on 05-28-2013 9:45 AM
Dear Experts,
Can you please let me know how to restrict users from editing their own master data through PA30?
For example, the user's own IT0002, IT0006, IT0007, IT0008, etc. records should not be editable by the user, but the user should be allowed to edit other employees' data.
Thanks
Cheera
Hi,
Therefore, you should use the standard authorization object P_PERNR.
This object allows or denies access to the user's own data. The link between user and pernr is made by infotype 0105 subtype 0001.
This is the only HR authorization object that also works in reverse: not only adding rights but also limiting some.
P_PERNR:
AUTHC | Authorization level |
PSIGN | Interpretation of assigned personnel number |
INFTY | Infotype |
SUBTY | Subtype |
PSIGN should be I for Include or E for exclude.
Best regards,
Jonathan
Hi Cheera,
Can you please activate the authorization trace (transaction ST01) and retest this with PA30?
This way we'll see if the objects are checked or not. Because I have my doubts on some points...
Can you please also check that the object P_ABAP is not in the user's role? In particular if this is P_ABAP
REPID *
COARS *
Thanks in advance,
Best regards,
Jonathan
Hi Cheera,
P_ABAP should not be in the role (except for some specific cases).
When you/the user tries, what happens? Can you please send the trace log (ST01 - analysis)?
Yes:
1) infotype 0105 subtype 0001 = link user to pernr
2) T77S0 for AUTSW PERNR
3) add object P_PERNR to role and assign role to user + do a "user compare" or transaction PFUD to synchronize the authorization buffer
4) go to PA30 with the user and access PA30 on modification for IT0008
5) System will not allow you to save the data
6) If ST01 auth trace is activated, you'll see that P_PERNR is checked
Best regards,
Jonathan
Hi Cheera,
Bad luck for ST01. Can you go to transaction HRAUTH and provide me the extract of the objects? In the second tab "user specific" under the button "HR authorization object" for the user accessing his pernr.
If the config is correct, the issue should be within the role/profile definition...
Thanks in advance,
Jonathan
Hi Cheera,
From the file you've sent, I see that some other P_PERNR objects have been assigned to the user:
Object | Profile | Field | Value |
---|---|---|---|
P_PERNR | T-ED29001700 | AUTHC | * |
P_PERNR | T-ED29001700 | INFTY | * |
P_PERNR | T-ED29001700 | PSIGN | * |
P_PERNR | T-ED29001700 | SUBTY | * |
P_PERNR | T-ED51016900 | AUTHC | * |
P_PERNR | T-ED51016900 | INFTY | * |
P_PERNR | T-ED51016900 | PSIGN | * |
P_PERNR | T-ED51016900 | SUBTY | * |
P_PERNR | T-ED51073200 | AUTHC | W |
P_PERNR | T-ED51073200 | INFTY | 0008 |
P_PERNR | T-ED51073200 | PSIGN | E |
P_PERNR | T-ED51073200 | SUBTY | * |
You should remove the P_PERNR with PSIGN * object from profiles T-ED51016900 & T-ED29001700.
In fact, there you're limiting the access on his own pernr but on the other hand, you're allowing him to do everything on him...
You'd better work with PSIGN I or E, this is more understandable...
For more detail, please check the documentation of the authorization object P_PERNR via transaction SU21.
Best regards,
Jonathan
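An added example, not part of the original reply: a small Python check that runs over the extract rows quoted above and reports every P_PERNR authorization with PSIGN * that overlaps a PSIGN E restriction. The function names are hypothetical, and the code encodes only the rule stated in the reply, not SAP's full authorization evaluation.

```python
from collections import defaultdict

# Rows as quoted in the reply above: object | profile | field | value
EXTRACT = """\
P_PERNR | T-ED29001700 | AUTHC | * | |
P_PERNR | T-ED29001700 | INFTY | * | |
P_PERNR | T-ED29001700 | PSIGN | * | |
P_PERNR | T-ED29001700 | SUBTY | * | |
P_PERNR | T-ED51016900 | AUTHC | * | |
P_PERNR | T-ED51016900 | INFTY | * | |
P_PERNR | T-ED51016900 | PSIGN | * | |
P_PERNR | T-ED51016900 | SUBTY | * | |
P_PERNR | T-ED51073200 | AUTHC | W | |
P_PERNR | T-ED51073200 | INFTY | 0008 | |
P_PERNR | T-ED51073200 | PSIGN | E | |
P_PERNR | T-ED51073200 | SUBTY | * |
"""

def parse_extract(text):
    """Group the rows into {(object, profile): {field: value}}."""
    auths = defaultdict(dict)
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 4 or not cells[0]:
            continue  # skip blank or malformed rows
        obj, profile, field, value = cells[:4]
        auths[(obj, profile)][field] = value
    return auths

def covers(pattern, value):
    """True when a field value (exact, or ending in *) covers another value."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def find_conflicts(auths):
    """List (wildcard_profile, restricting_profile, infotype) overlaps."""
    pernr = sorted(((p, f) for (o, p), f in auths.items() if o == "P_PERNR"),
                   key=lambda item: item[0])
    return [(wp, rp, r.get("INFTY"))
            for rp, r in pernr if r.get("PSIGN") == "E"
            for wp, w in pernr if w.get("PSIGN") == "*"
            and all(covers(w.get(k, ""), r.get(k, "")) for k in ("AUTHC", "INFTY", "SUBTY"))]

if __name__ == "__main__":
    for wild, restrict, infty in find_conflicts(parse_extract(EXTRACT)):
        print(f"{wild}: PSIGN * overlaps the PSIGN E restriction in {restrict} (IT{infty})")
```

Rerunning it on a fresh extract after the two PSIGN * authorizations are removed should report nothing.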
This is a Basis issue.
You have to let the Basis consultant create roles for each authorization, either including specific infotypes or not.
You can simply ask the Basis consultant to create a role including all the infotypes except the infotypes you want to restrict; you have the ability to let the user display/change/create/delimit each infotype.