For me this sounds like you need structural authorisations. Normally MSS user has lot of read access to all employees under him/her in the org. structure. If same user gets access to PA20/PA30 in the backend you need to restrict the read access still to the group of employees under the MSS user. This is where structural authorisations come in place. With them you can specify which employees from organisational structure you should be able to view. Then you can use P_ORGINCON authorisation object to say which infotype access you want to give for with organisational part.

Quick run through for steps would be following (please google more):

1. Set authorisation switches for Structural authorisations and Context solution on - Tcode OOAC

- AUTSW-INCON =1

- AUTSW-ORGPD = 1

2. Create structural profile for Manager - Tcode OOSP

- Create Auth. profile (for example ZMSS)

- Maintain profile parameters something like this: ZMSS | 1 | 01 | O | | X | O-S-P | 12 | | | P | RH_GET_MANAGER_ASSIGNMENT

3. Assign structural profile to you test user - Tcode OOSB

- Assign structural profile ZMSS to your user with valid dates

- Assign also structural profile ALL to you user also to test PA20 access in context

4. Amend your MSS role to include P_ORGINCON object - PFCG

- Add object P_ORGINCON and copy all values what you have currently in P_ORGIN for MSS role

- To the new field PROFL add ZMSS

5. Add another P_ORGINCON object to the role to work with PA20

- First make sure your user has access to PA20

- Copy the P_ORGINCON you created earlier but change PROFL to all and infotypes to 0001 and 0002 only.

6. Now you user should be able to view same information about his/her own employees as he can see in MSS right now and only infotype 0001 and 0002 for all other employees.