cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Restricting Users From Accessing/Changing Data (Thru ESS/MSS) During Payroll Run

Go to solution
Former Member

on ‎07-30-2015 6:25 AM

0 Kudos

Hi All,

Hope the message finds you guys well. We recently went live with one of our green field implementations and currently we are in support phase. The client (Cannot disclose the name) runs payroll every fortnightly (so 2 payroll runs every month). There are some issues with the payroll solution and currently the payroll process is taking close to 2 days (Fixing all the issues) to complete. The payroll team is changing the status of payroll control record to "Released For Corrections" during this phase and the users were able to edit data (e.g. updating bank details) thru ESS/MSS.

My query is to check if there is a process or solution in security where we can restrict the users from accessing/changing specific infotypes during this phase thru ESS/MSS. I can lock the users through SU10 but that will restrict them from accessing the system as a whole (Correct my understanding).

The users should be able to access the system but shouldn't be able to update/delete any data.

My apologies for a lengthy query and more than happy to award points for correct answers. Thanks a lot in advance and have a great week ahead.

Regards

SB

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

diwheeler
Explorer
‎07-30-2015 11:12 AM
0 Kudos

Hi Sandeep,

you can grant access/remove it, but it becomes part of an application security provisioning/removal activity, and you'll need to have HR coordinate with whoever does your role provisioning for example, when HR are 'in process' grant read only access, when HR have completed processing, get the display only access changed again.  This will work while you're managing your payroll bugs, but would not suggest it for long term business as usual processing.

To do this, you would review the ESS/MSS roles you have assigned end users for any maintenance access to your sensitive infotypes,  You will need to alter the existing roles to ring fence the maintenance of these infotypes, keeping display, but removing maintenance, and then assigning the maintenance access into a separate role for each ESS/MSS role.  for example, you have the following:

current role

ESS_Employee (composite)

Role 1 - contains : P_PERNR: Read, Write - IT0008

becomes

ESS_Employee (composite)

Role 1 - contains : P_PERNR: Read - IT0008

Role 2 - contains : P_PERNR: Write - IT0008(then, assigned in or removed from as required following your system change protocols).

The auth objects you want to look at will depend on the solution you have implemented and might be things like P_PERNR, P_ORGIN, P_ORGXX, P_ORGINCON etc

You have another option that may work, which you would definitely want to test first it but maybe changing the maintenance access for your sensitive infotypes to be two-step change maintenance for ESS/MSS users instead of one-step might work; grant the ability to enter updates (P_PERNR/P_ORGIN activity type E) but only e.g. HR/Payroll can update the change for each individual which means people can still enter in changes as they like, but they will stay in what is effectively a pending state until an administrator 'accepts' the change.  This option is a little harder to advise if it's possible, I don't know what kind of ESS/MSS you have, what sort of checks etc, sometimes the functions users interact with will only work with full write permissions.

Best of luck with your question.

Cheers,

D

Show replies
Show replies
siddharthrajora
Product and Topic Expert
Product and Topic Expert
‎07-30-2015 3:21 PM
0 Kudos

Typically during payroll process, HR admins send a bulletin out for the employees to avoid changes

and this is what organisation does, although you can never eliminate edit of data unless you remove their privileges as stated above, payroll is able to check for the changes etc but bank details typically shouldnt be changed and avoided and for this you need to let end users

Also, you can unlock also personnel numbers during or before payroll runs ie using

HFIUCPL0

Former Member
‎08-03-2015 1:24 AM
0 Kudos

Hi Dianne,

Hope you had a great weekend. As suggested we are currently building some ESS/MSS roles (Maintenance Roles) to tackle the issue. I'll let you know once the process is approved and the issue is resolved. Thanks a zillion for the help and hope everything works out as expected.

Regards

SB

Former Member
‎08-03-2015 1:29 AM
0 Kudos

Hi Siddharth,

Hope you had a great weekend. We already have a process in place (Sending comms to users, holding the batch runs e.g. CATA) during payroll run. It's not working out as expected as we still have some users (quite a few to be precise ) who are playing with the system. Thanks for the suggestion and will def. look into (HFIUCPL0) for unlocking the users. Have a great day/week ahead and I'll keep you posted.

Regards

SB

Answers (0)

Ask a Question