
Evaluation Paths

An Evaluation Path is a chain of relationships between related OM objects in the Organizational Hierarchy. Different evaluation paths can be used to return different sets of OM objects even when all of the individual paths start from the same start object. As such, evaluation paths are used a lot in OM reports and in structural authorizations.

Evaluation Paths are created/maintained through the transaction OOAW shown below. The standard SAP system ships with a number of pre-defined evaluation paths. Since the standard evaluation paths can only use the standard relationships and objects defined in SAP, it stands to reason that we need to create new evaluation paths to use our own relationships/OM objects.

OOAW - View for Evaluation Paths

As an example, we select the evaluation path PERSON and see how it's defined.

OOAW - Define Evaluation Path

The PERSON evaluation path is meant to return the OM objects used in staffing along a standard organizational hierarchy. As such, it can be used to evaluate the reportees of a line supervisor, and it is used for this purpose in the MANAGER structural profile. The definition of the evaluation path starts with an org unit. The path returns all positions (S) assigned to the start org unit (O) and the persons (P) linked to those positions. Finally, to build the entire org hierarchy, the path continues to evaluate the subordinate org units and positions (lines 30 and 40).
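The traversal described above, modelled in Python as an added example (not SAP code and not from the original article). The relationship records and object IDs are constructed, and the two paths are simplified assumptions for illustration rather than the definitions shown in OOAW.

```python
from collections import deque

# Constructed relationship records: (start type, start id, relationship, target type, target id).
# Object IDs are made up; relationship codes are assumptions of this example.
RELATIONS = [
    ("O", "1000", "B002", "O", "1100"),  # org unit 1000 is line supervisor of org unit 1100
    ("O", "1000", "B003", "S", "5001"),  # org unit 1000 incorporates position 5001
    ("O", "1100", "B003", "S", "5002"),
    ("O", "1100", "B003", "S", "5003"),  # vacant position, no holder
    ("S", "5001", "A008", "P", "0001"),  # position 5001 is held by person 0001
    ("S", "5002", "A008", "P", "0002"),
    ("S", "5001", "B007", "C", "3001"),  # link to a job; neither path below follows it
]

# An evaluation path as ordered steps: (object type, relationship, related object type).
PATH_STAFFING = [("O", "B003", "S"), ("S", "A008", "P"), ("O", "B002", "O")]
PATH_ORG_ONLY = [("O", "B002", "O")]


def evaluate(path, start_type, start_id):
    """Return every (type, id) reachable from the start object using only the path's steps."""
    start = (start_type, start_id)
    seen = {start}
    queue = deque([start])
    while queue:
        otype, oid = queue.popleft()
        for step_type, rel, target_type in path:
            if step_type != otype:
                continue  # this step does not apply to the current object type
            for s_type, s_id, r, t_type, t_id in RELATIONS:
                target = (t_type, t_id)
                if (s_type, s_id, r, t_type) == (otype, oid, rel, target_type) and target not in seen:
                    seen.add(target)
                    queue.append(target)
    return seen


def ids_of(objects, object_type):
    """Sorted IDs of one object type within an evaluation result."""
    return sorted(oid for otype, oid in objects if otype == object_type)


if __name__ == "__main__":
    for name, path in (("staffing", PATH_STAFFING), ("org only", PATH_ORG_ONLY)):
        result = evaluate(path, "O", "1000")
        print(name, {t: ids_of(result, t) for t in "OSPC"})
```

Both evaluations start at the same org unit, yet only the staffing path reaches persons, and neither reaches the job because no step follows that relationship. When a path is used in a structural profile, the returned set is the set of objects the user can reach, so the choice of path and root object is what to review.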

Once defined, the evaluation path can be used to return a particular view of the org hierarchy through the PPST transaction.

PPST - Evaluation Options

The report output shows the evaluated objects.

PPST - Report Display

In the next article, we explore the use of evaluation paths in defining structural authorizations or PD profiles.

11 thoughts on “Evaluation Paths”

  • Hey Aninda

    After reading the documents on your site I have kinda gotten an idea of HR Security but still have a doubt as to how everything fits in together… how are the HR objects, structural authorizations, evaluation paths and org structures interconnected in a SAP system? It's like, for any system to work, what are the steps that need to be followed? I don't necessarily want to know how things are done but just an outline as to what all should be in place for the smooth functioning of the HR piece in SAP. Thank you so much for all your help and guidance.

    Reply
    • Hi Aina,

      As far as general authorizations (roles) are concerned, there is not a whole lot of difference between HR and other functional areas. So you basically analyse the current business processes to arrive at a suitable user-role-tcode matrix, build your roles, test the roles and move them to production during go-live.

      For structural authorizations to work, there are quite a few steps which need to be configured correctly. The key thing to understand is to ensure that all the steps have been accounted for rather than follow a set sequence of steps. I would try to follow the following sequence but other sequences would probably work just as well. Also remember that a lot of the following steps would typically be performed by the HR consultants.

      – Start with setting the authorization switches, the integration between PA and OM should also be on (check with the HR team for this step)
      – Build the org hierarchy
      – Determine if new object types and/or relationships are needed. If needed configure these in SPRO.
      – Adjust existing evaluation paths or create new ones.
      – Create PD profiles. Use static assignment of objects, evaluation paths or function modules depending on requirements
      – Decide on an assignment strategy for PD profiles (direct assignment or assignment via IT 1017 to positions/jobs/ etc)

      Always remember that the sequence will change as you keep working on your project. New requirements will come which need to be incorporated into your design. Hope this helps… and best of luck!

      Regards,
      Aninda

      Reply
  • Greetings Aninda,
    I assigned a PERNR (person) to a position in the ORG structure using T-CODE PPOSE. I then ran the reports RHBAUS02/01/00 for the user assigned the PD profile for which the ORG unit (that incorporates the position assigned to the PERNR) is the root object. I noticed that T77UA updated the new entries in SAP memory and I was able to see the new PERNR in OOSB. However, when I execute PPST, I do not see the new PERNR (person) that I had assigned in PPOSE although I can see the ORG UNIT and the other PERNRs. Why did PPST not update to return all newly added objects? Is there a report that needs to run first in order for this update? Infotype 0001 also updated right away for the PERNR after the assignment in PPOSE. OM is a little confusing as different views show the hierarchies differently. Which hierarchy is reliable for building PD profiles? PPOME, PPOSE or PPST? I know that without a reliable picture of the ORG structure, it is impossible to build a PD profile with a start object that incorporates several org units.
    Thanks
    Atta

    Reply
    • What is the evaluation path in the PD profile which is returning the pernr? Ideally this evaluation path with the same start object should return the same hierarchical tree in PPST. I normally use the evaluation o-o-s-p in returning the org structure of a company while building PD profiles.

      Reply
  • venugopal talla

    Hi All,

    I am Venu, working as a SAP Security consultant (support). Recently I have faced one problem. I got one issue, but am not able to resolve it. Please, can anyone suggest something on this?

    Issue: HR Admin is trying to recruit (hiring process) (Tcode: PA40, Infotype 0000, action type 1B-Hiring) one employee to a particular position, whose position will be active from 01.09.2012, but the HR admin is getting an error saying “your are not autho to the position “XXXXXX” “.
    Here my doubt is: the user can't hire a person until the position is active? I mean, until it is available in ORG STRUCTURE (T77UA)? Then only he/she is able to perform hiring actions? Means we can hire a person on that date when the position is active?

    Reply
    • Aninda

      How is T77UA related to org structure?

      A lot of things might be happening. Start by running a security trace and check that you have all the different auth objects being checked. Then start looking at structural authorizations.

      Are you trying to hire to a default position (99999….)? Then check auth switches DFCON or ORGPD as applicable in your setup.

      Reply
  • Hi Aninda,

    Hope this thread is still active. Anyway, I set up a structural authorization in OOSP to restrict the view of a person to a specific org unit only (in PPOSE, PPOME). It’s working well, but the person can’t seem to view and create jobs in PPOME. Can you help me determine which evaluation path in OOSP I should give the user access to?

    thanks in advance =)

    Miguel

    Reply
    • Aninda

      Hi Miguel,

      This is more complicated than you think as different evaluation paths return different objects depending on requirements. Do you need to restrict view for any jobs? If not a single entry in your PD profile for the object type without specifying any object id or evaluation path will give access to all jobs. If you need specific jobs, get in touch with your HR team for guidance.

      Thanks,
      Aninda

      Reply
  • Hello Aninda,

    I have a question after going through your posts on Structural Authorization. As far as I understand, the Object Id, if made dynamic, is determined by the Function Module and this is considered as the root for an Evaluation path. Say suppose you are determining the Org id using a function module – the evaluation path will consider this as the root and fetches the objects and populates them in T77UA for the user. This works well when the user is under an org unit (say A) which is constant and he will have access to the objects defined in the evaluation path. Say suppose there is an HR, who will need access to the same data of users under different org units – B, C and D. How is this dynamically obtained using a Function module? Is it the right approach to create a relationship A741, making the HR ‘responsible’ for Org units B, C and D and then use a function module to gather the objects under these Org units?

    Reply
    • Your approach will work. You will have to write a new Function Module to use the relationship in determining the start objects. The standard FM will not be enough

      Reply
  • harish

    Hi Aninda

    Thanks for good article.

    I am getting a bit confused..

    To create a evaluation path

    1 – OOAW & then please can you explain with detailed screen shots.

    Reply
