
HR Security

What is an HR System?
An HR system deals with company data, employee data and payroll data, much of which may be sensitive.
Example: after an employee joins the organization, personal, company and payroll data is maintained for that employee, and the HR system stores all of it.

HR data is divided into three main categories.

Company Data: Organization hierarchy, branches, policies, etc.

Employee Data: Personal data and professional details.
Payroll Data: Payroll could fall under either company data or employee data; here it is treated as a separate category because it is very important to any company's growth.

Note: Payroll is a crucial factor for companies and an important part of the HR system.

HR Security: The HR security concept is used to restrict access to confidential and private data. HR security defines two levels of security.

[Diagram: HR Security Level. Level 1: Public data. Level 2: Confidential & Private data (Structural Authorization).]

Level 1 HR Security
Level 1 security is achieved through the standard authorization concept: T-code & Authorization.

Level 2 HR Security
Restriction based on designation, location or department is not possible with the standard authorization concept.

Hence we use Structural Authorization.

Level 1 HR Security
The first level of security is implemented with the standard authorization concept; in SAP HR it is built on the concept of the infotype.
Infotypes: An infotype (information type) represents a unit of information; anything related to the company, an employee, payroll, etc. is represented in the form of an infotype. In general, infotypes are structures that store related HR data.
Each infotype is identified by a 4-digit number from 0000 to 9999.
For example, the address of an employee is stored in a unique infotype, 0006. Similarly, there are different infotypes storing personal data (0002), bank details (0009), basic salary (0008), etc. Some infotypes are further divided into subtypes, an example being the address infotype. An address entry can belong to the subtype permanent residence, temporary residence, emergency address, mailing address, etc. Infotypes are relevant from a security standpoint because SAP provides standard authorization objects that allow us to secure infotype and subtype combinations for users.

0000 - 0999: Personnel Administration (PA)
1000 - 1999: Personnel Planning (PP)
2000 - 2999: Time Management (PA)
4000 - 4999: Recruitment (PA)
9000 - 9999: Customer Specific (can store either PA or PP information depending on infotype configuration)

How do we provide or restrict access to these infotypes?

Ans: This is done with infotype access restrictions through authorization objects. The following objects are used.
PA Data (Employee Data): PA data can be restricted with the following authorization objects.
P_ORGIN : HR Master Data
P_ORGXX : HR Master Data Extended Check
P_PERNR : HR Master Data Personnel Number Check
P_APPL : HR Applicants
PD/OM/PP Data (Company Data): This can be controlled by one object.
PLOG : HR Personnel Planning

Payroll Data:
P_PCLX : HR Clusters

T-Codes
PA20 : Display HR Master Data (Employee Data)
PA30 : Maintain HR Master data (Employee Data)
PO13 : Maintain Position (Company Data)
PO10 : Maintain ORG Unit (Company Data)
Note: As security consultants we do not create HR master records; HR master records are created only by the HR functional consultant.

What is the difference between a UMR and an HR record?

SU01 - SAP Access
PA20 - Employee Record
Communication infotype (0105): This is the link between SU01 and PA20.

Indirect Role Assignment: In indirect role assignment we do not assign a role directly to the user; we assign a position to the user. There are two types of indirect role assignment.

Position Based
Org Unit Based

[Diagram: Role, Sales Manager (Position), 100096 (Person No), Communication infotype, Bell3 (User_Id).]

What is Organization Hierarchy?

Every organization has several departments, and departments ultimately report to other departments at a higher level. The organization hierarchy is the structure from the top level to the bottom level that defines which department reports to which and who holds each position (for example, the head of a department), so that the departments can be segregated.
The organization hierarchy is therefore one of the most important parts of the HR system.

[Diagram: Organization with a Sales Department, a Finance Department and an HR Department, each with a Manager and a Clerk.]

Structural Authorizations
Structural authorizations, as the name suggests, are used to restrict access to a certain organizational structure. As such they are only used while accessing HR data. In general, structural authorizations serve two purposes:

Restrict access to certain OM objects such as Org Units, Jobs, Tasks, Qualification Catalogs, etc.

In interaction with the authorization objects for PA master data, restrict access to a certain set of persons in the enterprise.

While using structural authorizations, it is important to note that:

A person's total authorization is the result of the interaction between their general authorizations (through roles) and their structural authorizations (through PD profiles).

Structural authorizations are always used to restrict access. You can never use structural authorizations to grant access. They can only restrict access to a smaller set of objects or people than is already given through general authorizations.

While using structural authorizations to restrict access, we need to ensure that access to the corresponding objects is also added to the user's roles through PLOG.

PD Profile: A PD profile is used to limit access in structural authorization.

[Diagram: Role, Sales Manager, 100096 (Person No), Bell2 (User_id), Sales PD Profile.]

PD Profile T-codes

OOAC
OOSP
OOSB

OOAC: Activates the structural authorization switch.

OOSP: PD profiles are created through the OOSP transaction. SAP provides a few standard profiles, but to a large extent PD profiles are created by individual customers depending on their requirements.
OOSB: Transaction OOSB can be used to assign one or more PD profiles directly to users.
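
A simplified model of the rule from the Structural Authorizations section: the structural check only narrows what the role already grants, and it applies only while the switch (OOAC) is active. This is an added example, not SAP code; the org tree follows the page's chart, and the personnel numbers other than 100096, the role contents and the function names are assumptions.

```python
# Simplified model (not SAP code): effective HR access is the intersection of
# general authorization (role) and structural authorization (PD profile).

# Constructed org structure based on the page's chart: org unit -> children.
ORG_TREE = {
    "Organization": ["Sales Department", "Finance Department", "HR Department"],
    "Sales Department": ["Sales Manager", "Sales Clerk"],
    "Finance Department": ["Finance Manager", "Finance Clerk"],
    "HR Department": ["HR Manager", "HR Clerk"],
}
# Position -> personnel number of the holder. 100096 is from the page; the
# others are constructed. HR positions are left vacant on purpose.
HOLDER = {"Sales Manager": "100096", "Sales Clerk": "100097",
          "Finance Manager": "100098", "Finance Clerk": "100099"}


def persons_below(root):
    """Return personnel numbers reachable from root by walking down the tree."""
    found, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node in HOLDER:
            found.add(HOLDER[node])
        stack.extend(ORG_TREE.get(node, []))
    return found


def may_access(role_grants, pd_root, pernr, infotype, level, structural_on=True):
    """role_grants: set of (infotype, level) pairs standing in for P_ORGIN values.
    pd_root: root object of the user's PD profile (hypothetical, one root only)."""
    general_ok = (infotype, level) in role_grants
    # The structural check can only narrow the result; it never adds access.
    structural_ok = (not structural_on) or pernr in persons_below(pd_root)
    return general_ok and structural_ok


# Constructed role for user Bell2: read address (0006) and personal data (0002).
BELL2_ROLE = {("0006", "R"), ("0002", "R")}
BELL2_PD_ROOT = "Sales Department"  # stands in for the "Sales PD Profile"

if __name__ == "__main__":
    cases = [("100097", "0006"), ("100099", "0006"), ("100097", "0008")]
    for pernr, infty in cases:
        print(pernr, infty, may_access(BELL2_ROLE, BELL2_PD_ROOT, pernr, infty, "R"))
```

The third case is the one to check in a role review: basic salary (0008) stays inaccessible even for a person inside the profile, because the role never granted it.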
