Skip to Content
0
Former Member
Jun 19, 2015 at 02:22 PM

How does SAP evaluate (PFCG) Authorizations when used in conjunction with other single role(s)?

193 Views

I have created a new SAP Authorization role (Role-1) via PFCG, which allows the user only to View/ Display all countries’ data of 3 InfoTypes only (Actions (0000), Org Assignment (0001), Pers. Data(0002)). The user also has an Existing role (Role-2) which allows him to access and CHANGE all records including Basic Pay records of UK only.

While testing when I use Role-1 on its own, it works perfectly (Displays only IT 0000, 0001, 0002 data, Basic pay data is not displayed in any SAP reports). When I use it in conjunction with Role-2, it works well under PA screens (displays Basic Pay records of UK only).

However when I run SAP reports, Basic pay records of not only UK but all countries are pulled through.

Also, under PPOME, the user is able to delete some Non-UK positions, OrgUnits and relationships if there are no employees assigned to them.

The Authorizations of both the roles are as below:

Role-1:

HR: Master Data

Authorization level M, R

Company Code *

Infotype 0000, 0001, 0002

Personnel Area *

Employee Group *

Employee Subgroup *

Subtype *

Organizational Key *

Role-2 (Existing):

HR: Master Data

Authorization level *

Company Code UK

Infotype *

Personnel Area UK

Employee Group *

Employee Subgroup *

Subtype *

Organizational Key *

I would ideally want the user not to be able to view any non-UK Basic Pay records and also not be able to touch the Non-UK OrgStructure at all. How does SAP evaluate these roles, when used together?

Is there a hierarchy which is followed to evaluate the user’s access rights? Or is there a different Authorization that needs to be used for SAP reports? Or am I missing something?

Many Thanks,

Desma