SAP HR Security: restrict access for HR personnel

Former Member
0 Kudos

Hello, I have a requirement where HR staff should have access to update all infotypes except on their own master data record. In other words, one cannot change/maintain their own data. They can continue to have display access though. I was hoping there was something within auth object P_ORGIN, but no such luck. If you have come across a similar requirement, please advise.

1 ACCEPTED SOLUTION

sreekanth_sunkara
Active Participant
0 Kudos

Hi,

Use P_PERNR in addition to P_ORGIN and maintain IT0105 Subtype 0001 for this to work.

Thanks,

SS

Edited by: sun on Sep 9, 2010 3:32 PM

7 REPLIES 7

Former Member
0 Kudos

Use auth object P_ORGIN together with P_PERNR.

Look at the SAP example below: I is for own data, E is for all others except the administrator's own data.

1. A personnel administrator, who processes the basic pay for all employees, should be able to display, but not maintain his or her own pay. For the HR: Master data - Personnel number check object (P_PERNR), you assign an authorization with the following specifications:

Authorization level: W,S,D,E

Interpretation of assignment

User - personnel number E

Infotype: 0008

Subtype: *

0 Kudos

Hi, it's me again. The solutions provided work for the most part, however I am still able to 'create' on my own master data record. I cannot change any infotypes and I can display all infotypes which is what I want. We have PA30 and PA40 contained in the same security role so auth object P_PERNR should apply for both tcodes shouldn't it? Can somebody please advise on what should be added/removed? I'm using the following for P_PERNR:

Auth level: D, E, S, W

Infotype: *

PSIGN: E

Subtype: *

Thanks so much!

0 Kudos

Check if multiple entries of P_PERNR and P_ORGIN are in; post the values of each of those objects to evaluate.

Regards

0 Kudos

You can use SU56 transaction to check the buffered authorisation per user/authorisation object. Check all P_PERNR objects of the test user.

I would try following P_PERNR settings:

Auth level: R, M

Infotype: *

PSIGN: I

Subtype: *

Auth level: D, E, S, W

Infotype: *

PSIGN: E

Subtype: *

Quite often P_ORGIN and P_PERNR require at least one object with Auth. level R. A good rule for remembering how PSIGN works is to think that 'I' means include and 'E' means exclude. So with I you include read access to all infotypes, and with E you exclude all write options to all infotypes. Level M means that search helps have access to data (for example, if you want to give access to search for an employee number by the employee's last name but you don't want to give access to read Personal Data, you can give M access only to infotype 0002).

Also make sure that the PERNR authorisation switch (tcode: OOAC) has been switched on.

Hope this helps.

Saku
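To make the include/exclude rule in the reply above concrete, here is an added Python model of how the two P_PERNR entries interact with P_ORGIN for a user's own record versus other employees' records. It is an illustration written for this thread, not SAP's authorization code; the precedence it assumes (an 'E' entry excludes the listed levels on the user's own record, an 'I' entry includes them, anything else falls back to P_ORGIN, and other records are governed by P_ORGIN alone) is a simplification of the semantics the thread describes, and the personnel numbers and role contents are constructed sample data.

```python
from dataclasses import dataclass

# Simplified model (assumption, see lead-in): P_PERNR only has an opinion on the
# user's own personnel number; 'E' excludes the listed levels there, 'I' includes
# them, and levels covered by neither fall back to the ordinary P_ORGIN check.

@dataclass(frozen=True)
class PPernr:
    levels: frozenset      # AUTHC values: R, M, W, S, D, E
    psign: str             # 'I' = include own record, 'E' = exclude own record
    infty: str = "*"
    subty: str = "*"

@dataclass(frozen=True)
class POrgin:
    levels: frozenset      # authorization levels granted for the org. area
    infty: str = "*"

def _matches(pattern, value):
    return pattern == "*" or pattern == value

def authorized(user_pernr, target_pernr, infty, level, orgin, pernr_auths):
    """Return True if `level` on infotype `infty` of `target_pernr` is allowed."""
    orgin_ok = any(level in a.levels and _matches(a.infty, infty) for a in orgin)
    if target_pernr != user_pernr:
        return orgin_ok                 # someone else's record: P_ORGIN decides
    own = [a for a in pernr_auths if level in a.levels and _matches(a.infty, infty)]
    if any(a.psign == "E" for a in own):
        return False                    # explicitly excluded from own record
    if any(a.psign == "I" for a in own):
        return True                     # explicitly included for own record
    return orgin_ok                     # no P_PERNR entry covers it: P_ORGIN decides

# Constructed sample role: full P_ORGIN access plus the two P_PERNR entries
# suggested in the reply above (R,M with PSIGN I; D,E,S,W with PSIGN E).
ORGIN = [POrgin(frozenset("RMWSDE"))]
SAKU = [PPernr(frozenset("RM"), "I"), PPernr(frozenset("DESW"), "E")]

def own_can_display(auths):
    return authorized("1001", "1001", "0008", "R", ORGIN, auths)

def own_can_write(auths):
    return authorized("1001", "1001", "0008", "W", ORGIN, auths)

def other_can_write(auths):
    return authorized("1001", "2002", "0008", "W", ORGIN, auths)

if __name__ == "__main__":
    print("own display:", own_can_display(SAKU))   # True
    print("own write:  ", own_can_write(SAKU))     # False
    print("other write:", other_can_write(SAKU))   # True
```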

0 Kudos

Hi,

As I told you before, did you link P_PERNR to the user ID in IT0105 Subtype 0001 or table V_T513A? If you don't maintain this, then your restriction in P_PERNR won't work.

Thanks,

SS

0 Kudos

Thanks to all. The settings that Saku provided in his post for P_PERNR are what worked for me.