topic Re: Security on Qualification Object in Application Development and Automation Discussions

Security on Qualification Object

Former Member — Thu, 17 Jun 2010 21:18:07 GMT

I have a requirement to set up security for qualifications such that all qualifications (Q) within a particular qualification group (QK) be visible to the employee who holds the qualification so that they can add, modify and delete qualifications in this group through ESS. That part is standard. The tricky part is that managers should NOT be able to see that their employees hold qualificaitons from this qualification group. Managers must be able to see all other qualificaitons the employee holds, just not any from that qualification group. All other qualification groups must function as normal where a manager may view, update, modify and delete their employees qualifications through MSS.

More information that may or may not be useful. We are deploying the standard delivered qualification managed tools through ESS and MSS that allow an employee to add, modify and delete their own qualifications and also allows managers to do the same. Qualification groupings (QK) are objects stored in HRP1000 and they are related to employees through HRP1001. Also, I am almost completely unfamiliar with how security is done in SAP. Thank you I appreciate any help that can be provided.

Whitney

Re: Security on Qualification Object

Former Member — Mon, 21 Jun 2010 22:01:38 GMT

Hi Whitney,

Make sure to create qualification tasks in such a way that it does not get included in the Qualification catalog before creating the profile which will be assigned to the Employees Manager.

Re: Security on Qualification Object

Former Member — Mon, 21 Jun 2010 23:01:21 GMT

Whitney,

Let say you have User1 to User3.

Qualigication: Q1 to Q20

Qualification group: group1 to group5

Group1 : Q1 to Q5

Group2 : Q6 to Q7

group3: Q8 to Q14

Let stay

User 1 will be able to see group1

User 2 will be able to see group2

user 3 will be able to see group3

Now manger will be able to see

Manager will be able to see : Q15 to Q20

So you can restrict on P_ORGIN

User 1 will get group1 access:

Infotype : Enter your infotype

Subtype: Subtype

Authorization Level : W

Personnel Area

Employee Group: group1

Employee Subgroup

Organizational Key

Manager will get:

Manager will get access to Q15 to Q20:

Infotype : Enter your infotype

Subtype: Subtype

Authorization Level : W

Personnel Area

Employee Group: Q15 to Q20

Employee Subgroup

Organizational Key

Thanks,

Sri

Re: Security on Qualification Object

Former Member — Thu, 16 Sep 2010 04:44:33 GMT

Hi,

Use context sensitive authorisations P_ORGINCON (switch on in tcode OOAC).

AUTSW INCON 1

Create structural profile (OOSP) which returns employees of manager and all Q objects what manager should see from his/her subordinates. nnnnnnnn refers to the Qualification Group (QK) which has the qualifications manager should be able to see. Make also sure that all employees and managers have their infotype 0105 subtype 0001 mapped to their user id.

<your manager profile>|10|01|O | |X|O-O-S-P |12| | |D|RH_GET_MANAGER_ASSIGNMENT

<your manager profile>|20|01|QK|nnnnnnnn| |QUALCATA|12| | | |

Then assign that to manager user-id (OOSB) and add this object P_ORGINCON to manager role (PFCG):

AUTHC: R

INFTY: 0024

PERSA: *

PERSG: *

PERSK: *

SUBTY: *

VDSK1: *

PROFL: <your manager profile>

99% of the companies use the "new" assignement of qualifications to employee using relationships (infotype 1001 between objects Q and P). But still authorisation to see which qualifications can be seen is depending on infotype 0024 authorisations. In the future also PLOG_CON object can be used to achieve this but it is not currently supported...

Regards,

Saku