and tech experts test others' process
► Performance → tech experts perform mass test together with key users
► User maintenance process → end to end acceptance test with user admin and business users

■ Cut-Over
► Keep old roles as a contingency and allow them to be assigned for a limited period of time in case of issues
► Do not tell key users before test is completed

slide: 33
Improve performance for struct. auth.

Evaluation path with non specified target object reduces performance
better: P

Save user data in SAP memory

slide: 34
Use composite roles
The more roles you have the more maintenance effort you need for user assignment

Combine single roles into composite roles
Role „Reports for stores“
Role „PA decentral“
Role „Time manager“
Composite role „Store office“

Tip
Modular design of role concept reduces maintenance effort

slide: 35
Assign roles via org management

[Diagram labels: Organisational Unit, Job, Work Center, Position, Person, User; Role (×6)]

slide: 36
Assign structural profiles via BAdI
Maintenance of table T77UA takes too much effort or doesn't fulfill the requirements

Assignment of structural profiles either from the field PROFL or following your own logic via BAdI HRBAS00_GET_PROFL

Tip
No need of maintaining table T77UA.
Dynamic assignment of structural profiles.

slide: 37
Further improvements through BAdIs
The BAdIs available are very powerful
• You may find ways to improve performance or usability by making good use of them
• Risk: users / data security team learn that “everything is possible somehow” → you end up reinventing the system
Examples
• Allow access to some infotypes only in specific transactions, e.g. access to IT0002 fields for reporting, but not in transactions, where NI number is shown
• Capture additional payments up to certain limit
• Rights to change HR data for most users “switched on/off”, if central team wants to avoid changes at certain times

slide: 38
Book recommendation


slide: 39
Appendix

■ P_NNNNN
■ Reference role


slide: 40
Step by Step

1. Create P_NNNNN
2. Take over P_NNNNN in standard authorisation check
3. Activate P_NNNNN

slide: 41
Create P_NNNNN


slide: 42
Take over in standard auth. check
Report RPUACG00


slide: 43
Activate P_NNNNN
Table T77S0


slide: 44
P_NNNNN with context


slide: 45
Reference role
You might have roles for decentralised use that only differ in one or few org level fields (e.g. personnel area).
In the standard, the plan version is the only org level.

Tip
You can change existing fields to org levels via Report PFCG_ORGFIELD_CREATE

Only the reference role needs to be maintained.

slide: 46
1. Create an org level field
Use report PFCG_ORGFIELD_CREATE to create a new org
level because the standard provides only the plan version as
an org level.
Result:

derived
role


slide: 47
2. Derive role from reference role
A role becomes a reference role as soon as another role
has been derived from that role.


slide: 48
3. Maintain the reference role
Transfer the authorisations of the reference role to the derived
roles via button „Copy data“ – except for the organisational
levels.

Reference
Role


slide: 49
Ask for our in-house workshops
SAP HR Authorisations design
• Full (re)design
• Additional modules / processes
Reviewing your HR Authorisations
system
Preparing for a rollout
• Incl. international rollout
Switching to structural authorisations
• …or context sensitive authorisations

slide: 50

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

SAP HCM authorisations: streamline processes and improve HR data security

  • 1. iProConference: SAP HCM Best Practise London, 8th November 2012 HR Authorisations Anja Marxsen Sven Ringling #HCMBP2012
  • 2. Agenda ■ Overview: General / Structural / Context Authorisation Check ■ How to reduce the number of roles ■ Avoid these pitfalls ■ How to approach a redesign www.iprocon.com slide: 2
  • 3. Overview General auth. Struct. auth. What? e.g. PA30, Context-dep. IT 2001 2007 OM structure Where? e.g. all P from personnel area, all O, S, C, E Training catalogue
  • 4. Example context-dependent auth. Glenn is also a leader of his team and may read master data. Glenn is responsible for time management. He may maintain time data for a special unit. User Structural profile: „Time manager“ Structural profile: „My team“
  • 5. Overlapping of authorisation Maintain time data + Read master data A special org unit + His own team
  • 6. Solution: context-dependent auth. context Glenn is also a leader of his team and may read master data. context Glenn is responsible for time mgmt. He may maintain time data for a special unit. Structural profile „Time manager“ Structural profile „own team“
  • 7. Context-dependent authorisation 2 roles and 2 profiles together lead to a mix of objects and authorisations Context-dependent authorisation can assign a profile to a special role Tip No more mix. Everybody can only do what he is supposed to do.
  • 8. Agenda ■ Overview: General / Structural / Context Authorisation Check ■ How to reduce the number of roles ■ Avoid these pitfalls ■ How to approach a redesign
  • 9. Why do we have so many roles? General authorisation can restrict both: access to data and access to persons Functional range of SAP HCM applications increases Functions are becoming decentralised – more users need different access
  • 10. Possible solutions ■ Implement structural authorisation with dynamic start object ■ Stay with general authorisation but ► use object P_NNNNN ► use custom object + BAdI ■ Reduce maintenance effort using reference roles
  • 11. N structural profiles - 1 for each location Responsible for your own location: Responsible for 2 locations: . . .
  • 12. How to create dynamic profiles Standard function module RH_GET_ORG_ASSIGNMENT dynamically identifies the assigned org unit. Position Holder IT 0105 Person ORGASS Org unit Belongs to User
  • 13. Get more out of dynamic profiles Many users stop at standard options • Org unit: user is line manager of • Org unit: user is staff member of Real life requirements are more diverse • PAs capturing data for managers or whole teams • Managers not having access more than 2 levels down (“grandfather principle”) • Other roles like resource planners, event managers,… You can achieve much with little custom programming • … and a good deal of analysis and conceptual thinking • Nevertheless: always try to avoid complexity via pragmatic processes
  • 14. Dynamic – but different start object I 1. Create custom relationship between position and other org unit: Org Unit A Org Unit B Position Position Person Person
  • 15. Dynamic – but different start object II 2. Copy evaluation path ORGASS and replace the relationship with your own:
  • 16. Dynamic – but different start object III 2. Copy function module and replace the evaluation path with your own:
  • 17. Tip for enhanced use ■ If the access to persons can't be determined from org structure you can also develop a custom function module that may identify relevant persons by ► user parameter ► master data ► customizing ► … ■ In this case evaluation path and start object remain empty.
  • 18. How to reduce number of roles ■ Dynamic start object ■ Dynamic in general authorisation through custom object or P_NNNNN or BAdI ■ Reference role
  • 19. P_NNNNN You need access to all persons of your own cost center. Standard authorisations don't provide cost center. Using the organisational key leads to 1 role for each user. You may also use P_NNNNN with additional coding. Tip 1 role for all users
  • 20. Additional coding for P_NNNNN ■ The report RPUACG00 generates coding in program MPPAUTZZ ■ Here you can add your own coding. ■ Note! After every regeneration the custom code gets lost.
  • 21. How to decrease amount of roles ■ Dynamic start object ■ Dynamic in general authorisation through custom object or P_NNNNN or BAdI ■ Reference role
  • 22. Concept of reference roles Derived Role Personnel Area: 1000 Reference Role Derived Role Personnel Area: * Personnel Area: 2000 Inheritance of all authorisations except for the organisational levels Derived Role Personnel Area: 3000
  • 23. Agenda ■ Overview: General / Structural / Context Authorisation Check ■ How to reduce the number of roles ■ Avoid these pitfalls ■ How to approach a redesign
  • 24. Avoid these pitfalls ■ P_PERNR ■ P_ABAP ■ time dependent check - T582a ■ Adding rights from different roles, particularly backend and XSS ■ BAdI: all methods!
  • 25. P_PERNR Possible values: E = exclude own personnel number I = include own personnel number Not like this! Rule: Basis is always 'normal' authorisation – P_PERNR is checked last E: less rights for own personnel number (e.g. Change IT0008) I: more rights for own personnel number (e.g. ESS)
  • 26. Authorisation Object P_ABAP Often difficult to provide access to non-critical reports (e. g. phone list) P_ABAP deactivates HR authorisation check (COARS = 2) Tip doesn't replace the basic authorisation but to start a report! Recommendation: 1 role with non-critical reports for all users
  • 27. Time dependent check The date-dependent check is not carried out for each infotype by default. You can change the setting in table view V_T582A.
  • 28. Rights from different roles adding up ■ It is a common misconception that authorisations are only used together when they are in the same role ► E.g.: if one role allows reading infotype 0002 and a different role holds rights for transaction PA20, then the user cannot access infotype 0002 in PA20 → WRONG! ► When a user wants to perform any action, authorisations from all roles assigned are applied ■ Example: HR team leader ► Role „HR Manager UK“ gives access to transaction PA30 and HR infotypes only for personnel areas in the UK ► Role „Manager for MSS“ gives access to all HR infotypes without restrictions (assumption: MSS assigns right people only) ► Problem: combining both roles gives access to all HR data globally
  • 29. BAdI for general auth. checks You must consider all these methods during implementation to ensure that the standard authorization check continues to work! Otherwise, you deactivate the complete authorization check.
  • 30. Agenda ■ Overview: General / Structural / Context Authorisation Check ■ How to reduce the number of roles ■ Avoid these pitfalls ■ How to approach a redesign
  • 31. Redesigning HR Authorisations ■ General approach / test ■ Performance improvement of structural authorisation ■ Composite roles ■ OM assignment? ■ Assign structural profiles via BAdI ■ Further improvements through BAdIs? ■ Performance improvement through object P_ABAP ■ Migrating to context-dependent authorisation ■ Amend profile generator for better defaults in transaction PFCG
  • 32. General approach In role maintenance, biz process or system performance -> detailed analysis & decide fix? Efficiency issues Loss of Control? Full process based redesign Initial User Workshop New requirements? New roles or new concepts, e.g. context or BAdI required? Check issues and decide fix (may be wrong usage of objects or requiring new concepts) Some things don’t work
  • 33. Tips for Test and Cut-Over ■ 4 elements of authorisation test ► Can users do what they need to? → key users test their own process ► Can users do more than they should? → Key users and tech experts test others' process ► Performance → tech experts perform mass test together with key users ► User maintenance process → end to end acceptance test with user admin and business users ■ Cut-Over ► Keep old roles as a contingency and allow them to be assigned for a limited period of time in case of issues ► Do not tell key users before test is completed
  • 34. Improve performance for struct. auth. better: P Evaluation path with non-specified target object reduces performance Save user data in SAP memory
  • 35. Use composite roles The more roles you have the more maintenance effort you need for user assignment Role „Reports for stores“ Role „PA decentral“ Combine single roles into composite roles Role „Time manager“ Tip Composite role „Store office“ Modular design of role concept reduces maintenance effort
  • 36. Assign roles via org management Organisational Unit Role Job Work Center Role Role Role Role User Role Position Person
  • 37. Assign structural profiles via BAdI Maintenance of table T77UA takes too much effort or doesn't fulfill the requirements Assignment of structural profiles either from the field PROFL or following your own logic via BAdI HRBAS00_GET_PROFL Tip No need of maintaining table T77UA. Dynamic assignment of structural profiles.
  • 38. Further improvements through BAdIs The BAdIs available are very powerful • You may find ways to improve performance or usability by making good use of them • Risk: users / data security team learn that “everything is possible somehow” → you end up reinventing the system Examples • Allow access to some infotypes only in specific transactions, e.g. access to IT0002 fields for reporting, but not in transactions, where NI number is shown • Capture additional payments up to certain limit • Rights to change HR data for most users “switched on/off”, if central team wants to avoid changes at certain times
  • 40. Appendix ■ P_NNNNN ■ Reference role
  • 41. Step by Step 1. Create P_NNNNN 2. Take over P_NNNNN in standard authorisation check 3. Activate P_NNNNN
  • 43. Take over in standard auth. check Report RPUACG00
  • 46. Reference role You might have roles for decentralised use that only differ in one or few org level fields (e.g. personnel area). In the standard, the plan version is the only org level. Tip You can change existing fields to org levels via Report PFCG_ORGFIELD_CREATE Only the reference role needs to be maintained.
  • 47. 1. Create an org level field Use report PFCG_ORGFIELD_CREATE to create a new org level because the standard provides only the plan version as an org level. Result: derived role
  • 48. 2. Derive role from reference role A role becomes a reference role as soon as another role has been derived from that role.
  • 49. 3. Maintain the reference role Transfer the authorisations of the reference role to the derived roles via button „Copy data“ – except for the organisational levels. Reference Role
  • 50. Ask for our in-house workshops SAP HR Authorisations design • Full (re)design • Additional modules / processes Reviewing your HR Authorisations system Preparing for a rollout • Incl. international rollout Switching to structural authorisations • …or context sensitive authorisations
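
The overlap shown on slides 4 to 7 (Glenn's two roles and two structural profiles) and the "rights adding up" pitfall on slide 28 can be reproduced in a small model. The Python below is an added example, not SAP code and not material from the presenters: the personnel numbers, the master-data infotype 0002 for the team-leader role and the data layout are constructed assumptions, and the two check functions are a simplified model of the checks, not their real implementation.

```python
from dataclasses import dataclass

# Constructed sample data: which persons each structural profile resolves to.
STRUCTURAL_PROFILES = {
    "TIME_MANAGER": {"P100", "P101"},  # persons in the special org unit
    "MY_TEAM": {"P200", "P201"},       # persons in Glenn's own team
}


@dataclass(frozen=True)
class Authorisation:
    role: str
    infotypes: frozenset   # infotypes the role covers
    levels: frozenset      # "R" = read, "W" = write (matched literally here)
    profile: str           # structural profile linked to this role (the context)


# Glenn's two roles from slide 4 (infotype numbers are assumptions).
GLENN = [
    Authorisation("Time manager", frozenset({"2001", "2007"}),
                  frozenset({"R", "W"}), "TIME_MANAGER"),
    Authorisation("Team leader", frozenset({"0002"}),
                  frozenset({"R"}), "MY_TEAM"),
]


def grants(auth, infotype, level):
    return infotype in auth.infotypes and level in auth.levels


def check_without_context(auths, person, infotype, level):
    """General and structural parts are evaluated independently:
    any role may supply the 'what', any profile may supply the 'where'."""
    general_ok = any(grants(a, infotype, level) for a in auths)
    structural_ok = any(person in STRUCTURAL_PROFILES[a.profile] for a in auths)
    return general_ok and structural_ok


def check_with_context(auths, person, infotype, level):
    """Context-dependent: one and the same authorisation must supply
    both the 'what' and the 'where'."""
    return any(
        grants(a, infotype, level) and person in STRUCTURAL_PROFILES[a.profile]
        for a in auths
    )


def excess_access(auths):
    """Accesses the independent check grants but the context check refuses."""
    persons = set().union(*STRUCTURAL_PROFILES.values())
    infotypes = set().union(*(a.infotypes for a in auths))
    return sorted(
        (p, it, lv)
        for p in persons for it in infotypes for lv in ("R", "W")
        if check_without_context(auths, p, it, lv)
        and not check_with_context(auths, p, it, lv)
    )


if __name__ == "__main__":
    for person, infotype, level in excess_access(GLENN):
        print(f"unintended: {level} on infotype {infotype} for {person}")
```

Running `excess_access` over a real role and profile extract in the same shape is a quick way to list the unintended combinations before migrating to context-dependent authorisation.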