06-09-2009 10:09 AM
Hello experts,
Normally, the difference between a Parent role and its derived roles is in terms of organization levels.
I heard that there is a workflow method to do restriction without using derived roles:
- it uses only the simple parent roles with authorization objects and without organization levels
- it assigns these roles to users, then it assigns the users to organizational units, which are the old concept (organization levels).
- So the actions mentioned by the authorization objects of a role assigned to a user X take place only on organizational units authorized for user X.
Is there someone who has some information about that? How to do that? What are the transactions which can do that? Is it possible to do that with the transaction PPOMW?
Please help me.
Best regards.
Edited by: Habilitaion on Jun 9, 2009 11:10 AM
06-09-2009 2:07 PM
Hi,
In release 4.0 SAP implemented an authorization concept that differentiated between functions and organizational area. But since 4.6 this concept was switched to derivation of roles.
HR comes with structural authorizations that can be used in addition to the standard authorizations. This kind of authorization secures HR data only. It cannot be used for financial or logistics data. The access is calculated at runtime via the organizational structure defined in HR. It is possible to restrict the access to personnel data of your own organizational unit.
Here is the help regarding structural authorizations:
http://help.sap.com/erp2005_ehp_04/helpdata/EN/c2/936f3ee3c33f7ce10000000a114084/frameset.htm
Hopefully I understood your question. Otherwise ignore my post.
Regards
Rainer
06-09-2009 7:46 PM
There is such a thing as "workflow", where scenarios can be used to process data from end user applications and the authority checks are performed within the workflow engines.
You can use this for different scenarios of various types - but you cannot feasibly run a whole system on it and avoid maintaining all org levels that way. In comparison, learning English will be much, much easier...
Basically, you send workitems into the engine and, based on the processing rules it has, it will do that which you have instructed it to do, including waiting for further approvals etc.
Cheers,
Julius