Removing access to IT0009 from all SAP roles except for portal roles

Former Member

Hi,

We use only Z-roles (copy of std) which are large in number that might have access to infotype 0009 bank details using the authorization object P_ORGIN. We also use structural authorization in our security setup.

Now business decided to remove the access of IT0009 from everywhere except from portal roles and create 2 new SAP roles exclusively for IT0009 that grants read and write access respectively.

> What is best and safe way to identify and remove the access of IT0009 from all Z-roles?

> How to create a new "Bank details maintainer" role that must have access to the same personnel areas and employee groups as another data maintainer and give full access to infotype 0009 (create, change, display, delete, etc.)?

> How to create another new "Bank details displayer" role that must have access to the same personnel areas and employee groups as another data maintainer and give display access to infotype 0009?

> The two new roles must be created with maximum attention to future maintainability. I.e. the master roles must contain as much as possible, so that inheriting roles can be easily updated in the future.

> Is any development required to achieve this?

Vamsi

1 ACCEPTED SOLUTION

Former Member

Hi Vamsi,

Some quick thoughts and answers to your questions:

> What is best and safe way to identify and remove the access of IT0009 from all Z-roles?

Tcode SUIM

Navigate to Roles --> By Authorization Values

Auth. Object: P_ORGIN (then press enter)

Enter 0009 to Infotype value

Execute (F8)

The results list is all roles which have some sort of access to infotype 0009. Remove infotype 0009 from the infotype listing of the Z-roles (leave access to portal roles, of course).

PS. ESS role is not listed because access to infotype 0009 is given to own data using P_PERNR object.

> How to create a new "Bank details maintainer" role that must have access to the same personnel areas and employee groups as another data maintainer and give full access to infotype 0009 (create, change, display, delete, etc.)?

> How to create another new "Bank details displayer" role that must have access to the same personnel areas and employee groups as another data maintainer and give display access to infotype 0009?

Create a role using Profile Generator (tcode PFCG). If you want to give maintain access, add transaction PA30 to the menu. If it is display only, add transaction PA20. Then go to the authorisations tab and click the change authorisation data button. When you maintain the authorisations and object P_ORGIN, add infotype 0009 to the infotype field. You have to study your HR and role setup and the roles returned by SUIM in the first step to get the other values correct. Use F1 help to get information regarding the different fields. Authority level W is to write - it includes access to create, change and delete. R is to read. M is used to allow access to data through search helps (restricted read access). S/D/E can be used to implement the 4 eyes principle - one user can do the change but another one needs to check and "approve" (unlock) the changed record. You can assign the role to a test user in the user tab or in SU01.

> The two new roles must be created with maximum attention to future maintainability. I.e. the master roles must contain as much as possible, so that inheriting roles can be easily updated in the future.

The master/derived role concept allows you to leave organisational level fields empty in the master role and then derive roles from the master where you need to fill in only the organisational level fields. In standard, P_ORGIN doesn't have any organisational level fields. But you have a chance to make some field an organisational level field using program PFCG_ORGFIELD_CREATE. Quite often I see that personnel area has been made an organisational level field.

That is just the starting point. I am sure you can find more specific help and instructions from the internet now that you have a starting point for your research.

Enjoy HR authorisations!

SaQ

Edited by: SaQ on Sep 15, 2011 9:29 AM