Excessive Access to Infotypes.
Hi all, greatly appreciate if someone can advice on a situation i encounter.
Setup. I have setup a role with Access to Employee Group 1-3 (excluding 0).
I then assign this role to a User A.
User A tries to access Employee ZZ whereby Employee ZZ has the following records in IT0001 (Org Assignment).
01.01.1999 to 31.12.2003 (Employee Group = 3)
01.01.2004 to 31.03.2009 (Employee Group = 3)
01.04.2009 to 31.12.9999 (Employee Group = 0)
As you can see, the latest record points to EE group 0, which User A does not have access to.
Now User A tries to access a Customised Infotype 9xxx of this Employee ZZ with the following records;
01.01.2009 to 31.03.2009
01.04.2009 to 31.12.9999
My problem here is that based on IT0001 record, User A should not have access to employee ZZ based on the latest Org Assignment, and therefore should not be able to access IT9xxx of this employee ZZ. However User A is able to access BOTH records.
I then did a test, such that if i remove '3' from the role (meaning it's left with 1-2 EE group access), User A will then be restricted from viewing the record.
Is there any setting i can do to prevent such access? My understanding is that at the very most, User A should see only the earlier record of 9XXX but why is the latest record (01042009 to 31129999) showing as well ?
Baffled about, this. Hope someone can enoighten.