Authorization

An authorization allows a user to perform a specific action on a specific object. You can define authorization checks to be performed for the nodes in a business object by adding authorization objects to the node. In this way, you can ensure that only authorized users can access the data in search results or reporting.

To assign an authorization object to a PFCG role:

  1. Go to transaction PFCG, enter the role name and choose Change.

  2. In the Authorization tab, assign the authorization object in Maintain Authorization Data and Generate Profiles.

In GRC, the following types of authorization objects are available:

| Authorization Object | Description |
|---|---|
| GRFN_ODP | Authorization check for HR objects based on entity and object ID |
| GRFN_ODP_C | Authorization check for special HR objects with complex IDs |
| GRFN_ODP_E | Entity level authorization check for non-HR objects |
| GRFN_ODP_R | Authorization check for regulation specific entities |
| GRFN_ODPRC | Authorization check for complex ID and regulation specific entities |

Note: Ad-hoc Issue and Policy use role-user assignment authorization. The assignment information is stored in table GRFNROLEASSNMT.

Special HR Objects with Complex ID

Some objects contain special entity IDs that cover two HR object types. In such cases, the object ID length of these entities is extended to 9, allowing one extra character for identification. These objects use the special complex ID authorization check GRFN_AUTH_C. The following special HR objects use the complex ID authorization check:

| Object Type | Object ID Format | Example | Description |
|---|---|---|---|
| Activity | 8 digit number + S | 50****01S | Activities mapped from subprocess |
| Activity | 8 digit number | 50****01 | Newly created activities |
| Activity Category | 8 digit number + X | 50****01X | Activity categories mapped from subprocess |
| Activity Category | 8 digit number | 50****01 | Newly created activity categories |
| Control | L + 8 digit number | L50****01 | Local change allowed controls |
| Control | 8 digit number | 50****01 | Local change not allowed controls |
| Risk | 8 digit number + X | 50****01X | Risk template |
| Risk | 8 digit number | 50****01 | Local risk |