
Restrict HR admin from viewing another HR admin's infotypes

Former Member
0 Kudos

Hi

How can I restrict one HR admin from viewing the basic pay of his colleague? Should I implement a user exit so every time a PA30 is executed, I remove all pernrs from my org unit? Please help...

Thanks

5 REPLIES 5

former_member74904
Contributor
0 Kudos

Should the HR admin be able to view the basic pay of others than his colleague?

If he's only allowed to see his own and not for anyone else, you should exclude infotype 8 from all P_ORGIN objects and only use P_PERNR like this:

 
AUTHC = M, R
PSIGN = I
INFTY = 0008
SUBTY = * 

Edited by: Dimitri van Heumen on Jun 28, 2008 10:19 AM

0 Kudos

Hi Dimitri,

Thanks for the update. However, being an HR admin, I can view/edit basic pay (0008) for all employees in my company. The challenge is to not be able to view my team's pay details.

The solution provided by you prevents me from viewing all employees' details.

Is there a way to achieve this without implementing structural authorizations? Please advise.

0 Kudos

In order to avoid using structural authorizations, I would suggest restricting access through the enterprise structure. Perhaps it is possible to differentiate between all employees and your team using the organizational key (VDSK1) in P_ORGIN?

In this case you could include the position number, for example, in the org. key and through this exclude them from access without limiting the edit/view functionality for other employees.

Former Member
0 Kudos

Hi Dimitri,

Looked around and tried a few options; nothing really solves the problem without structural auths. Using orgkey, I will end up building a role for each HR admin. Sounds like fun... eh.

diwheeler
Explorer
0 Kudos

Hi there,

I saw you have closed this post, but I thought I'd see if I could add to it anyway.

One I've seen implemented is to have a user exit that, every time a transaction that checks HR info is run, checks the value of field PA0001-SACHA. If the field is populated, then the user exit is called and depending on the values, will or will not show HR related information. e.g.

HR manager has H1, HR team have H2, regular employee has blank.

If the HR team goes to look at an employee, it checks to see if the employee has anything populated. If there's nothing, it goes ahead. If the field has something in it (H1 or H2) then the check looks to see what the HR team member has. If that member has H2, it will fail.

then...

If the HR manager goes to look at an employee the checks pass for the employee, if it looks at another HR team member, then there is a check to see if the field is populated. If the field is, it checks what the HR manager has against their personnel record (H2). users with H2 can see the values.

I've also read something once where they solved this using structural authorisations and wrote a structural auth function module that, after running and building the structural authorisation listings, it completes a removal of specific (HR team related) objects from the lists via the customised FM.

http://sap.ittoolbox.com/groups/technical-functional/sap-security/view-the-whole-org-but-not-hr-9129... is where I read about this.

I know you can also use context sensitive HR auths depending on your SAP version.

Good luck,

Cheers,

Dianne
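
The PA0001-SACHA comparison described in the reply above, written in ABAP as an added example (not code from the thread or from SAP). The report, class and method names are hypothetical; H1/H2 are the values used in the post; denying H1-on-H1 views, resolving the user through infotype 0105 subtype 0001, and failing closed when no personnel number is found are assumptions.

```abap
REPORT zhr_peer_view_demo.
" Added example: ZHR_PEER_VIEW_DEMO and LCL_PEER_CHECK are hypothetical names.
PARAMETERS p_pernr TYPE pernr_d OBLIGATORY.   "employee being displayed

CLASS lcl_peer_check DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS:
      pernr_of_user IMPORTING iv_uname TYPE sy-uname
                    RETURNING VALUE(rv_pernr) TYPE pernr_d,
      sacha_of      IMPORTING iv_pernr TYPE pernr_d
                    RETURNING VALUE(rv_sacha) TYPE pa0001-sacha,
      may_view      IMPORTING iv_viewer TYPE pa0001-sacha
                              iv_target TYPE pa0001-sacha
                    RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_peer_check IMPLEMENTATION.
  METHOD pernr_of_user.
    " Assumption: IT0105 subtype 0001 links the system user to a pernr.
    SELECT SINGLE pernr FROM pa0105 INTO rv_pernr
      WHERE subty = '0001' AND usrid = iv_uname
        AND begda <= sy-datum AND endda >= sy-datum.
  ENDMETHOD.
  METHOD sacha_of.
    " IT0001 is time-dependent: read the record valid today.
    SELECT SINGLE sacha FROM pa0001 INTO rv_sacha
      WHERE pernr = iv_pernr
        AND begda <= sy-datum AND endda >= sy-datum.
  ENDMETHOD.
  METHOD may_view.
    " Only adds a restriction; the standard authorization checks still apply.
    IF iv_target IS INITIAL.
      rv_ok = abap_true.      "regular employee: no extra block
    ELSEIF iv_viewer = 'H1' AND iv_target = 'H2'.
      rv_ok = abap_true.      "HR manager viewing an HR team member
    ELSE.
      rv_ok = abap_false.     "H2 on HR staff, or H1 on H1 (assumption)
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(lv_viewer) = lcl_peer_check=>pernr_of_user( sy-uname ).
  IF lv_viewer IS INITIAL.
    WRITE / 'Denied: user has no personnel number (fail closed).'.
  ELSEIF lcl_peer_check=>may_view(
           iv_viewer = lcl_peer_check=>sacha_of( lv_viewer )
           iv_target = lcl_peer_check=>sacha_of( p_pernr ) ) = abap_true.
    WRITE / 'Extra SACHA check passed.'.
  ELSE.
    WRITE / 'Denied by SACHA check.'.
  ENDIF.
```

As written, an H2 user is also blocked on their own record, so self-service display would have to be granted separately (for example through P_PERNR, as mentioned earlier in the thread).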