
Training and events with MSS issue

Former Member
0 Kudos

Hello Security Gurus,

I am having an issue with managers having the MSS role and the TEM role with PA20/30. Since managers have to access data for their direct reports, Infotypes 0008, 0001 etc. have been provided in the MSS role. But having PA20/PA30 access with TEM roles (which are mandatory for TEM roles), they can view data for anybody on the ECC system. But these users are not supposed to view other people's data.

I know 2 solutions for this:

1. Provide separate IDs (one each for TEM and for the rest of access)

2. Structural authorizations and Context authorizations

Does anyone know any other solution, since the business decision is against both of these?

Thanks in advance,

Bhanu Reddy

3 REPLIES 3

Former Member
0 Kudos

Personally I find separate IDs a very ugly solution, but what does the management have against context authorizations?

I can understand that the OM data is a challenge, but using MSS without reliable OM data is also questionable (or perhaps they are wanting to use the MSS to clean up the data, in which case the PA30 user will not see more than that which they could have via the portal as well when they finally get to the data quality needed?)

Other options / ideas:

- There are BADIs and depending on your release you could look into enhancement points.

- Possibly you could consider a workflow scenario for the TEM (Training and Event Management) or the MSS (Manager Self Service) to remove the conflict or the 2 incompatible requirements.

- Check the P_ORGIN subtypes to see whether you can restrict it there (for PA30).

- Check the MSS whether the required data can be displayed with more granular authority without providing the conflicting access to PA30.

- Even if not using structural authorizations, check that SAP* does not have full access in OOSB (users without profiles inherit the authority of SAP*) and whether someone activated it anyway (although you don't use it...)

Just some ideas for you.

Cheers,

Julius

0 Kudos

Julius,

Thanks for your suggestions. Due to my tight timelines, I have convinced the business to segregate TEM people's duties so that PA20/30 has been removed from TEM roles as a quick solution. However, I have recommended that structural/context authorizations be implemented moving forward.

I am closing the thread.

Thanks,

Bhanu

0 Kudos

Often, but not always, it is sad to see that an organization or processes are turned upside down or made less efficient because of apparent software limitations.

Hopefully your customer does not blame SAP because of their insufficient data or strategy to get there.

This is a very interesting question (in my opinion). Please follow up on it as it would be useful for others to know how things pan out "in the wild"...

Cheers,

Julius