06-28-2008 5:23 AM
Hi
How can I restrict one HR admin from viewing the basic pay of his colleague? Should I implement a user exit so every time a PA30 is executed, I remove all pernrs from my org unit? Please help...
Thanks
06-28-2008 9:18 AM
Should the HR admin be able to view the basic pay of others than his colleague?
If he's only allowed to see his own and not for anyone else, you should exclude infotype 8 from all P_ORGIN objects and only use P_PERNR like this:
AUTHC = M, R
PSIGN = I
INFTY = 0008
SUBTY = *
Edited by: Dimitri van Heumen on Jun 28, 2008 10:19 AM
06-28-2008 5:45 PM
Hi Dimitri,
Thanks for the update. However, being an HR admin, I can view/edit basic pay (0008) for all employees in my company. The challenge is to not be able to view my team's pay details.
The solution provided by you prevents me from viewing all employees' details.
Is there a way to achieve this without implementing structural authorizations? Please advise.
06-29-2008 9:29 AM
In order to avoid using structural authorizations, I would suggest restricting access through the enterprise structure. Perhaps it is possible to differentiate between all employees and your team using the organizational key (VDSK1) in P_ORGIN?
In this case you could include the position number, for example, in the org. key and through this exclude them from access without delimiting the edit/view functionality for other employees.
07-31-2008 5:49 AM
Hi Dimitri,
Looked around and tried a few options; nothing really solves the problem without structural auths. Using orgkey, I will end up building a role for each HR admin. Sounds like fun... eh.
08-04-2008 3:10 AM
Hi there,
I saw you have closed this post, but I thought I'd see if I could add to it anyway.
One I've seen implemented is to have a user exit that, every time a transaction that checks HR info is run, checks the value of field PA0001-SACHA. If the field is populated, then the user exit is called and depending on the values, will or will not show HR related information. e.g.
HR manager has H1, HR team have H2, regular employee has blank.
If the HR team goes to look at an employee, it checks to see if the employee has anything populated. If there's nothing, it goes ahead. If the field has something in it (H1 or H2) then the check looks to see what the HR team member has. If that member has H2, it will fail.
then...
If the HR manager goes to look at an employee the checks pass for the employee, if it looks at another HR team member, then there is a check to see if the field is populated. If the field is, it checks what the HR manager has against their personnel record (H2). users with H2 can see the values.
I've also read something once where they solved this using structural authorisations and wrote a structural auth function module that, after running and building the structural authorisation listings, it completes a removal of specific (HR team related) objects from the lists via the customised FM.
http://sap.ittoolbox.com/groups/technical-functional/sap-security/view-the-whole-org-but-not-hr-9129... is where I read about this.
I know you can also use context sensitive HR auths depending on your SAP version.
Good luck,
Cheers,
Dianne
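The PA0001-SACHA check described in the last reply, modelled as an added Python example (not code from the thread, and not the ABAP user exit itself). The ranking H1 > H2 > blank, the fail-closed handling of missing records, and all personnel numbers and dates are assumptions made for illustration; the key-date lookup is included because PA0001 records are date-delimited.

```python
from datetime import date

# Constructed PA0001 extract: (PERNR, BEGDA, ENDDA, SACHA). All values are made up.
PA0001 = [
    ("00001001", date(2005, 1, 1), date(9999, 12, 31), "H1"),  # HR manager
    ("00001002", date(2006, 3, 1), date(9999, 12, 31), "H2"),  # HR team
    ("00001003", date(2004, 1, 1), date(2007, 12, 31), ""),    # before joining HR
    ("00001003", date(2008, 1, 1), date(9999, 12, 31), "H2"),  # HR team since 2008
    ("00002001", date(2003, 6, 1), date(9999, 12, 31), ""),    # regular employee
]

# Assumed ranking: a viewer must outrank a flagged target to see its pay data.
RANK = {"": 0, "H2": 1, "H1": 2}


def sacha_on(pernr, key_date, records=PA0001):
    """Return the SACHA value of the PA0001 record valid on key_date, or None."""
    for rec_pernr, begda, endda, sacha in records:
        if rec_pernr == pernr and begda <= key_date <= endda:
            return sacha
    return None


def exit_allows(viewer, target, key_date, records=PA0001):
    """Extra check, applied only after the standard authorization has passed."""
    viewer_flag = sacha_on(viewer, key_date, records)
    target_flag = sacha_on(target, key_date, records)
    # Fail closed on a missing record or an unknown flag value (assumption).
    if viewer_flag not in RANK or target_flag not in RANK:
        return False
    if target_flag == "":
        return True  # unflagged employee: the exit does not interfere
    return RANK[viewer_flag] > RANK[target_flag]


def visible_targets(viewer, key_date, records=PA0001):
    """PERNRs the exit lets this viewer display on key_date (own record excluded)."""
    pernrs = sorted({rec[0] for rec in records})
    return [p for p in pernrs
            if p != viewer and exit_allows(viewer, p, key_date, records)]
```

Under this model a flagged user is also refused on their own record, so self-display would need separate handling such as the P_PERNR authorization mentioned earlier in the thread.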