Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Structural Authorizations Issue

Former Member
0 Kudos

Hi All,

I have a scenario where a User in a specific position should be able to maintain only employees in his department. I want to create one SA profile which can be valid all the users to maintain employees in their  department only.

I am using the FM RH_GET_MANAGER_ASSIGNMENT with Object O evaluation path as MANASS.  I have also  maintained the user as manager in the OM but when I check the  information tab in OOSP for that profile I get a blank screen. Is there anything else that I am missing.

Also if I don't want to make this person as the manager in the OM will the function module  RH_GET_ORG_ASSIGNMENT ( Object O and Evaluation path ORGASS) help me in restricting users in his own department.

Any help will be appreciated.

Best Regards,

Mohammed Sharfuddin

15 REPLIES 15

Former Member
0 Kudos

Hi Mohammed,

In case the user is the manager for the org unit then you'll be able to use the standard function module available (RH_GET_MANAGER_ASSIGMENT). Depending on whether you want to provide access to only that Org Unit or also to the Org Units below, you would use either evaluation path O-P or O-S-P.

In case you don't want to make this user the manager of the Org Unit, you can indeed substitute RH_GET_MANAGER_ASSIGMENT with RH_GET_ORG_ASSIGNMENT and use the same evaluation paths as in above example.

On the OOSP part I'm not too sure but I think it won't show you anything because the result isn't a constant. The best way to test it would be to assign it to a user and use transaction RE_RHAUTH00 (program RHAUTH00) or alternatively you could run the individual steps manually (function module followed by RH_STRUC_GET for the evaluation path).

Hope this helps,

Brent

0 Kudos

as a side-note, you can also use transaction HRAUTH (report: RHANALYSIS_TOOL) to conveniently see all authorized objects for a specific user.

Former Member
0 Kudos

Thank You Brent & Dimitri for your response can you kindly clarify me if I can use different evaluation path in OOSP other then MANASS. Wanted to know as MANASS is hardcoded in the FM RH_GET_MANAGER_ASSIGMENT

I am checking on the other reports you have suggested me and will update you if this resolves the issue.

Best Regards,

Mohammed Sharfuddin

0 Kudos

yes you can use any evaluation path that suits you.  the simple O-O-S-P path suits many needs as well. I use it frequently myself.

if you run into issues with the structural profile you've created, just show the profile in here so we can have a look at it. 

0 Kudos

Hi Mohammed,

I believe you are confusing two fields in your structural profile. In your example the field "Function Module" would contain RH_GET_MANAGER_ASSIGNMENT (which uses the evaluation path MANASS).

When Dimitri and I are refering to evaluation paths O-O-S-P and O-P, we mean this to be used in the field "Eval. Path" in transaction OOSP.

The function module is used to retrieve the starting point (the Org Unit that the user is the manager for) and then the evaluation path (O-O-S-P or O-P) is used to collect the objects that we give the user access to in this structural profile (i.e. every O, S and P below the starting Org Unit).

I hope this clears things up. If not then please post your structural profile like Dimitri suggested.

Brent

Former Member
0 Kudos

Thank you Brent & Dimitri for the clear solution. I have pasted screenshot documents I apologize if am taking more time of yours.

 

Here when I login to test id and maintain the user it is giving me an authorization error

Former Member
0 Kudos

I even face the same error when I don't use FM. The example below is for another profile to the same user

In the two profile assigned to the user one is to display all students and other is to maintain students in their department. Just to add one more info earlier the BADI HRBAS00_STRUAUTH was active but now we have deactivated the BADI

New Profile

0 Kudos

Hi Mohammed,

For sanity's sake, could you trace your actions when maintaining students with user TESTGPC (use transaction STAUTHTRACE).

I would just like to verify whether we are seeing a structural authorization error or whether it's simply 'standard' authorization that's messing with us here.

Also, when you're maintaining the student in your example above and the error message turns up. Is this student's object ID visible in the authorization view at all? (report RHAUTH00 or in t-code HRAUTH).


0 Kudos

Hello Dimtiri,

I have checked the authorization trace and it is not failing for any standard authorizations.

Also as you said the student object id is not visible in the authorization view. I am getting the student id for the object id 00000004.

Thank you for all the help

Best Regards,

Mohammed Sharfuddin

0 Kudos

Hi again Mohammed,

Can you show me an overview of all relations the ST object for student 5000004001 has including the corresponding validity periods?

I'm wondering whether it has something to do with the fact that the P object (100480) has only been assigned to its position since 24.11.2013.  that could conflict with the ST object he is trying to maintain. seeing the relations of the ST object will clarify this.

also, what have you set the period indicator to in your structural profile?  is it empty? empty would be the correct value (at least for now).

for more info on periods of responsibilities and structural authorizations have a look here.


from what I understand, the student (5000004001) does show up in transaction PIQST00, it is only when trying to maintain it you are receiving the error, right?

0 Kudos

Hello Dimitri,

yes I am the student does show up in the t-code PIQST00 the error comes when I want to change or delete  the advisor.

In the SA period field is empty.I have attached screenshot of for your reference. The error is same for all students

Regards,

Mohammed Sharfuddin

0 Kudos

Good morning Mohammed,

the fact that you can access the student info in PIQST00 would indicate that the structural profile is defined correctly. however, maintain access is denied.

this can be caused by either of the following ways:

  • the maintenance indicator in the structural profile is unchecked. (from your example above, we see that it is in fact checked).
  • the PLOG object in the 'standard' authorization has insufficient maintain authorizations for ST objects.

Can you show me all values of the PLOG object(s) the user TESTGPC has assigned?

0 Kudos

Hello Dimtri,

Appreciate you taking so much time to help me with the issue. I already anticipated PLOG values and maintained it as * . I even tried giving SAP_ALL and it didn't work.

I then removed SAP_ALL assignment and assigned a profile ALL in OOSB  which has * in plan version and object type with maintained checked. With this profile I am able to maintain the Advisor for the student. So somewhere the SA is not providing access in the structure. Can we in any where check where is it failing.

Thank you again for all the help

Best Regards,

Mohammed Sharfuddin

0 Kudos

in the first structural profile you used the RH_GET_MANAGER_ASSIGNMENT FM to determine what org. unit the user is managing.  in the second you hard-coded the position of the user as a starting point for the structural profile.

I'd suggest making the structural profile ZCUST_DYN with the O as starting point (as before) and use the ZSTADVIS evaluation path instead of the O_S_P one you used before.

Former Member
0 Kudos

Hello Dimitri,

Thank you for all the help. I am able to maintain the students using context SA profile. But for some students when I try to change them I get an error Object Not Found. Can this be because that the evaluation path does not have any relation on the assigned advisors.

I wanted to post a screenshot but attach image icon is greyed out.

Best Regards,

Mohammed Sharfuddin