Perform Authorizations Properly by Defining Authorization Main Switches

  • by Tero Tukiainen, SAP Authorizations Consultant, SAPORT Consulting
  • February 19, 2010
Whether a company is implementing the SAP standard authorizations concept or the context-specific authorizations concept, some specific switches need to be applied. Learn about the importance of the main switches for SAP ERP HCM authorizations as well as specifications for employees in a default position.
Key Concept
Authorization main switches can be used to tailor the behavior of an authorization check on SAP ERP HCM infotypes according to specific requirements. They are stored in table T77S0 under the group name AUTSW. Storing the authorization main switches in the T77S0 table is advantageous because the switches can be defined differently at the client level. Authorization main switches are defined by a specific number in the specific field in table T77S0. With authorization main switches you define the way your SAP system makes the main authorization checks like the one on SAP ERP HCM master data. For example, to have SAP ERP HCM master data (without context) switched on, you need to change the switch from 0 (standard value) to 1. You maintain all the other switches the same way. For most of the switches you need to choose 0 (inactive) or 1 (active). For terminated employees in a default position you need to choose between 0 (inactive) and 1, 2, 3, or 4 depending on how you’d like the system to check the authorizations for the terminated employees. For tolerance time for authorization check, the SAP default value is set to 15. With the implementation of the SAP authorizations concept, this value can be set to anything including zero.

All authorizations-related switches in most cases are specified either for the standard authorization check or the context authorization check. With the first implementation of the authorizations concept, all switches are set to inactive. Basically it’s a question of either/or: Either the SAP standard solution is activated or the context solution is activated. Note that in a very special case, you can specify the switches for a combination of both the standard and the context authorization check. Although I explain how to do that, I do not advise it.

In my previous article, “Weigh Your Options for Implementing Overall Authorizations,” I explained the steps for the implementation of both general and structural authorizations. I showed examples of bad role design and specifics to avoid. I described the different types of roles and using them with the structural authorization profiles. In this article, I explain the options for the implementation of different authorization main switches and the importance of basing the authorization main switches on the real business requirements, which guarantees a solid implementation of the authorizations concept.

Tero Tukiainen

Tero Tukiainen is the managing partner of SAPORT Consulting Inc, which he founded in 2009. He is an SAP HR-certified consultant who has specialized in SAP security and authorizations since 2000. Tero has spoken at SAP HR conferences in both Europe and the US since 2005.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.