
User in HR is able to create records in PA30. But will give read-only access for all infotypes

Former Member
0 Kudos

Hi Team,

I have created one test role in HR. It will give Read access to all info types.

But the user is able to create infotype records in PA30. Please find the P_ORGIN values below.

Authorization level            R

Infotype                       *

Personnel Area                 US

Employee Group                 1

Employee Subgroup              U*

Subtype                        *

Organizational Key             *

OOAC values.

AUTSW ADAYS       15

AUTSW APPRO 0

AUTSW DFCON 4

AUTSW INCON 0

AUTSW NNCON 0

AUTSW NNNNN 0

AUTSW ORGIN 1

AUTSW ORGPD 4

AUTSW ORGXX 0

AUTSW PERNR 1

AUTSW XXCON 0

Note: the user does not have access to any structural profile.

I suspect this is because any user who has proper 0105 and 0001 in HR master data is able to create records, because the user will be assigned to the default SAP structural profile "ALL" in OOSB?

I can see the user was not assigned to the "ALL" profile in OOSB or in T77UA, and the user can't write or change infotype data in PA30.

Please suggest how the user is able to create infotype records in PA30 (infotype 0002, for example).

Appreciate a quick response.

Regards,

Venu.

7 REPLIES 7

former_member74904
Contributor
0 Kudos

Hi Venu,

All users not assigned to any structural profile will normally be assigned to "ALL".  This does not appear in T77UA though.

But keep in mind that a structural profile never grants read or write access to infotypes. This means that in your case something else is granting your user access to writing infotypes.

Does the user perhaps have any other role or profile assigned?  Maybe a reference user?

Good luck!

Dimitri.

Former Member
0 Kudos

Hi Van,

Thank you for your reply. Yes, I agree a structural profile will not grant read or write access to infotypes. But when we give write/change access to a particular object (let's take org unit (O) in PLOG), we need to select the checkbox for the corresponding object ID as maintained in OOSP, right?

And I checked: no reference user is assigned and no profile is assigned.

Or is it because the user has access to PA30 (SAP standard tcode which will give create/change access to infotypes by default)? Since we maintain R as the authorization level, will it overwrite that and adopt write (W) functionality?

Please suggest on this.

Regards,

Venu.

0 Kudos

Hi again Venu,

The maintain flag in the structural profile does not relate to any maintenance authorization in PA.  It only affects the OM objects authorized by the structural profile.  For example the user may be able to delimit a position.  It will never grant any write authorization for any PA infotype.

By assigning T-code PA30, a user does not get any write authorization for infotypes either.  These need to be manually maintained.  Can you please check the role assigned to this user and maybe share a screenshot of all P_ORGIN objects within this role?

Also, since the PERNR switch is activated in T77S0, is the user trying to maintain its own IT2? In that case, please also check the P_PERNR values in your test role as well.

If you attach some screenshots to your reply it'll be easier to visualize what and where it's going wrong.

Good luck!

Dimitri

0 Kudos

Sorry, I did not get the below comment.

"The maintain flag in the structural profile does not relate to any maintenance authorization in PA.  It only affects the OM objects authorized by the structural profile.  For example the user may be able to delimit a position.  It will never grant any write authorization for any PA infotype "

Do you mean that, if we give org unit and evaluation path as in the attached screen, the user will get access only to the org unit as its object type (able to perform activities as mentioned in the role's PLOG) but can't perform any activity, like an address infotype change, on the person (P) (as mentioned in P_ORGIN) who comes under the org unit mentioned in the structural profile?

My understanding is that the user's total authorization is an intersection of general + structural authorization. Let's take an HR admin who wants to change 0002 data for some emps in an org. We need to give access to the particular org to which the emps belong (through structural auth), and SHOULD CHECK the maintenance box in structural auth, and will get change access via the role.

And the user can't edit his own data.

Please find the screens as requested. Please let me know if my understanding is correct or not.

Regards,

venu.

0 Kudos

Yes the total authorization concept is an intersection of structural and general authorizations. The difference however, is that you could think of it the following way:

Structural authorization provides the authorization for whom (i.e. the population of employees) you can change data, whereas general authorization provides authorization for what data can actually be changed.

Of course, general authorization also provides for a distinction of which groups of employees you can change/display data for, so you should think of structural authorizations as an additional tool to authorize for specific groups of employees.

The maintenance flag (checkbox) only influences which objects returned via the structural profile & evaluation path can be maintained. It's completely unrelated to infotypes in PA30.

In short and simplified: 

Structural authorizations determine WHO you can make changes for.

General authorizations determine WHAT you can change.

Now onto your issue. If this is the only role with the P_ORGIN object assigned to your testuser, then it should not be possible that this user has any write authorization at all.

The P_PERNR object as you have created it, only excludes this user from changing his own IT0008 records. So there should be additional authorizations assigned to this user one way or another...

Are there any other infotypes that this user is allowed to maintain?

Hang in there, we will figure this one out

Regards,

Dimitri

0 Kudos

Hi,

There are no other infotypes in the role with maintenance activity. I checked it; there are no extra roles assigned to him.

Regards,

venu

0 Kudos

Hi Venu,

There's no way that in a standard system a user receives authorization for infotypes 'for free'.

Could it be that there are some system settings interfering with the standard authorization check mechanism?

Have a look at the following parameters (in RZ11):

auth/no_check_in_some_cases &

auth/object_disabling_active

In transaction AUTH_SWITCH_OBJECTS it is possible to deactivate specific authorization objects. Can you check whether perhaps the check for P_ORGIN is deactivated?

Good luck!

Dimitri.
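
The checks discussed in this thread, as an added example that is not part of any post and is not SAP code: a simplified Python model of "general authorization (WHAT) intersected with structural authorization (WHO)", using the P_ORGIN values from the question. The function names, the sample employee and the personnel numbers are constructed for illustration; the model assumes a deactivated P_ORGIN check (AUTSW ORGIN off, or the object switched off in AUTH_SWITCH_OBJECTS) behaves as "general check passes".

```python
from fnmatch import fnmatchcase

# P_ORGIN values from the question, keyed by SAP's technical field names.
READ_ONLY_ROLE = [{
    "AUTHC": "R", "INFTY": "*", "PERSA": "US", "PERSG": "1",
    "PERSK": "U*", "SUBTY": "*", "VDSK1": "*",
}]

def field_ok(granted, requested):
    """A granted value is a literal or a '*' pattern such as U*."""
    return fnmatchcase(requested, granted)

def general_check(auths, request):
    """WHAT: a single authorization must cover every field of the request."""
    return any(all(field_ok(a[f], v) for f, v in request.items())
               for a in auths)

def structural_check(profile_pernrs, pernr):
    """WHO: None models the default profile ALL (no restriction)."""
    return profile_pernrs is None or pernr in profile_pernrs

def may_access(auths, request, pernr, profile_pernrs=None,
               orgin_switch="1", disabled_objects=frozenset()):
    # If P_ORGIN is not evaluated at all, the level maintained in the
    # role (R here) no longer limits anything.
    p_orgin_checked = orgin_switch == "1" and "P_ORGIN" not in disabled_objects
    general = general_check(auths, request) if p_orgin_checked else True
    return general and structural_check(profile_pernrs, pernr)

def request(level, infty, subty=""):
    # Constructed sample employee: area US, group 1, subgroup U1.
    return {"AUTHC": level, "INFTY": infty, "SUBTY": subty,
            "PERSA": "US", "PERSG": "1", "PERSK": "U1", "VDSK1": ""}

if __name__ == "__main__":
    pernr = "00001000"  # constructed personnel number
    print("read 0002 :", may_access(READ_ONLY_ROLE, request("R", "0002"), pernr))
    print("write 0002:", may_access(READ_ONLY_ROLE, request("W", "0002"), pernr))
    print("write 0002, P_ORGIN deactivated:",
          may_access(READ_ONLY_ROLE, request("W", "0002"), pernr,
                     disabled_objects={"P_ORGIN"}))
```

In this model the structural profile can only narrow the set of employees; nothing in it can turn the R in the role into W, so an unexpected write has to come from another authorization or from the check not running.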