Excluded structural profiles in Context authorizat...

Former Member · ‎12-09-2009

I have working context authorizations using p_orgincon and using the BAdI HRBAS00_GET_PROFIL. I have recently tried to add another context authorization. (To simplify I have made a hypothetical scenario)

There are three structural profiles

A. test_01: test_01 uses the top org unit, evaluation path O-S-P, no time limits and maint is not checked (the user should be able to see the

B. test_02 finds the current users org unit and allows changes for all persons assigned to the current org unit including the manager who is a member of his org unit

C. xtest_03 which finds the person id for the logged on user. It is intended to be used with the parameter excluded (e.g. t77UA-excluded = "X" and should exclude the user from changing his own data.

The user role will contain two authorizations for p_orgincon

1. Display all employees for a range of infotypes.

p_orgincon

Auth level R

Infotypes 0001 etc.

auth profile test_01 (A. above)

all other fields *

2. Change all the users in your own org unit

p_orgincon

Auth level W

Infotypes 0001 etc.

auth profile test_02 and xtest_03

all other fields *

The logic of the BAdI (as implemented) properly recognizes that xtest_03 is to be excluded and that is visible in HRAUTH.

The effect of this should be to prevent the assigned user from maintaining his own information. The context authorization is only limiting change access. The first authorization for p_orgincon above doesn't have any limitations

The actual result is that the user can neither see nor change his own access. This is certainly the result one would expect without context authorizations but not with context authorizations.

The upshot is that structural profiles that exclude objects appear to work non-contextually.

Can anyone suggest what I may be doing wrong? (I have several more advanced scenarios that work perfectly in a contextual way but when I add the exclude profile to any one of the authorizations it works completely non-contextually for the exclusion only)

Former Member · ‎12-15-2009

are you sure, HRBAS00_GET_PROFIL works when you have set T77UA? i understood, that it is an alternative to T77UA, not an addition ...

Former Member · ‎12-15-2009

Some SAP documentation suggests that the BaDI is required when using contextual authorizations. I meant to say that it is not actually required. You can activate the BaDI or you can use T77UA for structural authorizations used contextually.

Former Member · ‎12-15-2009

exactly. but can you use both? like i have understood your original post?

Former Member · ‎12-15-2009

I don't know. I haven't tried it. I suspect not but I will try a scenario. I actually used the t77ua-excluded reference in my question but there is a type in the BaDI that has the same excluded parameter that is set in the BaDI for the profile that is to be be excluded. It actually does get excluded but in every context not just the one it is referenced in.

Edited by: Corwin Slack on Dec 15, 2009 9:35 AM

Former Member · ‎12-15-2009

state your settings in table T77PR for all three of your profiles, please.

Former Member · ‎12-15-2009

The structural profiles are very simple

1. 01 O (root organization) evaluation path O-S-P maint = ''.

2. 01 O (local organization) evaluation path O-S-P maint = 'X'

3. 01 P (the person himself ) maint = '' (This is the excluded profile)

These are test profiles. They are very simply defined just for proof of concept.

Excluded structural profiles in Context authorizations (P_ORGINCON)