Difference between sturctural Authorization and Role Authorization
What is the difference between sturctural Authorization and Role Authorization. In what situation we need to maintain the Structural Authorization? For Role Authorization, we maintain it in PFCG. Where and how do we maintain Structural Authorization?
The role authorisation is used for regular authorisation. for example Transaction codes : PA20, PR20, CAT2,CADO, PPMDT, PR05 - It is done based on role assigned by Basis group.
Related: PFCG Roles and Authorization Concept
The user id mentioned in IT 0105 is assigned to the TC PFCG
The structural authorisation is typically belongs to HR module. It has both benefits of positive and negative tests.
Steps to do Structural Authorisation:
Step1 : TC OOAC
Activate the Structural Authorisation switch
Step 2 : TC OOSP
Create Structural Authorisation profiles
Step 3 : Assign Structural Authorisation profile to user Id
TC : SE38 and assign report RHRPROFL0 enter object id for example ( Org unit )
Assign regular Role authorisation..
Role Authorization can be set on all Master Data Infotypes i.e. HR/Planning/Payroll/Tcode etc.
Structural Authorizations can be set for the administrator who is involved in different evaluations/accessing structures whether in OM/PD/TE etc. Ex ; Creating, Maintaining, delecting objects in structures. You have to run Report RHPROFL0 to generate Structural Authorizations and they are stored in PD Profile IT i.e. 1017.
If you are manually maintaning more than one S.Authorization profile for a position, you can use 1016 IT also.
For customization see IMG under OM-> Structural authorization. There are many criterias to be considered while creating Structural Authorization profile.
I noticed that in IT1016, we are assign the profile > at the position or org unit level while in PFCG, we assign it at the person level..the the user ID. Does that mean that in Structural Authorization, anyone that hold the position will have the same authorization? Can Structural Authorization stand alone without any role authorization?
Role authorisation is only for ITs access. Same way Structural authorization is only for Structures access..
Ex. An administrator who is supposed to access all employees in own department, role authorization will not help because Org Unit is an Object correct, so you need to use structural authorization...
Ex. If the same administrator is supposed to access all employees based on Ent.Strucutre/Pers.Stru. criterias, role authorization alone sufficient.
Ex. If the same administrator is supposed to access all employees in his own department but not managerial level, then you need both authorizations i.e. role and structural...
An administrator can be assigned both authorizations to access ITs and Objects...
Authorizations (both)can be assigned directly to the position (which is called Indrect Role Assignment) so that they will be assigned to the User automatically whoever occupies.. we donot need to generate each and everytime the user changes..