09-21-2011 8:50 AM
Experts...
We have a scenario where we have to provide authorization to an HR ADMIN, so that he/she can view all the details of all employees that exist in the company except the view access of BASIC PAY (0008) for a few higher positions.
HR Admin should view & perform actions on other details of those higher positions.
Any suggestions on how we can achieve this security requirement?
<removed by moderator>
Thanks in advance
Indu
Edited by: Julius Bussche on Oct 13, 2011 7:03 PM
Please read the forum rules about "asap" and using meaningful subject titles...
Also you must perform a basic search yourself before launching a question...
09-21-2011 10:36 AM
Hi Indu,
You have a concept in HR called structural authorization, using which you can restrict the authorization to InfoType 0008. However, you need to have the organization structure defined to restrict access at a specific level. How well is your organization structure maintained?
Regards,
Raghu
09-21-2011 2:57 PM
Hi Raghu
If we already have structural authorization, then how would it help us to restrict only a few employees' data?
The scenario is:
There is one team that should be able to
1. View all employees' data including Sr Management
2. But should view only a few infotypes' data such as IT0008 (Basic Pay) of a few people, not Sr Management data
A combination of general authorizations and structural authorizations can restrict any HR data in the roles in such a way that they are able to see the few employees who are allowed using PD profiles.
But the same roles are to be restricted to give a view of some employees' data but not of a few employees
How?
Edited by: Hari Krishna Prasad kantipudi on Sep 21, 2011 3:57 PM
09-22-2011 12:24 AM
I can see two options:
1. Playing around with General Authorisations
Does senior management have anything in infotype 0001 which could be used to differentiate them from others? If senior management has its own employee subgroup it would be easy to do even using the P_ORGIN object. However I assume that is not the case? Another option would be to somehow use the organisational key field or administrator fields and the P_ORGXX object. If there is a field in infotype 0001 that differentiates senior management from others but it is not used in either P_ORGIN or P_ORGXX, then it is possible to create the [customer-specific object|http://help.sap.com/erp2005_ehp_02/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/frameset.htm]
2. Context solution
The context solution allows linking general authorisations to structural authorisations. P_ORGIN will become P_ORGINCON etc. The new field PROFL will link the infotype access to a specific structural authorisation. This option requires a little bit more planning but it's worth the effort. More about the Context Solution in [help.sap.com|http://help.sap.com/erp2005_ehp_02/helpdata/en/7f/1a7d3c8015d10ee10000000a11405a/frameset.htm]
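The difference between the two options above, as an added example that is not part of the original post and is not SAP code: a simplified Python model of how a P_ORGIN-style check (general and structural evaluated separately) compares with a P_ORGINCON-style check (PROFL ties each infotype authorization to one structural profile). The profile names, personnel numbers and function names are constructed for illustration.

```python
# Simplified model of the authorization logic, not SAP code.
# Profile names and personnel numbers are constructed sample data.
from dataclasses import dataclass

# Structural profiles: profile name -> personnel numbers reachable through it.
STRUCT_PROFILES = {
    "ALL_EMP": {"1001", "1002", "9001", "9002"},  # whole org structure
    "NON_SENIOR": {"1001", "1002"},               # excludes senior management
}

@dataclass(frozen=True)
class Auth:
    infty: tuple  # inclusive (low, high) infotype ranges
    authc: str    # "R" read, "W" write, "*" any level
    profl: str    # structural profile this authorization is tied to

# HR admin: every infotype except 0008 for everyone, 0008 only for non-senior.
HR_ADMIN = [
    Auth(infty=(("0000", "0007"), ("0009", "9999")), authc="*", profl="ALL_EMP"),
    Auth(infty=(("0008", "0008"),), authc="*", profl="NON_SENIOR"),
]

def _general_ok(auth, infty, authc):
    """Infotype and authorization level match, ignoring the person."""
    in_range = any(lo <= infty <= hi for lo, hi in auth.infty)
    return in_range and auth.authc in ("*", authc)

def check_without_context(auths, infty, authc, pernr):
    """General and structural checks are evaluated independently, so any
    infotype authorization combines with any assigned structural profile."""
    general = any(_general_ok(a, infty, authc) for a in auths)
    structural = any(pernr in STRUCT_PROFILES[a.profl] for a in auths)
    return general and structural

def check_with_context(auths, infty, authc, pernr):
    """PROFL binds each infotype authorization to its own structural profile."""
    return any(
        _general_ok(a, infty, authc) and pernr in STRUCT_PROFILES[a.profl]
        for a in auths
    )

if __name__ == "__main__":
    for pernr in ("1001", "9001"):  # 9001 is constructed senior management
        print(pernr, "IT0008 read:",
              "no context =", check_without_context(HR_ADMIN, "0008", "R", pernr),
              "| context =", check_with_context(HR_ADMIN, "0008", "R", pernr))
```

In this model the same two authorizations expose infotype 0008 of senior management when the checks are independent, and withhold it once each authorization is evaluated only against its own structural profile.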
10-13-2011 2:24 PM
Hi
One more easy approach.
1. Assign the personnel administrator for the Higher Management in IT0001
2. Create 2 roles using the object P_ORGXX for the IT0008
-- HR personnel admins could be *
-- for others it could be all personnel admins except the Higher Management administrator
(Structural authorization can be added if you wanted to have only based on OM Structure)
Best Regards
Vikas