topic Re: Structural Authorizations & non-HR modules in Application Development and Automation Discussions

Structural Authorizations & non-HR modules

Former Member — Mon, 24 Jul 2006 20:07:07 GMT

Gurus,

We have an existing R/3 system running HR with Structural Authorizations (SA) implemented. The structural authorizations are assigned to managers and used for reporting e.g. a manager can only see their reports vacation balances, time approvals, etc. We are now rolling out PS, SD, MM, PP, etc and are finding areas where at least PS and SD are affected. For example a user with a structural authorization is not able to assign a user outside of their reporting structure to a sales document or a project. Is there a (simple) way to support both without have to reengineer SAs or go to context sensitive SAs? It would be nice if we could exclude non-HR functions from the SAs

Below is the existing management structural authorization profile.

Does anyone have any ideas?

Thanks in advance.

Auth Profile No. Plan Obj Maint Eval Path Status Vec Period Function Mod

Z_MANAGER 1 01 O ZSBESX 12 D RH_GET_MANAGER_ASSIGNMENT

Z_MANAGER 2 01 C

Z_MANAGER 3 01 NA

Z_MANAGER 4 01 NB

Z_MANAGER 5 01 NC

Z_MANAGER 6 01 ND

Z_MANAGER 7 01 NE

Z_MANAGER 8 01 VA

Z_MANAGER 9 01 VC

Z_MANAGER 10 01 VE

Z_MANAGER 11 01 VB

Re: Structural Authorizations & non-HR modules

McF — Tue, 25 Jul 2006 14:46:18 GMT

Hi Greg,

SA sets up the access on the org.management. This framework is used in several areas like crm srm etc. So if you assigned a user via this framework to another object this also has to go through the structural authorization check.

And of course this should be the case as the access should be consistent thoughout the system. Maybe you can include the objects in "non-HR-modules" with wildcards but that heavily depends on the scenario.

Also there are a bunch of BADI you can use to trick and tweak like HRBAS00_STRUAUTH.

Best regards,

Michael

PS: If you do not know the documentation http://service.sap.com/erp-hcm

on the leftside follow:

Services for mySAP ERP HCM -> Special Documentation

Re: Structural Authorizations & non-HR modules

Former Member — Tue, 25 Jul 2006 20:09:04 GMT

When we implemented payroll and travel we implemented structural authorizations and had a similar problem. We used BADI HRBAS00_STRUAUTH to deactivate structural authorizations for specific users of specific transactions. We created a custom Z table which had the user id and transaction code that should be deactivated. The logic in the BADI searched that table for the users login id (SY-UNAME) and current transaction code (SY-TCODE). If an entry is found structural authorizations was deactivatated. The code for deactivating the authorization was provided by SAP. Further documentation can be found at

http://help.sap.com/saphelp_46c/helpdata/en/69/a6c3a635e1d311ba4d0800060d888b/frameset.htm

Re: Structural Authorizations & non-HR modules

Former Member — Wed, 26 Jul 2006 13:13:33 GMT

Thank you all for your input. The BADi suggestion should work nicely for us.

Thanks,

Greg

Re: Structural Authorizations & non-HR modules

Former Member — Wed, 20 Sep 2006 18:30:25 GMT

We are considering implementing Structural Authorizations (SA) in conjunction with SAP’s Travel Management component. The intent is to use SA to control access to viewing and approving employee travel expenses. I would really appreciate any input on the following:

Does SA in fact actually work with Travel Management? I know from personal experience that SA can limit, for example which employees a manager can see. But will it also limit which Travel Management trips (i.e., just the trips of the people who report to them) a Manager could see?

I had read that the tolerance time authorization check (ADAYS) does not work with SA. So that, even though ADAYS is set to 15, when a manager moves from one org unit to another, the effect is immediate and they can no longer view info for the prior unit employees. Is this still the case or is there a way to make it work.

TIA