Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Security on Qualification Object

Former Member

‎06-17-2010 10:18 PM

0 Kudos

I have a requirement to set up security for qualifications such that all qualifications (Q) within a particular qualification group (QK) be visible to the employee who holds the qualification so that they can add, modify and delete qualifications in this group through ESS. That part is standard. The tricky part is that managers should NOT be able to see that their employees hold qualificaitons from this qualification group. Managers must be able to see all other qualificaitons the employee holds, just not any from that qualification group. All other qualification groups must function as normal where a manager may view, update, modify and delete their employees qualifications through MSS.

More information that may or may not be useful. We are deploying the standard delivered qualification managed tools through ESS and MSS that allow an employee to add, modify and delete their own qualifications and also allows managers to do the same. Qualification groupings (QK) are objects stored in HRP1000 and they are related to employees through HRP1001. Also, I am almost completely unfamiliar with how security is done in SAP. Thank you I appreciate any help that can be provided.

Whitney

3 REPLIES 3

Former Member

‎06-21-2010 11:01 PM

0 Kudos

Hi Whitney,

Make sure to create qualification tasks in such a way that it does not get included in the Qualification catalog before creating the profile which will be assigned to the Employees Manager.

Former Member

‎06-22-2010 12:01 AM

0 Kudos

Whitney,

Let say you have User1 to User3.

Qualigication: Q1 to Q20

Qualification group: group1 to group5

Group1 : Q1 to Q5

Group2 : Q6 to Q7

group3: Q8 to Q14

Let stay

User 1 will be able to see group1

User 2 will be able to see group2

user 3 will be able to see group3

Now manger will be able to see

Manager will be able to see : Q15 to Q20

So you can restrict on P_ORGIN

User 1 will get group1 access:

Infotype : Enter your infotype

Subtype: Subtype

Authorization Level : W

Personnel Area

Employee Group: group1

Employee Subgroup

Organizational Key

Manager will get:

Manager will get access to Q15 to Q20:

Infotype : Enter your infotype

Subtype: Subtype

Authorization Level : W

Personnel Area

Employee Group: Q15 to Q20

Employee Subgroup

Organizational Key

Thanks,

Sri

Former Member

‎09-16-2010 5:44 AM

0 Kudos

Hi,

Use context sensitive authorisations P_ORGINCON (switch on in tcode OOAC).

AUTSW INCON 1

Create structural profile (OOSP) which returns employees of manager and all Q objects what manager should see from his/her subordinates. nnnnnnnn refers to the Qualification Group (QK) which has the qualifications manager should be able to see. Make also sure that all employees and managers have their infotype 0105 subtype 0001 mapped to their user id.

<your manager profile>|10|01|O | |X|O-O-S-P |12| | |D|RH_GET_MANAGER_ASSIGNMENT

<your manager profile>|20|01|QK|nnnnnnnn| |QUALCATA|12| | | |

Then assign that to manager user-id (OOSB) and add this object P_ORGINCON to manager role (PFCG):

AUTHC: R

INFTY: 0024

PERSA: *

PERSG: *

PERSK: *

SUBTY: *

VDSK1: *

PROFL: <your manager profile>

99% of the companies use the "new" assignement of qualifications to employee using relationships (infotype 1001 between objects Q and P). But still authorisation to see which qualifications can be seen is depending on infotype 0024 authorisations. In the future also PLOG_CON object can be used to achieve this but it is not currently supported...

Regards,

Saku