- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- Coexistence of org key and structural authorisatio...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Coexistence of org key and structural authorisation restrictions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-04-2009 1:53 AM
Hi All,
We are doing prototype on structural authorisations to check the coexistence of org key
(currently,used in all HR/Payroll roles) and structural profiles(to be implemented only for LSO roles).
Initial testing failed as structural authorisation is overriding org key restriction.In the test scenario,
Payroll Manager who is also a LMS Manager is not able to access any employees outside the org unit specified
in structural authorisation restriction.
To overcome this limitation, I guess we will have to activate context sensitive auth object P_ORGINCON.
Has anyone come across this scenario before? If we activate P_ORGINCON, do we have to update this object to
include the values contained in P_ORGIN(which is currently utilised in HR/Payroll roles)?
Any ideas are appreciated.
Regards,
Pavana
Edited by: Pavana Mallavaram on Dec 4, 2009 11:55 AM
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-07-2009 10:30 AM
Hi,
If you are using context dependent authorization you also have to change some settings with transaction OOAC(T77SO). You have to activate incon (value 1) and deactivate orgin (value 0). In the role you have to copy the P_ORGIN values to P_ORGINCON and in the field PROFL you put in your structural authorization(T77PQ, T77PR). The structural authorization should also be in T77UA so I read, but that I have to verify. There are some more questions asked about this in this forum, so try a search.
Have fun
Bye Jan van Roest
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-07-2009 10:30 AM
Hi,
If you are using context dependent authorization you also have to change some settings with transaction OOAC(T77SO). You have to activate incon (value 1) and deactivate orgin (value 0). In the role you have to copy the P_ORGIN values to P_ORGINCON and in the field PROFL you put in your structural authorization(T77PQ, T77PR). The structural authorization should also be in T77UA so I read, but that I have to verify. There are some more questions asked about this in this forum, so try a search.
Have fun
Bye Jan van Roest
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-10-2009 6:36 AM
Thanks for the reply.
We are not going to follow the context sensitive authorisation approach as all the exisitng HR/Payroll roles(>10,000) have to be modified. We are looking at other options such as using bypass BADI's to exclude structural restriction for some users on specific transaction codes.
Has anyone used this approach?
Regards,
Pavana
- SAP Managed Tags:
- Security
