cancel
Showing results for 
Search instead for 
Did you mean: 

Control Workflow Report output using Structural Authorization

Former Member
0 Kudos

Is it possible to control output of Workflow Reports using Structural Authorizatins. E.g. Workflow Admins having access to tcode SWi2_FREQ will be able to see project wide data, but i want to restrict the workflow admins at department level from seeing workflow data for other departments. is that possible using Structural authorizations or any other mechanism?

My understanding is that Structural authorizations pretty much control PA/PD, and not other modules. I did a quick test,

1) Created a org structure

2) Created employees, users, and set up structural authorizations

Now when users are granted authorization to PA20, they are restricted to what they should be seeing, but when they are granted authorization for workflow admin reports, structural authorization don't seem to work, they are able to see data for workflow triggered for other departments as well. Is that the standard behavior or i am missing something. I don't have enough experience with Structural auth.

I will appreciate any guidance on this matter.

Thanks,

Saurabh

Accepted Solutions (0)

Answers (3)

Answers (3)

Former Member
0 Kudos

Where in the workflow task i can hardcode Org. unit?

regarding variants, do you mean report variants, and if yes, how do we restrict users to one paricular variant using security profiles?

Thanks,

Saurabh

Former Member
0 Kudos

This thing should be determined in the method. Suppose for US Countries there should be a different Task and hence this can be restricted. According to different countries theres should be different Standard task in Workflow Template. The design would be huge but this will facilitate this requirement.

<b>Reward points if useful</b>

KKilhavn
Active Contributor
0 Kudos

Arghadip, please explain how this will prevent someone from Norway from looking at the workflow log of a workflow for an employee belonging to the Danish part of the organisation.

<i>Message was edited by Kjetil Kilhavn:</i>

To explain a bit more in detail: how does this prevent me (Norwegian) from going into SWI1, SWIA or any other transaction, and looking at data from other parts of the organisation. I don't think it will work.

I think the only way to achieve this is to either modify SAP's standard code and include some structural authorisation checks - or take the standard transactions out from every user role and create your own wrappers or program copies which basically does the same as the modification would have to do.

KKilhavn
Active Contributor
0 Kudos

I'm quite sure that is standard behaviour. I think structural authorization was created to limit the possibility to see sensitive data that you are not supposed to have access to. Workflow data will in general not be sensitive, unless you start displaying the attached personnel data objects - but then the structural authorizations will probably kick in.

Structural authorizations are checked using a function module call I mean to remember from a debugging session some years ago. You could of course (but it was not recommended by me if anyone asks...) implement a modification in the standard SAP reports if this requirement can not be avoided.

Former Member
0 Kudos

Yes you can restrict that by providing Task in the Filter part of SWI2_FREQ. In the Task part it should have Organization Unit hardcoded. So for each User you need to create variant and use Roles to restrict them accordingly

<b>Reward Points if useful</b>