We do currently have restrictions on who can maintain IT0024. The trouble is that when a user is granted maintenance privileges over that data, they can assign or remove any value. What I'm looking for is a way to further limit which values of IT0024 a user is permitted to maintain.

We use structural authorizations to restrict users to the subset of employee records that they are permitted to view/maintain. I've never heard IT1017 used in the context of this functionality though.. I set up profiles using transaction OOSP and assign them to users with OOSB.

Does that answer your question? If this sounds like a novice answer, it's because I am in fact a novice.

Thanks

How do you determine the subset of employees? In the role, have you restricted it via personnel areas/employee group or subgroup? In the PD profile, have you specified the correct object id and evaluation path for object type Q or QK?

Many users in our system are limited in which employees they can maintain by org unit (using structured authorizations, object type "O"). The users who currently maintain qualifications have access to all org units.

If I understand where you're going with this.. I would have to remove the "*" on object type Q and QK in their existing profiles, then create more restrictive profiles to assign each of the users based on the qualification or qualification groups they should be able to maintain. Is this correct?

You are right.If you want users to have access to all org units but have restricted "maintain" access for Q,QK then remove * from object id's. For object type QK, specify the required catalog ids.

Hope this helps.

Great, that helps! Thanks