HR security is becoming more complex as companies implement structural security to complement their traditional role- based authorizations. Auditing a user’s access to HR data becomes complicated when you have more than just traditional roles assigned to the user ID.

While managers and auditors commonly use other authorization tools such as the User Information System report tree (transaction SUIM) for monitoring user access levels, the display user assignments report (program RHUSERRELATIONS) is designed solely for HR user security reporting. This report, which was released as part of SAP HR Support Package 46, is the only R/3 report that can check both traditional and structural HR security. Because it was not part of a general upgrade or version release, I’ve found that many users don’t know it exists.

Report RHUSERRELATIONS

Standard R/3 report RHUSERRELATIONS displays all HR authorization access for a given user ID. The report consists of a selection screen (Figure 1) where you can specify a user ID and select from various reporting options covering both structural access and traditional roles.

Figure 1

Selection screen for report RHUSERRELATIONS

Note the two buttons at the top of the selection screen on the report’s function bar. The first, Display Authorization Switch, displays the current values for all the HR authorization main switches normally maintained in table T77S0. The values of these switches represent system-wide settings and are not user-specific. The authorization main switch output shown in the RHUSERRELATIONS report is for display purposes only, but it allows you to quickly view the client-dependent switch values. This output is also helpful if you or your users need to view the switch values but do not have access to the IMG step for authorization switches or to the table maintenance transaction normally used to view the table.

Next to the display authorization switch button is the Assigned Persons (Infotype 0105) button. This button gives you a quick output of all HR master data records that contain the user ID (specified on the report selection screen) in communications infotype 0105, subtype 0001 (SY-UNAME), in Personnel Administration.

Below the function bar buttons, you can choose from four primary options for running the RHUSERRELATIONS report. These buttons return specific authorization-related information relative to the user you specify in the User Name field on the report selection screen:

• Related Organizational Units: If you select this option and execute the report for a given user ID, then the report provides output showing any organizational units to which the user belongs or manages. Evaluation path ORGASS is used by default to determine a user’s organizational unit assignment. To identify which units, if any, the user manages, the program uses evaluation path MANASS. Figure 2 shows a sample output for this option. Table 1 displays the definition of these two evaluation paths. As a reference, you can find evaluation path configuration table T77AW via transaction code OOAW (IMG menu path Personnel Management>Personnel Development>Basic Settings>Maintain Evaluation Paths).
  
  
• Structural Profiles: If you select this button and click on Execute, then the report assesses tables T77PR (structural profiles) and T77UA (structural user assignment), as shown in Figure 3. Table T77PR stores structural authorization profiles (IMG menu path Personnel Management>Organizational Management>Basic Settings>Authorization Management>Structural Authorization>Maintain Structural Profiles). Profile configuration in this table defines how objects and structures are read for structural authorization purposes. Table T77UA (IMG menu path Personnel Management>Organizational Management>Basic Settings>Authorization Management>Structural Authorization>Assign Structural Authorization) stores profile assignments to specific SAP user IDs, along with effective dates for the security assignment.
  
  The top of the output for the Structural Profiles option has two buttons. If you highlight a profile in the report and click on Show Profile View, then you receive a list of all objects that are within the authorization range for that profile. If you select Display User View, then all allowable objects for that particular user appear.
  
  
• Roles and Standard Profiles: If you select this option and click on Execute, then the report provides a listing of all standard authorization roles assigned directly to the specified user ID. You also get any standard roles that are assigned to this user via the relationship to position or organizational unit and any 007 relationships described to the role object type.
  
  
• Display HR Authorizations: The final option in the selection screen allows you to run a report and see which access a user has in several critical HR authorization objects. Select the Display HR Authorizations button, choose one or more of the authorization objects listed beneath, and execute the report. The output shows all active role assignments that contain access to the objects you selected.

Figure 2

Output of Related Organizational Units for a given user

Figure 3

Output for Structural Profiles option

A.J. Whalen

A.J. Whalen has successfully combined more than two decades of global business expertise with in-depth experience in the strategic development, management, and delivery of large-scale projects and education for SAP ERP HCM. Prior to his current role as SAP Marketing Director at Velocity Technology Solutions, he served as lead consultant for several global SAP implementations and engagements as well as an SAP Conference Producer for Wellesley Information Services. A.J. has been invited to speak at nine annual SAP educational events and holds an MBA degree from the Stern School of Business at New York University.

You may contact the author at whalen.aj@gmail.com.

If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.