Hi,

Since P_ORGIN is not activated in your system, the user either would have or would not have access to data under thier own personnel number only based on values of field PSIGN in object P_PERNR.

For all other personnel numbers P_ORGIN(CON) is required. So in case you want users to access data under other personnel number except his own, check for P_ORGIN (or P_ORGINCON in case if context based structural authorization) has to be activated.

In your case P_PERNR is not working as expected at the first place( according to your earlier post) when you tried testing with your user id. Can you check if the user id you used is attached to a valid personnel number via IT0105 subtyp 0001? Because without that, P_PERNR check won't work as expected.

Thanks

Sandipan

Can you also verify if your id has access to PSIGN=* in object P_PERNR from any role assigned to your id?

Please note value '*' is equivalent to value 'I' and it overrides value

'E' i.e you get access for infotypes maintained under your own personnel number.

Sonali wrote:

I have 'I" instead of "*" in PSOGN in object P_PERNR.

Well then P_PERNR is working as expected, PSIGN=I will show you data stored under your personnel number.

However, your first post on this thread said:

 I created a role with P_PERNR auth object and allowed it access to several Infotypes like address 0006 and allowed it to have Interpretation to be "E" and assigned it to my user id. I thought if I run a simple report which basically looks up data like address, I will not be able to view my own data but can see other's addresses. But that did not happen, I could see everyone's addresses including mine

So you don't really have PSIGN= E in roles assigned to your user ID. Am I right?

Then I thought if I cahnge PSIGN to be "E", may be I can view only others data, but I can view everone's data.

If its the same role in which you changed the PSIGN value (I suspect you did that instantaneously during testing) from I to E, did you run user comparison on that role or reset the buffer of your user id with SU56 or by simply logging off and logging back again?

Can you please double check? There is a possibility that user's buffer still contained the value PSIGN=I when you were expecting it to exclude your personnel number.

Thanks

Sandipan

Thanks for confirming:) I suspect your custom code doesnot has any authority check defined for P_PERNR or even if it does the logic has used the values of P_PERNR incorrectly.

My 2 cents

Sandipan

Hi Julius,

Thanks for your reply and feedback. So here is real question and I will make sure to ask the detailed question next time the first time.

In our HR system, we mostly used standard SAP transactions and had no issues with data security. But recently we implemented Web services and custom function modules. Unfortunately there is no authorization object being checked when the function modules were written by developers. Hence we found out that the users can access the data that they should not.

What is the best approach in this case ? Should we ask the developers to perform authorization checks in their code and rewrite all the code ? Is there any way as security admins we can still restrict the access to the data even if the developers do not check the authorization object in their code ?

Some of the code is already in Production and your answer will be very helpful.

Thanks,

Sonali