P_ABAP (HR: Reporting) (SAP Library - Personnel Administration (PA-PA))

P_ABAP (HR: Reporting)

Definition

Authorization object that is used during the authorization check for HR Reports.

Use

This authorization object is used to:

Run reports in HR Reporting (with reports that are based on the logical databases SAPDBPNP or SAPDBPAP)
Evaluate logged changes in infotype data
Process person-related data using payment medium programs from Accounting

Structure

The P_ABAP authorization object contains the following fields, which are tested during an authorization check:

Authorization Field	Long Text
COARS	Degree of Simplification of the Authorization Check
REPID	ABAP Report Name

More Information About the Fields

Using P_ABAP in HR Reporting:

You can use the relevant authorizations for this object to control how the objects P_ORGIN, P_ORGXX, and the customer-specific authorization object P_NNNNN are used in the specified reports to check the authorization of HR infotypes. You can also use reports to control the infotype authorization check. This can be useful for functional reasons or to improve performance at runtime of the corresponding reports.

For this object, enter the report name(s) in the REPID field and the degree of simplification to be used for the authorization check in the COARS field.

The following degrees of simplification are possible:

Authorization using COARS = <BLANK> or no authorization. The authorization checks are to be processed as in

Authorization using COARS = 1.The authorization checks for the infotype/subtype combination and for organizational assignment are to be checked separately. This means that a user is authorized to read a personnel number when he or she has a read authorization for all the infotypes (subtypes) requested by the program and that the user has a read authorization for the organizational assignment of the personnel number.

Authorization using COARS = 2. The authorization check is inactive.

Note

Note that an ABAP authorization for report SAPDBPNP with COARS = 2 means that all HR reports based on the logical databases PNP or PAP (nearly all reports) cannot perform any more authorization checks. In general, you will only want to deactivate the authorization checks for a very small number of Reports. In case of doubt, do not assign your users authorizations for the P_ABAP object.

Furthermore, note that this authorization object differs from the object S_PROGRAM (ABAP: Program Run Checks). The latter is used for general program authorization checks. In HR reports, these checks are carried out in addition to the HR infotype authorization check. HR Reporting, however, overrides the HR infotype authorization check for selected reports, with the result that the authorization checks are weakened or completely switched off.

Examples:

In your company, the authorization for infotypes is set up independently of the authorization for specific organizational units. For example, an administrator is authorized to access address, personal, and education data and is responsible only for personnel area 0101. This does mean that the administrator would be authorized to access addresses in personnel area 0101 and persona data in personnel area 0102. If you enter 1 in the COARS (Degree of Simplification) field, the authorization check takes account of how the authorization has been set up by reading the Reports entered in the REPID ( Report Name) field, and the authorization check for a user with this authorization runs more quickly.

If certain HR reports are not critical (telephone lists and so on) and authorization protection is not required, enter the report name and * in the Degree of Simplification field. The system then checks the specified reports to see whether the user is authorized to start the report (S_PROGRAM (ABAP: Program Run Checks) authorization object), but perform no other authorization checks.

In your company, one user has access to all HR infotype data. Assign this user an additional authorization for the existing object by entering* in the REPID and COARS fields Consequently, the system only checks if this user is authorized to start the report. It does not check whether this user is authorized to display the requested HR infotype data. The fact that the user has unlimited authorization does not change the results of the authorization check, but does affect the runtime required to produce the result is authorized to. The reports are processed more quickly.

A time administrator carries out time evaluations using the RPTIME00 report (HR: Time - Time Evaluation) for employees assigned the organizational key 0001TIMEXXX. To obtain certain additional information that is required internally and that the program user cannot see or can see only partially, the system must read the Basic Pay (0008) infotype, amongst others, during time evaluation. To be able to carry out time evaluation, the time administrator must have a display authorization for the Basic Pay (0008) infotype. On the other hand, the user should not have general display authorization for the Basic Pay (0008) infotype. To restrict the read authorization for the Basic Pay (0008) infotype for employees with the 0001TIMEXXX organizational key in the RPTIME00 report, use the following authorizations:

P_ORGIN (HR: Master Data) – two authorizations:

INFTY = 0008

SUBTY = *

AUTHC = R

VDSK1 = <Blank>

...

INFTY = <Blank>

SUBTY = <Blank>

AUTHC = <Blank>

VDSK1 = 0001TIMEXXX

...

P_ABAP (HR: Reporting):

REPID = RPTIME00

COARS = 1

A simple check is carried out for the infotype authorization check in conjunction with the RPTIME00 report (HR: Time – Time Evaluation): The system independently checks infotype, subtype, and level on the one hand, and organizational assignment (in the example, the VDSK1 field (Organizational Key)) according to degree of simplification 1. The Basic Pay (0008) infotype can also be read in the RPTIME00 report (HR: Time – Time Evaluation).

However, if the check is not in conjunction with the RPTIME00 report (HR: Time – Time Evaluation), all fields of the object P_ORGIN (HR: Master Data) are checked together. This check does not result in read authorization for the Basic Pay (0008) infotype.

Using P_ABAP to evaluate logged changes in infotype data:

Evaluations of the logged changes in infotype data are subject to infotype authorization checks. The person who starts this kind of evaluation normally has extensive infotype authorizations. In this case, it makes more sense to assign the user a global authorization using the RPUAUD00 report (Logged Changes to Information Types Data) rather than to check individual data. To do so, use an authorization for the existing object that has the value RPUAUD00 in the REPID field (ABAP – Report Names) and the value 2 in the COARS field (Degree of Simplification).

Using P_ABAP to process personal data using payment medium programs in Accounting:

The payment medium programs in Accounting specifically process extremely sensitive personal data. As an additional security measure, the system checks whether the user has a corresponding authorization for the existing object and checks whether the user is authorized to start the program. You must enter the name of the payment medium program in the REPID field (ABAP – Report Names) and the value 2 (or *) in the COARS field (Degree of Simplification).