question about structural authorization

Former Member
0 Kudos

Dear colleagues,

We have security issues and your help would be appreciated.

Each department administrator can manipulate students who belong to his/her organization. I know I must use structural authorization.

Here is my question.

1) How can I apply this structural authorization for a batch that I develop?

It means, when I search for Org structure, only my department must appear.

2) Do we have any sample for structural authorization that I can apply for student file and master data?

regards,

jin dal


former_member583013
Active Contributor
0 Kudos

Jin Dal,

In this case you must create your structural profile with reference to a function module (rather than a specific Org Unit ID) which dynamically finds the user's organization unit. It would be too much work to have to build a different profile for each possible organization unit. One function module you could use for this is RH_GET_ORG_ASSIGNMENT.

Michael

0 Kudos

Hi,

For one Org. Unit there are 2 Departments A and B, 100 students under A and 50 students under B.

Assuming that Department A belongs to you, you are maintaining the data for those 100 students but don't want to see the data of students belonging to Department B?

I want to know, in the scenario where a module is shared between both departments, will this functional module RH_GET_ORG_ASSIGNMENT work?

Will all the students be displayed under the particular module, or will it work fine only for the Department A batch? Not only for modules, what will be the effect for Events?

Thanks !!

Regards

Gajalakshmi

0 Kudos

Let me try to explain further. Hopefully this will address your question about modules and events.

The Structural Profile I mentioned in my last post determines the STARTING OBJECT for your authorized object list. This is where the FM RH_GET_ORG_ASSIGNMENT is useful. It will dynamically look at the User ID and find the Person to whom it is assigned - finally checking the P relationship to an Org. Unit. Great. This is just where we start!

You will see in the Structural Profile you must also mention an Evaluation Path. The Evaluation Path will determine, if you start from the main object, what other objects you should be authorized for. So, for example from O -> O, O -> SM, and/or SM -> D -> E.

In Gajalakshmi's example, Department A and Department B are both 'O' objects, reporting to the higher 'O' object (such as 'College Y'). If I start my Structural Profile at College Y, I will have access to everything under Departments A and B. Similarly, if I start just at Department A, I will only see students, modules, and events that have some relationship to Department A. Now, which students exactly 'belong' to Department A? That is up to you to define via an evaluation path, based on your requirements.

It could be something like:

O -> O (to make sure I also get students assigned to lower-level orgs)

O -> ST (where a student is directly assigned to the O)

O -> SC

SC -> CS

CS -> ST (This combines with the previous two lines to get all students registered in a program of study that is offered by one of my departments.)

O -> SM

SM -> ST (This combines with above to get all students booked in any course offered by one of my O objects)

O -> S (positions)

S -> P

P -> ST (Perhaps to get any student that is advised by any employee of my org unit).

You get the idea. It is too much to go through all the possibilities of Structural Authorizations here, of course, but this should certainly get you started. (It also gives me an idea for a new cookbook...)

Michael

0 Kudos

Hi Michael,

Thanks a lot for the explanations! Yes, as you said in the forum already, I have set the same in customizing and not in the function module.

Now I hope, while writing the report, if we include the logic of Registration to the Program of Study + Booking to modules ... uniqueness / combinations, this will solve the problem of the Department A students for SM ---> ST. It also depends on how we are going to use the structural authorization. This might also help Jindal's problem.

Thanks !!!

Regards

Gajalakshmi

Former Member
0 Kudos

Thanks for your help, and let me ask you a little more.

If I want to develop some report program and I want to adopt structural authorization, what code is necessary? I am not a developer but I want to give some advice to developers.

Currently, all the developers do not understand structural authorization, and if you give me some sample program source it would be very helpful.

best regards,

jin dal

0 Kudos

There is a Function Module you can use to check the Structural Authority for an object. It is 'HRIQ_STRU_AUTHORITY_CHECK'.

If you would like to see how it is called in some other program, take a look at the program we offer that helps you test a Selection Method: RHIQSELMETHODS_TEST_01

Good luck!

Michael

Former Member
0 Kudos

It will be possible that an administrator has authority to inquire all the students in the university but has update authority in his/her own organization.

In this case, can I use structural authorization, or do we have any BADI that can implement the above requirements?

regards,

jin dal

0 Kudos

You can still use structural authorization for that. Just assign two structural profiles. In one profile, provide 'Write' access. In the other, make it read-only.

Michael

Former Member
0 Kudos

Hello Michael,

Thanks for your advice. For my previous question I am thinking of different ways.

If I can add security using a BADI I would be happy.

For example:

Admin A has authority to inquire all students

but has update authority for his own org unit.

Can I implement the above requirement by just adding a BADI function in the security?

regards,

jin dal

Former Member
0 Kudos

Hello All,

I am still testing with structural authorization, and how do you do it in the following case?

Three Org units.

Org A
  Program A1
  Program A2
  - In Org A there are 10 students.

Org B
  Program B1
  Program B2
  - In Org B there are 10 students.

Org C
  Program C1
  Program C2
  - In Org C there are 10 students.

I am responsible for Org A and all of my students can register to Program B and Program C.

If I give highest structure authorization to Org A, I get an error because my students are booked to Org B and Org C.

I wonder how you solve this case. I have authority (update and display that belong to Org A) but some of my students are registered to Org B and Org C.

In order to solve this issue, I gave the following option to my authority.

profile B O (not in the evaluation but to the profile itself), but in this case, in the PIQ_stru* screen, some functions show all the organizations.

As you know, in the PIQ_stru* screen there are four functions.

1) by organization

2) by program of study

3) by module group

4) by module

In this case, "by module" gives me the highest org unit as Org A, but the others, such as by org., by program and by module group, give the top org unit as highest.

somebody's help would be appreciated.

regards,

jin dal

0 Kudos

Jin Dal,

Perhaps you can be a little more precise about what you mean when you say you get an error. Do you mean that when you try to access the student using a particular user, you get an error that the student is not found, for example? It is hard for me to help you without that kind of information.

Michael

0 Kudos

Hi Jindal,

Explain with an example and scenario what you are doing, so it will be helpful.

Regards

Gajalakshmi

0 Kudos

1) I defined a structural profile for a certain Org. unit.

For example, History org. unit as highest.

2) I assigned this profile to the administrator of History.

Only the History org. unit appeared in the PIQ_ACSTRUC screen.

3) But student A registered to a program of Org. unit B.

For example, the student registered to graduate courses.

4) In this case, it is an issue because I do not have authority,

because the org. unit is not a lower level of the Org. unit.

It is at the same level as Org. unit A.

5) So I gave "COLLEGE_B 9 01 O" in the authorization profile

and there were no errors, but the problem is that in the PIQ_ACSTRUC screen

all org units are displayed.

6) Can I adjust PIQ_ACSTRUC so that Org. unit A is displayed as the highest org unit?

regards,

jin dal

If you give me a mail id, I can send a screen dump.

0 Kudos

Hi Jin dal,

Is your objective to get the list of students for Org. unit / Program?

To my understanding of your question:

1) Why do the students of the Org unit get registered to A, but take the program of B which belongs to Org. unit B?

2) If the student gets registered to both, he will be displayed in both of the programs. One more thing: if Org unit is the basic control in structural authorization, the relationships belonging to the O will be displayed.

3) The authorization will always be at the topmost level; it will depend on how you look at things and design.

4) One more thing is to link Org. unit A and Org. unit B with an O-O relation.

5) Roles and Profiles (Role assigned to particular profiles (authorizations)).

6) One more point to help you: there is a filter submenu under View Menu; check that out in PIQ_ACSTRUC.

Regards

Gajalakshmi

Message was edited by:

Gajalakshmi Kannappan

0 Kudos

Jindal,

I still am trying to read into your issue here. You have not explicitly stated what it is you are trying to do when you get the error! I will guess:

1) You have a student assigned to Org A. You have no problem with your user seeing this student record at all.

2) The student needs to register for a program and/or module in Org B. When you try to do this, you get an authorization error (naturally).

Is this correct? If so, here are two simple options.

Option 1: For each structural profile, just add a line for each object type you need to grant access to (regardless of its org unit, etc.). For example, if you need to provide access to all programs of study to all users, just add a line in the profile for object type 'SC', with starting object value of '*'. You could do the same for 'SM', and so on.

Option 2: Create another evaluation path that does everything your original one does, but eliminate all items that point to the ST object. Now, in your structural profile, just assign this eval path with a starting object of your 'HIORG' org unit, which I assume sits above all your other org units.

Both of these options will achieve the same thing. You will have access to all 'non-student' academic objects in the system, but only have access to ST objects that are part of your org unit.

Michael
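
The evaluation-path resolution described earlier in the thread, combined with Option 2 above, as a small Python model. This is an added example, not code from the thread or from SAP; the object IDs, the relationships and the rule that a booking needs both objects authorized are constructed assumptions.

```python
from collections import deque

# Constructed sample structure, not real SAP data. Objects are (type, id);
# each pair is one relationship "parent -> child".
RELATIONS = [
    (("O", "HIORG"), ("O", "A")), (("O", "HIORG"), ("O", "B")),
    (("O", "A"), ("SC", "A1")), (("O", "B"), ("SC", "B1")),
    (("O", "A"), ("SM", "MA")), (("O", "B"), ("SM", "MB")),
    (("SC", "A1"), ("CS", "cs1")), (("CS", "cs1"), ("ST", "stu1")),
    (("SC", "B1"), ("CS", "cs2")), (("CS", "cs2"), ("ST", "stu2")),
    (("SM", "MB"), ("ST", "stu1")),  # stu1 (program A1) books a module of Org B
]

# An evaluation path modelled as the set of type-to-type steps it may follow.
STUDENT_PATH = {("O", "O"), ("O", "SC"), ("SC", "CS"), ("CS", "ST"),
                ("O", "SM"), ("SM", "ST")}
# Option 2: the same path with every step that points to ST removed.
NO_STUDENT_PATH = {step for step in STUDENT_PATH if step[1] != "ST"}


def resolve(start, path):
    """Return every object reachable from start using only steps in path."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for parent, child in RELATIONS:
            if parent == node and (parent[0], child[0]) in path and child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def authorized(profile):
    """Union of the object sets of all (start object, evaluation path) lines."""
    objects = set()
    for start, path in profile:
        objects |= resolve(start, path)
    return objects


def can_book(profile, student, module):
    """Model assumption: a booking needs both objects in the authorized set."""
    return {student, module} <= authorized(profile)


ORG_A_ONLY = [(("O", "A"), STUDENT_PATH)]
OPTION_2 = ORG_A_ONLY + [(("O", "HIORG"), NO_STUDENT_PATH)]

if __name__ == "__main__":
    for name, profile in (("Org A only", ORG_A_ONLY), ("Option 2", OPTION_2)):
        print(name, sorted(authorized(profile)))
```

With the Org A profile alone, the module of Org B is outside the authorized set and the booking is refused; adding the HIORG line makes all non-student objects visible while the student of Org B stays out of reach.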