Authorizations

 

Talent Management uses the following authorization concepts:

  • SAP NetWeaver authorization concept that is based on assigning authorizations to users based on roles

    For this purpose, the roles mentioned under Standard Roles are available as a template. You can copy the standard roles to the customer namespace and adjust them to suit your requirements. You use the profile generator (transaction PFCG) to maintain roles.

    For more information, see the Authorizations section of the SAP ECC Security Guide.

  • HR-specific concept for the structural authorization check

    For this purpose, the authorization profiles mentioned under Standard Roles are available as a template. You can use the authorization profiles as an example for creating your own authorization profiles and then assign these profiles to the relevant users.

    For more information about the authorization profiles, see Customizing for Talent Management and Talent Development and choose Basic Settings → Authorizations in Talent Management → Define Structural Authorizations.

    For more information about the structural authorization check, see Structural Authorization Check (see SAP Library for SAP ERP and choose SAP ERP Central Component → Human Resources → HR Tools → Authorizations for Human Resources).

Role and Authorization Concept for Talent Management

Standard Roles

The table below shows the standard roles and structural authorization profiles that can be used for Talent Management.

Standard Roles and Structural Authorization Profiles

| Role | Description | Structural Authorization Profile |
|---|---|---|
| SAP_SR_TMC_TMS_6 | Authorizations for talent management specialists and talent management superusers (see Talent Management Specialist) | Talent Management Specialist: TMS_PROFILE; Talent Management Superuser: TMS_ALL |
| SAP_SR_TMC_MANAGER_6 | Authorizations for managers with regard to Talent Management activities (see Manager in Talent Management) | TMS_MAN_PROF |
| SAP_SR_TMC_EMPLOYEE_6 | Authorizations for employees with regard to Talent Management activities (see Employee in Talent Management) | None |

For the documentation for the standard roles, see SAP Library for SAP ERP and choose SAP ERP Central Component → Human Resources → Talent Management → Talent Management and Talent Development → Roles in Talent Management → Single Roles in Talent Management.

The table below shows the roles that we recommend you no longer use.

Roles No Longer Recommended for Use

| Role | Description | Note |
|---|---|---|
| SAP_TMC_TALENT_MANA_SPECIALIST | Authorizations for talent management specialists (see Talent Management Specialist) | This role is obsolete and was replaced by the role SAP_SR_TMC_TMS_6. |
| SAP_TMC_SUPER_TALENT_MANA_SPEC | Authorizations for talent management superusers (see Talent Management Superuser) | This role is obsolete and was replaced by the role SAP_SR_TMC_TMS_6. |
| SAP_TMC_MANAGER | Authorizations for managers with regard to Talent Management activities (see Manager in Talent Management) | We recommend that you use the role SAP_SR_TMC_MANAGER_6 instead of this role. |
| SAP_TMC_EMPLOYEE | Authorizations for employees with regard to Talent Management activities (see Employee in Talent Management) | This role is obsolete and was replaced by the role SAP_SR_TMC_EMPLOYEE_6. |

Standard Authorization Objects

The table below shows the security-relevant authorization objects that are used by Talent Management.

Standard Authorization Objects

| Authorization Object | Description | More Information |
|---|---|---|
| B_BUPA_RLT | Authorizations for business partner roles | Security Guide for SAP NetWeaver Application Server ABAP under SAP Business Partner Security |
| CA_POWL | Authorizations for the personal object worklist (POWL) | SAP Library for SAP ERP under SAP ERP Central Component → Cross-Application Functions in SAP ERP → Cross-Application Components → Personal Worklist, in the section Assign Authorizations (Standard POWL) |
| S_RFC | Authorization check upon RFC access | SAP NetWeaver Security Guide for Remote Function Call (RFC) and Internet Communication Framework (ICF) under Authorization Object S_RFC |
| S_WFAR_OBJ | ArchiveLink: Authorizations for accessing documents | SAP NetWeaver Library under SAP NetWeaver by Key Capability → Application Platform by Key Capability → ArchiveLink, in the section Authorizations |
| PLOG | Authorization object that checks the authorization for certain fields of Personnel Planning components (Organizational Management, Personnel Development, Training and Event Management, and so on) | SAP Library for SAP ERP under PLOG (Personnel Planning) |
| P_HAP_DOC | Authorization object that controls a user's access to appraisal templates | SAP Library for SAP ERP under P_HAP_DOC (Appraisal Systems: Appraisal) |
| P_ORGIN | Authorization object used to check the authorization for accessing HR infotypes | SAP Library for SAP ERP under P_ORGIN (HR: Master Data) |
| P_TCODE | Authorization object used to check whether a user is authorized to start various HR transactions | SAP Library for SAP ERP under P_TCODE (HR: Transaction Code) |
| P_PERNR | Authorization object used if different authorizations are to be assigned for accessing a user's personnel number | SAP Library for SAP ERP under P_PERNR (HR: Master Data - Personnel Number Check) |

For the documentation for the authorization objects PLOG, P_HAP_DOC, P_ORGIN, P_TCODE, and P_PERNR, see SAP Library for SAP ERP and choose SAP ERP Central Component → Human Resources → HR Tools → Authorizations for Human Resources → Technical Aspects → Authorization Objects.

Critical Combinations

  • Talent Review Meetings

    • All users that have access to the personal object worklist (POWL) for talent review meetings may create talent review meetings.

      Note

      In the standard SAP system, the POWL for talent review meetings is contained in the roles for talent management specialists for SAP NetWeaver Portal and SAP NetWeaver Business Client.

    • Users have display and change authorization for all talent review meetings to which they are assigned as members of the support team. The POWL for talent review meetings provides users with a list of talent review meetings, which they can display and edit.

      Caution

      All members of the support team for a talent review meeting have unrestricted access to all information available within this talent review meeting (for example, to all assigned managers and talents, and their profiles). When this information is accessed, there is no additional authorization check within the talent review meeting.

    • Those users that have display or change authorization for the related infotype record of the Object infotype (1000) also have display or change authorization for a talent review meeting. The infotype record is identified by the RM (Talent Review Meeting) object type and the ID of the talent review meeting. Users that have display authorization for this infotype record can call the talent review meeting in display mode. Users with change authorization for this infotype record can call the talent review meeting in change mode.

  • Talent Search

    • To be able to use the search, a user must be a talent management specialist with an assigned area of responsibility. This means that there must be a relationship 741 (Is Responsible For/Is in Area of Responsibility Of) between the user's central person (object type CP) and at least one organizational unit (object type O).

    • In Customizing, for the search fields that you want to use as search criteria, enter the infotype and the object type, if required, to define which authorization object is used for the authorization check. These settings specify whether this field is available to a user for selection in the search template and in the search results.

      Example

      The user wants to use the talent group as a search criterion and search for all talents that are assigned to a particular talent group. Therefore, the system checks whether the user has display authorization for relationship 743 (Has Talent For/Comprises Talent) between the object types CP (Central Person) and TB (Talent Group). To do so, it checks the authorization for the corresponding subtype of the infotype Relationships (1001).

      For more information, see Customizing for Talent Management and Talent Development and choose Basic Settings → Search → Define Search Requests and Search Field Names.

    • In the search results, the system displays only the objects for which the user has authorization through the authorization object PLOG as well as the corresponding structural authorization. For the object type CP, the system also checks whether the user has display authorization for the infotype Organizational Assignment (0001).

      Note

      If more than one person (object type P) is assigned to a central person (CP) (for example, employees in concurrent employment), it is sufficient for the talent search if the user has display authorization for one of these persons.

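The talent search result rule and the support-team caution above, combined in one added example (a simplified Python model for access reviews, not SAP code and not part of the original documentation): it lists the talents a support-team member can reach through a talent review meeting although the search result rule would hide them. All users, object IDs, the meeting, and the reduction of PLOG, structural and infotype 0001 authorizations to plain sets are assumptions; relationship 741 is not modeled.

```python
# Added example: simplified model, not SAP code. All users and IDs are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    plog_otypes: frozenset     # object types with PLOG display authorization
    structural: frozenset      # objects inside the structural authorization profile
    it0001_persons: frozenset  # persons (P) with display authorization for infotype 0001

# Central person -> assigned persons (more than one under concurrent employment).
CP_PERSONS = {
    "CP 50001": ["P 1001"],
    "CP 50002": ["P 1002", "P 1003"],  # concurrent employment
    "CP 50003": ["P 1004"],
}

def search_visible(user, cp):
    """Search result rule: PLOG plus structural authorization, and for CP display
    authorization for infotype 0001 on at least one assigned person."""
    if "CP" not in user.plog_otypes or cp not in user.structural:
        return False
    return any(p in user.it0001_persons for p in CP_PERSONS.get(cp, []))

def support_team_exposure(meeting, users):
    """Talents a support-team member reaches through the meeting only: inside
    the meeting there is no further authorization check."""
    report = {}
    for name in meeting["support_team"]:
        hidden = sorted(cp for cp in meeting["talents"]
                        if not search_visible(users[name], cp))
        if hidden:
            report[name] = hidden
    return report

USERS = {u.name: u for u in [
    User("TMS_NORTH", frozenset({"CP", "O"}),
         frozenset({"CP 50001", "CP 50002"}), frozenset({"P 1001", "P 1003"})),
    User("TMS_SOUTH", frozenset({"CP", "O"}),
         frozenset({"CP 50003"}), frozenset({"P 1004"})),
]}
MEETING = {"id": "RM 70000001", "support_team": ["TMS_NORTH", "TMS_SOUTH"],
           "talents": ["CP 50001", "CP 50002", "CP 50003"]}

if __name__ == "__main__":
    for member, talents in support_team_exposure(MEETING, USERS).items():
        print(f"{member}: reachable via {MEETING['id']} only -> {', '.join(talents)}")
```

A non-empty report for a meeting is the cue to review its support team before sensitive talents are added to it.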
Additional Functions

You can deactivate specific authorization checks that are performed in the standard SAP system when assigning employees (object type CP (Central Person)) to positions, job families, and talent groups. In the standard SAP system, when such relationships are created, the system checks whether the user (in this case, the talent management specialist) has the following authorizations:

  • For assigning employees to positions:

    Authorizations for

    • Employee (object type CP)

    • Position (object type S)

    • Relationship 740 (Is Successor Of)

  • For assigning employees to job families:

    Authorizations for

    • Employee (object type CP)

    • Job family (object type JF)

    • Relationship 744 (Has Potential For)

  • For assigning employees to talent groups:

    Authorizations for

    • Employee (object type CP)

    • Talent group (object type TB)

    • Relationship 743 (Has Talent For)

So that a talent management specialist is also able to create these relationships for employees (object type CP) for which he or she does not usually have change authorization (because of his or her structural authorization profile), the authorization check can be deactivated for employees for the respective employee assignment. The talent management specialist then only needs the change authorization for the object (of the object type Position, Job Family, or Talent Group) to which he or she wants to assign the employee, and for the relationship.

For more information, see Customizing for Talent Management and Talent Development and choose Basic Settings → Authorizations in Talent Management → Deactivate Authorization Check When Assigning Employees.
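An added what-if sketch of the assignment check described above (a simplified Python model, not SAP code and not part of the original documentation): it evaluates the three standard checks per assignment type and reports which assignments succeed only because the employee check is deactivated. The specialist record, object IDs and the representation of the Customizing setting as a set of assignment types are constructed for illustration.

```python
# Added example: simplified model, not SAP code. User and object IDs are constructed.

# Assignment type -> (target object type, relationship), as listed above.
ASSIGNMENTS = {
    "position": ("S", "740"),       # Is Successor Of
    "job_family": ("JF", "744"),    # Has Potential For
    "talent_group": ("TB", "743"),  # Has Talent For
}

def may_assign(user, kind, employee, target, employee_check_off=frozenset()):
    """Return (allowed, missing authorizations) for assigning employee to target."""
    otype, relat = ASSIGNMENTS[kind]
    if not target.startswith(otype + " "):
        raise ValueError(f"{kind} assignment needs a target of object type {otype}")
    missing = []
    # Standard system: change authorization for the employee (CP) is required,
    # unless the check is deactivated for this assignment type.
    if kind not in employee_check_off and employee not in user["change_objects"]:
        missing.append(employee)
    if target not in user["change_objects"]:
        missing.append(target)
    if relat not in user["change_relationships"]:
        missing.append("relationship " + relat)
    return (not missing, missing)

def newly_allowed(user, requests, employee_check_off):
    """Requests that succeed only because the employee check is deactivated."""
    return [r for r in requests
            if not may_assign(user, *r)[0]
            and may_assign(user, *r, employee_check_off)[0]]

# Constructed specialist: CP 50001 is inside the structural profile, CP 50009 is not.
SPECIALIST = {
    "change_objects": {"CP 50001", "S 30000010", "TB 60000001"},
    "change_relationships": {"740", "743"},
}
REQUESTS = [
    ("position", "CP 50001", "S 30000010"),
    ("position", "CP 50009", "S 30000010"),
    ("talent_group", "CP 50009", "TB 60000001"),
    ("job_family", "CP 50001", "JF 40000001"),
]

if __name__ == "__main__":
    for req in newly_allowed(SPECIALIST, REQUESTS, frozenset({"position"})):
        print("allowed only with the employee check deactivated:", req)
```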