CATS_APPR_LITE - restricting ability to approve own time
I have a question regarding transaction CATS_APPR_LITE. Is this transaction intended to be used only by "master" time administrators?
My reason for asking is that I cannot find a way to restrict a user who has access to this transaction from approving their own time. I can restrict this capability when they use CAPS, but the same P_PERNR and/or P_ORGIN authorization objects restrictions don't seem to work in CATS_APPR_LITE. To give you some more background, I've created three levels of security around time entry/approval. The first level restricts the user to only enter their own time. This role is assigned to all users. The second level allows a user to enter time for another employee in the same organizational key. This role is assigned to all managers and admin assistants (in addition to the first level role mentioned previously). The third level allows a user to approve time within their organizational key. This role is assigned to department managers (in addition to the two previously mentioned roles) so they can approve their staff's time but not their own (at least when they use CAPS to approve time). However, we also have CATS_APPR_LITE included in this role so users have an option between the two time approval transactions. Should we just disallow using CATS_APPR_LITE or am I missing something in my authorization object restrictions? I would think these two time approval transactions would perform identical authority checks but they obviously don't. Does anyone have any suggestions?