
Restrict Access to IT 0008

Former Member
0 Kudos

Hi All,

I am building a role for Talent Manager and they should be able to execute a custom report to get talent review information. This report internally reads data from IT 0008. So to execute this report successfully, talent managers would need 'Read' access to this infotype. Is there a workaround to execute the report without giving the read access to IT 0008 via PA20?

Any suggestions?

Regards,

Pavana


Former Member
0 Kudos

Hi Pavana,

Does the custom report call the PA20 transaction code internally?

If the report is reading infotype IT 0008 without calling PA20 (which I think should be the case), then you need to make sure that you have read (R) for P_ORGIN in the role.

PS: PA30 is read only

Regards,

Zaheer

0 Kudos

Thanks for the reply.

The custom report is reading IT 0008 info without calling PA20.

To enable the user to execute the report, auth object P_ORGINCON needs to be set up like this.

Authorization level M, R

Infotype 0000, 0001, 0002, 0008,0024

Personnel Area Q001-Q025

Employee Group *

Employee Subgroup *

Authorization Profile *

Subtype *

Organizational Key *

P_ABAP as:

Degree of simplification for a 1

ABAP Program Name ZRHPD0008

With this, the user is able to execute the report, but can also display IT 0008 via PA20, which I don't want. I tried to use the example explained for time administrator on SAP Help:

http://help.sap.com/erp2005_ehp_03/helpdata/EN/f0/bcb83b5b831f3be10000000a114084/frameset.htm

Regards,

Pavana

0 Kudos

Hi Pavana,

I don't think in standard SAP you can achieve this - you either do or do not have access to an infotype so if the report calls it, then you're stuck.

What you could do though - is talk with your programmers and get them to remove the check to P_ORGIN and bypass it - effectively turning it off.

I'd say that this would need to be seriously considered because of course you want it to check infotypes, so perhaps instead of not checking anything or running a P_TCODE check at the very least, maybe what you'd want to do instead is consider creating a customised auth object... say built the same as P_ORGIN (maybe called ZP_ORGIN?), but with an additional field for tcode, and get your programmers to check that instead of a P_ORGIN check.

A bit more work around to achieve that, get it working and keep it maintained successfully, but if you're producing a report with info that is sensitive, and that should be limited, then you could try that.

Sorry it's not the best answer in the world - I'd be interested to know if someone else has a better solution!!

Cheers,

Di

0 Kudos

Thanks Zaheer and Dianne.

I have discussed this issue with other team members and no one could come up with a better solution. Looks like we will be changing the program to remove the check on this infotype.

I will leave this thread open for a few more days to see if anyone has got a different approach to resolve this issue.

Regards,

Pavana

0 Kudos

Hi Pavana,

You can maintain the P_ABAP object directly as below and not maintain the P_ORGIN in the role.

P_ABAP

Degree of simplification for a 2 ( 2 denotes report will be run without checks)

ABAP Program Name ZRHPD0008 ( report name which you want to run without checks)

I am not sure if the report will still ask for access to the LDB but this is certainly worth a try.

0 Kudos

>

> Thanks for the reply.

>

> The custom report is reading IT 0008 info without calling PA20.

>

> To enable the user to execute the report, auth object P_ORGINCON needs to be set up like this.

>

>

> Authorization level M, R

> Infotype 0000, 0001, 0002, 0008,0024

> Personnel Area Q001-Q025

> Employee Group *

> Employee Subgroup *

> Authorization Profile *

> Subtype *

> Organizational Key *

>

> P_ABAP as:

> Degree of simplification for a 1

> ABAP Program Name ZRHPD0008

>

> With this, the user is able to execute the report, but can also display IT 0008 via PA20, which I don't want. I tried to use the example explained for time administrator on SAP Help:

>

> http://help.sap.com/erp2005_ehp_03/helpdata/EN/f0/bcb83b5b831f3be10000000a114084/frameset.htm

>

>

> Regards,

> Pavana

Pavana,

Your design is correct, you just need to change something minor. Remove PA20 for the recruiter role since they will have no need for PA20. Second, go to SU24 -> ZRHPD0008 and add auth object P_ORGINCON. Regenerate the role on expert mode read new and merge with old.

Final outcome: People assigned to the role will be able to run ZRHPD0008 and not PA20.

Good Luck!

0 Kudos

Thanks for the replies.

As per the security design matrix, I cannot remove PA20 from the role as it is required to display other IT such as 0000,0001,0002, 0024. I want users assigned to this role to be able to execute the report but unable to display 0008 via PA20.

Regards,

Pavana

Former Member
0 Kudos

Pavana,

Questions that I would ask myself in a situation like this:

1. Do Talent managers have access to PA20?

2. Do Talent managers have access to view IT 0008 currently?

3. Does your report display sensitive info related to 0008?

If you have answered yes to all three of the above, then I don't see anything wrong with the way your report is built.

If your answer is No, in P_ABAP enter a value of * for the report and do not enter any values in P_ORGINCON.

Hope this helps!

Former Member
0 Kudos

Our functional and business people have decided to assign this role to key people who would have access to view IT 0008. So I am continuing with the original design.

Thanks for all the inputs.

Regards,

Pavana
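
The role designs discussed in this thread, compared in an added example that is not part of any post and is not SAP code. It is a simplified model that assumes PA20 display is decided by P_ORGINCON level R on the infotype, and that the report runs on logical database PNP, so that P_ABAP with degree of simplification 2 (or *) skips that check for the named program; the helper names and the sample personnel area Q010 are constructed.

```python
# Added example: simplified model of the checks discussed in this thread.
# Assumptions: PA20 display needs P_ORGINCON level R for the infotype, and a
# report on logical database PNP skips that check when P_ABAP grants degree
# of simplification 2 for its program name (as one reply describes).

def covers(granted, value):
    """True if value matches '*', an exact entry, or an 'A-B' range."""
    for g in granted:
        if g in ("*", value):
            return True
        if "-" in g:
            lo, hi = g.split("-", 1)
            if lo <= value <= hi:
                return True
    return False

def orgin_read(role, infty, persa):
    return any(covers(a["AUTHC"], "R") and covers(a["INFTY"], infty)
               and covers(a["PERSA"], persa)
               for a in role.get("P_ORGINCON", []))

def pa20_can_display(role, infty, persa):
    return "PA20" in role["tcodes"] and orgin_read(role, infty, persa)

def report_can_read(role, repid, infty, persa):
    unchecked = any(covers(a["REPID"], repid) and covers(a["COARS"], "2")
                    for a in role.get("P_ABAP", []))
    return unchecked or orgin_read(role, infty, persa)

BASE = ["0000", "0001", "0002", "0024"]

def make_role(infotypes, coars):
    # Constructed from the field values posted in the thread.
    return {"tcodes": ["PA20"],
            "P_ORGINCON": [{"AUTHC": ["M", "R"], "INFTY": infotypes,
                            "PERSA": ["Q001-Q025"]}],
            "P_ABAP": [{"REPID": ["ZRHPD0008"], "COARS": [coars]}]}

ORIGINAL = make_role(BASE + ["0008"], "1")   # design from the question
SPLIT = make_role(BASE, "2")                 # 0008 dropped, P_ABAP = 2

def summary(role, persa="Q010"):
    return {"report_0008": report_can_read(role, "ZRHPD0008", "0008", persa),
            "pa20_0008": pa20_can_display(role, "0008", persa),
            "pa20_0001": pa20_can_display(role, "0001", persa)}

if __name__ == "__main__":
    for name, role in (("original", ORIGINAL), ("split", SPLIT)):
        print(name, summary(role))
```

In the split design the report performs no person-level check at all, so access to IT 0008 data then depends entirely on who is allowed to start ZRHPD0008 and on what the report outputs.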