12-03-2013 5:15 PM
Hi,
I think I have the answer but some confirmation that I have it interpreted it correctly would be a big help
We use structural Authorisations and use the indirect method of granting access to user IDs ( User ID connected to personnel number, connected to position number where all role and PD profile access( structural authorisations) are held.
We do have issues where some users have a more general HR access , but also need to enter sickness absence for their staff so require access to a smaller range of org units just to enter sickness records ( not see sickness personal data that is not to do with their team ), we don't use context sensitive' solution so we have to create 2nd user ids.
These second user IDs are connected to 'additional position numbers' that are held in their own 'additional structure' i.e outside of the main HR structure where the userID will sit. It has come to light that these users with the second user ID are able to update their own sickness record( IT0082, It2001) even though the role has P_PERNR is set as D,E,S,W, It0082,It2001, 'E' * to deny this to the user. The user ID is in the table ( OOSB) with access to just the relevant org units.
I feel that its may be happening because there is no link between the user id and a personnel number ( because one does not exist, as this is just a second ID that has been linked to an 'additional position and org unit ') so SAP cannot make the connection to where this 'sits' in the org structure. The 2nd User ID will pick only pick up access to the org units that is has been granted access to via PD profiles to areas in the Main HR structure and will deny access to anything outside of this, which is correct, it just being able to stop the user from updating their own records that is the issue.
Is this on the right lines
thanks
Debbie
12-04-2013 7:19 AM
I feel that its may be happening because there is no link between the user id and a personnel number ( because one does not exist, as this is just a second ID that has been linked to an 'additional position and org unit ') so SAP cannot make the connection to where this 'sits' in the org structure.
Looks like you have indeed given the answer here. P_PERNR is of no use when the IT0105 connection isn't maintained for the logged on user.
12-04-2013 7:19 AM
I feel that its may be happening because there is no link between the user id and a personnel number ( because one does not exist, as this is just a second ID that has been linked to an 'additional position and org unit ') so SAP cannot make the connection to where this 'sits' in the org structure.
Looks like you have indeed given the answer here. P_PERNR is of no use when the IT0105 connection isn't maintained for the logged on user.
12-04-2013 10:57 AM
Hi, Jurjen,
Thanks for this
Do you know if it has always been like this ? We first started to use this method back in 2005ish and it seemed to work then ok
Regards Debbie
01-01-2014 5:51 PM
Hi Debbie
The second user id, which you are assigning through the positions in the alternative structure are this ID able to be recognised to the person perhaps through a customer made subtype such as IT0105/ 9001 or a relation between US and P in HRP1001?
As Heeck also mentioned a missing communication user ID represented through IT0105/ 0001 will result in no recognition of the user to a personnel number PERNR, so P_PERNR will regard the 2nd user ID as an “E”, which gives it access to update their own records.
So if my pre requisite is correct and you:
Then you could try to solve it with a function module, which will eliminate the 2nd user ID from access to its own personnel number. This could be solved in two ways:
Br Niels Knuzen
01-07-2014 3:51 PM
Hi Niels,
Thanks you for the reply, In answer to some of your ideas
For the 2nd user ID there is NO personnel number of any kind, the ID has just been attached to a position number that is only related to the 'additional org unit'
e,g
Position XXRD0000009 Helen Salter 2nd Id for Sickness
Planning Status Active
Relationships 01 S 50224919 1
1.1.2000 - 3.12.9999 A 003 belongs to O 50224761 XXRD
8.6.2012 - 31.12.9999 A 008 Holder US SLATERH1 Slater
8.6.2012 - 31.12.9999 B007 is describe AG ZS:HR SICKNESS ABSENCE
So here is the evidence as there is no IT0105 available, we have used the position to identify the person
Non Payroll staff can be set up with a personnel number, looks like it would be easier for us to persuade the HR people that this needs to be done
thanks for your help
Regards
Debbie
01-09-2014 6:40 AM