Hey Guys,

I have a requirement. For an example, I would like to restrict IT 0001 access for write access. A Manager should have read and write access to IT 0001 only for personnel#s under his org unit (for which he has a 'chief' position). For other personnel#s, he should have only read access for IT 0001.

We would like to use Context Solution (P_ORGINCON authorization object). I have created a PD profile with O-S-P evaluation path and RH_GET_MANAGER_ASSIGNMENT as function module.

In role, authorization object P_ORGINCON would be having following values (which gives read and write access to IT 0001 for Manager's org unit):

Authorization Level - R, M, W, E, D, S

Infotype - 0001

Personnel Area - *

Employee Group - *

Employee Subgroup - *

Subtype - *

Organizational Key - *

Authorization Profile - PD_PROFILE_1

PD profile (PD_PROFILE_1) is restricted by RH_GET_MANAGER_ASSIGNMENT function module and so it gives list of personnel#s, a Manager is authorized for his org unit.

My questions:

1: For my requirement, what values should be in second authorization object, to have read only access for IT 0001 for all personnel#s? Do I have to use P_ORGINCON authorization object with Authorization Profile as '*'?

2: At the time of turning on HR switch (transaction OOAC, table T77S0) for INCON (HR: Master Data (Context)) to 1, do we have to turn off switch for ORGIN (HR: Master Data)?

3: If yes to question 2, do we have to update all transactions in SU24 to reflect P_ORGINCON for check/maintain instead of P_ORGIN? So, whenever we enter transaction code in a role thru PGCF, P_ORGINCON would be entered in authorization or it is not required.

Thanks,

Karan.