on 05-25-2011 3:07 PM
Hi Experts,
We have a requirement to implement structural authorization.
Requirement :
We have two org structure(old and new) within the same plan version (current).
Currently there are roles giving maintenance access to all the OM objects.
Now we have to create a structural profile to give display access to all objects in the new structure except job ; Also, all the maintenance access to old structure should still exist.
1. We still are not sure if the structural profile would work if the current roles are not amended accordingly. Is there any work around.
2. we need to give access to job object. if we restrict maintain access to all other objects is it possible to create relationship between job and position
Please advise
Brinda
Hi
You are right, we need to create two profiles one giving access to existing structure and other other giving display access to the new profile.
Currently the new structure isnt there in production. But would be in prod soon.
I want to know how the structural profile will behave when it is assigned to a role which is already having * access.
Will the * access override this role.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Brinda,
I would strongly advise against putting this second org structure into Production on the same Plan Version as your production org structure. Apart from the structural authorization issues there are other issues that can occur. Plan Versions were created for such uses so you should persuade your client to use the correct method. This will then remove your structural authorization issue in the Production client plus any other issues (Company Codes, Pers Areas/Subreas, EE groups etc).
Best regards,
Luke
Thanks Luke,
We are going to have the new org structure in the same plan version.
Now, my doubt is, 1, what will happen when a general authorization and structural authorization intersects.
2. If I restrict maintain access to all objects except job, can i maintain relationship between job and position.
Also what evaluation path i should use for job.
regards,
brinda
Hi Brinda,
It will be very difficult to get your described authorisations working correctly without different plan versions. Main reason would be that PD structures do not support context solution (PLOG object has also PLOG_CON version but it is not working).
If you would have two different plan versions you might be able to fulfil your requirement even without structural authorisations. You may also endup creating very heavy structural authorisation which will lead to performance issues. There is standard reports to buffer authorisations but drawback is that your users will not have upto date access if changes has happend after buffering.
Regarding your question about structurals and general authorisations intersecting and if you want to give authorisation to only display jobs but allow assigning jobs to positions: you need to give maintain access to jobs in structural profile. Then you have to limit the maintain access using PLOG object in general authorisation to objects C and S and infotype 1001 and subtypes A007 and B007. Display access to everything else.
So it maybe possible to implement the scenario what you said but I would strongly recommend what Luke said in the first place: try to pursue the team to use alternate plan version.
Cheers,
Saku
Hi Brinda,
I hope this isn't in Production! The user of Plan Versions to create your current org structure and in the active plan version (e.g. 01) and then any other structures in another plan version.
I can't see how structual authorizations can work on both structures - maybe you need 2 sets of authorizations, one for each structure. Have you investigated this?
Best regards,
Luke
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
108 | |
12 | |
11 | |
6 | |
5 | |
4 | |
3 | |
3 | |
3 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.