SAP HCM: Context-sensitive authorizations

One employee, several responsibilities in different areas of the company? You can use context-sensitive authorizations to map this without employees needing a separate SAP user for each area of responsibility. Today we explain how to use context-sensitive authorizations, which objects you need and what you need to pay attention to.

It’s a typical example: an employee in the HR department is responsible for recording working hours for the entire company. At the same time, as team leader, she needs access to the salary data of her team members, but should not be able to see that of all other employees in the company for data protection reasons.

With “normal” and even structural authorizations, you will reach your limits here. The authorizations would add up. This means that if you were to grant the employee access to the salary data of her team and the working time data of all other employees, the employee would end up being able to view the salary data of all employees. To solve this, you would have to assign two users to the employee to separate the tasks. However, this is not only error-prone, but also very cumbersome in everyday working life. This is where context-sensitive authorizations come into play.

Context-sensitive authorizations: Prerequisites and procedure

Context-dependent authorizations allow you to define roles in a more differentiated way. However, this only works if you:

  • have a well-maintained org management and
  • already work with structural profiles.

If these requirements are met, you must:

  • replace the conventional authorization objects in the relevant roles with context-dependent objects,
  • deactivate the conventional objects in the relevant authorization main switches and activate the context-sensitive objects,
  • Assign structural authorization profiles to all users (if not already done) and integrate these into the context-sensitive objects in the roles.

Context-sensitive authorization objects

You can recognize context-dependent authorization objects by the ending “CON”. They replace the corresponding objects without this ending. These are the following objects (and the associated authorization main switches):

not context-sensitive objectcontext-sensitive objectMain switch for context authorizations

Context-sensitive and non-context-sensitive objects only differ in a single field: CON objects also have the Authorization profile field. Furthermore, all of the above-mentioned objects allow the fields to be defined:

  • Authorization level
  • Infotype
  • Personnel area
  • Employee group
  • Employee subgroup
  • Subtype
  • Organizational key

Use the authorization profile field

Enter the respective structural profiles in the Authorization profile field. It is important that you also assign these profiles to the respective users. This can be done either via transaction OOSB or via the Business AdIN (BADI) HRBAS00_GET_PROFL.

Please note: There is no predefined order for the structural profiles in the standard system. This can quickly become confusing. You should therefore ensure that the profiles are named as clearly as possible. You use the profiles to assign the authorization depending on the organ unit, e.g. a department, a team, etc.

Good to know: You always use context-sensitive authorization objects to authorize infotypes or subtypes. You cannot use them to define authorizations according to transactions, for example.

For our example, the employee could have two authorization profiles: ZB_EIGEN for her own team and Z_GESAMT for the entire company. To differentiate the authorizations for both areas of responsibility, define the P_ORGINCON object twice in the role.

The first variant allows the team leader to view the salary data (infotype 0008) of her own team. The second variant authorizes her to edit certain working time data (infotypes 2001 – 2004) of all employees in the company. This prevents unwanted overlaps.

Activate main authorization switch for context-sensitive authorizations

If you want to switch from structural to context-sensitive authorizations in SAP HCM, it is recommended that you first equip all roles with context-sensitive objects and transfer the field values from the conventional objects.

Leave the conventional objects in the roles. If an error occurs during the changeover to context-sensitive authorizations, you can quickly switch to the old version and your employees will remain able to work.

To activate context-sensitive authorization objects, go to the overview of authorization main switches in the HR system via transaction OOAC.

Find the relevant main switches for your objects here and set them to the value “1”. Save the selection. This activates the context-sensitive authorization objects. Do not forget to set the main authorization switches for the conventional objects to “0” to deactivate them.

Leave a Reply

Your email address will not be published. Required fields are marked *