on 10-02-2014 11:34 AM
Hi Gurus,
Good day.
We have an issue on Structural Authorization.
Our setup:
In Tcode OOSP
Auth. Profile No Plan Vers. Obj. Type Object I Maint Eval Path Status vec
ZHRLINE100 5 1 O 100000 X O-O_DOWN 12
ISSUE: There's a staff (ie pernr 100) under an OU (ie 100020) that is also under the main OU 100000 that they dont want to display.
Since all the profiles are using the above setup in OOSP they were able to see in PA20 staff 100.
Is there a way in Structural authorization to prevent all line managers from seeing the record of staff 100?
Thanks.
Cris
Hi Dimitri,
If i enter the pernr in PA20 the record is not being displayed for employee 2 all blanks.
But for employee 1 i can see the record in PA20.
thanks.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Crisostomo Ibarra,
My guess is that PERNR 2 have corrupted data or it's relationship to the Org Unit has been delimited already.
But to answer your original question:
'Is there a way in Structural authorization to prevent all line managers from seeing the record of staff 100?'
Delete the line with the '1000000' org unit and configure the structural authorization profile with all the 'child' org units of 10000000 instead BUT exclude OU '10000020' - or the org unit where the employee you want to exclude belongs.
The new profile can look like the ff: The object ids are the 'child' OUs of OU 10000000.
Auth. Profile No Plan Vers. Obj. Type Object I Maint Eval Path Status vec
ZHRLINE100 5 1 O 100010 X O-O_DOWN
ZHRLINE100 6 1 O 100030 X O-O_DOWN
ZHRLINE100 7 1 O 100040 X O-O_DOWN
PS. I like your user name.
Cheers
Stephen
Apologies for any confusion.
As we progress on this is it quite a bit confusing.
To summarize, we have the below setting for structural auth:
In Tcode OOSP
Auth. Profile No Plan Vers. Obj. Type Object I Maint Eval Path Status vec
ZHRLINE100 5 1 O 100000 X O-O_DOWN 12
When user with this profile execute PA20, in search help Org assignment tab we enter the org unit of employee 1 and 2 (they both belong to same OU under mother OU 100000). However, only employee 1 record is being displayed in the hit list. (this happens to all line managers with the same profile). The other employee 2 is not being displayed.
Hope this gives more clarity.
Thanks.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Crisostomo,
First, would you mind trying to change the evaluation path to O-O-S-P and see if the employee of the subordonate OU is being displayed then?
Also, you mention that the employee is not being displayed in the hitlist (F4) of PA20's search. If you enter the corresponding PERNR directly in PA20, are you able to display any infotype of this employee?
Good luck!
Dimitri.
Hi,
this is weird. O-O_DOWN should not give users any access to any people. Just to Orgunits. Or have you changed O-O_OUT? .Are you sure you have structural authorisation for employees and OM-Integration switched on?
What is the value for the following T77S0 entries:
AUTSW - ORGPD
PLOGI - ORGA
Are the two employees assigned to a position in OM or is the position or orgunit just captured in infotype 0001?
Or do these users have any further structural profiles apart from O-O_DOWN?
Are you sure structural authorisation is the problem?
Dimitri's suggestion of using the proper evaluation path may solve your problem. Please try that.
But that still leaves you with the problem, why, without using teh right authorisation path one personnel number was visible.With standard O-O_DOWN, you should see no employees at all.
many possible reasons - if integration and structural auth are activated propely, data is most likely. Please check both emplyees are really assigned with teh right relationships at teh right point in time.
kind regards
Sven
Hi,
Just to clarify:
It is just this one individual you don't want to be seen?
You could use the exclude option in struct auth from his position, but "exclude" has been a bit arbitrary in the past, so I avoid it. But do try.
Alternative: not do it with structural, but normal auth? Is there any characteristi, eg EE subgroup, setting this person sparz, so you could use it in P_ORGIN. Can you assign a particular value to the Orgkey field (VDSK1) in IT0001 of that person to exclude it in P_ORGIN? Or do you use P_ORGXX and have a spare field.
Finally? There are always the BADIs, but seems too much vor just one individual
Kind regards
Sven
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
94 | |
11 | |
11 | |
6 | |
6 | |
4 | |
3 | |
3 | |
3 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.