Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

HR Auth Question

Go to solution
Former Member

‎08-11-2008 12:02 PM

0 Kudos

I want to build a role which have display authorisation to all infotype except some 3 -4 infotype .Is there any other way then maintaining ranges skiiping the 4 infotypes .Will there be any performance issue if i maintain ranges .

1 ACCEPTED SOLUTION

Go to solution
jurjen_heeck
Active Contributor

‎08-11-2008 12:17 PM

0 Kudos

There is no performance penalty for maintaining ranges.

For audit and maintenance purposes however, I advise you to put each allowed infotype into the role separately. Basically SAP authorization design is about giving people what they need and not about giving people everything and then taking away what they shouldn't have.

Initially it's more work but it will pay back during audits, maintenance and upgrades.

An example in this case would be introducing a new infotype which almost no-one is allowed to see or manipulate.

With ranges this introduction of an infotype will force you to review all your roles and amend the ranges. With named infotypes a non-existent one is not in your roles yet so it'll be safe from the beginning .....

Jurjen

1 REPLY 1

Go to solution
jurjen_heeck
Active Contributor

‎08-11-2008 12:17 PM

0 Kudos

There is no performance penalty for maintaining ranges.

For audit and maintenance purposes however, I advise you to put each allowed infotype into the role separately. Basically SAP authorization design is about giving people what they need and not about giving people everything and then taking away what they shouldn't have.

Initially it's more work but it will pay back during audits, maintenance and upgrades.

An example in this case would be introducing a new infotype which almost no-one is allowed to see or manipulate.

With ranges this introduction of an infotype will force you to review all your roles and amend the ranges. With named infotypes a non-existent one is not in your roles yet so it'll be safe from the beginning .....

Jurjen