Access control in HCM - Structural Authorisations

Date: 17 Aug 2009

By Mark Wade.

The role of the HR department continues to evolve. Organisations expect more from their HR teams without increasing headcount. In many organisations the HR practitioner is moving from an administrative role to that of a strategic facilitator who adds real value by strengthening the organisation's capabilities, implementing improvements to human resource performance so as to compete better in the marketplace.

The shift in the HR department's focus has introduced the need to decentralise many of the HR administrative functions out into the workforce, to line managers, team administrators and to the employees themselves. This approach is of course supported by SAP, typically via Employee Self Service and Manager Self Service. One of the challenges is to ensure that the visibility of employee related data and associated transaction processing is contained and only available to those with proper authorisation.

Any SAP HR project in which employee information becomes available to users outside the HR department immediately triggers concerns, particularly for IT Managers and the SAP Support team responsible for SAP user administration, especially if they have limited exposure to the SAP HR application. A breach of data confidentiality can undermine trust in the system completely, quite apart from the impact on the individual concerned and on the organisation. Some organisations must also satisfy internal audit reviews and external regulation (for example the Sarbanes-Oxley Act) by demonstrating, on an ongoing basis, that HR data and HR transactions are secured.

Overview of HR Authorisations

SAP HR authorisations can be split into two components:

  • A general authorisation check against the employee master record and its associated objects, e.g. infotype and subtype, and
  • A structural authorisation check that restricts access by hierarchical object type, for example the SAP Organisational Structure.

In earlier releases of SAP, segregating authorisations according to the role of an individual user could be complex. Take the example of an Accounts Manager who uses SAP to report salary cost at summary level for most, but not all, of the organisation. Their structural authorisation would be set up for a large subset of the organisational hierarchy. A later project then implements Manager's Desktop or Manager Self Service, where the same Accounts Manager should be structurally bound to viewing and maintaining data only for the employees in their own team. Applying this restriction adversely affects their access to the salary cost report, because a user's structural authorisation applies to every general authorisation they hold: the new, narrower restriction takes precedence. There are ways around this problem (customer authorisation objects, or implementing an authorisation BAdI), but these can create unforeseen issues that result in additional build, support and regression-testing effort.

HR Context Sensitive Authorisation

SAP has addressed this complexity from release 4.7 with the introduction of HR Context Sensitive Authorisation (applying it to earlier SAP releases may be possible, but would require SAP support). This solution allows structural authorisation control to be 'embedded' within a general authorisation check. For example, a user with a Manager Self Service role is structurally bound to the Organisational Units, Positions and People they manage, so that access to confidential data is granted only for the employees in the manager's hierarchy. The same user can be given a separate general authorisation for generic employee personal data, such as name and address, across the whole organisation or a different subset of it, by attaching a different structural profile to that authorisation. The two general authorisations are completely independent of each other, and the structural control is applied at the level of the general authorisation object, i.e. per infotype, subtype and so on.
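To make the difference concrete, the following is an added example, not SAP code and not from the original article, that models the two checks in Python. The object names P_ORGIN and P_ORGINCON (with its PROFL field) are SAP's; the organisational tree, the two structural profiles, the infotypes used and the evaluation logic are constructed for the illustration. It replays the Accounts Manager scenario: under the classic model, narrowing the user's structural profile for Manager Self Service breaks the salary cost report, whereas under the context model each authorisation carries its own structural profile and the two do not interfere.

```python
"""Model of classic vs. context-sensitive HR authorisation checks in SAP HCM.

Constructed illustration, not SAP code: the object names P_ORGIN and
P_ORGINCON (with its PROFL field) are SAP's, but the org tree, profiles,
infotypes and the evaluation logic below are invented for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Set

# Constructed organisational hierarchy: Oxx = org unit, Pxx = person.
ORG_CHILDREN: Dict[str, List[str]] = {"O1": ["O2", "O3"], "O2": ["O4"], "O3": [], "O4": []}
ORG_PERSONS: Dict[str, List[str]] = {"O1": ["P1"], "O2": ["P2"], "O3": ["P3"], "O4": ["P4", "P5"]}

# Structural profiles: name -> root org units the profile starts from
# (a stand-in for the configuration of a profile; assumed data).
STRUCT_PROFILES: Dict[str, List[str]] = {
    "FIN_REPORT": ["O2", "O3"],  # most of the organisation, excluding the board (O1)
    "OWN_TEAM": ["O4"],          # the org unit the accounts manager heads
}


def evaluate_path(root: str) -> Set[str]:
    """Walk the tree top-down from root and collect persons (stand-in for an org-unit-to-person evaluation path)."""
    persons: Set[str] = set()
    stack = [root]
    while stack:
        unit = stack.pop()
        persons.update(ORG_PERSONS.get(unit, []))
        stack.extend(ORG_CHILDREN.get(unit, []))
    return persons


def profile_scope(name: str) -> Set[str]:
    """Personnel numbers a structural profile resolves to; an unknown or empty profile resolves to nothing."""
    scope: Set[str] = set()
    for root in STRUCT_PROFILES.get(name, []):
        scope |= evaluate_path(root)
    return scope


@dataclass(frozen=True)
class GeneralAuth:
    """P_ORGIN-style general authorisation: which infotypes, and read (R) and/or write (W)."""
    infotypes: FrozenSet[str]
    authc: str


@dataclass(frozen=True)
class ContextAuth(GeneralAuth):
    """P_ORGINCON-style authorisation: the same fields plus its own structural profile (PROFL)."""
    profl: str = ""


def check_classic(auths: Sequence[GeneralAuth], user_profiles: Sequence[str],
                  infty: str, authc: str, pernr: str) -> bool:
    """Classic check: a matching general authorisation AND the user's structural profiles, applied to every access."""
    general_ok = any(infty in a.infotypes and authc in a.authc for a in auths)
    scope: Set[str] = set()
    for name in user_profiles:
        scope |= profile_scope(name)
    return general_ok and pernr in scope


def check_context(auths: Sequence[ContextAuth], infty: str, authc: str, pernr: str) -> bool:
    """Context check: each authorisation is evaluated together with the structural profile it carries."""
    return any(infty in a.infotypes and authc in a.authc and pernr in profile_scope(a.profl)
               for a in auths)


def accounts_manager_scenario() -> Dict[str, bool]:
    """Replay the article's Accounts Manager example under both models."""
    general = [GeneralAuth(frozenset({"0008"}), "R"),           # basic pay, for the salary cost report
               GeneralAuth(frozenset({"0002", "0006"}), "RW")]  # personal data and addresses, for MSS
    context = [ContextAuth(frozenset({"0008"}), "R", "FIN_REPORT"),
               ContextAuth(frozenset({"0002", "0006"}), "RW", "OWN_TEAM")]
    return {
        # Before the MSS project: the report works across the finance reporting scope.
        "classic_before": check_classic(general, ["FIN_REPORT"], "0008", "R", "P2"),
        # The MSS project narrows the user's structural profile to their team: the report now fails for P2.
        "classic_after_restriction": check_classic(general, ["OWN_TEAM"], "0008", "R", "P2"),
        # Context-sensitive: the report keeps its wide scope ...
        "context_report": check_context(context, "0008", "R", "P2"),
        # ... while MSS maintenance is bound to the manager's own team.
        "context_mss_own_team": check_context(context, "0006", "W", "P4"),
        "context_mss_other_team": check_context(context, "0006", "W", "P2"),
    }


if __name__ == "__main__":
    for name, ok in accounts_manager_scenario().items():
        print(f"{name:28s} {'granted' if ok else 'denied'}")
```

Note the deny-by-default behaviour in `profile_scope`: a context authorisation whose PROFL is blank or refers to a profile that does not exist grants access to nobody, which is the safe failure mode when a profile is renamed or deleted.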

Reduce the Number of Profiles Required

The context solution opens up new opportunities in the way SAP HR authorisations are managed and assigned. Creating new relationships between HR objects and using those relationships in the configuration of structural profiles can reduce the number of SAP authorisations needed. For example, a custom relationship between Position and Organisational Unit could be created for a time administrator and that evaluation built into the structural profile. This could greatly reduce the number of authorisation profiles an organisation has set up using restrictions based on non-structural fields such as the employee's Organisational Key, Personnel Area and Personnel Subarea.

More Efficient User Administration

Assigning authorisations and user roles at Position level rather than user level can greatly improve the efficiency of SAP user administration. The HR team can assign employees to Positions knowing that the employee will inherit the relevant authorisations from the Position and will automatically be structurally bound through the Position's relationships within the Organisational Hierarchy. This removes the manual step of the SAP Support team re-assigning user roles at HR's request each time an individual moves from one Position to another. The HR team can also assign new object relationships to an employee's Position that trigger a change in structural access, again without needing to engage the SAP Support team.

This article has only scratched the surface of the options surrounding HR authorisations and the benefits and controls that can be achieved. Many of these may be considered intangible in the short term and can be difficult to include in a business case for a project. However, system integrity is of the utmost importance given the confidential nature of HR data. With the ongoing drive towards decentralised HR administration, these considerations should always be at the forefront of any HR project.
