Qualifications in PA20

Former Member · ‎12-20-2010

Hiu2026

At my client access to Qualifications in PA20 is suppose to be restricted with structural authorizations, but users are still able to see qualifications for a person beyond end date.

The user can see qualifications with start date 01.12.2010, which he is not suppose to. The user can correctly not see similar new bank data from 01.12.2010.

Via an authorization profile the user only has access to this particular person for object type P has an end date 30.04.2010. Does it have to be object type Q?

I have testes with and without PLOG (OTYPE=Q) and P_ORGINCON (AUTHC=W, INFTY=0024), but it applies to all the users, also within the structural authorizations.

Regards

vitofava

Former Member · ‎12-20-2010

but users are still able to see qualifications for a person beyond end date

As I understand, you want the authorization of users to be restricted via validity period of the structure (qualification in your case). In that case, you can specify the "period" for the Auth profiles via OOSP tcode.

For example, if you select D in "Period" field, the authorization is limited to Structures valid on current day, P would limit authorization for Past data only or structures which were valid in the past (i.e < Current date) and F would restrict access to Present and Future data only (i.e >= Current date). A blank in "Period" field gives authorization to user to access all data (PastCurrentFuture validity of structures).

Hope this helps!

Sandipan

Former Member · ‎12-20-2010

No..... I don't think this is it. By "end date" I mean the date for which the person is assigned to the manager (user). Once the person is moved to another manager, the first manager is not suppose to see the new qualifications.

/vitofava

Former Member · ‎12-20-2010

Once the person is moved to another manager, the first manager is not suppose to see the new qualifications.

Did you check if the first manager has any direct or dotted line relationship to the user's new manager's organizational unit?..I mean say previous manager belongs to ORG unit A, and new manager of user belongs to ORG B and if B reports to A then previous manager would automatically have access to see users qualification even when he has moved to a new manager. You can view the Org hierarchy and relationships via PPOSE.

Also make sure you run reports RSBAUS02 and RSBAUS00 for the manager so as to regenerate the structural buffering in INDX table.

Let me know if that solves the issue. thanks

Sandipan

Former Member · ‎12-21-2010

Hello,

A few steps that you can replicate to troubleshoot.

1. Execute report RHAUTH01 for the manager to check if he still has access to the old employee. If the personnel number still shows up in the report output, you can understand that some combination of structural authorizations is still giving access to the old employee.

2. Can the manager access only IT 0024 or to other infotypes as well?If its just IT 0024 and not other infotypes chck the value of the "Access Auth" field for IT 0024 in view V_T582A. This needs to be checked for the system to evaluate time logic to determine period of responsibilty for access to the infotypes

3. If the manager can still access the person, we come to the problem of sorting out why the manager still has access to the old report. There might be a number of causes for the access.

Firstly check, the value of AUTSW-ADAYS parameter in transaction OOAC. This gives the tolerance time for days, when an old administrator can still access the old report.

In case this value also doesn't give access to the person, you need to look at the definition of the PD profiles assigned to the manager. You can us transaction OOSB for profile assignment and OOSP for profile definition.

Hope this helps!

Regards,

Aninda