I have a question regarding transaction CATS_APPR_LITE. Is this transaction intended to be used only by "master" time administrators?
My reason for asking is that I cannot find a way to restrict a user who has access to this transaction from approving their own time. I can restrict this capability when they use CAPS, but the same P_PERNR and/or P_ORGIN authorization object restrictions don't seem to work in CATS_APPR_LITE.
To give you some more background, I've created three levels of security around time entry/approval. The first level restricts the user to only enter their own time. This role is assigned to all users. The second level allows a user to enter time for another employee in the same organizational key. This role is assigned to all managers and admin assistants (in addition to the first level role mentioned previously). The third level allows a user to approve time within their organizational key. This role is assigned to department managers (in addition to the two previously mentioned roles) so they can approve their staff's time but not their own (at least when they use CAPS to approve time). However, we also have CATS_APPR_LITE included in this role so users have an option between the two time approval transactions.
Should we just disallow using CATS_APPR_LITE or am I missing something in my authorization object restrictions? I would think these two time approval transactions would perform identical authority checks but they obviously don't. Does anyone have any suggestions?
Sorry, I did not read your question carefully. Please ignore first answer...
2nd attempt: Run an ST01 trace for both. Click on the P_PERNR check and in the top left corner there is a little "jump to source code" button.
Compare the coding of how the authority checks are made and any comments (or referenced SAP notes).
Cheers,
Julius
Edited by: Julius Bussche on Jun 12, 2009 3:38 PM
Julius, I have played around with P_PERNR in every way imaginable and still cannot get it to work. As I stated, everything works as required when transaction CAPS is used but not when CATS_APPR_LITE is used. I even started from scratch and built a new role with just CATS_APPR_LITE contained within it - and no other P_ORGIN or P_PERNR auth object settings anywhere else in the user account - and still cannot get it to work. As soon as I get all the settings right to allow the user to approve staff time, it then allows them to approve their own time.
Hi,
Please check whether the 2 transactions have the Check Maintained option in common in su24. I don't think it's the same for both the transactions. Hence you are facing the problem related to CATS_APPR_LITE when trying to restrict it the same as CAPS. Instead of controlling it via p_pernr it's better to use object p_orgin in this issue. But how to restrict and in which value can be determined by running a trace against CAPS. It should show p_orgin. Check the values and objects it is checking and then implement the same in su24 for CATS_APPR_LITE. It should work.
Regards
Aveek.
I am relatively new to SAP security and am not very familiar with SU24 yet. Here is what shows for transaction CAPS:
Object | Description | Check indicator | Proposal
P_ABAP | HR: Reporting | Check | NO
P_ORGIN | HR: Master Data | Check | YS
P_PCLX | HR: Clusters | Check | NO
P_PERNR | HR: Master Data - Personnel Number Check | Check | NO
S_ALV_LAYO | ALV Standard Layout | Check | NO
S_CTS_ADMI | Administration Functions in Change and Transport System | Check | NO
S_DATASET | Authorization for file access | Check | NO
S_DEVELOP | ABAP Workbench | Check | NO
S_GUI | Authorization for GUI activities | Check | NO
S_OC_DOC | SAPoffice: Authorization for an Activity with Documents | Check | NO
S_OC_ROLE | SAPoffice: Office User Attribute | Check | NO
S_OC_SEND | Authorization Object for Sending | Check | NO
S_OLE_CALL | OLE calls from ABAP programs | Check | NO
S_TCODE | Transaction Code Check at Transaction Start | Check | NO
And here is what shows for transaction CATS_APPR_LITE:
Object | Description | Check indicator | Proposal
K_VRGNG | CO: Bus. Trans., Actual Postings and Plan/act. Allocations | Check | NO
P_ABAP | HR: Reporting | Check | NO
P_CATSXT | HR: Time Sheet for Service Providers Type/ Level Check | Check | NO
P_ORGIN | HR: Master Data | Check | NO
P_ORGINCON | HR: Master Data with Context | Check | NO
P_PCLX | HR: Clusters | Check | NO
P_PERNR | HR: Master Data - Personnel Number Check | Check | NO
P_TRAVL | Travel Expenses | Check | NO
PLOG | Personnel Planning | Check | NO
S_ALV_LAYO | ALV Standard Layout | Check | NO
S_BDS_DS | BC-SRV-KPR-BDS: Authorizations for Document Set | Check | NO
S_BTCH_ADM | Background Processing: Background Administrator | Check | NO
S_BTCH_JOB | Background Processing: Operations on Background Jobs | Check | NO
S_CTS_ADMI | Administration Functions in Change and Transport System | Check | NO
S_DATASET | Authorization for file access | Check | NO
S_DEVELOP | ABAP Workbench | Check | NO
S_DOKU_AUT | SE61 Documentation Maintenance Authorization | Check | NO
S_GUI | Authorization for GUI activities | Check | NO
S_OC_DOC | SAPoffice: Authorization for an Activity with Documents | Check | NO
S_OC_ROLE | SAPoffice: Office User Attribute | Check | NO
S_OC_SEND | Authorization Object for Sending | Check | NO
S_PRO_AUTH | IMG: New authorizations for projects | Check | NO
S_RFC | Authorization Check for RFC Access | Check | NO
S_SPO_DEV | Spool: Device authorizations | Check | NO
S_TABU_DIS | Table Maintenance (via standard tools such as SM30) | Check | NO
S_TCODE | Transaction Code Check at Transaction Start | Check | NO
S_TRANSLAT | Translation environment authorization object | Check | NO
S_TRANSPRT | Transport Organizer | Check | NO
It looks like both P_ORGIN and P_PERNR are being checked in both transactions. Am I reading this right?
Hi,
The list is long enough but if we view it discretely we find there is no "Yes" so I guess none of the fields for this transaction are check maintained. Hence it's not behaving the way like CAPS. For CAPS I guess there you will find at least one Yes (my guess p_orgin or p_pernr). It won't be wise to make the p_orgin Yes for CATS_APPR_LITE and function as CAPS as it's not a customised Tcode. Hence try to provide same values to p_orgin or p_pernr for CATS_APPR_LITE as in CAPS and check the output using ST01 trace.
1. Check su24 for CAPS
2. Find the auth object that is Yes.
3. Check the values for that object against CAPS.
4. Use the same values in CATS_APPR_LITE.
There is a possibility it won't work as all auth objects are NO for CATS_APPR_LITE in your su24.
Let me know if you understand my above details.
Regards
Aveek.
Aveek,
My apologies on the formatting of my previous post. I could not figure out how to format it so it was more readable. I actually included the SU24 settings for both CAPS and CATS_APPR_LITE in the previous post. In CAPS, P_ORGIN is set to "Check / Yes", while in CATS_APPR_LITE it is set to "Check / No". I'm not sure what you mean by step 3 - "Check the values for that object against CAPS". I have both of these tcodes included in the same role - is that what you mean?
Hi,
So my guess that it should be Yes for P_Orgin was at par with your settings :). Now to make CATS_APPR_LITE behave the same way in su24 you need to make it Yes. Since both the txns are in the same role, after you make CATS_APPR_LITE Yes in su24 you need to include the txn again in the role after removing it to make the su24 changes effective. In su24 you will need to give the transport number for Work Bench Request. It will automatically pop up when you make the change in su24 and then remove the txn CATS_APPR_LITE and add again in Dev System. Test whether it is working as you need. If not please let me know.
Regards
Aveek.
Aveek,
I followed your instructions per your last post. However, even though CAPS prevents me from approving my own time, CATS_APPR_LITE still allows it. Any further suggestions?
I created a new role that just contains CATS_APPR_LITE. I've removed all other P_PERNR and P_ORGIN access from my user account except for what is contained within this newly created role. In fact, I have no P_PERNR access at all and only the following P_ORGIN access in the new role. It still allows me to approve my own time. Could it be simply a matter of the fact that I am in the same organizational key as the people I need to approve, and since I've given myself the ability to approve their time, by default I have the ability to approve my time? FYI, I'm using the same logic for transaction CAPS and it works as desired - I can approve other people's time but not my own. Is my organizational key logic what's causing the issue? If so, I do not know of any other way to set everything up so that all employees can enter their own time, but only select employees can enter and approve their subordinates' time, but cannot approve their own time.

AUTHC <FLD> Authorization level
D
INFTY <FLD> Infotype
0328
PERSA <FLD> Personnel Area
PERSG <FLD> Employee Group
*
PERSK <FLD> Employee Subgroup
SUBTY <FLD> Subtype
' '
VDSK1 <FLD> Organizational Key
10000000004141
10000000004142
10000000004143
10000000004144
20000000004141
30000000004141
40000000004141
50000000004141
60000000004141
___________________________________________________________
AUTHC <FLD> Authorization level
R
INFTY <FLD> Infotype
0000
0001
0002
PERSA <FLD> Personnel Area
PERSG <FLD> Employee Group
PERSK <FLD> Employee Subgroup
SUBTY <FLD> Subtype
' '
VDSK1 <FLD> Organizational Key
10000000004141
10000000004142
10000000004143
10000000004144
20000000004141
30000000004141
40000000004141
50000000004141
60000000004141
Hi,
See, the Organization structure and the position mapping can be referred to in po13. But one thing that can be done here is that we need to run a trace for CAPS. Find out the authorization objects that are coming up starting with p* (e.g. p_orgin, p_pernr etc.). Find out the values it refers to in the fields like Infotype, subtype etc. Get into the role which only has the CATS* txn and give the same values.
Regards
Aveek.
I ran traces for both CAPS and CATS_APPR_LITE while trying to approve my own time. For CAPS, there appear to be several more auth checks performed than with CATS_APPR_LITE. I'm not sure I understand the significance of lines with RC=0 versus RC=4. Are RC=4 lines auth checks that failed? How do I determine which auth values to include?
Here are the trace results for CAPS:
P_ABAP RC=4 REPID=RCATSC01;COARS=2;
P_ABAP RC=0 REPID=SAPDBPNP;COARS=2;
P_PERNR RC=4 AUTHC=R;PSIGN=*;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=R;PSIGN=E;INFTY=0328;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=4 INFTY=0328;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=4 AUTHC=R;PSIGN=*;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=R;PSIGN=E;INFTY=0328;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=I;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=R;PSIGN=*;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=R;PSIGN=E;INFTY=0328;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=I;INFTY=0328;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';
P_ORGIN RC=4 INFTY=0000;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';
P_ORGIN RC=4 INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';
P_ORGIN RC=4 INFTY=0002;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';
P_ORGIN RC=4 INFTY=0007;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';
P_PCLX RC=0 RELID=B2;AUTHC=R;
P_PCLX RC=0 RELID=B2;AUTHC=R;
P_PCLX RC=0 RELID=B2;AUTHC=R;
P_PCLX RC=0 RELID=B2;AUTHC=R;
S_ALV_LAYO RC=0 ACTVT=23;
S_GUI RC=0 ACTVT=61;
S_GUI RC=0 ACTVT=61;
P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=4 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=1000;PERSG=2;PERSK=01;VDSK1=10000000004141;
P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=2000;PERSG=2;PERSK=01;VDSK1=10000000004141;
P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=2002;SUBTY=0800;
P_PERNR RC=0 AUTHC=D;PSIGN=E;INFTY=2002;SUBTY=0800;
P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=2002;SUBTY=0800;
P_PERNR RC=0 AUTHC=D;PSIGN=E;INFTY=2002;SUBTY=0800;
P_ORGIN RC=0 INFTY=2002;SUBTY=0800;AUTHC=D;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=2002;SUBTY=0800;
P_PERNR RC=0 AUTHC=D;PSIGN=E;INFTY=2002;SUBTY=0800;
Here is the trace for CATS_APPR_LITE:
P_ABAP RC=4 REPID=RCATS_APPROVE_ACTIVITIES;COARS=2;
P_ABAP RC=0 REPID=SAPDBPNP;COARS=2;
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';
P_ORGIN RC=4 INFTY=0000;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';
P_ORGIN RC=4 INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0001;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';
P_ORGIN RC=4 INFTY=0002;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0002;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';
P_ORGIN RC=4 INFTY=0007;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0007;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=4 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=E;INFTY=0328;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=1000;PERSG=2;PERSK=01;VDSK1=10000000004141;
P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=2000;PERSG=2;PERSK=01;VDSK1=10000000004141;
S_ALV_LAYO RC=0 ACTVT=23;
S_ALV_LAYO RC=0 ACTVT=23;
S_GUI RC=0 ACTVT=61;
Hi,
Your settings should match the value
P_ORGIN RC=4 INFTY=0328;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
You need to restrict the role containing the CATS* transaction and remove values "R" (Authc) from it in p_orgin to get it restricted. Check it and let me know.
Regards
Aveek.
Hi,
You may also refer to this thread "CATS Timesheet creator and approver" for checking the settings needed in p_orgin and p_pernr as an example against CATS*
Regards
Aveek.
Hi,
The process that is to be followed is:
Check for the objects for CAPS for which RC=4. Compare that with CATS* RC=4. We need to make those the same. As with CAPS you are getting RC=4, which means you are restricted on that. The same restriction needs to be followed for CATS*. Hope this will help.
Regards
Aveek.
I'm still not sure I understand what needs to be done. In comparing the traces between CAPS and CATS_APPR_LITE, it appears there are 4 auth checks that are being executed in CAPS that aren't even being checked in CATS_APPR_LITE.
P_PERNR AUTHC=R; PSIGN=*; INFTY=0328; SUBTY=' '
P_PERNR AUTHC=R; PSIGN=E; INFTY=0328; SUBTY=' '
P_ORGIN AUTHC=R; INFTY=0328; PERSA=; PERSG=; PERSK=; SUBTY=' '; VDSK1=
P_PERNR AUTHC=D; PSIGN=*; INFTY=2002; SUBTY=0800
All of the other auth checks in CAPS with RC=4 are behaving the same in CATS_APPR_LITE. It's actually the 4th auth check shown above that I'm wondering is the culprit as this is one of the last checks done before I get the "not authorized" popup within CAPS.
FYI, I ran traces against CATS_APPR_LITE for both approving my own time and for approving someone else's time. I found it interesting that the trace showed about a dozen additional auth checks that were done for approving someone else's time versus approving my own time. Why would that be? I would think there would be more checks for trying to approve your own time. I'll admit I'm thoroughly confused on this whole issue now.
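The by-hand comparison of the two ST01 traces in the post above can be scripted. This is an added example, not part of any post in this thread: it parses trace lines in the format pasted here (RC=0 is a check that passed, a non-zero RC such as 4 one that failed) and lists the checks that failed in one trace and were never evaluated in the other. The sample lines are abridged from the traces posted above; the function names are illustrative.

```python
import re

# One trace line as pasted in this thread: OBJECT RC=<n> FIELD=value;FIELD=value;
LINE = re.compile(r"^(\S+)\s+RC=(\d+)\s+(.*)$")

# Sample input: a few lines abridged from the two traces posted above.
CAPS_SAMPLE = """\
P_PERNR RC=4 AUTHC=R;PSIGN=*;INFTY=0328;SUBTY=' ';
P_PERNR RC=0 AUTHC=R;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=4 INFTY=0328;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=1000;PERSG=2;PERSK=01;VDSK1=10000000004141;
P_PERNR RC=4 AUTHC=D;PSIGN=*;INFTY=2002;SUBTY=0800;
P_PERNR RC=0 AUTHC=D;PSIGN=E;INFTY=2002;SUBTY=0800;
"""
LITE_SAMPLE = """\
P_PERNR RC=0 AUTHC=R;PSIGN=*;INFTY=0000;SUBTY=' ';
P_PERNR RC=4 AUTHC=D;PSIGN=I;INFTY=0328;SUBTY=' ';
P_ORGIN RC=0 INFTY=0328;SUBTY=' ';AUTHC=D;PERSA=1000;PERSG=2;PERSK=01;VDSK1=10000000004141;
S_GUI RC=0 ACTVT=61;
"""

def parse(trace):
    """Map each distinct check (object + field values) to the set of RCs seen."""
    checks = {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or non-trace lines
        obj, rc, rest = m.groups()
        pairs = [p.split("=", 1) for p in rest.split(";") if "=" in p]
        # Sort fields so the same check matches regardless of field order.
        key = (obj, ";".join(f"{k.strip()}={v}" for k, v in sorted(pairs)))
        checks.setdefault(key, set()).add(int(rc))
    return checks

def failed_only_in(a, b):
    """Checks that failed (RC != 0) in trace a and were never evaluated in b."""
    return sorted(k for k, rcs in a.items() if rcs - {0} and k not in b)

def outcome_differs(a, b):
    """Checks evaluated in both traces but with different sets of return codes."""
    return sorted(k for k in a.keys() & b.keys() if a[k] != b[k])

if __name__ == "__main__":
    caps, lite = parse(CAPS_SAMPLE), parse(LITE_SAMPLE)
    for obj, fields in failed_only_in(caps, lite):
        print("failed in CAPS, not checked in CATS_APPR_LITE:", obj, fields)
```

Field values are kept verbatim, so a check on an empty value (`PERSA=`) and one on a blank value (`PERSA= `) stay distinct, as they are in the traces above.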
Hi,
Please copy the values of p_orgin and p_pernr or other common p* objects of the role which is having the CAPS txn into the role for CATS*.
1. Check the p* objects in role which has CAPS.
2. Find out the p* objects in role for CATS*
3. Insert the same values which CAPS role has in p* objects.
Regards
Aveek.
Aveek,
The issue I have is that both of these transactions - CAPS and CATS_APPR_LITE - are already in the same role, so they already share common values for all p* objects, and it still does not work.
Hi,
I was thinking to separate the CATS* transaction to a new role and asking to check all these traces and authorizations actually. In the same role it will be difficult as both CAPS and CATS* have different coding.
Regards
Aveek.
Sorry, I should have clarified my previous post. I ran the traces for each while they were in separate roles to get the differences but since all of the auth checks were the same except for the extra ones when tracing CAPS, there didn't seem to be a need to make any changes in the separate CATS* role.