
User Level Authorization in Position Based Security

Former Member
0 Kudos

Hi Geeks,

I'm facing a problem in restricting a user from accessing another user's data.

Let me give you a picture of my issue.

I have assigned a position based role to a Position XXXXX, while XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see the data of his own, not other users.

Can you please let me know how to restrict this.

<removed_by_moderator>

Thanks

Venkat

Edited by: Julius Bussche on Jun 4, 2009 8:44 AM

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Venkat, can you be more specific?

Roles may be assigned to a position, but that in itself wouldn't restrict the access; it is the authorization within the role that gives access to data.

Cheers!!

Zaheer

10 REPLIES

0 Kudos

Zaheer, thanks for the quick reply,

Here it goes. My client implemented SAP TV, & user X logs his expenses, while other users do.

But when User X is accessing his data (Expenses) he is also able to see the expenses of User Y.

I have used the Auth Obj, F_TRAVL_RW, TV_CREAT, TV_EVSIM, also assigned a T.Code KSB1/KOB1.

Let me know if you need more details.

Thanks,

Venkat

0 Kudos

Hi Venkat,

Try restricting on P_PERNR. I don't have an HR system to check in, though I recall P_PERNR should be able to restrict users to their own personnel numbers for the expense infotypes.

Cheers!!

Zaheer

0 Kudos

Hi Venkat

If user X is able to view data for another user it is probably the P_PERNR object. Try Interpretation of assigned personnel number (I), which allows a user to view data for his own records. Structural auth will control the Org assignment; however, accessing Infotypes or data will be controlled by P_ORGIN/P_PERNR.

Let us know

thanks

santosh

0 Kudos

> If user X is able to view data for another user it is probably the P_PERNR object.

That is the exact opposite of what P_PERNR does...

Probably P_ORGIN is providing the access via some other role assignment, or indirectly via a reference user.

Cheers,

Julius

0 Kudos

Thanks Julius

I meant to convey that P_PERNR controls updating a person's own data, like a user cannot update his own basic pay. You are correct, it is P_ORGIN... my bad on the P_PERNR.

thanks

santosh

Hank
Explorer
0 Kudos

Venkata, are you using Structural Authorization? You may want to look into assigning structural authorization using PD Profiles.

Maintain Evaluation Path

Maintain Structural profiles

- rh_get_manager_assignment

- rh_get_org_assignment

"while XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see the data of his own, not other users."

Sapsec-HB

Hank
Explorer
0 Kudos

Here is my understanding...

p_orgin: providing access to infotypes with this object automatically gives access to both the user's own record and the other employee records.

p_pernr: when this object is present, including infotypes in this object allows you to control access to own record only (I), or other employee records only (E) excluding own.

Sapsec-HB

Former Member
0 Kudos

> p_pernr when this object is present, including infotypes in this object allows you to control access to own record only (I), or other employee records only (E) excluding own.

Stated like that it could still be misleading.

E does not grant access to other employees' records. It only means that if the user already has access to other employees' records (via P_ORGIN...), then this authorization will exclude their own personnel number from that authorization, even though they have the access.

This can be useful, for example to prevent the HR department from changing their own basic pay without stopping them from giving you a raise or a bonus...

Cheers,

Julius
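
The interplay of P_ORGIN and the P_PERNR sign (I/E) described in the reply above, as an added Python example that is not part of the thread and not SAP code. It is a simplified model: `POrgin`, `PPernr` and `may_access` are hypothetical names, the personnel numbers are constructed, the organizational fields of P_ORGIN and structural authorizations are left out, and letting E win when a user holds both I and E is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class POrgin:  # simplified: the org-assignment fields of P_ORGIN are left out
    infotypes: frozenset
    levels: frozenset  # authorization levels, e.g. "R", "W", or "*"

@dataclass(frozen=True)
class PPernr:
    infotypes: frozenset
    levels: frozenset
    psign: str  # "I" = own record included, "E" = own record excluded

def _covers(auth, infotype, level):
    return (("*" in auth.infotypes or infotype in auth.infotypes)
            and ("*" in auth.levels or level in auth.levels))

def may_access(own, target, infotype, level, orgin=(), pernr=()):
    """Decide access to `target`'s infotype for the user whose own number is `own`."""
    if target == own:
        signs = {a.psign for a in pernr if _covers(a, infotype, level)}
        if "E" in signs:   # own record removed even where P_ORGIN allows it
            return False   # (E beating I is this model's assumption)
        if "I" in signs:   # own record granted without any P_ORGIN
            return True
    # P_PERNR never widens access to other people's records
    return any(_covers(a, infotype, level) for a in orgin)

def scenarios():
    pay = frozenset({"0008"})  # constructed sample: infotype 0008
    broad = [POrgin(pay, frozenset({"R", "W"}))]
    own_only = [PPernr(pay, frozenset({"R"}), "I")]
    not_self = [PPernr(pay, frozenset({"W"}), "E")]
    return {
        "orgin_sees_other": may_access("1001", "2002", "0008", "R", orgin=broad),
        "I_sees_self": may_access("1001", "1001", "0008", "R", pernr=own_only),
        "I_sees_other": may_access("1001", "2002", "0008", "R", pernr=own_only),
        "E_alone_sees_other": may_access("1001", "2002", "0008", "W", pernr=not_self),
        "hr_writes_other": may_access("1001", "2002", "0008", "W", broad, not_self),
        "hr_writes_self": may_access("1001", "1001", "0008", "W", broad, not_self),
        "hr_reads_self": may_access("1001", "1001", "0008", "R", broad, not_self),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:20} {allowed}")
```

The first scenario is the situation in the question: a broad P_ORGIN authorization in any assigned role is enough to expose other users' records, so the fix is to find and narrow that authorization rather than to add P_PERNR.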

Former Member
0 Kudos

Thanks a bunch, Guyz, will mark it solved, once I try with the solution given.

Regards,

Venkat