HR Authorization Objects for Security


7/30/2019 HR Authorization Objects for Security

Main HR Authorization Objects for Security

Some of the main HR authorization objects are:

Object: PLOG Personnel Planning

Fields:
  PLVAR    Plan Version
  OTYPE    Object Type
  INFOTYP  Infotype
  SUBTYP   Subtype
  ISTAT    Planning Status
  PPFCODE  Function Code

Definition:

This object is used by the authorization check for PD data.

Field Details:

PLVAR - Plan version: This field defines which plan version(s) the user may access.

OTYPE - Object type: This field defines which object types the user may access.

INFOTYP - Infotype: This field defines which infotypes (that is, attributes) of an object the user may generally access.

SUBTYP - Subtype: This field determines which subtypes the user may access for the given infotypes. Relationships are special subtypes of infotype 1001, so the relationships for which a user is to have access authorization can also be restricted in this field.

ISTAT_D - Planning status: This field determines in which planning status the user may access information.

OKCODE - Function code: This field defines for which types of information processing (Display, Change, ...) the user is authorized. The possible values are defined in table T77FC. This protection against unauthorized access is extended by the structural authorization check. Two types of function codes are distinguished in HR management: by marking the processing method Maintenance in table T77FC, the function codes are indicated with which objects may be maintained within the structure; otherwise only Display is allowed. The function code takes effect in connection with the structural authorization. In table T77PR, the authorization profiles that are to have maintenance authorization for the structure can be indicated. Without this authorization, you can only display structures. Consequently, the overall authorization is the intersection of the basis authorization and the structural authorization.

Object: P_ABAP HR: Reporting

Fields:
  REPID  ABAP Program Name
  COARS  Degree of simplification for authorization check

Definition:

The authorization object HR: Reporting (P_ABAP) is used in several ways:

1. HR reporting: reports that use the logical database PNP.
2. Report RPUAUD00, Logged changes in infotype data.
3. Processing person-related data using payment medium programs from Accounting.

Regarding 1: You can use the relevant authorization for this object to control how the objects HR: Master data (P_ORGIN), HR: Master data - extended check (P_ORGXX) and the structural authorization check are used in specified reports to check the authorization for HR infotypes. In this way you can fine-tune the infotype authorization check for individual reports. This can be useful for functional reasons or to improve the runtime performance of the corresponding reports.

For this object, specify the report name(s) and the degree of simplification to be used for the authorization check.

Note:

Note that this object differs from the object ABAP: Program run checks (S_PROGRAM). The latter is used for general program authorization checks. In HR reports, these checks are carried out in addition to the HR infotype authorization check. HR: Reporting, however, overrides the HR infotype authorization check for selected reports, with the result that the authorization checks are weakened or completely switched off.

Examples:

In your company, the authorization for infotypes is, for example, independent of the authorization for specific organizational units (one administrator may be authorized to access address, personal and education data only for personnel area 0101, but not address data in personnel area 0101 and personal data in personnel area 0102). If you enter 1 in the Degree of simplification field, these facts are taken into account in the specified report and the check is carried out more quickly for a user with this authorization. If certain HR reports are not critical (telephone lists etc.) and authorization protection is not required, enter the report name and * in the Degree of simplification field. The system then only checks whether the person starting the report is authorized to do so (object ABAP/4: Program run checks), but performs no other checks (object HR: Master data).

In your company, one user may have access to all HR infotype data. For this user, enter * in both the Report name and the Degree of simplification fields. The system then only checks whether this user is authorized to start the report in question, but not whether he/she is authorized to display the requested HR infotype data.

A time administrator is to carry out time evaluations (report HR: Time - Time evaluation (RPTIME00)) for employees with the organizational key 0001TIMEXXX. For certain additional information that is needed internally (the program user either cannot see this, or can only partially see it), the Basic pay infotype (0008) must be imported into time evaluation, for example. To carry out time evaluation, the administrator must therefore have display authorization for the Basic pay infotype (0008). If the administrator is not to have general display authorization for this infotype, the read authorization for the Basic pay infotype can be restricted to individuals with the organizational key 0001TIMEXXX for the report HR: Time - Time evaluation (RPTIME00). For this, use the following authorizations:

Object HR: Master data (P_ORGIN) (two authorizations)

  Field                 Authorization 1   Authorization 2
  Infotype              0008              ' '
  Subtype               *                 ' '
  Authorization level   R                 ' '
  Organizational key    ' '               0001TIMEXXX

Object HR: Reporting (P_ABAP)

  Report name               RPTIME00
  Degree of simplification  1

In this way, a simplified infotype authorization check is carried out in conjunction with the report HR: Time - Time evaluation (RPTIME00): the infotype, subtype and authorization level are checked, and then, independently, the organizational assignment (in the example, the Organizational key field), according to degree of simplification 1. In report HR: Time - Time evaluation (RPTIME00), the infotype Basic pay (0008) can therefore be read. If the check is not in conjunction with the report HR: Time - Time evaluation (RPTIME00), however, all fields of the object HR: Master data (P_ORGIN) are checked together, and then there is no read access to the Basic pay infotype (0008).

Regarding 2: Evaluations of the logged changes in infotype data are subject to infotype authorization checks. However, someone who starts such an evaluation usually has extensive authorizations. In this case, to ensure better performance, it is useful to do without the check of the individual data and instead grant the user global authorization for logging evaluations using the report Logged changes in infotype data (RPUAUD00). For this, use an authorization for the object with the value RPUAUD00 in the Report name field and the value 2 in the Degree of simplification field.

Regarding 3: The payment medium program of Accounting processes, in particular, confidential personal data. In addition to the check of whether the user is authorized to start the program, a check of whether the corresponding authorization exists for this object is also carried out, as an additional security measure: the name of the payment medium program must be entered in the Program name field, and the value 2 (or *) in the Degree of simplification field.

Field Details:

  REPID  Report name
  COARS  Degree of simplification
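The RPTIME00 example above is easiest to see in code. The following Python model is an added illustration, not SAP code and not part of the original document: it models the P_ORGIN infotype check and the effect of the P_ABAP degree of simplification (COARS) as the text describes them. Its matching rules are assumptions ('*' matches everything, a blank value matches nothing, anything else must match exactly), the split of P_ORGIN fields into an infotype group and an organizational-assignment group is an assumption based on the text, the PERSA/PERSG/PERSK values and the report name ZHR_OTHER_REPORT are constructed, and the S_PROGRAM start check is not modelled.

```python
"""Model of the HR infotype authorization check (object P_ORGIN) and of how the
P_ABAP degree of simplification (COARS) changes it, following the page's RPTIME00
example.  Added illustration, not SAP code: the matching rules are assumptions
('*' matches everything, a blank value matches nothing, other values must match
exactly), and the COARS semantics are taken from the page's description."""

from dataclasses import dataclass

# P_ORGIN fields, split into the two groups that degree of simplification 1
# checks independently of each other (assumption based on the page's wording).
INFOTYPE_FIELDS = ("INFTY", "SUBTY", "AUTHC")
ORG_FIELDS = ("PERSA", "PERSG", "PERSK", "VDSK1")
ALL_FIELDS = INFOTYPE_FIELDS + ORG_FIELDS


@dataclass(frozen=True)
class Request:
    """One infotype access that a report wants to perform for one person."""
    repid: str    # report that performs the access
    values: dict  # P_ORGIN field name -> requested value, e.g. {"INFTY": "0008", ...}


def field_ok(auth_value: str, requested: str) -> bool:
    """'*' grants everything, a blank value grants nothing, else exact match."""
    return auth_value == "*" or (auth_value.strip() != "" and auth_value == requested)


def any_auth_covers(p_orgin: list, request: Request, fields: tuple) -> bool:
    """True if one single P_ORGIN authorization satisfies every field in `fields`."""
    return any(all(field_ok(auth.get(f, " "), request.values[f]) for f in fields)
               for auth in p_orgin)


def degree_of_simplification(p_abap: list, repid: str):
    """COARS from the user's P_ABAP authorizations for this report, else None.
    A report name of '*' in P_ABAP applies to every report."""
    for auth in p_abap:
        if auth["REPID"] in ("*", repid):
            return auth["COARS"]
    return None


def check_infotype_access(p_orgin: list, p_abap: list, request: Request):
    """Return (granted, reason) for the infotype check inside an HR report."""
    coars = degree_of_simplification(p_abap, request.repid)
    if coars in ("2", "*"):
        # P_ABAP switches the infotype check off for this report; only the
        # program start check (S_PROGRAM, not modelled here) remains.
        return True, f"COARS={coars}: infotype check skipped for {request.repid}"
    if coars == "1":
        # Simplified check: the infotype fields and the organizational
        # assignment may be satisfied by two different authorizations.
        it = any_auth_covers(p_orgin, request, INFOTYPE_FIELDS)
        org = any_auth_covers(p_orgin, request, ORG_FIELDS)
        return it and org, f"COARS=1: infotype fields {it}, org assignment {org}"
    # Full check: all fields must be satisfied by one and the same authorization.
    full = any_auth_covers(p_orgin, request, ALL_FIELDS)
    return full, f"full check: one authorization covers all fields: {full}"


# Constructed from the page's example: the time administrator's two P_ORGIN
# authorizations.  PERSA/PERSG/PERSK are not shown on the page and are set to
# '*' here so that only the organizational key restricts the second one.
TIME_ADMIN_P_ORGIN = [
    {"INFTY": "0008", "SUBTY": "*", "AUTHC": "R",
     "PERSA": "*", "PERSG": "*", "PERSK": "*", "VDSK1": " "},
    {"INFTY": " ", "SUBTY": " ", "AUTHC": " ",
     "PERSA": "*", "PERSG": "*", "PERSK": "*", "VDSK1": "0001TIMEXXX"},
]
TIME_ADMIN_P_ABAP = [{"REPID": "RPTIME00", "COARS": "1"}]

# Constructed request: read Basic pay (0008) for a person with the time
# administrator's organizational key (the other values are made up).
BASIC_PAY_READ = {"INFTY": "0008", "SUBTY": "0", "AUTHC": "R",
                  "PERSA": "1000", "PERSG": "1", "PERSK": "DU",
                  "VDSK1": "0001TIMEXXX"}


def demo() -> dict:
    """Same person, same data: inside RPTIME00 the simplified check grants the
    read; from any other report (name constructed) the full check denies it."""
    return {repid: check_infotype_access(TIME_ADMIN_P_ORGIN, TIME_ADMIN_P_ABAP,
                                         Request(repid, BASIC_PAY_READ))
            for repid in ("RPTIME00", "ZHR_OTHER_REPORT")}


if __name__ == "__main__":
    for repid, (granted, reason) in demo().items():
        print(f"{repid:18} granted={granted}  ({reason})")
```

Running the block shows the two outcomes the text describes: with the same two P_ORGIN authorizations, the read of infotype 0008 for a 0001TIMEXXX employee is denied under the full check (neither authorization alone covers all fields) and granted inside RPTIME00 under degree of simplification 1, while a P_ABAP entry with degree 2 or * skips the infotype check entirely. The same model also shows that under degree 1 the organizational assignment is still enforced, so a person with a different organizational key is still denied. This is why a review of who holds P_ABAP authorizations, and with which report names and COARS values, belongs in any HR authorization audit.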

Object: P_APPL HR: Applicants

Fields:
  INFTY  Infotype
  SUBTY  Subtype
  AUTHC  Authorization level
  PERSA  Personnel Area
  APGRP  Applicant group
  APTYP  Applicant range
  VDSK1  Organizational Key
  RESRF  Personnel officer responsible for application

Definition:

This object is used for the applicant data authorization check. The check is carried out when applicant infotypes are edited or read. When a transaction for editing applicant data is accessed, the system first checks whether the user has the minimum authorization. Depending on the transaction, this may be write authorization or read authorization (AUTHC_D authorization level = '*' or R). If the user has the minimum authorization, a further and more detailed authorization check is carried out within the transaction itself.

Field Details:

  INFTY    Infotype
  SUBTY    Subtype
  AUTHC_D  Authorization level
  PERSA    Personnel area
  APGRP    Applicant group
  APTYP    Applicant range
  VDSK1    Organizational key
  RESRF    Personnel officer responsible for applicant

Object: P_ORGIN HR: Master Data

Fields:
  INFTY  Infotype
  SUBTY  Subtype
  AUTHC  Authorization level
  PERSA  Personnel Area
  PERSG  Employee Group
  PERSK  Employee Subgroup
  VDSK1  Organizational Key

Definition:

The object HR: Master data (P_ORGIN) is used for authorization checks on personal data. Checks are performed only when HR infotypes are edited or read.

When you call a transaction for editing personal data, the system checks that you have at least one read authorization (AUTHC_D authorization level R). If you do, a more specific authorization check is carried out within the transaction. In HR reports that use the

  PERSG  Employee group
  PERSK  Employee subgroup
  VDSK1  Organizational key

Object: P_ORGXX HR: Master Data - Extended Check

Fields:
  INFTY  Infotype
  SUBTY  Subtype
  AUTHC  Authorization level
  SACHA  Payroll Administrator
  SACHP  Administrator for HR Master Data
  SACHZ  Administrator for Time Recording
  SBMOD  Administrator Group

Definition:

The object HR: Master data - Extended check (P_ORGXX) can be used to check authorization for personal data (HR infotypes). This check is not active in the standard system. The program switch HR: Master data - Extended check (ORGXX) can be used to add this check to the standard system or to set it as an alternative to HR: Master data (P_ORGIN). The main switch settings can be maintained using transaction HR: Authorization switch (OOAC).

Field Details:

Administrator for the person being processed (stored in the Organizational Assignment infotype):

  SACHA  Payroll administrator
  SACHZ  Time data administrator
  SACHP  HR master data administrator
  SBMOD  Administrator group

View of data:

  INFTY    Infotype
  SUBTY    Subtype
  AUTHC_D  Authorization level (write, read, write with lock indicator, unlock)

Object: P_PCLX HR: Clusters

Fields:
  RELID  Area identifier for cluster in tables PCLx
  AUTHC  Authorization level

Definition:

This object is used in the authorization check when accessing HR files in PCLx (x = 1, 2, 3, 4) using the PCLx buffer (an interface supported by HR).

Field Details:

Cluster ID: enter the cluster name in this field.

Authorization level: in this field you must specify the operation to be carried out on the cluster with the cluster ID specified above. The values which can be entered here are R (read), U (update database) and S (export data to the PCLx buffer without database update).