06-28-2010 8:30 AM
I'm trying to identify all authorizations required to execute PC00_M06_CEDT (report RPCEDTF0: french payslip) properly.
Currently I have the following:
S_TCODE: PC00_M06_CEDT
S_PROGRAM: SUBMIT / VARIANT for RP
P_PCLX: R for CU / RF
To make it finally work, there are two possibilities:
- P_ABAP: 2 for RPCEDTF0
- P_ORGIN / P_ORGINCON.
Here's the problem: The role will be assigned to different employees whereas each employee is allowed to see a different population of PERNR. Therefore, P_ABAP isn't a solution.
Now I'm trying to identify all infotypes for P_ORGIN so that the report executes properly. I've done that via a system trace and the list of infotypes is 0000, 0001, 0002, 0006, 0007, 0008, 0016, 0032, 0041, 0064, 0128, 0217, 0272, 0429. However, I'm not sure if this list is somehow dynamical. Do I have to include more infotypes?
And as a second question (less important right now): Is it possible to allow infotype access for this report but not for PA20?
Thank you in advance.
06-28-2010 7:03 PM
Hi,
I went through a similar issue in my project.
Now I built a role based on your problem:
Standard HR: Master Data P_ORGIN
Standard HR: Master Data T-ES32004700
Authorization level M, R AUTHC
Infotype 0000-0009, 0011, 0014-0017, 0021, 0026-0027, 0032, 0037, 0041, 0052, 0<...> INFTY
Personnel Area PERSA
Employee Group PERSG
Employee Subgroup PERSK
Subtype SUBTY
Organizational Key VDSK1
Standard HR: Clusters P_PCLX
Standard HR: Clusters T-ES32004700
Authorization level R AUTHC
Area identifier for cluster in CU, RF RELID
Manually HR: Master Data - Personnel Number Check P_PERNR
Manually HR: Master Data - Personnel Number Check T-ES32004700
Authorization level AUTHC
Infotype INFTY
Interpretation of assigned per PSIGN
Subtype SUBTY
Now what you need to do is check to see whether, in all of the roles assigned to employees, the AUTHC and INFTY have similar authorizations.
I would suggest you find out what is common among all the employees before you do this.
You can use table AGR_1251 to take the outputs to Excel and then do a little study on what will be the best options.
If you simply populate the infotype it might result in over- or under-authorization. This needs a lot of mathematical and critical thinking.
In the above role I built for you the user will have authorization to all infotypes.
Hope this helps.
A.Franklin Jayasim
Principal Architect
SAP Security/GRC/IDM
06-29-2010 6:01 AM
Hi Markus,
Whatever Markus has defined in his query, you have framed them using auth objects. I don't find any solution in it.
Best talk with your HR developers. They might provide a solution, or wait for some more time; you might get a solution.
However, I'm not sure if this list is somehow dynamical. Do I have to include more infotypes?
Sit with the user and find out what infotypes are needed,
or
you can add infotypes on a case-to-case review.
Thanks,
Sri
06-29-2010 8:31 AM
Franklin,
thank you for your answer. Based on which criteria did you select the infotypes mentioned in your answer? (By the way, the list is incomplete at the end: <...>)
06-29-2010 4:59 PM
Hi Marcus,
I am Architecting Security for a client here.
I just randomly created a role to test your need, and put in some infotypes to explain that if you put * for (Infotype) your activity will be perfect.
Those infotypes are based on my project here.
What I was trying to say is that you will have to sort, mix and match your infotypes based on the HR business analyst's needs.
Edited by: Franklin Jayasim on Jun 29, 2010 6:00 PM
06-29-2010 11:33 PM
Hi Markus,
The best solution is to go on a case-to-case review.
I know the question is still incomplete.
Be open to strange and varied answers which are not relevant at all.
Thanks,
Sri
06-30-2010 12:33 AM
Hi Marcus,
Let me walk you through the steps of what I did to test your scenario at my client's place.
Build a test role with the transaction (report name) and transaction PC00_M06_CEDT (RPCEDTF0) & PA20:
When we add both these transactions, these two objects will be in the authorization data among all other authorization data:
P_ORGIN
P_PERNR (due to PA20)
If you populate Infotype for P_ORGIN with, let's say, 1000, 1001, 1002 etc.
and for P_PERNR leave infotype as *, in your case I am thinking you will get authorization to all infotypes.
I am doing a similar activity for the HR business analyst. It's a lot of critical thinking here because you have roles for employees with infotypes specified. Probably a discussion over the phone will help. I am going to resolve the similar issue around 11:00 PM MST. If you want I can explain over the phone how I resolved it.
In a real enterprise project, if you have crossed the realization phase, HR teams will not be happy to review/revisit/revise.
I am sure that a little thinking and your available data from roles should do the trick, especially for your scenario.
Cheers
Edited by: Franklin Jayasim on Jun 30, 2010 1:34 AM
06-30-2010 8:54 AM
Just to give you a little more information on the whole thing:
I have different business functions. Each of them gets a functional role (composite role / access for transactions and so on) and a competence role (with authorizations for infotypes based on their needs). The competence roles are derived from a mother role. The assignment of organizational keys is done in the derived role.
Now there's a new requirement: Four of the functions should receive access to PC00_M06_CEDT. Therefore I created a new functional role with the authorization objects mentioned in my first post except for P_ORGIN / P_PCLX.
As a next step I've assigned the functional role to the composite role of the business functions that should get access to this transaction. I then picked one of them and assigned it to a test user for which I activated the system trace. Finally I've executed the transaction and added all the infotypes requested to the competence role of this business function (as shown in ST01).
My initial expectation was to get an answer like: "Yes, the list of infotypes is dynamical and it's based on ...". However, I think that I can't get this answer so I'll try to go with what I have so far and see if it's working for all cases of payslips.
It would be really helpful to have infotype access authorizations based on the report :-).
Thank you for your help.
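The comparison discussed in this thread (the AGR_1251 export suggested above, checked against the ST01 infotype list from the first post), written out as an added example that is not from any of the posters. The CSV extract, role names and AUTH ids are constructed, and treating only R or * in AUTHC as read access is a simplifying assumption.

```python
import csv
import io
from collections import defaultdict

# Infotypes the ST01 trace showed for RPCEDTF0 (list from the first post).
TRACED = ("0000 0001 0002 0006 0007 0008 0016 0032 "
          "0041 0064 0128 0217 0272 0429").split()

# Constructed AGR_1251 extract; role names and AUTH ids are made up.
SAMPLE = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_COMP_A,P_ORGIN,AUTH01,AUTHC,R,
Z_COMP_A,P_ORGIN,AUTH01,INFTY,0000,0009
Z_COMP_A,P_ORGIN,AUTH01,INFTY,0016,
Z_COMP_A,P_ORGIN,AUTH01,INFTY,0032,
Z_COMP_A,P_ORGIN,AUTH02,AUTHC,M,
Z_COMP_A,P_ORGIN,AUTH02,INFTY,0041,
Z_COMP_B,P_ORGIN,AUTH01,AUTHC,*,
Z_COMP_B,P_ORGIN,AUTH01,INFTY,*,
"""

def matches(low, high, value):
    """True if one LOW/HIGH row covers value ('*', 'ab*', range, single)."""
    low, high = low.strip(), high.strip()
    if low.endswith("*"):
        return value.startswith(low[:-1])
    if high:
        return low <= value <= high
    return low == value

def audit(export_text, traced=TRACED, level="R"):
    """Per role: traced infotypes without read access, and wildcard INFTY use."""
    auths = defaultdict(lambda: defaultdict(list))  # (role, auth) -> field -> rows
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] == "P_ORGIN":
            key = (row["AGR_NAME"], row["AUTH"])
            auths[key][row["FIELD"]].append((row["LOW"], row["HIGH"] or ""))
    result = defaultdict(lambda: {"missing": set(traced), "wildcard": False})
    for (role, _auth), fields in auths.items():
        entry = result[role]
        entry["wildcard"] |= any(lo.strip() == "*" for lo, _ in fields["INFTY"])
        # AUTHC and INFTY only count together inside the same authorization.
        # Assumption: only a literal R or * grants the read level checked here.
        if not any(matches(lo, hi, level) for lo, hi in fields["AUTHC"]):
            continue
        entry["missing"] -= {i for i in traced
                             if any(matches(lo, hi, i) for lo, hi in fields["INFTY"])}
    return {role: {"missing": sorted(e["missing"]), "wildcard": e["wildcard"]}
            for role, e in result.items()}
```

Calling `audit()` on a real export shows, per competence role, which traced infotypes are still missing (under-authorization) and which roles carry `*` in INFTY (over-authorization).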