Authorization in SAP HR

Q. What is double verification principle ?

• All critical data is protected
• Authorization to access specific data has to be given

Q. Authorization in SAP?

A. Authorizations control system users’ access to system data and are therefore a fundamental prerequisite for the implementation of business software. There are two main ways to set up authorizations for SAP Human Resources:

• General Authorizations - determines which object data (infotype, subtype) and which access mode (Read, Write ...) the user has an access.
• Single Role       - Individual authorizations either  to screens, infotypes, etc.,
• Composite Role- Group of Single Roles clubbed together and called as composite role

• Structural Authorization: determines to which object/objects in the organizational structure the user has an access. It describes the special authorizations that you can define in Personnel Planning and Development in addition to the basic access authorizations

Q. What is a role and what is it made up of? / How are the authorizations in a role maintained?

A. Role is the way how authorizations are granted in SAP or the activities which are performed by an individual are restricted. A role consists of all the duties performed by an individual in the organization. For e.g., the clerk or the manager or buyer or dispatcher etc.. Two managers of same cadre have same type of duties. Technically a role contains all the items(transactions or tcodes, reports, links) which are needed by an individual in particular position.

In a  role-based authorization system the structure of organization is well defined, the activities performed by each individual are defined clearly and the users are assigned to generic roles (technical)  which contains tcodes necessary for performing the job. There are three types of roles.

• Single roles
• Composite roles
• Derived roles

Q. Composite Role

A. A composite role has many single roles. No authorization data can be maintained in a composite role.  You can enter some menu entries like links to websites, reports only. Tcodes cannot be added. The authorization data has to be maintained only in the single roles.

When you attach a composite roles to a user all the single roles gets attached to him. In the change documents it shows the single profiles that belongs to single roles gets attached to them. Suppose a composite role has 3 single roles. When you attach this composite role to a user then 3 authorizations profiles will get attached to him. The change count  in SUIM will be 3.

Q. Derived Role

A. These roles are derived from already existing roles.The derived roles inherit the menu structure and functions (including transactions etc…) of the referred role.

Q. What is Profile Generator?

A. The Profile Generator tool allows authorization administrators to automatically generate and assign authorization profiles. 

Q. What are the main advantages of the Profile Generator?

A. The Profile Generator tool is used to:

• Select transactions from the company menu
• Retrieve all authorization objects to transactions selected (Via Check ID Tables)
• Generate authorizations once field restrictions have been entered for each authorization object
• Group authorizations in auto-generated profiles

The administrator has only to configure customer-specific settings such as:

• The Company Menu enables transactions available for customer
• The Check ID tables 1) assign the authorization objects that are relevant to a transaction, and 2) assign default values for authorization objects
• Once the configuration is complete, the profile generator will then be capable of managing all tasks, such as selecting the relevant authorization objects for transactions selected.

Q. Are authorization objects or profiles assigned to users?

A. A user's authorizations for the various objects in the SAP R/3 System are determined by authorization
profiles that are assigned in the user master record.

An authorization object is made up of a maximum of 10 authorization fields. For the sake of clarity, the authorization objects are grouped according to applications. 

Authorization profiles are lists of authorization objects and the corresponding authorizations.

Reporting in HRM - QnAs

Q. Logical Databases

A. For every SAP HR consultant it is important to understand HR logical databases in SAP HR. A layer above the physical database lies the HR logical databases called PNP, PCH and PAP. Logical databases contain data tables from sub-modules of SAP HR.

Logical Database	Infotypes	Logical Area
PNP	0000-0999, 2000 to 2999	HR Master Data & Time
PAP	4000-4999	Recruitment
PCH		Infotypes of specified object type else all infotypes

 

Note : You should know when to choose between the PNP and the PCH logical databases when building your report or query and the key is whether you want the primary key for selection to be the personnel number or the object type. If the primary key is to be the PERNR (personnel number) then you should select the PNP logical database and if you want it to be any object type like O – org unit, S- position, C- job, L- Business Event Group, D- Business Event Type E- Business Even etc, then you should select the PCH logical database. And PAP when the primary key must be the applicant number.

This means if you want to query by employee the business events attended, you choose PNP, and if you want to know for certain specific business events who are the attendees, you choose PCH logical database to build your query, program or reports.

Q. Is the Business Information Warehouse (BIW) part of the SAP R/3 system?

A. BIW is independent of SAP R/3 system. It integrates state-of-the-art data warehouse technologies with SAP business know-how

A data warehouse is an independent application environment with its own database that retrieves information from various data sources and is designed to perform queries and analyses.

Q. Can customer-specific reports be incorporated in the Managers Desktop?

A. Yes. Manager's Desktop is tailored to the daily needs of managers - line managers, for example - by helping them to perform their administrative, organizational, and strategic tasks and make Human Resource decisions with the help of swift access to required HR data of directly and indirectly subordinate employees. It then enables them to report on this data.

Managers can also execute cross-application functions: for example, they can execute workflow tasks (work items) or start reports from Controlling. Manager's Desktop can be used to execute a wide range of standard reports from Human Resources and Controlling, as well as customer reports. Its web browser integration means that Manager's Desktop enables managers to display intranet and Internet pages.

Q. Where do you find standard reports in HR?
A. You can search for standard reports in individual applications, or across several applications. Application-specific standard reports are available in the info systems of individual HR components. In addition, standard HR reports are grouped together in comprehensive info systems in the SAP Easy Access menu.

Info systems for components: All of the reports for a specific HR component are grouped together by content in that component’s info system. To access the info system of individual HR components, choose the following:

• Human Resources ® <component> ® Info system ® Reports
• Human Resources ® Payroll ® <continent> ® <country> ® Info system
• Human Resources ® Time Management ® <component> ® Info system

HR Information System: The HR Information System contains the reporting tools and all HR-specific reports. To access the HR Information System, choose the following:

• Human Resources ® Information system ® Reports

SAP info system: By far the largest collection of standard reports is contained in the SAP info system. The standard HR reports can be accessed in one of two ways:

• Info systems ® Human Resources ® Reports ® <component>
• Info systems ® General report selection ® Human Resources ® <component>

If you require a report that is not included in the standard system, you can use the HR reporting tools to create reports yourself. Depending on the data you want to report on, you can use the following reporting tools in Human Resources:

• InfoSet Query
• SAP Query
• The Business Information Warehouse

If the HR reporting tools do not enable you to create the report you require without having to program, you can consider undertaking your own customer development.

Q. What is a user group, what is an infoset and how are the two related?
A. User Group: To set up an appropriate working environment for end users, the system administrator maintains user groups. Users who work in the same application are grouped together in user groups.

• It does not matter which users within a user group actually defined its queries. They can be executed by every user assigned to this user group.
• However, users assigned to a user group can only change and redefine queries if they have the appropriate authorization to do so.
• Queries that belong to other user groups cannot be changed, but it is possible for them to be copied and executed.
• Every user can be assigned to more than one user group.

InfoSets are special views of logical databases. An InfoSet determines which fields of a logical database can be reported on by queries. InfoSets are assigned to user groups. InfoSets are structured according to field groups. An InfoSet can only be based on one logical database. For this reason, you can only select one logical database to create an InfoSet.

Q. What is a field group? Give examples from HR.
A. Field groups in HR correspond to infotypes.Eg. Personal data (first name, last name etc)

Q. What can an Ad Hoc Query be used for?
A. Ad Hoc Query is a simple and efficient tool for selecting and processing HR data.

• Ad Hoc Query is the tool that is best suited to line item (flat) reporting.
• Ad Hoc Query has the following advantages:
• Report definition is simple using Drag&Drop
• You can report on data from Personnel Administration, Organizational Management, Training and Event Management, Recruitment, and Personnel Development
• You can select selection and output fields as required.
• There are numerous report design options. 
• The resulting set is displayed before output 
• Real data is selected and output – it is a one-screen application 
• Results are determined very quickly because the database is accessed directly 
• Logs