roles and authorisations?

Former Member · ‎12-01-2008

Hi All,

I have created a new authorization object "ZP_ORGIN" which is exactly same as the standard authorization object "P_ORGIN".

I have created a role using this object("Given '*'for all the authorisation fields) and assigned it to my new user.

Then this user tested by using PA30 transaction.

But he couldn't able to read or edit any of the infotype.

When i went and checked the authorisation in T.code SU53 it is showing authorisation object "p_orgin" is not assigned.

Can anyone tell me why my authorization object is not working?

jurjen_heeck · ‎12-01-2008

> Can anyone tell me why my authorization object is not working?

Well, I think it is because there are no checks in the sourcecode behind PA30 which check your object instead of the original. The ABAP statement AUTHORITY-CHECK in the source code is always leading. What is it exactly you want to achieve with your actions?

Former Member · ‎12-01-2008

Hi Jurjen,

The standard "p_orgin" doesn't have authorization field "Pernr"(personnel number).

I want to create an authorization object including this field so that i can use this field in my profile.

Reason behind this is that " i want to assign a role to my user :HR admin and they should see only the payroll data of the employees and not to see the data of the management people"

By using the pernr field i can avoid the personnel number of the management in the profile.

Why it is asking for the standard authorisation object and not the new one.

Please suggest.

Former Member · ‎12-01-2008

You should use the object P_PERNR for that. It is already checked in the coding...

...but remember that P_PERNR is normally intended for personal exceptions to the concept.

Cheers,

Julius

Edited by: Julius Bussche on Dec 1, 2008 12:11 PM

Former Member · ‎12-01-2008

Hi Julius,

I think the p_pernr object can restrict/authorize only for the person to whom the this object is assigned.

My problem is to restrict the payroll data of management persons?

can you suggest me another solution?

Former Member · ‎12-01-2008

I think you should speak to your functional people about personell areas and what your options are to protect the data.

You should not try to do this on your own without knowing the data.

Good luck,

Julius

Former Member · ‎12-01-2008

Hi,

If you create any new customized authorization object , then u need to maintain check in SU24 tcode for specific tcode.

Regards,

Sneha

Former Member · ‎12-01-2008

Hi sneha,

I have maintained the check in su24. but still my authorisation object is not working.

Former Member · ‎12-01-2008

Maintaining SU24 will do nothign if the checks are not in the coding.

Former Member · ‎12-01-2008

What coding should i have to maintain?

what is the function of it?

jurjen_heeck · ‎12-01-2008

> If you create any new customized authorization object , then u need to maintain check in SU24 tcode for specific tcode.

This is a wrong answer. AUTHORITY-CHECK statements work perfectly even when the corresponding object/transaction combination is not maintained in SU24. If you want to disable an existing check you need to maintain SU24 but then still restrictions apply.

Former Member · ‎12-01-2008

Hi SCM,

I presume that you must have completed the required steps of Custom Authorization.

1. Creation of Authorization in Su21

2. Run Report RPUACG00 to update the HR Authority check programs to check for the custom Auth Obj

(Transaction code OOAC)

3. Assign the Auth Object to SU24 of transaction code

4. Set the NNNNN authorization main switch to 1

PS : I haven't read thru the whole thread, however replying on your initial question.

Cheer !!

Zaheer

Former Member · ‎12-02-2008

Hi Zaheer,

I tried what you have mentioned but still i don't have authorisations.

Again p_orgin is missing it is showing.

jurjen_heeck · ‎12-02-2008

What you are trying to do will not work unless you have an abaper change the program's actual code. I assure you, that is not a route you want to go.

As Julius suggested earlier:

>I think you should speak to your functional people about personell areas and what your options are to protect the data.

Jurjen

Former Member · ‎12-02-2008

Hi Jurjen,

Actually there are a few special cases where changing "customizing" or adding "settings" or as in this case "additional checks" will change the standard coding automatically or when told to be regenerated.

Some programs even have the ability to upgrade themselves, or check for updates everytime they are submitted.

There are even some which contain parts of the coding itself (and not just the customizing settings) in table fields which have special views which make additional checks.

Of course this needs to be treated with caution and the additional checks are important, otherwise someone can get arbitrary coding of their own into the system.

> I think you should speak to your functional people about personell areas and what your options are to protect the data.

In HR the functional folks should know about this as well as what is possible from the data itself, so again another reason to go to them.

Cheers,

Julius

jurjen_heeck · ‎12-02-2008

> Actually there are a few special cases where changing "customizing" or adding "settings" or as in this case "additional checks" will change the standard coding automatically or when told to be regenerated.

All right, I stand corrected. Have you got an example for me?

Former Member · ‎12-02-2008

> All right, I stand corrected.

Generally, I think you are correct - but there are some exceptions and SAP offers some techniques to add own coding or self-correct itself when other (expected) changes arise, some of which are less intrusive than others.

> Have you got an example for me?

Transaction WP3R is one such example which has a little bit of everything in it.

Cheers,

Julius

Former Member · ‎12-02-2008

Hi Julius,

I have tried another method but still the authorization object is not working.

I kept P_orgin as it is and I have created new authorisation object Zp_orgin with following fields

pernr

actvity

but still this authorisation object is not working?

What could be the reason?

Former Member · ‎12-02-2008

Just creating a new authorization object is not enough. How does the system know where and how to use it?

You need to provide more information about what you have done and how you are introducing this object to the PA transactions... otherwise your z-object might as well be a tree in the woods, and our efforts to answer like a mime in a forest...;-)

Please clarify,

Julius

jurjen_heeck · ‎12-02-2008

From what I've read so far I think you did the following (in non-SAP language):

1- Created a new doorlock in your mind.

2- Actually made keys to match the imaginary doorlock

3- Gave out keys

4- Stand surprised as the keys fitting the imaginary lock do not fit the real lock and the door doesn't open for the people holding the keys you gave them.....

This is where we advised you repeatedly to get a locksmith and have your imaginary lock both constructed and built into the door replacing the original one (or should I say P_ORGINal?).

Why do you keep insisting that it should work? Please share your thoughts with us about how an SAP program is supposed to guess which extra checks you want the software to perform instead of it's original checks.

Former Member · ‎12-02-2008

Are you sure you have done this step :

2. Run Report RPUACG00 to update the HR Authority check programs to check for the custom Auth Obj

(Transaction code OOAC)

And i remember that there are requirements for the custom HR authorization to have minimum of infotype, subtype, authorization level... whereas you have only included pernr.

By the way, what are you trying to achieve with the custom authorization object with pernr and activity !!

Cheers !!

Zaheer