Restrict access to transaction PA20 via transaction OAAD

former_member188032
Participant
0 Kudos

Our FI link resolvers use transactions OAAD and OAM1 to delete links, correct barcodes, etc. They are able to get to transaction PA20 through both of these transactions and therefore see confidential HR information in the various infotypes. How do we restrict their access so that they can't get to transaction PA20? We have looked at authorization object S_WFAR_OBJ and not allowing access to object type 'PREL', but that has not resolved the issue.

Accepted Solutions (0)

Answers (5)

0 Kudos

I am having issues regarding my access to infotypes from PA20 and PA30.

Once a personnel number is entered in either PA20 or PA30, the infotypes are not displayed.

Do you have any idea why this is happening to my access?

former_member188032
Participant
0 Kudos

Jaycee,

I am not a Security person, but my guess is that you have some missing authorizations. Have your Security people do a trace for you and have them check your authorizations.

former_member188032
Participant
0 Kudos

Authorization object S_WFAR_OBJ has been configured for the FI link resolver so that she only has access to specific object types (not including PREL). As a further precaution, we have also limited access to specific document types (not including any HR document types). If she tries to access PREL objects (she has to enter an employee number in the key field entry popup screen and press Enter), she gets stopped. However, if she selects the 'display object/business object' button in the key field entry popup screen, she is taken directly to transaction PA20.

She is still able to get to transaction PA20 through transaction OAM1. We also applied SAP NOTE 1289290. This corrects a problem where the user could enter any transaction in the OK Code field and go directly to that transaction with no authorization checks. However, we have not been able to stop her from pulling up PREL entries in the Internal Barcodes functionality and then getting to PA20.

Any advice on what else needs to be done to stop the PA20 access would be greatly appreciated.

former_member188032
Participant
0 Kudos

Abhishek,

The FI user does not have authorization for transaction PA20 in any of her roles or authorization objects. Although we are concerned that she can view scanned confidential images, our bigger concern is that she can launch transaction PA20 via OAAD and then go to any of the infotypes and view any confidential data stored in the infotype itself. If access to PA20 is restricted, then she will not be able to view HR attachments since she won't be able to get to the infotypes to start with. We are not sure why SAP is not enforcing the authorization check for transaction PA20 via the OAAD path.

Kiran,

Our Security group is looking at authorization object S_WFAR_OBJ to see if they can restrict her access to specific object types (not PREL) and document types. Part of the problem is that the user has more than one role with authorization object S_WFAR_OBJ and the authorization object has different values in each role. I'm not sure how the system evaluates the same authorization object when it is assigned multiple times because of several roles.
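On the question of how the same authorization object is evaluated when it comes from several roles: the system collects every authorization for S_WFAR_OBJ from all of the user's roles, and a check passes if any single one of those authorizations covers all the fields being checked (fields are ANDed inside one authorization, authorizations are ORed across roles). The most permissive role therefore decides, and tightening S_WFAR_OBJ in one role does nothing while another role still grants OAOBJEKTE = '*'. The following Python model is an added example written for this page; it is not SAP code and was not posted in the thread. The S_WFAR_OBJ field names (ACTVT, OAARCHIV, OAOBJEKTE, OADOKUMENT) and the S_TCODE field TCD are the standard ones; every role name, content repository, object type and document type value in it is constructed for illustration.

```python
"""Added model (not SAP code, not from this thread) of how one authorization
object is evaluated when it appears in several of a user's roles.
S_WFAR_OBJ field names (ACTVT, OAARCHIV, OAOBJEKTE, OADOKUMENT) and the
S_TCODE field TCD are the standard ones; all role names, repository,
object type and document type values below are constructed."""

# A role maps an authorization object to a list of authorizations; each
# authorization maps a field to the list of values it grants.
# '*' grants every value and a trailing '*' is a generic (prefix) value,
# as maintained in PFCG.  From/to ranges are not modelled.
USER_ROLES = {
    # The intended role for the FI link resolver: FI object types only.
    "Z_FI_LINK_RESOLVER": {
        "S_TCODE": [{"TCD": ["OAAD", "OAM1"]}],
        "S_WFAR_OBJ": [{
            "ACTVT": ["03", "06"],             # display, delete
            "OAARCHIV": ["*"],
            "OAOBJEKTE": ["BKPF", "BUS2081"],  # FI documents / invoices only
            "OADOKUMENT": ["ZFIINVOICE"],      # constructed FI document type
        }],
    },
    # A leftover role that still carries a wide-open S_WFAR_OBJ (constructed).
    "Z_OLD_DISPLAY_ALL": {
        "S_WFAR_OBJ": [{
            "ACTVT": ["03"],
            "OAARCHIV": ["*"],
            "OAOBJEKTE": ["*"],
            "OADOKUMENT": ["*"],
        }],
    },
}


def value_allowed(allowed_values, required):
    """True if one granted value covers the single required value."""
    for pattern in allowed_values:
        if pattern == "*" or pattern == required:
            return True
        if pattern.endswith("*") and required.startswith(pattern[:-1]):
            return True
    return False


def authority_check(user_roles, obj, required):
    """Model of AUTHORITY-CHECK OBJECT obj: every authorization for obj from
    every role is examined; the check passes as soon as one authorization
    covers all required fields (AND inside an authorization, OR across
    authorizations and roles).  Returns (passed, name of the granting role)."""
    for role_name, role in user_roles.items():
        for auth in role.get(obj, []):
            if all(value_allowed(auth.get(field, []), value)
                   for field, value in required.items()):
                return True, role_name
    return False, None


def effective_values(user_roles, obj, field):
    """Union of every value granted for one field across all roles; this is
    the view a review of S_WFAR_OBJ needs, not each role in isolation."""
    values = set()
    for role in user_roles.values():
        for auth in role.get(obj, []):
            values.update(auth.get(field, []))
    return sorted(values)


# Constructed check for displaying an HR (PREL) object.
PREL_DISPLAY = {"ACTVT": "03", "OAARCHIV": "A1",
                "OAOBJEKTE": "PREL", "OADOKUMENT": "ZHRDOC"}

if __name__ == "__main__":
    # No role grants PA20 in S_TCODE, matching what the thread states.
    print("S_TCODE PA20:", authority_check(USER_ROLES, "S_TCODE", {"TCD": "PA20"}))
    # The restrictive S_WFAR_OBJ in Z_FI_LINK_RESOLVER changes nothing while
    # Z_OLD_DISPLAY_ALL still grants OAOBJEKTE = '*'.
    print("S_WFAR_OBJ PREL:", authority_check(USER_ROLES, "S_WFAR_OBJ", PREL_DISPLAY))
    print("granted OAOBJEKTE:", effective_values(USER_ROLES, "S_WFAR_OBJ", "OAOBJEKTE"))
    # Removing the wide-open role is what makes the PREL display check fail.
    fi_only = {"Z_FI_LINK_RESOLVER": USER_ROLES["Z_FI_LINK_RESOLVER"]}
    print("after removing Z_OLD_DISPLAY_ALL:",
          authority_check(fi_only, "S_WFAR_OBJ", PREL_DISPLAY))
```

The model only covers how granted values are evaluated once a check is issued; whether a check is issued at all on the OAAD or OAM1 path into PA20 is a separate matter and is not modelled. What it does show is why a role-by-role review can mislead: the union of OAOBJEKTE values across all of the user's roles is what matters, and a '*' or 'PREL' anywhere in that union keeps the check passing.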

Former Member
0 Kudos

Joyce,

In SAP, even though you may restrict PA20, it bypasses the authorization check when you are navigating from another tcode for the documents. I had faced a similar problem: if you go from the initial screen, the authorization will work fine, but if you are trying to navigate the link from another tcode, the authorizations are bypassed. So it is recommended that you create a separate role for the user with the necessary tcodes and auth objects and remove all the existing ones in this case. Or raise a support message to SAP.

Kiran

Former Member
0 Kudos

Hi,

You can try a different approach: create a transaction variant for OAAD using the t-code SHD0 and in that disable all the options from which a user can navigate to PA20. Once done, assign this variant transaction for OAAD to all such users and remove the access for the original OAAD transaction.

To learn how to create a variant transaction, follow the links below:

http://www.saptechnical.com/Tutorials/ABAP/TransactionVariant/Create.htm

http://wiki.sdn.sap.com/wiki/display/Snippets/TransactionVariant-AStepbyStepGuidefor+Creation

This should solve your problem.

Regards

Abhishek Aynipully

Former Member
0 Kudos

Hi,

Apart from the tcode, check if the user has object class HR assigned in any role, and if any role or profile allows the user to access PA20. Even if the user is able to access PA20, you can disable all auth. objects under the HR class so the user cannot view the details. Inform your basis admin.

Kiran

Former Member
0 Kudos

Hi,

Just ensure that these users don't have PA20 mentioned in the Authorization object S_TCODE on any of the roles assigned to their user id.

Regards

Abhishek