on 02-22-2012 5:19 PM
Hello everyone,
I need to restrict access to infotype 9003 to different users, for example user A, user B, user C, user D and user E. Only users A, B, C, D, E should access PA20 infotype 9003, and for all company employees.
The problem is I have several profiles (too many) that give access to infotype 9003. Furthermore those profiles are assigned to other users.
I don't find it efficient to modify all these profiles and take 9003 out of the authorized infotypes. Besides, I can't prevent a new profile from being created with 9003, and then all the access security is turned off.
So, how can I define some kind of second-level authorization check that checks if the user in the system corresponds to user A, B, C, D, E? Even if user Z has access through a profile, he can't access infty 9003 because he does not belong to my special list?
Is there any other standard solution for this problem?
I hope I've made myself understood.
Thanks in advance.
Regards,
Carla Sousa
Edited by: Carla João de Sousa on Feb 22, 2012 6:28 PM
I guess I will have to correct all roles.
Thanks!
Kind regards,
Carla Sousa
Hi Raghu C,
The problem is that there are other roles giving access to 9003 (actually there are too many roles, which makes it difficult to maintain). My problem is not about giving access to users A, B, C, D, E. It is to guarantee that no other user accesses this infotype.
So because I have so many roles that are already giving access to 9003, I wanted to know if I can add a second-level authorization. I mean, if user Z has a role that gives access to 9003, because he does not pass this "second level", he won't access it.
I know that there's a lot about SAP HR authorizations beyond roles, like structural authorizations or context-solution authorizations. But I don't know if any of them solves this type of scenario, or how to apply it.
Is there anyone to help me please?
Thanks!
Carla Sousa
Edited by: Carla João de Sousa on Feb 23, 2012 7:16 PM
Hi Carla,
As far as my knowledge of authorizations goes, once an infotype is given access in one of the roles, it would not be possible to restrict it to certain users only unless the infotype is removed from other profiles. However, kindly post this in the BASIS forum to get more responses.
Raghu
Carla,
You might be able to do this by including an AUTHORITY-CHECK statement somewhere in the MP900300 module pool, along with a custom authorization object. Assign the object to a new role, and put only your selected users in that role. However, it's not clear whether this would end up being more work (especially for ongoing maintenance) than just biting the bullet and editing your other roles to remove the 9003 authorization. You should be able to quickly identify which roles will need editing using transaction SUIM.
--Matt
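As an added example (not part of any reply in this thread), the role clean-up suggested above can be prepared with a small audit over exported role data: it lists which roles grant infotype 9003 and which users outside the intended list inherit it. The role names, user names and the export layout are constructed for illustration; only the INFTY field of P_ORGIN is evaluated, so the result over-approximates real access.

```python
# Constructed sample data, standing in for a SUIM export.
# role -> INFTY values of its P_ORGIN authorizations (single, "from-to", or pattern)
ROLE_INFTY = {
    "Z_HR_ADMIN": ["*"],
    "Z_HR_PAYROLL": ["0000-0999", "9003"],
    "Z_HR_TIME": ["2000-2999"],
    "Z_HR_CUSTOM": ["9000-9099"],
    "Z_HR_PATTERN": ["90*"],
    "Z_HR_BASIC": ["0001", "0002", "0006"],
}
# user -> assigned roles (constructed)
USER_ROLES = {
    "USER_A": ["Z_HR_ADMIN"],
    "USER_X": ["Z_HR_PATTERN", "Z_HR_PAYROLL"],
    "USER_Y": ["Z_HR_TIME"],
    "USER_Z": ["Z_HR_BASIC", "Z_HR_CUSTOM"],
}
ALLOWED = {"USER_A", "USER_B", "USER_C", "USER_D", "USER_E"}


def value_covers(value, infty):
    """True if one authorization value covers the 4-digit infotype."""
    value = value.strip()
    if "-" in value:                      # range "from-to", zero-padded numbers
        low, high = (part.strip() for part in value.split("-", 1))
        return low <= infty <= high
    if value.endswith("*"):               # "*" or a prefix pattern such as "90*"
        return infty.startswith(value[:-1])
    return value == infty                 # single value


def roles_granting(infty, role_infty=ROLE_INFTY):
    """Roles whose INFTY values include the infotype, sorted by name."""
    return sorted(
        role for role, values in role_infty.items()
        if any(value_covers(v, infty) for v in values)
    )


def unexpected_users(infty, allowed=ALLOWED, user_roles=USER_ROLES):
    """Users not on the allow-list, mapped to the roles that give them the infotype."""
    granting = set(roles_granting(infty))
    findings = {}
    for user, roles in user_roles.items():
        hits = sorted(granting.intersection(roles))
        if hits and user not in allowed:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    print("Roles granting 9003:", roles_granting("9003"))
    for user, roles in sorted(unexpected_users("9003").items()):
        print(f"{user} gets 9003 through {', '.join(roles)}")
```

Wildcard, pattern and range values are the cases a search for the literal value 9003 misses, which is why the check expands them.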
Hi Rajdeepk,
I didn't understand your answer.
Do you mean I should use structural authorizations? If that's what you mean, I think it does not solve my problem.
Can anyone help me with this?
Thanks!
Carla Sousa
Hi
I think it is worth looking @ Org Key in infotype 1
Thanks
Rajdeep
Hi
look @ the Org key in infotype 1
Thanks
Rajdeep