topic Re: Structural Authorizations in Application Development and Automation Discussions

Structural Authorizations

Former Member — Wed, 06 Dec 2006 15:50:57 GMT

Hi All,

We are implementing Structural Authorizations and I would like to know whether the AUthorization Switch PERNR to be 1 or 0.Please advice and suggest if there are any helpful documents for implementing structural auths.

Thanks in Advance,

Raj

Re: Structural Authorizations

Former Member — Wed, 06 Dec 2006 20:19:10 GMT

IT should be 1. Refer to Structural Authorizations Step by Step, with Gotchas Too by Norm and Carl. A very good document. You can get that on the web.

Re: Structural Authorizations

Former Member — Wed, 06 Dec 2006 20:23:52 GMT

Hi Madhavi,

Thanks for the reply

I was referring with the same document you mentioned.But it has 1 at the beginning and 0 (zero)as standard at the end of the document.

Confused??

Any help appreciated.

Thanks

Raj

Re: Structural Authorizations

morten_nielsen — Thu, 07 Dec 2006 08:13:54 GMT

The PERNR switch is not related to structural authorizations, it's related to the P_PERNR authorization object. This object is used to grant/prohibit access to own HR data based on the link between user-id in employee number in infotype 0105 subtype 0001.

The switch for the structural authorizations is the ORGPD, you need to set this to '1', if you are going to use structural authorizations.

Regards

Morten Nielsen

Re: Structural Authorizations

Former Member — Thu, 07 Dec 2006 18:54:39 GMT

Thanks Morten,

I have been following the steps from Norm&Carls Big Document about Structural Auth.Im doing a test on it.Created an Org plan by myself and started testing it how it works...came across issues like ..

step 10 in the document

>set up regular security and assign to user id

why do i have to create two roles ,one for employee regular hr transactions and one for manager..and how should i test them if i have to?

plz advice ..

Thanks

Raj

Re: Structural Authorizations

morten_nielsen — Thu, 07 Dec 2006 21:38:15 GMT

Hi Raj

I now Norm&Carls Document - it's quite good - but keep in mind it's a couple of years old, (e.g. you should use the new PD Transactions like PPOME or PPOMW instead of the old ones etc..)

Regarding the two roles:

Structural authorization can't "live" alone - they are dealing with "Which" object - Person, Org units, positions etc, where the "regular" authorization are build around getting access to infotypes, transactions, report etc. This means that the user always will require a role granting access to the needed transactions, infotypes etc. The structural profiles are then used to limit/specify for which object this access should be granted.

I'm not entirely sure if this covers your question ? or perhaps, if I remember the document correctly, they suggest that you create a dummy structural profile for all employees, in order to avoid giving full access to users without a structural profile? This isn't necessary.

Structural profiles does not work the same way as ordinary profiles. If a user doesn't have a profile in transaction OOSB, the user will get the access granted to the user SAP* - just delete this entry in order to make sure that everybody without a profile get's full access.

I hope it helped - otherwise feel free to come back again

Regards

Morten Nielsen

Re: Structural Authorizations

Former Member — Thu, 07 Dec 2006 22:27:57 GMT

Thanks again Morten,

So,if i delete the sap* entry ,eveybody without a profile gets full access and thereon by implementing structural auths,we can limit access..rite.kool.

I have couple of questions more..like

1.When i created an org.plan the next time i have to get in is in the change mode?

2.Can I create multiple org.plans? within the same client?(Dont mind me if the question itself is wrong)

3.Inspite of having SAP_ALL and SAP_NEW i get no authorization when i try to run Transaction ppom_old..i came to know that the object has to be * in the structural profile ALL and i set it to * it worked couple of days ago but i still have the same problem..plz advice

Raj

Re: Structural Authorizations

morten_nielsen — Fri, 08 Dec 2006 08:23:58 GMT

Hi Raj

First off all - if you delete the SAP* everybody, without a profile will gain access to your HR objects. If a user isn't in OOSB he will get the access rights of the SAP* user, if SAP* is deleted then he wont have any access.

1.When i created an org.plan the next time i have to get in is in the change mode?

Yes, when it's create use PPOME (Or PPOMW) to maintain ite

2.Can I create multiple org.plans? within the same client?(

From a technical point of view - No Problem. From a business point of view I often find it more suitable only to have one - But that's of course a question of your scenario.

3.Inspite of having SAP_ALL and SAP_NEW i get no authorization when i try to run Transaction ppom_old..i came to know that the object has to be * in the structural profile ALL and i set it to * it worked couple of days ago but i still have the same problem

With a SAP_ALL you shouldn't be facing any authorization issues, not even with you newly created structural authorization (SAP_ALL has P_ABAP * included - this deactivates the structural profiles) try to do a SU53 after calling the transaction - or try to use PPOME instead of PPOM_OLD (it's an outdated transaction)

Regards

Morten Nielsen

Re: Structural Authorizations

Former Member — Mon, 11 Dec 2006 14:39:53 GMT

Thanks Morten I awarded the points too.

Re: Structural Authorizations

Former Member — Mon, 18 Jun 2007 08:12:40 GMT

I reposted my question in a new thread 'Structural Authorizations and Organizational changes'.

Thnx for replies in advance.

Anja

Message was edited by:

Anja Geenen

Re: Structural Authorizations

Former Member — Fri, 17 Jul 2009 07:28:53 GMT

This message was moderated.