09-08-2010 9:38 PM
Hello, I have a requirement where HR staff should have access to update all infotypes except on their own master data record. In other words, one cannot change/maintain their own data. They can continue to have display access though. I was hoping there was something within auth object P_ORGIN, but no such luck. If you have come across a similar requirement, please advise.
09-09-2010 2:30 PM
Hi,
Use P_PERNR in addition to P_ORGIN and maintain IT0105 Subtype 0001 for this to work.
Thanks,
SS
Edited by: sun on Sep 9, 2010 3:32 PM
09-08-2010 10:38 PM
Auth object P_ORGIN:
Use the above with P_PERNR.
Look at the SAP example below: I is for own, E is for all others except administrator (own data).
1. A personnel administrator, who processes the basic pay for all employees, should be able to display, but not maintain his or her own pay. For the HR: Master data - Personnel number check object (P_PERNR), you assign an authorization with the following specifications:
Authorization level: W,S,D,E
Interpretation of assignment
User - personnel number E
Infotype: 0008
Subtype: *
09-10-2010 11:15 PM
Hi, it's me again. The solutions provided work for the most part, however I am still able to 'create' on my own master data record. I cannot change any infotypes and I can display all infotypes, which is what I want. We have PA30 and PA40 contained in the same security role, so auth object P_PERNR should apply for both tcodes, shouldn't it? Can somebody please advise on what should be added/removed? I'm using the following for P_PERNR:
Auth level: D, E, S, W
Infotype: *
PSIGN: E
Subtype: *
Thanks so much!
09-11-2010 12:50 AM
Check if multiple entries of P_PERNR AND P_ORGIN are in.
Post the values of each of those objects/object to evaluate.
Regards
09-13-2010 2:02 PM
You can use SU56 transaction to check the buffered authorisation per user/authorisation object. Check all P_PERNR objects of the test user.
I would try the following P_PERNR settings:
Auth level: R, M
Infotype: *
PSIGN: I
Subtype: *

Auth level: D, E, S, W
Infotype: *
PSIGN: E
Subtype: *
Quite often P_ORGIN and P_PERNR require at least one object with Auth. level R. A good rule to remember how PSIGN works is to think that 'I' means include and 'E' exclude. So with I you include read access to all infotypes and with E you exclude all write options to all infotypes. Level M means that search helps have access to data (for example, if you want to give access to search employee number by last name of employee but you don't want to give access to read Personal Data, you can give M access only to infotype 0002).
Also make sure that the PERNR authorisation switch (tcode: OOAC) has been switched on.
Hope this helps.
Saku
09-13-2010 8:59 PM
Hi,
As I told you before, did you link P_PERNR to the user ID in IT0105 Subtype 0001 or table V_T513A? If you don't maintain this, then your restriction in P_PERNR won't work.
Thanks,
SS
09-27-2010 5:49 PM
Thanks to all. The settings that SaQ provided in his post for P_PERNR are what worked for me.
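The checklist this thread arrived at (PERNR switch on in OOAC, user ID linked through IT0105 subtype 0001, a PSIGN E entry covering D, E, S, W and a PSIGN I entry with R) can be linted over a role review. This is an added example, not code from any poster or from SAP; the data model, function names, user IDs and personnel numbers are constructed assumptions, and it checks configuration only, it does not reproduce SAP's authorization check.

```python
from dataclasses import dataclass

WRITE_LEVELS = {"D", "E", "S", "W"}   # maintenance levels named in the thread
READ_LEVELS = {"R", "M"}              # read and matchcode (search help) levels

@dataclass(frozen=True)
class PPernr:                         # one P_PERNR authorization (constructed model)
    levels: frozenset
    psign: str                        # "I" or "E"
    infotype: str = "*"
    subtype: str = "*"

def covered(auths, psign):
    """Levels listed by full-scope (infotype *, subtype *) entries with this PSIGN."""
    out = set()
    for a in auths:
        if a.psign == psign and a.infotype == "*" and a.subtype == "*":
            out |= (WRITE_LEVELS | READ_LEVELS) if "*" in a.levels else a.levels
    return out

def lint_user(user, auths, it0105_links, pernr_switch_on):
    """Return findings for one user; an empty list means the checklist is met."""
    findings = []
    if not pernr_switch_on:
        findings.append("PERNR switch (OOAC) is off")
    if user not in it0105_links:
        findings.append("no IT0105 subtype 0001 link for user ID")
    excl, incl = covered(auths, "E"), covered(auths, "I")
    if WRITE_LEVELS - excl:
        findings.append("PSIGN E missing levels: " + ",".join(sorted(WRITE_LEVELS - excl)))
    if "R" not in incl:
        findings.append("no PSIGN I entry with level R")
    if excl & incl:  # same level listed for own data under both signs: needs review
        findings.append("levels under both I and E: " + ",".join(sorted(excl & incl)))
    return findings

# Constructed sample data: user IDs and personnel numbers are made up.
LINKS = {"HRADMIN1": "00001234"}
FIRST_TRY = [PPernr(frozenset("DESW"), "E")]            # settings from the 09-10 post
WORKING = [PPernr(frozenset("RM"), "I"),                # settings from the 09-13 post
           PPernr(frozenset("DESW"), "E")]

if __name__ == "__main__":
    print(lint_user("HRADMIN1", FIRST_TRY, LINKS, True))
    print(lint_user("HRADMIN1", WORKING, LINKS, True))
    print(lint_user("HRADMIN2", WORKING, LINKS, False))
```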