
How SAP evaluates an authorization object with several instances

Former Member
0 Kudos

Hi,

I would like to know how SAP evaluates authorizations when the user has several instances of the same authorization object (in my case P_ORGIN) with different values.

For example: I need users with this role to have access only to infotypes 0001, 0002 and 0006, and only for those employees of personnel area "PA01".

So I add two instances of the P_ORGIN object, one filling the "personnel area" field with the value "PA01" and the other filling the "Infotypes" field with the values "0001, 0002 and 0006". The other fields are filled with '*'.

But with this configuration, I have access to all infotypes of employees in area "PA01" and access to all employees in the system for infotypes "0001, 0002, 0006".

I know that the best way to solve my problem is merging the two instances into only one. But what I would like to know is how SAP evaluates authorization objects, because if I'm trying to access infotype 0002 for an employee of area "PA02", it's OK for the second instance of the authorization object but not for the first one (because the user doesn't have access to personnel area PA02).

I believed that SAP joins all instances and creates a new, more restrictive instance (in my case the join of the two instances would result in access to infotypes 0001, 0002 and 0006 but only for employees of area PA01), but how does SAP actually deal with these kinds of situations?

Thanks in advance

1 ACCEPTED SOLUTION

Former Member
0 Kudos

As far as I know, particular fields of authorization object P_ORGIN are considered separately depending on the step of HR data maintenance. After the user has entered a personnel number for an HR data maintenance transaction, the system checks whether the user has the relevant authorization for the person. At that time, authorization-related fields in the infotype Organizational Assignment (0001) are checked (Personnel Area, Employee Group, Employee Subgroup and Organizational Key). After you have entered the infotype/subtype and specified the action, the system checks if you have the authorization for the infotype/subtype needed to perform the action.

The following combination of values in P_ORGIN auth object:

INFTY=0001, 0002, 0006

PERSA=*

gives a user authorization to access infotypes 0001, 0002, 0006 for all employees, while combination:

INFTY=*

PERSA=PA01

lets the user maintain all infotypes for employees assigned to personnel area PA01 only. But if you assign them both, they will be able to access all infotypes for every employee. In terms of logic, the system makes a logical disjunction of the two sets of authorizations.

Regards,

Renata
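
The behaviour reported in the question, as an added example that is not part of the original thread and not SAP's code: a simplified Python model in which all fields of one authorization must match (AND) and any one matching authorization of the object is enough (OR). Only the INFTY and PERSA fields from the thread are modelled; infotype 0008 is a constructed sample value and all function names are hypothetical.

```python
# Simplified model (assumption): an authorization is a dict mapping
# field name -> set of allowed values, where "*" matches any value.

def field_matches(allowed, value):
    return "*" in allowed or value in allowed

def authorization_matches(auth, request):
    # Inside ONE authorization every checked field must match (logical AND).
    return all(field_matches(auth.get(f, set()), v) for f, v in request.items())

def is_authorized(authorizations, request):
    # Across authorizations of the same object, one full match suffices (OR).
    return any(authorization_matches(a, request) for a in authorizations)

# The two P_ORGIN instances from the question.
SPLIT_ROLE = [
    {"INFTY": {"0001", "0002", "0006"}, "PERSA": {"*"}},
    {"INFTY": {"*"}, "PERSA": {"PA01"}},
]
# The single merged instance the asker actually wants.
MERGED_ROLE = [
    {"INFTY": {"0001", "0002", "0006"}, "PERSA": {"PA01"}},
]

def excess_grants(actual, intended, infotypes, areas):
    """List (INFTY, PERSA) pairs the actual role grants beyond the intended one."""
    excess = []
    for infty in infotypes:
        for persa in areas:
            request = {"INFTY": infty, "PERSA": persa}
            if is_authorized(actual, request) and not is_authorized(intended, request):
                excess.append((infty, persa))
    return sorted(excess)

if __name__ == "__main__":
    # Constructed test grid: the three wanted infotypes plus one unwanted (0008),
    # and the wanted personnel area plus one unwanted (PA02).
    grid = (["0001", "0002", "0006", "0008"], ["PA01", "PA02"])
    for infty, persa in excess_grants(SPLIT_ROLE, MERGED_ROLE, *grid):
        print(f"over-granted: INFTY={infty} PERSA={persa}")
```

Running the same comparison over a role's real field values is a quick way to spot authorizations that were split across instances when a single combined instance was intended.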

2 REPLIES

0 Kudos

OK,

that's what I'd thought about the topic.

Thank you very much.