11-15-2007 6:48 PM
Hi All,
Can you please let me know the best way to restrict HR users to process or view data specfic to a country. A HR user or manager in US should only be able to see data of US employees, and similaryly for all other countries.
I know I can use the Personnel Areas (which are country specific) in P_ORGIN to do this restriction, but this will end up in creating huge number of roles (approx 75 countries). If we have 10 roles and each role has to be country specific then we will end up with 750 roles which is a maintenance nightmare.
Can you please suggest any alternate approaches?
Thank you,
Jay
11-16-2007 3:43 PM
I feel you will have to create the desired no. of roles.
Only thing you can do is to create a global(GL) role., e.g. ZtestGL role which contains all the authorizations which have to be present with other 75 roles. Only difference can be the org level values which can be '*' for this role.
Create rest of the other country's role(affiliate roles) by deriving from this GL role. Only thing you need to change is org level values in the country's role keeping the other authorizations common.
In all you may have to create 10 GL roles, and it won't take too much of time in creating other roles by deriving them from the GL role.
Don't give GL role to any country. Keep it for reference and for further creation of other country roles(in future).
Hope it helps. Points are welcome!!
11-16-2007 4:09 PM
Hi Jayaroop,
This requirement is just what structural authorisations are designed for
11-17-2007 12:17 AM
Alex,
How would the structural auths help in country specific restriction. Is it not businness unit specif restiction where in we give access to the org unit and its tree? If a buiness unit is spread accross different different counries then how can we restrict based on country using structural authorizations?
Thanks,
Jay
11-17-2007 1:46 AM
ah, I see. Your expansion of the problem complicates things a bit - I will have to defer to someone with more knowledge of SA's I'm afraid. It sounds like the org structure you have in place with BU above country makes it more difficult.
11-18-2007 8:09 AM
11-19-2007 10:45 AM
hi jayaroop,
I think the suggestion offered by Catastrophe is probably the best way to go.
by using derived roles you only have to build roles for the required functionality once. since the only variable in these roles will be organizational values such as personnel area etc. you can use the derivation principle for this with the variables being the required organizational levels.
good luck,
dimitri