Default Authorization object P_ABAP for PA20

Former Member · ‎12-27-2011

Dear colleagues!

After SP implementation roles werу adjusted and new authorization check for P_ABAP was added for transaction PA* (PA20, PA30...).

Where is hr-reporting checks in these transactions? It's critical for personnel data maintenance or used only for sub-menu reports?

Trace for PA20 shows the following values for P_ABAP check (PA20-Goto-Planning Data-...):

P_ABAP RC=12 REPID=SAPMP50A;COARS=2;

P_ABAP RC=12 REPID=SAPDBPNP;COARS=2;

SAP Release ERP 6.0 EHP4 (10 stack)

Regards,

A.M.

Former Member · ‎12-27-2011

Hi,

The values mentioned for P_ABAP here is not necessary to be added in a role. SAPDBPNP is a logical database and providing P_ABAP with degree of simplification (COARS) = 2 is very dangerous, as it will bypass any authorization check while executing reports related to that logical database.

Providing such values will disturb your entire authorization design as even though you might restrict an user on few Infotypes in P_ORGINCON, but with this value, it actually bypasses any report using this logical database to check for Infotype authorization or structural auth restriction.

To suggest a possible solution, I would like to know exact activities intended to be done with PA20 and level to access provided in P_ORGINCON. Please can you share that here?

Thanks,

Deb

Former Member · ‎01-01-2012

Dear AM,

If you analyze SU24 for the tcode PA20, you will find the that SAP proposed P_ABAP though it's in no-check status.

So there are some functionality within the PA20 for which P_ABAP is checked.

The scenario, you have mentioned is basically running some reports and therefore system is cheking P_ABAP.

As Debmalya mentioned it's dangerous to maintain value 2 since it bypasses standard infotype check. So maintain accordingly.

Thanks

Aktar