Context Authorization Check

Problem with Structural Authorizations

Assigning General and Structural authorization profiles to a user can cause context problem. This happens when a user has more than one role to perform and he needs different structural authorization profiles. This results in overriding the authorizations as the resultant authorizations are a sum of the individual general authorizations using authorization object P_ORGIN applied to all structural profiles (from table T77UA). You can visit this example to understand this in detail. There is one work around and that is to create a different user for every different role but that way there will be so many users.

Context-sensitive Structural Authorizations

There was introduced the concept of context-sensitive authorizations for HR master data. Using this, overriding the authorizations in the above mentioned scenario can be avoided (without creating user for every different role). It requires the technical settings of the Context Authorization Objects P_ORGINCON (Master data with context) and/or P_ORGXXCON (Extended check with context and/or P_NNNNNCON (customer-specific authorization with context). Then there is a central system switch table T77S0 in which the following switches require settings (can be done using transaction OOAC) : AUTSW INCON, AUTSW XXCON, AUTSW NNCON and AUTSW DFCON. This is the part of the procedure requiring great caution as using contextual authorization check is major decision and has its effect on the existing setup. Once the context solution is in place, we have general authorizations P_ORGINCON or P_ORGXXCON (instead of P_ORGIN earlier) specific to a Structural profile. The new authorization object/s have one additional field : PROFL, where you can enter the relevant structural profile. You can visit this example from SAP help to understand context-solution for the HR authorization problem in context of different roles in more detail.

The structural profiles for User Authorizations should be defined and assigned to your users in question in the table T77UA. You just need structural profiles from the PROFL field (Authorization profile) for maintenance of the user master record.

BAdI HRBAS00_GET_PROFL

In the light of the availability of Context-solution, several customers want to avoid maintaining the T77UA table, which can be done by implementing the HRBAS00_GET_PROFL (BAdI: Assigned Structural Profiles) Business Add-In (BAdI). This enables them to define structural profiles differently by having the system define the structural profiles from the user master record (context authorization objects).