06-04-2009 6:22 PM
Hello,
We use SAP for HR, Benefits, Payroll and (ESS) Employee Self Services. We limit the users in ESS to their own data using P_PERNR.
I've recently been asked if we can secure and restrict users from viewing/maintaining data for Peers?
Does anyone have any experience or documentation for limiting a users access to exclude their Peers?
Thanks in advance for any suggestions.
Penny
06-04-2009 7:05 PM
By using a combination of p_orgin (N/A) and p_pernr (infotype 0008) and ( I ), if we are talking about not seeing peers pay.
Sapsec-HB
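To make the combination above concrete, here is an added example (not from the thread and not SAP code) that models in Python how a P_ORGIN authorization on the target employee's organizational assignment and a P_PERNR authorization on the user's own personnel number combine to decide access to infotype 0008. The employees, personnel numbers, role values and the evaluation order (an E exclusion wins, an I grant needs no P_ORGIN, otherwise P_ORGIN decides) are assumptions made for illustration; the real check has more fields and switches.

```python
"""
Simplified model of an SAP HR master-data authorization check that
combines P_ORGIN (org assignment of the TARGET employee) with P_PERNR
(the user's OWN personnel number, include/exclude).
Added example; field subset, precedence and sample data are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    pernr: str   # personnel number
    persa: str   # personnel area
    persg: str   # employee group
    persk: str   # employee subgroup


@dataclass(frozen=True)
class POrgin:
    """One P_ORGIN authorization (subset of its fields)."""
    authc: str          # activity: 'R' read, 'M' change/maintain, '*' all
    infty: str          # infotype, e.g. '0008' basic pay, '*' all
    persa: str = "*"
    persg: str = "*"
    persk: str = "*"


@dataclass(frozen=True)
class PPernr:
    """One P_PERNR authorization; only relevant when target == own PERNR."""
    authc: str
    infty: str
    psign: str          # 'I' include own PERNR, 'E' exclude own PERNR


def _match(value: str, pattern: str) -> bool:
    return pattern == "*" or value == pattern


def authorized(user: Employee, orgin, pernr, target: Employee,
               infty: str, authc: str) -> bool:
    """True if `user` may perform `authc` on `infty` of `target`."""
    if target.pernr == user.pernr:
        hits = [a for a in pernr
                if _match(infty, a.infty) and _match(authc, a.authc)]
        # Assumed precedence: explicit 'E' exclusion wins, an 'I' grants
        # own data without any P_ORGIN, otherwise fall through to P_ORGIN.
        if any(a.psign == "E" for a in hits):
            return False
        if any(a.psign == "I" for a in hits):
            return True
    # P_ORGIN only looks at the target's org assignment; nothing in it
    # knows whether the target is a "peer" of the user.
    return any(_match(infty, a.infty) and _match(authc, a.authc)
               and _match(target.persa, a.persa)
               and _match(target.persg, a.persg)
               and _match(target.persk, a.persk)
               for a in orgin)


# Constructed sample data: PENNY and PAT are peers (same area/group/subgroup).
PENNY = Employee("00001001", "1000", "1", "DU")
PAT = Employee("00001002", "1000", "1", "DU")
OTHER = Employee("00002001", "2000", "1", "DU")

# Pure ESS role: no P_ORGIN at all, own record only via P_PERNR 'I'.
ESS_ORGIN = ()
ESS_PERNR = (PPernr("R", "*", "I"),)

# Clerk role: read pay (0008) for area 1000, but excluded from own pay.
CLERK_ORGIN = (POrgin("R", "0008", persa="1000"),)
CLERK_PERNR = (PPernr("R", "0008", "E"),)


def scenarios() -> dict:
    """Evaluate the sample roles against own, peer and other-area records."""
    return {
        "ess_own": authorized(PENNY, ESS_ORGIN, ESS_PERNR, PENNY, "0008", "R"),
        "ess_peer": authorized(PENNY, ESS_ORGIN, ESS_PERNR, PAT, "0008", "R"),
        "clerk_peer": authorized(PENNY, CLERK_ORGIN, CLERK_PERNR, PAT, "0008", "R"),
        "clerk_other_area": authorized(PENNY, CLERK_ORGIN, CLERK_PERNR, OTHER, "0008", "R"),
        "clerk_own": authorized(PENNY, CLERK_ORGIN, CLERK_PERNR, PENNY, "0008", "R"),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The ESS user sees only her own 0008 record because she holds no P_ORGIN at all, and the clerk is kept out of her own pay by the P_PERNR exclusion, but the peer in the same personnel area stays visible to the clerk: neither object has a field that identifies a peer, so separating peers while keeping P_ORGIN access requires them to differ in an org field the authorization can select on.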
07-17-2009 8:50 PM
Thank you for the response. I am pretty familiar with P_ORGIN and P_PERNR objects and I guess I need HR to define Peers. I believe they want users to be able to view and maintain 'some' people's pay, but not someone in their department??
I'll get clarification before seeing further information.
Thank you.
Penny
07-20-2009 11:27 PM
> I've recently been asked if we can secure and restrict users from viewing/maintaining data for Peers?
Are you referring specifically to the PA Department?
If there is no valid reason to view anything, use p_pernr for themselves.
Perhaps you could explain your question more clearly?
Cheers,
Julius
07-21-2009 8:39 PM
When asking HR folks for more specific information on their request, they stated that this is not a concern at this time and I need not spend any more time on this.
Thank you all who participated. I'll be more thorough next time.
07-21-2009 10:15 PM
Perhaps this was a precursor in the direction of SoDOff (Segregation of Department Offices)?
I guess they realized that they would need an organizational restructuring to make this possible...
My recommendation would be to look for compensating controls. There are many tools for this in HR, and you don't need to paralyze your processes to be compliant with some potential risks.
Generally, if you make your processes very efficient and also largely automated, then the possibility for human intervention (and their access) can be restricted further as well at the application layer (if the user is restricted to that).
A good example is provisioning of data, in the stead of manually entering it.
Cheers,
Julius
Edited by: Julius Bussche on Jul 21, 2009 11:16 PM