Whether a company is implementing the SAP standard authorizations concept or the context-specific authorizations concept, some specific switches need to be applied. Learn about the importance of the main switches for SAP ERP HCM authorizations as well as specifications for employees in a default position.
Key Concept
Authorization main switches can be used to tailor the behavior of an authorization check on SAP ERP HCM infotypes according to specific requirements. They are stored in table T77S0 under the group name AUTSW. Storing the authorization main switches in the T77S0 table is advantageous because the switches can be defined differently at the client level. Authorization main switches are defined by a specific number in the specific field in table T77S0. With authorization main switches you define the way your SAP system makes the main authorization checks like the one on SAP ERP HCM master data. For example, to have SAP ERP HCM master data (without context) switched on, you need to change the switch from 0 (standard value) to 1. You maintain all the other switches the same way. For most of the switches you need to choose 0 (inactive) or 1 (active). For terminated employees in a default position you need to choose between 0 (inactive) and 1, 2, 3, or 4 depending on how you’d like the system to check the authorizations for the terminated employees. For tolerance time for authorization check, the SAP default value is set to 15. With the implementation of the SAP authorizations concept, this value can be set to anything including zero.
All authorizations-related switches in most cases are specified either for the standard authorization check or the context authorization check. With the first implementation of the authorizations concept, all switches are set to inactive. Basically it’s a question of either/or: Either the SAP standard solution is activated or the context solution is activated. Note that in a very special case, you can specify the switches for a combination of both the standard and the context authorization check. Although I explain how to do that, I do not advise it.
In my previous article, “Weigh Your Options for Implementing Overall Authorizations,” I explained the steps for the implementation of both general and structural authorizations. I showed examples of bad role design and specifics to avoid. I described the different types of roles and using them with the structural authorization profiles. In this article, I explain the options for the implementation of different authorization main switches and the importance of basing the authorization main switches on the real business requirements, which guarantees a solid implementation of the authorizations concept.
Illustrations of Main Switches
With the selection between the standard authorization check and the context solution check, the specific check for structural authorizations (in the same table as the switch for roles) needs to be implemented accordingly. The authorization main switches stored in table T77S0 under the group AUTSW can be used to tailor the behavior of the authorization check on SAP ERP HCM infotypes according to the requirements. Storing the authorization main switches in the T77S0 table is advantageous because the switches can be defined differently at the client level.
Since the authorizations concept should always be based on real business requirements, it is very helpful to understand the options related to the authorization main switches. Many problems can be avoided if the values for the switches are chosen according to the business requirements. The basic information can be found at help.sap.com, but it does not go deep enough to make a real selection possible. This article shows the different options for each authorization switch based on the chosen authorizations concept implementation. Each switch is specified in detail and the purpose of each one of them is described as part of the common authorizations concept. Each switch plays its own part in the common concept, and each one of them needs to be implemented according to that concept. Although this article is mainly intended for SAP security teams that maintain the authorization concepts, it is also beneficial for HR teams to better understand the importance of the choice of settings.
I will now explain the maintenance of the authorizations concept, describing each switch and highlighting its purpose.
AUTSW ORGIN (HR: master data)
- Authorization main switch that controls whether the P_ORGIN authorization object should be used in the authorization check
- If this needs to be activated, set it to 1
AUTSW ORGXX (HR: master data – extended check)
- Authorization main switch that controls whether the P_ORGXX authorization object should be used in the authorization check.
- If this check needs to be activated, set it to 1
AUTSW NNNNN (HR: customer-specific authorization check)
AUTSW ADAYS (tolerance time for authorization check)
- Authorization main switch that is used to specify the time of the authorization check in the event of an organizational change
- This switch can be used to set how long an administrator keeps access to the data he or she has created once the employee has an organizational assignment outside the administrator's own authorization
- The tolerance time of time logic for master data infotypes is entered in calendar days
- In the standard system this switch is set to 15
- If this switch is active (i.e., it contains a value greater than zero), the organizational changes that cause users to lose authorization are delayed by the tolerance time
AUTSW PERNR (HR: master data – personnel number check)
- Authorization main switch that controls whether the P_PERNR authorization object should be used in the authorization check
- If the authorization checks on the personnel number assigned to a user need to be deactivated, set the value to 0
AUTSW APPRO (HR: test procedures)
- Authorization main switch that controls whether test procedures should be used
- Test procedures can be used if certain entries are to be checked centrally and should not be changeable after the check without further action
- If this needs to be activated, set the switch to 1
AUTSW ORGPD (HR: structural authorization check)
- Authorization main switch that controls whether the organizational structure should also be included in the authorization check in Personnel Administration
- If this needs to be activated, the possible values are 1, 2, 3, and 4
- If the organizational unit exists, and it needs to be evaluated (data stored in the organizational assignment infotype) for these personnel numbers, set the main switch to either 1 or 3
- If the organizational unit should never be evaluated for these personnel numbers, set the main switch to 2 or 4
- The different switch settings specify how the system should react to personnel numbers that are not linked to the organizational structure (that is, personnel numbers that have position entered as default position in the organizational assignment infotype)
- If the person is assigned the default position and either no organizational unit is specified in the organizational assignment infotype or it should not be evaluated, no authorization check by organizational assignment can take place. In this case you need to specify whether the system should either grant or deny the authorization by default. If the authorization needs to be denied by default, set the switch to either 1 or 2. Otherwise set it to 3 or 4.
Table 1 shows the possible combinations for switch settings. It highlights the options for the authorization main switch AUTSW ORGPD.

Table 1: Authorization main switch options for terminated employees in default position
Let me explain these options.
Choose value 1 if:
- The user’s authorizations to terminated employees in default position always need to be evaluated according to the user’s structural authorization profile assignment only
- This requires that all terminated employees always keep the organizational unit assignment they had when they were still active
- The user never gets authorization to any other terminated employees but only the ones to whom he had access according to the structural profile assignment
Choose value 2 if:
- You never give any users authorization to terminated employees in default position
Choose value 3 if:
- The user’s authorization to terminated employees is first evaluated according to the structural authorizations. This enables the user to get access only to terminated employees within the user’s structural authorizations. This is particularly good with running reports as the user does not get an extra number of terminated employees in the result. On the other hand, since the authorization is also granted by default, the user can get authorization to all terminated employees if, for example, the selection criteria are not applied according to the specific organizational structures in the report.
Choose value 4 if:
- The user’s authorizations to terminated employees are always granted by default. This means that all users always get access to all terminated employees and that when you run a report, the selection criteria are not chosen according to real requirements. The user sees all terminated employees in the result (which is probably not required).
AUTSW INCON (HR: master data context)
- Authorization main switch that controls whether the P_ORGINCON authorization object should be used in the authorization check
- If this needs to be activated, set the switch to 1
AUTSW XXCON (HR: master data extended check context)
- Authorization main switch that controls whether the P_ORGXXCON authorization object should be used in the authorization check
- If this needs to be activated, set the switch to 1
AUTSW NNCON (customer specific authorization object context)
- Authorization main switch that controls whether the customer-specific authorization object P_NNNNNCON should be used in the authorization check
- If this needs to be activated, set the switch to 1
AUTSW DFCON (authorization check for a person with default position)
- Authorization main switch that controls how the system should react (if the context solution is set up) to personnel numbers that are not linked to the organizational structure. That refers to personnel numbers that have their position entered as a default position in the organizational assignment infotype. You can set this switch to 1, 2, 3, or 4.
- If the organizational unit assignment exists, set the switch to 1 or 3. Otherwise it should be set to 2 or 4.
- If the authorizations need to be denied by default, set the switch to 1 or 2
- If the authorizations need to be granted by default, set the switch to 3 or 4
- If the person is assigned the default position and no organizational unit is specified in the organizational assignment infotype or it should not be evaluated, no check by organizational assignment can take place. In this case, the authorization can be specified by whether the system should grant or deny the authorizations by default.
Refer to Table 1 to see the combinations possible for the context solution (the setting for a non-context solution can be made with the AUTSW ORGPD switch). It shows the options for the authorization main switch AUTSW DFCON. The same specifications, as already specified, can be applied here.
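The following added example (not SAP code and not from the original article) models the four ORGPD/DFCON values as described above for a personnel number in the default position. The function names and the organizational unit IDs are constructed for illustration.

```python
# Added illustration: models the article's description of the AUTSW ORGPD and
# DFCON values for personnel numbers in the default position. Not SAP code.
from typing import Optional, Set

# value -> (evaluate the organizational unit from the organizational
#           assignment infotype?, result when no such check can take place)
DEFAULT_POSITION_MODES = {
    1: (True, "deny"),
    2: (False, "deny"),
    3: (True, "grant"),
    4: (False, "grant"),
}


def decide_default_position(switch_value: int,
                            org_unit: Optional[str],
                            profile_units: Set[str]) -> str:
    """Return 'grant', 'deny' or 'not-checked' for one personnel number.

    org_unit is the unit stored in the organizational assignment infotype
    (None if empty); profile_units are the units covered by the user's
    structural authorization profile. Both are hypothetical inputs.
    """
    if switch_value == 0:
        return "not-checked"  # switch inactive: structure not part of the check
    if switch_value not in DEFAULT_POSITION_MODES:
        raise ValueError(f"unsupported switch value: {switch_value!r}")
    evaluate_org_unit, default = DEFAULT_POSITION_MODES[switch_value]
    if evaluate_org_unit and org_unit is not None:
        return "grant" if org_unit in profile_units else "deny"
    return default  # nothing to evaluate: fall back to the default


def outcome_matrix(org_unit: Optional[str], profile_units: Set[str]) -> dict:
    """Outcome for each of the four active values, side by side."""
    return {v: decide_default_position(v, org_unit, profile_units)
            for v in (1, 2, 3, 4)}


if __name__ == "__main__":
    own_units = {"50001000"}  # constructed organizational unit ID
    for unit in ("50001000", "50009999", None):
        print(unit, outcome_matrix(unit, own_units))
```

Running it shows where the values differ: with no organizational unit stored, values 3 and 4 both grant access, and value 4 grants access even to a unit outside the user's structural profile.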
Examples of Main Switches for Standard and Context Solution
There are always two options for SAP ERP HCM authorization main switches – either the standard or the context solution. The authorization main switches need to be implemented accordingly. Only one of them can be active, and the main switches are also activated accordingly.
Standard solution refers to the use of the standard SAP ERP HCM master data option. It includes the use of authorization objects P_ORGIN, P_ORGXX, P_NNNNN, and P_PERNR. If structural authorizations are also implemented, the authorization main switch ORGPD also needs to be activated. The possible options for main switches on the standard solution are:
- ORGIN: Switch set to 1 (active)
- ORGXX: Switch set to either 0 (inactive) or 1 (active) depending on whether object P_ORGXX is included in the roles
- NNNNN: If a customer-specific object has been created, set the switch to 1. Otherwise set it to 0.
- ORGPD: If the structural authorizations need to be used, the switch needs to be activated (1, 2, 3, or 4). Depending on the evaluation of the personnel numbers having been assigned a default position, the correct value needs to be set accordingly (according to the business processes and requirements).
- INCON: If the standard solution is activated, the context solution needs to be inactivated. Set the switch to 0.
- DFCON: If the standard solution is activated, set the check with context solution on default position to 0 (inactive)
- XXCON: If the standard solution is activated, the context solution needs to be inactivated. Set the switch to 0.
- NNCON: If the standard solution is activated, the context solution needs to be inactivated. Set the switch to 0.
- PERNR: If the person’s authorizations to his or her own records need to be checked in addition to other authorization checks, set the switch to 1. Remember that the P_PERNR object overrules the authorizations in other authorization objects.
- APPRO: If the test procedures need to be activated, set the switch to 1
- ADAYS: In the standard system this switch is set to 15. If the switch needs to be activated, set the value to anything but 0.
The possible options for main switches on the context solution are:
- ORGIN: If the context solution is activated, set this switch to 0 (inactive)
- ORGXX: If the context solution is activated fully, set this switch to 0 (inactive)
- NNNNN: If the context solution is activated fully, set this switch to 0 (inactive)
- ORGPD: If the context solution is activated fully, set this switch to 0 (inactive)
- INCON: Activate this switch by defining the value as 1
- DFCON: Since the structural authorizations need to be implemented with the context solution, the switch needs to be activated (1, 2, 3 or 4). Depending on the evaluation of the personnel numbers assigned a default position, the correct value needs to be set according to business processes and requirements.
- XXCON: With the implementation of the context solution and the use of authorization object P_ORGXX in the roles, set this switch to 1 (active)
- NNCON: With the implementation of the context solution and a customer-specific authorization object created and used, set this switch to 1 (active)
- PERNR: If the person’s authorizations to his/her own records need to be checked in addition to other authorization checks, set the switch to 1
- APPRO: If the test procedures need to be activated, set the switch to 1
- ADAYS: In the standard system this switch is set to 15. If the switch needs to be activated, set the value to anything but 0.
Main Switches: A Combination of Standard and Context Solutions
The combination of standard and context solutions is something that SAP provides only as an option. If for some reason a company wants to implement the context solution for SAP ERP HCM master data and the standard solution for SAP ERP HCM master data extended check at the same time, then it would be possible to have them both at the same time. This could happen if a company has first implemented the standard solution, and then decides to start using the context solution. However, this is something that would probably happen very rarely, and I do not recommend it. Implementing it requires maintaining two different solutions at the same time, and all the roles would need to include the contents of both solutions.
If both are implemented, then you can only activate P_ORGINCON. The switch on P_ORGINCON (the context solution on SAP ERP HCM master data) has to be activated (and the switch on P_ORGIN = standard solution on SAP ERP HCM master data has to be inactivated). This is the first priority. You also need to activate SAP ERP HCM master data extended check (standard solution) and inactivate the SAP ERP HCM master data extended check (context solution). This guarantees that both solutions are implemented at the same time.
This means that if you need to implement both solutions at the same time, you must activate the SAP ERP HCM master data check on the context solution. In addition, either SAP ERP HCM master data extended check (ORGXX) or SAP ERP HCM master data company-specific check (NNNNN) needs to be activated as a standard check. With the use of both the standard and the context solution at the same time, the possible switches are:
- ORGIN: Set this switch to 0 (inactive)
- ORGXX: Set this switch to 1 (active)
- NNNNN: Set this switch to either 1 (active) or 0 (inactive)
- ORGPD: Set this switch to active (1, 2, 3, or 4) according to the business processes and requirements
- INCON: Activate this switch by defining the value as 1
- DFCON: Set the switch to activated (1, 2, 3, or 4). Depending on the evaluation of the personnel numbers having been assigned a default position, the correct value needs to be set according to business processes and requirements. The value has to be the same as with ORGPD.
- XXCON: If both solutions are used, set this switch to 0 (inactive)
- NNCON: If both the standard and the context solution are used, set this switch to either 1 (active) or 0 (inactive) according to the selection made with the NNNNN. If the NNNNN is activated, this switch needs to be inactivated. The selection can also be made the other way around.
- PERNR: If the person’s authorizations to his or her own records need to be checked in addition to other authorization checks, set the switch to 1
- APPRO: To activate the test procedures, set the switch to 1
- ADAYS: In the standard system this switch is set to 15. If the switch needs to be activated, the value needs to be anything else but 0.
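As an added example (not part of the original article and not SAP code), the three switch lists above for the standard, context, and combined setups can be written as rules and used to audit a set of AUTSW values read from T77S0. The function names and the sample values are constructed; how the values are exported from the system is outside the example.

```python
# Added illustration: audits AUTSW values against the three switch lists in
# this article. Input values are constructed; not an SAP API or SAP code.
BINARY, MODES = {0, 1}, {1, 2, 3, 4}
COMMON = {"PERNR": BINARY, "APPRO": BINARY}

RULES = {
    "standard": {"ORGIN": {1}, "ORGXX": BINARY, "NNNNN": BINARY,
                 "ORGPD": {0} | MODES, "INCON": {0}, "DFCON": {0},
                 "XXCON": {0}, "NNCON": {0}, **COMMON},
    "context":  {"ORGIN": {0}, "ORGXX": {0}, "NNNNN": {0}, "ORGPD": {0},
                 "INCON": {1}, "DFCON": MODES, "XXCON": BINARY,
                 "NNCON": BINARY, **COMMON},
    "combined": {"ORGIN": {0}, "ORGXX": {1}, "NNNNN": BINARY, "ORGPD": MODES,
                 "INCON": {1}, "DFCON": MODES, "XXCON": {0},
                 "NNCON": BINARY, **COMMON},
}


def audit_autsw(switches, solution):
    """Return a sorted list of findings; an empty list means the values fit."""
    findings = []
    for name, allowed in RULES[solution].items():
        if name not in switches:
            findings.append(f"{name}: missing")
        elif switches[name] not in allowed:
            findings.append(
                f"{name}={switches[name]}: expected one of {sorted(allowed)}")
    adays = switches.get("ADAYS")
    if not isinstance(adays, int) or adays < 0:
        findings.append(f"ADAYS={adays!r}: expected calendar days >= 0")
    if solution == "combined":
        if switches.get("ORGPD") != switches.get("DFCON"):
            findings.append("DFCON must have the same value as ORGPD")
        if switches.get("NNNNN") == 1 and switches.get("NNCON") == 1:
            findings.append("NNNNN and NNCON must not both be active")
    return sorted(findings)


def matching_solutions(switches):
    """Names of the article's setups whose rules the switch values satisfy."""
    return [s for s in RULES if not audit_autsw(switches, s)]


# Constructed sample: a client meant to run the standard solution on which
# INCON was left active.
SAMPLE = {"ORGIN": 1, "ORGXX": 0, "NNNNN": 0, "ORGPD": 1, "INCON": 1,
          "DFCON": 0, "XXCON": 0, "NNCON": 0, "PERNR": 1, "APPRO": 0,
          "ADAYS": 15}

if __name__ == "__main__":
    print(audit_autsw(SAMPLE, "standard"))
    print(matching_solutions(SAMPLE))
```

A set of values that matches none of the three setups, as the sample does, is the case worth reviewing first, because it is neither the standard nor the context solution as described here.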
Tero Tukiainen
Tero Tukiainen is the managing partner of SAPORT Consulting Inc, which he founded in 2009. He is an SAP HR-certified consultant who has specialized in SAP security and authorizations since 2000. Tero has spoken at SAP HR conferences in both Europe and the US since 2005.
You may contact the author at tero.tukiainen@saport.fi.