
Restrict Infotype Access - SAP HR Authorization Check

Former Member
0 Kudos

Hello everyone,

I need to restrict access to infotype 9003 to different users, for example user A, user B, user C, user D and user E. Only users A, B, C, D, E access PA20 Infotype 9003 and for all company employees.

The problem is I have several profiles (too many) that give access to infotype 9003. Furthermore those profiles are assigned to other users.

I don't find it efficient to modify all these profiles and get 9003 out of the authorized infotypes. Also because I can't prevent a new profile from being created with 9003, and then all the access security is turned off.

So, how can I define some kind of second-level Authorization Check that checks if the user in the system corresponds to user A, B, C, D, E? Even if user Z has access through a profile, he can't access infty 9003 because he does not belong to my special list?

Is there any other standard solution for this problem?

I hope I've made myself understood.

Thanks in advance.

Regards,

Carla Sousa

Edited by: Carla João de Sousa on Feb 22, 2012 6:28 PM

Accepted Solutions (0)

Answers (5)

Former Member
0 Kudos

I guess I will have to correct all roles.

Thanks!

Kind regards,

Carla Sousa

Former Member
0 Kudos

Hi Raghu C,

The problem is that there are other roles giving access to 9003 (actually there are too many roles, which makes it difficult to maintain). My problem is not about giving access to users A, B, C, D, E. It is to guarantee that no other user accesses this infotype.

So because I have so many roles that are already giving access to 9003, I wanted to know if I can add a second-level authorization. I mean, if user Z has a role that gives access to 9003, because he does not pass this "second level", he won't access it.

I know that there's a lot about SAP HR Authorizations, beyond roles, like structural authorizations or context-solution authorizations. But I don't know if any of them solves this type of scenario, and how to apply it.

Is there anyone to help me please?

Thanks!

Carla Sousa

Edited by: Carla João de Sousa on Feb 23, 2012 7:16 PM

raghu_c
Active Contributor
0 Kudos

Hi Carla,

As far as my knowledge of authorizations goes, once an infotype is given access in one of the roles, it would not be possible to restrict it to certain users only unless the infotype is removed from other profiles. However, kindly post this in the BASIS forum to get more responses.

Raghu

Matt_Fraser
Active Contributor
0 Kudos

Carla,

You might be able to do this by including an AUTHORITY-CHECK statement somewhere in the MP900300 module pool, along with a custom authorization object. Assign the object to a new role, and put only your selected users in that role. However, it's not clear whether this would end up being more work (especially for ongoing maintenance) than just biting the bullet and editing your other roles to remove the 9003 authorization. You should be able to quickly identify which roles will need editing using transaction SUIM.

--Matt
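
A sketch of the check described in the answer above, as an added example that is not part of the original thread or any SAP-delivered code. The authorization object `ZHR_IT9003` and the module name `z_check_it9003_auth` are hypothetical names chosen for illustration.

```abap
* Added example, not code from the thread.
* Assumptions:
*   - ZHR_IT9003 is a custom authorization object (hypothetical name)
*     created in SU21 with the single field ACTVT.
*   - The object is added to one new role, and only users A to E are
*     assigned to that role.
*   - This module lives in a custom include of module pool MP900300
*     and is called as the first PBO module of the 9003 screens.
MODULE z_check_it9003_auth OUTPUT.

* Second-level check: runs in addition to the standard infotype
* authorization, so a role that grants 9003 is no longer enough.
  AUTHORITY-CHECK OBJECT 'ZHR_IT9003'
    ID 'ACTVT' FIELD '03'.                  "03 = display

  IF sy-subrc <> 0.
*   Any non-zero return code means the user lacks the authorization.
*   Stop screen processing before any 9003 data is displayed.
    MESSAGE 'No authorization for infotype 9003' TYPE 'E'.
  ENDIF.

ENDMODULE.
```

A check placed in the module pool only guards the infotype screens, so programs that read the 9003 data without going through those screens do not pass through it. The roles that still grant 9003 can be listed with SUIM, as the answer suggests.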

Former Member
0 Kudos

Hi Rajdeepk,

I didn't understand your answer.

Do you mean I should use structural authorizations? If that's what you mean, I think it does not solve my problem.

Can anyone help me with this?

Thanks!

Carla Sousa

raghu_c
Active Contributor
0 Kudos

Create a new single role and add t-code PA20; in the P_ORGIN object, give read authorization to infotype 9003. Assign this role to the five users you have mentioned.

Raghu

Former Member
0 Kudos

Hi

I think it is worth looking @ Org Key in infotype 1

Thanks

Rajdeep

Former Member
0 Kudos

Hi

look @ the Org key in infotype 1

Thanks

Rajdeep