https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686446#M1292311 <HTML><HEAD></HEAD><BODY><P>Hi Venkat,</P><P></P><P>Try restricting on P_PERNR, i don't have an HR system to check in, though i recall, P_PERNR should be able to restrict users on their own personnel numbers for the expense infotypes.</P><P></P><P>Cheers !!</P><P>Zaheer</P></BODY></HTML> Thu, 04 Jun 2009 05:55:24 GMT Former Member 2009-06-04T05:55:24Z https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686443#M1292308 <HTML><HEAD></HEAD><BODY><P>Hi Geeks,</P><P>I'm facing a problem in restricting a user accessing from another users data.</P><P>Let me give you a picture of my issue.</P><P></P><P>I have assigned a position based role to a Position XXXXX, while XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see the data of his own, not other users.</P><P></P><P>Can you please let me know how to restrict this.</P><P></P><P>&lt;removed_by_moderator&gt;</P><P></P><P>Thanks</P><P>Venkat</P><P></P><P>Edited by: Julius Bussche on Jun 4, 2009 8:44 AM</P></BODY></HTML> Thu, 04 Jun 2009 04:27:59 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686443#M1292308 Former Member 2009-06-04T04:27:59Z https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686444#M1292309 <HTML><HEAD></HEAD><BODY><P>Venkat, can you be more specific ?</P><P>Roles may be assigned to position but that itself wouldn't restrict the access, it is the authorization within the role that gives access to data.</P><P></P><P>Cheers !!</P><P>Zaheer</P></BODY></HTML> Thu, 04 Jun 2009 04:38:02 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686444#M1292309 Former Member 2009-06-04T04:38:02Z https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686445#M1292310 <HTML><HEAD></HEAD><BODY><P>Zaheer, thanks for the quick reply, </P><P>here it goes. my client implemented SAP TV, &amp; user X logs his expenses, while other users do. </P><P>but when User X is accessing his data (Expenses) he is also able to see the expenses of User Y.</P><P></P><P>I have used the Auth Obj, F_TRAVL_RW, TV_CREAT, TV_EVSIM, also assigned a T.Code KSB1/KOB1.</P><P></P><P>Let me know if u need more details.</P><P></P><P>Thanks,</P><P>Venkat</P></BODY></HTML> Thu, 04 Jun 2009 04:58:26 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686445#M1292310 Former Member 2009-06-04T04:58:26Z https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686446#M1292311 <HTML><HEAD></HEAD><BODY><P>Hi Venkat,</P><P></P><P>Try restricting on P_PERNR, i don't have an HR system to check in, though i recall, P_PERNR should be able to restrict users on their own personnel numbers for the expense infotypes.</P><P></P><P>Cheers !!</P><P>Zaheer</P></BODY></HTML> Thu, 04 Jun 2009 05:55:24 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686446#M1292311 Former Member 2009-06-04T05:55:24Z https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686447#M1292312 <HTML><HEAD></HEAD><BODY><P>Venkata, are you using Structural Authorization? You may want to look in to assigning structural authorization using PD Profiles. </P><P></P><P>Maintain Evaluation Path</P><P>Maintain Structural profiles</P><P> - rh_get_manager_assginment</P><P> - rh_get_org_assignment</P><P></P><P></P><P>"while XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see the data of his own, not other users."</P><P></P><P>Sapsec-HB</P></BODY></HTML> Thu, 04 Jun 2009 14:33:44 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686447#M1292312 Hank 2009-06-04T14:33:44Z https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686448#M1292313 <HTML><HEAD></HEAD><BODY><P>Hi Venkat</P><P></P><P>If user X is able to view data for another user it is probably the P_PERNR object. Try Interpretation of assigned personnel number (I) which allows users to view data for his own records. Structural auth will control the Org assignment however accessing Infotypes or data will be controlled by P_ORGIN /P_PERNR. </P><P></P><P>Let us know</P><P></P><P>thanks</P><P>santosh</P></BODY></HTML> Thu, 04 Jun 2009 15:23:43 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686448#M1292313 Former Member 2009-06-04T15:23:43Z https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686449#M1292314 <HTML><HEAD></HEAD><BODY><P>&gt; If user X is able to view data for another user it is probably the P_PERNR object. </P><P>That is the exact opposite of what P_PERNR does... <SPAN __jive_emoticon_name="happy"></SPAN></P><P></P><P>Probably P_ORGIN is proving the access via some other role assignment, or indirectly via a reference user.</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Thu, 04 Jun 2009 16:09:14 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686449#M1292314 Former Member 2009-06-04T16:09:14Z https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686450#M1292315 <HTML><HEAD></HEAD><BODY><P>thanks Julius</P><P></P><P>I meant to convey P_PERNR controls to update persons own data. like user cannot update his own basic pay. you are correct it is P_ORGIN ...my bad on the P_PERNR <SPAN __jive_emoticon_name="happy"></SPAN></P><P></P><P>thanks</P><P>santosh</P></BODY></HTML> Thu, 04 Jun 2009 16:19:03 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686450#M1292315 Former Member 2009-06-04T16:19:03Z https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686451#M1292316 <HTML><HEAD></HEAD><BODY><P>Here is my understanding... </P><P></P><P><STRONG>p_orgin</STRONG> providing access to infotyes with this object automatically gives access to both own user's reocord and the other employee records.</P><P></P><P><STRONG>p_pernr</STRONG> when this object is present, including infotypes in this object allows you to control access to own record <U>only</U>(I), or other employee records <U>only</U>(E) excuding own. </P><P></P><P>Sapsec-HB</P></BODY></HTML> Thu, 04 Jun 2009 16:37:06 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686451#M1292316 Hank 2009-06-04T16:37:06Z https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686452#M1292317 <HTML><HEAD></HEAD><BODY><P>&gt; p_pernr when this object is present, including infotypes in this object allows you to control access to own record <U>only</U>(I), or other employee records <U>only</U>(E) excuding own. </P><P>Stated like that it could still be misleading. </P><P></P><P>E does not grant access to other employees records. It only means that if the user already has access to other employees records (via P_ORGIN...), then this authorization will <STRONG>exclude</STRONG> their own personel number from that authorization, even although they have the access.</P><P></P><P>This can be usefull, for example to prevent the HR department from changing their own basic pay without stopping them from giving you a raise or a bonus... <SPAN __jive_emoticon_name="happy"></SPAN></P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Thu, 04 Jun 2009 16:49:32 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686452#M1292317 Former Member 2009-06-04T16:49:32Z https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686453#M1292318 <HTML><HEAD></HEAD><BODY><P>Thanks a bunch, Guyz, will mark it solved, once I try with the solution given.</P><P></P><P>Regards,</P><P>Venkat</P></BODY></HTML> Thu, 04 Jun 2009 16:51:55 GMT https://community.sap.com/t5/application-development-and-automation-discussions/user-level-authorization-in-position-based-security/m-p/5686453#M1292318 Former Member 2009-06-04T16:51:55Z