12-04-2007 11:04 PM
Hi Experts,
I am trying to set up authorizations in R/3 for accessing Employee Self Service applications on Portal.
"Record working time" application is working fine for employees if I add the P_ORGIN to the Z-ESS role and put * in all the fields.
Does the role really need P_ORGIN. I am thinking P_PERNR should take care of all write/read access to HR Infotypes.
I can not really distinguish between these objects. Could you throw some light on this.
Thanks!
minisapG
12-05-2007 8:37 AM
for ESS you'll only need P_PERNR. using P_ORGIN with * values for all fields will make any HR security person's hair stand up straight ) even though it can't do much harm in an ESS scenario, it may eventually cause conflicts when implementing further scenario's.
P_PERNR should take care of just what you want specifying the right infotypes and using the <b>I</b>nclude or <b>E</b>xclude function.
for your understanding, P_PERNR is used for access to an employee's <i>own</i> data. this in contrast of P_ORGIN which is generally for all HR master data.
if you want to know more, let me know!
12-05-2007 8:37 AM
for ESS you'll only need P_PERNR. using P_ORGIN with * values for all fields will make any HR security person's hair stand up straight ) even though it can't do much harm in an ESS scenario, it may eventually cause conflicts when implementing further scenario's.
P_PERNR should take care of just what you want specifying the right infotypes and using the <b>I</b>nclude or <b>E</b>xclude function.
for your understanding, P_PERNR is used for access to an employee's <i>own</i> data. this in contrast of P_ORGIN which is generally for all HR master data.
if you want to know more, let me know!
12-05-2007 3:17 PM
I had some problems with P_PERNR object. Because this object was looking for IT 0316 and with authorization level *. I figured this from the trace ST01. Now it is working fine without P_ORGIN. I do not know why P_PERNR needs it 0316 for CATS web dynpro application.
Can you please let me know what is this Infotype.
Thanks for your help.
12-05-2007 5:23 PM
OMG! I have to agree with Dimitri.
If your HR functional folks cannot give you the correct P_ORGIN info types, trace, trace, trace... Do the right thing!
12-05-2007 5:54 PM
12-05-2007 5:39 PM
12-21-2007 3:47 AM
This is at
http://help.sap.com/saphelp_47x200/helpdata/en/64/40050c470211d189720000e8322d00/frameset.htm
concerning Infotype 0316:
"Using dummy infotypes
The HR authorizations required to display and maintain personal data are supplemented by two other types of authorizations for the Time Sheet, for
Displaying and entering data in the time sheet
Displaying and approving data using time sheet reports
Time sheet data is represented in dummy infotypes for this purpose.
Dummy infotypes
Infotype 0316 represents the authorization for data entry profiles. The subtypes of this infotype are the profile authorization groups.
Dummy infotype 0328
Infotype 0328 represents the authorization for reporting and approval.
It is very important to note that these infotypes do not actually exist in the system. They are only used to access the HR authorization concept in order to assign authorizations to read, change, or approve time sheet data.
For more information, see the Implementation Guide for the Time Sheet. Choose Time Sheet ® Authorizations."