
How does SAP evaluate (PFCG) Authorizations when used in conjunction with other single role(s)?

Former Member
0 Kudos

I have created a new SAP Authorization role (Role-1) via PFCG, which allows the user only to View/ Display all countries’ data of 3 InfoTypes only (Actions (0000), Org Assignment (0001), Pers. Data(0002)). The user also has an Existing role (Role-2) which allows him to access and CHANGE all records including Basic Pay records of UK only.

While testing when I use Role-1 on its own, it works perfectly (Displays only IT 0000, 0001, 0002 data, Basic pay data is not displayed in any SAP reports). When I use it in conjunction with Role-2, it works well under PA screens (displays Basic Pay records of UK only).

However when I run SAP reports, Basic pay records of not only UK but all countries are pulled through.

Also, under PPOME, the user is able to delete some Non-UK positions, OrgUnits and relationships if there are no employees assigned to them.

The Authorizations of both the roles are as below:

Role-1:

HR: Master Data
Authorization level    M, R
Company Code           *
Infotype               0000, 0001, 0002
Personnel Area         *
Employee Group         *
Employee Subgroup      *
Subtype                *
Organizational Key     *

Role-2 (Existing):

HR: Master Data
Authorization level    *
Company Code           UK
Infotype               *
Personnel Area         UK
Employee Group         *
Employee Subgroup      *
Subtype                *
Organizational Key     *

I would ideally want the user not to be able to view any non-UK Basic Pay records and also not be able to touch the Non-UK OrgStructure at all. How does SAP evaluate these roles, when used together?

Is there a hierarchy which is followed to evaluate the user’s access rights? Or is there a different Authorization that needs to be used for SAP reports? Or am I missing something?

Many Thanks,

Desma

5 REPLIES

Former Member
0 Kudos

What is the output of SU56 for the P_ORGIN authorization object for the user with Role-1 and Role-2?

0 Kudos

Thank you Joshua, for responding!

The output of SU56 for P_Origin is as follows:


Role - 1
Authorization Field AUTHC Authorization level    M, R
Authorization Field BTRTL Personnel Subarea      *
Authorization Field BUKRS Company Code           *
Authorization Field INFTY Infotype               0000, 0001, 0002
Authorization Field PERSA Personnel Area         *
Authorization Field PERSG Employee Group         *
Authorization Field PERSK Employee Subgroup      *
Authorization Field SUBTY Subtype                *
Authorization Field VDSK1 Organizational Key     *

Role - 2
Authorization Field AUTHC Authorization level    *
Authorization Field BTRTL Personnel Subarea      *
Authorization Field BUKRS Company Code           UK
Authorization Field INFTY Infotype               *
Authorization Field PERSA Personnel Area         UK
Authorization Field PERSG Employee Group         *
Authorization Field PERSK Employee Subgroup      *
Authorization Field SUBTY Subtype                *
Authorization Field VDSK1 Organizational Key     *

Please could you help further?

Regards,

Desma

Message was edited by: Desma Rebello

Former Member
0 Kudos

Could someone please help me with this one? It's really urgent!

0 Kudos

Hello Desma,

you need to know how the application (HR) checks the authorizations. ST01 is a good tool for that task.

If the standard kernel functionality 'authority check' is used, you can forget about your roles, as the kernel checks only based on authorizations, no matter through which profiles those authorizations have been assigned, i.e. through which roles those profiles have been assigned.

If the application does not check the required authorizations (meaning object + required field combinations with values), you will need to add your own checks in the worst case.

b.rgds, Bernhard
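
The evaluation described in the reply above, as an added example that is not part of the original thread and is not SAP code: a simplified Python model of a kernel authority check run against the two P_ORGIN authorizations from the SU56 output. The non-UK value `DE01`, the use of infotype 0008 for Basic Pay, and all function names are assumptions made for the illustration; HR-specific check logic is not modeled.

```python
# Added illustration: simplified model of a kernel authority check on P_ORGIN.
# Field values are the SU56 output quoted in this thread; HR-specific logic is not modeled.
FIELDS = ("AUTHC", "BTRTL", "BUKRS", "INFTY", "PERSA", "PERSG", "PERSK", "SUBTY", "VDSK1")

def make_auth(**restricted):
    """Build one authorization; fields not named get '*', as in both roles."""
    return {f: restricted.get(f, ["*"]) for f in FIELDS}

ROLE_1_AUTH = make_auth(AUTHC=["M", "R"], INFTY=["0000", "0001", "0002"])
ROLE_2_AUTH = make_auth(BUKRS=["UK"], PERSA=["UK"])
USER_BUFFER = [ROLE_1_AUTH, ROLE_2_AUTH]  # the originating role is not recorded

def value_allowed(allowed, value):
    """'*' matches anything, 'AB*' matches a prefix, otherwise exact match."""
    return any(a == value or (a.endswith("*") and value.startswith(a[:-1]))
               for a in allowed)

def authority_check(buffer, **checked):
    """Pass if ONE authorization satisfies ALL checked fields."""
    return any(all(value_allowed(auth[f], v) for f, v in checked.items())
               for auth in buffer)

def field_union_check(buffer, **checked):
    """NOT how the kernel works: mixes field values across authorizations."""
    return all(any(value_allowed(auth[f], v) for auth in buffer)
               for f, v in checked.items())

# Constructed check values: DE01 stands for any non-UK company code and
# personnel area (assumption); 0008 is the Basic Pay infotype.
CASES = {
    "read IT0002, non-UK": dict(AUTHC="R", INFTY="0002", BUKRS="DE01", PERSA="DE01"),
    "read IT0008, UK": dict(AUTHC="R", INFTY="0008", BUKRS="UK", PERSA="UK"),
    "read IT0008, non-UK": dict(AUTHC="R", INFTY="0008", BUKRS="DE01", PERSA="DE01"),
    "write IT0002, non-UK": dict(AUTHC="W", INFTY="0002", BUKRS="DE01", PERSA="DE01"),
}

def evaluate(buffer=USER_BUFFER):
    """Run every constructed case through the kernel-style check."""
    return {name: authority_check(buffer, **c) for name, c in CASES.items()}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:22} -> {'granted' if ok else 'denied'}")
```

Under this model the combined P_ORGIN authorizations deny non-UK Basic Pay, so a report that still shows it is worth tracing with ST01 to see which checks it actually performs.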

0 Kudos

Thanks Bernhard!

I shall try this option.

Regards,

Desma