User is able to view/modify all the personnel numbers belonging to other personnel areas. Ideally, a user should be able to view/modify personnel area belonging to his personnel area only.
E.g A user id "TEST3" is having below authorizations:
Maint.: 0 Unmaint. org. levels 0 open fields, Status: Unchanged
|-- Manually Cross-application Authorization Objects AAAB
| --- Manually Transaction Code Check at Transaction Start S_TCODE
| --- Manually Transaction Code Check at Transaction Start T-QR54717800
| ------ Transaction Code PA20, PA30, SU53 TCD
--- Manually Human Resources HR
--- Manually HR: Master Data P_ORGIN
--- Manually HR: Master Data T-QR54717800
|----- Authorization level R AUTHC
|----- Infotype 0000, 0001 INFTY
|----- Personnel Area ET19 PERSA
|----- Employee Group 1 PERSG
|----- Employee Subgroup * PERSK
|----- Subtype * SUBTY
------ Organizational Key * VDSK1
User "TEST3" should be able to modify personnel details of "ET19" only, however user is able to change details in infotype 0008 of personnels belonging to other personnel areas (e.g. ET01, E006 etc) also. Please see the attached document.
This issue is happening with all the users. As per our observations, as long as user is able to execute pa20/pa30 and pb* tcodes , they are able view and modify details of personnel areas irrespective of personnel area assigned in "PERSA" field of auth object "P_ORGIN".
Email id: firstname.lastname@example.org