
HR Failed Authorization shows wrong personnel no. in SU53

Former Member
0 Kudos

Hello all:

When I run an HR report that is based on the PNPCE logical database, I get the list, but when I green arrow back it shows ' insufficient authorization, no. skipped personnel nos.: 1'. I understand that it means I do not have org. authorization for 1 employee. But the problem is that when I do SU53 it shows around 20 personnel nos. in the list of section 'Failed HR Structure Authorizations', with each having 4 records with DISP and INSEC actions. As a matter of fact, I have access to all of these employees, and the employee I am missing is not even in this list. I was able to figure out who I missed with a binary search of the employees I ran the report for, and it is just one. If I exclude that one user from my selection I can run the report with no message.

I searched the SAP Notes and forum to see if this was a bug, but I could not find anything.

Can somebody explain if this is normal behavior in HR authorization failure? I appreciate expert advice/input.

Thanks in advance,

NT

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

I would recommend you try ST01 auth check trace result. In case of HR, SU53 may not always help you.

Regards,

Zaheer

9 REPLIES

Former Member
0 Kudos

Looks like this is related to how your PD profile is pulling out the org/person information.

Check out report RHUSERRELATIONS for your user id and compare to what you observe in SU53.

0 Kudos

Hi Phoenix and Kiran:

Thank you both for your prompt responses. Phoenix, I had tried ST01 but ST01 result does not show any structural authorization check unless I am not doing something right.

Kiran, I ran the report with option structural authorization and also with org units. It shows the profiles and org unit as we are using O-S-P evaluation path.

I am still not able to figure out exactly why SU53 is not showing the correct individuals. In many other cases SU53 shows the correct individuals.

Thanks again,

NT

0 Kudos

Hi

Have you had a look at the object P_ABAP for HR reporting and how this is being maintained?

Regards

Charmaine

diwheeler
Explorer
0 Kudos

Hi there,

I'm more than happy to be corrected if I'm wrong, but I'm pretty sure that your SU53/ST01 results won't show the failure for your user. If you think of it as two parts for HR auths, you will first run your check for the infotype access against person/area of your business, and then you'll have an additional check for your structural authorisation.

If you go to transaction OOSB, find the user ID you're logged on with and click on the 'info' button, you will see all the objects you have access to. I would bet that if you looked on that list, you will see all the users you have access to come up, but you won't see that single individual come up. If you need to see them, then it's a matter of reviewing your structural auths.

Another way to check or verify this is to give the user ID 'all' in the structural auths field (if you can) or remove all entries for the user. Run the report again and your user ID should see all values - so then I'd imagine you'd re-evaluate the structural auth design and see if it's correct. (This isn't something you should keep as a permanent thing though!!)

It is normal behaviour in fact - if you had your ST01 log you should be able to trace back the check for that particular user as a pass there. Those checks work and the structural auth check is like an additional piece. If you like, go online and search for the HR authorisations security guide. This explains probably better than I could about the two checks. Unfortunately, I don't know of any trace that would be able to show the structural auth failure.

Of course, depending on your security policies, you should probably test this out in Acceptance if you're unsure or nervous about it all.

Good luck with it.

Cheers,

Dianne

Former Member
0 Kudos

Charmaine and Dianne, Thank you for your input.

It works if I put P_ABAP with coars 2 but does not with 1. I am reluctant to use P_ABAP with 2 as it ignores all authorization checks for the report.

Also, if I expand the structural authorization to a higher level of the org structure, it works with no error.

The employee it skips has transferred to another company in my selection period; that is why the report skips. But I want the user to be able to display when that employee was in the previous unit.

Please let me know if I am not clear.

Thanks again,

NT

Former Member
0 Kudos

NT,

Your function module (FM) determines the objects and users that you have access to view/maintain. So, I think when you are running this report, your FM is calculating the list of users that you should have access to and you are missing this skipped user because he does not exist in this result set.

Probably one of the reasons you see this user when you move to a higher level org is because the user's new org unit might be under the higher level org unit.

I really don't know how you can view an employee when he was in the previous org unit. Maybe there is a feature in Actions IT 0000 that you can use in your report to deduce employee history and display appropriate results.

However, since this is only a report, does it really hurt if you had P_ABAP with coars 2 for just this report?

Edited by: Kiran S on Aug 4, 2008 7:09 PM
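
A simplified model of the two-stage check discussed in this thread, added here as an illustration; it is not SAP code and not from any poster. The org tree, personnel numbers and dates are constructed, and the model assumes the structural profile is resolved against the org structure on a single key date.

```python
from datetime import date

# Constructed sample data (not from the thread): org tree as child -> parent.
ORG_PARENT = {"SALES": "COMPANY_A", "COMPANY_A": "GROUP",
              "COMPANY_B": "GROUP", "GROUP": None}
FOREVER = date(9999, 12, 31)
# Time-dependent person -> org unit assignments: (pernr, org, begin, end).
ASSIGNMENTS = [
    ("00001001", "SALES", date(2000, 1, 1), FOREVER),
    ("00001002", "SALES", date(2000, 1, 1), date(2008, 6, 30)),
    ("00001002", "COMPANY_B", date(2008, 7, 1), FOREVER),  # transferred
]

def is_under(org, root):
    """True if org is root or sits below it in the org tree."""
    while org is not None:
        if org == root:
            return True
        org = ORG_PARENT[org]
    return False

def structural_set(root, key_date):
    """Persons reachable from the profile's root object on key_date."""
    return {p for p, org, begin, end in ASSIGNMENTS
            if begin <= key_date <= end and is_under(org, root)}

def run_report(selected, infotype_ok, root, key_date):
    """Return (listed, skipped); skipped maps pernr -> failed check."""
    allowed = structural_set(root, key_date)
    listed, skipped = [], {}
    for pernr in selected:
        if pernr not in infotype_ok:
            skipped[pernr] = "infotype"
        elif pernr not in allowed:
            skipped[pernr] = "structural"
        else:
            listed.append(pernr)
    return listed, skipped

if __name__ == "__main__":
    people = ["00001001", "00001002"]
    today = date(2008, 8, 4)  # key date assumed for the illustration
    print(run_report(people, set(people), "SALES", today))  # one skipped
    print(run_report(people, set(people), "GROUP", today))  # none skipped
```

In this model the transferred employee passes the infotype stage and is dropped only by the structural set, and widening the profile root to the higher org unit brings them back.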

Former Member
0 Kudos

Hi Dear

First I would like to appreciate you because whatever you said in this case is very informative and useful to resolve this issue.

Regards

sreenivas.
