cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP HCM - Payroll Officer from new Personnel Area can see past salary in old Personnel Area.

former_member80091
Discoverer

on ‎08-04-2020 8:03 AM

0 Kudos

Hi all experts,

I have two Single Roles restricting the view of Payroll Officer on Employee Data, using the Authorization Object (P_ORGIN).

- Role_2000 will be used for Personnel Area 2000.

- Role_2001 will be used for Personnel Area 2001.

With these role, Payroll Officer from Personnel Area 2000 cannot see any employee in Personnel Area 2001 and vice versa.

However, when an employee transferred from 2000 to 2001, the Payroll Officer in 2001 can see all the data of this employee, even the past (when working in 2000), and this violate the Confidential Protocol of customer.

Does anyone have the idea how can we restrict the permission in this case? Means that Payroll Officer in Personnel Area 2001 should only read the data from the date that the employee move to 2001.

Thank you very much,

Hieu

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

TammyPowlas
Active Contributor
‎08-04-2020 9:00 AM
0 Kudos

Hello Hieu - I recommend running an STAUTHTRACE on Payroll Officer in 2001 to see what authorization objects are available to you to restrict. It could be one of the roles has a display all on personnel area. But the security trace will tell you the specific details for sure

Show replies
Show replies
former_member80091
Discoverer
‎08-04-2020 10:05 AM
0 Kudos

Hi Tammy,

Thanks for your help.

The Authorization Object I created as below:
P_ORGIN

-- INFTY *

-- SUBTY *

-- AUTHC R

-- PERSA 2000 (2001)

-- PERSG *

-- PERSK *

-- VDSK1 *

I've run the STAUTHTRACE and see a lot of successful record showing the P_ORGIN, with 2000 and 2001 in the field VDSK1.

Then I tried to changed the VDSK1 value to 2001 (cannot see 2000 as I thought). Then the Payroll Officer in 2001 cannot even see the transferred employee (still can see other employee in 2001). I check the STAUTHTRACE again, and all the record are unsuccessful, with only 2000 in the VDSK1.

What is the value that supposed to put in VDSK1 for this case?

Regards,

Hieu

TammyPowlas
Active Contributor
‎08-04-2020 10:24 AM

Hi Hieu - it depends on how you are set up - see blog re: VDSK1 https://blogs.sap.com/2013/10/29/configuring-feature-vdsk1-for-organizational-key-in-infotype-0001/

former_member80091
Discoverer
‎08-07-2020 8:19 AM
0 Kudos

Hi Tammy,

Thanks for the post.

Seems like the value VDSK1 is not changed when employee transfer to new Personnel Area.

Do you know how to solve this?

Regards,

Hieu

Ask a Question