Skip to Content
author's profile photo Former Member
Former Member

Evaluation Paths in MSS backend security role

Hi all,

we are in the process of building back end security roles for the managers. Currently we have custom evluation paths to determine who the manager can view through MSS.

Manager can view employees reporting to him S-S relationship 0002.

I want to know as to how we can ensure that a manager who has access to PA30 in the back end can only view employees information that report to him through this evulation path ( B002) and no tbe able to view any other employees information?

How can we ensure that the manager only view employee reporting to him via B002 relationsip and no other employees information in the same area subarea etc

regards

Raj

Add a comment
10|10000 characters needed characters exceeded

Related questions

2 Answers

  • Posted on Jun 14, 2008 at 09:55 AM

    Hello Raj,

    you need so called Structural Authorizations to accomplish your requirenment. But be aware this has a direct effect on your entire HR-based Authorization concept in your company if you switch it on!

    To activate Structural Authorizations call transaction OOAC and set the switch for ORGPD to a proper value which does meet your needs. (See http://help.sap.com/erp2005_ehp_03/helpdata/EN/c7/4aba3b3bf00152e10000000a114084/frameset.htm) If it is already set to a value <> 0 is is already activated.

    The next thing you need to do is to maintain your Manager Role. The authorization object in question is P_ORGIN. If you want for instance to give a user read access to Infotype 0001 of another person you provide the following values:

    - AUTHC: R

    - INFTY: 0001

    - PERSA: *

    - PERSG: *

    - PERSK: *

    - SUBTY: *

    - VDSK1: *

    If you would stop here, every user would have access to Infotype 0001 of any other Person in your company. But as you want to restirct the access to just persons which lay within you evalution path B002, you have to maintain tables T77PR and T77UA.

    T77PR: Create a Profile (e.g. name it My Team or something) and add the following values: http://help.sap.com/erp2005_ehp_03/helpdata/EN/34/49ba3b3bf00152e10000000a114084/frameset.htm

    - Planversion: 01 (most likely)

    - Object Type: O

    - Evalution Patch: <Hint> You cant use B002 directly as B002 just give objects of type O back, but you need object of type P. Use SBES for instance.

    - Status Vector: 12

    - Depth: 0

    - Function Module: RH_GET_ORG_ASSIGNMENT (Gives you the root object where to start the evaluation with path SBES.

    Now you need to assign your users (in your case your managers) to this profile. Use table T77UA to do this.

    Thats it

    regards

    Markus

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Jun 16, 2008 at 04:45 PM

    Markus,

    thanks for this detailed information. I haven't tried this but am pretty sure that this will surely work

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.