09-18-2013 10:37 AM
Hi,
We are using Structural Profile using P_ORGINCON. I have two user ids
User Id A --> * and Profile A for P_ORGINCON for PROFL field
User Id B -->ALL and Profile A for P_ORGINCON for PROFL field
Profile A - PD Profile with Access to some particular org unit
We are using RHBAS00_GET_PROFL BADI to automatically get the structural authroization. So T77UA will not be updated.
Now, When I login with User Id A
- I can see Org Unit based on Profile A only. Means restricted structural Profile is overridding * value
- But I could see all employees in PA30
Now when I login with User Id B
- I can see whole org strucutre. Now value "ALL" is overridding any other value
- But I have limited access in PA30. I get authorization error message for some employees.
I am unable to understand the difference between maintianing "*" and "ALL" value in P_ORGINCON.
Please let me know if anyone of you have experienced this.
Kind Regards,
Sheenam Singla
09-18-2013 3:11 PM
Hi Sheenam,
There are several possible explanations for this behaviour.
The most likely explanation would be that you're not using the standard (SAP example code) implementation for HRBAS00_GET_PROFL. While this is usually a good sign, it's possible that the developer didn't include the translation of "*" to "ALL" in the code or is pulling off some advanced logic that is causing these results. Would you mind sharing your code for this BAdI and the exact contents of profile A?
The less likely explanation is that your authorization switch DFCON is set to 1 (or 0) and the employee you are trying to display with user B is not integrated in the current time interval (i.e. on the default position). This means SAP can't figure out what to do with it in a context scenario and when your switch is set to 1 (or 0) will refuse to give you access. Not an issue for user A as he has value "*" for PROFL (and assuming also for PERSA/PERSG/PERSK if your switch is 1) which is another one of those undocumented exception scenario's (like the undocumented value 0). See note 647278 for more information on what the switch values actually stand for.
As for the difference between * and ALL, it depends on your implementation of HRBAS00_GET_PROFL:
1) No implemtation: ALL means profile ALL and "*" means "any profile assigned in T77UA"
2) Implementation that assigns ALL when you encounter a "*": ALL and "*" both mean the same because "*" gets replaced anyway
3) Implementation that doesn't assign ALL when you encounter a "*": ALL means profile ALL and "*" means "any profile assigned through the BAdI or T77UA"
On a side note, you can always run transaction RE_RHAUTH00 to get a view on the structural authorizations of user A and B. It gives a nice overview of which objects are accessible and where (which profile) the access is coming from. Comparing these results may already indicate what is causing the difference.
Hope that clears things up a bit.
Brent
09-18-2013 3:11 PM
Hi Sheenam,
There are several possible explanations for this behaviour.
The most likely explanation would be that you're not using the standard (SAP example code) implementation for HRBAS00_GET_PROFL. While this is usually a good sign, it's possible that the developer didn't include the translation of "*" to "ALL" in the code or is pulling off some advanced logic that is causing these results. Would you mind sharing your code for this BAdI and the exact contents of profile A?
The less likely explanation is that your authorization switch DFCON is set to 1 (or 0) and the employee you are trying to display with user B is not integrated in the current time interval (i.e. on the default position). This means SAP can't figure out what to do with it in a context scenario and when your switch is set to 1 (or 0) will refuse to give you access. Not an issue for user A as he has value "*" for PROFL (and assuming also for PERSA/PERSG/PERSK if your switch is 1) which is another one of those undocumented exception scenario's (like the undocumented value 0). See note 647278 for more information on what the switch values actually stand for.
As for the difference between * and ALL, it depends on your implementation of HRBAS00_GET_PROFL:
1) No implemtation: ALL means profile ALL and "*" means "any profile assigned in T77UA"
2) Implementation that assigns ALL when you encounter a "*": ALL and "*" both mean the same because "*" gets replaced anyway
3) Implementation that doesn't assign ALL when you encounter a "*": ALL means profile ALL and "*" means "any profile assigned through the BAdI or T77UA"
On a side note, you can always run transaction RE_RHAUTH00 to get a view on the structural authorizations of user A and B. It gives a nice overview of which objects are accessible and where (which profile) the access is coming from. Comparing these results may already indicate what is causing the difference.
Hope that clears things up a bit.
Brent
09-23-2013 11:45 AM
Hi Brent,
It took a while for me to understand your answer
Yes, Now I can co relate it.
Difference between * and ALL
- Both are same on organization structure display wise (i.e. PPOSE)
- However, if DEFCON is on,
1) With "ALL" , you can view employees who are mapped to organization structure using PA30
2) With "*", you can view all emplyees even for those Org unit is 0 and default position is 999999
Thank you so much.