PD Profiles – Assignment
PD profiles can be assigned to users in two basic ways:
- Transaction OOSB can be used to assign one or more PD profiles directly to users. Adding entries to the T77UA table through SM30/SM31 has the same effect.
- PD profiles can also be assigned to OM objects like positions through infotype 1017 (through transactions like PP01/PP03).
Also note that a user without an entry in the T77UA table would by default have the PD profile access that is assigned to the SAP* user in the table. SAP provides a standard program, RHPROFL0, to read the PD profile values from IT 1017 for a position and create an entry in the T77UA table for the user assigned to the position. For SAP installations using indirect assignment of profiles, this program is generally scheduled to run in batch every night. A screen with the various options available for this program is shown below.
- Assigning the PD profiles to the position instead of direct assignment in the T77UA table can potentially save a lot of effort in manual maintenance of profile entries and is the recommended practice.
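The SAP* fallback and the exclusion flag are the two things worth reviewing in any T77UA extract. The following audit sketch is an added example, not code from the original post or from SAP: it assumes the table has been exported to CSV with columns UNAME, PROFL, BEGDA, ENDDA and EXCLD, and every user and profile value in the sample is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample standing in for a T77UA export. Column names and all
# user and profile values are assumptions made up for this example.
T77UA_EXPORT = """UNAME,PROFL,BEGDA,ENDDA,EXCLD
SAP*,ALL,1900-01-01,9999-12-31,
MGR_ONE,Z_MANAGER,2020-01-01,9999-12-31,
TIMEKEEP1,Z_TIME_ORG,2020-01-01,2021-12-31,
HR_CENTRAL,Z_ALL_HR,2020-01-01,9999-12-31,
HR_CENTRAL,Z_BOARD,2020-01-01,9999-12-31,X
"""
DEFAULT_USER = "SAP*"

def load_rows(text):
    """Parse the export into dicts with typed dates and a boolean flag."""
    return [{"user": r["UNAME"], "profile": r["PROFL"],
             "begda": date.fromisoformat(r["BEGDA"]),
             "endda": date.fromisoformat(r["ENDDA"]),
             "excluded": r["EXCLD"].strip().upper() == "X"}
            for r in csv.DictReader(io.StringIO(text))]

def valid_entries(rows, user, on_date):
    return [r for r in rows
            if r["user"] == user and r["begda"] <= on_date <= r["endda"]]

def effective_profiles(rows, user, on_date):
    """Own entries if any are valid, otherwise the SAP* default entries."""
    own = valid_entries(rows, user, on_date)
    if own:
        return "direct", own
    # Assumption: an expired entry counts the same as no entry at all.
    return "default", valid_entries(rows, DEFAULT_USER, on_date)

def audit(rows, users, on_date):
    """Report users inheriting the SAP* profile and exclusion-flag entries."""
    findings = {"fallback": {}, "exclusions": []}
    for user in users:
        source, entries = effective_profiles(rows, user, on_date)
        if source == "default":
            findings["fallback"][user] = [e["profile"] for e in entries]
        findings["exclusions"] += [(user, e["profile"])
                                   for e in entries if e["excluded"]]
    return findings

if __name__ == "__main__":
    users = ["MGR_ONE", "TIMEKEEP1", "HR_CENTRAL", "NEW_HIRE"]
    print(audit(load_rows(T77UA_EXPORT), users, date(2024, 6, 1)))
```

Users listed under `fallback` hold whatever profile the SAP* row carries, so a broad default there is effectively granted to every user who has no entry of their own.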
On Infotype 1017, do you know what the exclusion column is all about?
We thought that if you had a large structural authorisation and there was a request for a user to have access for all but one org unit, the column was ticked, which seemed to work for PA20/PA30 access but not for training and events, as it prevented the training catalogue from being displayed.
I have read somewhere else that it is for the exclusion of branch structures from struct auths, but need a bit more info.
Can you provide any?
Thanks
Debbie
Hi Debbie,
PD profiles, as you probably already know, are used to restrict users to a certain set of OM objects (positions, org units, persons, jobs, etc.). The exclusion flags in the T77UA table, in OOSB and in IT1017 all serve the same purpose. Once checked, the user with this particular PD profile has access to all objects which are not part of the PD profile. Hope this helps!
Regards,
Aninda
I wanted to find out if there is a way of mass removing the PD profiles from the users. We have 200 users that we are trying to remove and going into OOSB and doing it one at a time would be probably a day’s work. Can you please suggest an easier and less painful way of doing it?
I don’t believe there is a transaction for mass removal, but you can use any of the existing tools for mass action for removing profiles. Thus any of SECATT, LSMW or SHDB will work. This blog already has another post on how to use LSMW for mass user creation. Creating a script for PD profile removal will follow the same general steps.
Hello Aninda
I wanted to find out what is the best way to approach this issue. We have multiple timekeepers in the company. Would the best way be that for all the timekeepers I create one role, make personnel area an org level, assign them the personnel area they are responsible for, and assign them each a PD profile with the correct evaluation path they are supposed to access, or is there another approach I should take?
Thanks in advance
Hi Aaina,
My personal view is to use structural authorization only in those cases where general authorizations would not be enough to meet requirements. In your case, if timekeepers are responsible for all individuals in personnel areas, a general authorization solution should be enough. Only in the case where timekeepers are responsible for just certain people in a personnel area should you be thinking of setting up structural authorizations.
Regards,
Aninda
Hi,
I think the Tcode used to assign PD profiles to users is OOSB, whereas OOAC is used to maintain auth switches.
If I am correct, please correct this in the above topic.
You are correct. It’s a typo from my side. Guess not enough proofreading being done :-)
Hi,
Can you kindly explain the process of assigning PD profiles to OM objects like positions?
I am not able to navigate to the screen which you have shown above in the example through PP01/PP03.
Kindly explain with some more detailed steps to get to the above screen.
Thanks in Advance
Venkat
PP03 allows you to modify positions. To add PD profiles, select the position in PP03, select the position id in the initial screen, scroll down and highlight PD profiles at the bottom of the screen, and create the new entries for PD profiles. It’s this screen that’s copied in the above article. On saving the entries, the PD profile is attached to the position. The same process can be used in PP01 as well.
Hello Structural Authorisations experts. I hope someone has the answer for me on this question. How do you deal with multiple employees seeing their own payslips? The problem is that we have managers who are ME’s. They are a manager within one Org unit and a normal employee in another org unit. With structural Auths they can see their own Org unit and staff. But to display their payslip via the portal, the program determines that they need to see their second (third etc.) job, and they do not have authorisations to see that employee, even though it is their own second record. It has got me stumped.
Hi Fred,
First of all, this is the first time I am hearing the exact term “Multiple Employees”. Do you mean employees who have more than one active pernr using the concept of Concurrent Employment?
How do you identify the different pernrs linked to an ME? Once you find the answer to this question, you need to write a function module (it will follow similar logic to the RH_GET_MANAGER_ASSIGNMENT function module supplied by SAP) which will dynamically take the user id of a person and identify the different pernrs assigned to him. This function module should be used as a new line in the existing PD profile for managers.
Hope this helps!
Regards,
Aninda
Hi Aninda,
Thanks for sharing the knowledge on HR/HCM concepts. I would like to understand this from a blueprint perspective in regards to HCM. What I have at the moment is the BPML from the Functional team as a base template to start off. But I’m puzzled how to start off with the requirements gathering: how would I know a specific task/activity to group it under a Business Role? Is this Functional team driven or Security driven? The workshops between the Functional team and the Client happened without involving the security team. How would I best approach it? Please share your thoughts. Thanks, Deepak
The job of determining business roles should be owned by the clients, as the business roles are really unique responsibilities of their business users. Start with a meeting where business reps, functional consultants and security folks are all involved. A simple breakup involves determining the unique teams working in their company. For HR, you might have different teams for recruitment, benefits, compensation, staffing, organisation management, payroll, time entry etc. Some teams might have subteams as well – external, internal and flexible staffing come to mind.
Once the teams are identified, you can start by building roles and use the SAP* template roles provided by SAP as guides. Add/remove tcodes depending on feedback from users and functional teams.
If you are using GRC, run a risk analysis for your roles to see which have inherent conflicts and need to be adjusted.
Thanks for the reply, Aninda. We are miles away from starting with the role build. What I’m trying to understand is: let’s say the business processes are defined and the functional folks are updating the process maps accordingly. Based on the process maps, how best can I build a role specification matrix? Usually, it’s the functional team? Please correct me if wrong.
I’m sorry. I mean usually it’s the functional team who start with the transactions and business role definitions, and as security consultants we chip in to sort them into single/composite roles?
The functional team will certainly be the first point of contact to determine the business roles and map transactions to them. However, it’s beneficial if the security team is involved even at this stage. A security consultant with enough experience in SAP controls can look at the business roles and check if there are any obvious segregation of duties risks in the business roles. Fixing these if the business roles are already signed off is a common pain point later on during the implementation.
Thanks for the reply Aninda
Hello Team,
Greetings for Year 2013. Good info available. Keep posting.
Thanks.
Regards,
Anwar
Hi Anwar,
Thanks for your wishes. Happy new year to you as well. I do certainly intend to keep on posting.
Aninda
Hello,
In our HR system, we are using:
1) Context-based solution (P_ORGINCON) – Profile name is added to the PROF field of P_ORGINCON. T77UA is not updated.
2) BADI HRBAS00_GET_PROFILE (for automatic profile assignment) – Does not update table T77UA.
3) Two function modules –
FM 1 – Standard – RH_GET_MANAGER_ASSIGNMENT for managers
FM 2 – Custom – ZFM…. – For Central HR Professionals, which provides access to org units based on Contract value in IT0001.
Now, we are pulling ECC/HR data to the BW system using 0PA_DS03.
Issue – I found everything seems to be working fine (BADI, Standard FM and P_ORGINCON) on the ECC side (RSA3) and on the BW side.
However, the Custom FM works perfectly on the ECC side (displaying data in PPOSE etc.), but it does not show up any records when checked in RSA3. So the data which is going to BW is also not correct.
How and where is the problem? Any help on this will be appreciated.
Remember that this is a standard extractor delivered as part of the business content and you might need to tweak the logic to make it work for you. Since your structural security is working properly on ECC, the matter would be better investigated by someone with more experience with extractors. Also check that the id you are using for RSA3 or running the extraction has full general and structural authorizations.
Hi,
Please tell me the difference between normal mode & expert mode.
Using the expert mode allows you to re-read the SU24 check indicator values and defaults during role maintenance. You can choose to merge these values with the existing values in the role. The normal mode will not give this option.
Hi,
I have a PD that I wish to distribute to all users on the org structure. I have attached the PD at the top node of the structure via PP01, and am running program RHPROFL0 to distribute the assignment.
This will only assign it to users who hold a position directly assigned to that org unit and none below.
What steps are required to achieve such a model?
Regards,
Sam
I am not confident that what you want to achieve can be done via standard RHPROFL0. All the use cases that I have seen for RHPROFL0 use PD profiles assigned to positions.