
Structural Authorisations - Connection to IT0105

Former Member
0 Kudos


Hi,

I think I have the answer, but some confirmation that I have interpreted it correctly would be a big help.

We use structural authorisations and use the indirect method of granting access to user IDs (user ID connected to personnel number, connected to position number, where all role and PD profile access (structural authorisations) are held).

We do have issues where some users have a more general HR access, but also need to enter sickness absence for their staff, so require access to a smaller range of org units just to enter sickness records (not see sickness personal data that is not to do with their team). We don't use the 'context sensitive' solution, so we have to create 2nd user IDs.

These second user IDs are connected to 'additional position numbers' that are held in their own 'additional structure', i.e. outside of the main HR structure where the user ID will sit. It has come to light that these users with the second user ID are able to update their own sickness record (IT0082, IT2001) even though the role has P_PERNR set as D,E,S,W, IT0082, IT2001, 'E' * to deny this to the user. The user ID is in the table (OOSB) with access to just the relevant org units.

I feel that it may be happening because there is no link between the user ID and a personnel number (because one does not exist, as this is just a second ID that has been linked to an 'additional position and org unit'), so SAP cannot make the connection to where this 'sits' in the org structure. The 2nd user ID will only pick up access to the org units that it has been granted access to via PD profiles to areas in the main HR structure and will deny access to anything outside of this, which is correct; it is just being able to stop the user from updating their own records that is the issue.

Is this on the right lines?

thanks

Debbie

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos

I feel that it may be happening because there is no link between the user ID and a personnel number (because one does not exist, as this is just a second ID that has been linked to an 'additional position and org unit'), so SAP cannot make the connection to where this 'sits' in the org structure.

Looks like you have indeed given the answer here. P_PERNR is of no use when the IT0105 connection isn't maintained for the logged on user.

5 REPLIES 5

0 Kudos

Hi, Jurjen,

Thanks for this

Do you know if it has always been like this? We first started to use this method back in 2005ish and it seemed to work OK then.

Regards Debbie

Former Member
0 Kudos

Hi Debbie

The second user ID, which you are assigning through the positions in the alternative structure: is this ID able to be recognised to the person, perhaps through a customer-made subtype such as IT0105/9001 or a relation between US and P in HRP1001?

As Heeck also mentioned, a missing communication user ID represented through IT0105/0001 will result in no recognition of the user to a personnel number PERNR, so P_PERNR will regard the 2nd user ID as an “E”, which gives it access to update their own records.

So if my prerequisite is correct and you:

  1. Have some kind of recognition of 2nd user ID and personnel number
  2. Grant access to employees through the eval. path O - O - S - P/ or similar access from org unit.

Then you could try to solve it with a function module, which will eliminate the 2nd user ID from access to its own personnel number. This could be solved in two ways:

  1. Create a structural profile which reads the personnel number of the 2nd user ID. This could be done through a custom function module which picks up the P object of the 2nd user ID. Assign it to the user in OOSB/T77UA and mark the exclusion button. This structural profile is dynamic and can therefore be reused for all those users who have a general access to HR and who can be recognised to an employee number through their 2nd user ID (some way or the other).
  2. Create a structural profile which uses a custom-made function module. This function module reads those org units, positions and employees the user should be granted access to, but before the function module returns the object IDs to the structural profile in T77PR it should eliminate the employee number/PERNR for the 2nd user ID. Result: it will not grant structural access to himself.


Br Niels Knuzen

0 Kudos

Hi Niels,

Thank you for the reply. In answer to some of your ideas:

For the 2nd user ID there is NO personnel number of any kind; the ID has just been attached to a position number that is only related to the 'additional org unit',
e.g.

Position XXRD0000009  Helen Salter 2nd Id for Sickness

Planning Status Active

Relationships 01 S 50224919 1

1.1.2000 - 3.12.9999  A 003 belongs to O 50224761  XXRD

8.6.2012 - 31.12.9999 A 008 Holder US SLATERH1 Slater

8.6.2012 - 31.12.9999 B007 is describe  AG ZS:HR SICKNESS ABSENCE

So here is the evidence: as there is no IT0105 available, we have used the position to identify the person.

Non-payroll staff can be set up with a personnel number; it looks like it would be easier for us to persuade the HR people that this needs to be done.

thanks for your help

Regards

Debbie
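
An added audit sketch for the situation discussed above (not part of the thread and not SAP code): it lists user IDs that hold a position through an A 008 relationship to object type US but have no valid IT0105 subtype 0001 record on the key date, which per the accepted answer are the IDs P_PERNR cannot restrict. The rows are constructed samples shaped like HRP1001 and PA0105 extracts; the user names, object IDs, personnel numbers and key date are assumptions.

```python
from datetime import date

FOREVER = date(9999, 12, 31)
KEY_DATE = date(2014, 1, 1)  # assumed evaluation date

# Constructed sample extracts (not real data); field names follow HRP1001 and PA0105.
HRP1001 = [  # position (S) held by a system user (US) via relationship A 008
    dict(OTYPE="S", OBJID="90000001", RSIGN="A", RELAT="008", SCLAS="US",
         SOBID="SICK_ID_02 ", BEGDA=date(2012, 6, 8), ENDDA=FOREVER),
    dict(OTYPE="S", OBJID="90000002", RSIGN="A", RELAT="008", SCLAS="US",
         SOBID="HR_MAIN_01", BEGDA=date(2010, 1, 1), ENDDA=FOREVER),
    dict(OTYPE="S", OBJID="90000003", RSIGN="A", RELAT="008", SCLAS="US",
         SOBID="LEAVER_03", BEGDA=date(2011, 1, 1), ENDDA=FOREVER),
    dict(OTYPE="S", OBJID="90000001", RSIGN="A", RELAT="003", SCLAS="O",
         SOBID="80000001", BEGDA=date(2000, 1, 1), ENDDA=FOREVER),  # not a holder row
]
PA0105 = [  # IT0105: subtype 0001 maps a personnel number to a system user
    dict(PERNR="00001001", USRTY="0001", USRID="HR_MAIN_01",
         BEGDA=date(2010, 1, 1), ENDDA=FOREVER),
    dict(PERNR="00001003", USRTY="0001", USRID="LEAVER_03",
         BEGDA=date(2011, 1, 1), ENDDA=date(2013, 3, 31)),  # delimited before KEY_DATE
    dict(PERNR="00001002", USRTY="0010", USRID="SICK_ID_02",
         BEGDA=date(2012, 6, 8), ENDDA=FOREVER),  # a subtype other than 0001
]

def valid_on(row, key_date):
    """True when the record's validity period covers key_date."""
    return row["BEGDA"] <= key_date <= row["ENDDA"]

def linked_users(pa0105, key_date):
    """Users that have a valid IT0105 subtype 0001 record on key_date."""
    return {r["USRID"].strip().upper() for r in pa0105
            if r["USRTY"] == "0001" and valid_on(r, key_date)}

def unlinked_position_holders(hrp1001, pa0105, key_date):
    """Map user -> positions held, for holders with no valid IT0105/0001 link."""
    linked = linked_users(pa0105, key_date)
    findings = {}
    for r in hrp1001:
        is_holder = (r["OTYPE"], r["RSIGN"], r["RELAT"], r["SCLAS"]) == ("S", "A", "008", "US")
        user = r["SOBID"].strip().upper()  # extracts may pad the related object ID
        if is_holder and valid_on(r, key_date) and user not in linked:
            findings.setdefault(user, []).append(r["OBJID"])
    return findings

if __name__ == "__main__":
    for user, positions in sorted(unlinked_position_holders(HRP1001, PA0105, KEY_DATE).items()):
        print(f"{user}: holds {positions}, no valid IT0105/0001 link on {KEY_DATE}")
```

Checking validity on a key date matters here: a delimited IT0105 record leaves the user ID just as unlinked as one that never had a record.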

0 Kudos

Hi Debbie

I am pretty sure they can be persuaded 🙂

BR Niels