Human Resources Authorization Check 

Definition

Fundamental part of the General Authorization Check.

The following authorization objects are available in the Human Resources component:

Use

Each time a user attempts to execute a business transaction or report, the system checks the authorizations stored in the user master data and determines whether the user is permitted to carry out the action.

Structure

The authorization objects in the Human Resources component contain (just like the general authorization objects) up to ten fields that are checked by the system during an authorization check.

The HR: master data object contains the following fields in the standard system:

INFTY: Infotype number

SUBTY: Subtype number

AUTHC: Authorization level

WERKS: Personnel area

PERSG: Employee group

PERSK: Employee subgroup

VDSK1: Organizational key

You can, therefore, assign authorizations for personnel data in HR infotypes at the infotype/subtype level according to the employee’s personnel area, employee group, employee subgroup and organizational key.

Authorization Level Field (AUTHC)

All authorization objects in Human Resources contain the field Authorization Level (AUTHC). You enter the employee’s authorization type in this field.

The authorization level can have the following values:

If a user has write authorization, he/she should also have the corresponding read authorization. In other words, if a user has authorization level E, D, or W, he/she should also have the relevant authorizations for level R.

Double Verification Principle:

By using specifications E and D, you can implement the "double verification principle". This means that at least two users must be involved in writing active records to the database.

Infotype records, except for the records in the Actions (0000), Organizational Assignment (0001), Personal Data (0002), Payroll Status (0003), and Reference Personnel Number (0031) infotypes, can have a lock indicator. It is displayed when infotype data is edited. The system ignores all data records that have a lock indicator during an evaluation. Records with a lock indicator are described in this documentation as "locked", and those without a lock indicator as "active".

For the "double verification principle" to take effect, one of the users must have the specification E in the Authorization level field and another user must have the specification D. Specification E permits the user to edit and create locked records; D permits the user to edit the lock indicator (delete or set), that is, a user with specification D can change active records into locked records or vice versa. Active data records can only be written to the database or changed if both users are involved in the processing procedure.

When creating authorizations, make sure that levels E and D are always used in conjunction with level R. The authorizations are not in any specific hierarchical order (only * includes all authorization level values). This becomes clear in a variety of situations.

When you start a personnel administration transaction, the system checks that you have at least a read authorization, i.e. value R or *.

You must have an R authorization so that an E or D authorization for the past (just like a write authorization) becomes a read authorization for data records that are valid in the past period specified.

You must have an R authorization to display infotype data in reporting (the * authorization includes the R authorization).
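The following Python check is an added example, not part of the SAP documentation: it audits an exported list of authorizations against the AUTHC rules above, flagging write-type levels without R, and users who hold E and D together (or *), since the double verification principle requires those specifications to sit with two different users. The export format, user names and finding labels are assumptions, and only the INFTY and AUTHC fields are evaluated.

```python
"""Audit AUTHC values against the rules described above (added example)."""
from collections import defaultdict

WRITE_LEVELS = {"E", "D", "W"}  # levels the page says need R alongside them

# Constructed sample export, not real data: (user, INFTY, AUTHC values).
SAMPLE = [
    ("CLERK1", "0008", ["R", "E"]),   # may write locked records
    ("LEAD1",  "0008", ["R", "D"]),   # may set or delete the lock indicator
    ("TEMP1",  "0008", ["E"]),        # E without R
    ("ADMIN1", "0008", ["*"]),        # * includes every level
    ("CLERK2", "0014", ["E"]),
    ("CLERK2", "*",    ["R"]),        # R granted for all infotypes
    ("CLERK3", "0014", ["R", "E"]),
    ("CLERK3", "0014", ["D"]),        # E and D spread over two authorizations
]


def effective_levels(rows):
    """Merge AUTHC values per (user, INFTY); INFTY '*' applies to all infotypes."""
    per = defaultdict(set)
    for user, infty, levels in rows:
        per[(user, infty)].update(levels)
    return {
        (user, infty): levels | per.get((user, "*"), set())
        for (user, infty), levels in per.items()
    }


def audit(rows):
    """Return (user, INFTY, finding) tuples, sorted by user and infotype."""
    findings = []
    for (user, infty), levels in sorted(effective_levels(rows).items()):
        if "*" in levels:
            # One user holds all levels, so E and D are not separated.
            findings.append((user, infty, "ALL_LEVELS"))
            continue
        if levels & WRITE_LEVELS and "R" not in levels:
            findings.append((user, infty, "WRITE_WITHOUT_READ"))
        if {"E", "D"} <= levels:
            findings.append((user, infty, "E_AND_D_SAME_USER"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```
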

Interpretation of Assigned Personnel Number Field (PSIGN)

The authorization object HR: Master data - Check personnel number (P_PERNR) relates to the personnel number of an employee, which has an effect on the authorization. It also includes the Interpretation of assigned personnel numbers (PSIGN) field. In this field you enter how the system should interpret the assignment of a user to a personnel number.

The field has two possible specifications:

SAP does not support the specification * and the combination of E and I for this field. You should also not use the ' ' (space) specification. Use either E or I, or do not enter an authorization at all.