HR General Authorization Concept

 


There are two ways to set up HR Security – HR 
General Authorizations and HR Structural Authorizations.


HR Structural Authorizations are position based and are used to restrict access to organizational objects like jobs, tasks, organizational units, person, position etc.


Here we will be discussing about HR General Authorization concepts.


HR General Authorizations are role based. Roles are created using PFCG tcode with necessary authorizations so that users can perform their tasks.

Roles are generated to provide the necessary authorizations. We have already discussed about role and authorization concept in our R/3 Security related topics. Please refer to them for more details.

We know that authorization objects are one of the most important elements as far as sap authorization concepts are concerned. Below is a list of some of the most important authorization objects used in HR Security:

 


Important HR Security Authorization Objects

Sl No.

Authorization Object

Description

1

 P_APPL

 HR: Applicants

2

 P_PCLX

 HR: Clusters

3

 P_PCR

 HR: Payroll Control Record

4

 P_ABAP

 HR: Reporting

5

 P_ORGIN

 HR: Master Data

6

 P_PERNR

 HR: Master Data – Personnel Number Check

7

 P_ORGXX

 HR: Master Data – Extended Check

8

 P_TCODE

 HR Transaction Code

9

 PLOG

 Personnel Planning

10

 P_NNNNN

 Customer-Specific Authorization Object

11

 P_ORGINCON

 HR: Master Data with Context

12

 P_ORGXXCON

 HR: Extended Check with Context

13

 P_NNNNNCON

 HR Master Data: Customer-Specific Authorization Object with Context

 

 

 


Before we move ahead with the HR General Authorization checks and authorization objects, lets have a look at the various HR data types which are important for understanding HR Security concepts:



  • Personnel Administration (PA) DataThis data is related to the various features of employees and applicants of an organization. By applicants we mean those who apply for jobs via job application (i.e. people who intend to be on the payroll of an organization). Both employee and applicant data is stored in PA infotype. We have already discussed about the infotype range for PA infotypes and OM infotypes in our HR Infotype Section. Authorization objects P_ORGIN(CON), P_ORGXX(CON) and P_PERNR are used to restrict access to PA data for employees. Authorization object P_APPL is used to restrict access to data for applicants. We will have a detailed discussion on these authorization objects in coming topics.


  • Personnel Planning (PP) DataPersonnel Planning is also referred to as Organizational Management (OM).  The information for this data type is related Organizational data like position, job, task, person etc. The data is stored in tables of the form HRPXXXX where XXXX stands for infotypes. Similarly, the data for Personnel Administration – employees and applicants are stored in PAXXXX and PBXXXX tables respectively where XXXX stands for infotypes. Authorization object PLOG is used to restrict access to PP data.
  • Time Evaluation and Payroll Results dataThese data are stored in cluster tables. Cluster tables are of the form PCL1, PCL2 etc. Access to these data is restricted via authorization object P_PCLX.


In our earlier section on R/3 Security we discussed about the check indicator value
Do Not Check” in our discussion section related to SU24 concepts. Certain authorization objects “apart” from BASIS and HR could be set to “Do Not Check” so as to skip the authority-check for these authorization objects. Since SU24 could not be used for skipping check for HR objects, we have an option in HR Security to selectively switch off check for certain HR Authorization objects. This can be done via tcode OOAC. The “authorization switch” for HR Authorization objects can also be switched off via table T77S0 as shown in the figure below:

 




We will discuss more about the concept of HR General Authorization in the coming topics.

 

 

Next – HR Authorization Fields