04-19-2008 8:18 AM
Dear gurus,
Considering the following scenario in OM:
Company XYZ O 50000000
>Org-unit A O 50000001
>Org-unit B O 50000002 <- HR Manager sitting in this unit B
>Org-unit C O 50000003
The authorisation requirements are so that, this HR Manager is allowed to have full maintenance access for all the employees under Company XYZ, except she cannot see the salaries of the people under org-unit B.
Can I maintain the authorisations in such way that I give the HR Manager two structural profiles:
profile 1) 50000000 with evaluation path O-O, 50000001 and 50000003 with evaluation path O-S-P, assign this to a PFCG role with full PA access to master data
Profile 2) 50000002 with evaluation path O-S-P, assign to a role with all infotypes, except IT0008
Will it work that way? Or does anyone have a better suggestion for this?
I thought of utilizing the PersAdmin field in IT0001, but it won't work due to the workflows implementation.
Thanks for your time!
-BT
04-21-2008 7:57 AM
Hi,
You would be able to use structural auths for this, have you implemented context senstive authorisations?
If you haven't then I don't see how you could achieve this - you can take a look at this link for the documentation:
With auth object P_ORGINCON you could create two authorisations, one auth including 0008 with profile1 and another auth excluding 0008 with profile 2.
Regards
06-28-2008 10:50 PM
Using this scenario how would one link structural authorisation to roles in PFCG? The who posted this orginally was talking of linking it roles in PFCG is that possible at all or not?
06-29-2008 10:36 AM
fi you use contextual authorizations (e.g. P_ORGINCON) and also implement the BAdI GET_PROFL, the assigned structural profiles in the P_ORGINCON object(s) are automatically read from the PFCG role and put into table T77UA/T77UU.
if you do not use this approach, it is not possible to assign structural profiles through PFCG.