
ABAP: Modify PA infotype without authorization check

jensupetersen
Participant
0 Kudos

Hello everyone,

Short version:

I know two FM that can modify PA infotype data:  HR_MAINTAIN_MASTERDATA and HR_INFOTYPE_OPERATION. However, neither of those includes a parameter that allows using them without them automatically checking authorizations (like you can do with, say, FM RH_INSERT_INFTY which has parameter AUTHY to disable authorization checks but only works with OM infotypes, but not PA infotypes).

Does anybody know a solution?

Long version:

We want the travel department to be able to maintain infotype 17, and only infotype 17. In fact, there are only two fields there that need to be maintained in our company. That department should not have access to any other infotypes, and we are not going to give them PA30. On the other hand, they shall be able to do so for any employee, no matter from which personnel area, subarea, and organizational unit.

So I have created a small program with a mask specifically tailored to their needs. But we do not want to give them any PA authorizations. Giving them P_ORGIN to infotype 17 might not be a big deal, but then we would also need to give them structural authorization to all companies (= org units and personnel areas). Unlimited structural authorization is a big deal, and I would rather avoid granting that to someone who is not supposed to be doing anything but this tiny bit in HR. The only authorization that I would like to see in place is transaction authorization for my program. Anyone who has that should be allowed to maintain these IT 17 fields for any employee, but nothing else.


The problem is that upon writing the data, FM HR_INFOTYPE_OPERATION auto-checks the authorization required for maintaining the infotype, including structural authorization, and so does FM HR_MAINTAIN_MASTERDATA, as far as I understand. Is there an alternative I could go for?

Accepted Solutions (1)


jensupetersen
Participant
0 Kudos

Thanks all so far.

BDC most obviously does authorization checks (as it is but a simulation of regular manual input) and is therefore no solution.

What I have stumbled across now is the function group HRECM00INFTYACCESS. FM HR_ECM_INSERT_INFOTYPE (or HR_ECM_MODIFY_INFOTYPE), followed by HR_ECM_FLUSH_INFOTYPE, appears to do the job nicely and does have an import parameter NO_AUTH_CHECK. Does anybody know anything about these FM? Are they safe to use? Are there any drawbacks to them? What does "ECM" stand for?

0 Kudos

ECM stands for Employee Compensation Management and is one of the SAP HR modules.

But I doubt you can use an ECM-specific function module to modify/insert infotype 17 values, as the main infotypes for the ECM module are the ones listed below.

 

| Employee Infotype | Description |
|---|---|
| 0758 | Compensation Program |
| 0759 | Compensation Process |
| 0760 | Compensation Eligibility Override |
| 0761 | LTI Granting |
| 0762 | LTI Exercising |
| 0763 | LTI Participant Data |


Answers (4)


jensupetersen
Participant
0 Kudos

Well, after simply trying it out I can tell that it does work. The infotype 17 entry is being created and contains the content that I have shoved into the FM.

My only concern is whether this is reliable in terms of future existence and proper operation of the FM (as well as possible side effects from using it that I might not be aware of). But if you can tell that it is a normal FM as far as the infotypes you listed are concerned, then I suppose my approach is pretty safe.
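For reviewing custom code that takes this route, a small scanner (an added example, not code from any poster in this thread) that flags CALL FUNCTION statements passing NO_AUTH_CHECK with the bypass switched on, and records whether the source performs its own AUTHORITY-CHECK before the call. The ABAP sample is constructed; the parameter name PNNNN and the authorization object Z_TRV_IT17 are assumptions.

```python
import re

STATEMENT = re.compile(r"(?:'[^']*'|[^.'])+\.")   # one ABAP statement, literals kept whole
CALL = re.compile(r"CALL\s+FUNCTION\s+'(\w+)'", re.I)
BYPASS = re.compile(r"\bNO_AUTH_CHECK\s*=\s*('[^']*'|\w+)", re.I)
OFF_VALUES = {"' '", "''", "SPACE", "ABAP_FALSE"}  # values that leave the check enabled

def strip_comments(source):
    """Blank out ABAP comments but keep line breaks so line numbers stay valid."""
    out = []
    for line in source.splitlines():
        if line.startswith("*"):
            out.append("")
        else:  # inline comment: a double quote outside a '...' literal
            out.append(re.sub(r"""^((?:'[^']*'|[^'"])*)".*$""", r"\1", line))
    return "\n".join(out)

def find_unchecked_writes(source):
    """List calls that switch NO_AUTH_CHECK on; own_check_before_call is a triage hint only."""
    text = strip_comments(source)
    findings, seen_authority_check = [], False
    for m in STATEMENT.finditer(text):
        stmt = m.group(0)
        if re.match(r"\s*AUTHORITY-CHECK\b", stmt, re.I):
            seen_authority_check = True
        call, flag = CALL.search(stmt), BYPASS.search(stmt)
        if call and flag and flag.group(1).upper() not in OFF_VALUES:
            start = m.start() + len(stmt) - len(stmt.lstrip())
            findings.append({
                "function": call.group(1).upper(),
                "line": text.count("\n", 0, start) + 1,
                "own_check_before_call": seen_authority_check,
            })
    return findings

# Constructed sample (not from the thread); PNNNN and Z_TRV_IT17 are assumed names.
SAMPLE = """* travel department maintenance program (constructed)
CALL FUNCTION 'HR_ECM_INSERT_INFOTYPE'
  EXPORTING
    pnnnn         = ls_p0017   " written without any check
    no_auth_check = 'X'.
AUTHORITY-CHECK OBJECT 'Z_TRV_IT17' ID 'ACTVT' FIELD '02'.
CALL FUNCTION 'HR_ECM_MODIFY_INFOTYPE'
  EXPORTING
    no_auth_check = abap_true.
"""

if __name__ == "__main__":
    print(*find_unchecked_writes(SAMPLE), sep="\n")
```

A finding with `own_check_before_call` set to False is a write path whose only gate is the transaction authorization; a True value still needs a manual look to confirm the check result is evaluated before the call.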

0 Kudos

Try implementing this intended functionality using BDC.

former_member31961
Contributor
0 Kudos

Hi Jens,

One option is to create a wrapper RFC function module for HR_INFOTYPE_OPERATION and call that function module with a local destination which uses a user with sufficient access (e.g. WORKFLOW_LOCAL*, which uses the WF-BATCH user ID). But the drawback is: "Changed by" will have the RFC user ID.

Thanks,

Shrinivas Shenoy

Former Member
0 Kudos

Maybe this solution is not good, but you can use IDocs. In your small ABAP program you implement the creation of IDocs of basic type HRMD_A for your infotype 17; all of these IDocs are stored with status 64 (ready to post). Then, via a background job with report rbdapp01, all of these IDocs are posted under an authorized system uname.