
SAP HR Security

Introduction
HR security is indirect, position-based security, unlike the direct, user-based assignment used elsewhere in SAP ECC. In HR, roles and authorizations are assigned to HR objects instead of directly to the user.

Benefits of Position Based Security

• Automates security adjustments necessitated by an employee's long-term movements in the organization (HDA promotion, new hire, termination, transfer).
• Lower long-term security maintenance and administration costs despite the one-time development costs.
• Facilitates general assignments to employees whose positions belong to the same organizational unit.

Key Terminologies

1. INFOTYPES

An infotype is used to store personal data about an employee. Each infotype has a four-digit code and a name. Example: Infotype 0002 contains employee personal data such as name, date of birth and marital status. SAP has defined predefined number ranges for infotypes:

HR and Payroll Data → Infotype 0000 to 0999
Organizational Data → Infotype 1000 to 1999
Time Data → Infotype 2000 to 2999

2. SUBTYPES

You can further divide an infotype into groups, which are called subtypes. For example, the Address infotype (0006) can be divided into the subtypes Permanent Residence and Emergency Address.

3. HR OBJECTS

Organisation Management is based upon the use of objects and relationships. Object types are used to represent the different elements of a company:

Organizational Unit: O
Job: C
Position: S
Person: P
Cost Center: K

4. RELATIONSHIPS

Relationships define how objects are mapped to each other in the org structure. Every relationship has a top-down version (starting with A) and a bottom-up version (starting with B). It is a three-digit code, and SAP delivers the valid relationship numbers between the objects. To maintain relationships, use transaction PP01 or PP03.

E.g.
Organizational Unit (Org Unit) relationships:
Org Unit belongs to another Org Unit (A003)
Org Unit incorporates another Org Unit (B003)

Job relationships:
Job describes a Position (A007)

Position relationships:
Position reports to another Position (A002)
Position is a line supervisor of another Position (B002)
Position is held by a Person (A008)

Similarly:
Is described by: B007
Manages: A012
Is managed by: B012

5. ENTERPRISE STRUCTURE

The following elements define the Enterprise Structure:

COMPANY CODE
Highest level of the company structure, for which you can draw up a complete set of accounts such as the Balance Sheet and Profit & Loss Statement.

PERSONNEL AREA
Represents a subdivision of the company code, classified by geographical location or function of the enterprise. All Personnel Areas of a company code must therefore be assigned to the same country grouping.

PERSONNEL SUBAREA
Represents a subdivision of the Personnel Area. All control features for the enterprise structure, such as pay scale, wage type structures and work schedule planning, are controlled at Personnel Subarea level.

6. PERSONNEL STRUCTURE

i. EMPLOYEE GROUP
A general classification of employees, for example Active, Retiree, External. Can be used as an entity in authorization checks.

ii. EMPLOYEE SUBGROUP
Subdivision of the Employee Group. For example, for the Active employee group the employee subgroups can be:
• Hourly wage earners
• Monthly wage earners
• Salaried
All control features for the personnel structure, such as pay scale, wage type structures and work schedule planning, are defined at Employee Subgroup level.

Transaction Codes

PA20 – Display HR Master Data: used by HR/Security to display HR master data.

PA30 – Maintain HR Master Data: used by HR/Security to maintain HR master data, but Security will have limited access, maintaining only some infotypes such as Communication -> System User Name.

OOSP – Create PD Profile: used by Security/HR to create PD profiles.

OOSB – Assign PD profiles to users directly.

OOAC – Used by Security to activate the authorization switches.

PP01/PP02 – Maintain any HR object in general.

Key Authorization Objects

P_ORGIN – The object HR: Master Data (P_ORGIN) is used for authorization checks on personal data. Checks are performed only when HR infotypes are edited or read.

P_ORGINCON – This authorization object consists of the same fields as P_ORGIN and additionally includes the PROFL field (structural profile). A check using this object enables customer-specific contexts to be mapped in HR master data.

P_PERNR – The HR: Master Data - Personnel Number Check object (P_PERNR) can be used to check authorization for personal data (HR infotypes). This check is not active in the standard system but can be activated by setting the switch HR: Master Data - Personnel Number Check (P_PERNR) to 1. You can maintain the authorization switch with the HR: Authorization Switch transaction (OOAC). This check is only relevant for the user's own assigned personnel number.

PLOG – Used by the authorization check for PD data.

HR Position Based Security

OVERVIEW
• Concept of using the SAP HCM module to help security administrators control access.
• Can be used for both HR and non-HR modules.
• Roles or authorization profiles (standard and PD/structural) are attached to positions or other objects in the organization structure.
• The person who holds the position inherits the access provided by the profiles or roles.
• No need to communicate with Security Administrators on people movements within the organization.
• PD Profiles/Structural Authorizations only apply to HR security.

HR Reports

Program RHAUTUPD_NEW
• Creates role assignments (direct and indirect) for users by evaluating where a person 'sits' within the organizational structure. Can be used for both HR and non-HR modules.
• Update Direct Role Assignments: roles are assigned directly to user master records via PFCG.
• Update Indirect Role Assignments: roles are assigned to HR objects such as:
  • Positions (S)
  • Work Centers (A)
  • Jobs (C)
  • Persons (P)
  • Organizational Units (O)
  • User Master Record (US)
• It can be executed online via T-code PFUD or by scheduling program PFCG_TIME_DEPENDENCY.

Program RHPROFL0
• This program creates structural authorization profiles (PD profiles) for users by evaluating where a person 'sits' within an organizational structure:
  • Analyses all the object holders in the HCM organizational structure.
  • For each holder, the PD profiles (stored in Infotype 1017) are read for each corresponding object type (job, position etc.).
  • Then generates the corresponding profile assignments for the user that is assigned to the personnel number in Infotype 0105, subtype 0001.
• Creates a batch job which needs to be activated to complete the process.

SAP HCM – Security – Structural Authorization/PD Profile

Overview

As the name suggests, structural authorization is used to restrict access to certain OM objects such as org units, jobs and tasks. In interaction with the authorization objects for PA master data, it can restrict access to a certain set of persons in the enterprise. A person's total authorization is the result of the interaction between his general authorizations (through roles) and his structural authorizations (through PD profiles). PD profiles are created using OOSP and can be assigned to a user directly using OOSB, or indirectly to the user's position using infotype 1017.

PD profiles are of two types:
Dynamic, using the HR function modules:
• RH_GET_MANAGER_ASSIGNMENT (Determine organizational units for manager)
  • This function module finds the root organizational unit with which the user is related via the position and relationship A012 (manages).
• RH_GET_ORG_ASSIGNMENT (Organizational assignment)
  • This function module finds the root organizational unit to which the user is organizationally assigned.
Static: using the HR object ID directly.

Basic Approach

There are four basic steps involved in implementing structural authorizations:

• Define the PD profiles through transaction OOSP.
• Link the PD profiles you defined to an object of type S (Position) in transaction PO13 or C (Job) in transaction PO03 (infotype 1017, PD Profiles).
• Link the Personnel ID (Employee ID) to the User ID through the Personnel Administration sub-module of HR (transaction PA30, infotype 0105, subtype 0001).
• Run program RHPROFL0 to adjust the user master records.
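The resolution chain described for RHPROFL0 above (and the A012 lookup behind the dynamic profiles), as an added toy model that is not SAP code and not part of the original page. Relationship codes and infotype numbers follow the text; all object ids, profile names and user ids are constructed.

```python
# Added toy model (not SAP code); object ids, profile names and users are constructed.
# Relationships as maintained in PP01: (source, code, target), top-down A-codes.
RELATIONS = [
    ("S-200", "A012", "O-100"),   # position S-200 manages org unit O-100
    ("S-200", "A003", "O-100"),   # position S-200 belongs to org unit O-100
    ("S-200", "A008", "P-1001"),  # position S-200 is held by person P-1001
    ("S-210", "A003", "O-110"),   # position S-210 belongs to org unit O-110
    ("S-210", "A008", "P-1002"),  # position S-210 is held by person P-1002
]
# Infotype 1017 (PD Profiles) stored on positions (constructed profile names).
IT1017 = {"S-200": ["MGR_ORG100"], "S-210": ["ALL"]}
# Infotype 0105 subtype 0001: personnel number -> SAP user ID (constructed).
IT0105_0001 = {"P-1001": "JDOE", "P-1002": "ASMITH"}

def related(source, code):
    """Top-down view: objects reached from `source` via relationship `code`."""
    return [t for s, c, t in RELATIONS if s == source and c == code]

def user_position(user):
    """Bottom-up view (B008 'holds'): user -> PERNR via IT0105/0001 -> position."""
    person = next((p for p, u in IT0105_0001.items() if u == user), None)
    return next((s for s, c, t in RELATIONS if c == "A008" and t == person), None)

def derive_pd_assignments():
    """Mimics RHPROFL0: for every position carrying IT1017 profiles, find its
    holder (A008), map the PERNR to a user (IT0105/0001) and collect profiles."""
    result = {}
    for position, profiles in IT1017.items():
        for person in related(position, "A008"):
            user = IT0105_0001.get(person)
            if user:  # a holder without IT0105/0001 gets no profile assignment
                result.setdefault(user, set()).update(profiles)
    return result

def manager_root_org(user):
    """Like RH_GET_MANAGER_ASSIGNMENT: org units the user's position manages (A012)."""
    pos = user_position(user)
    return related(pos, "A012") if pos else []

def org_assignment_root(user):
    """Like RH_GET_ORG_ASSIGNMENT: org unit the user's position belongs to (A003)."""
    pos = user_position(user)
    return related(pos, "A003") if pos else []

def audit_all_profile(assignments):
    """Audit requirement 1: users who would inherit the PD profile ALL."""
    return sorted(u for u, profs in assignments.items() if "ALL" in profs)
```

Running `audit_all_profile(derive_pd_assignments())` shows why the audit has to look at positions as well as users: the ALL profile reaches ASMITH only through position S-210.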

Audit Requirements
1. PD profile "ALL" should not be assigned to any user, as it gives access to all HR objects (*).
2. The P_PERNR object should be used carefully. By default, the authorization switch for this object is inactive.
3. Critical infotypes such as Salary (0008) and HR reports for time data should be restricted.

Troubleshooting Techniques:
Use of ST01 [System Trace] Tool

• This method represents the most reliable way of identifying the missing HR object authorizations required to execute HR t-codes.
• When analyzing HR authorization traces in ST01, it is useful to note that HR authority checks tend to be processed in a "maximum" to "minimum" manner.

For example, HR structural authority checks against P_ORGINCON [HR: Master Data with Context] generally progress in the following manner:
• Check for "*" in the PROFL field.
• Check for "ALL" in the PROFL field.
• Check for <specific PD profile name associated with the affected organizational unit(s)> in the PROFL field.
• The user has failed the authority check for P_ORGINCON only if all three of the above checks successively fail for the same combination of values in the other P_ORGINCON fields.
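The check order described above, as an added model for reading such a trace (illustrative code, not SAP's implementation). The authorization values, infotype numbers and profile names are constructed, and value matching is simplified to '*' or an exact value.

```python
# Constructed P_ORGINCON values for one user, as they might appear in a role.
# INFTY, AUTHC and PROFL are fields of the object; '*' stands for any value.
USER_AUTHS = [
    {"INFTY": "0002", "AUTHC": "R", "PROFL": "ALL"},        # read personal data anywhere
    {"INFTY": "0008", "AUTHC": "R", "PROFL": "PD_ORG100"},  # read salary data in one profile
]

def field_matches(value, pattern):
    """Simplified SAP value match: '*' matches everything, otherwise exact."""
    return pattern == "*" or value == pattern

def p_orgincon_check(auths, infty, authc, profl):
    """Evaluate PROFL in the order the trace shows: '*', then 'ALL', then the
    specific PD profile. Returns (passed, steps); each step records the candidate
    tried and whether an authorization matched it together with the same
    INFTY/AUTHC combination. The check fails only if all three candidates fail."""
    steps = []
    for candidate in ("*", "ALL", profl):
        hit = any(field_matches(infty, a["INFTY"])
                  and field_matches(authc, a["AUTHC"])
                  and a["PROFL"] == candidate
                  for a in auths)
        steps.append((candidate, hit))
        if hit:
            return True, steps  # later, narrower candidates are never tried
    return False, steps
```

The second assertion below is the case that confuses trace readers: ALL is present, but only for infotype 0002, so reading 0008 still has to pass on the specific profile.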

Useful Resources
https://help.sap.com/viewer/product/ERP_HCM/EHP8_HRSP_73/en-US

https://www.tutorialspoint.com/sap_hr/
