Show TOC

 Methods for Checking Authorizations

Use

The following section provides you with an overview of the three methods for checking authorizations that you can use to protect personal data in HCM Processes and Forms .

Features

For all the methods described below, the system calls the method CHECK_MIN_PERNR_AUTHORIZATION of the BAdI HRPAD00AUTH_CHECK from the function module HR_CHECK_AUTHORITY_PERNR, which ensures at least one minimum check of personal data. The method checks whether access to at least one data record for the personnel number is possible. The system does not check whether the user is authorized to access an existing infotype record. It only checks whether the user is authorized to access any infotype, even if there is no data record for an infotype in the system.

In addition, this method checks the settings you made in the authorization main switches for HR. The scope of these authorization checks depends on how you have set up the authorization main switches.

Note Note

For more information, see the Implementation Guide for Personnel Management under Start of the navigation path Personnel Administration Next navigation step Tools Next navigation step Authorization Management Next navigation step Maintain Authorization Main Switches End of the navigation path .

Note: If you have implemented the BAdI HRPAD00AUTH_CHECK (IMG Activity BAdI: Set Up Customer-Specific Authorization Check ) it is run for HCM Processes and Forms .

End of the note.

Caution Caution

Note also that changes made to the authorization main switches have implications for the authorization checks in all HR applications. It is strongly recommended that you only change the settings after careful consideration of the consequences for other applications in SAP Human Capital Management.

End of the caution.
Method 1: Exclusive Use of the Authorization Object P_ASRCONT (Authorization for Process Content)

You can use this method to check access to various process contents. Examples of such contents are certain forms that are used in processes. You can use the authorization object at the level of the following process types to specify which activities a user is allowed to perform on the objects:

  • Processes

  • Attachments that the system displays through the Digital Personnel File (DPF) or the Process Browser

  • Form scenarios

    For more information, see Contexts for Checking Authorizations .

The authorization object contains a simplified check for personnel numbers that are accessible by users. You therefore do not need to specify which personnel numbers or organizational units need to be assigned authorizations to read, write, and so on. Only the following options are possible:

  • Authorization only for the user's own personnel number

  • Authorization for all personnel numbers, excluding the user's own number

  • Authorizations for all personnel numbers

    Note Note

    For more information, see the documentation for the authorization object P_ASRCONT.

    Note that these authorizations for personnel numbers can only be processed in connection with the processes in HCM Processes and Forms . They have no effect on the access authorizations for employee data in the backend system.

    End of the note.

Advantages of the Method

  • You can control access to the process contents.

  • You do not need to change the existing HR authorizations.

  • If you create new processes, forms and so on, you only need to adjust the authorization objects if you have set them up for the new process or form groups (content types) in Customizing.

Disadvantages of the Method

  • You must add the authorization object to the profiles of the roles or users .

Method 2: Exclusive Use of HR Authorizations

In this method you use the traditional HR authorizations that you can activate using the HR authorization main switches. You can also use this method to check the authorizations for the forms that the system uses in the processes. The forms are linked to the authorization checks for the HR infotypes. If the user has no authorization for the data displayed in the form, the form is displayed without content and with an appropriate error message.

Advantages of the Method

  • You do not have to change the existing authorization profiles for the users or roles.

  • You can use the HR authorization profiles to control access to the data and personnel numbers used in the process.

Disadvantages of the Method

  • You cannot control access to the following objects with these authorizations:

    • Start application

    • Process data

    • Forms

    • Attachments

      These missing checks can result in users being able to gain unauthorized access to process data and attachments at the start of an application if they have the specified authorizations for the personnel number and the transaction.

  • You must adjust the authorization profile for every new process that you set up if new infotypes have been introduced that you did not list previously in the profiles.

  • The authorizations that you assign here also apply to access to data in the backend system. It can therefore occur that employees with a user in the backend system can gain unauthorized access to data in the backend system (in Reporting, for example).

Method 3: Using a Combination of Both Methods

This is the safest method that you can use. It is therefore recommended that you use this method. In this way, you can combine the advantages of the authorization object P_ASRCONT with those of the traditional HR authorizations.

Advantages of the Method

  • The system checks access to the application objects as well as the contents contained in them. You can thus fully protect the data and avoid users accessing processes and data for which they have no authorization.

Disadvantage of the Method

  • You must add the authorization object P_ASRCONT and the traditional HR authorizations to the authorization profiles of the users and roles for the employees that use HR Administrative Services .

    Note Note

    Note that you can protect the infotype data in the backend system with settings in the workflow. You can specify in the individual workflow steps who can save data in the infotypes of the backend system.

    End of the note.

    You can avoid this disadvantage by setting up your authorizations and processes in the following way:

    • Only HR administrators receive authorizations for reading and updating backend data. You set up these authorizations using the traditional HR authorization objects.

      Other persons involved in the processes, such as employees and managers, only receive authorization for processes and forms using the authorization object P_ASRCONT.

    • When setting up the workflow, you use a standard task that saves data in the backend system. You assign a (virtual) processor that has the relevant HR authorizations to this standard task.

      The system saves the data in a background step in the backend system. HR administrators only receive work items for postprocessing data if an error occurs.

      For more information, see Standard Task TS17900100: Edit Form and Standard Task TS17900108: Save Form Data .

The following settings are recommended:

  • Use the authorization object P_ASRCONT to protect process and attachment data from unauthorized access. Use the following Activities characteristics in the authorization object P_ASRCONT for your employees:

    • S – Start Process/Form

    • R – Read

    • P – Process Form

    • D – Withdraw Process

      In addition, add the activity A - Approve Form for your managers and the activity X - Save Application Data During a Process for your HR administrators.

  • Set up further authorization checks for processes that process particularly sensitive data.