06-19-2015 3:22 PM
I have created a new SAP Authorization role (Role-1) via PFCG, which allows the user only to View/Display all countries’ data of 3 InfoTypes only (Actions (0000), Org Assignment (0001), Pers. Data (0002)). The user also has an Existing role (Role-2) which allows him to access and CHANGE all records including Basic Pay records of UK only.
While testing when I use Role-1 on its own, it works perfectly (Displays only IT 0000, 0001, 0002 data, Basic pay data is not displayed in any SAP reports). When I use it in conjunction with Role-2, it works well under PA screens (displays Basic Pay records of UK only).
However when I run SAP reports, Basic pay records of not only UK but all countries are pulled through.
Also, under PPOME, the user is able to delete some Non-UK positions, OrgUnits and relationships if there are no employees assigned to them.
The Authorizations of both the roles are as below:
Role-1:
HR: Master Data
Authorization level M, R
Company Code *
Infotype 0000, 0001, 0002
Personnel Area *
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key *
Role-2 (Existing):
HR: Master Data
Authorization level *
Company Code UK
Infotype *
Personnel Area UK
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key *
I would ideally want the user not to be able to view any non-UK Basic Pay records and also not be able to touch the Non-UK OrgStructure at all. How does SAP evaluate these roles, when used together?
Is there a hierarchy which is followed to evaluate the user’s access rights? Or is there a different Authorization that needs to be used for SAP reports? Or am I missing something?
Many Thanks,
Desma
06-19-2015 7:24 PM
What is the output of SU56 for the P_ORGIN authorization object for the user with Role-1 and Role-2?
06-22-2015 10:00 AM
Thank you Joshua, for responding!
The output of SU56 for P_ORGIN is as follows:
Role - 1
Authorization Field AUTHC Authorization level: M, R
Authorization Field BTRTL Personnel Subarea: *
Authorization Field BUKRS Company Code: *
Authorization Field INFTY Infotype: 0000, 0001, 0002
Authorization Field PERSA Personnel Area: *
Authorization Field PERSG Employee Group: *
Authorization Field PERSK Employee Subgroup: *
Authorization Field SUBTY Subtype: *
Authorization Field VDSK1 Organizational Key: *
Role - 2
Authorization Field AUTHC Authorization level: *
Authorization Field BTRTL Personnel Subarea: *
Authorization Field BUKRS Company Code: UK
Authorization Field INFTY Infotype: *
Authorization Field PERSA Personnel Area: UK
Authorization Field PERSG Employee Group: *
Authorization Field PERSK Employee Subgroup: *
Authorization Field SUBTY Subtype: *
Authorization Field VDSK1 Organizational Key: *
Please could you help further?
Regards,
Desma
06-22-2015 10:47 AM
06-24-2015 8:19 AM
Hello Desma,
You need to know how the application (HR) checks the authorizations. ST01 is a good tool for that task.
If the standard kernel functionality 'authority check' is used, you can forget about your roles, as the kernel checks only based on authorizations, no matter through which profiles those authorizations have been assigned, i.e. through which roles those profiles have been assigned.
If the application does not check the required authorizations (meaning object + required field combinations with values), you will need to add your own checks in the worst case.
b.rgds, Bernhard
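The role-independent evaluation described in the reply above, as an added example that is not part of the original thread and is not SAP code: a simplified Python model of an authority check on P_ORGIN using the SU56 values posted earlier. The function names, the "DE" company code and personnel area, and the restriction to four fields are assumptions of this sketch; infotype 0008 is Basic Pay. In this model P_ORGIN alone denies a non-UK Basic Pay read, so an ST01 trace is the way to see which check the report actually performs.

```python
# Added illustration: simplified model of a kernel authority check on P_ORGIN.
# Values are the SU56 output from the thread. BTRTL, PERSG, PERSK, SUBTY and
# VDSK1 are "*" in both authorizations and are left out for brevity.
P_ORGIN_BUFFER = [
    # authorization that arrived through Role-1
    {"AUTHC": {"M", "R"}, "INFTY": {"0000", "0001", "0002"},
     "BUKRS": {"*"}, "PERSA": {"*"}},
    # authorization that arrived through Role-2
    {"AUTHC": {"*"}, "INFTY": {"*"}, "BUKRS": {"UK"}, "PERSA": {"UK"}},
]

def field_ok(allowed, value):
    """A field matches on a wildcard or on an exact value."""
    return "*" in allowed or value in allowed

def authority_check(buffer, **required):
    """Pass if at least ONE authorization covers ALL checked fields.
    The role that supplied the authorization plays no part."""
    return any(all(field_ok(auth[f], v) for f, v in required.items())
               for auth in buffer)

def naive_field_merge(buffer, **required):
    """Common wrong mental model: each field merged across all roles."""
    return all(any(field_ok(auth[f], v) for auth in buffer)
               for f, v in required.items())

# Constructed test requests ("DE" stands for any non-UK value).
REQUESTS = {
    "write UK Basic Pay":     dict(AUTHC="W", INFTY="0008", BUKRS="UK", PERSA="UK"),
    "read non-UK Basic Pay":  dict(AUTHC="R", INFTY="0008", BUKRS="DE", PERSA="DE"),
    "read non-UK Org Assgn":  dict(AUTHC="R", INFTY="0001", BUKRS="DE", PERSA="DE"),
    "write non-UK Org Assgn": dict(AUTHC="W", INFTY="0001", BUKRS="DE", PERSA="DE"),
}

def evaluate(check=authority_check):
    """Run every constructed request through the chosen model."""
    return {name: check(P_ORGIN_BUFFER, **req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name:24} -> {'allowed' if allowed else 'denied'}")
```
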
06-24-2015 11:46 AM