2009 Jun 04 6:35 AM
Hi,
In HR roles we are facing problem with infotype 0000.
For PA30 tcode, in authorization object P_ORGIN, we have given R for infotypes 0006 and 0021.
Even though we have given R for infotype 0000, but it is allowing users to create and change.
Where as our requirment is to have display only for infotypes 0006 and 0021.
<removed_by_moderator>
Regards,
Siv
Edited by: Julius Bussche on Jun 8, 2009 8:03 PM
2009 Jun 04 6:41 AM
Hi Siv,
Run report RHUSERRELATIONSHIP for that user and check what all P_ORGIN access the user has and through which roles. This report is pretty helpful.
Cheers !!
Zaheer
2009 Jun 04 6:41 AM
Hi Siv,
Run report RHUSERRELATIONSHIP for that user and check what all P_ORGIN access the user has and through which roles. This report is pretty helpful.
Cheers !!
Zaheer
2009 Jun 04 6:51 AM
Dear Zaheer,
Thanks for your quick reply.
Only one role is assigned to this user id.
That role has only HR tcodes like S_PH9, PT, PA, S_AHR....i can provide the HR tcode list...but its pretty big one.
but in P_ORGIN....we have maintianed only 9 infotypes...with R and M authorization types...
infotypes 0006, 0021 and 0000 have only R assigned to them.
Regards,
Siv
2009 Jun 04 6:53 AM
2009 Jun 04 7:20 AM
2009 Jun 04 7:29 AM
So when you ran the report, with "Display HR Authorizations" radio button selected and "P_ORGIN" checked it showed you only the authorization objects pointing to the role only.
There may be some profiles, structural authorization which might be giving Write access to infotype 0000.
Alternatively, can you run a ST01 auth check trace and recreate the issue, and check the trace result for W,E,D,S or * for infotype 0000.
Cheeers !!
Zaheer
2009 Jun 04 7:40 AM
Dear Zaheer,
Below is the result of that report,
P_ORGIN T-DC61007500 AUTHC R
P_ORGIN T-DC61007500 INFTY 0000
P_ORGIN T-DC61007500 PERSA *
P_ORGIN T-DC61007500 PERSG *
P_ORGIN T-DC61007500 PERSK *
P_ORGIN T-DC61007500 SUBTY *
P_ORGIN T-DC61007500 VDSK1 *
Thanks for ur help.
Regards,
Siv
2009 Jun 04 7:45 AM
2009 Jun 04 7:48 AM
Dear Zaheer,
P_ORGIN RC=4 INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
P_ORGIN RC=0 INFTY=0001;SUBTY=' ';AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
P_ORGIN RC=0 INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=2401;PERSG=R;PERSK=R1;VDSK1=2401;
This trace is when i clicked on Create button on PA30 screen....
Nothing abut 0000....
Regards
Siv
2009 Jun 04 7:59 AM
Just got hold of an HR system, when i clicked "Create" in PA30 after selecting "Actions"...
I got this...
P_ORGIN RC=0 INFTY=0000;SUBTY= ;AUTHC=W;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
It surprises me that you didn't found any entry for Infotype 0000 in authorization trace.
2009 Jun 04 8:25 AM
Dear Zaheer,
I had removed the 0000 entry from the role, now when I select any user id and click on display, it is Not allowing. Below is the trace,
P_ORGIN RC=0 INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=2401;PERSG=R;PERSK=R1;VDSK1=2401;
P_ORGIN RC=0 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=2401;PERSG=R;PERSK=R1;VDSK1=2401;
P_ORGIN RC=0 INFTY=0021;SUBTY=' ';AUTHC=R;PERSA=2401;PERSG=R;PERSK=R1;VDSK1=2401;
and here also no 0000....
Edited by: K. Siva Srinivas Reddy on Jun 4, 2009 9:29 AM
2009 Jun 04 9:56 AM
Check the values in P_PERNR then..interestingly none of your trace results show up infotype 0000 (Actions), are you sure you are selecting actions and then clicking create...just verifying.
2009 Jun 04 10:30 AM
Dear Zaheer,
I am going into PA30.....clicking F4 for "Personnel no." and selecting any user randomly....then entering value 0000 in Infotype field under "Direct Selection".....now clicking on Create button.
The values for P_PERNR are
Authorization level R
Infotype 0002
Interpretation of assigned per I
Subtype ' '
2009 Jun 04 8:15 PM
Hi Siva,
When hit create for actions 0000.Did you try saving the entry ?? I think it will allow you to create an entry but won't allow you to save the record. you will get no authorization to maintain message.
Try and let us know
thanks
santosh
2009 Jun 05 3:54 AM
Santosh, i doubt that, system checks for write authorization as soon as you click the create button. Still you check that Siv.
Cheers !!
Zaheer
2009 Jun 08 5:16 PM
Zaheer, Even I had the same feeling however I tried with test role in the sandbox and yes it allowed me to create any entry but dint allow to save it.
thanks
Santosh
2009 Jun 10 7:42 AM
@Siv : Let us know what you find out....
@Santosh : Lets wait for Siv to come up with some more input for us
Cheers !!
Zaheer
2009 Jun 11 6:29 AM
Hi,
@ Zaheer - thanks bro for all your inputs and time.
@ santosh - thank u, but client requirment is that the end user should immediately get "not authorised" message when someone tries to click on create. it should not allow to the next screen.
The problem is solved now...instead of giving R...I had given D and tried and it works perfectly....they can display all but can't change or create.
If anyone click on change or create, immediately they will get "not authorised" message.
Regards,
Siv