
SAP ECC - Authorizations tcode PA20/PA30

0 Kudos

Hi all,

I have a doubt about how the system identifies the values associated with the PA20 and PA30 transactions in a role with these two transactions.

Both transactions have the object P_ORGIN, but when I keep both transactions in a role the system creates different profiles below this object.

I know that one is for PA20 (because it has the R value in field AUTHC) and another is for PA30 (because it has the W value in field AUTHC), but my doubt is how the system validates the correct values for PA20 or PA30 when a user accesses these transactions.

Thanks

Regards

7 REPLIES

Former Member
0 Kudos

Hello Pedro,

If you check the navigation path from the easy menu you will be able to differentiate.

PA20 -> SAP Menu -> Human Resources -> Personnel Management -> Administration -> HR Master Data -> Display

PA30 -> SAP Menu -> Human Resources -> Personnel Management -> Administration -> HR Master Data -> Maintain

Similarly, even if they have a common authorization object, based on restriction ... they will be routed to two different views.

Regards

Anand

0 Kudos

Thanks Anand,

My doubt is more technical. I want to understand the logic behind the way the system validates which fields it will read in the case of a PA20 or PA30 transaction.

In a role with these two transactions we have only one P_ORGIN object, but we have double the fields.

How does the system know which fields go with PA20 or PA30?

Regards

0 Kudos

Hi

When you build a role by assigning transactions, the system gives you only the authorization objects set in configuration as "proposal" (SU24).

For PA20 it can be P_ORGIN-AUTHC=R with all other fields empty.

Technically, in ABAP programs the authorization check code is placed for specific authorization object values.

If the user has any role with P_ORGIN-AUTHC=W, the system lets you go forward in PA30; if not - authorization error - no access.

Regards

Przemek

0 Kudos

Hi Pedro,

If both instances of P_ORGIN are assigned to 1 user, then both sets of values will be applicable to both t-codes. So, you can use one instance instead of 2.

Therefore, you need to exclude W (write authorizations) in P_PERNR.

Generally, for the infotypes for which you would need Maintain access, you would also need Display access for the same.

Regards

Plaban

0 Kudos

Thanks for the reply Plaban,

But in that case, if the system uses both sets of values for the same object, how can I have restrictions for PA30 (for example, some infotypes can be modified) and other restrictions for PA20 (can display all infotypes, for example)?

Regards

0 Kudos

Hi Pedro

Both PA20 and PA30 use the same shared program but different screen layouts - and buttons. So it's the same authorisation object P_ORGIN.

To allow some to be changed vs some displayed, you need to have two P_ORGIN authorisations. In one you would specify AUTHC = R (and M for matchcode search) with the infotypes you want to allow read only to (i.e. use in PA20 or only allow the display option in PA30).

In the second authorisation you would allow AUTHC = W for the infotypes you want to allow create, change, delete, etc. to. Note, you would more than likely include display as well. Therefore, these infotypes could be displayed in PA20 but edited in PA30.

For example, you want to allow display only to IT0000 through to 0003 but update to 0105 (common security piece I have to do).

So you would have Auth1 is R, M for 0000 to 0003 and Auth2 would be R, M, E for 0105. In transaction PA20, you could access 0000, 0001, 0002, 0003 and 0105 in display. In transaction PA30 you could also display the 4 infotypes but you could only edit 0105.

Regards

Colleen

0 Kudos

Hi Pedro,

Mainly, the screen which appears for PA20 is display only and PA30 has maintenance access; this is because the functionalities are hard coded in the ABAP program. To answer your question, PA20 won't give you the possibility to maintain even though you have access maintained as AUTHC = W, due to the standard SAP code, whereas in PA30 you will get access to maintain and then it checks for AUTHC = W/R at a later stage.

Hope this answers your question.

Thanks,

Shiv
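
A simplified model of the evaluation described in the replies above, added here as an illustration (it is not SAP code and not from any poster): a check passes when any single P_ORGIN authorization matches every checked field, and the transaction only decides which level is requested. The infotype ranges follow the 0000 to 0003 / 0105 example in the thread with W as the write level; the class and function names, the `TCODE_LEVELS` table and the `MERGED` counter-case are assumptions made for the example.

```python
"""Simplified model of a P_ORGIN check (illustration only, not SAP code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """One P_ORGIN authorization (one instance in the role's profile)."""
    infty: tuple        # inclusive (low, high) infotype ranges
    authc: frozenset    # authorization levels such as R, M, W

    def matches(self, infty, authc):
        # Every checked field must match inside this one authorization.
        in_range = any(lo <= infty <= hi for lo, hi in self.infty)
        return in_range and authc in self.authc


def authority_check(auths, infty, authc):
    # Passes if any single authorization matches; the tcode is not an input.
    return any(a.matches(infty, authc) for a in auths)


# Assumption for this model: the level each transaction can request is fixed
# by its program (PA20 display only, PA30 display and maintain).
TCODE_LEVELS = {"PA20": {"R"}, "PA30": {"R", "W"}}


def can(auths, tcodes, tcode, infty, authc):
    if tcode not in tcodes:                  # transaction start check
        return False
    if authc not in TCODE_LEVELS[tcode]:     # PA20 never asks for W
        return False
    return authority_check(auths, infty, authc)


# Constructed sample: two separate authorizations, as in the thread's example.
USER_TCODES = {"PA20", "PA30"}
USER_AUTHS = [
    Authorization((("0000", "0003"),), frozenset("RM")),
    Authorization((("0105", "0105"),), frozenset("RMW")),
]
# Constructed counter-case: the same values merged into ONE authorization.
MERGED = [Authorization((("0000", "0003"), ("0105", "0105")), frozenset("RMW"))]

if __name__ == "__main__":
    for tcode, infty, level in [("PA20", "0001", "R"), ("PA30", "0001", "W"),
                                ("PA30", "0105", "W"), ("PA20", "0105", "W")]:
        print(tcode, infty, level, can(USER_AUTHS, USER_TCODES, tcode, infty, level))
    print("merged PA30 0001 W:", can(MERGED, USER_TCODES, "PA30", "0001", "W"))
```

With the merged authorization, write access extends to infotypes 0000 to 0003, which is why the display-only and maintain sets stay in separate P_ORGIN authorizations.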