on 03-06-2008 6:34 AM
Hi,
I have a requirement to restrict the user to view and maintain all employee data except some manager positions for some company codes. How can I do this?
Cheers
Senthil
Hi,
(This is what we had done....)
Check the composite role : SAP_EMPLOYEE_ERP
Create a Z role for SAP_EMPLOYEE_ERP;
Will prompt you to copy the corresponding roles in it to z roles.
The z-composite role is then assigned to the user.
While creating an ESS user, to restrict access to personnel master data, changes to the authorization P_ORGIN need to be made.
In our case, check the z-role created: zSAP_ESSUSER_ERP.
In Authorizations tab => Display authorization data option =>
Expand Human Resources;
In HR: Master data, you can find the various authorization assignments to P_ORGIN:
Authorization level (AUTHC)
Infotype (INFTY)
Personnel Area (PERSA)
Employee Group (PERSG)
Employee Subgroup (PERSK)
Subtype (SUBTY)
Organizational Key (VDSK1)
Authorization level (AUTHC) takes the values :
R (Read) : for Read access
M (Matchcode) : for Read access to Input helps (F4)
W (Write) : for Write access
S (Symmetric) : for Write access using the Symmetric Double Verification Principle
* : always includes all other authorization levels simultaneously
E and D (Enqueue and Dequeue) : for Write access using the Asymmetrical Double Verification Principle. E allows the user to create and change locked data records and D allows the user to change lock indicators.
In your case you probably need to consider:
Employee Group (PERSG) / Employee Subgroup (PERSK)
the Authorization level set to R for the defined infotypes.
This is again, Basis work....
Please check the links to get more clues:
http://www.sapsecurityonline.com/hr_security/hr_security.htm
http://help.sap.com/erp2005_ehp_02/helpdata/en/70/b7b83b5b831f3be10000000a114084/frameset.htm
Hope this helps you!!
Cheers and Good Luck!!
Remi
Hi
For authorization, you have to create different profiles. For example, we can create roles:
HR Administrator 1 can see all the employee details
HR Administrator 2 can see all employee details except 0008, 0014, 0015 and 2010 etc.
You have to specify very clearly each role and the transaction codes attached to it. You can take the help of your Basis consultant for giving general authorization.
We normally work on object P_ORGIN, where we can restrict the authorization across personnel area, infotype, employee group, employee subgroup, org key etc.
Kindly let me know if you have further doubts on this.
Regards
Santhosh.S
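Added example, not part of either reply above: a simplified Python model for reviewing a set of P_ORGIN authorizations before the role goes to a user. Inside one authorization every field must match, while several authorizations for the same object are alternatives, so a broad authorization left in a copied role overrides a narrow one. The personnel areas, employee subgroups and role contents are constructed; the infotypes are the ones named in the thread.

```python
# Added illustration, not code from the thread. Simplified model: values are
# exact strings or "*"; real profiles also accept ranges and patterns.
FIELDS = ("AUTHC", "INFTY", "PERSA", "PERSG", "PERSK", "SUBTY", "VDSK1")

def make_auth(**restricted):
    """One P_ORGIN authorization; fields not named default to '*'."""
    return {f: set(restricted.get(f, ["*"])) for f in FIELDS}

def auth_allows(auth, request):
    """Inside one authorization every field must match (AND)."""
    return all("*" in auth[f] or request[f] in auth[f] for f in FIELDS)

def role_allows(auths, request):
    """Authorizations for the same object are alternatives (OR)."""
    return any(auth_allows(a, request) for a in auths)

def find_leaks(auths, protected, levels=("R", "W")):
    """Return (level, infotype) pairs the role grants on protected records."""
    return [(lvl, p["INFTY"]) for p in protected for lvl in levels
            if role_allows(auths, {**p, "AUTHC": lvl})]

def record(infty, persa, persk):
    """Constructed request for one infotype of one employee."""
    return {"INFTY": infty, "PERSA": persa, "PERSG": "1", "PERSK": persk,
            "SUBTY": "", "VDSK1": ""}

# Constructed values: personnel area 1000 is restricted, M1 = managers.
PROTECTED = [record(i, "1000", "M1") for i in ("0008", "0014", "0015")]
STAFF = ["S1", "S2"]

# Narrow authorization plus a broad read-only one left in the role.
ROLE_LEAKY = [make_auth(AUTHC=["R", "M", "W"], PERSA=["1000"], PERSK=STAFF),
              make_auth(AUTHC=["R"])]
# One authorization per personnel area, no catch-all.
ROLE_TIGHT = [make_auth(AUTHC=["R", "M", "W"], PERSA=["1000"], PERSK=STAFF),
              make_auth(AUTHC=["R", "M", "W"], PERSA=["2000"])]

if __name__ == "__main__":
    print("leaky:", find_leaks(ROLE_LEAKY, PROTECTED))
    print("tight:", find_leaks(ROLE_TIGHT, PROTECTED))
```

The leaky role still grants read access to the managers' records through its second authorization; the tight role grants nothing on them while keeping staff in area 1000 and everyone in area 2000 maintainable.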