Authorizations

Personnel Management uses the authorization concept provided by SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations described in the SAP Web AS Security Guide ABAP and the SAP Web AS Security Guide Java also apply to Personnel Management.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine’s user management console for SAP Web AS Java.

Standard Roles

The following table shows the standard roles that are used by Personnel Management.

| Role | Description |
| --- | --- |
| SAP_HR_BN* | Roles assigned to component PA-BN (Benefits) |
| SAP_HR_CM* | Roles assigned to component PA-CM (Compensation Management) |
| SAP_HR_CP* | Roles assigned to component PA-CM-CP (Personnel Cost Planning) |
| SAP_ESSUSER_ERP05 | Role with all non country-specific functions for Employee Self-Service. For more information, see the Security Guide for Self-Services. |
| SAP_EMPLOYEE_ERP05_xx | Roles related to the Employee Self-Service country versions |
| SAP_HR_OS* | Roles assigned to component PA-OS (Organizational Management) |
| SAP_HR_PA_xx_* | Roles related to international and country versions of the component PA-PA (Personnel Administration) |
| SAP_HR_PA_XF* | Roles assigned to the component CA-GTF-XF (SAP Expert Finder) |
| SAP_HR_PA_PF_xx_* | Roles assigned to component PA-PF (Pension Fund) |
| SAP_HR_PD* | Roles assigned to component PA-PD (Personnel Development) |
| SAP_HR_RC* | Roles assigned to component PA-RC (Recruitment) |
| SAP_HR_REPORTING | Role for Human Resources Analyst |
| SAP_AUDITOR_TAX_HR | This role is relevant for Germany only. Role HR-DE Steuerprüfung § 147 AO (Muster) assigned to the component PA-PA-DE (Personnel Administration Germany). |
| SAP_ASR_EMPLOYEE | Enhancement of the role SAP_ESSUSER_ERP05 for the employees that use the functions of the component PA-AS (HR Administrative Services) |
| SAP_ASR_MANAGER | Enhancement of the role SAP_ESSUSER_ERP05 with functions for the persons with personnel responsibility that use the functions of the component PA-AS (HR Administrative Services) |
| SAP_ASR_ADMINISTRATOR | Enhancement of the role SAP_HR_PA_xx_* for the HR administrators that use the functions of the component PA-AS (HR Administrative Services) |

For the roles marked with an asterisk (*), several roles exist for each of the components. For roles with “xx”, where “xx” represents the SAP country key, various roles exist for each of the country versions. 

Standard Authorization Objects

The following table shows the most important central security-relevant authorization objects used by Personnel Management.

Note

For more information about Personnel Management authorizations, see SAP Library under ERP Central Component → Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources.

Most Important Standard Authorization Objects

| Authorization Object | Field | Value | Description |
| --- | --- | --- | --- |
| P_ORGIN | HR Master Data | | Used when checking authorizations for HR infotypes. The check takes place when HR infotypes are edited or read. |
| P_ORGINCON | HR Master Data with Context | | This authorization object consists of the same fields as the authorization object P_ORGIN, and also includes the field PROFL (structural profile). The check for this object means that user-specific contexts can be included in the HR master data. |
| P_ORGXX | HR Master Data – Extended Check | | With this object you can determine whether other fields are also to be checked. You can determine whether this check is to be performed in addition to or instead of the HR Master Data authorization check. |
| P_ORGXXCON | HR Master Data – Extended Check with Context | | This authorization object consists of the same fields as the authorization object P_ORGXX, and also includes the field PROFL (structural profile). The check for this object means that user-specific contexts can be included in the HR master data. |
| P_TCODE | HR: Transaction Code | | This authorization object checks certain specific transactions in SAP Human Resources Management. |
| PLOG | Personnel Planning | | Used to indicate the types of information processing a user is authorized to perform. |
| PLOG_CON | Personnel Planning with Context | | This authorization object consists of the same fields as the object PLOG, and also includes the field PROFL (structural profile). The check for this object means that user-specific contexts can be included in the HR master data. |
| P_ASRCONT | Authorization for Process Content | | The Authorization for Process Content object is used by the authorization check for HR Administrative Services. It checks the authorization for access to various process contents and also runs through the authorization objects that you have specified in Customizing in T77S0 (see note below). For more information, see Authorization Concept of HCM Processes and Forms. |

Note

In Customizing, you can determine whether specific authorization objects are to be checked. All central switches and settings for the Human Resources authorization check are summarized in table T77S0 under group AUTSW (field Group for semantic short text for PD Plan). Note that changes to the settings severely affect your authorization concept.

For more information about changing the main authorization switch, see the Implementation Guide (IMG) for Personnel Administration under Tools → Authorization Management.
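Because a change to the AUTSW switches alters which authorization objects are checked at all, comparing the current T77S0 entries against an approved baseline is a useful periodic control. The following is an added example, not SAP code: it assumes a semicolon-separated export of T77S0 with the columns GRPID, SEMID and GSVAL, assumes the switch names ORGIN, INCON, ORGXX and XXCON with the value 1 meaning the check is active, and uses constructed sample data.

```python
import csv
import io

# Assumption: AUTSW switch (T77S0-SEMID) -> authorization object it turns on or off.
SWITCH_TO_OBJECT = {
    "ORGIN": "P_ORGIN",
    "INCON": "P_ORGINCON",
    "ORGXX": "P_ORGXX",
    "XXCON": "P_ORGXXCON",
}

# Constructed sample exports of T77S0 (GRPID;SEMID;GSVAL), not real system data.
BASELINE = """GRPID;SEMID;GSVAL
AUTSW;ORGIN;1
AUTSW;INCON;0
AUTSW;ORGXX;1
AUTSW;XXCON;0
PLOGI;PLOGI;01
"""
CURRENT = BASELINE.replace("AUTSW;ORGIN;1", "AUTSW;ORGIN;0").replace(
    "AUTSW;ORGXX;1", "AUTSW;ORGXX;0")


def read_autsw(export_text):
    """Return {SEMID: GSVAL} for group AUTSW only; other groups are ignored."""
    rows = csv.DictReader(io.StringIO(export_text), delimiter=";")
    return {r["SEMID"].strip(): r["GSVAL"].strip()
            for r in rows if r["GRPID"].strip() == "AUTSW"}


def checked_objects(switches):
    """Authorization objects whose switch is set to '1' (check active)."""
    return sorted(obj for sem, obj in SWITCH_TO_OBJECT.items()
                  if switches.get(sem) == "1")


def audit(baseline_text, current_text):
    """List switch changes against the approved baseline plus unsafe end states."""
    base, cur = read_autsw(baseline_text), read_autsw(current_text)
    findings = [f"{sem}: {base.get(sem)} -> {cur.get(sem)}"
                for sem in sorted(set(base) | set(cur))
                if base.get(sem) != cur.get(sem)]
    findings += [f"{sem}: switch missing from export"
                 for sem in SWITCH_TO_OBJECT if sem not in cur]
    if not checked_objects(cur):
        findings.append("no HR master data authorization object is checked")
    return findings


if __name__ == "__main__":
    print(checked_objects(read_autsw(BASELINE)))
    print("\n".join(audit(BASELINE, CURRENT)))
```

In the constructed baseline both P_ORGIN and P_ORGXX are checked, which corresponds to the extended check running in addition to the HR Master Data check; the constructed current state switches both off and is reported as a finding.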
