on 04-29-2015 1:17 PM
Hello everyone,
as part of our authorization concept, we are using the field PERSG in authorization object P_ORGIN (and P_ORGINCON) to determine whether a user has access to the infotypes of a given employee.
In the current example, the user may access employees with a personnel group (PERSG) '1' - '9', but not 'M', because our PERSG 'M' stands for 'manager', so his P_ORGIN and P_ORGINCON are restricted to PERSG BETWEEN '1' AND '9'. Basically, this works nicely.
However, there are cases in which an employee is promoted to manager level. His former PERSG in infotype 0001 is '1', but beginning from a certain date, his PERSG changes to 'M'. The autorization system now lets the user still see the former periods of time of this employee during which his PERSG was still '1', even though now he is 'M'. I understand that this is correct system behavior as SAP designed it. However, in our case it is undesired by the management. Once an employee has been promoted to PERSG 'M', none of his infotype periods should be visible to any user who does not have the 'M' authorization level.
Is there a way to achieve this?
Hello Jens,
yes, it is standard time logic in HR authorization (see note 2054808's attachment). You can implement HRPAD00AUTH_CHECK/BAdI HRPAD00AUTH_TIME to bypass it.
Cheers
Eva
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Eva,
thank you very much, that appears to be the right track already. Trouble is, HRPAD00AUTH_TIME is very poorly documented. It has two methods "CONSIDER_SY_DATUM_EXIT" and "BEGDA_ENDDA_COMPARE_EXIT" which have documentations of their own.
My other hope was note 570161, but the BADI HRPAD00CHECK_TIME which is referred to there does not seem to exist in our release anymore, so I assume it is obsolete.
Do you happen to know anything more about the BADI that would make its usage for my purpose more transparent?
The table is T582A which is the infotype table.
I found this interesting link:
Apparently, as per this link, HRPAD00CHECK_TIME cannot be used if custom time dependent logic is dependent on employee group (PERSK) as is in your case.
Hello Donnie,
I think there is a small misunderstanding here. Time logic is ment to describe how the authorization check works for an administrator if an employee has an organizational change. This can be PERSK, or PERSG or any other P_ORGIN relevant field from IT0001. For this case there is a standard time logic delievered (see note 385635). If you want to change it you can use HRPAD00AUTH_TIME.
The author in this documentation you copied here ment "PERSK dependent time logic"! Which is not the case here.
Cheers
Eva
Thank you very much. That pretty much explains it. So the mistakes are on SAP's side (wrong table name in the documentation of method CONSIDER_SY_DATUM_EXIT in interface IF_EX_HRPAD00AUTH_TIME and repeatedly wrong BADI name in "Symptom"-section of note 570161). Sad that they never cared to fix this.
Unfortunately, it seems as if HRPAD00AUTH_TIME will not do for me, because the logics I described is only desired for the personnel group (PERSG), not e.g. for the personnel area (PERSA). We do not want a user who may see e.g. personnel area Z001 to be able to view the employee data from the time when the target employee belonged to a different personnel area. In other words, as far as the personnel area is concerned, we need the SAP standard time logics.
I understand that this can onyl be implemented using the big BADI HRPAD00AUTH_CHECK, which is a risky thing to do. We will now ponder our options.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
107 | |
12 | |
11 | |
6 | |
5 | |
4 | |
4 | |
3 | |
3 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.