Structural Authorizations & non-HR modules

Former Member

Gurus,

We have an existing R/3 system running HR with Structural Authorizations (SA) implemented. The structural authorizations are assigned to managers and used for reporting, e.g. a manager can only see their reports' vacation balances, time approvals, etc. We are now rolling out PS, SD, MM, PP, etc. and are finding areas where at least PS and SD are affected. For example, a user with a structural authorization is not able to assign a user outside of their reporting structure to a sales document or a project. Is there a (simple) way to support both without having to reengineer SAs or go to context-sensitive SAs? It would be nice if we could exclude non-HR functions from the SAs.

Below is the existing management structural authorization profile.

Does anyone have any ideas?

Thanks in advance.

Auth Profile  No.  Plan  Obj  Maint  Eval Path  Status Vec  Period  Function Mod
Z_MANAGER     1    01    O           ZSBESX     12          D       RH_GET_MANAGER_ASSIGNMENT
Z_MANAGER     2    01    C
Z_MANAGER     3    01    NA
Z_MANAGER     4    01    NB
Z_MANAGER     5    01    NC
Z_MANAGER     6    01    ND
Z_MANAGER     7    01    NE
Z_MANAGER     8    01    VA
Z_MANAGER     9    01    VC
Z_MANAGER     10   01    VE
Z_MANAGER     11   01    VB

1 ACCEPTED SOLUTION
Former Member

When we implemented payroll and travel we implemented structural authorizations and had a similar problem. We used BAdI HRBAS00_STRUAUTH to deactivate structural authorizations for specific users of specific transactions. We created a custom Z table which had the user ID and transaction code that should be deactivated. The logic in the BAdI searched that table for the user's login ID (SY-UNAME) and current transaction code (SY-TCODE). If an entry was found, structural authorizations were deactivated. The code for deactivating the authorization was provided by SAP. Further documentation can be found at

http://help.sap.com/saphelp_46c/helpdata/en/69/a6c3a635e1d311ba4d0800060d888b/frameset.htm
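
Added example, not part of the original answer and not SAP's or the poster's code: a Python review script for a CSV export of the kind of user/transaction exemption table described above. It rejects blank and wildcard rows, and `sa_deactivated` models the exact-match lookup on SY-UNAME and SY-TCODE, keeping structural authorizations active when either value is blank. The column names UNAME and TCODE, the sample rows and the function names are assumptions.

```python
import csv
import io

# Constructed sample export of the custom exemption table. The column
# names UNAME and TCODE are assumptions; the rows are not from the thread.
SAMPLE_EXPORT = """UNAME,TCODE
JSMITH,VA01
jsmith,CJ20N
*,VA02
MBROWN,
KLEE,VA*
"""

# Pattern characters that would turn one row into a broad exemption.
WILDCARDS = set("*%+")


def load_exemptions(text):
    """Return (valid_pairs, findings) for a CSV export of the table."""
    valid, findings = set(), []
    reader = csv.DictReader(io.StringIO(text))
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        user = (row.get("UNAME") or "").strip().upper()
        tcode = (row.get("TCODE") or "").strip().upper()
        if not user or not tcode:
            findings.append((lineno, "blank user or transaction code"))
        elif WILDCARDS & set(user + tcode):
            findings.append((lineno, "wildcard would widen the exemption"))
        elif (user, tcode) in valid:
            findings.append((lineno, "duplicate entry"))
        else:
            valid.add((user, tcode))
    return valid, findings


def sa_deactivated(valid, sy_uname, sy_tcode):
    """Model of the described lookup: exact match on user and transaction.

    A blank user or transaction code never matches, so structural
    authorizations stay active when the context is unknown (fail closed).
    """
    user, tcode = sy_uname.strip().upper(), sy_tcode.strip().upper()
    if not user or not tcode:
        return False
    return (user, tcode) in valid


if __name__ == "__main__":
    pairs, problems = load_exemptions(SAMPLE_EXPORT)
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
```
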

4 REPLIES

McF
Product and Topic Expert

Hi Greg,

SA sets up the access on the org. management. This framework is used in several areas like CRM, SRM, etc. So if you assigned a user via this framework to another object, this also has to go through the structural authorization check.

And of course this should be the case, as the access should be consistent throughout the system. Maybe you can include the objects in "non-HR-modules" with wildcards, but that heavily depends on the scenario.

Also there are a bunch of BAdIs you can use to trick and tweak, like HRBAS00_STRUAUTH.

Best regards,

Michael

PS: If you do not know the documentation: http://service.sap.com/erp-hcm

On the left side follow:

Services for mySAP ERP HCM -> Special Documentation

Former Member

Thank you all for your input. The BAdI suggestion should work nicely for us.

Thanks,

Greg

Former Member

We are considering implementing Structural Authorizations (SA) in conjunction with SAP’s Travel Management component. The intent is to use SA to control access to viewing and approving employee travel expenses. I would really appreciate any input on the following:

Does SA in fact actually work with Travel Management? I know from personal experience that SA can limit, for example, which employees a manager can see. But will it also limit which Travel Management trips (i.e., just the trips of the people who report to them) a manager could see?

I had read that the tolerance time authorization check (ADAYS) does not work with SA. So that, even though ADAYS is set to 15, when a manager moves from one org unit to another, the effect is immediate and they can no longer view info for the prior unit's employees. Is this still the case or is there a way to make it work?

TIA