Application Development Discussions

Problem with PA20 and PERSA

Former Member
0 Kudos

Hi

I am in a situation where users have access to PA20 from role A and * in PERSA in P_ORGIN from role B. With the combination of these two roles the users are able to view the basic pay of all the users in the company. Can we use Structural authorization to restrict? Role B is a MSS role and is assigned to all the managers.

Thanks,

Adi

7 REPLIES 7

Former Member
0 Kudos

What is the purpose of * in Role B? If it's decided that managers can view all the areas, then why are you worrying about restriction?

If you want to restrict then you have to take the * away.

0 Kudos

Hi,

If you give access to a transaction then it counts for all the authorization objects that can be matched with that transaction. So if you have permission to other authorizations in other roles that match with this transaction, the world is broader than you expected.

If you have permission to a transaction this will start ABAP, and in the ABAP the question(s) is asked if you have authorization for the objects programmed in the ABAP.

Have fun

Bye

Jan van Roest

Former Member
0 Kudos

> Can we use Structural authorization to restrict. Role B is a MSS role and is assigned to all the managers.

Yes. I would recommend you find information about structural authorisations and context solution. That will fix issues where manager's MSS role gives too much access in PA20.

SaQ

0 Kudos

Hi SAQ,

Can we use functional module GET_MANAGER_ASSIGMNET to restrict through structural?

Thanks,

Adi

0 Kudos

> Can we use functional module GET_MANAGER_ASSIGMNET to restrict through structural?

Yes. RH_GET_MANAGER_ASSIGNMENT can be used to fill the object id for organisational unit of manager. Remember to link each user id to employee using infotype 0105 subtype 0001.

's

0 Kudos

Hi SaQ,

I have created a structure like below.

TEST_AA1 10 1 O O_S_P 12 99 RH_GET_MANAGER_ASSIGNMENT

I didn't mention anything in object.

Still the manager is able to see all the employees.

Thanks,

Adi

0 Kudos

> Still the manager is able to see all the employees.

Check following:

- Have you linked the user id to the manager's employee number using infotype 0105-0001?

- Have you assigned the structural profile to the manager (tcode OOSB)?

- Test running tcode RE_RHAUTH00 what objects manager can see with the structural profile.

If still issues exist, check the organisational chart. Sometimes test systems have funny relationships because it's a test system.

's
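
The interaction described in this thread, modelled as an added example that is not part of any post: authorizations from all of a user's roles are pooled, so PA20 from one role and `*` in PERSA of P_ORGIN from another combine for infotype 0008 (Basic Pay), and a structural profile then narrows which personnel numbers are reachable. Role names, users, personnel areas and numbers are constructed; only the INFTY, AUTHC and PERSA fields are modelled, value ranges are not, and treating a user without a structural profile as unrestricted is an assumption of this model.

```python
# Simplified model of additive role authorizations (added example, not SAP code).
# All role names, users, personnel areas and numbers are constructed samples.
ANY = object()  # sentinel for "every value"; only a "*" authorization satisfies it

ROLES = {
    "ROLE_A": [("S_TCODE", {"TCD": ["PA20"]})],
    "ROLE_B_MSS": [("P_ORGIN", {"INFTY": ["*"], "AUTHC": ["R"], "PERSA": ["*"]})],
    "ROLE_HR_DE": [("S_TCODE", {"TCD": ["PA20"]}),
                   ("P_ORGIN", {"INFTY": ["0008"], "AUTHC": ["R"], "PERSA": ["DE01"]})],
}
USERS = {"MGR1": ["ROLE_A", "ROLE_B_MSS"], "MGR2": ["ROLE_B_MSS"], "HR1": ["ROLE_HR_DE"]}
# Personnel numbers each user's structural profile resolves to (constructed).
STRUCTURAL = {"MGR1": {"1001", "1002"}}
EMPLOYEES = {"1001": "DE01", "1002": "DE01", "2001": "US01"}  # pernr -> PERSA


def effective_auths(user):
    """Authorizations are additive: pool every authorization from every role."""
    return [auth for role in USERS[user] for auth in ROLES[role]]


def authorized(user, obj, **wanted):
    """True if a single authorization for obj satisfies every requested field."""
    return any(
        name == obj and all("*" in f.get(k, []) or v in f.get(k, [])
                            for k, v in wanted.items())
        for name, f in effective_auths(user)
    )


def can_read_basic_pay(user, pernr, use_structural=True):
    """Transaction start check, P_ORGIN check for 0008, then structural check."""
    general = (authorized(user, "S_TCODE", TCD="PA20") and
               authorized(user, "P_ORGIN", INFTY="0008", AUTHC="R",
                          PERSA=EMPLOYEES[pernr]))
    if not use_structural or user not in STRUCTURAL:
        return general  # assumption: no profile assigned means no structural limit
    return general and pernr in STRUCTURAL[user]


def unrestricted_pay_viewers():
    """Users whose combined roles give PA20 plus basic pay read for PERSA '*'."""
    return sorted(u for u in USERS
                  if authorized(u, "S_TCODE", TCD="PA20")
                  and authorized(u, "P_ORGIN", INFTY="0008", AUTHC="R", PERSA=ANY))
```

Neither ROLE_A nor ROLE_B_MSS is flagged on its own; only the user holding both appears in `unrestricted_pay_viewers()`, which is why this kind of review has to run per user rather than per role.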