
PA30 Restricted by Personnel Area

Former Member
0 Kudos

Hello security experts,

In our system, both P_ORGIN and P_ORGXX security checks are turned on. We want to restrict the access to personnel in the PA30 transaction by Personnel Area - unfortunately I am able to display personnel in more personnel areas than I have assigned in P_ORGIN. Can you tell me what I am doing wrong here?

Here are the current settings:

security object : authorization field - authorization value

P_ORGIN : AUTHC (Auth level) - D, M, R, W

P_ORGIN : INFTY (Infotype) - 0315

P_ORGIN : PERSA (Pers area) - 0083

P_ORGIN : PERSG (pers grp) - *

P_ORGIN : PERSK (emp sub grp) - *

P_ORGIN : SUBTY (subty) - *

P_ORGIN : VDSKI (org key) - *

P_ORGIN : AUTHC (Auth level) - E, M, R

P_ORGIN : INFTY (Infotype) - 0000-0001, 0007, 0328

P_ORGIN : PERSA (Pers area) - 0083

P_ORGIN : PERSG (pers grp) - *

P_ORGIN : PERSK (emp sub grp) - *

P_ORGIN : SUBTY (subty) - *

P_ORGIN : VDSKI (org key) - *

P_ORGXX : AUTHC (Auth level) - D, M, R, W

P_ORGXX : INFTY (Infotype) - 0315

P_ORGXX : SACHA (Pay admin) - ' '

P_ORGXX : SACHP (HR admin) - ' '

P_ORGXX : SACHZ (Time admin) - 996

P_ORGXX : SBMOD (Admin grp) - *

P_ORGXX : SUBTY (subtype) - *

P_ORGXX : AUTHC (Auth level) - E, M, R

P_ORGXX : INFTY (Infotype) - 0000-0001, 0007, 0328

P_ORGXX : SACHA (Pay admin) - ' '

P_ORGXX : SACHP (HR admin) - ' '

P_ORGXX : SACHZ (Time admin) - 996

P_ORGXX : SBMOD (Admin grp) - *

P_ORGXX : SUBTY (subtype) - *

Any insight is much appreciated

4 REPLIES

Former Member
0 Kudos

Hi Steven,

Is that the only role assigned to the user you are looking at? Since you said "I was able to...", I would recommend setting up a test ID with the restricted role you have created and using that to test the restriction to the personnel areas.

The role design seems to be restricted to 0083 Personnel Area.

Maybe you have other roles (or profiles) assigned to your ID which are allowing you to do that.

Cheers !!

Zaheer Kazi

0 Kudos

There was another role with PLOG

These are the settings:

PLOG : INFOTYP - *

PLOG : ISTAT - *

PLOG : OTYP - C, O, P, Q, S

PLOG : *

PLOG : *

PLOG : *

We have since inactivated the PLOG object, and the problem still exists: I am able to access personnel in other personnel areas.

Any ideas?

0 Kudos

So, the ID with which you are testing doesn't have any other role than the one you created with restricted P_ORGIN and P_ORGXX... Check for any additional profiles assigned to this user ID with which you are doing testing.

Run report RHUSERRELATIONS, enter the user ID, select the radio button for "Display HR Authorization" and run the report to see which P_ORGIN authorizations this user ID has... Maybe this will tell you from where it is getting the required authorization.

Cheers !!

Zaheer

0 Kudos

Figured it out, turns out there was a reference role for additional rights that had read access to many infotypes, and full authorization on the personnel area field.

Thanks for your suggestions
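
The additive behaviour behind this outcome, as an added example that is not part of the thread: within one authorization instance all checked fields must match, but any single instance from any assigned role is enough to pass. The rows assume an export shaped like table AGR_1251; the role names, instance names, personnel area 0042 and the 0000-0999 infotype range are constructed, and only AUTHC, INFTY and PERSA are evaluated.

```python
from collections import defaultdict

# Constructed rows shaped like an AGR_1251 export:
# (role, object, authorization instance, field, low, high).
# Role names, instance names and personnel area 0042 are hypothetical.
ROWS = [
    ("Z_HR_PA_0083", "P_ORGIN", "T001", "AUTHC", "R", ""),
    ("Z_HR_PA_0083", "P_ORGIN", "T001", "AUTHC", "M", ""),
    ("Z_HR_PA_0083", "P_ORGIN", "T001", "AUTHC", "E", ""),
    ("Z_HR_PA_0083", "P_ORGIN", "T001", "INFTY", "0000", "0001"),
    ("Z_HR_PA_0083", "P_ORGIN", "T001", "INFTY", "0007", ""),
    ("Z_HR_PA_0083", "P_ORGIN", "T001", "INFTY", "0328", ""),
    ("Z_HR_PA_0083", "P_ORGIN", "T001", "PERSA", "0083", ""),
    # Broad display role of the kind described in the last post.
    ("Z_REF_DISPLAY", "P_ORGIN", "T002", "AUTHC", "R", ""),
    ("Z_REF_DISPLAY", "P_ORGIN", "T002", "INFTY", "0000", "0999"),
    ("Z_REF_DISPLAY", "P_ORGIN", "T002", "PERSA", "*", ""),
]

def value_matches(low, high, value):
    """One value row: '*' is full authorization, low/high is a range."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    return low == value

def granting_instances(rows, obj, wanted):
    """Return (role, instance) pairs where every wanted field is covered.

    Fields inside one instance are ANDed; instances across roles are ORed.
    """
    instances = defaultdict(lambda: defaultdict(list))
    for role, o, auth, field, low, high in rows:
        if o == obj:
            instances[(role, auth)][field].append((low, high))
    hits = []
    for key, fields in instances.items():
        if all(any(value_matches(lo, hi, val) for lo, hi in fields.get(f, []))
               for f, val in wanted.items()):
            hits.append(key)
    return sorted(hits)

if __name__ == "__main__":
    for persa in ("0083", "0042"):
        req = {"AUTHC": "R", "INFTY": "0001", "PERSA": persa}
        print(persa, granting_instances(ROWS, "P_ORGIN", req))
```

Feed it the rows for every role the user effectively holds, including roles that arrive through a reference user, since those authorizations are added to the user's own.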