Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Bypass P_orgin auth check for standard MSS reporting

Former Member

‎08-05-2008 1:20 PM

0 Kudos

Hi SAPers,

on my HR system, I have 2 types of users : ESS/MSS users (via portal) and backend users (via sapgui).

ESS/MSS role does not contain any P_ORGIN authorization because it should be added to their authorizations if they are also backend users.

The problem is coming from standard MSS reports : the "time statement overview" among other report needs P_ORGIN (IT 0, 1, 2, 7, 8, ...) !

Is there a way to bypass the standard authorization check for MSS reports ?

Thanks in advance,

Olivier.

8 REPLIES 8

jurjen_heeck
Active Contributor

‎08-05-2008 1:36 PM

0 Kudos

> ESS/MSS role does not contain any P_ORGIN authorization because it should be added to their authorizations if they are also backend users.

Please tell us more about this statement. I do not understand what you mean here. Why can't your portal users have a P_ORGIN authorization in their role/profile?

Former Member

‎08-05-2008 1:52 PM

0 Kudos

Example :

Portal Role for ESS user contains P_ORGIN for IT 0006 (Address)

Backend Role for backend user contains P_ORGIN for IT 0002 (Personal data) ... and S_TCODE for PA30 of course.

The backend user, who is also an ESS user, can manage IT 0006, which is not foreseen in the backend role.

I use P_PERNR for the portal role to manage access to infotype.

jurjen_heeck
Active Contributor
In response to Former Member

‎08-05-2008 2:03 PM

0 Kudos

Ah, I see. Unfortunately my knowledge about HR authorizations falls short here. Let's hope someone else can help you out.

Former Member
In response to Former Member

‎08-05-2008 4:40 PM

0 Kudos

> 

> Example :
> 
> Portal Role for ESS user contains P_ORGIN for IT 0006 (Address)
> 
> Backend Role for backend user contains P_ORGIN for IT 0002 (Personal data) ... and S_TCODE for PA30 of course.
> 
> The backend user, who is also an ESS user, can manage IT 0006, which is not foreseen in the backend role.
> 
> I use P_PERNR for the portal role to manage access to infotype.

I see two issues here:

1. ESS is NOT setup correctly.

- You don't need P_ORGIN for ESS. You only need P_PERNR. The trace might even show an error looking for P_ORGIN but you do not need it. This is an example of a role I have using ESS services for addresses. I don't have P_ORGIN, P_ORGINCON or P_ORIGXXCON. Do NOT use PA30, for ESS, that is very dangerous. The ESS services can be added to a role and should be use for ESS.

Here is an example of what I have:

Manually HR: Master Data - Personnel Number Check P_PERNR

Manually Address Change - Permanent and Emergency

Authorization level D, E, M, S, W AUTHC

Infotype 0006 INFTY

Interpretation of assigned per I PSIGN

Subtype * SUBTY

2. MSS - I can't find the service for the report you are looking for. If you provide the MSS service I can run some traces and probably help you isolate your problem. Example of an MSS service (sap.com/mss~pla/PlanningPrimaryCosts).

I hope I didn't sound too harsh; I am just trying to help.

Regards,

-John N.

Edited by: John Navarro on Aug 5, 2008 5:46 PM

Former Member

‎08-05-2008 4:21 PM

0 Kudos

Could you just create an IVIEW to PA30 and give them P_ORGIN in R/3 without giving them their password.

Former Member
In response to Former Member

‎08-05-2008 4:45 PM

0 Kudos

> 

> Could you just create an IVIEW to PA30 and give them P_ORGIN in  R/3 without giving them their password.

Do NOT use PA30 for ESS. Use the External Service "WEBDYNPRO" for ESS services in the SAPGUI role generation. We are running ECC 6.0.

Former Member

‎08-06-2008 9:02 AM

0 Kudos

I don't use PA30 for ESS role, only for HR admin roles (what I have called 'backend role').

The problem is that HR admin users are also ESS users and both authorizations are combined.

I use only P_PERNR for my ESS role and it worked perfectly.

The problem comes from a new report for manager (MSS) that works only with P_ORGIN.

But I have detected where the problem come from. I thought that it was a standard MSS service, that was my mistake.

To give an answer to John Navarro, I have search the name of the service and found that it was a copy of an ESS service, modified to be used by manager. It has to read the time statements for the members of his team and that's now evident that it needs P_ORGIN.

The problem is now back on the developper's desk !

Thank you all for your help.

Former Member
In response to Former Member

‎08-06-2008 3:34 PM

0 Kudos

> 

> I don't use PA30 for ESS role, only for HR admin roles (what I have called 'backend role').
> 
> But I have detected where the problem come from. I thought that it was a standard MSS service, that was my mistake.
> To give an answer to John Navarro, I have search the name of the service and found that it was a copy of an ESS service, modified to be used by manager. It has to read the time statements for the members of his team and that's now evident that it needs P_ORGIN.
> 
> The problem is now back on the developper's desk !
> 
> Thank you all for your help.

PA30 on HR admin role and a modified ESS service, that explains it! Good Luck!