What is the difference between sturctural Authorization and Role
Authorization. In what situation we need to maintain the Structural
Authorization? For Role Authorization, we maintain it in PFCG. Where and how do
we maintain Structural Authorization?
The role authorisation is used for regular authorisation. for example
Transaction codes : PA20, PR20, CAT2,CADO, PPMDT, PR05 - It is done based on
role assigned by Basis group.
The user id mentioned in IT 0105 is assigned to the TC PFCG
The structural authorisation is typically belongs to HR module. It has both
benefits of positive and negative tests.
Steps to do Structural Authorisation:
Step1 : TC OOAC
Activate the Structural Authorisation switch
Step 3 : Assign Structural Authorisation profile to user Id
TC : SE38 and assign report RHRPROFL0 enter object id for example ( Org unit )
Assign regular Role authorisation..
SAP HR Tips by: Karthik
Role Authorization can be set on all Master Data Infotypes i.e.
Structural Authorizations can be set for the administrator who is involved in
different evaluations/accessing structures whether in OM/PD/TE etc. Ex ;
Creating, Maintaining, delecting objects in structures. You have to run Report
RHPROFL0 to generate Structural Authorizations and they are stored in PD Profile
IT i.e. 1017.
If you are manually maintaning more than one S.Authorization profile for a
position, you can use 1016 IT also.
For customization see IMG under OM-> Structural authorization. There are many
criterias to be considered while creating Structural Authorization profile.
I noticed that in IT1016, we are assign the profile > at the position or
org unit level while in PFCG, we assign it at the person level..the the user
ID. Does that mean that in Structural Authorization, anyone that hold the
position will have the same authorization? Can Structural Authorization stand
alone without any role authorization?
Role authorisation is only for ITs access. Same way Structural authorization
is only for Structures access..
Ex. An administrator who is supposed to access all employees in own
department, role authorization will not help because Org Unit is an Object
correct, so you need to use structural authorization...
Ex. If the same administrator is supposed to access all employees based on
Ent.Strucutre/Pers.Stru. criterias, role authorization alone sufficient.
Ex. If the same administrator is supposed to access all employees in his own
department but not managerial level, then you need both authorizations i.e. role
An administrator can be assigned both authorizations to access ITs and
Authorizations (both)can be assigned directly to the position (which is
called Indrect Role Assignment) so that they will be assigned to the User
automatically whoever occupies.. we donot need to generate each and everytime
the user changes..