
Restrict access for HR t-code PC00_M01_CEDT

Former Member
0 Kudos

Dear All,

I need help fixing the below issue in the HCM system.

There is one role for the user that has transaction code PC00_M01_CEDT for the remuneration statement. The user is able to see the data for the required employees, but including himself. However, it is required that the user should not see the data for his own user ID in this transaction code.

The authorization switch for auth object P_ERNR is set as 0 in the system. After looking at the role, I noticed that the COARS field in authorization object P_ABAP is set as "*" for the report which is executed by this t-code.

Before heading for any role changes, I would like to know if authorization object P_ABAP with field value "*" for COARS is causing the issue? Or is there any other solution to restrict the user from looking into his own user data?

Thanks in advance.

Santosh

2 REPLIES

Former Member
0 Kudos

Hello Santosh,

I think you have object superposition in this case. You can see that this user has 2 or more roles with that same object P_ERNR, and SAP buffers the objects:

Role 1

    Transaction VA02
    object  V_VBAK_AAT
    fields  ACTVT 03 "view"
            AUART Z491 "document type"

Role 2

    Transaction VA02
    object  V_VBAK_AAT
    fields  ACTVT 02 "modify"
            AUART * "document type"

Below is the access of the user when he has the role 1 and 2.

    Transaction VA02
    object  V_VBAK_AAT
    fields  ACTVT 02 03
            AUART *

In this case the user can modify the document Z491 even when he only has the activity 3 in the role 1, because in the role 2 the user has permission to modify all kinds of documents through the ACTVT *.

Regards
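
The role overlap described in this reply, as an added example that is not part of the original post and is not SAP code: it traces which assigned role lets a request through and lists restrictions that a wildcard in another role undercuts. It assumes a simplified model in which a check passes when any single authorization covers all requested fields; the function names are hypothetical and the role contents are the illustrative values from the reply.

```python
# Added illustration, not SAP code. Assumption: a check passes when any ONE
# authorization held by the user covers every requested field value.
# Role contents are the constructed Role 1 / Role 2 values from the reply.
ROLES = {
    "Role 1": [("V_VBAK_AAT", {"ACTVT": ["03"], "AUART": ["Z491"]})],
    "Role 2": [("V_VBAK_AAT", {"ACTVT": ["02"], "AUART": ["*"]})],
}

def value_matches(pattern, value):
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def covers(auth, wanted):
    """True if this single authorization covers every requested field."""
    return all(
        any(value_matches(p, v) for p in auth.get(field, []))
        for field, v in wanted.items()
    )

def granting_roles(user_roles, obj, wanted):
    """Names of the user's roles whose authorization for obj passes the check."""
    return [
        role for role in user_roles
        for name, auth in ROLES[role]
        if name == obj and covers(auth, wanted)
    ]

def overshadowed(user_roles, obj, field):
    """(restricted_role, wildcard_role) pairs to review: a restriction on
    `field` in one role alongside a '*' on that field in another role."""
    held = [(r, a) for r in user_roles for n, a in ROLES[r] if n == obj]
    return [
        (narrow, broad)
        for narrow, a1 in held if "*" not in a1.get(field, [])
        for broad, a2 in held if broad != narrow and "*" in a2.get(field, [])
    ]

if __name__ == "__main__":
    user = ["Role 1", "Role 2"]
    modify_z491 = {"ACTVT": "02", "AUART": "Z491"}
    print(granting_roles(user, "V_VBAK_AAT", modify_z491))        # both roles assigned
    print(granting_roles(["Role 1"], "V_VBAK_AAT", modify_z491))  # Role 1 alone
    print(overshadowed(user, "V_VBAK_AAT", "AUART"))
```

Running the same trace against the real role contents for P_ABAP or P_ERNR shows which role is responsible before any role change is made.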

Rajesh_Naik
Explorer
0 Kudos

Hi Santosh,

Authorization using COARS = 2. The authorization check is inactive.


The * value in the COARS field would allow the user to skip the authorization check. Guess you could deactivate P_ABAP for the program RPCEDTD0 related to this tcode and let the user try again. You might face some authorization issues, but it would be all sorted out at the end of it.


Thanks,

Rajesh