
CATS_APPR_LITE - restricting ability to approve own time

Michael_Chohrac
Participant
0 Kudos

I have a question regarding transaction CATS_APPR_LITE. Is this transaction intended to be used only by "master" time administrators?

My reason for asking is that I cannot find a way to restrict a user who has access to this transaction from approving their own time. I can restrict this capability when they use CAPS, but the same P_PERNR and/or P_ORGIN authorization object restrictions don't seem to work in CATS_APPR_LITE.

To give you some more background, I've created three levels of security around time entry/approval. The first level restricts the user to only enter their own time. This role is assigned to all users. The second level allows a user to enter time for another employee in the same organizational key. This role is assigned to all managers and admin assistants (in addition to the first level role mentioned previously). The third level allows a user to approve time within their organizational key. This role is assigned to department managers (in addition to the two previously mentioned roles) so they can approve their staff's time but not their own (at least when they use CAPS to approve time). However, we also have CATS_APPR_LITE included in this role so users have an option between the two time approval transactions.

Should we just disallow using CATS_APPR_LITE or am I missing something in my authorization object restrictions? I would think these two time approval transactions would perform identical authority checks but they obviously don't. Does anyone have any suggestions?

20 REPLIES 20

Former Member
0 Kudos

Sorry, I did not read your question carefully. Please ignore first answer...

2nd attempt: Run an ST01 trace for both. Click on the P_PERNR check and in the top left corner there is a little "jump to source code" button.

Compare the coding of how the authority checks are made and any comments (or referenced SAP notes).

Cheers,

Julius

Edited by: Julius Bussche on Jun 12, 2009 3:38 PM

Edited by: Julius Bussche on Jun 12, 2009 3:40 PM

0 Kudos

Julius, I have played around with P_PERNR in every way imaginable and still cannot get it to work. As I stated, everything works as required when transaction CAPS is used but not when CATS_APPR_LITE is used. I even started from scratch and built a new role with just CATS_APPR_LITE contained within it - and no other P_ORGIN or P_PERNR auth object settings anywhere else in the user account - and still cannot get it to work. As soon as I get all the settings right to allow the user to approve staff time, it then allows them to approve their own time.

0 Kudos

Hi,

Please check whether the 2 transactions have the Check Maintained option in common in su24. I don't think it's the same for both the transactions. Hence you are facing the problem related to CATS_APPR_LITE when trying to restrict it the same as CAPS. Instead of controlling it via p_pernr it's better to use object p_orgin in this issue. But how to restrict and in which value can be determined by running a trace against CAPS. It should show p_orgin. Check the values and objects it is checking and then implement the same in su24 for CATS_APPR_LITE. It should work.

Regards

Aveek.

0 Kudos

I am relatively new to SAP security and am not very familiar with SU24 yet. Here is what shows for transaction CAPS:

P_ABAP HR: Reporting Check NO

P_ORGIN HR: Master Data Check YES

P_PCLX HR: Clusters Check NO

P_PERNR HR: Master Data - Personnel Number Check Check NO

S_ALV_LAYO ALV Standard Layout Check NO

S_CTS_ADMI Administration Functions in Change and Transport System Check NO

S_DATASET Authorization for file access Check NO

S_DEVELOP ABAP Workbench Check NO

S_GUI Authorization for GUI activities Check NO

S_OC_DOC SAPoffice: Authorization for an Activity with Documents Check NO

S_OC_ROLE SAPoffice: Office User Attribute Check NO

S_OC_SEND Authorization Object for Sending Check NO

S_OLE_CALL OLE calls from ABAP programs Check NO

S_TCODE Transaction Code Check at Transaction Start Check NO

And here is what shows for transaction CATS_APPR_LITE:

K_VRGNG CO: Bus. Trans., Actual Postings and Plan/act. Allocations Check NO

P_ABAP HR: Reporting Check NO

P_CATSXT HR: Time Sheet for Service Providers Type/ Level Check Check NO

P_ORGIN HR: Master Data Check NO

P_ORGINCON HR: Master Data with Context Check NO

P_PCLX HR: Clusters Check NO

P_PERNR HR: Master Data - Personnel Number Check Check NO

P_TRAVL Travel Expenses Check NO

PLOG Personnel Planning Check NO

S_ALV_LAYO ALV Standard Layout Check NO

S_BDS_DS BC-SRV-KPR-BDS: Authorizations for Document Set Check NO

S_BTCH_ADM Background Processing: Background Administrator Check NO

S_BTCH_JOB Background Processing: Operations on Background Jobs Check NO

S_CTS_ADMI Administration Functions in Change and Transport System Check NO

S_DATASET Authorization for file access Check NO

S_DEVELOP ABAP Workbench Check NO

S_DOKU_AUT SE61 Documentation Maintenance Authorization Check NO

S_GUI Authorization for GUI activities Check NO

S_OC_DOC SAPoffice: Authorization for an Activity with Documents Check NO

S_OC_ROLE SAPoffice: Office User Attribute Check NO

S_OC_SEND Authorization Object for Sending Check NO

S_PRO_AUTH IMG: New authorizations for projects Check NO

S_RFC Authorization Check for RFC Access Check NO

S_SPO_DEV Spool: Device authorizations Check NO

S_TABU_DIS Table Maintenance (via standard tools such as SM30) Check NO

S_TCODE Transaction Code Check at Transaction Start Check NO

S_TRANSLAT Translation environment authorization object Check NO

S_TRANSPRT Transport Organizer Check NO

It looks like both P_ORGIN and P_PERNR are being checked in both transactions. Am I reading this right?

0 Kudos

Hi,

The list is long enough, but if we view it discretely we find there is no "Yes", so I guess none of the fields for this transaction are check maintained. Hence it's not behaving the same way as CAPS. For CAPS I guess you will find at least one Yes there (my guess p_orgin or p_pernr). It won't be wise to make the p_orgin Yes for CATS_APPR_LITE and have it function as CAPS, as it's not a customised T-code. Hence try to provide the same values to p_orgin or p_pernr for CATS_APPR_LITE as in CAPS and check the output using an ST01 trace.

1. Check su24 for CAPS

2. Find the auth object that is Yes.

3. Check the values for that object against CAPS.

4. Use the same values in CATS_APPR_LITE.

There is a possibility it won't work as all auth objects are NO for CATS_APPR_LITE in your su24.

Let me know if you understand my above details.

Regards

Aveek.

0 Kudos

Aveek,

My apologies on the formatting of my previous post. I could not figure out how to format it so it was more readable. I actually included the SU24 settings for both CAPS and CATS_APPR_LITE in the previous post. In CAPS, P_ORGIN is set to "Check / Yes", while in CATS_APPR_LITE it is set to "Check / No". I'm not sure what you mean by step 3 - "Check the values for that object against CAPS". I have both of these tcodes included in the same role - is that what you mean?

0 Kudos

Hi,

So my guess that it should be Yes for P_Orgin was on par with your settings :-). Now to make CATS_APPR_LITE behave the same way in su24 you need to make it Yes. Since both the txns are in the same role, after you make CATS_APPR_LITE Yes in su24 you need to remove the txn from the role and include it again to make the su24 changes effective. In su24 you will need to give the transport number for the Workbench Request. It will automatically pop up when you make the change in su24; then remove the txn CATS_APPR_LITE and add it again in the Dev System. Test whether it is working as you need. If not please let me know.

Regards

Aveek.

0 Kudos

Aveek,

I followed your instructions per your last post. However, even though CAPS prevents me from approving my own time, CATS_APPR_LITE still allows it. Any further suggestions?

0 Kudos

I created a new role that just contains CATS_APPR_LITE. I've removed all other P_PERNR and P_ORGIN access from my user account except for what is contained within this newly created role. In fact, I have no P_PERNR access at all and only the following P_ORGIN access in the new role. It still allows me to approve my own time. Could it be simply a matter of the fact that I am in the same organizational key as the people I need to approve, and since I've given myself the ability to approve their time, by default I have the ability to approve my time? FYI, I'm using the same logic for transaction CAPS and it works as desired - I can approve other people's time but not my own. Is my organizational key logic what's causing the issue? If so, I do not know of any other way to set everything up so that all employees can enter their own time, but only select employees can enter and approve their subordinates' time, but cannot approve their own time.

-


AUTHC <FLD> Authorization level

D

INFTY <FLD> Infotype

0328

PERSA <FLD> Personnel Area

PERSG <FLD> Employee Group

*

PERSK <FLD> Employee Subgroup

SUBTY <FLD> Subtype

' '

VDSK1 <FLD> Organizational Key

10000000004141

10000000004142

10000000004143

10000000004144

20000000004141

30000000004141

40000000004141

50000000004141

60000000004141

___________________________________________________________

AUTHC <FLD> Authorization level

R

INFTY <FLD> Infotype

0000

0001

0002

PERSA <FLD> Personnel Area

PERSG <FLD> Employee Group

PERSK <FLD> Employee Subgroup

SUBTY <FLD> Subtype

' '

VDSK1 <FLD> Organizational Key

10000000004141

10000000004142

10000000004143

10000000004144

20000000004141

30000000004141

40000000004141

50000000004141

60000000004141

0 Kudos

Hi,

See, the organization structure and the position mapping can be referred to in po13. But one thing that can be done here is to run a trace for CAPS. Find out the authorization objects that are coming, starting with p*, e.g. (p_orgin, p_pernr) etc. Find out the values it refers to in the fields like Infotype, subtype etc. Get into the role which only has the CATS* txn and give the same values.

Regards

Aveek.

0 Kudos

I ran traces for both CAPS and CATS_APPR_LITE while trying to approve my own time. For CAPS, there appear to be several more auth checks performed than with CATS_APPR_LITE. I'm not sure I understand the significance of lines with RC=0 versus RC=4. Are RC=4 lines auth checks that failed? How do I determine which auth values to include?

Here are the trace results for CAPS:

P_ABAP RC=4 REPID=RCATSC01;COARS=2;

P_ABAP RC=0 REPID=SAPDBPNP;COARS=2;

P_PERNR RC=4 AUTHC=R;PSIGN=*;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=R;PSIGN=E;INFTY=0328;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=I;INFTY=0328;SUBTY=' ';

P_ORGIN RC=4 INFTY=0328;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

P_PERNR RC=4 AUTHC=R;PSIGN=*;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=R;PSIGN=E;INFTY=0328;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=I;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=R;PSIGN=*;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=R;PSIGN=E;INFTY=0328;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=I;INFTY=0328;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';

P_ORGIN RC=4 INFTY=0000;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';

P_ORGIN RC=4 INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';

P_ORGIN RC=4 INFTY=0002;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';

P_ORGIN RC=4 INFTY=0007;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';

P_PCLX RC=0 RELID=B2;AUTHC=R;

P_PCLX RC=0 RELID=B2;AUTHC=R;

P_PCLX RC=0 RELID=B2;AUTHC=R;

P_PCLX RC=0 RELID=B2;AUTHC=R;

S_ALV_LAYO RC=0 ACTVT=23;

S_GUI RC=0 ACTVT=61;

S_GUI RC=0 ACTVT=61;

P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';

P_ORGIN RC=4 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=;PERSG=;PERSK=;VDSK1=;

P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';

P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;

P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';

P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=1000;PERSG=2;PERSK=01;VDSK1=10000000004141;

P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=2000;PERSG=2;PERSK=01;VDSK1=10000000004141;

P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=2002;SUBTY=0800;

P_PERNR RC=0 AUTHC=D;PSIGN=E;INFTY=2002;SUBTY=0800;

P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=2002;SUBTY=0800;

P_PERNR RC=0 AUTHC=D;PSIGN=E;INFTY=2002;SUBTY=0800;

P_ORGIN RC=0 INFTY=2002;SUBTY=0800;AUTHC=D;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;

P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=2002;SUBTY=0800;

P_PERNR RC=0 AUTHC=D;PSIGN=E;INFTY=2002;SUBTY=0800;

Here is the trace for CATS_APPR_LITE:

P_ABAP RC=4 REPID=RCATS_APPROVE_ACTIVITIES;COARS=2;

P_ABAP RC=0 REPID=SAPDBPNP;COARS=2;

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';

P_ORGIN RC=4 INFTY=0000;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';

P_ORGIN RC=4 INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';

P_ORGIN RC=4 INFTY=0002;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';

P_ORGIN RC=4 INFTY=0007;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';

P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';

P_ORGIN RC=4 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=;PERSG=;PERSK=;VDSK1=;

P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';

P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;

P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';

P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';

P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=1000;PERSG=2;PERSK=01;VDSK1=10000000004141;

P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=2000;PERSG=2;PERSK=01;VDSK1=10000000004141;

S_ALV_LAYO RC=0 ACTVT=23;

S_ALV_LAYO RC=0 ACTVT=23;

S_GUI RC=0 ACTVT=61;

0 Kudos

Hi,

Your settings should match the value

P_ORGIN RC=4 INFTY=0328;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

You need to restrict the role containing the CATS* transaction and remove the value "R" (Authc) from it in p_orgin to get it restricted. Check it and let me know.

Regards

Aveek.

former_member701183
Active Participant
0 Kudos

Hi,

You may also refer to this thread "CATS Timesheet creator and approver" for checking the settings needed in p_orgin and p_pernr as an example against CATS*

Regards

Aveek.

former_member701183
Active Participant
0 Kudos

Hi,

The process that is to be followed is:

Check for the objects for CAPS for which RC=4. Compare that with CATS* RC=4. We need to make those the same. As with CAPS you are getting RC=4, which means you are restricted on that. The same restriction needs to be followed for CATS*. Hope this will help.

Regards

Aveek.

0 Kudos

I'm still not sure I understand what needs to be done. In comparing the traces between CAPS and CATS_APPR_LITE, it appears there are 4 auth checks that are being executed in CAPS that aren't even being checked in CATS_APPR_LITE.

P_PERNR AUTHC=R; PSIGN=*; INFTY=0328; SUBTY=' '

P_PERNR AUTHC=R; PSIGN=E; INFTY=0328; SUBTY=' '

P_ORGIN AUTHC=R; INFTY=0328; PERSA=; PERSG=; PERSK=; SUBTY=' '; VDSK1=

P_PERNR AUTHC=D; PSIGN=*; INFTY=2002; SUBTY=0800

All of the other auth checks in CAPS with RC=4 are behaving the same in CATS_APPR_LITE. It's actually the 4th auth check shown above that I'm wondering is the culprit as this is one of the last checks done before I get the "not authorized" pop-up within CAPS.
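An added example, not part of any post in this thread: a short Python script that parses ST01 lines in the format posted above and lists the checks one transaction performs that the other never does, instead of comparing the two traces by eye. The sample lines are abridged from the traces in the thread, and the function names are this example's own.

```python
import re

# Abridged from the ST01 output posted in this thread (not the full traces).
CAPS_TRACE = """\
P_PERNR RC=4 AUTHC=R;PSIGN=*;INFTY=0328;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=4 INFTY=0328;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=1000;PERSG=2;PERSK=01;VDSK1=10000000004141;
P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=2002;SUBTY=0800;
P_PERNR RC=0 AUTHC=D;PSIGN=E;INFTY=2002;SUBTY=0800;
"""
LITE_TRACE = """\
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=1000;PERSG=2;PERSK=01;VDSK1=10000000004141;
"""

# "<object> RC=<n> <FIELD=value;...>"; RC=0 is a passed check, RC=4 a failed one.
LINE = re.compile(r"^(\S+)\s+RC=(\d+)\s+(.*)$")


def parse_trace(text):
    """Map each distinct check (object, sorted field values) to the RCs seen."""
    checks = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything that is not a check
        obj, rc, rest = m.group(1), int(m.group(2)), m.group(3)
        fields = {}
        for pair in rest.split(";"):
            if "=" in pair:
                name, value = pair.split("=", 1)
                # Simplification: ' ', blank and empty are treated as equal.
                fields[name.strip()] = value.strip().strip("'").strip()
        key = (obj, tuple(sorted(fields.items())))
        checks.setdefault(key, set()).add(rc)
    return checks


def only_in(a, b):
    """Checks performed in trace a that never appear in trace b."""
    return {key: rcs for key, rcs in a.items() if key not in b}


def describe(key):
    obj, fields = key
    return obj + " " + ";".join(f"{n}={v}" for n, v in fields)


if __name__ == "__main__":
    caps, lite = parse_trace(CAPS_TRACE), parse_trace(LITE_TRACE)
    missing = only_in(caps, lite)
    for key in sorted(missing):
        print("CAPS only:", describe(key), "RC seen:", sorted(missing[key]))
```

Field order is normalised before comparing, so a P_ORGIN line that lists INFTY first matches one that lists AUTHC first.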

0 Kudos

FYI, I ran traces against CATS_APPR_LITE for both approving my own time and for approving someone else's time. I found it interesting that the trace showed about a dozen additional auth checks that were done for approving someone else's time versus approving my own time. Why would that be? I would think there would be more checks for trying to approve your own time. I'll admit I'm thoroughly confused on this whole issue now.

0 Kudos

Hi,

Please copy the values of p_orgin and p_pernr or other common p* objects of the role which has the CAPS txn into the role for CATS*.

1. Check the p* objects in role which has CAPS.

2. Find out the p* objects in role for CATS*

3. Insert the same values which CAPS role has in p* objects.

Regards

Aveek.

0 Kudos

Aveek,

The issue I have is that both of these transactions - CAPS and CATS_APPR_LITE - are already in the same role, so they already share common values for all p* objects, and it still does not work.

0 Kudos

Hi,

I was actually thinking of separating the CATS* transaction into a new role and asking you to check all these traces and authorizations. In the same role it will be difficult, as CAPS and CATS* have different coding.

Regards

Aveek.

0 Kudos

Sorry, I should have clarified my previous post. I ran the traces for each while they were in separate roles to get the differences but since all of the auth checks were the same except for the extra ones when tracing CAPS, there didn't seem to be a need to make any changes in the separate CATS* role.