Authorization object that is used during the authorization check for HR Reports.
This authorization object is used to:
Run reports in HR Reporting (with reports that are based on the logical databases SAPDBPNP or SAPDBPAP)
Evaluate logged changes in infotype data
Process person-related data using payment medium programs from Accounting
The P_ABAP authorization object contains the following fields, which are tested during an authorization check:
| Authorization Field | Long Text |
|---|---|
| COARS | Degree of Simplification of the Authorization Check |
| REPID | ABAP Report Name |
More Information About the Fields
Using P_ABAP in HR Reporting:
You can use the relevant authorizations for this object to control how the objects P_ORGIN, P_ORGXX, and the customer-specific authorization object P_NNNNN are used in the specified reports to check the authorization of HR infotypes. You can also use reports to control the infotype authorization check. This can be useful for functional reasons or to improve performance at runtime of the corresponding reports.
For this object, enter the report name(s) in the REPID field and the degree of simplification to be used for the authorization check in the COARS field.
The following degrees of simplification are possible:
Authorization using COARS = <BLANK> or no authorization. The authorization checks are to be processed as in
Authorization using COARS = 1. The authorization checks for the infotype/subtype combination and for the organizational assignment are carried out separately. This means that a user is authorized to read a personnel number when he or she has read authorization for all the infotypes (subtypes) requested by the program and also has read authorization for the organizational assignment of the personnel number.
Authorization using COARS = 2. The authorization check is inactive.
Note
Note that a P_ABAP authorization for report SAPDBPNP with COARS = 2 means that all HR reports based on the logical databases PNP or PAP (nearly all reports) no longer perform any authorization checks. In general, you will only want to deactivate the authorization checks for a very small number of reports. In case of doubt, do not assign your users authorizations for the P_ABAP object.
Furthermore, note that this authorization object differs from the object S_PROGRAM (ABAP: Program Run Checks). The latter is used for general program authorization checks. In HR reports, these checks are carried out in addition to the HR infotype authorization check. HR Reporting, however, overrides the HR infotype authorization check for selected reports, with the result that the authorization checks are weakened or completely switched off.
Examples:
In your company, the authorization for infotypes is set up independently of the authorization for specific organizational units. For example, an administrator is authorized to access address, personal, and education data and is responsible only for personnel area 0101. This does mean that the administrator would be authorized to access addresses in personnel area 0101 and personal data in personnel area 0102. If you enter 1 in the COARS (Degree of Simplification) field, the authorization check takes account of how the authorization has been set up by reading the reports entered in the REPID (Report Name) field, and the authorization check for a user with this authorization runs more quickly.
If certain HR reports are not critical (telephone lists and so on) and authorization protection is not required, enter the report name and * in the Degree of Simplification field. The system then checks the specified reports to see whether the user is authorized to start the report (S_PROGRAM (ABAP: Program Run Checks) authorization object), but performs no other authorization checks.
In your company, one user has access to all HR infotype data. Assign this user an additional authorization for the existing object by entering * in the REPID and COARS fields. Consequently, the system only checks if this user is authorized to start the report. It does not check whether this user is authorized to display the requested HR infotype data. The fact that the user has unlimited authorization does not change the results of the authorization check, but does affect the runtime required to produce the result "is authorized to". The reports are processed more quickly.
A time administrator carries out time evaluations using the RPTIME00 report (HR: Time - Time Evaluation) for employees assigned the organizational key 0001TIMEXXX. To obtain certain additional information that is required internally and that the program user cannot see or can see only partially, the system must read the Basic Pay (0008) infotype, amongst others, during time evaluation. To be able to carry out time evaluation, the time administrator must have a display authorization for the Basic Pay (0008) infotype. On the other hand, the user should not have general display authorization for the Basic Pay (0008) infotype. To restrict the read authorization for the Basic Pay (0008) infotype for employees with the 0001TIMEXXX organizational key in the RPTIME00 report, use the following authorizations:
P_ORGIN (HR: Master Data) – two authorizations:

    INFTY = 0008
    SUBTY = *
    AUTHC = R
    VDSK1 = <Blank>

    INFTY = <Blank>
    SUBTY = <Blank>
    AUTHC = <Blank>
    VDSK1 = 0001TIMEXXX

P_ABAP (HR: Reporting):

    REPID = RPTIME00
    COARS = 1
A simple check is carried out for the infotype authorization check in conjunction with the RPTIME00 report (HR: Time – Time Evaluation): The system independently checks infotype, subtype, and level on the one hand, and organizational assignment (in the example, the VDSK1 field (Organizational Key)) according to degree of simplification 1. The Basic Pay (0008) infotype can also be read in the RPTIME00 report (HR: Time – Time Evaluation).
However, if the check is not in conjunction with the RPTIME00 report (HR: Time – Time Evaluation), all fields of the object P_ORGIN (HR: Master Data) are checked together. This check does not result in read authorization for the Basic Pay (0008) infotype.
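The RPTIME00 example above can be traced with a small model of the three degrees of simplification. This is an added illustration, not SAP code: the function names, the Python representation of authorizations, the constructed request record, and the report name ZOTHER_REPORT are assumptions, only the P_ORGIN fields shown in the example are modelled, and a P_ABAP entry is matched on the report name alone (the effect of SAPDBPNP on all PNP/PAP-based reports is not modelled).

```python
from fnmatch import fnmatchcase

INFOTYPE_FIELDS = ("INFTY", "SUBTY", "AUTHC")   # infotype, subtype, level
ORG_FIELDS = ("VDSK1",)                         # organizational key only (simplified)

def covers(auth, request, fields):
    """True if one authorization grants every requested value in `fields`."""
    # A blank ("") authorization value grants no non-blank value; "*" grants all.
    return all(fnmatchcase(request[f], auth.get(f, "")) for f in fields)

def coars_for(p_abap, report):
    """Highest degree of simplification granted for `report` ('' = none)."""
    degrees = {a["COARS"] for a in p_abap if fnmatchcase(report, a["REPID"])}
    if degrees & {"2", "*"}:
        return "2"
    return "1" if "1" in degrees else ""

def may_read(p_orgin, p_abap, report, request):
    """Model of the infotype read check a report performs for one record."""
    degree = coars_for(p_abap, report)
    if degree == "2":                      # check inactive
        return True
    if degree == "1":                      # infotype part and org part separately
        return (any(covers(a, request, INFOTYPE_FIELDS) for a in p_orgin)
                and any(covers(a, request, ORG_FIELDS) for a in p_orgin))
    # Blank or no P_ABAP authorization: one authorization must cover all fields.
    return any(covers(a, request, INFOTYPE_FIELDS + ORG_FIELDS) for a in p_orgin)

# The time administrator's authorizations from the example above.
P_ORGIN = [
    {"INFTY": "0008", "SUBTY": "*", "AUTHC": "R", "VDSK1": ""},
    {"INFTY": "", "SUBTY": "", "AUTHC": "", "VDSK1": "0001TIMEXXX"},
]
P_ABAP = [{"REPID": "RPTIME00", "COARS": "1"}]

# Constructed request: read Basic Pay (0008) for an employee with that org key.
BASIC_PAY = {"INFTY": "0008", "SUBTY": "0", "AUTHC": "R", "VDSK1": "0001TIMEXXX"}

if __name__ == "__main__":
    for report in ("RPTIME00", "ZOTHER_REPORT"):   # second name is hypothetical
        print(report, may_read(P_ORGIN, P_ABAP, report, BASIC_PAY))
```

When reviewing roles, the same model shows why a P_ABAP authorization with * in REPID and 2 or * in COARS deserves scrutiny: `may_read` returns True for every report and record regardless of P_ORGIN.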
Using P_ABAP to evaluate logged changes in infotype data:
Evaluations of the logged changes in infotype data are subject to infotype authorization checks. The person who starts this kind of evaluation normally has extensive infotype authorizations. In this case, it makes more sense to assign the user a global authorization using the RPUAUD00 report (Logged Changes to Information Types Data) rather than to check individual data. To do so, use an authorization for the existing object that has the value RPUAUD00 in the REPID field (ABAP – Report Names) and the value 2 in the COARS field (Degree of Simplification).
Using P_ABAP to process personal data using payment medium programs in Accounting:
The payment medium programs in Accounting specifically process extremely sensitive personal data. As an additional security measure, the system checks whether the user has a corresponding authorization for the existing object and checks whether the user is authorized to start the program. You must enter the name of the payment medium program in the REPID field (ABAP – Report Names) and the value 2 (or *) in the COARS field (Degree of Simplification).