
Restrict own master data changes

Former Member
0 Kudos

Dear Experts,

Can you please let me know how to restrict users from editing their own master data through PA30?

For example, IT0002, IT0006, IT0007, IT0008, etc. records should not be editable by the user themselves, but editing other employees' data should be allowed.

Thanks

Cheera

Accepted Solutions (1)


JonathanM
Contributor
0 Kudos

Hi,

Therefore, you should use the standard authorization object P_PERNR.

This object allows or denies access to the user's own data. The link between user and pernr is made by infotype 0105 subtype 0001.

This is the only HR authorization object that also works in reverse: not only adding rights but also limiting some.

P_PERNR:

AUTHC  Authorization level
PSIGN  Interpretation of assigned personnel number
INFTY  Infotype
SUBTY  Subtype

PSIGN should be I for Include or E for exclude.

Best regards,

Jonathan

Former Member
0 Kudos

Hi Jonathan,

I have maintained the IT0105 user name and created a role with your inputs; PSIGN is given as E,

but it is still allowing the employee to edit his own master data.

Please let me know if anything else has to be maintained.

Thanks

Cheera

JonathanM
Contributor
0 Kudos

Hi Cheera,

Did you check if the flag was activated? Transaction OOAC (or table T77S0) for AUTSW - PERNR entry should be on "1".

The object P_PERNR should be like:

AUTHC W

PSIGN E

INFTY 0008

SUBTY *

Can you please check this?

Best regards,

Jonathan

Former Member
0 Kudos

Hi Jonathan,

Yes, the flag is activated and maintained as per your inputs, but it's still allowing him to edit his data.

Waiting for your inputs, if any...

Thanks

Cheera

JonathanM
Contributor
0 Kudos

Hi Cheera,

Can you please activate the authorization trace (transaction ST01) and retest this with PA30?

This way we'll see if the objects are checked or not. Because I have my doubts on some points...

Can you please also check that the object P_ABAP is not in the user's role? In particular if this is P_ABAP

REPID *

COARS *

Thanks in advance,

Best regards,

Jonathan

Former Member
0 Kudos

Hi Jonathan,

No, it still remains the same, even though I have done everything you suggested.

Please help me out with this....

1. IT0105 - user ID

2. T77S0 - activate

3. ST01 switch on

4. Role

5. Maintained P_ABAP as suggested in one of the roles existing for this user.

Thanks

Cheera

JonathanM
Contributor
0 Kudos

Hi Cheera,

P_ABAP should not be in the role (except for some specific cases).

When you/the user tries, what is happening? Can you please send the trace log (ST01 - analysis)?

Yes:

1) infotype 0105 subtype 0001 = link user to pernr

2) T77S0 for AUTSW PERNR

3) add object P_PERNR to role and assign role to user + do a "user compare" or transaction PFUD to synchronize the authorization buffer

4) go to PA30 with the user and access PA30 on modification for IT0008

5) System will not allow you to save the data

6) If ST01 auth trace is activated, you'll see that P_PERNR is checked

Best regards,

Jonathan

Former Member
0 Kudos

Dear Jonathan,

No use, I have tried as it is but problem remains the same.

Thanks

Cheera

JonathanM
Contributor
0 Kudos

Hi Cheera,

Did you try with the authorization activated? Can you please send/show me the analysis of the trace (transaction ST01) for the test user with the access with PA30 transaction on his pernr?

Thanks in advance,

Jonathan

Former Member
0 Kudos

Dear Jonathan,

The user does not have ST01 access, please find the PA30 screen changed today just now.

Thanks

Cheera

JonathanM
Contributor
0 Kudos

Hi Cheera,

Bad luck for ST01. Can you go to transaction HRAUTH and provide me the extract of the objects? In the second tab "user specific" under the button "HR authorization object" for the user accessing his pernr.

If the config is correct, the issue should be within the role/profile definition...

Thanks in advance,

Jonathan

Former Member
0 Kudos

Dear Jonathan,

Even for this Tcode the user does not have access, but I have extracted it by logging in through another user and mentioning the test user ID under user specific -> user name.

Thanks

Cheera

JonathanM
Contributor
0 Kudos

Hi Cheera,

From the file you've sent, I see that some other P_PERNR objects have been assigned to the user:

Object   Profile       Field  Value
P_PERNR  T-ED29001700  AUTHC  *
P_PERNR  T-ED29001700  INFTY  *
P_PERNR  T-ED29001700  PSIGN  *
P_PERNR  T-ED29001700  SUBTY  *
P_PERNR  T-ED51016900  AUTHC  *
P_PERNR  T-ED51016900  INFTY  *
P_PERNR  T-ED51016900  PSIGN  *
P_PERNR  T-ED51016900  SUBTY  *
P_PERNR  T-ED51073200  AUTHC  W
P_PERNR  T-ED51073200  INFTY  0008
P_PERNR  T-ED51073200  PSIGN  E
P_PERNR  T-ED51073200  SUBTY  *

You should remove the P_PERNR with PSIGN * object from profiles T-ED51016900 & T-ED29001700.

In fact, there you're limiting the access on his own pernr but on the other hand, you're allowing him to do everything on himself...

You had better work with PSIGN I or E, this is more understandable...

For more detail, please check the documentation of the authorization object P_PERNR via transaction SU21.

Best regards,

Jonathan
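The check described in the answer above, as an added example that is not part of the original thread: a small Python lint that groups extract rows per profile and reports every P_PERNR authorization with PSIGN * that overlaps a PSIGN E restriction. The whitespace-separated input layout and the function names are assumptions; it assumes one P_PERNR authorization per profile, as in the quoted extract, handles only single values or a full `*`, and is a review aid, not SAP's own evaluation logic.

```python
from collections import defaultdict
# Rows from the extract quoted in the thread: object, profile, field, value.
# The whitespace-separated layout is an assumption of this example.
EXTRACT = """\
P_PERNR T-ED29001700 AUTHC *
P_PERNR T-ED29001700 INFTY *
P_PERNR T-ED29001700 PSIGN *
P_PERNR T-ED29001700 SUBTY *
P_PERNR T-ED51016900 AUTHC *
P_PERNR T-ED51016900 INFTY *
P_PERNR T-ED51016900 PSIGN *
P_PERNR T-ED51016900 SUBTY *
P_PERNR T-ED51073200 AUTHC W
P_PERNR T-ED51073200 INFTY 0008
P_PERNR T-ED51073200 PSIGN E
P_PERNR T-ED51073200 SUBTY *
"""
FIELDS = ("AUTHC", "INFTY", "SUBTY")

def group_authorizations(extract, obj="P_PERNR"):
    """Fold flat field rows into one {field: value} dict per profile."""
    auths = defaultdict(dict)
    for line in extract.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == obj:
            auths[parts[1]][parts[2]] = parts[3]
    return dict(auths)

def overlaps(a, b):
    """Single values or a full '*' only; ranges and patterns are not handled."""
    return a == "*" or b == "*" or a == b

def find_psign_conflicts(extract):
    """Return (wildcard_profile, restricting_profile, infotype) triples."""
    auths = group_authorizations(extract)
    findings = []
    for profile, auth in sorted(auths.items()):
        if auth.get("PSIGN") != "*":
            continue  # only PSIGN * entries are flagged, per the advice above
        for r_profile, r in sorted(auths.items()):
            if r.get("PSIGN") == "E" and all(
                overlaps(auth.get(f, ""), r.get(f, "")) for f in FIELDS
            ):
                findings.append((profile, r_profile, r.get("INFTY")))
    return findings

if __name__ == "__main__":
    for wild, restrict, infty in find_psign_conflicts(EXTRACT):
        print(f"{wild}: PSIGN * overlaps PSIGN E in {restrict} (INFTY {infty})")
```

Run against the extract from the thread, it flags both T-ED29001700 and T-ED51016900 against the IT0008 restriction in T-ED51073200; once those two authorizations are removed, it reports nothing.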

Former Member
0 Kudos

Excellent Jonathan,

Thanks a lot!!!  Issue solved as per your inputs...

Thanks

Cheera

Answers (1)


Former Member
0 Kudos

This is a Basis issue.

You have to let the Basis consultant create roles for each authorization, either to include specific infotypes or not.

Simply, you can ask the Basis consultant to create a role including all the infotypes except the infotypes you want to restrict; you have the ability to let the user display/change/create/delimit each infotype.