Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

HR Security on specific additional infotype fields

Former Member

‎03-07-2011 10:30 AM

0 Kudos

Hello,

We have a scenario where we are supposed to restrict HR security on the listed 8 fields (BU Code, Sub BU Code, Location Code, CTP, Actions for Compensation, Bands for Compensation, Actions for Non Compensation, Bands for Non Compensation)

Whenever a HR user tried to view the data of another user through PA30 or any other similar transaction code these 8 fields should be checked before displaying any data.

If we try to follow Master Derived approach by making all the 8 fields as organizational level fields we will end up in making multiple single roles as the permutation and combination of these 8 fields are quite high.

is there any standard sap practice to implement such scenario.

Edited by: Julius Bussche on Mar 7, 2011 2:05 PM

Please use meaningful subject titles

5 REPLIES 5

jurjen_heeck
Active Contributor

‎03-07-2011 10:40 AM

0 Kudos 
If we try to follow Master Derived approach by making all the 8 fields as organizational level fields we will end up in making multiple single roles as the permutation and combination of these 8 fields are quite high.

Ik think you are heading for a fall here. Are you sure all possible combinations are needed? If not, why build roles that will never be used?

Former Member
In response to jurjen_heeck

‎03-07-2011 10:46 AM

0 Kudos

Yes we have a discussion with business team and per them all the eight fields are required.also access requirement for users are different so we dont have the option to ignore the combinations that really exists.

Former Member

‎03-07-2011 12:59 PM

0 Kudos 
Whenever a HR user tried to view the data of another user through PA30 or any other similar transaction code these 8 fields should be checked before displaying any data.

I am wondering how do you plan to put the authority checks on the 8 fields in programs of PA30, etc. Implementing BAPIs or user exits could be one of the approaches but considering the complexity of HR programs and usage of logical databases, I am not too sure on the feasibility.

Is it access to any specific infotype data for which these fields are required to be checked for users? Can you ellaborate it a little bit to help me understand the scenerio accurately.

You may also want to try utilizing field organizational key (Combination of Personnel area and Cost Centre) to restrict user's access via object P_ORGIN (CON) if those eight parameters (BU Code, Sub BU Code, Location Code, CTP, Actions for Compensation, Bands for Compensation, Actions for Non Compensation, Bands for Non Compensation) are specific to company codes or personnel areas or cost centers, etc.

Thanks

Sandipan

Former Member

‎03-07-2011 11:16 PM

0 Kudos

Hi,

I see only one possibility here. Adding all those fields as custom fields to infotype 0001 and then either using organizational key (configure in SPRO -> Reference IMG -> Personnell Management -> Personnel Administration -> Organizational Data -> Organizational Assignment -> Set up organizational key) or activating customer object (OOAC: AUTSW NNNNN - see [help.sap.com|http://help.sap.com/saphelp_erp2004/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/frameset.htm])

That is not an easy request to accommodate so good luck!

Cheers,

Saku

Former Member
In response to Former Member

‎03-08-2011 7:24 AM

0 Kudos

> I see only one possibility here. Adding all those fields as custom fields to infotype 0001 and then either using organizational key (configure in SPRO -> Reference IMG -> Personnell Management -> Personnel Administration -> Organizational Data -> Organizational Assignment -> Set up organizational key) or activating customer object (OOAC: AUTSW NNNNN - see [help.sap.com|http://help.sap.com/saphelp_erp2004/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/frameset.htm])

> That is not an easy request to accommodate so good luck!

Thanks Saku for your response. Let me explain the scenario to you.

As per the client requirement 8 custom fields were created and maintained in IT0001 as suggested by you. A custom Infotype IT9234 is also created and maintained only for HR users which will contain the information of all the permutation & combinations of 8 fields(as mentioned by Suman in the initial post) for which HR users should be authorized.

Now HR Users need to be restricted to view/change the data of emplyee for the values maintained in IT9234. I assume that the solution mentioned by you with reference to create Org key could be one solution. Can you elaborate further on activating customer object part.

Note: As per business requirement all 8 fields should be checked before authorizing any HR user to view the employee data.

Business is currently developing a custom ehancement spot to be called by both standard & custom reports to apply a check on values maintained in IT9234 before authorizing HR users to view/change employee data. Doesnt seem to me as a good solution though as restriction is applied on reports rather than users.

Your sugegstions and comments will be appreciated.

Thank you.

Anjan Pandey