The following section provides you with an overview of the three methods for checking authorizations that you can use to protect personal data in
HCM Processes and Forms
.
For all the methods described below, the system calls the method CHECK_MIN_PERNR_AUTHORIZATION of the BAdI HRPAD00AUTH_CHECK from the function module HR_CHECK_AUTHORITY_PERNR, which ensures at least one minimum check of personal data. The method checks whether access to at least one data record for the personnel number is possible. The system does not check whether the user is authorized to access an existing infotype record. It only checks whether the user is authorized to access any infotype, even if there is no data record for an infotype in the system.
In addition, this method checks the settings you made in the authorization main switches for HR. The scope of these authorization checks depends on how you have set up the authorization main switches.
Note
For more information, see the Implementation Guide for Personnel Management under
. Note: If you have implemented the BAdI HRPAD00AUTH_CHECK (IMG Activity
BAdI: Set Up Customer-Specific Authorization Check
) it is run for
HCM Processes and Forms
.
Caution
Note also that changes made to the authorization main switches have implications for the authorization checks in all HR applications. It is strongly recommended that you only change the settings after careful consideration of the consequences for other applications in SAP Human Capital Management.
You can use this method to check access to various process contents. Examples of such contents are certain forms that are used in processes. You can use the authorization object at the level of the following process types to specify which activities a user is allowed to perform on the objects:
Processes
Attachments that the system displays through the
Digital Personnel File
(DPF) or the
Process Browser
Form scenarios
For more information, see Contexts for Checking Authorizations .
The authorization object contains a simplified check for personnel numbers that are accessible by users. You therefore do not need to specify which personnel numbers or organizational units need to be assigned authorizations to read, write, and so on. Only the following options are possible:
Authorization only for the user's own personnel number
Authorization for all personnel numbers, excluding the user's own number
Authorizations for all personnel numbers
Note
For more information, see the documentation for the authorization object P_ASRCONT.
Note that these authorizations for personnel numbers can only be processed in connection with the processes in
HCM Processes and Forms
. They have no effect on the access authorizations for employee data in the backend system.
Advantages of the Method
You can control access to the process contents.
You do not need to change the existing HR authorizations.
If you create new processes, forms and so on, you only need to adjust the authorization objects if you have set them up for the new process or form groups (content types) in Customizing.
Disadvantages of the Method
You must add the authorization object to the profiles of the roles or users .
In this method you use the traditional HR authorizations that you can activate using the HR authorization main switches. You can also use this method to check the authorizations for the forms that the system uses in the processes. The forms are linked to the authorization checks for the HR infotypes. If the user has no authorization for the data displayed in the form, the form is displayed without content and with an appropriate error message.
Advantages of the Method
You do not have to change the existing authorization profiles for the users or roles.
You can use the HR authorization profiles to control access to the data and personnel numbers used in the process.
Disadvantages of the Method
You cannot control access to the following objects with these authorizations:
Start application
Process data
Forms
Attachments
These missing checks can result in users being able to gain unauthorized access to process data and attachments at the start of an application if they have the specified authorizations for the personnel number and the transaction.
You must adjust the authorization profile for every new process that you set up if new infotypes have been introduced that you did not list previously in the profiles.
The authorizations that you assign here also apply to access to data in the backend system. It can therefore occur that employees with a user in the backend system can gain unauthorized access to data in the backend system (in Reporting, for example).
This is the safest method that you can use. It is therefore recommended that you use this method. In this way, you can combine the advantages of the authorization object P_ASRCONT with those of the traditional HR authorizations.
Advantages of the Method
The system checks access to the application objects as well as the contents contained in them. You can thus fully protect the data and avoid users accessing processes and data for which they have no authorization.
Disadvantage of the Method
You must add the authorization object P_ASRCONT and the traditional HR authorizations to the authorization profiles of the users and roles for the employees that use
HR Administrative Services
.
Note
Note that you can protect the infotype data in the backend system with settings in the workflow. You can specify in the individual workflow steps who can save data in the infotypes of the backend system.
You can avoid this disadvantage by setting up your authorizations and processes in the following way:
Only HR administrators receive authorizations for reading and updating backend data. You set up these authorizations using the traditional HR authorization objects.
Other persons involved in the processes, such as employees and managers, only receive authorization for processes and forms using the authorization object P_ASRCONT.
When setting up the workflow, you use a standard task that saves data in the backend system. You assign a (virtual) processor that has the relevant HR authorizations to this standard task.
The system saves the data in a background step in the backend system. HR administrators only receive work items for postprocessing data if an error occurs.
For more information, see Standard Task TS17900100: Edit Form and Standard Task TS17900108: Save Form Data .
The following settings are recommended:
Use the authorization object P_ASRCONT to protect process and attachment data from unauthorized access. Use the following
Activities
characteristics in the authorization object P_ASRCONT for your employees:
S –
Start Process/Form
R –
Read
P –
Process Form
D –
Withdraw Process
In addition, add the activity A -
Approve Form
for your managers and the activity X -
Save Application Data During a Process
for your HR administrators.
Set up further authorization checks for processes that process particularly sensitive data.