Authorizations

 

The authorizations topic plays a fundamental role in the area of Human Resources since access to personnel data must be carefully protected. In SAP Human Resources, there is a two-part concept for setting up authorizations. You should familiarize yourself with this concept if you use Human Resources components.

Human Resources uses the authorization concept provided by SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for authorizations detailed in the Security Guide for SAP NetWeaver AS ABAP and in the Security Guide for SAP NetWeaver AS Java also apply to Human Resources.

Note: Furthermore, Human Resources has specific structural authorizations for which the organizational assignment is checked to see whether a user may perform an activity.

For detailed information about authorizations in Human Resources, see SAP Library for SAP ERP and choose SAP ERP Central Component → Human Resources → HR Tools and the section Authorizations for Human Resources.

The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP NetWeaver AS ABAP and the User Management Engine’s user administration console on SAP NetWeaver AS Java.

Standard Roles

The table below shows the standard roles that are used by the Personnel Management components listed under Description.

Note: The standard roles for Human Resources components that are described in a separate chapter of this Security Guide are also in the Authorizations section. The same applies to the self-service components Employee Self-Service and Manager Self-Service that are also described under Cross-Application Components → Self-Services in this Security Guide.
Standard Roles

| Role | Description |
|---|---|
| SAP_HR_BN* | Roles for the PA-BN (Benefits) component |
| SAP_HR_CM* | Roles for the PA-CM (Compensation Management) component |
| SAP_HR_CP* | Roles for the PA-CM-CP (Personnel Cost Planning) component |
| SAP_HR_OS* | Roles for the PA-OS (Organizational Structure) component |
| SAP_HR_PA_xx_* | Roles for the international versions and country versions of the PA-PA (Personnel Administration) component |
| SAP_HR_PA_PF_xx_* | Roles for the PA-PF (Pension Schemes) component |
| SAP_HR_PD* | Roles for the PA-PD (Personnel Development) component |
| SAP_HR_RC* | Roles for the PA-RC (Recruitment) component |
| SAP_HR_REPORTING | Role for the Human Resources Analyst. Note: This role is obsolete. We recommend that you no longer use this role. |
| SAP_ASR_ADMINISTRATOR | Enhancement of the role SAP_HR_PA_xx_* for the HR administrators that use the functions of the component PA-AS (HR Administrative Services) |

For the roles marked with an asterisk (*), several roles exist for each of the components. For roles with xx, where xx represents the SAP country key, various roles exist for each of the country versions.

Standard Authorization Objects

The table below shows the security-relevant authorization objects that are used by Human Resources.

Note: For more information about the Human Resources authorization objects, see SAP Library for SAP ERP and choose SAP ERP Central Component → Human Resources → HR Tools → Authorizations for Human Resources → Technical Aspects → Authorization Objects.
Most Important Standard Authorization Objects

| Authorization Object | Name | Description |
|---|---|---|
| P_ORGIN | HR master data | Used to check the authorization for accessing HR infotypes. The checks take place when HR infotypes are edited or read. |
| P_ORGINCON | HR master data with context | This authorization object consists of the same fields as the authorization object P_ORGIN, and also includes the field PROFL (structural profile). A check using this object enables user-specific contexts to be mapped in HR master data. |
| P_ORGXX | HR master data - extended check | You can use this object to determine that other fields are also to be checked. You can determine whether this check is to be performed in addition to or as an alternative to the HR Master Data authorization check. |
| P_P_ORGXXCON | HR master data - extended check with context | This authorization object consists of the same fields as the authorization object P_ORGXX, and also includes the field PROFL (structural profile). A check using this object enables user-specific contexts to be mapped in HR master data. |
| P_TCODE | HR: transaction code | This authorization object checks some specific SAP Human Resources transactions. |
| PLOG | Personnel planning | Determines for which types of information processing a user has authorization. |
| PLOG_CON | Personnel planning with context | This authorization object consists of the same fields as the object PLOG, and also includes the field PROFL (structural profile). The check using this object enables user-specific contexts to be mapped. |
| P_ASRCONT | Authorization for process content | The Authorization for Process Content object is used by the authorization check for HR Administrative Services. It checks the authorization for access to various process contents and also runs through the authorization objects that you have specified in Customizing in the table T77S0 (see note below). For more information, see Authorization Concept of HCM Processes and Forms. |
| P_DEL_PERN | Deletion of personnel numbers in live systems | This authorization object is used in the report RPUDELPP and facilitates the deletion of personnel numbers in live systems. It is used by two roles, one for requesting the deletion and one for performing the deletion. These roles need to be assigned to two different users (double verification principle). |
| P_EICAU | Authorization for activity in the Employee Interaction Center | This authorization object checks the authorization for editing EIC activities. For more information, see Authorization Concept for Employee Interaction Center (EIC). |

Note: In Customizing for certain authorization objects, you can specify whether they are to be checked. In the table T77S0, the group AUTSW (Group for Semantic Short Text for PD Plan) contains all central switches and settings for the Human Resources authorization check. Note that changes to the settings severely affect your authorization concept.

For more information about changing the main authorization switch, see Customizing for Personnel Administration and choose Tools → Authorization Management.
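
An added example, not part of the SAP documentation: a Python audit over an exported role-to-user assignment list. It flags users who hold both P_DEL_PERN roles (which breaks the double verification principle) or the obsolete SAP_HR_REPORTING role, and maps each user's roles to HR components using the naming patterns from the Standard Roles table. The two deletion role names, the export layout and the sample role names are assumptions constructed for illustration.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Hypothetical names for the two P_DEL_PERN roles; the page does not name them.
DEL_REQUEST_ROLE = "Z_HR_PERNR_DEL_REQUEST"
DEL_PERFORM_ROLE = "Z_HR_PERNR_DEL_PERFORM"
OBSOLETE_ROLES = {"SAP_HR_REPORTING"}  # marked obsolete in the Standard Roles table

# Role name patterns from the Standard Roles table; "??" stands for the country
# key xx. PA-PF comes first because its names also match the broader PA-PA pattern.
COMPONENT_PATTERNS = [
    ("PA-PF", "SAP_HR_PA_PF_??_*"), ("PA-PA", "SAP_HR_PA_??_*"),
    ("PA-BN", "SAP_HR_BN*"), ("PA-CM", "SAP_HR_CM*"),
    ("PA-CM-CP", "SAP_HR_CP*"), ("PA-OS", "SAP_HR_OS*"),
    ("PA-PD", "SAP_HR_PD*"), ("PA-RC", "SAP_HR_RC*"),
]

def component_of(role):
    """Return the HR component a role name belongs to, or None."""
    for component, pattern in COMPONENT_PATTERNS:
        if fnmatchcase(role, pattern):
            return component
    return None

def audit(assignments):
    """Return (findings, components): sorted (user, text) tuples and user -> components."""
    roles_by_user = defaultdict(set)
    for role, user in assignments:
        roles_by_user[user].add(role)
    findings, components = [], {}
    for user, roles in roles_by_user.items():
        components[user] = sorted({c for c in map(component_of, roles) if c})
        if {DEL_REQUEST_ROLE, DEL_PERFORM_ROLE} <= roles:
            findings.append((user, "P_DEL_PERN request and perform roles on one user"))
        for role in sorted(roles & OBSOLETE_ROLES):
            findings.append((user, f"obsolete role assigned: {role}"))
    return sorted(findings), components

# Constructed sample of a role-to-user export as (role, user); not real data.
SAMPLE = [
    (DEL_REQUEST_ROLE, "ALICE"), (DEL_PERFORM_ROLE, "BOB"),
    (DEL_REQUEST_ROLE, "CAROL"), (DEL_PERFORM_ROLE, "CAROL"),
    ("SAP_HR_REPORTING", "DAVE"), ("SAP_HR_PA_PF_DE_EXAMPLE", "DAVE"),
    ("SAP_HR_PA_US_EXAMPLE", "ALICE"), ("SAP_HR_BN_EXAMPLE", "ALICE"),
]

if __name__ == "__main__":
    findings, components = audit(SAMPLE)
    for user, text in findings:
        print(f"{user}: {text}")
```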