08-12-2011 5:46 PM
Hi,
Our users have Time Entry access (by cost centre). We are finding that even though they do not have access to tcode CAT2_ISCR, they are still able to modify time entry history (which they should not be able to do) by using tcode CATS_DA, which launches the CAT2_ISCR transaction if you highlight a row where the time is for a date in the past and edit. Unfortunately I'm not very familiar with HR security (infotypes etc.), so I'm wondering if someone can point me in the right direction to figure out how to restrict access to CAT2_ISCR through the CATS_DA tcode, or if it even has anything to do with the infotypes?
As always, I appreciate the help.
Thanks,
Sharon
08-12-2011 7:34 PM
Hi Sharon,
CAT2_ISCR transaction code access is not required to execute CATS_DA. I just tested this in my sandbox and yes, it is calling CAT2_ISCR when any row is selected.
My recommendation would be:
1. To make sure that the CAT2_ISCR tcode doesn't exist in any other role.
2. To set authorization object P_CATSXT to check/maintain in SU24 and give only activity 03, to restrict it to display.
This should restrict the users from editing the time sheets.
Regards,
Raghu
08-12-2011 8:19 PM
Thanks for the quick reply Raghu. I'll try this out on Monday and let you know how I make out.
08-16-2011 8:37 PM
Hi Raghu,
1.) CAT2_ISCR does not exist on the Menu in any role... however it does exist in some roles (project roles) in S_TCODE auth object.
2.) Auth object P_CATSXT does not exist in any role currently. Should I be adding this to the CATS_DA tcode in SU24 - so that anyone with access to this transaction is only allowed to display the history? If that is the case, am I still able then to add the CATS_ISCR tcode to another role to make sure the Payroll Manager has access to modify time entry history?
08-17-2011 10:48 AM
Hi Sharon,
Auth object P_CATSXT does not exist in any role currently. Should I be adding this to the CATS_DA tcode in SU24 - so that anyone with access to this transaction is only allowed to display the history?
As mentioned earlier, the authorization object P_CATSXT should be changed to check/maintain in SU24 and maintained with only activity 03 to restrict it to display.
If that is the case, am I still able then to add the CATS_ISCR tcode to another role to make sure the Payroll Manager has access to modify time entry history?
Yes. In the other role that has the CATS_ISCR transaction code, you need to give authorization for the other activities too in the authorization object P_CATSXT.
The supported activities are:
01 - Add (currently not used)
02 - Change (edit or copy data from the history)
03 - Display (reporting evaluations)
06 - Delete (delete data from history)
71 - Evaluate (currently not used)
Best Regards,
Raghu
12-19-2012 3:29 PM
I was able to restrict all from using CAT2_ISCR via CATS_DA using SE97. In SE97 I changed the check ind to YES, and this stopped all from running CATS_DA, selecting a line and selecting the change data icon. All received the message “you are not authorised to use CAT2_ISC”.
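Added example, not part of the thread and not SAP code: a small audit over a role export to find which roles can start CAT2_ISCR directly or hold more than display (03) on P_CATSXT, including wildcard and range values, which goes beyond the exact-match case discussed above. It assumes the export uses the AGR_1251 column layout and that the activity field of P_CATSXT is named ACTVT; the role names and sample rows are constructed.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample rows in the column layout of table AGR_1251 (role name,
# authorization object, field, LOW/HIGH value). Role names are hypothetical.
SAMPLE = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_TIME_ENTRY,S_TCODE,TCD,CATS_DA,
Z_TIME_ENTRY,P_CATSXT,ACTVT,03,
Z_PROJECT,S_TCODE,TCD,CAT2*,
Z_PROJECT_OLD,S_TCODE,TCD,CAT2,CAT3
Z_PAYROLL_MGR,S_TCODE,TCD,CAT2_ISCR,
Z_PAYROLL_MGR,P_CATSXT,ACTVT,02,
Z_WIDE,P_CATSXT,ACTVT,*,
"""

ACTIVITIES = ("01", "02", "03", "06", "71")  # activities listed in the thread

def covers(low, high, value):
    """True if one authorization value (single, '*' pattern or LOW..HIGH range)
    includes `value`. Ranges use plain ASCII string ordering here."""
    if high:
        return low <= value <= high
    return fnmatchcase(value, low)

def audit(rows, tcode="CAT2_ISCR", display_only=("03",), approved=()):
    """Return (role, object, detail) for every role outside `approved` that can
    start `tcode` directly or holds more than display on P_CATSXT."""
    findings = []
    for r in rows:
        role, obj, field = r["AGR_NAME"], r["OBJECT"], r["FIELD"]
        low, high = r["LOW"].strip(), r["HIGH"].strip()
        if role in approved:
            continue
        if (obj, field) == ("S_TCODE", "TCD") and covers(low, high, tcode):
            findings.append((role, obj, f"{low}-{high}" if high else low))
        elif (obj, field) == ("P_CATSXT", "ACTVT"):  # ACTVT name is assumed
            extra = [a for a in ACTIVITIES
                     if a not in display_only and covers(low, high, a)]
            if extra:
                findings.append((role, obj, ",".join(extra)))
    return findings

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    for finding in audit(load(SAMPLE), approved=("Z_PAYROLL_MGR",)):
        print(*finding)
```

Roles passed in `approved` (here the hypothetical payroll manager role) are skipped, so the output lists only the unexpected grants.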