Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Revoke Structural Profiles assignement not working

Former Member
0 Kudos

Friends,

I assgined he PD profile to postion (4000161) by following below steps.

1. PO 13 updated the position 4000161 with PD profile ZHRPD and saved it.

2. SA38 ->.> executed RHPROFL0 for 4000161 position by selecting check box "Generating Auth Profiles for PD authorization"

3. T77UA did get populated with ZTRAIN70 ID for new user

Tested the profile assignement, it is working fine for OU.

However, I am not sure how can I revoke this by running the RHPROFL0 report.

I ran the report RHPROFL0 again by selecting Delete Mannually maitained Auth profiles and selecting

PD authorization checkbox only BUT it did not remove or revoke anything for ZTRAIN70 user and his position 4000161

Can someone please guide me how can I revoke or unassign the PD profile for this user?

Thanks,

From

Pranav

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Pranav,

If you manually maintain a T77UA entry for a user via OOSB, and if you want to delete that entry and only maintain the PD assignment through Position (or ORG, if maintained), then you should check the PD profile under 'Delete Manually Maintained Authorization'. This option only works when the PD profile is also checked under "generate authorization profiles'.

Hope this clarifies

Abhishek

7 REPLIES 7

Former Member
0 Kudos

This message was moderated.

0 Kudos

Hi Pranav,

Remove the PD profile from the position and run RHPROFL0 for the position with only 'generate authorization profiles' with PD authorizations checked. This will remove the PD profile from T77UA

Thanks

Abhishek

0 Kudos

Hi Abhishek

Do I need to check anything for Delete Manually Maintained Authorization?

Please let me know.

From

Pranav

Former Member
0 Kudos

Hi Pranav,

If you manually maintain a T77UA entry for a user via OOSB, and if you want to delete that entry and only maintain the PD assignment through Position (or ORG, if maintained), then you should check the PD profile under 'Delete Manually Maintained Authorization'. This option only works when the PD profile is also checked under "generate authorization profiles'.

Hope this clarifies

Abhishek

0 Kudos

Thanks, as per log it did work. Now ZTRAIN70 does not exists in T77UA.

Just a quick check-

We are trying to implment the Structural Auth for Performance Manangment module ( PM)ONLY.

As per SAP Document, it is only requesting to add ZHRPD ( PD profile) to P_HAP_DOC auth object in the Role and

have User Added to T77UA table.

My question is -

Do I have to attach PD profile for Position in PO13? Can I just add user directly to the table T77UA mannually?

Woud that work? We are position based security but the document does not mention any thing about it.

Pleaes advise.

Thanks again.

From,

Pranav

0 Kudos

Technically, an entry in T77UA would do the trick, be it coming from Position or be it a manual entry in the table. I think T77UA is a table which allows update when the client setting is set to production. So, access to OOSB should suffice.

Assigning at the position helps the overhead of PD profile maintenance on a position change for any user, as they will inherit the role and PD profile through RHPROFL0. Manually maintaining it will just need an extra step.

Likewise, if you get users who are not part of the ORG and need a PD profile, a manual entry might be needed in such cases

Just remember, no entry in T77UA defaults a users PD profile to user SAP*

Cheers

Abhishek

0 Kudos

> Just remember, no entry in T77UA defaults a users PD profile to user SAP*

To tweak the comment a bit: it defaults to the PD profile of SAP* if none is found for the employee themselves, which might also include contractors maintained in HCM.... SAP* does not have to have * type structural authorization access. It only means that if you activate it and don't maintain any PD profiles, you are not impacted.

It is a little bit like like SAP* & SAP_ALL in the normal authorization concept - you can modify the authorizations behind the profile as well if you want to, or disable the user completely.

Cheers,

Julius