Context Problems in HR Authorizations
Problem Description
The technical separation of general and structural authorization profiles can cause context problems for users who perform different roles in a company (see graphic). This is because you cannot simply add any number of structural and general authorization profiles required for different tasks (in different contexts) without overriding something.
Example
A user (referred to as manager 1 in this example) is the manager of a team and should be allowed to edit infotypes 0000 – 0007 for the employees in his or her team.
Manager 1 is also Payroll Manager for another organizational structure. In this second role, manager 1 has access to all payroll-relevant infotypes (0008 and 0015) for the employees in this organizational structure.
The business requirements of the roles Manager and Payroll Manager are represented again in the following overview table:
Business overall profile of the role Manager:
Objects | Type of Authorization
All employees in the manager’s team | Full read and write authorization for infotypes 0000 to 0007
Business overall profile of the role Payroll Manager:
Objects | Type of Authorization
Employees in the organizational structure | Full read and write authorization for infotypes 0008 to 0015
This cannot be illustrated without the Context Solution because there is no relationship of any kind between an individual structural profile and an individual basis authorization. This leads to overriding. You cannot create an assignment between a user’s specific structural profile (here, for example, structural profile 2) and a specific general profile (profile with P_ORGIN).
What in fact happens is that the structural profiles (that is, the set of objects) and the general profiles are added (in this case, using P_ORGIN) to give the overall profile. Consequently, the following effect occurs in the above example: Manager 1 has complete read and write authorization for all objects in both structural profiles. When the authorization profiles are added together, the following overall profile is produced:
Objects | Type of Authorization
All employees in the manager’s team and organizational structure | Full read and write authorization for infotypes 0000 to 0008 and for 0015
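The additive evaluation described above can be checked with a small model. The following Python code is an added example, not SAP code: it computes which (employee, infotype) pairs the combined profile grants beyond what the two roles require. Assumptions: each role is reduced to a set of objects plus a set of infotypes, the employee numbers (E100, E200, ...) are constructed, the Payroll Manager infotypes are taken as 0008 and 0015, and all other P_ORGIN fields are ignored.

```python
from itertools import product

# Constructed sample data: employee numbers and structure membership are
# illustrative assumptions, not values from the SAP documentation.
ROLES = {
    "Manager": {
        "objects": {"E100", "E101"},                      # manager's team
        "infotypes": {f"{n:04d}" for n in range(0, 8)},   # 0000-0007
    },
    "Payroll Manager": {
        "objects": {"E200", "E201", "E202"},              # other org structure
        "infotypes": {"0008", "0015"},
    },
}


def intended_access(roles):
    """Per-context grants: each role's objects paired only with its own infotypes."""
    grants = set()
    for role in roles.values():
        grants |= set(product(role["objects"], role["infotypes"]))
    return grants


def additive_access(roles):
    """Grants without context: object sets and infotype sets are each unioned,
    then every object is paired with every infotype."""
    objects = set().union(*(r["objects"] for r in roles.values()))
    infotypes = set().union(*(r["infotypes"] for r in roles.values()))
    return set(product(objects, infotypes))


def excess_grants(roles):
    """(employee, infotype) pairs the user receives but no role asked for."""
    return additive_access(roles) - intended_access(roles)


if __name__ == "__main__":
    print(f"intended: {len(intended_access(ROLES))} grants")
    print(f"additive: {len(additive_access(ROLES))} grants")
    for emp, infotype in sorted(excess_grants(ROLES)):
        print(f"over-authorized: {emp} infotype {infotype}")
```

The same set difference can be used as a review check: any user holding more than one structural profile together with more than one general profile is a candidate for excess grants of this kind.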
Workaround
If you use a separate user for each context, it is easier to map different contexts (roles) with the correct authorization.
For example, if Manager 1 wants to perform his activities as Manager of his team, he simply uses his user name. As soon as he wants to perform his role as Payroll Manager, he needs a second system user (with the respective authorization as in the above example).
The problem is that you will need many users to map the user-specific contexts in your company. This is why the context solution has been developed for HR Master Data.
See also:
Context Solution