Weigh Your Options for Implementing Overall Authorizations
- by Tero Tukiainen, SAP Authorizations Consultant, SAPORT Consulting
- January 14, 2010
Learn the basic information for building an overall authorizations concept including specifications and examples for each different type of role as well as structural authorizations use. Also, see some examples of bad role design and specific actions to avoid.
General authorizations (or roles) can be described by the answers to two questions: "What can the user do in the SAP system?" and "To what part of the organizational structures does the user have access?" For example, listing all the transactions the user starts or the reports the user runs answers the first question. Roles can be described by all the tasks that the user completes according to his business responsibilities. Showing all the personnel planning (organizational management, personnel development, training and event management, and learning solutions management) and related time-dependent objects to which the user has authorizations answers the second question.
The decision to implement a combination of general authorizations (roles) and structural authorizations (structural profiles) should always be based on real business processes and needs. According to standard SAP functionality, you should implement both general authorizations and structural authorizations to enable and restrict users' authorizations. This requires the use of organizational structures and a link between Personnel Administration (PA) master data and Personnel Development (PD).
You basically can implement general authorizations alone because you can restrict the user's authorizations within the roles. This means you can use organizational levels, such as personnel area as a restriction. However, if you need to restrict the authorization to organizational structures, then you need to implement structural authorizations as well. You cannot implement the structural authorizations alone, because all authorizations to HR-specific data are within roles. If you need to use
the context solution, you need to implement the structural authorization as part of the overall authorizations concept.
You have different options for the use of overall authorizations, including roles (general authorizations) and structural authorizations (structural profiles). I point out the pros and cons of using each type of role for general authorizations. In addition, I explain when and where to use structural authorizations.
Would you like to see this full item?