03-02-2009 1:58 PM
Hello security experts,
In our system, both the P_ORGIN and P_ORGXX security checks are turned on. We want to restrict access to personnel in transaction PA30 by Personnel Area; unfortunately I am able to display personnel in more personnel areas than I have assigned in P_ORGIN. Can you tell me what I am doing wrong here?
Here are the current settings:
security object : authorization field - authorization value
P_ORGIN : AUTHC (Auth level) - D, M, R, W
P_ORGIN : INFTY (Infotype) - 0315
P_ORGIN : PERSA (Pers area) - 0083
P_ORGIN : PERSG (pers grp) - *
P_ORGIN : PERSK (emp sub grp) - *
P_ORGIN : SUBTY (subty) - *
P_ORGIN : VDSKI (org key) - *
P_ORGIN : AUTHC (Auth level) - E, M, R
P_ORGIN : INFTY (Infotype) - 0000-0001, 0007, 0328
P_ORGIN : PERSA (Pers area) - 0083
P_ORGIN : PERSG (pers grp) - *
P_ORGIN : PERSK (emp sub grp) - *
P_ORGIN : SUBTY (subty) - *
P_ORGIN : VDSKI (org key) - *
P_ORGXX : AUTHC (Auth level) - D, M, R, W
P_ORGXX : INFTY (Infotype) - 0315
P_ORGXX : SACHA (Pay admin) - ' '
P_ORGXX : SACHP (HR admin) - ' '
P_ORGXX : SACHZ (Time admin) - 996
P_ORGXX : SBMOD (Admin grp) - *
P_ORGXX : SUBTY (subtype) - *
P_ORGXX : AUTHC (Auth level) - E, M, R
P_ORGXX : INFTY (Infotype) - 0000-0001, 0007, 0328
P_ORGXX : SACHA (Pay admin) - ' '
P_ORGXX : SACHP (HR admin) - ' '
P_ORGXX : SACHZ (Time admin) - 996
P_ORGXX : SBMOD (Admin grp) - *
P_ORGXX : SUBTY (subtype) - *
Any insight is much appreciated
03-02-2009 7:59 PM
Hi Steven,
Is that the only role assigned to the user you are looking at? Since you said "I was able to...", I would recommend setting up a test ID with the restricted role you have created and trying to use that to test the restriction to the personnel areas.
The role design seems to be restricted to Personnel Area 0083.
Maybe you have other roles (or profiles) assigned to your ID which are allowing you to do that.
Cheers !!
Zaheer Kazi
03-02-2009 9:50 PM
There was another role with PLOG
These are the settings:
PLOG : INFOTYP - *
PLOG : ISTAT - *
PLOG : OTYP - C, O, P, Q, S
PLOG : *
PLOG : *
PLOG : *
We have since inactivated the PLOG object, and the problem still exists: I am able to access personnel in other personnel areas.
Any ideas?
03-02-2009 10:06 PM
So, the ID with which you are testing doesn't have any other role than the one you created with restricted P_ORGIN and P_ORGXX... check for any additional profiles assigned to the user ID with which you are doing the testing.
Run the report RHUSERRELATIONS, enter the user ID, select the radio button for "Display HR Authorization" and run the report to see all the P_ORGIN authorizations this user ID has... maybe this will tell you where it is getting the required authorization from.
Cheers !!
Zaheer
03-03-2009 4:07 PM
Figured it out: it turns out there was a reference role for additional rights that had read access to many infotypes and full authorization on the personnel area field.
Thanks for your suggestions.
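The root cause in this thread is that SAP evaluates all of a user's authorizations as a union: the restricted role says PERSA = 0083, but a second role with PERSA = * grants the access anyway. The following is an added example (not from this thread or from SAP) that models that union check in a simplified way and reports which role grants a given PA30 access, the kind of attribution RHUSERRELATIONS gives. Role names, the request values, and the single-value/range/`*` matching rules are assumptions; real SAP value matching also supports patterns, which this model omits.

```python
# Simplified model of SAP authorization evaluation for P_ORGIN (constructed example).
# Each authorization maps field -> allowed values; a value may be '*', a single
# value, or a 'LOW-HIGH' interval. Access is granted if ANY authorization, from
# ANY role or profile assigned to the user, covers every field of the request.
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Authorization:
    role: str                     # role/profile this authorization came from
    obj: str                      # authorization object, e.g. "P_ORGIN"
    fields: Dict[str, List[str]]  # field name -> allowed values

def value_matches(allowed: str, requested: str) -> bool:
    """Match one allowed value ('*', interval, or exact) against a requested value."""
    if allowed == "*":
        return True
    if "-" in allowed:            # interval such as 0000-0001 (string comparison)
        low, high = allowed.split("-", 1)
        return low <= requested <= high
    return allowed == requested

def auth_grants(auth: Authorization, request: Dict[str, str]) -> bool:
    """A single authorization grants only if every requested field is covered."""
    return all(any(value_matches(v, request[f]) for v in auth.fields.get(f, []))
               for f in request)

def find_granting_roles(auths: List[Authorization], obj: str, request: Dict[str, str]) -> List[str]:
    """Union over all authorizations: list the roles whose authorizations grant the request."""
    return [a.role for a in auths if a.obj == obj and auth_grants(a, request)]

# Constructed authorizations mirroring the thread: the restricted role limits PERSA
# to 0083 (two instances, as in the post); the hypothetical reference role has PERSA = '*'.
WILD = {"PERSG": ["*"], "PERSK": ["*"], "SUBTY": ["*"], "VDSKI": ["*"]}
RESTRICTED = [
    Authorization("Z_HR_RESTRICTED", "P_ORGIN",
                  {"AUTHC": ["D", "M", "R", "W"], "INFTY": ["0315"], "PERSA": ["0083"], **WILD}),
    Authorization("Z_HR_RESTRICTED", "P_ORGIN",
                  {"AUTHC": ["E", "M", "R"], "INFTY": ["0000-0001", "0007", "0328"],
                   "PERSA": ["0083"], **WILD}),
]
REFERENCE = [Authorization("Z_HR_REFERENCE", "P_ORGIN",
                           {"AUTHC": ["R"], "INFTY": ["*"], "PERSA": ["*"], **WILD})]

# Constructed request: display (AUTHC R) infotype 0001 of an employee in personnel area 0099.
REQ_OTHER_AREA = {"AUTHC": "R", "INFTY": "0001", "PERSA": "0099",
                  "PERSG": "1", "PERSK": "AB", "SUBTY": "", "VDSKI": "X"}
```

With only the restricted role the request for area 0099 is denied; adding the reference role grants it, and the function names that role as the source, which is the check to run before inactivating objects such as PLOG that are not involved.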