10-31-2006 10:35 PM
I have a Scenario where I want some users to see some fields (X, Y, and Z) on infotype 0002 but I also want other (different) users to see ONLY one field (let say X). SAP doesnt support field-level security and I am not sure how to solve this issue? I thought about givin users authorization to read infotype 0002 and hide sensitive fields but the problem with this approch hidden fields will effect all users. I don't know what to do about some users who want to view this sensitive fields (manager for examples).
Thanks for your help
11-01-2006 6:14 AM
Yes, you are right SAP does not provide field level security. We had a simillar issue when we wanted to hide the SSN field in some screens. We cannot have a security solution here.
11-01-2006 10:16 AM
Hi,
have a look at IMG (transaction SPRO)
[Personnel Management][Personal Administration][Customizing User Interface][Change Screen Modifikations]
There you could use your own feature (and also own coding) to display different screens.
I have used this to disable some fields depending on the role of an user.
Hope this helps.
Regards
Bernd
11-10-2006 2:04 PM
hi , follow the link, it talks about custom developed auth objects which can solve ur problem.
OR try using transaction variant Tcode- SHD0
with this u can specify field statuses for individual screens.
especially considering u want restrictions that affect only to particular group
of users.
hope it helps.
11-11-2006 8:25 AM
Hi
Sorry, but I do not think that Context Solution, nor the screen modification will solve your Issue.
The Context solution deals with the integration of structural authorization in the standard authorization concept. But P_ORGINCON still only deals with access on infotype level, not field level.
Modifying the screen, can help to some extend (in PA20, PA30), but the users will still have access in e.g. search help, reports etc. Here you could of course limit the access to infotype 0002 in search help, by avoiding giving access to search help (No 'M' Access), unfortunately, by doing this, the users won't be able to search on employee name , Further more you should thoroughly test all granted report to make sure that they wont contain access to the field you want to protect.
If this requirement is an absolute must, you need to modify the standard authorization checks. I have never tried this, but my guess is that you should/could look at can the include MPPAUTZZ.
Regards
Morten Nielsen