SAPexperts/HR
Now that C-level executives face fines or even jail time for data breaches, the pressure to keep sensitive information secure is greater than ever. For project managers, that means including security as a top consideration when planning and executing a project.
If your company runs its human resources on SAP ERP Human Capital Management (SAP ERP HCM), you need a firm grasp of several HR security concepts to ensure that private data is kept private. According to Greg Robinette, executive director of ERP solutions and Mission Assurance at Lentech, Inc., failure to understand these concepts can cost your company dearly down the road.
“A lot of project managers don’t require the incorporation of security steps and roles early in the project blueprinting. They push it back as a technical exercise. That will cost more money and will usually be unsuccessful,” he says.
SAP ERP HCM is integrated with other applications in an SAP system, meaning sensitive data can be inadvertently exposed. Security flaws may be discovered during the testing phase or after go-live — too late to retrace your steps back to the early stages of the project. At that stage, many companies are forced to hire expert consultants to come in and untangle the mess.
Proper security planning will not only help you avoid this expense, but can also protect you against auditing agencies. Robinette says one manufacturing company’s lack of HR security planning caused a government auditing agency to prohibit the company from billing the government for millions of dollars. That could have been avoided if the company had planned its security practices from the earliest stages with the government audit in mind.
Five HR Security Concepts
Safeguarding data in SAP ERP HCM requires a slightly different approach than some other SAP applications, says Robinette. This is because transactions in SAP ERP HCM are not designed to flow down a linear path that can be secured end-to-end. Instead, SAP ERP HCM transactions pull data from several types of datasets, all of which require their own rules governing access.
For example, transaction PA20 (display HR master data) pulls an employee’s banking information, salary, family and personal information, and benefits from separate datasets. Your company’s policies will determine which of those datasets are made available to employees and managers.
“That one transaction has all of these layers underneath that need to be protected. You can’t just say ‘give me all or give me none’ like you can on the finance side,” says Robinette.
While there are dozens of concepts that can be applied to safeguard SAP ERP HCM data, Robinette lists five that project managers should comprehend before beginning any project:
1. P_ORGIN
Because SAP ERP HCM is integrated with other SAP applications in an SAP system, it is crucial to consider how personal data is accessed across the entire system and take steps to protect it. P_ORGIN is an authorization object that allows access to HR master data. It is the most important data object for project managers to understand, says Robinette.
“There are several objects that allocate who can see what, and P_ORGIN is the most important because all of the infotypes that support HR master data can be explicitly controlled by it,” says Robinette.
For example, if a shop floor supervisor is altering or implementing workflow within a material master record, he will need to see which employees are eligible. Depending on how P_ORGIN is set up, that supervisor could see salary information, Social Security numbers, and other data alongside the names of employees he’s searching for. Project managers should understand P_ORGIN because securing employee data cuts across multiple technologies.
“From a project perspective, this is key because you’ve got to be able to know where everyone is going to be accessing personal information — regardless of whether you’re thinking of it as HR or not — and how they’re going to be accessing it. That should be mapped out when you’re looking at what functionality should be included in the application. That goes for any situation in which a person’s name is going to be accessed,” says Robinette.
2. PLOG
PLOG controls access to Organizational Management (OM) infotypes, allowing users to view or change data based on the organizational unit in which they are placed. Companies often fail to break down organizations based on how their specific business processes work, instead allowing everyone access to organizational data.
Unfortunately, this can provide what Robinette calls a “back door” to personal data. For example, if two work center managers within the same cost center are asked to provide costing information, they each may gain access to salary information for the entire cost center. Depending on your company’s policies, this may not be an appropriate authorization, says Robinette.
“Is the Organizational Management design wrong in this situation? No. But is it adequate to be able to deliver services properly? No,” he says.
Many of the most recent SAP applications include functionality that uses OM objects for authorization. Project managers should be aware of this, says Robinette, so they can work with the HR team to ensure that the company’s OM structure is consistent with actual business processes.
“These are the objects that really need to be considered. Unfortunately that requires making decisions that a lot of organizations aren’t ready to make,” he says. “Many HR managers look at a company’s standard organizational chart, but that’s not typically how the company runs.”
3. P_PERNR
The authorization object P_PERNR allows you to restrict a user’s access to data based on the specific employee. For example, in a self-service scenario, you could allow a user to view and change personal master data while preventing that user from accessing data from other users. Conversely, HR employees can be authorized to see or alter data for everyone other than themselves.
“Good segregation of duties rules say I shouldn’t be able to change my own salary. I should have to collude with someone else to break the system,” says Robinette.
P_PERNR is an important concept for project managers to understand because of the increasing use of portals for employee self-service, says Robinette. Whereas roles in an SAP environment determine what users are allowed to access, roles in a portal represent sets of content.
“Those concepts oppose each other, and if a project manager doesn’t understand that, you can run into some issues. You have to have a good plan for harmonizing the portal and the SAP system,” says Robinette.
Robinette says infotype 0105 (Communication) is necessary to link a user ID in the portal with the appropriate employee record.
4. P_PCLX (and more)
Several objects in SAP ERP HCM control a user’s access to payroll information. P_PCLX controls a user’s access to time, payroll, and other areas. Other related objects include:
- P_PCR (authorization object for the payroll control record)
- P_PYEVRUN (authorization object for posting runs)
- P_PYEVDOC (authorization object for actions on posting documents)
- P_TCODE (HR transaction code authorization object)
Most payroll teams either have full access to this information or none at all, says Robinette. Project managers should be aware of these objects in the event that access to particular information is incorrectly granted or denied.
“If you have troubleshooting issues where someone forgot to add them to a role, you’ll be able to figure it out based on the issue and add the object,” says Robinette.
5. Structural Authorizations
Structural authorizations (SA) are a mechanism through which organizational relationships are linked to SAP ERP HCM authorizations and roles. Figure 1 illustrates a scenario in which two managers are both given access to salary data (P_ORGIN infotype 8). Structural authorizations allow a project manager or SAP ERP HCM team to restrict each manager to the salary information in his organizational unit only.
Figure 1: A simple structural authorizations organizational chart
“If there are two sales organizations in the same company that compete with each other, one manager shouldn’t be able to see what the other group’s people are paid. There are technical pieces that you set up in SA so the roles that include infotype 8 will be restricted to just one organizational unit,” says Robinette.
In order for SA to work, the company’s organizational structure must be designed properly and there must be a proper link between the desired authorizations and organizational units.
“Because SAP doesn’t always deliver organizational structures that account for everything in your business, you may need to create custom objects to link structural authorizations to provide the proper access. There’s a lot of flexibility, so you need to plan carefully or else you’ll make a mess,” he says.
Project managers should be aware of the critical link between the organizational management in the SAP ERP HCM system and the security of personal data across an SAP system.
“Usually the financials and HR people get together and define everything as cost centers, because that costing linkage is important for allocating payroll and everything else. At the same time, you may have a manager who is tasked with deploying time sheets, but he can’t approve them because they flow to two bosses above him instead of him — that’s now a project issue, not just an HR issue. Good project managers get involved and spot things that aren’t directly related to an integration but will be affected by extension, and deal with them early on,” says Robinette.
Many people confuse SA with indirect role assignments, a process through which authorizations are automatically granted via roles by position — such as when a new employee is hired to replace someone. The new employee would be granted the same authorizations as the person he or she replaced, sparing the HR team from having to manually grant those authorizations to the new employee.
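To make the interplay of P_ORGIN, P_PERNR and structural authorizations concrete, here is an added example (not from the article, and not SAP's own authorization code): a simplified Python model of the checks described in sections 1, 3 and 5. The field names (INFTY, AUTHC, PERSA, PSIGN) follow the real SAP objects, but the evaluation order, the employee records and the user names are constructed for illustration.

```python
# Simplified model of SAP ERP HCM master-data access checks (teaching aid, not SAP code).
from dataclasses import dataclass, field

def _match(pattern: str, value: str) -> bool:
    # '*' in an authorization field value matches anything, as in SAP role maintenance
    return pattern == "*" or pattern == value

@dataclass
class Employee:
    pernr: str     # personnel number
    persa: str     # personnel area, compared against P_ORGIN field PERSA
    orgunit: str   # org unit holding the employee's position (used by SA)
    user_id: str   # infotype 0105 subtype 0001 links the SAP user to this pernr

@dataclass
class User:
    uid: str
    p_orgin: list = field(default_factory=list)        # (INFTY, AUTHC, PERSA)
    p_pernr: list = field(default_factory=list)        # (INFTY, AUTHC, PSIGN I/E)
    struct_profile: set = field(default_factory=set)   # org units from SA profile

def can_access(user: User, emp: Employee, infty: str, authc: str) -> bool:
    # 1. Own record: an explicit P_PERNR entry decides. PSIGN 'E' excludes the
    #    access even if P_ORGIN would grant it ("I can't change my own salary").
    if emp.user_id == user.uid:
        for p_infty, p_authc, psign in user.p_pernr:
            if _match(p_infty, infty) and _match(p_authc, authc):
                return psign == "I"
    # 2. General authorization: some P_ORGIN entry must cover infotype, level, area.
    general = any(_match(i, infty) and _match(a, authc) and _match(p, emp.persa)
                  for i, a, p in user.p_orgin)
    # 3. Structural authorization: the employee's org unit must be in the profile.
    structural = "*" in user.struct_profile or emp.orgunit in user.struct_profile
    return general and structural

# Constructed sample data: two competing sales managers plus an HR administrator.
EMPLOYEES = {
    "10001": Employee("10001", "1000", "O-SALES-EAST", "MGR_EAST"),
    "10002": Employee("10002", "1000", "O-SALES-WEST", "MGR_WEST"),
    "10003": Employee("10003", "1000", "O-HR", "HRADMIN"),
}
USERS = {
    "MGR_EAST": User("MGR_EAST", p_orgin=[("0008", "R", "1000")],
                     struct_profile={"O-SALES-EAST"}),
    "HRADMIN": User("HRADMIN", p_orgin=[("*", "*", "*")],
                    p_pernr=[("0008", "W", "E")], struct_profile={"*"}),
}
```

With this data, MGR_EAST can read infotype 0008 (basic pay) only inside O-SALES-EAST, and HRADMIN can maintain everyone's basic pay except their own, which is exactly the separation the article describes.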
There are several ways for SAP ERP HCM professionals to restrict access to data more granularly than described in this article, but the five concepts listed here should give project managers a good start toward understanding how SAP ERP HCM security functionality can be used to safeguard data in any project or implementation.
Davin Wilfrid
Davin Wilfrid was a writer and editor for SAPinsider and SAP Experts. He contributed case studies and research projects aimed at helping the SAP ecosystem get the most out of their existing technology investments.