on 06-19-2015 3:53 AM
Scenario:
Structural authorizations have been set for Resource Management in PPM.
The standard switches that are being used:
AUTSW | ADAYS | 0 | HR: Tolerance Time for Authorization Check |
AUTSW | APPRO | 0 | HR: Test Procedures |
AUTSW | DFCON | 0 | HR: Default Position (Context) |
AUTSW | INCON | 0 | HR: Master Data (Context) |
AUTSW | NNCON | 0 | HR:Customer-Specific Authorization Check (Context) |
AUTSW | NNNNN | 0 | HR: Customer-Specific Authorization Check |
AUTSW | ORGIN | 1 | HR: Master Data |
AUTSW | ORGPD | 0 | HR: Structural Authorization Check |
AUTSW | ORGXX | 0 | HR: Master Data - Extended Check |
AUTSW | PERNR | 1 | HR: Master Data - Personnel Number Check |
AUTSW | XXCON | 0 | HR: Master Data - Enhanced Check (Context) |
By default, authorization profiles are assigned to all positions (this is a requirement from PPM).
The issue is structural authorization is restricting users from accessing any object which doesn't have an evaluation path.
For example, it is preventing users from creating work centers (Object Type = A).
Work Centers are not connected to HR structure here and should not be failing structural authorization checks.
Is there any way to prevent this - either by changing the switch values or defining some generic evaluation paths (evaluation path with object value = *). So far all our attempts to use a generic evaluation path has failed.
Any advice on this will be greatly appreciated.
- B
Thanks Sven for your help.
The issue has now been resolved. It was done through a change in the combination of switches and change in the structural authorization profile.
Switch settings:
AUTSW | ADAYS | 0 | HR: Tolerance Time for Authorization Check |
AUTSW | APPRO | 0 | HR: Test Procedures |
AUTSW | DFCON | 0 | HR: Default Position (Context) |
AUTSW | INCON | 0 | HR: Master Data (Context) |
AUTSW | NNCON | 0 | HR:Customer-Specific Authorization Check (Context) |
AUTSW | NNNNN | 0 | HR: Customer-Specific Authorization Check |
AUTSW | ORGIN | 1 | HR: Master Data |
AUTSW | ORGPD | 0 | HR: Structural Authorization Check |
AUTSW | ORGXX | 0 | HR: Master Data - Extended Check |
AUTSW | PERNR | 1 | HR: Master Data - Personnel Number Check |
AUTSW | XXCON | 0 | HR: Master Data - Enhanced Check (Context) |
Authorization profile settings:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
Per default, all users have the same profile as SAP*, if they are not assigned in T77ua. Per default again, that's "ALL".
If it's not ALL, but you want all users to have access to all objects of type A (if they have access in auth object PLOG), then you have to
- assign a profile with objtype A abd * to SAP*
- assign the same profile to all users, who have something else assigned in t77ua
Even if you use ALL for SAP*, you still need the second step, because in that case, as soon as you assign anything to a user in t77ua, they lose everything else they had before per default.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
107 | |
12 | |
11 | |
6 | |
6 | |
4 | |
4 | |
3 | |
3 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.