HR Basics
SAP HR deals with private employee data, much of which may be of a sensitive nature. As a result, HR security is typically more stringent than security for the other SAP modules. In many non-HR applications, security is geared mainly towards preventing the wrongful entry of data into the system. In HR, however, even the display of private data can lead to non-compliance with prevailing laws and regulations.
Apart from the overtly sensitive nature of HR data, another reason for separating it out into its own category on this site is to emphasize two provisions unique to HR.
- Firstly, most of SAP security is based on positive authorization, i.e. the presence of a particular authorization in the user buffer gives access to additional functionality. HR is one area where negative authorization can also be used alongside the existing positive authorizations. A negative authorization prevents a user from accessing some application because of the presence of a certain authorization in their user buffer.
- Secondly, HR uses structural authorizations to restrict HR access to a certain part of a hierarchy (for example an organizational structure), independently of the general authorizations assigned through roles.
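As an added illustration, not part of the original post and not SAP's own authorization check code, the following Python model shows how the two HR-specific provisions combine with ordinary positive authorizations: access is granted only when a matching positive authorization is present, no matching negative authorization is present, and the employee sits inside the user's structural profile. The class names, the org-unit hierarchy and the user buffer are constructed for the example; the infotype numbers are used only as sample values.

```python
"""Simplified model of positive, negative and structural authorization in HR.

Added example: the classes, the org-unit tree and the evaluation order are a
teaching model constructed here, not SAP's authorization objects or its
actual check logic.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Authorization:
    """One entry in the user's authorization buffer.

    kind == "grant": normal positive model, having it adds access.
    kind == "deny":  models the HR negative authorization, having it removes
                     access even when a matching grant is also present.
    """
    infotype: str        # sample values, e.g. "0002" or "0008"
    activity: str        # "display" or "change"
    kind: str = "grant"  # "grant" (positive) or "deny" (negative)


@dataclass
class OrgTree:
    """Hierarchy used for the structural authorization: org unit -> children."""
    children: dict = field(default_factory=dict)

    def subtree(self, root: str) -> set:
        """All org units reachable from root, including root itself."""
        seen, stack = set(), [root]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            stack.extend(self.children.get(node, []))
        return seen


@dataclass
class HrUser:
    buffer: list                 # list of Authorization
    structural_roots: list       # org units the structural profile starts from


def is_allowed(user: HrUser, tree: OrgTree, infotype: str, activity: str,
               employee_org_unit: str) -> bool:
    """Decide access to one infotype of one employee.

    Three independent conditions must all hold:
      1. a positive (grant) authorization for infotype + activity exists;
      2. no negative (deny) authorization for infotype + activity exists;
      3. the employee's org unit lies inside the structural profile, i.e. in
         the subtree below one of the user's structural roots.
    """
    grants = {(a.infotype, a.activity) for a in user.buffer if a.kind == "grant"}
    denies = {(a.infotype, a.activity) for a in user.buffer if a.kind == "deny"}
    key = (infotype, activity)
    if key not in grants:
        return False          # positive model: nothing granted, nothing allowed
    if key in denies:
        return False          # negative authorization overrides the grant
    in_scope = set()
    for root in user.structural_roots:
        in_scope |= tree.subtree(root)
    return employee_org_unit in in_scope   # structural restriction


def demo() -> dict:
    """Constructed scenario: returns the decision for four representative cases."""
    # Constructed hierarchy: CORP -> SALES, FIN; SALES -> SALES-EU
    tree = OrgTree({"CORP": ["SALES", "FIN"], "SALES": ["SALES-EU"]})
    # Constructed user: display on two infotypes, one of them negatively
    # blocked; structural profile covers only the SALES branch.
    user = HrUser(
        buffer=[
            Authorization("0002", "display"),
            Authorization("0008", "display"),
            Authorization("0008", "display", "deny"),
        ],
        structural_roots=["SALES"],
    )
    return {
        "in_scope_granted": is_allowed(user, tree, "0002", "display", "SALES-EU"),
        "out_of_structural_scope": is_allowed(user, tree, "0002", "display", "FIN"),
        "blocked_by_negative_auth": is_allowed(user, tree, "0008", "display", "SALES-EU"),
        "no_positive_auth": is_allowed(user, tree, "0002", "change", "SALES-EU"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'allowed' if result else 'denied'}")
```

Only the first case is allowed: the other three fail on the structural check, the negative authorization and the missing positive authorization respectively, which is the point of treating the three as independent conditions rather than one role assignment.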
Hello Aninda
Do you know the use of parameter UGR value 10 and why we have to make sure it is not abused? Should we not assign SU3 to users so as to prevent them from updating this parameter?
The UGR parameter is meant for default HR user group for a person. The user group is used as part of config entries to control the user interfaces (for example the infotype entries or number of tabs) in standard SAP HR transactions like PA20, PA30, etc. Also, this parameter just controls the user interface. So security will always be checked in the backend and there are ways to display infotypes even if they are not in the default interface. I am not aware how user group 10 has been used in your landscape as this is totally dependent on configuration.
Please check with the functional HR guys about the ways in which user group is being used in your system. As you mention, any user with access to SU3 will be able to change the default values for UGR maintained in their user master. I don’t believe taking away SU3 is the solution in this case, as this might have other implications for maintenance. However, someone (a process owner) has to take a call about the sensitivity of users changing their UGR parameters.
Hello Aninda,
Normally we assign the parameters below in the SAP HR system:
CATS_APPR_PROF ESH_LINE
CVR Z_ESHER
MOL 45
Can you please let me know why we have to assign them in SAP?
Hi Shanker,
User parameters in general are used to provide default values for various transactions/applications.
CVR is used to provide the default time entry profile in CAT2.
MOL is MOLGA, or the default country grouping.
CATS_APPR_PROF is the default for the CATS approval profile used by Time Approvers.
Regards,
Aninda
Hello Aninda,
Can you explain structural authorization in more depth, and what its differences from general authorization are?
Thank you
Please read through the other posts in the HCM Security section. There’s lots of info already there.