Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Difference between * and ALL in P_ORGINCON for PROFL field

Go to solution
Former Member

‎09-18-2013 10:37 AM

0 Kudos

Hi,

We are using Structural Profile using P_ORGINCON.  I have two user ids

User Id A --> * and Profile A for P_ORGINCON for PROFL field

User Id B -->ALL and  Profile A for P_ORGINCON for PROFL field

Profile A - PD Profile with Access to some particular org unit

We are using RHBAS00_GET_PROFL BADI to automatically get the structural authroization. So T77UA will not be updated.

Now, When I login with User Id A

- I can see Org Unit based on Profile A only. Means restricted structural Profile is overridding * value

- But I could see all employees in PA30

Now when I login with User Id B

- I can see whole org strucutre. Now value "ALL" is overridding any other value

- But I have limited access in PA30. I get authorization error message for some employees.

I am unable to understand the difference between maintianing "*" and "ALL" value in P_ORGINCON.

Please let me know if anyone of you have experienced this.

Kind Regards,

Sheenam Singla

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎09-18-2013 3:11 PM

0 Kudos

Hi Sheenam,

There are several possible explanations for this behaviour.

The most likely explanation would be that you're not using the standard (SAP example code) implementation for HRBAS00_GET_PROFL. While this is usually a good sign, it's possible that the developer didn't include the translation of "*" to "ALL" in the code or is pulling off some advanced logic that is causing these results. Would you mind sharing your code for this BAdI and the exact contents of profile A?

The less likely explanation is that your authorization switch DFCON is set to 1 (or 0) and the employee you are trying to display with user B is not integrated in the current time interval (i.e. on the default position). This means SAP can't figure out what to do with it in a context scenario and when your switch is set to 1 (or 0) will refuse to give you access. Not an issue for user A as he has value "*" for PROFL (and assuming also for PERSA/PERSG/PERSK if your switch is 1) which is another one of those undocumented exception scenario's (like the undocumented value 0). See note 647278 for more information on what the switch values actually stand for.

As for the difference between * and ALL, it depends on your implementation of HRBAS00_GET_PROFL:
1) No implemtation: ALL means profile ALL and "*" means "any profile assigned in T77UA"
2) Implementation that assigns ALL when you encounter a "*": ALL and "*" both mean the same because "*" gets replaced anyway
3) Implementation that doesn't assign ALL when you encounter a "*": ALL means profile ALL and "*" means "any profile assigned through the BAdI or T77UA"


On a side note, you can always run transaction RE_RHAUTH00 to get a view on the structural authorizations of user A and B. It gives a nice overview of which objects are accessible and where (which profile) the access is coming from. Comparing these results may already indicate what is causing the difference.


Hope that clears things up a bit.

Brent

2 REPLIES 2

Go to solution
Former Member

‎09-18-2013 3:11 PM

0 Kudos

Hi Sheenam,

There are several possible explanations for this behaviour.

The most likely explanation would be that you're not using the standard (SAP example code) implementation for HRBAS00_GET_PROFL. While this is usually a good sign, it's possible that the developer didn't include the translation of "*" to "ALL" in the code or is pulling off some advanced logic that is causing these results. Would you mind sharing your code for this BAdI and the exact contents of profile A?

The less likely explanation is that your authorization switch DFCON is set to 1 (or 0) and the employee you are trying to display with user B is not integrated in the current time interval (i.e. on the default position). This means SAP can't figure out what to do with it in a context scenario and when your switch is set to 1 (or 0) will refuse to give you access. Not an issue for user A as he has value "*" for PROFL (and assuming also for PERSA/PERSG/PERSK if your switch is 1) which is another one of those undocumented exception scenario's (like the undocumented value 0). See note 647278 for more information on what the switch values actually stand for.

As for the difference between * and ALL, it depends on your implementation of HRBAS00_GET_PROFL:
1) No implemtation: ALL means profile ALL and "*" means "any profile assigned in T77UA"
2) Implementation that assigns ALL when you encounter a "*": ALL and "*" both mean the same because "*" gets replaced anyway
3) Implementation that doesn't assign ALL when you encounter a "*": ALL means profile ALL and "*" means "any profile assigned through the BAdI or T77UA"


On a side note, you can always run transaction RE_RHAUTH00 to get a view on the structural authorizations of user A and B. It gives a nice overview of which objects are accessible and where (which profile) the access is coming from. Comparing these results may already indicate what is causing the difference.


Hope that clears things up a bit.

Brent

Go to solution
Former Member
In response to Former Member

‎09-23-2013 11:45 AM

0 Kudos

Hi Brent,

It took a while for me to understand your answer

Yes, Now I can co relate it.

Difference between * and ALL

- Both are same on organization structure display wise (i.e. PPOSE)

- However, if DEFCON is on,

     1) With "ALL" , you can view employees who are mapped to organization structure using PA30

     2) With "*", you can view all emplyees even for those Org unit is 0 and default position is 999999

Thank you so much.