Roles and Authorizations in Human Resources (HR)


Natuvion provides consulting about:


  • The Creation and Maintenance of HCM Authorization Concepts

Creating an authorization concept in the area of human resources is extensive and complex. Profit from the longstanding experience of our experts, which combines years of expertise in both development and operation, and not only on the part of the consulting firms involved. Together with Natuvion, define the authorization objects, authorization switches, and implementation approach to be used.

The authorization concept sets the framework for role creation and is one of the main milestones on the way to privacy compliance and data protection conformity.


  • Setting up the Authorization Switches

Use the know-how of our experts once the authorization concept has been created. Customizing the authorization switches that control the authorization checks is a central building block for implementing compliance and data protection requirements.


  • The Allocation of Authorizations and Access to Personal Data to Implement the Need-to-know Principle (minimum principle)

By creating a comprehensive authorization concept in cooperation with our customers, we determine not only general access authorizations, but also exactly who may read, change, delete, or send which data.

In a first step, we check exactly which data individual employees need for their daily work. Afterwards, access authorizations are assigned according to the need-to-know principle and only for this data (BSI IT-Grundschutz catalogues, point M 2.8: Assigning of access rights). For this purpose, it makes sense to use the respective job description and functions in order to restrict authorizations to individual areas or departments, such as controlling or HR, at an early stage. Under no circumstances may authorizations be assigned solely on the basis of a certain hierarchy level.

In a second step, more extensive authorizations must be defined, and a distinction should be made, for example, between read and write authorizations.

This also applies to authorizations for evaluations (reports). Extensive authorizations should not be assigned to "named users" but should be handled by "technical users." Particular attention should be paid to ensuring that data cannot be erased without authorization.


  • Structural Authorizations

Structural authorizations enable context-sensitive authorization checks and thus regulated access to data in time-dependent structures. The assignment of these authorizations can be controlled via structural profiles for different object types (for example O (organizational unit), S (position) and P (person)), based on the organizational structure within the respective user's area of responsibility. When you use these together with the general SAP authorizations mentioned above, you must take their interactions into account. The data protected by structural authorizations must be organized hierarchically in one of the Personnel Planning and Development components, such as Organizational Management or Personnel Development. This allows access, for example for read and write operations, to be controlled with regard to the respective root object within the hierarchical structures.


  • Tolerance times

If people change position within an organization, the person who bears responsibility for them could lose access to their data immediately. However, not all necessary activities might be completed at the time of the change. The so-called tolerance time introduces a "waiting time" into this process, during which the previous responsible person retains access.

Another option is to set up a temporary authorization for the person that was responsible before, which allows them to work on certain tasks (e.g. correction of working hours, writing evaluations, etc.).
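The two mechanisms above, a structural profile tied to a root object and a tolerance time after a person leaves that subtree, as an added example (not Natuvion's or SAP's code). The org hierarchy, positions, persons, user names and dates are constructed sample data; SAP itself evaluates structural profiles and tolerance times inside the HR authorization checks, this only models the decision logic.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample hierarchy: O = organizational unit, S = position, P = person.
ORG_PARENT = {"O-HR": None, "O-PAYROLL": "O-HR", "O-CTRL": None}
POSITION_ORG = {"S-1001": "O-PAYROLL", "S-2001": "O-CTRL"}

@dataclass(frozen=True)
class Holding:
    """Time-dependent P -> S relationship (person holds position start..end)."""
    person: str
    position: str
    start: date
    end: date  # last day the person holds the position

# P-7 moves from payroll (under O-HR) to controlling on 2024-04-01 (constructed).
HOLDINGS = [
    Holding("P-7", "S-1001", date(2023, 1, 1), date(2024, 3, 31)),
    Holding("P-7", "S-2001", date(2024, 4, 1), date(9999, 12, 31)),
]

# Structural profile per user: one root O object, everything below it is in scope.
PROFILES = {"u_hr_lead": "O-HR", "u_ctrl_lead": "O-CTRL"}

def in_subtree(org: str, root: str) -> bool:
    """Walk up the org hierarchy until the root object is found or the top is reached."""
    while org is not None:
        if org == root:
            return True
        org = ORG_PARENT[org]
    return False

def access_reason(user: str, person: str, on: date, tolerance_days: int = 0):
    """Return 'current', 'tolerance' or None explaining why the user may see the person."""
    root = PROFILES[user]
    for h in HOLDINGS:
        if h.person != person or not in_subtree(POSITION_ORG[h.position], root):
            continue
        if h.start <= on <= h.end:
            return "current"          # person currently sits in the user's area
        if h.end < on <= h.end + timedelta(days=tolerance_days):
            return "tolerance"        # person left, but the waiting time is still running
    return None

if __name__ == "__main__":
    print(access_reason("u_hr_lead", "P-7", date(2024, 4, 10), tolerance_days=30))
```

With a tolerance of zero the HR lead loses access the day after the move; with 30 days the access reason changes from "current" to "tolerance" and expires at the end of April.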


  • The Introduction of a 4-eye Principle

Within the framework of current and future data protection regulations, such as the Californian CCPA or the European GDPR, activities in the areas of blocking, correction and deletion in particular will increase.

Not only the absence of the functionalities and processes required by these regulations, but also their faulty or misdirected execution, constitutes a violation. The deletion of data in SAP HCM through SAP Information Lifecycle Management (ILM) in particular is irreversible. Therefore, all activities of such high criticality should in principle only be carried out according to the four-eyes principle.


  • The Segregation of Duties

Many activities in SAP HCM must not be performed by one person alone, for example settings, higher groupings, etc. There is always a risk that payments are accepted without a basis or, worse, that employees deliberately redirect salary payments to themselves. Also look into our service in the field of Fraud Protection. The technical introduction of an appropriate segregation of duties offers reliable protection against both negligent errors and intentional actions.



Questions, Suggestions, or Feedback? We look forward to it!