05-19-2014 5:54 AM
Hi Experts,
I've built a structural authorisation profile which utilises the FM RH_GET_ORG_ASSIGNMENT, as outlined below:
When assigned directly to a user (via OOSB), the user is restricted to their own org unit - as expected.
When I assign the profile to the default record SAP*:
Users get the following message when trying to access objects:
When I assign SAP* a profile with an explicitly defined OBJID, it works nicely.
Is it by design that SAP doesn't allow SAP* to have a profile with a FM?
If not, what step am I missing in this process?
Cheers,
Sam Hardman
05-19-2014 8:39 AM
Hi Sam,
Most likely the SAP* user is not connected with a PERNR in IT105.
That's why the FM will not find a reference point to give access to part of the OM structure.
May I ask why you'd want to assign a restricted structural profile to SAP* instead of actual users? Are you trying to assign a structural profile to all users by restricting SAP*'s profile?
Good luck!
Dimitri
05-19-2014 12:42 PM
Hi Dimitri,
Thanks for your response.
From the documentation I had read, any user who is not explicitly assigned a profile will inherit the profile assigned to SAP*.
Yes, I'd like to have a default profile which is given to all users.
Cheers,
Sam
05-19-2014 1:05 PM
I'm sorry for my confusing previous post: you surely aren't using the SAP* user itself for your tests.
Then again, when a structural profile is assigned indirectly through this construction, it may be that determining the correct starting point for the FM is indeed the culprit.
It could be that the T77UA table is taken into account while determining the required US<-->P relationship.
If this is the case, it makes sense that no objects are found since SAP* does not have a related P-object and therefore cannot find a starting point for the FM.
I think you could easily check that and assign SAP* to a PERNR to see if you do see objects then.
05-19-2014 11:26 PM
Hi Dimitri,
Thanks for your help on this.
From your comments, and the posts below - the best solution going forward (correct me if I'm wrong) would be:
Cheers,
Sam
05-20-2014 7:55 AM
Hi Sam,
If the goal is to 'assign' a general structural profile to users that do not have a PERNR, you can create a profile that limits access to certain parts of the org. structure. You cannot use a function module for this profile since the function will not be able to get a starting point from which to determine access to begin with. (no PERNR -> no position -> no knowledge of the whereabouts within the structure)
If this will not get you the desired results, using the contextual approach could be helpful, in conjunction with BAdI HRBAS00_GET_PROFL, to automatically assign structural profiles to your users.
The context solution requires substantially more effort so I hope the first approach will be sufficient.
If you need any additional info just let us know.
Good luck!
Dimitri.
05-20-2014 7:59 AM
Just as a reminder:
You may find that by using the exclusion flag in the structural profile assignment (table T77UA or T-code OOSB), you can achieve your requirement easier than by including all allowed parts of the org. structure.
As a bonus you will gain a performance increase by doing so.
05-22-2014 6:07 AM
Hi Dimitri,
Thanks for your responses.
Having spent the last day or so working my way through all the options, most of what the business wants can be achieved without the use of context-dependent auths.
I have one hurdle still to jump...
I've assigned the basic structural profile to the top node of our structure via PP01. When using program RHPROFLO to distribute the profile to all users, it is only assigning to users who have a direct relationship with the top node.
What steps are required to enable the profile to be inherited down the entire depth of the org structure?
Cheers,
Sam
05-22-2014 9:52 AM
Hi Sam,
This is a common issue for which I don't think there's a clear solution. Maybe it's SAP telling us not to assign profiles/roles to top level org. units because of possible performance issues.
For this requirement, the context solution would have had some benefits.
This way you can even use the reference user concept and assign the general access role with the basic structural profile defined in a P_ORGINCON object.
From a performance as well as a maintenance perspective this is a preferable approach.
But that's academic now..
For a 'quick' resolution of your issue I'd simply go for a manual assignment in the T77UA table, or assign the structural profile to subordinate org. units as well.
Good luck!
Dimitri
05-22-2014 10:53 PM
05-19-2014 7:19 PM
Samuel,
First of all, hats off for such an ingenious idea, that is really a smart idea. However, as mentioned by D Heuman above, there can be several reasons for it not to work. One very apparent reason is if you open ALL profile (assigned to SAP*) and compare it to any limited profile (USERS). ALL profile has all objects, all plan versions and no FM; with all objects assigned, I don't think it really needs a FM.
The solution to your problem is to use contextual structural authorizations and then assign USERS through ESS role or the basic role.
Regards,
Shivraj Singh
05-19-2014 9:22 PM
You should only assign a dummy profile to SAP* -> for those users which do not have a structural profile as they have no 0105 record.
SAP* profile is inherited to them as they are not found.
If externals etc. without 0105 need a profile, you must assign it via PFCG authorization objects or suppress it as they are not in the org. structure anyway, and if they don't have a personnel number then it is not an option for reporting unless you suppress the check via P_ABAP.
Read D. van Heumen's answer carefully!
Cheers,
Julius