cancel
Showing results for 
Search instead for 
Did you mean: 

ESS Security - Double Verification

Former Member
0 Kudos

Hi Experts,

I am trying to implement the concept of double verification within ESS. My requirement is that the employee should be able to modify an existing record or create a new one but only with the lock indicator, so then the HR Administrator can go in the backend and remove the lock indicator once he's checked the information (the main purpose being to avoid developing a workflow).

I've read a lot about the concepts of double verification and went through something like 60 posts, but still i can't manage to work it out.

I've made a copy of the standard role SAP_ESSUSER_ERP to modify authorizations. Let's take the example of infotype 0006 - Address. I've removed this infotype from existing lines of class P_PERNR to isolate it. I've created a new authorization object in which i tried to play around with authorization levels. The theory is that authorization level should be set to R, E or R, E, M to allow this. However i've tried that and it doesn't work as i'm getting an error message at the review step of my iView saying "You do not have authorization to change". The only authorization level giving me this authorization is either D or W, in which case the lock indicator is not set.

Anyone has ever done that this way ??

Many thanks,

Sylvain.

Accepted Solutions (0)

Answers (4)

Answers (4)

Former Member
0 Kudos

1. how many roles are assigned to your user.

2. if you are using same user in R/3 and EP then this is not possible that you can do it from R/3 and not for EP

3. How are you doing it from R/3 is it through PA30.

4. Which authorization object are being given the authorization E R S is it p_orgin or p_pernr

Former Member
0 Kudos

Barin,

Here are the answers to your question :

1. how many roles are assigned to your user.

I have assigned the following roles to my user :

SAP_BC_EMPLOYEE

SAP_BC_ENDUSER

SAP_HR_PA_XF_EXPERT

ZSAP_ESSUSER_ERP (copie of SAP_ESS_USER modified to play with that authorization thing)

2. if you are using same user in R/3 and EP then this is not possible that you can do it from R/3 and not for EP

Exactly the same user ! Incredible i know, i don't understand it either...

3. How are you doing it from R/3 is it through PA30.

Yes via PA30

4. Which authorization object are being given the authorization E R S is it p_orgin or p_pernr

That's P_PERNR, as in the portal the employee should only be able to mmodify his own data.

Former Member
0 Kudos

remove all other roles except ZSAP_ESSUSER_ERP and test from EP if this works

Pl also make sure there is no profile attached other then roles.

pl revert so that we can take this forward.

Message was edited by:

Barin Desai

Former Member
0 Kudos

I have done what you suggested but this doesn't work either. I still get the same message.

I've tried to run a trace with ST01 but i got no result at all.

Any idea how i can get more information ?

Sylvain.

Former Member
0 Kudos

Hi,

I am facing the same problem. Could anybody able to resolve this. It works pefectly fine in backend SAP ECC but not in ESS. I have used Authorization object P_PERNR and E, M, R levels. I tried also with E, M, R & S for infotypes but still no success. When I try in backend SAP, i can create as a locked record. However if I try in ESS, I get a message, no sufficient authorization.

Pls let me know as to how to resolve this.

Thanks in advance!

Former Member
0 Kudos

Hi swetha and everybody,

In older Portal versions (transactions PZ...), it was possible, also in PA30 and all the backend std programs.

In new Portal versions (web dynpro technology) that it's not possible, only write or read functions are available.

There is some workarounds you can do (including NWDI development); e.g. create a transaction (or IAC) iView that calls the old PZ... transactions

KR

Former Member
0 Kudos

hi please use S and E both for it. I have createad a role just now and used s and e both for IT6 subtype 1 and it has worked.

thank you

Former Member
0 Kudos

Hello Barin,

I have just made the test as well, as you said, but this doesn't work for me in the portal. I gave authorization level E, S and R in P_PERNR for infotype 0006 subtypes 1 and 4, and i'm still getting the "You have no authorization to insert" message. It works fine in the backend though.

Any other idea ?

Sylvain.

Former Member
0 Kudos

sorry for that its

S (write locked record; unlock if the last person to change the record is not the current user),

E (write locked record),

pl use E

Former Member
0 Kudos

Hi again Barin,

I've done what you said, i tried with authorization level E, but that doesn't work. I have tried many combinations of authorization levels but i couldn't make it to work from ESS. It seems that it is working in the backend though, but that is not what i need to do.

Regards,

Sylvain.

Former Member
0 Kudos

This is very much possible and we have done this. you can send an executable email to administrators inbox and when administrator executes this it will automatically go to pa30 where he / she can unlock.

check the authorization object P_PERNR - HR MASTER DATA Personnel Number authorization check and put value S in authorization level for infotype 0006.

you will surely achieve this.

Former Member
0 Kudos

Hi Barin,

Actually the 'S' authorization would be for the HR Administrator to validate the data (that is not a problem). What i'm struggling with is the authorization of the employee to modify his own data. I've tried to give the employee authorization level RE or RS, but that doesn't work, it still tells me in the portal that i do not have the right to change or insert data.

How did you set the authorizations for the employee in your own case ?

Thanks,

Sylvain.