Former Member

Structural Authorisations - Connection to IT0105


Hi,

I think I have the answer, but some confirmation that I have interpreted it correctly would be a big help 😊

We use structural authorisations and use the indirect method of granting access to user IDs (user ID connected to personnel number, connected to position number, where all role and PD profile access (structural authorisations) are held).

We do have issues where some users have a more general HR access, but also need to enter sickness absence for their staff, so require access to a smaller range of org units just to enter sickness records (not see sickness personal data that is not to do with their team). We don't use the 'context sensitive' solution, so we have to create 2nd user IDs.

These second user IDs are connected to 'additional position numbers' that are held in their own 'additional structure', i.e. outside of the main HR structure where the user ID will sit. It has come to light that these users with the second user ID are able to update their own sickness record (IT0082, IT2001) even though the role has P_PERNR set as D,E,S,W, IT0082, IT2001, 'E' * to deny this to the user. The user ID is in the table (OOSB) with access to just the relevant org units.

I feel that it may be happening because there is no link between the user ID and a personnel number (because one does not exist, as this is just a second ID that has been linked to an 'additional position and org unit'), so SAP cannot make the connection to where this 'sits' in the org structure. The 2nd user ID will only pick up access to the org units that it has been granted access to via PD profiles to areas in the main HR structure and will deny access to anything outside of this, which is correct; it's just being able to stop the user from updating their own records that is the issue.

Is this on the right lines?

thanks

Debbie


2 Answers

  • Best Answer
    Former Member
    Dec 04, 2013 at 07:19 AM

    I feel that it may be happening because there is no link between the user ID and a personnel number (because one does not exist, as this is just a second ID that has been linked to an 'additional position and org unit'), so SAP cannot make the connection to where this 'sits' in the org structure.

    Looks like you have indeed given the answer here. P_PERNR is of no use when the IT0105 connection isn't maintained for the logged on user.


    • Former Member

      Hi, Jurjen,

      Thanks for this 😊

      Do you know if it has always been like this? We first started to use this method back in 2005ish and it seemed to work OK then.

      Regards Debbie

  • Former Member
    Jan 01, 2014 at 05:51 PM

    Hi Debbie

    The second user ID, which you are assigning through the positions in the alternative structure: is this ID able to be recognised to the person, perhaps through a customer-made subtype such as IT0105/9001 or a relation between US and P in HRP1001?

    As Heeck also mentioned, a missing communication user ID represented through IT0105/0001 will result in no recognition of the user to a personnel number (PERNR), so P_PERNR will regard the 2nd user ID as an “E”, which gives it access to update their own records.

    So if my prerequisite is correct and you:

    1. Have some kind of recognition of 2nd user ID and personnel number
    2. Grant access to employees through the eval. path O - O - S - P, or similar access from org unit.

    Then you could try to solve it with a function module, which will eliminate the 2nd user ID from access to its own personnel number. This could be solved in two ways:

    1. Create a structural profile which reads the personnel number of the 2nd user ID. This could be done through a custom function module which picks up the P object of the 2nd user ID. Assign it to the user in OOSB/T77UA and mark the exclusion button. This structural profile is dynamic and can therefore be reused for all those users who have a general access to HR and who can be recognised to an employee number through their 2nd user ID (some way or the other).
    2. Create a structural profile which uses a custom-made function module. This function module reads those org units, positions and employees the user should be granted access to, but before the function module returns the object IDs to the structural profile in T77PR it should eliminate the employee number/PERNR for the 2nd user ID. Result: it will not grant structural access to himself.


    Br Niels Knuzen
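
Added example (not part of the thread and not SAP code): a Python audit over constructed extracts of T77UA and PA0105 that lists users holding an active structural profile with no valid IT0105 subtype 0001 record, the condition under which the answers above say P_PERNR cannot tie the user to a personnel number. The user names, profile names, and the use of a custom subtype 9001 in `filter_own_pernr` (which mirrors the second option above by dropping the user's own P object) are assumptions.

```python
# Constructed stand-ins for table extracts; user and profile names are invented.
T77UA = [  # user -> structural profile assignment
    {"UNAME": "HRGEN01", "PROFL": "Z_HR_ALL", "BEGDA": "20130101", "ENDDA": "99991231"},
    {"UNAME": "HRGEN01_2", "PROFL": "Z_SICK_TEAM", "BEGDA": "20130101", "ENDDA": "99991231"},
    {"UNAME": "OLDUSER", "PROFL": "Z_SICK_TEAM", "BEGDA": "20100101", "ENDDA": "20121231"},
]
PA0105 = [  # infotype 0105 (communication) records
    {"PERNR": "00001234", "SUBTY": "0001", "USRID": "HRGEN01", "BEGDA": "20050101", "ENDDA": "99991231"},
    {"PERNR": "00001234", "SUBTY": "9001", "USRID": "HRGEN01_2", "BEGDA": "20130101", "ENDDA": "99991231"},
]


def _active(row, key_date):
    # SAP dates as YYYYMMDD strings compare correctly as text.
    return row["BEGDA"] <= key_date <= row["ENDDA"]


def linked_pernr(user, pa0105, key_date, subtypes=("0001",)):
    """Return the PERNR tied to `user` by an active IT0105 record, else None."""
    for row in pa0105:
        if (row["SUBTY"] in subtypes and row["USRID"].upper() == user.upper()
                and _active(row, key_date)):
            return row["PERNR"]
    return None


def users_without_link(t77ua, pa0105, key_date):
    """Users with an active structural profile but no IT0105/0001 record."""
    users = {r["UNAME"].upper() for r in t77ua if _active(r, key_date)}
    return sorted(u for u in users if linked_pernr(u, pa0105, key_date) is None)


def filter_own_pernr(user, objects, pa0105, key_date):
    """Drop the user's own P object from a structural object list.

    Assumption: the second ID is tied to the person by a custom subtype 9001.
    """
    own = linked_pernr(user, pa0105, key_date, subtypes=("0001", "9001"))
    return [(otype, objid) for otype, objid in objects
            if not (otype == "P" and objid == own)]


if __name__ == "__main__":
    print(users_without_link(T77UA, PA0105, "20140101"))
```
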
