on 06-15-2010 11:25 AM
Hi Gurus, I'm struggling to get CATS working the way I want, and I'm not sure what I'm doing wrong.
I am setting it up so employees can only access their own timesheets, so I am using P_PERNR. My understanding of this object is that you use it instead of P_ORGIN in this scenario.
Things are looking good on the initial screen, I have linked the SAP user licence to the HR record in IT0105 subtype 0001, and I've also completed the users parameters PER & CVR with their personnel nr and the required CATS profile. The initial screen for CATS defaults in the right profile and personnel nr, but when I try to go into the timesheet, I get an auth fail, which according to the auth check is object P_ORGIN.
I'm wondering if I have P_PERNR set up correctly, as how can I give the user P_ORGIN without that giving them access to more than their own HR data?
My P_PERNR settings are below (separate post)
Have I got them wrong?
Thanks for any advice
Graham
if you want to use the personnel number check (authorization object:
P_PERNR) you have to activate it via transaction OOAC. In case
you want to achieve that one user can only maintain his own personnel
number we would recommend not to use P_ORGIN in the authorization
profile, but only P_PERNR. You can assign all infotypes that are
necessary for CATS via P_PERNR in the authorization profile. But
please activate 'P_PERNR' AND 'P_ORGIN' via transaction OOAC as
described in the attached note 362675.
Additionally, if you have IT0316 & IT328 defined, you might want to
consider just using IT0316.
IT0316 represents the authorization for data entry profiles and
depends on the profile setting. If a user has authorization for
IT0316 and for a specific profile authorization group (subtype of
infotype 0316) that has profiles not requiring approval assigned to it
the user can approve the data, even if he/she does not have
authorization for infotype 0328.
Please see the following example of how we have our user defined for
reference:
Object: P_PERNR (HR master data -personnel number check)
1) level: E, M, R
infotype: 0316
interpretation: I
subtype: *
2) level: *
infotype: 0005, 2001-2013
interpretation: I
subtype: *
depending on CATS profile. I assume data entries in CATS
don't have to be approved and directly create HR data.
Maybe you will have to adjust authorization levels.
3) level: M,R
infotype: 0000-0002, 0007, 0105, 0315, 2001-2003
interpretation: I
subtype: *
Object: Transactions: Cat2 and cat3
If approval of data in CATS is necessary, IT 0328 still has to be
checked.
This was tested in one of our systems and it worked: if no
authorization for time entry in cat2 for other personnel no. it did
not allow entries; they could only make entries for their own
personnel no. as in IT 0105 and T513A.
Hi Graham,
In order to make everybody see their own timesheet, we have implemented user exit CATS0001.
There you should check whether the employee whose timesheet is being recorded is the same as the employee who is assigned to the logged in user name (check IT0105).
If not, issue a message.
Regards,
Dilek
My P_PERNR settings are......
AUTHC=E,M,R
Infotypes=0000-0002, 0007, 0315, 0316, 2001-2003, 2010
PSIGN=I
SUBTY=*
plus
AUTHC=R
Infotypes=0000-0002, 0007, 0316, 2001-2003
PSIGN=I
SUBTY=' '
Hi Mauricio. Yes we have had to deal with the PR05 auth issue, which is annoying, as we don't enter expenses via CATS, but it is resolved nonetheless.
Yes the intention is that each employee enters only their own time data via CATS. The basic process is working correctly, in that they are taken directly into their own timesheet by default based on the user parameters and entries we have made in IT0105.
My issue is purely an authorisation issue. I have given the users P_PERNR only with settings that should restrict them to their own record only, but they can go in to other records. I would expect that P_PERNR would be checked on an attempt to access somebody else's timesheet, and stop them automatically.
Dilek, regarding your comments. I have not looked at the User Exit, as my issue is purely authorisation, and if I'm reading correctly what P_PERNR is supposed to do, I wouldn't expect to have to resort to using a user exit?
Thanks
Graham
P_PERNR is to check if you have authorization to display / change your own record. It doesn't control whether you have access to other ees. P_ORGIN controls that.
Did you try to add 'W' authorization to P_PERNR on time infotypes? I see it has 'E' (lock/unlock) authorization which may not necessarily mean the ee has change authorization to their own records.
Hi Ted. I have only given them P_PERNR, and yes, they can enter their own times fine. They don't have P_ORGIN, which is why I can't understand how they can get into another person's timesheet.
I would have thought P_PERNR forces a check against IT0105 and if the user ID doesn't match the logon they get an auth fail if they don't have P_ORGIN, but it doesn't seem to work like that?
I think the user somehow has P_ORGIN authorization assigned in one of his user profiles (doesn't necessarily have to be in CATS profile specific).
Run SAP program 'RSUSR002', and key in the user id (the user that is supposed to only have access to his/her own record) in 'User' parameter, and 'P_ORGIN' in 'Authorization Object' parameter. If it comes back with a result, it means the user has 'P_ORGIN' authorization in one of the assigned user profiles.
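A simplified model of the decision the replies describe, added here as an illustration; it is not part of the original thread and not SAP's code. It shows why P_PERNR alone confines a user to the record linked in IT0105, and how a P_ORGIN value picked up from any other role reopens other employees' records. The user name, personnel numbers, the stray P_ORGIN value and the literal matching of authorization levels are assumptions.

```python
# Simplified model (assumption) of the P_PERNR / P_ORGIN decision from the thread.
# Authorization levels are matched literally; the ORGIN main switch is assumed active.

IT0105 = {"EMP_A": "00001001"}  # constructed: SAP user -> PERNR (IT0105 subtype 0001)
P_PERNR_ONLY = {"P_PERNR": [{"AUTHC": "E,M,R", "PSIGN": "I", "SUBTY": "*",
                             "INFTY": "0000-0002, 0007, 0315, 0316, 2001-2003, 2010"}]}
# Constructed: same user with a stray P_ORGIN value inherited from an unrelated role
WITH_ORGIN = dict(P_PERNR_ONLY, P_ORGIN=[{"AUTHC": "R", "SUBTY": "*", "INFTY": "*"}])

def in_values(value, spec):
    """Match a value against a field such as '0000-0002, 0007' or '*'."""
    for part in (p.strip() for p in spec.split(",")):
        if part == "*" or part == value:
            return True
        if "-" in part:
            low, high = part.split("-")
            if low <= value <= high:  # zero-padded infotype numbers compare as text
                return True
    return False

def grants(auth, infty, subty, level):
    return (in_values(infty, auth["INFTY"]) and in_values(subty, auth["SUBTY"])
            and in_values(level, auth["AUTHC"]))

def check(user, pernr, infty, subty, level, auths, pernr_switch=True):
    """Return (allowed, deciding_object) for one infotype access."""
    own_record = IT0105.get(user) == pernr
    if pernr_switch and own_record:
        hits = [a for a in auths.get("P_PERNR", []) if grants(a, infty, subty, level)]
        if any(a["PSIGN"] == "E" for a in hits):
            return False, "P_PERNR"   # explicit exclusion of the own record wins
        if any(a["PSIGN"] == "I" for a in hits):
            return True, "P_PERNR"
    # Someone else's record, or no P_PERNR decision: only P_ORGIN can grant access
    allowed = any(grants(a, infty, subty, level) for a in auths.get("P_ORGIN", []))
    return allowed, "P_ORGIN"

if __name__ == "__main__":
    for label, auths in (("P_PERNR only", P_PERNR_ONLY), ("plus P_ORGIN", WITH_ORGIN)):
        for pernr in ("00001001", "00001002"):
            print(label, pernr, check("EMP_A", pernr, "2002", "", "R", auths))
```

The last case in the model matches the RSUSR002 check suggested above: any hit for P_ORGIN on the user explains access to another personnel number.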