cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Issue in structural authorization

Former Member

on ‎10-02-2014 11:34 AM

0 Kudos

Hi Gurus,

Good day.

We have an issue on Structural Authorization.

Our setup:

In Tcode OOSP

Auth. Profile               No     Plan Vers.          Obj. Type          Object I          Maint          Eval Path          Status vec

ZHRLINE100               5          1                         O                   100000               X          O-O_DOWN               12

ISSUE: There's a staff (ie pernr 100) under an OU (ie 100020) that is also under the main OU 100000 that they dont want to display.

Since all the profiles are using the above setup in OOSP they were able to see in PA20 staff 100.

Is there a way in Structural authorization to prevent all line managers from seeing the record of staff 100?

Thanks.

Cris

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

Former Member
‎10-07-2014 2:15 PM
0 Kudos

Hi Dimitri,

If i enter the pernr in PA20 the record is not being displayed for employee 2 all blanks.

But for employee 1 i can see the record in PA20.

thanks.

Show replies
Show replies
former_member74904
Contributor
‎10-07-2014 3:03 PM
0 Kudos

Alright, that makes sense.

Please let me know when you get the chance trying the other evaluation path.

You can also use transaction HRAUTH to get a nice overview of the authorized objects per user.

That way you can easily see if changing the evaluation path has the desired effect.

Stephen_B
Participant
‎10-08-2014 5:30 AM
0 Kudos

Hi Crisostomo Ibarra,

My guess is that PERNR 2 have corrupted data or it's relationship to the Org Unit has been delimited already.

But to answer your original question:

'Is there a way in Structural authorization to prevent all line managers from seeing the record of staff 100?'

Delete the line with the '1000000' org unit and configure the structural authorization profile with all the 'child' org units of 10000000 instead BUT exclude OU '10000020' - or the org unit where the employee you want to exclude belongs.

The new profile can look like the ff: The object ids are the 'child' OUs of OU 10000000.

Auth. Profile               No     Plan Vers.          Obj. Type          Object I          Maint          Eval Path          Status vec

ZHRLINE100               5          1                         O                   100010               X          O-O_DOWN

ZHRLINE100               6          1                         O                   100030               X          O-O_DOWN

ZHRLINE100               7          1                         O                   100040               X          O-O_DOWN

PS. I like your user name.

Cheers

Stephen

Former Member
‎10-07-2014 1:51 PM
0 Kudos

Apologies for any confusion.

As we progress on this is it quite a bit confusing.

To summarize, we have the below setting for structural auth:

In Tcode OOSP

Auth. Profile      No     Plan Vers.  Obj. Type       Object I          Maint          Eval Path          Status vec

ZHRLINE100      5          1                O              100000               X          O-O_DOWN               12

When user with this profile execute PA20, in search help Org assignment tab we enter the org unit of employee 1 and 2 (they both belong to same OU under mother OU 100000). However, only employee 1 record is being displayed in the hit list. (this happens to all line managers with the same profile). The other employee 2 is not being displayed.

Hope this gives more clarity.

Thanks.

Show replies
Show replies
former_member74904
Contributor
‎10-07-2014 2:07 PM
0 Kudos

Crisostomo,

First, would you mind trying to change the evaluation path to O-O-S-P and see if the employee of the subordonate OU is being displayed then?

Also, you mention that the employee is not being displayed in the hitlist (F4) of PA20's search. If you enter the corresponding PERNR directly in PA20, are you able to display any infotype of this employee?

Good luck!

Dimitri.

Former Member
‎10-07-2014 10:52 PM
0 Kudos

Hi,

this is weird. O-O_DOWN should not give users any access to any people. Just to Orgunits. Or have you changed O-O_OUT? .Are you sure you have structural authorisation for employees and OM-Integration switched on?

What is the value for the following T77S0 entries:

AUTSW - ORGPD

PLOGI - ORGA

Are the two employees assigned to a position in OM or is the position or orgunit just captured in infotype 0001?

Or do these users have any further structural profiles apart from O-O_DOWN?

Are you sure structural authorisation is the problem?

Dimitri's suggestion of using the proper evaluation path may solve your problem. Please try that.

But that still leaves you with the problem, why, without using teh right authorisation path one personnel number was visible.With standard O-O_DOWN, you should see no employees at all.

many possible reasons - if integration and structural auth are activated propely, data is most likely. Please check both emplyees are really assigned with teh right relationships at teh right point in time.

kind regards

Sven

Former Member
‎10-02-2014 5:05 PM
0 Kudos

Hi,

Just to clarify:

It is just this one individual you don't want to be seen?

You could use the exclude option in struct auth from his position, but "exclude" has been a bit arbitrary in the past, so I avoid it. But do try.

Alternative: not do it with structural, but normal auth? Is there any characteristi, eg EE subgroup, setting this person sparz, so you could use it in P_ORGIN. Can you assign a particular value to the Orgkey field (VDSK1) in IT0001 of that person to exclude it in P_ORGIN? Or do you use P_ORGXX and have a spare field.

Finally? There are always the BADIs, but seems too much vor just one individual

Kind regards

Sven

Show replies
Show replies
Former Member
‎10-07-2014 9:31 AM
0 Kudos

Hi Sven,

Thanks for your response.

The main issue is just there are 2 employees in that same Org unit.

However, only one employee is being displayed in PA20 object manager hit list.

ie Org unit 1000000 has employee 1 and 2..but in the hitlist only ee 1 is displayed.

Sorry to confuse.

Cris

former_member74904
Contributor
‎10-07-2014 1:42 PM
0 Kudos

Hi Crisostomo,

I think the way you're describing the issue is still confusing.

In your first description you mention that you want line managers to not display employee 100.

In your reply to Sven Ringling you say only one employee is being shown in PA20.

Can you clarify the issue a bit more?

Ask a Question