There are two ways to set up HR Security – HR General Authorizations and HR Structural Authorizations.
HR Structural Authorizations are position based and are used to restrict access to organizational objects like jobs, tasks, organizational units, person, position etc.
Here we will be discussing about HR General Authorization concepts.
HR General Authorizations are role based. Roles are created using PFCG tcode with necessary authorizations so that users can perform their tasks.
Roles are generated to provide the necessary authorizations. We have already discussed about role and authorization concept in our R/3 Security related topics. Please refer to them for more details.
We know that authorization objects are one of the most important elements as far as sap authorization concepts are concerned. Below is a list of some of the most important authorization objects used in HR Security:
Important HR Security Authorization Objects
Sl No. |
Authorization Object |
Description |
|---|---|---|
1 |
P_APPL |
HR: Applicants |
2 |
P_PCLX |
HR: Clusters |
3 |
P_PCR |
HR: Payroll Control Record |
4 |
P_ABAP |
HR: Reporting |
5 |
P_ORGIN |
HR: Master Data |
6 |
P_PERNR |
HR: Master Data – Personnel Number Check |
7 |
P_ORGXX |
HR: Master Data – Extended Check |
8 |
P_TCODE |
HR Transaction Code |
9 |
PLOG |
Personnel Planning |
10 |
P_NNNNN |
Customer-Specific Authorization Object |
11 |
P_ORGINCON |
HR: Master Data with Context |
12 |
P_ORGXXCON |
HR: Extended Check with Context |
13 |
P_NNNNNCON |
HR Master Data: Customer-Specific Authorization Object with Context |
|
|
|
|
Before we move ahead with the HR General Authorization checks and authorization objects, lets have a look at the various HR data types which are important for understanding HR Security concepts:
- Personnel Administration (PA) Data – This data is related to the various features of employees and applicants of an organization. By applicants we mean those who apply for jobs via job application (i.e. people who intend to be on the payroll of an organization). Both employee and applicant data is stored in PA infotype. We have already discussed about the infotype range for PA infotypes and OM infotypes in our HR Infotype Section. Authorization objects P_ORGIN(CON), P_ORGXX(CON) and P_PERNR are used to restrict access to PA data for employees. Authorization object P_APPL is used to restrict access to data for applicants. We will have a detailed discussion on these authorization objects in coming topics.
- Personnel Planning (PP) Data – Personnel Planning is also referred to as Organizational Management (OM). The information for this data type is related Organizational data like position, job, task, person etc. The data is stored in tables of the form HRPXXXX where XXXX stands for infotypes. Similarly, the data for Personnel Administration – employees and applicants are stored in PAXXXX and PBXXXX tables respectively where XXXX stands for infotypes. Authorization object PLOG is used to restrict access to PP data.
- Time Evaluation and Payroll Results data – These data are stored in cluster tables. Cluster tables are of the form PCL1, PCL2 etc. Access to these data is restricted via authorization object P_PCLX.
In our earlier section on R/3 Security we discussed about the check indicator value “Do Not Check” in our discussion section related to SU24 concepts. Certain authorization objects “apart” from BASIS and HR could be set to “Do Not Check” so as to skip the authority-check for these authorization objects. Since SU24 could not be used for skipping check for HR objects, we have an option in HR Security to selectively switch off check for certain HR Authorization objects. This can be done via tcode OOAC. The “authorization switch” for HR Authorization objects can also be switched off via table T77S0 as shown in the figure below:
We will discuss more about the concept of HR General Authorization in the coming topics.
Next – HR Authorization Fields