06-19-2008 3:57 PM
Hello All, I'm trying to restrict HR users from changing their own salary by using PA30 and PA40. I limited E under P_PERNR and it works if the user logs in as a regular user. But it doesn't work if the user logs in as an HR user. Does it relate to any of these objects below? What field value should be restricted? Many thanks
INFTY, SUBTY, AUTHC, PERSA, PERSG, PERSK, VDSK1
06-19-2008 7:16 PM
I think what you are trying to do is not allow the HR Admin to change his data.
This can be implemented by using the Double Verification Principle for Personnel Administration.
This process controls access to infotypes by stipulating that two users are always required to create or change infotype data.
http://help.sap.com/erp2005_ehp_03/helpdata/EN/ab/4bba3b3bf00152e10000000a114084/frameset.htm
Hope this will help.
06-20-2008 3:05 PM
Hi there, thanks for your info. I did read the article about how to restrict HR Admins from changing their own data. Should I just restrict to "read" for all infotypes related to salary and "E" for P_PERNR?
06-20-2008 8:35 AM
hi rachel,
what exactly have you entered in the fields in P_PERNR?
furthermore, is the same person using two different user IDs? because when using P_PERNR, the user ID should have a connection to a personnel number (in IT0105) and only one user ID can be used per PERNR.
good luck!
06-20-2008 3:08 PM
Hi there, thanks for your reply. I put "E" under P_PERNR, and the HR user with user ID HXXXX still can change their salary.
What is IT0105? Thanks
06-20-2008 5:27 PM
Hi Rachel,
IT0105 is basically a communication type infotype which is used to link the personnel number with a user ID.
Thanks,
Neeraj
06-22-2008 7:02 PM
I'm not sure what values you entered in the P_PERNR object, but you say you used 'E' (exclude). in that case you have to exclude write access to IT0008.
using P_PERNR will only be useful when there's a connection between a user ID (HXXXX) and a personnel number. this is done in IT0105 (subtype 0001). you can only enter one user ID per PERNR.
I hope I was able to clarify things a little for you.
06-23-2008 2:32 PM
I'm not sure what is one user ID per PERNR. Below is the auth. object under P_PERNR, please let me know if something is wrong in it. fyi, there are 2 PERNR
1ST:
AUTHORIZATION LEVEL M, R
INFO TYPE 0000, 0001, 0002, 0006, 0007, 0009, 0021, 0022, 0023, 0041, 0105, 0185, 0395
INTERPRETATION OF ASSIGNED PERSONAL NUMBER E
SUBTYPE 0001
2ND:
AUTHORIZATION LEVEL M, R
INFO TYPE 0008, 0014
INTERPRETATION OF ASSIGNED PERSONAL NUMBER E
SUBTYPE 0001
06-24-2008 9:26 AM
rachel,
in your two P_PERNR objects above, you have excluded read access for the following infotypes:
INFOTYPE 0000, 0001, 0002, 0006, 0007, 0009, 0021, 0022, 0023, 0041, 0105, 0185, 0395
INFO TYPE 0008, 0014
and for all of the above infotypes, you have excluded read access for subtypes 0001. this is not what you aim to achieve.
you want to exclude write access (W, D, E, S) for infotypes 0008 and 0014 and so P_PERNR should look something like this:
P_PERNR nr. 1:
AUTHORIZATION LEVEL W, D, E, S
INFO TYPE 0008, 0014
INTERPRETATION OF ASSIGNED PERSONAL NUMBER E
SUBTYPE *
if you want to include read access for the infotypes you mentioned in your example, it should look similar to this:
P_PERNR nr. 2:
AUTHORIZATION LEVEL M, R
INFO TYPE 0000, 0001, 0002, 0006, 0007, 0009, 0021, 0022, 0023, 0041, 0105, 0185, 0395
INTERPRETATION OF ASSIGNED PERSONAL NUMBER I
SUBTYPE *
the above will only work if the personnel number has a valid infotype 0105 subtype 0001 (System user name (SY-UNAME)) record. please look that up in PA30 and create that record with HXXXX if it is missing.
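A simplified model of the P_PERNR check discussed in this thread, added here as an illustration; it is not taken from any post and is not SAP code. It shows why the authorizations as first posted do not block a salary change, why the corrected pair does, and why nothing is blocked without the IT0105 link. PSIGN is the technical name of the "interpretation of assigned personnel number" field; the function names, the personnel number, the salary subtype "0" and the rule that a matching E wins over a matching I are assumptions.

```python
# Simplified model of the P_PERNR evaluation discussed in this thread.
# Illustration only, not SAP code; function names and result strings are assumptions.

def field_matches(values, item):
    return "*" in values or item in values

def check_p_pernr(user_id, pernr, infty, subty, level, auths, it0105):
    """Return 'deny', 'allow' or 'not_applicable' for one infotype access."""
    # P_PERNR only applies when IT0105 subtype 0001 links this PERNR to the user ID.
    if it0105.get(pernr) != user_id:
        return "not_applicable"
    hits = [a for a in auths
            if field_matches(a["AUTHC"], level)
            and field_matches(a["INFTY"], infty)
            and field_matches(a["SUBTY"], subty)]
    # Assumption: a matching E (exclude) wins over a matching I (include).
    if any(a["PSIGN"] == "E" for a in hits):
        return "deny"
    if any(a["PSIGN"] == "I" for a in hits):
        return "allow"
    return "not_applicable"  # the user's other HR authorizations decide

READ_INFTY = ["0000", "0001", "0002", "0006", "0007", "0009", "0021",
              "0022", "0023", "0041", "0105", "0185", "0395"]

# The two authorizations as first posted: E on read levels, subtype 0001 only.
ORIGINAL = [
    {"AUTHC": ["M", "R"], "INFTY": READ_INFTY, "PSIGN": "E", "SUBTY": ["0001"]},
    {"AUTHC": ["M", "R"], "INFTY": ["0008", "0014"], "PSIGN": "E", "SUBTY": ["0001"]},
]
# The corrected pair from the last reply.
CORRECTED = [
    {"AUTHC": ["W", "D", "E", "S"], "INFTY": ["0008", "0014"], "PSIGN": "E", "SUBTY": ["*"]},
    {"AUTHC": ["M", "R"], "INFTY": READ_INFTY, "PSIGN": "I", "SUBTY": ["*"]},
]

# Constructed sample data: personnel number 00001234 linked to user HXXXX.
IT0105 = {"00001234": "HXXXX"}

def salary_write(auths, it0105):
    # Write (W) to infotype 0008 on the user's own record; subtype "0" is constructed.
    return check_p_pernr("HXXXX", "00001234", "0008", "0", "W", auths, it0105)

if __name__ == "__main__":
    print("original :", salary_write(ORIGINAL, IT0105))
    print("corrected:", salary_write(CORRECTED, IT0105))
    print("no IT0105:", salary_write(CORRECTED, {}))
```

A result of `not_applicable` means P_PERNR imposes no restriction, so an HR user whose other authorizations allow maintaining infotype 0008 can still change the record.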