HR Master data display control.

Former Member · ‎08-14-2008

Hi All,

I have set up an HR admin with access such that he should not be able to view pay info of some users. However, when i tested it the user is able to partly view the pay info of a user A. However, he cannot view pay info of user B. The confusion is that both the user A & B belong to same personnel area, employee group, sub group etc..they are under same pay admin..I am confused why user is able to partly view pay info of A when he cannot view pay info of user B. Although, when he tries to view infotype 0008 for user A, he gets a message "few records skipped" for which below are the SU53 values. But still 0008 is visible...

Authorization level R

Infotype 0001

Payroll Administrator ' '

Administrator for HR Master Data 015

Administrator for Time Recording ' '

Administrator Group XYZ

Subtype ' '

I checked the configuration of P_ORGIN & P_ORGXX...totally confused..

Any help would be appreciated..

Former Member · ‎08-14-2008

Hi,

Could you be more specific when you say "not be able to view pay info of some users." ??

What is your differentiating criteria for such "some users".

Also..I'm totally confused when you say " partly view the pay info of a user A."

If you observe a few records skipped message, the best way is to run a trace to identify all the infotypes that are getting skipped. Also, if you are running a report, having no access to P_ABAP will return such a message.

In txcode OOAC, what values do you have for ORGIN & ORGXX?

Former Member · ‎08-14-2008

when i said some users i meant employee sub group (PERSK) & pay admin (SACHA)..the users A & B belong to same employee sub group E4 & Pay admin hence the HR admin should not be able to view pay info of these 2 users given the roles assigned but still he can partly view pay info 0008 of user A..partly means immediately after entering the personnel # of A, HR admin gets a green check mark for infotype 0008..when he selects 0008 and hits the display button, he gets a message "few records skipped"..

When HR admin enters personnel # is B, he does not get a green check for 0008, which is correct..

I want to know why this discrepancy for the users A & B that belong to same Employee sub group & Pay admin etc..

In OOAC, ORGIN & ORGXX value is 1

Former Member · ‎08-14-2008

I don't think this is a security issue but I could be wrong. A quick check would be to run a trace for the user that is not getting the error message and note down all the infotypes that are getting processed when you view his pay data. Once you have this list jotted down, run a trace for the user that is getting "skipped.." message. compare the Infotypes and check if master data has been maintained in all the skipped infotypes.

Maybe when the admin hired the employee A, he did not enter all the infotypes for him. It is a for HR to decide what mandatory infotypes need to be maintained when creating basic pay info.

Unless this is a show stopper, I would say you can skip this issue as long as your HR admin is still able to view the basic pay infotype 0008

diwheeler · ‎08-15-2008

Hi there,

do you use structural authorisations in your organisation? two users with identical access rights in SU01, but it is possible for them that if they are identical, but have different structural authorisation assignments they will see different information.

An authorisation trace will run successfully and not necessarily show any failures, but if the structural authorisation check fails, you will see a message that says something like "unable to display 123 records due to insufficient authorizations". That's typical of structural auths.

The ways to check it: go to transaction OOSB - see if both your user IDs are in the table. If they are, you can see the HR objects that are accessible to that user by clicking on the "Information" button (blue I) next to their name.

If a user has OOSB with an expired entry, then they won't be able to see any HR info.

Depending on what active struct auth they have assigned, and/or where they sit, they will have different values assigned them.

If a user has no entry in OOSB they will see everything, same as if a user has an 'all' entry in OOSB.

I'm unaware if there is a trace that will actively show you structural authorisation checks.

Well, maybe this will help you out.

Good luck,

Cheers,

Di

Former Member · ‎08-22-2008

Thanks guys for your responses..points awarded.I would definitely keep you guys updated about the progress on this issue..

Former Member · ‎08-22-2008

I just checked Structural authorization settings. The users access is not affected by structural auth..may be its not a security issue..any other thoughts/ideas are welcome..

Former Member · ‎08-22-2008

It is NOT a structural issue, if it was structural then you would skip the pernr record completely, if you are skipping master data records it could be the way master data is setup. ST01 should help confirm if it is even security related issue.

diwheeler · ‎08-26-2008

Hi there,

Sorry, didn't mean to lead you up the garden path with my previous suggestion! I did think about this some more thoguh and I was just wondering what the history of user A was - if at any point in time they were in a group where your administrator would have been able to manage them & view IT0008?

Just curious - if it's a time based thing you know?

Cheers,

Dianne