Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Structural/Context Auth Issue RPTQTA10/RPLABSG0_ABSENCE_OVERVIEW IT2006

Former Member
0 Kudos
187

We have a requirement for MSS users to see IT0000, IT0001 and  IT0002 data for all users in the Org structure only for the purposes of Employee Change Requests and in the future for Performance Management/Appraisals functionality.

We have set up context specific authorisations. Within our MSS role we have separate instances of P_ORGINCON.

Users are restricted to seeing only their own part of the organisational structure for all other infotypes with a MSS structural profile in one instance P_ORGINCON.

In a separate instance of P_ORGINCON in the MSS role users have access to IT0000, IT0001 and IT0002 with a structural profile giving unrestricted access to object types O, S and P.

This works for all reports except for RPLABSG0_ABSENCE_OVERVIEW(Absence Overview) and RPTQTA10(Absence Quota Information) which  returns IT2006(Absence Quotas) for all users.

We do not have auth object P_ABAP in the role.

The context auth switch is set correctly.

8 REPLIES 8

Former Member
0 Kudos
119

Hello Kevin,

You might have already checked this but is the user assigned with any other role other than the MSS role which might contain IT2006 unrestricted access?

Please run a ST01 trace on the user to see which instance of P_ORGINCON is providing access to IT2006 and let me know.

Thanks

Sandipan

0 Kudos
119

Only the MSS role has access to IT2006.

Trace shows this as being the only instance of IT2006.

Kevin

0 Kudos
119

Trace shows lines:

P_ORGINCON RC=0  INFTY=2006;SUBTY=11;AUTHC=R;PERSA=*;PERSG=*;PERSK=*;VDSK1=*;PROFL=*;

P_ORGINCON RC=4  INFTY=2006;SUBTY=11;AUTHC=R;PERSA=1111;PERSG=1;PERSK=06; VDSK1=1;PROFL=ALL;

Even though ALL profile with unrestricted access to the org structure is not included in the instance of P_ORGINCON with IT2006.

Kevin

0 Kudos
119

Hello Kevin,

Thanks for posting the trace results. Please check if the user is directly assigned with ALL profile (check table T77UA or via tcode OOSB) or check if any profile is attached to user's position thru' OM IT1017.

On further review, seems like auth check for PROFL=* is being passed with a RC=0. Please try to check roles of user and make sure he is not assigned with any SAP delivered profiles or any reference user.

Also, since you have context based structural authorization, make sure BADI- HRBAS00_GET_PROFL is implemented in your system. You can check BADI status thru' HRAUTH transaction code.

Thanks

Sandipan

Message was edited by: Sandipan Choudhury

0 Kudos
119

User gets ALL profile via P_ORGINCON against IT0000-2 in the MSS role.

This shows up in OOSB/T77UA.

No profile is assigned to the user via IT1017.

The BADI is implemented.

Everything looks as it should but still not working.

Kevin

0 Kudos
119

So the INFTY field of your MSS P_ORGINCON contains IT0000-2 ? Please change it to IT0000-IT0002, run RHBAUS02 & RHBAUS00 programs and try again.

Thanks

Sandipan

0 Kudos
119

No - it is aready set as  IT0000-IT0002.

There is nothing obviously wrong with the set up.

Kevin

0 Kudos
119

Hi,

Apparently from your trace results, it seems following values of P_ORGINCON is causing the issue as PROFL=* is equivalent to ALL profile.

P_ORGINCON RC=0  INFTY=2006;SUBTY=11;AUTHC=R;PERSA=*;PERSG=*;PERSK=*;VDSK1=*;PROFL=*;

Can you check the user buffer thru's SU56 and see if the user has these values in its buffer? Also try resetting user buffer and then running following programs in sequence to re-generate indices for structural authorization of user:

1. RHBAUS02

2. RHBAUS01

3. RHBAUS00

Let me know what you find.

Thanks

Sandipan