The authorizations checks in Campus Management consist of the basic authorization and the structural HR authorization.

The basic authorization determines whether the user is allowed to execute a certain function, while the structural authorization determines the objects for which the user is allowed to execute this function. In other words, the basic authorization defines what function the user is allowed to use, and the structural authorization defines for which objects the user is allowed to use this function.

For example, the basic authorization can define that the user is allowed to perform the create module booking activity. With the structural authorization you can restrict this activity only to modules offered by the faculty of Mathematics, for example. (The user can then access these modules whenever required; see also Structural Authorization).

Basic Authorization

In release CM 4.64, three authorization objects are used in Campus Management:

At the first level is the transaction code check. The system performs this check each time the user starts a transaction using the menu or command line. For this check to be successful, the user requires an authorization for the relevant transaction code in the authorization object S_TCODE.

At the second level, the Campus Management function is divided into two parts. The first part includes activities such as create request, create registration, create re-registration, cancel module booking, and so on. The second part covers master data like student master data and a major part of the academic structure.

When checking the authorizations for master data, the system uses the HR authorization object PLOG for master data authorization checks. A new authorization object (P_CM_PROC) has been implemented for activities in release CM 4.64. The system now only checks whether the user is authorized to use the activity. It no longer checks if the user is authorized to read or change the data in this activity. The new authorization concept has the following advantages:

• It simplifies authorization assignment. The system no longer uses the comprehensive data model with its many objects and object interrelationships as the basis for the activity authorization (authorization assignment via authorization object PLOG);
• Changes in the data model have no effects on the authorization checks for activities;
• It is now possible to distinguish between create and change operations, for example in re-registrations;
• You can now distinguish between re-registrations and leaves of absence.

The table T7PIQPROCESS (Activities) contains all Campus Management activities. The system performs authorization checks for all activities with the exception of the ones listed below.

Authorization checkes are not performed for the following activities:

• AC10 (Send Reminder for Outstanding Payments)
• HSMA (Create Status Indicator Manually)
• PR11 (Create Applicability List Automatically)

These activities do not contain any activity-related authorization checks.

In the standard system, the authorization check for activities is independent of the objects for which the activities are performed, and of their attributes. (The structural authorization only restricts the objects which the user can then process irrespective of the activity.). If you require additional checks, you can use the business add-in HRPIQ00AUTHORITY.

Structural Authorization

The structural authorization enables you to define the set of objects the user is authorized to process. You determine these objects using evaluation paths. You can define whether the user should only be given a display authorization for these objects or a maintenance authorization as well.

You cannot combine the structural authorization with the basic authorization. The user is therefore authorized to process the assigned set of objects irrespective of the function (s)he is currently using.

Further notes

As functions from other applications areas (Training and Event Management, Notification Processing) and from Student Accounting are integrated in Campus Management, users also need authorizations from these areas.

Campus Management contains a number of roles which you can combine with the roles of other application areas to create composite roles. You can either assign a composite role or individual roles to users.

Component    Prefix of the roles provided

Campus Management    SAP_CM_

Training and Event Management    SAP_HR_PE

Notification processing    SAP_CA_NO_NOTIF

Student Accounting    SAP_FI_CA_

You create the business partner authorizations in separate IMG activities which you can find in Customizing for Campus Management in Campus Management Master Data -> Students -> Students as Business Partners -> Basic Business Partner Settings -> SAP Business Partner -> Business Partner -> Basic Settings -> Authorization Management.

In the SAP Reference IMG under Basis Components -> System Administration -> Users and Authorizations, you can find more IMG activities in which you can make general settings for authorizations.