01-16-2015 6:09 PM
I have created one role for HR Admin and one structural profile for the same, and assigned both to one HR Admin (test user, who is hired in PA40 and has IT 0105, Subtype 0001 maintained).
Purpose of the role and structural profile: HR Admin should be able to edit, display and change IT 0001, 0002, 0006, 0008 for all employees in the organization that are mentioned in the structural profile (I have mentioned 3 Org Units in the structural profile; for each org unit there is one position and each position is occupied by one person).
So in total this HR Admin should be able to modify the data for only 3 employees. But in this case the HR Admin is able to modify the data of one more employee who does not come under any org unit mentioned in the structural profile.
And in the role I have given the values below.
P_ORGIN
Authorization level :E,R,S,W
Infotype :0001,0002,0006
Personnel Area : US01
Employee Group :1
Employee Subgroup :U4
Subtype :*
Organizational Key :CA04-CA05,US01
P_PERNR
auth1 :
Authorization level R, W
Infotype 0002, 0006
Interpretation of assigned per I
Subtype *
auth2 :
Authorization level E, S, W
Infotype 0001, 0008
Interpretation of assigned per E
Subtype *
auth3:
Authorization level M, R
Infotype 0008
Interpretation of assigned per : I
Subtype *
My question is: the HR Admin user is able to modify the data of another employee whose org unit does not come under any org unit mentioned in the structural profile assigned to the HR Admin.
And I observed one thing here: the extra employee's personnel area, subarea, employee group, subgroup and org key are covered by the above access, but the org unit is not in the structural profile.
Please suggest how the HR Admin is able to modify the HR master data of that employee.
Regards,
Venu.
01-19-2015 8:31 AM
Further help can only be provided if you attach the settings/switches for HR authorizations and the user-specific objects. Please have a look at HRAUTH for a list of the switches and the user-specific data in the dedicated tab. Additionally you have to describe your structural profile; there can be so many reasons for this that any hints are just rough guesses for usual errors.
01-19-2015 10:56 AM
Hi Peter,
Thank you. I will attach the required details soon.
Regards,
Venu.
01-19-2015 7:11 PM
Please find the attached Doc for Auth switches and mentioned in structural profile as well as
Switches in OOAC :
And in the images attached the description as below
Image 1)User HR Auth objects in HRAUTH
Image 2) Switches in HRAUTH and same in OOAC also.
Image 3: Structural profile of the user in HRAUTH
Image 4: OOSP defined
Image5 :
The actual structural profile in OOSB or OOSP: here we can see the HR user is only able to access pernrs 7 (his own pernr), 10, 11, 12, 13.
But my question is: the HR Admin user is able to modify another pernr (pernr num 8) which is not populated in the structural profile.
Image 6: T77UA entries for user
What I observed is that the HR master data (personnel area, emp grp, sub grp, org key) of the extra pernr which the HR Admin is able to access is covered in the role assigned to the HR Admin.
But the extra pernr does not come under any of the org units mentioned in the structural profile.
Please suggest how to proceed further.
Regards,
Venu.
01-20-2015 8:18 AM
Venu,
From your screenshots, I assume that you are using P_ORGIN in your design, so no context solution has been invoked in your design.
Hence, ORGPD should have been switched on for enabling structural authorizations instead of DFCON.
If pernr 8 must have been isolated - not integrated in the OM structure (default position), set the required value (1,2,3,4) for ORGPD and switch off DFCON.
Possible values for ORGPD/DFCON and their meaning:
1 = Check access to Org Unit maintained in IT 0001 for persons not linked to the OM structure. If no values are maintained in IT 0001, deny authorization to the person.
2 = Do not check access to Org Unit maintained in IT 0001 for persons not linked to the OM structure. Deny access to all these persons.
3 = Check access to Org Unit maintained in IT 0001 for persons not linked to the OM structure. If no values are maintained in IT 0001, give authorization to the person.
4 = Do not check access to Org Unit maintained in IT 0001 for persons not linked to the OM structure. Give access to all these persons.
Thanks,Krishna
01-20-2015 4:48 PM
As replied by Krishna please activate AUTSW.ORGPD for structural authorizations checking.
Additionally if it still does not work please provide us with some information on personnel number 8 (Area, Group, Subgroup, organizational position and so on.)
From a general point of view I can only advise you to restart/rethink the main switches as a useful context solution with P_ORGINCON is IMHO a better approach than only P_ORGIN (for example).
01-20-2015 6:08 PM
Hi Peter/Krishna,
The pernr 8 is assigned to a position and the org unit, not a default position.
@Krishna,
Q1) Do you mean, if any person is not assigned to the OM structure (default position: 99999999), do we need to switch ON the AUTSW ORGPD to (1,2,3,4), or do we just need to switch it ON if we want to use the structural auth concept?
Q2) What are the default settings in OOAC if we want to implement both the general authorization and structural auth concepts?
Please suggest on this.
Q3) Possible Values for and their meaning: from this can I understand that these settings are required when any user is not linked in the OM structure? Please correct me if I am wrong.
And if the person is linked to the OM structure, what are the default values for ORGPD/DFCON?
Q4) Can we use P_ORGINCON instead of P_ORGIN (as all the fields of this auth object are covered in P_ORGINCON), and do we need to make sure that the structural profile is included in the role (in P_ORGINCON) as well as assign the same to the user in OOSB?
To use P_ORGINCON, do we need to switch AUTSW INCON to "1"?
Regards,
Venu.
01-20-2015 8:32 PM
Hi,
As suggested I tried the ways below.
Case 1, Task A: Maintained the switches in OOAC as below.
AUTSW ADAYS 15 HR: Tolerance Time for Authorization Check
AUTSW APPRO 0 HR: Test Procedures
AUTSW DFCON 0 HR: Default Position (Context)
AUTSW INCON 0 HR: Master Data (Context)
AUTSW NNCON 0 HR:Customer-Specific Authorization Check (Context)
AUTSW NNNNN 0 HR: Customer-Specific Authorization Check
AUTSW ORGIN 1 HR: Master Data
AUTSW ORGPD 1 HR: Structural Authorization Check
AUTSW ORGXX 0 HR: Master Data - Extended Check
AUTSW PERNR 1 HR: Master Data - Personnel Number Check
AUTSW XXCON 0 HR: Master Data - Enhanced Check (Context)
Just switched P_ORGIN, P_PERNR and ORGPD.
In this case the pernr (8) is assigned to the OM structure.
As per the above settings I am able to restrict the HR Admin from doing any activity on pernr (8) data.
Task B: I have removed the structural profile from the HR Admin and tried to modify the data of other employees. The HR Admin was not able to view any employee's data except his own (even though the personnel area, subarea etc. are covered in the role authorizations).
The reason, I assume, is that in OOAC the structural auth check (ORGPD) is activated, hence it is checking whether a structural profile is assigned to the user or not? Please correct me if I am wrong.
Case 2: I have changed the settings in OOAC and maintained them as mentioned below (switched off ORGPD and switched on P_ORGINCON).
AUTSW ADAYS 15 HR: Tolerance Time for Authorization Check
AUTSW APPRO 0 HR: Test Procedures
AUTSW DFCON 0 HR: Default Position (Context)
AUTSW INCON 1 HR: Master Data (Context)
AUTSW NNCON 0 HR:Customer-Specific Authorization Check (Context)
AUTSW NNNNN 0 HR: Customer-Specific Authorization Check
AUTSW ORGIN 1 HR: Master Data
AUTSW ORGPD 0 HR: Structural Authorization Check
AUTSW ORGXX 0 HR: Master Data - Extended Check
AUTSW PERNR 1 HR: Master Data - Personnel Number Check
AUTSW XXCON 0 HR: Master Data - Enhanced Check (Context)
And added P_ORGINCON manually in the role, and maintained the auth values and structural profile in it.
As per the settings above I am able to restrict the HR Admin from doing any activity on pernr (8) data.
Hence my assumption is that the settings in Task1 (CASE 1) and in CASE 2 give the same results, as expected.
Conclusion:
If we don't want to use P_ORGINCON (contains structural profile as a field) we can go for the OOAC settings as mentioned in TASK1. Otherwise we can go for the Case 2 settings.
Please correct me if I am wrong.
Case 3: I have defined the structural profile as below in OOSP.
Profile No. PV OT RootObType ObjectID Maintained
HRADMIN_US 1 1 O 50000113 O-S-P
HRADMIN_US 2 1 O 50000116 O-S-P X
HRADMIN_US 3 1 O 50000117 O-S-P X
There are 3 org units in total. For the last 2 org units I have given maintenance activity (X).
The HR Admin comes under the first org unit (50000113), for which the maintenance activity is not given.
Under this HR Admin org unit (50000113) there are 2 positions: one is occupied by this HR Admin (pernr 7) and the other by the Assistant HR Admin (pernr 11).
But this HR Admin is not able to edit the Assistant HR Admin's data. Is this because we did not check the maintenance button for this org unit in the structural profile (even though we give Write/Edit access in the role)?
Please correct me if I am wrong. And how is the HR Admin able to edit his own data (is P_PERNR bypassing all these auth checks)?
Regards,
Venu.
01-21-2015 7:24 AM
Venu,
Q1) ORGPD & DFCON are both for enabling structural authorization.
ORGPD - Plain structural authorization
DFCON - Context solution
Q2) You have to switch on either of the above switches to enable the structural authorization concept.
Q3) Yes, you are right.
Q4) While using the context solution, AUTSW INCON should be "1" and you can avoid manual maintenance in OOSB.
The PD_Profiles that are assigned to the user via P_ORGINCON will get assigned in the OOSB table (automatically through the standard BADI if you implemented it).
Case 1 & 2: Your conclusion is right for case 1 - OOAC setting.
But if you use P_ORGINCON then switch off P_ORGIN, ORGPD and activate DFCON.
Case 3: P_PERNR with 'I' value will authorize the user to access his own records though he doesn't have the respective PD profile.
But it is not true with P_PERNR with 'E'.
General authorization (write access in role) and structural authorization (maintenance should be checked) to enable the write access.
Thanks,Krishna
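Added example, not part of any post in this thread and not SAP code: a simplified Python model of the checks as the replies describe them (ORGPD values 0-4, the maintenance flag from Case 3, and P_PERNR with 'I' for the user's own record). It assumes profile membership can be reduced to the employee's org unit; the function names and the org unit of pernr 8 are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Person:
    pernr: int
    org_unit: Optional[str]    # org unit in IT 0001 (None = not maintained)
    linked_to_om: bool = True  # False = on the default position, outside OM

# Structural profile HRADMIN_US from Case 3: org unit -> maintenance flag
HRADMIN_US = {"50000113": False, "50000116": True, "50000117": True}

def structural_ok(orgpd, person, write, profile=HRADMIN_US):
    """ORGPD values as listed in the thread; 0 means the check is switched off."""
    if orgpd == 0:
        return True
    if not person.linked_to_om:
        if orgpd in (2, 4):            # IT 0001 org unit is not evaluated
            return orgpd == 4
        if person.org_unit is None:    # nothing maintained: 1 denies, 3 grants
            return orgpd == 3
    if person.org_unit not in profile:
        return False
    return profile[person.org_unit] or not write  # write needs maintenance flag

def allowed(orgpd, user_pernr, person, write, general_ok, own_via_p_pernr_i=False):
    """general_ok: P_ORGIN covers the request; own_via_p_pernr_i: P_PERNR 'I' does."""
    if person.pernr == user_pernr and own_via_p_pernr_i:
        return True                    # own record, no PD profile required
    return general_ok and structural_ok(orgpd, person, write)

# Constructed sample data: pernrs 7, 8, 11 are from the thread; the org unit
# of pernr 8 ("OUTSIDE") is a placeholder because the thread does not give it.
ADMIN, ASSISTANT = Person(7, "50000113"), Person(11, "50000113")
PERNR_8 = Person(8, "OUTSIDE")

if __name__ == "__main__":
    for orgpd in (0, 1):
        print("ORGPD", orgpd, "write pernr 8:", allowed(orgpd, 7, PERNR_8, True, True))
    print("write pernr 11:", allowed(1, 7, ASSISTANT, True, True))
    print("read pernr 11:", allowed(1, 7, ASSISTANT, False, True))
    print("write own data:", allowed(1, 7, ADMIN, True, True, own_via_p_pernr_i=True))
```

With ORGPD at 0 the role values alone decide, which matches the original symptom for pernr 8; the real system resolves profile membership through the evaluation path rather than a direct org unit lookup.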
01-27-2015 11:53 AM
Hi Krishna,
I have a doubt on Q4) While using Context solution , AUTSW INCON should be "1" and you can avoid manual maintenance on OOSB.
The PD_Profiles that are assigned to user via P_ORGINCON will get assigned in OOSB table (automatically through standard BADI if you implemented it)
Does it mean we need not assign the structural profile to the user ID in OOSB if we use P_ORGINCON? And we need not assign the S.P to the position (PO13 - PD profile)?
And if we want to use the P_ORGINCON auth object we need to activate INCON, and what is the default value of DFCON (consider the case where the users are not assigned to the org structure), value 3?
Regards,
Venu.
01-27-2015 1:54 PM
There are multiple strategies available for the assignment of structural authorizations to users.
A few as follows:
- Assigning PD profiles to position/Org Unit/OM data (1017 IT) - RHPROFL0 will have to run and update the respective PD profiles to the user in the OOSB table.
- Assigning PD profile via P_ORGINCON object through PFCG role; then you can automate the assignment of PD profile to users in OOSB using std BADI.
If you are using P_ORGINCON, yes, you need to activate
INCON - to switch on P_ORGINCON
DFCON - to manage how the default positions should be managed (refer 1,2,3,4 values & its explanations)
Ignore ORGPD.
Thanks,Krishna