HR related queries

Former Member

Hello Security Experts,

I have a few queries on some HR security topics. Any help is highly appreciated.

If a manager has MSS access is there a SAP standard way or best practice to restrict PA20 access to the people the user manages and not be able to view anyone else in R/3? (MSS uses the A12 relationship to restrict the view access)

Can you help us with a SAP best practice/standard way: if someone is set up with structural authorizations (SA) and they are not in an org they have SA to, how do they get access in ESS to view/edit their own PERNR?

In structural authorizations (OOSB) when we use exclude, what are the steps which are triggered in the background? I mean, what are the tables updated or what fields are flagged for exclude? Does it actually delete the excluded pernrs (orgs) from a table, and if so, what table?

Thanks,

Raghav


Former Member

> If a manager has MSS access is there a SAP standard way or best practice to restrict PA20 access to the people the user manages and not be able to view anyone else in R/3? (MSS uses the A12 relationship to restrict the view access)

You can create a structural profile which has dynamic determination of the start object id. Check the documentation on creating structural authorisations using OOSP and the function module RH_GET_MANAGER_ASSIGNMENT.

Example of OOSP profile could be:

ZMSS | 1 | 01 | O | <blank> | X | O-S-P | 12 | | | P | RH_GET_MANAGER_ASSIGNMENT

This means that the function module RH_GET_MANAGER_ASSIGNMENT will be run to determine the start object id (which is <blank>) for each manager when structural authorisations are determined. This requires that you have maintained the user id and pernr linkage in infotype 0105 subtype 0001.

> Can you help us with a SAP best practice/standard way: if someone is set up with structural authorizations (SA) and they are not in an org they have SA to, how do they get access in ESS to view/edit their own PERNR?

Check the documentation of P_PERNR. If a user id is assigned to a pernr (IT 0105/0001) and I am accessing that pernr with that user id (my own data), authorisation checks are done against object P_PERNR (not P_ORGIN or P_ORGXX).

> In structural authorizations (OOSB) when we use exclude, what are the steps which are triggered in the background? I mean, what are the tables updated or what fields are flagged for exclude? Does it actually delete the excluded pernrs (orgs) from a table, and if so, what table?

Structural authorisations are determined at runtime. The structural authorisation profile has the following fields:

Plan Version | Object Type | Object ID | Start Date | End Date | Maintenance | Auth Profile | Exclusion

01 | P | 12345 | 01.01.2011 | 31.12.9999 | X | ZMSS |

01 | P | 66666 | 01.01.2010 | 31.12.9999 | X | ZEXC | X

So if you give the manager the ZMSS profile above, it will read all employees (and positions and org units under the manager's org unit) and give access to those objects. This would show in the authorisation profile like line one in my example. If I also assign the ZEXC profile and tick it for exclusion, it only creates the entry in the profile as per structural profile ZEXC in OOSP, but with X in the exclusion column. So when, for example, PA20 is run and I try to enter pernr 66666, it will not be allowed since that pernr is excluded in my structural profile. So nothing is deleted. You can check a user's structural profile easily using tcode RE_RHAUTH00.
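The following is an added example, not SAP code and not part of the reply above. It models the runtime behaviour the answer describes for all three questions: an OOSP profile whose start object is filled in by a function module (a stand-in for RH_GET_MANAGER_ASSIGNMENT with assumed behaviour), an evaluation path O-S-P walked from that root, an exclusion assignment that only flags objects with X rather than deleting them, and own-pernr access that bypasses the structural profile because it is checked via P_PERNR (assumed granted here). Org units, positions, pernrs, user ids and the ZMSS/ZEXC profile contents are constructed sample data.

```python
"""Toy model of SAP HR structural authorization evaluation at runtime.

Added example, not SAP code. All org objects, user ids, pernrs and profile
contents are constructed sample data; the function module below only
imitates the behaviour the reply attributes to RH_GET_MANAGER_ASSIGNMENT.
"""
from collections import deque
from dataclasses import dataclass

# Constructed org plan (plan version 01). Edges run parent -> child in the
# direction of the evaluation path O-S-P: org unit -> position -> person.
ORG_EDGES = {
    ("O", "1000"): [("S", "2001"), ("S", "2002"), ("O", "1100")],
    ("O", "1100"): [("S", "2003")],
    ("S", "2001"): [("P", "12345")],   # chief position of org unit 1000
    ("S", "2002"): [("P", "66666")],
    ("S", "2003"): [("P", "77777")],
    ("O", "9000"): [("S", "2009")],    # unrelated org unit, not under 1000
    ("S", "2009"): [("P", "88888")],
}
# Constructed A012 "manages" relationships: chief position -> org unit.
MANAGES = {("S", "2001"): ("O", "1000")}
# Constructed IT0105 subtype 0001 linkage, and which position each person holds.
USER_TO_PERNR = {"MGR01": "12345", "EMP02": "66666"}
PERNR_TO_POSITION = {"12345": ("S", "2001"), "66666": ("S", "2002")}


@dataclass(frozen=True)
class OospRow:
    """One OOSP profile line; a blank root_id means func_module supplies it."""
    profile: str
    root_type: str
    root_id: str            # "" when determined dynamically
    eval_path: tuple        # e.g. ("O", "S", "P")
    func_module: str = ""


def rh_get_manager_assignment(user_id):
    """Stand-in (assumed behaviour) for RH_GET_MANAGER_ASSIGNMENT: user id ->
    pernr via IT0105/0001 -> held position -> org unit that position manages."""
    pernr = USER_TO_PERNR.get(user_id)
    position = PERNR_TO_POSITION.get(pernr)
    return MANAGES.get(position)    # None when the user manages nothing


FUNCTION_MODULES = {"RH_GET_MANAGER_ASSIGNMENT": rh_get_manager_assignment}


def walk_eval_path(root, eval_path):
    """Collect the root and every object reachable from it whose type is on
    the evaluation path (breadth-first, never descending through other types)."""
    if root is None:
        return set()
    allowed_types = set(eval_path)
    seen, queue = {root}, deque([root])
    while queue:
        node = queue.popleft()
        for child in ORG_EDGES.get(node, []):
            if child[0] in allowed_types and child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def build_runtime_profile(user_id, oosp, oosb):
    """Rows as RHAUTH00 would list them: (plan version, object type, object id,
    profile, exclusion flag). Excluded objects are flagged X, never removed."""
    rows = []
    for profile, excluded in oosb:          # OOSB assignments for this user
        for line in oosp[profile]:
            if line.root_id:
                root = (line.root_type, line.root_id)
            else:
                root = FUNCTION_MODULES[line.func_module](user_id)
            for obj_type, obj_id in sorted(walk_eval_path(root, line.eval_path)):
                rows.append(("01", obj_type, obj_id, profile, "X" if excluded else ""))
    return rows


def allowed_objects(rows):
    """Runtime result: everything included minus everything flagged X."""
    included = {(t, i) for _, t, i, _, flag in rows if not flag}
    excluded = {(t, i) for _, t, i, _, flag in rows if flag}
    return included - excluded


def pa20_access(user_id, pernr, oosp, oosb):
    """May user_id display pernr in PA20? The user's own record goes through
    P_PERNR (assumed granted); anyone else must be in the structural profile."""
    if USER_TO_PERNR.get(user_id) == pernr:
        return True
    return ("P", pernr) in allowed_objects(build_runtime_profile(user_id, oosp, oosb))


# Constructed OOSP: ZMSS with a dynamic root, ZEXC naming one person directly.
OOSP = {
    "ZMSS": [OospRow("ZMSS", "O", "", ("O", "S", "P"), "RH_GET_MANAGER_ASSIGNMENT")],
    "ZEXC": [OospRow("ZEXC", "P", "66666", ("P",))],
}
# Constructed OOSB for MGR01: ZMSS included, ZEXC ticked for exclusion.
OOSB_MGR01 = [("ZMSS", False), ("ZEXC", True)]

if __name__ == "__main__":
    for row in build_runtime_profile("MGR01", OOSP, OOSB_MGR01):
        print(" | ".join(row))
    for pernr in ("12345", "66666", "77777", "88888"):
        print("MGR01 PA20", pernr, pa20_access("MGR01", pernr, OOSP, OOSB_MGR01))
    print("EMP02 own record:", pa20_access("EMP02", "66666", OOSP, []))
```

Running it prints the runtime profile with pernr 66666 listed twice, once from ZMSS without a flag and once from ZEXC with X, which is why the manager can open 12345 and 77777 in this model but not 66666 or the unrelated 88888, while EMP02 still reaches their own record with no structural profile assigned at all.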
