20 Replies Latest reply: Jun 17, 2009 3:50 PM by Michael Chohrach RSS

CATS_APPR_LITE - restricting ability to approve own time

Michael Chohrach
Currently Being Moderated

I have a question regarding transaction CATS_APPR_LITE.  Is this transaction intended to be used only by "master" time administrators?

My reason for asking is that I cannot find a way to restrict a user who has access to this transaction from approving their own time.  I can restrict this capability when they use CAPS, but the same P_PERNR and/or P_ORGIN authorization objects restrictions don't seem to work in CATS_APPR_LITE.  To give you some more background, I've created three levels of security around time entry/approval.  The first level restricts the user to only enter their own time.  This role is assigned to all users.  The second level allows a user to enter time for another employee in the same organizational key.  This role is assigned to all managers and admin assistants (in addition to the first level role mentioned previously).  The third level allows a user to approve time within their organizational key.  This role is assigned to department managers (in addition to the two previously mentioned roles) so they can approve their staff's time but not their own (at least when they use CAPS to approve time).  However, we also have CATS_APPR_LITE included in this role so users have an option between the two time approval transactions.  Should we just disallow using CATS_APPR_LITE or am I missing something in my authorization object restrictions?  I would think these two time approval transactions would perform identical authority checks but they obviously don't.  Does anyone have any suggestions?

  • Re: CATS_APPR_LITE - restricting ability to approve own time
    Julius von dem Bussche
    Currently Being Moderated

    Sorry, I did not read your question carefully. Please ignore first answer...

     

    2nd attempt: Run an ST01 trace for both. Click on the P_PERNR check and in the top left corner there is a little "jump to source code" button.

     

    Compare the coding of how the authority checks are made and any comments (or referenced SAP notes).

     

    Cheers,

    Julius

     

    Edited by: Julius Bussche on Jun 12, 2009 3:38 PM

     

    Edited by: Julius Bussche on Jun 12, 2009 3:40 PM

    • Re: CATS_APPR_LITE - restricting ability to approve own time
      Michael Chohrach
      Currently Being Moderated

      Julius, I have played around with P_PERNR in every way imaginable and still cannot get it to work.  As I stated, everything works as required when transaction CAPS is used but not when CATS_APPR_LITE.  I even started from scratch and built a new role with just CATS_APPR_LITE contained within it - and no other P_ORGIN or P_PERNR auth object settings anywhere else in the user account - and still can not get it to work.  As soon as I get all the settings right to allow the user to approve staff time, it then allows them to approve their own time.

      • Re: CATS_APPR_LITE - restricting ability to approve own time
        Aveek Basu
        Currently Being Moderated

        Hi,

         

        Please check whether the 2 transactions have the Check Maintained option common in su24. I dont think its same for both the transactions. Hence you are facing the problem related to CATS_APPR_LITE trying to restrict it the same as CAPS. Instead of controlling it via p_pernr its better to use object p_orgin in this issue. But how to restrict and in which value can be determined by running a trace against CAPS. It should show p_orgin. Check the values and objects it is checking and then implement the same in su24 for CATS_APPR_LITE. It should work.

         

        Regards

        Aveek.

        • Re: CATS_APPR_LITE - restricting ability to approve own time
          Michael Chohrach
          Currently Being Moderated

          I am relatively new to SAP security and am not very familiar with SU24 yet.  Here is what shows for transaction CAPS:

          P_ABAP                     HR: Reporting                                                                 Check     NO

          P_ORGIN                     HR: Master Data                                                                 Check     YS

          P_PCLX                     HR: Clusters                                                                 Check     NO

          P_PERNR                     HR: Master Data - Personnel Number Check                 Check     NO

          S_ALV_LAYO           ALV Standard Layout                                                                 Check     NO

          S_CTS_ADMI     Administration Functions in Change and Transport System       Check     NO

          S_DATASET     Authorization for file access                                                 Check     NO

          S_DEVELOP     ABAP Workbench                                                                 Check     NO

          S_GUI                     Authorization for GUI activities                                                 Check     NO

          S_OC_DOC     SAPoffice: Authorization for an Activity with Documents            Check     NO

          S_OC_ROLE     SAPoffice: Office User Attribute                                                 Check     NO

          S_OC_SEND     Authorization Object for Sending                                                 Check     NO

          S_OLE_CALL     OLE calls from ABAP programs                                                 Check     NO

          S_TCODE                     Transaction Code Check at Transaction Start                           Check     NO

           

          And here is what shows for transaction CATS_APPR_LITE:

          K_VRGNG                     CO: Bus. Trans., Actual Postings and Plan/act. Allocations      Check     NO

          P_ABAP                     HR: Reporting                                                                 Check     NO

          P_CATSXT     HR: Time Sheet for Service Providers Type/ Level Check           Check     NO

          P_ORGIN                     HR: Master Data                                                                 Check     NO

          P_ORGINCON     HR: Master Data with Context                                                 Check     NO

          P_PCLX                     HR: Clusters                                                                 Check     NO

          P_PERNR                     HR: Master Data - Personnel Number Check                 Check     NO

          P_TRAVL                     Travel Expenses                                                                 Check     NO

          PLOG                     Personnel Planning                                                                 Check     NO

          S_ALV_LAYO     ALV Standard Layout                                                                 Check     NO

          S_BDS_DS     BC-SRV-KPR-BDS: Authorizations for Document Set                 Check     NO

          S_BTCH_ADM     Background Processing: Background Administrator                 Check     NO

          S_BTCH_JOB     Background Processing: Operations on Background Jobs          Check     NO

          S_CTS_ADMI     Administration Functions in Change and Transport System        Check     NO

          S_DATASET     Authorization for file access                                                 Check     NO

          S_DEVELOP     ABAP Workbench                                                                 Check     NO

          S_DOKU_AUT     SE61 Documentation Maintenance Authorization                 Check     NO

          S_GUI                     Authorization for GUI activities                                                 Check     NO

          S_OC_DOC     SAPoffice: Authorization for an Activity with Documents            Check     NO

          S_OC_ROLE     SAPoffice: Office User Attribute                                                 Check     NO

          S_OC_SEND     Authorization Object for Sending                                                 Check     NO

          S_PRO_AUTH     IMG: New authorizations for projects                                 Check     NO

          S_RFC                     Authorization Check for RFC Access                                 Check     NO

          S_SPO_DEV     Spool: Device authorizations                                                 Check     NO

          S_TABU_DIS     Table Maintenance (via standard tools such as SM30)                 Check     NO

          S_TCODE                     Transaction Code Check at Transaction Start                 Check     NO

          S_TRANSLAT     Translation environment authorization object                                 Check     NO

          S_TRANSPRT     Transport Organizer                                                                 Check     NO

           

          It looks like both P_ORGIN and P_PERNR are being checked in both transactions.  Am I reading this right?

          • Re: CATS_APPR_LITE - restricting ability to approve own time
            Aveek Basu
            Currently Being Moderated

            Hi,

             

            The list is long enough but if we view it discreetely we find there is no "Yes" so i guess none of the fields for this transaction are check maintained. Hence its not behaving the way like CAPS. For CAPS i guess there you will find at least one Yes (my guess p_orgin or p_pernr). It wont be wise to make the p_orgin Yes for CATS_APPR_LITE and function as CAPS as its not a customised T-code. Hence try to provide same values to p_orgin or p_pernr for CATS_APPR_LITE as in CAPS and check the output using ST01 trace.

             

            1. Check su24 for CAPS

            2. Find the auth object that is Yes.

            3. Check the values for that object against CAPS.

            4. Use the same values in CATS_APPR_LITE.

             

            There is a possibility it wont work as all auth objects are NO for CATS_APPR_LITE in ur su24.

            Let me know if u understand my above details.

             

            Regards

            Aveek.

            • Re: CATS_APPR_LITE - restricting ability to approve own time
              Michael Chohrach
              Currently Being Moderated

              Aveek,

               

              My apologies on the formatting of my previous post.  I could not figure out how to format it so it was more readable.  I actually included the SU24 settings for both CAPS and CATS_APPR_LITE in the previous post.  In CAPS, P_ORGIN is set to "Check / Yes", while in CATS_APPR_LITE it is set to "Check / No".  I'm not sure what you mean by step 3 - "Check the values for that object against CAPS".  I have both of these tcodes included in the same role - is that what you mean?

              • Re: CATS_APPR_LITE - restricting ability to approve own time
                Aveek Basu
                Currently Being Moderated

                Hi,

                 

                So my guess that it should be Yes for P_Orgin was at par with ur settings :-). Now to make CATS_APPR_LITE behave the same way in su24 you need to make it Yes. Since both the txns are in same role after you make CATS_APPR_LITE -Yes in su24 you need to include the txn again in the role after removing it to make the su24 changes effective. In su24 you will need to give the transport number for Work Bench Request. It will automatically pop up when u make the change in su24 and then remove the txn CATS_APPR_LITE and add again in Dev System. Test whether it is working as you need. If not please let me know.

                 

                Regards

                Aveek.

                • Re: CATS_APPR_LITE - restricting ability to approve own time
                  Michael Chohrach
                  Currently Being Moderated

                  Aveek,

                   

                  I followed your instructions per your last post.  However, even though CAPS prevents me from approving my own time, CATS_APPR_LITE still allows it.  Any further suggestions?

                  • Re: CATS_APPR_LITE - restricting ability to approve own time
                    Michael Chohrach
                    Currently Being Moderated

                    I created a new role that just contains CATS_APPR_LITE.  I've removed all other P_PERNR and P_ORGIN access from my user account except for what is contained within this newly created role.  In fact, I have no P_PERNR access at all and only the following P_ORGIN access in the new role.  It still allows me to approve my own time.  Could it be simply a matter of the fact that I am in the same organizational key as the people I need to approve, and since I've given myself the ability to approve their time, by default I have the ability to approve my time?  FYI, I'm using the same logic for transaction CAPS and it works as desired - I can approve other people's time but not my own.  Is my organizational key logic what's causing the issue?  If so, I do not know of any other way to set everything up so that all employees can enter their own time, but only select employees can enter and approve their subordinates time, but cannot approve their own time.

                     

                    -


                    AUTHC      <FLD> Authorization level

                        D                               

                                                       

                    INFTY      <FLD> Infotype           

                        0328                            

                     

                    PERSA      <FLD> Personnel Area     

                         

                    •                                 

                     

                    PERSG      <FLD> Employee Group     

                        *

                     

                    PERSK      <FLD> Employee Subgroup  

                         

                    •                                 

                     

                    SUBTY      <FLD> Subtype            

                        ' '                          

                     

                    VDSK1      <FLD> Organizational Key                                      

                        10000000004141                  

                        10000000004142                  

                        10000000004143                  

                        10000000004144                  

                        20000000004141                  

                        30000000004141                  

                        40000000004141                  

                        50000000004141                  

                        60000000004141      

                    ___________________________________________________________

                     

                    AUTHC      <FLD> Authorization level 

                        R                                

                                                           

                    INFTY      <FLD> Infotype            

                        0000                             

                        0001                             

                        0002                             

                                                           

                    PERSA      <FLD> Personnel Area      

                         

                    •                                  

                                                           

                    PERSG      <FLD> Employee Group      

                         

                    •                                  

                                                           

                    PERSK      <FLD> Employee Subgroup   

                         

                    •                                  

                                                           

                    SUBTY      <FLD> Subtype             

                         ' '                              

                                                           

                    VDSK1      <FLD> Organizational Key  

                        10000000004141                   

                        10000000004142                   

                        10000000004143                   

                        10000000004144                   

                        20000000004141                   

                        30000000004141                   

                        40000000004141                   

                        50000000004141                   

                        60000000004141

                    • Re: CATS_APPR_LITE - restricting ability to approve own time
                      Aveek Basu
                      Currently Being Moderated

                      Hi,

                       

                      See the Organization stucture and the position mapping can be referred to po13. But one thing can be done here is that we need to run a trace for CAPS. Find out the authorization objects that the coming starting with p* eg (p_orgin, p_pernr) etc.Find out the values it refers to in the fields like Infotype, subtype etc. Get into the role which only have CATS* txn and give the same values.

                       

                       

                      Regards

                      Aveek.

                      • Re: CATS_APPR_LITE - restricting ability to approve own time
                        Michael Chohrach
                        Currently Being Moderated

                        I ran traces for both CAPS and CATS_APPR_LITE while trying to approve my own time.  For CAPS, there appears to be several more auth checks performed than with CATS_APPR_LITE.  I'm not sure I understand the significance of lines with RC=0 versus RC=4.  Are RC=4 lines auth checks that failed?  How do I determine which auth values to include?

                         

                        Here is the trace results for CAPS:

                         

                        P_ABAP     RC=4      REPID=RCATSC01;COARS=2;

                        P_ABAP     RC=0  REPID=SAPDBPNP;COARS=2;                                     

                        P_PERNR    RC=4  AUTHC=R;PSIGN=*;INFTY=0328;SUBTY=' ';                       

                        P_PERNR    RC=4  AUTHC=R;PSIGN=E;INFTY=0328;SUBTY=' ';                       

                        P_PERNR    RC=0  AUTHC=R;PSIGN=I;INFTY=0328;SUBTY=' ';                       

                        P_ORGIN    RC=4  INFTY=0328;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

                        P_PERNR    RC=4  AUTHC=R;PSIGN=*;INFTY=0328;SUBTY=' ';                       

                        P_PERNR    RC=4  AUTHC=R;PSIGN=E;INFTY=0328;SUBTY=' ';                       

                        P_PERNR    RC=0  AUTHC=R;PSIGN=I;INFTY=0328;SUBTY=' ';                       

                        P_PERNR    RC=4  AUTHC=R;PSIGN=*;INFTY=0328;SUBTY=' ';                       

                        P_PERNR    RC=4  AUTHC=R;PSIGN=E;INFTY=0328;SUBTY=' ';                       

                        P_PERNR    RC=0  AUTHC=R;PSIGN=I;INFTY=0328;SUBTY=' ';                       

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';                       

                        P_ORGIN    RC=4  INFTY=0000;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';                       

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';                       

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';                       

                        P_ORGIN    RC=4  INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';                       

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';                       

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';                       

                        P_ORGIN    RC=4  INFTY=0002;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';                       

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';                       

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';                       

                        P_ORGIN    RC=4  INFTY=0007;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';                       

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';                       

                        P_PCLX     RC=0  RELID=B2;AUTHC=R;                                           

                        P_PCLX     RC=0  RELID=B2;AUTHC=R;                                           

                        P_PCLX     RC=0  RELID=B2;AUTHC=R;                                           

                        P_PCLX     RC=0  RELID=B2;AUTHC=R;                                           

                        S_ALV_LAYO RC=0  ACTVT=23;

                        S_GUI      RC=0  ACTVT=61;

                        S_GUI      RC=0  ACTVT=61;

                        P_PERNR    RC=4  AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';                                        

                        P_ORGIN    RC=4  INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=;PERSG=;PERSK=;VDSK1=;                

                        P_PERNR    RC=4  AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';                                        

                        P_ORGIN    RC=0  INFTY=0328;SUBTY=' ';AUTHC=D;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;                

                        P_PERNR    RC=4  AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';                                        

                        P_ORGIN    RC=0  INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=1000;PERSG=2;PERSK=01;VDSK1=10000000004141;

                        P_ORGIN    RC=0  INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=2000;PERSG=2;PERSK=01;VDSK1=10000000004141;

                        P_PERNR    RC=4  AUTHC=D;PSIGN=*;INFTY=2002;SUBTY=0800;                                       

                        P_PERNR    RC=0  AUTHC=D;PSIGN=E;INFTY=2002;SUBTY=0800;                                       

                        P_PERNR    RC=4  AUTHC=D;PSIGN=*;INFTY=2002;SUBTY=0800;                                       

                        P_PERNR    RC=0  AUTHC=D;PSIGN=E;INFTY=2002;SUBTY=0800;                                       

                        P_ORGIN    RC=0  INFTY=2002;SUBTY=0800;AUTHC=D;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;               

                        P_PERNR    RC=4  AUTHC=D;PSIGN=*;INFTY=2002;SUBTY=0800;                                       

                        P_PERNR    RC=0  AUTHC=D;PSIGN=E;INFTY=2002;SUBTY=0800;                                       

                         

                         

                        Here is the trace for CATS_APPR_LITE:

                         

                        P_ABAP     RC=4  REPID=RCATS_APPROVE_ACTIVITIES;COARS=2;                                      

                        P_ABAP     RC=0  REPID=SAPDBPNP;COARS=2;                                                      

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';                                        

                        P_ORGIN    RC=4  INFTY=0000;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;                

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';                                        

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';                                        

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';                                        

                        P_ORGIN    RC=4  INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;                

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';                                        

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';                                        

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';                                        

                        P_ORGIN    RC=4  INFTY=0002;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;                

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';                                        

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';                                        

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';                                        

                        P_ORGIN    RC=4  INFTY=0007;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;                

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';                                        

                        P_PERNR    RC=0  AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';                                        

                        P_ORGIN    RC=4  INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=;PERSG=;PERSK=;VDSK1=;                

                        P_PERNR    RC=4  AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';                                        

                        P_ORGIN    RC=0  INFTY=0328;SUBTY=' ';AUTHC=D;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;                

                        P_PERNR    RC=4  AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';                                        

                        P_PERNR    RC=4  AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';                                        

                        P_ORGIN    RC=0  INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=1000;PERSG=2;PERSK=01;VDSK1=10000000004141;

                        P_ORGIN    RC=0  INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=2000;PERSG=2;PERSK=01;VDSK1=10000000004141;

                        S_ALV_LAYO RC=0  ACTVT=23;

                        S_ALV_LAYO RC=0  ACTVT=23;

                        S_GUI      RC=0  ACTVT=61;

  • Re: CATS_APPR_LITE - restricting ability to approve own time
    Aveek Basu
    Currently Being Moderated

    Hi,

     

    You may also refer to this thread "CATS Timesheet creator and approver" for checking the settings needed in p_orgin and p_pernr as an example against CATS*

     

    Regards

    Aveek.

  • Re: CATS_APPR_LITE - restricting ability to approve own time
    Aveek Basu
    Currently Being Moderated

    Hi,

     

    The process that is to be followed is:

     

    Check for the objects for CAPS for which RC=4. Compare that with CATS* RC=4. We need to make those same. As with CAPS you are getting RC=4 means u are restricted on that. The same restriction needs to be follwed for CATS*. Hope this will help.

     

    Regards

    Aveek.

Actions