SAP HR Role

Somdeb
Active Participant
0 Kudos
100

Hi Experts,

We have a requirement for creating a new HR role. The user assigned to this role will have to go to the PA20/PA30 screen and search for employees by Personnel Area 0020 only.

We have already assigned Personnel Area 0020 to this role. However, if this user accidentally makes a search by Personnel Subarea in the Search Help, he is able to see all Personnel Areas related to this subarea too.

He should be able to see only Personnel Area 0020 employees.

Can you please help?

Regards,

Somdeb.

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

Create a role with T codes PA20 & PA30.

Keep only one P_ORGIN object

AUTH = M

Personnel Area = 020.

Save and generate the role. Do a user comparison.

If this still doesn't help, use ST01 and talk to the BASIS guys.

Also check if any structural authorizations exist or not.

Hope this helps.

Param

Somdeb
Active Participant
0 Kudos

Hi Experts,

Sorry, but we have an updated requirement now:

1) User should only be able to search for active employees belonging to Personnel Area 0020 in the Search Help in the PA20 screen.

2) When the user selects 'Overview' icon for IT0001 in PA20 screen, he should not be able to see any records other than for Personnel Area: 0020

OR ELSE

Disable 'Overview' icon for this User completely.

Regards,

Somdeb.

paul_davidson
Active Contributor
0 Kudos

Hi,

Now you may have some different problems, as P_ORGIN does not limit to only Active employees. Also, the logic of SAP authorizations does not limit the viewing of records once the individual meets the P_ORGIN requirement for the individual to be viewed. For example, you are now in Personnel Area 0020, so I can access your data in the infotypes permitted in P_ORGIN via PA20. But you previously worked in Personnel Area 0030; since I have access to you in PA20, I can view all your records of the permitted infotypes.

You could create a custom authorization object to include "Status" as a field, that would solve your first problem. But not sure the standard authorization logic can be overcome to solve your second concern. Even if the overview icon was removed, entering the individual infotype record and using the back arrow would still bring up previous records.

Paul

Somdeb
Active Participant
0 Kudos

Hi Paul,

Thank you for the inputs. I was wondering if we could make use of the Administrator Group field in IT0001.

For example, Administrator 0020 will be able to see/maintain employee records belonging to Personnel Area 0020 only.

I am not sure, though, if this will be feasible, and how?

Regards,

Somdeb.

paul_davidson
Active Contributor
0 Kudos

Hi Somdeb,

Even using the Administrator authorization would not solve your concerns about Active Only and prior records when not in PA 0020. You would also have to do the additional work to assign all individuals in PA0020 to the appropriate administrator - new IT0001 Organizational Assignment created for each individual - and keep these up to date.

Best bet is to work with the P_ORGIN authorizations that are assigned to the role for this administrator. There are probably several assigned and you must be careful that one does not override another. As stated previously, one should have AUTHC = M with PERSA = 0020. This would limit searches to only individuals in Personnel Area 0020. Then another P_ORGIN with AUTHC = R with the INFTY entries for the particular infotypes the administrator has read access to. A third may be needed if the administrator has write access to a different group of infotypes, with AUTHC = W.

The problem with seeing records from other areas is due to the time dependency logic in SAP. It is different for read access and write access, but basically if you have view access and the record is valid within your period of authorization, you can see the record.

Paul

Answers (2)

Former Member
0 Kudos

Hi,

If you are using the admin group in IT0001, then all the users assigned to this group will be able to access. However, the problem of retrieving only active employees in search still exists? I would rather suggest modifying the search help screen with an ABAPer to add a status field; then the user can put active status to retrieve the records wanted.

Hope this helps

Regards

Joe

0 Kudos

Dear Somdeb,

Access to personal master data in search helps is controlled by authorisation object P_ORGIN.

Please check the following field values:

- AUTHC = M

- PERSG = 0020

For further analysis you should activate authorisation trace with transaction ST01.

Please check all authorisation checks for object P_ORGIN.

Restricted access is recorded as follows:

09:27:04:973 AUTH - - - P_ORGIN RC=4 INFTY=0002;SUBTY=' ';PERSK=20;VDSK1=PES;AUTHC=M;PERSA=2100;PERSG=1;

Regards

Reinhard
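
Reading the ST01 trace recommended in the answers, as an added example that is not part of the original thread: this Python sketch parses lines in the layout of the one quoted above and lists P_ORGIN checks for personnel areas other than 0020, split into granted and denied. The line layout is assumed from that single quoted line, the function names are hypothetical, and every sample line except the first is constructed.

```python
import re

# Layout copied from the single trace line quoted in the post; a real ST01
# export may use different columns (assumption).
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+AUTH(?:\s+-)*\s+"
    r"(?P<object>\S+)\s+RC=(?P<rc>\d+)\s+(?P<fields>.*)$"
)

def parse_trace_line(line):
    """Return a dict for one authorization-check line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for pair in m.group("fields").split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key.strip()] = value.strip().strip("'")
    return {"time": m.group("time"), "object": m.group("object"),
            "rc": int(m.group("rc")), "fields": fields}

def checks_outside_area(lines, allowed_persa=("0020",), obj="P_ORGIN"):
    """Split checks on `obj` for other personnel areas into (granted, denied).

    RC=0 means the check passed; any other return code means it was refused.
    """
    granted, denied = [], []
    for check in filter(None, map(parse_trace_line, lines)):
        if check["object"] != obj or check["fields"].get("PERSA") in allowed_persa:
            continue
        (granted if check["rc"] == 0 else denied).append(check)
    return granted, denied

# First line is the one quoted in the post; the rest are constructed samples.
SAMPLE_TRACE = [
    "09:27:04:973 AUTH - - - P_ORGIN RC=4 INFTY=0002;SUBTY=' ';PERSK=20;VDSK1=PES;AUTHC=M;PERSA=2100;PERSG=1;",
    "09:27:05:101 AUTH - - - P_ORGIN RC=0 INFTY=0001;SUBTY=' ';PERSK=20;VDSK1=PES;AUTHC=M;PERSA=0020;PERSG=1;",
    "09:27:05:230 AUTH - - - P_ORGIN RC=0 INFTY=0001;SUBTY=' ';PERSK=20;VDSK1=PES;AUTHC=R;PERSA=0030;PERSG=1;",
    "09:27:05:300 AUTH - - - S_TCODE RC=0 TCD=PA20;",
    "constructed header line that is not an authorization check",
]

if __name__ == "__main__":
    granted, denied = checks_outside_area(SAMPLE_TRACE)
    for label, checks in (("GRANTED", granted), ("denied", denied)):
        for c in checks:
            f = c["fields"]
            print(label, c["time"], f.get("AUTHC"), f.get("PERSA"), f.get("INFTY"))
```

Any entry in the granted list is a check that passed for a personnel area the role was not meant to cover, which is the case to compare against the P_ORGIN instances in the role.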