KNUZEN   SAP HCM SECURITY
SAP HCM authorizations and system performance

Split HCM from the ERP system. Reduce the number of authorization objects. Keep the structural authorizations fit for fight.
SAP HCM Authorizations and performance
Tips and Tricks

Authorization checks will always consume performance, but with a few tips and tricks you can avoid the most common performance obstacles. I will give some advice based on many years of experience and correspondence with SAP Walldorf. The first section focuses on the normal SAP HCM authorizations, and the last section covers the structural authorizations.

Role based authorizations

For “normal” authorizations there are a few simple rules to follow to keep performance good.

Split the HCM system from the FI/CO/Logistics system, so that the HCM application works on its own system and the finance and logistics applications work on another system. The HCM data will always be used by other applications such as workflows, electronic invoicing, projects, travel and sales responsible, and each time another application requests access, the authorization checks start and performance is affected. By separating the two environments from each other we reduce the load on our SAP HCM data, and the user roles become simpler to handle because we can focus on access to HCM data only. We also avoid the complex handling of users with mixed FI/CO, LO and HCM roles, where we can easily end up with a violation of segregation of duties.

The SAP HCM applications can make use of several authorization objects, but the rule of thumb is to use as few authorization objects as possible, because this reduces the number of authorization checks. Most PA/OM authorization needs can be fulfilled with PLOG, P_ORGIN/P_ORGINCON and P_PERNR. Please note that activating additional authorization objects for access to employee data is relevant not only for pure SAP HCM roles but for ALL roles. This is of course only the case when the SAP HCM applications share one system with FI/CO and logistics.

The last rule is common sense: have as few roles/profiles as possible for your users.
When you set up your authorization concept, you can design your roles so that they match your business processes. For SAP HCM this is rarely a problem, because the SAP HCM application more or less covers full processes. You will be able to set up authorizations separately for the sub-areas PA, OM, PD, PT, PY and so on. These roles should be created with a slim-fit focus, and the profiles in the roles should be designed with no redundant entries. Please have a concept for which roles grant access to what. E.g. access for handling personnel events such as hiring, organisational reassignment and termination is granted through e.g. the PA role and not additionally through other roles.

The structural authorizations

The structural authorizations are based on several building blocks, and each of them can play its part in reducing performance. It is therefore important not to focus on a single part when you wish to improve the overall performance of structural authorizations. You must work on several areas, like the ones mentioned below:

1. Evaluation paths used in structural authorizations.
2. Structural authorizations in use and how to structure them.
3. Creation of the SAP buffer for users, also known as structural indexation.
4. SAP* use.
5. Use of HRBAS00_STRUAUTH.

1) Evaluation paths for structural authorizations

Evaluation paths used in structural authorizations must be structured so that we differentiate between object types where access can be granted without considering the object ID and object types where access must be granted on a structural basis. To deliver access on a structural basis we have to use evaluation path drill-down, which is performance consuming. The evaluation paths must be as simple as possible, and please consider splitting evaluation paths so that they only grant access to the object types that are needed. E.g.
we will have some evaluation paths used for LSO, some for e-recruiting, some for OM and some for qualifications and performance management.

On the other hand, we must also seek to reduce the number of lines in our structural profiles, and splitting up the existing profiles with new evaluation paths will generate new lines. An extra line within an evaluation path used in a profile equals an extra drill-down in our HRP1001 table, which is time consuming. So to optimise the construction of the evaluation paths used in the structural profiles, we should run some trials with different evaluation paths and analyse which one has the best performance. This is especially true for the profiles used for ESS and MSS, because they normally add up to more than half of all assigned structural profiles.

2) Structural authorizations and how to build them

The structural authorizations are used all around the system, and they need to be structured so that they deliver access to objects once. E.g. access to display all jobs and tasks should only be granted through ESS, and not twice, through ESS and then through an MSS profile. Access should again be granted mainly on object types without evaluation paths, if possible. The use of the structural profiles can also be optimized by using skip flags. Skip flags can be used where we need the structure in order to grant access to the objects at the end, but have no interest in the objects used for building the structure. In this case we can skip the objects in between and thereby reduce the views that are built.

3) The creation of the SAP buffer / indexation

The SAP buffer is created for users who need access to many objects, and when we have created the SAP buffer for the active users, the run time for e.g. portal applications can be up to 10 times as fast as without a buffer. But even the SAP buffer has its limitations, and we must therefore always seek to reduce the amount of objects granted in.
For optimizing the use of structural authorizations you can use the OneRoleConcept's auto assignment tools to keep the T77UA table fit for fight. You can also see the page on indexation of structural profiles at this link: SAP_HCM_STRUCTURAL_PROFILES_INDEXING.

4) Use of the SAP* user

The use of the SAP* user for users who haven't been assigned a structural profile is also an opportunity. The SAP* user is a fallback for users who have not been assigned a structural profile. When this user is in use you will always have a fallback, but avoid access to the structural profile ALL, because it gives structural maintenance access to all object types, and this is not the proper way from a risk and compliance view.

5) BAdI HRBAS00_STRUAUTH, but it is not the holy grail

This Business Add-In implements customer-specific authorization checks. The BAdI must be used with care, and only where you can grant access to objects with simpler rules than those used by evaluation paths. If you just build up the same logic as evaluation paths, or even use evaluation paths in the BAdI, then you gain no optimization compared to the standard way of granting access through structural profiles. To implement the BAdI, you must process all the interface methods:

· CHECK_AUTHORITY_VIEW (Check structural authorization of an object)
· FILL_DATE_VIEW (Fill table of authorization ranges for an object)
· FILL_HYPER_VIEW (Fill table of authorization relationships)
· CHECK_AUTH_PLAN1 (Check personnel authorization)
· CHECK_AUTHORITY_SEARCH (Search function - check hit list)
· GET_PROFILES (Determine structural profile of an object)
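
The drill-down cost and the skip flags discussed in sections 1) and 2) above, as an added example that is not part of the original page and not SAP code: a simplified Python model of how an evaluation path walks HRP1001-style relationships, which objects end up in the authorized view, and how many relationship lookups each path variant needs. The table rows, path definitions and the build_view function are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed HRP1001-style rows: (otype, objid, relationship, sclas, sobid).
HRP1001 = [
    ("O", "100", "B002", "O", "110"),   # org unit 100 is line supervisor of 110
    ("O", "100", "B003", "S", "200"),   # org unit incorporates position
    ("O", "110", "B003", "S", "210"),
    ("O", "110", "B003", "S", "211"),
    ("S", "200", "A008", "P", "9001"),  # position has holder (person)
    ("S", "210", "A008", "P", "9002"),
    ("S", "211", "A008", "P", "9003"),
    ("S", "200", "B007", "C", "500"),   # position is described by job
]

# Evaluation path lines: (otype, relationship, related otype, skip flag).
O_S_P = [("O", "B002", "O", False), ("O", "B003", "S", False),
         ("S", "A008", "P", False)]
O_S_P_SKIP_S = [("O", "B002", "O", False), ("O", "B003", "S", True),
                ("S", "A008", "P", False)]
O_S_P_PLUS_JOBS = O_S_P + [("S", "B007", "C", False)]


def build_view(root, path, rows=HRP1001):
    """Simplified model: return (authorized objects, relationship lookups)."""
    index = defaultdict(list)
    for otype, objid, rel, sclas, sobid in rows:
        index[(otype, objid, rel, sclas)].append((sclas, sobid))
    view, seen, queue, lookups = {root}, {root}, deque([root]), 0
    while queue:
        otype, objid = queue.popleft()
        for line_otype, rel, sclas, skip in path:
            if line_otype != otype:
                continue
            lookups += 1  # one drill-down per path line per reached object
            for target in index[(otype, objid, rel, sclas)]:
                if target in seen:
                    continue
                seen.add(target)
                queue.append(target)   # keep walking the structure
                if not skip:
                    view.add(target)   # skipped objects never enter the view
    return view, lookups


if __name__ == "__main__":
    root = ("O", "100")
    for name, path in [("O-S-P", O_S_P), ("skip S", O_S_P_SKIP_S),
                       ("plus jobs", O_S_P_PLUS_JOBS)]:
        view, lookups = build_view(root, path)
        print(f"{name}: {len(view)} objects in view, {lookups} lookups")
```

In this model the skip flag on the position line shrinks the view from 8 objects to 5 while the persons stay reachable, and the single extra job line adds one lookup for every position reached.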