‎2009 Jun 04 5:27 AM
Hi Geeks,
I'm facing a problem in restricting a user from accessing another user's data.
Let me give you a picture of my issue.
I have assigned a position-based role to a Position XXXXX. While XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see his own data, not other users'.
Can you please let me know how to restrict this.
<removed_by_moderator>
Thanks
Venkat
Edited by: Julius Bussche on Jun 4, 2009 8:44 AM
‎2009 Jun 04 5:38 AM
Venkat, can you be more specific?
Roles may be assigned to a position, but that in itself wouldn't restrict the access; it is the authorization within the role that gives access to data.
Cheers !!
Zaheer
‎2009 Jun 04 5:58 AM
Zaheer, thanks for the quick reply.
Here it goes. My client implemented SAP TV, & user X logs his expenses, while other users do.
But when User X is accessing his data (Expenses) he is also able to see the expenses of User Y.
I have used the Auth Obj F_TRAVL_RW, TV_CREAT, TV_EVSIM, and also assigned T.Code KSB1/KOB1.
Let me know if you need more details.
Thanks,
Venkat
‎2009 Jun 04 6:55 AM
Hi Venkat,
Try restricting on P_PERNR. I don't have an HR system to check in, though I recall P_PERNR should be able to restrict users to their own personnel numbers for the expense infotypes.
Cheers !!
Zaheer
‎2009 Jun 04 4:23 PM
Hi Venkat
If user X is able to view data for another user it is probably the P_PERNR object. Try Interpretation of assigned personnel number (I), which allows a user to view data for his own records. Structural auth will control the Org assignment; however, accessing Infotypes or data will be controlled by P_ORGIN / P_PERNR.
Let us know
thanks
santosh
‎2009 Jun 04 5:09 PM
> If user X is able to view data for another user it is probably the P_PERNR object.
That is the exact opposite of what P_PERNR does...
Probably P_ORGIN is providing the access via some other role assignment, or indirectly via a reference user.
Cheers,
Julius
‎2009 Jun 04 5:19 PM
Thanks Julius
I meant to convey that P_PERNR controls updating a person's own data, like a user cannot update his own basic pay. You are correct, it is P_ORGIN ... my bad on the P_PERNR
thanks
santosh
‎2009 Jun 04 3:33 PM
Venkata, are you using Structural Authorization? You may want to look into assigning structural authorization using PD Profiles.
Maintain Evaluation Path
Maintain Structural profiles
- rh_get_manager_assignment
- rh_get_org_assignment
"while XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see the data of his own, not other users."
Sapsec-HB
‎2009 Jun 04 5:37 PM
Here is my understanding...
p_orgin: providing access to infotypes with this object automatically gives access to both the user's own record and the other employee records.
p_pernr: when this object is present, including infotypes in this object allows you to control access to own record only (I), or other employee records only (E), excluding own.
Sapsec-HB
‎2009 Jun 04 5:49 PM
> p_pernr when this object is present, including infotypes in this object allows you to control access to own record only(I), or other employee records only(E) excluding own.
Stated like that it could still be misleading.
E does not grant access to other employees' records. It only means that if the user already has access to other employees' records (via P_ORGIN...), then this authorization will exclude their own personnel number from that authorization, even though they have the access.
This can be useful, for example to prevent the HR department from changing their own basic pay without stopping them from giving you a raise or a bonus...
Cheers,
Julius
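The interaction between P_ORGIN and P_PERNR discussed in this thread, as an added example that is not part of any post and is not SAP code: a simplified Python model of the decision, using the objects' INFTY, AUTHC and PSIGN fields. It assumes the P_PERNR check is active and the user's own personnel number is known; the personnel numbers are constructed, and P_ORGIN's organizational fields and structural authorizations are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class POrgin:
    infty: str  # infotype, "*" = any (organizational fields omitted in this model)
    authc: str  # authorization level such as "R" or "W", "*" = any

@dataclass(frozen=True)
class PPernr:
    infty: str
    authc: str
    psign: str  # "I" = include own record, "E" = exclude own record

def _covers(auth, infty, level):
    # Exact or wildcard match only; no implied levels in this model.
    return auth.infty in ("*", infty) and auth.authc in ("*", level)

def may_access(own_pernr, target_pernr, infty, level, p_orgin=(), p_pernr=()):
    """Model of the check for one infotype and level on one personnel number."""
    if own_pernr == target_pernr:
        hits = [a for a in p_pernr if _covers(a, infty, level)]
        if any(a.psign == "E" for a in hits):
            return False  # E removes the own record even if P_ORGIN covers it
        if any(a.psign == "I" for a in hits):
            return True   # I grants the own record without any P_ORGIN
    # P_PERNR never grants other employees' records; only P_ORGIN does here.
    return any(_covers(a, infty, level) for a in p_orgin)

def scenarios():
    x, y = "00001001", "00001002"          # constructed personnel numbers
    broad = [POrgin("*", "R")]             # e.g. inherited from another role
    own_only = [PPernr("*", "R", "I")]     # self-service style authorization
    clerk_orgin = [POrgin("*", "*")]       # HR clerk, all infotypes
    clerk_pernr = [PPernr("0008", "W", "E")]  # 0008 = Basic Pay
    return {
        "broad P_ORGIN: X reads Y": may_access(x, y, "0017", "R", broad),
        "P_PERNR I only: X reads X": may_access(x, x, "0017", "R", (), own_only),
        "P_PERNR I only: X reads Y": may_access(x, y, "0017", "R", (), own_only),
        "clerk writes own pay": may_access(x, x, "0008", "W", clerk_orgin, clerk_pernr),
        "clerk writes Y's pay": may_access(x, y, "0008", "W", clerk_orgin, clerk_pernr),
        "clerk reads own pay": may_access(x, x, "0008", "R", clerk_orgin, clerk_pernr),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {allowed}")
```

The first scenario is the situation in the original question: any P_ORGIN authorization reaching user X, through whatever role or reference user, opens other employees' records, so the fix is to find and remove that grant rather than to add P_PERNR on top of it.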
‎2009 Jun 04 5:51 PM
Thanks a bunch, Guyz, will mark it solved once I try the solution given.
Regards,
Venkat