Skip to Content
author's profile photo Former Member
Former Member

Restrict HR admin from viewing another HR admins infotypes

Posted on Jun 28, 2008 at 04:23 AM 11 Views

Hi

How can I restrict one HR admin from viewing the basic pay of his college? Should I implement an user exit so everytime a pa30 is executed, i remove all pernrs from my org unit? Please help...

Thanks

Security
Add comment
10|10000 characters needed characters exceeded

3 Answers

  • author's profile photo D. van Heumen
    D. van Heumen
    Posted on Jun 28, 2008 at 08:18 AM

    should the HR admin be able to view the basic pay of others than his colleague?

    if he's only allowed to see his own and not for anyone else, you should exclude infotype 8 from all P_ORGIN objects and only use P_PERNR like this:

     
AUTHC = M, R
PSIGN = I
INFTY = 0008
SUBTY = *

    Edited by: Dimitri van Heumen on Jun 28, 2008 10:19 AM

    Add comment
    10|10000 characters needed characters exceeded

    • D. van Heumen Former Member
      Jun 29, 2008 at 08:29 AM

      in order to avoid using structural authorizations, I would suggest restricting access through the enterprise structure. perhaps it is possible to differentiate between all employees and your team using the organizational key (VDSK1) in P_ORGIN?

      in this case you could include the position number for example into the org. key and through this exclude them from access without delimiting the edit/view functionality for other employees.

  • author's profile photo Former Member
    Former Member
    Posted on Jul 31, 2008 at 04:49 AM

    Hi Dimitri,

    Looked around and tried a few options, nothing really solves the problem without structural auths. Using orgkey, I will end up building a role for each hr admin. sounds like fun..eh.

    Add comment
    10|10000 characters needed characters exceeded

  • author's profile photo Dianne Wheeler
    Dianne Wheeler
    Posted on Aug 04, 2008 at 02:10 AM

    Hi there,

    I saw you have closed this post, but I thought I'd see if I could add to it anyway.

    One I've seen implemented is to have a user exit that, every time a transaction that checks HR info is run, checks the value of field PA0001-SACHA. If the field is populated, then the user exit is called and depending on the values, will or will not show HR related information. e.g.

    HR manager has H1, HR team have H2, regular employee has blank.

    If the HR team goes to look at an employee, it checks to see if the employee has anything populated. If there's nothing, it goes ahead. If the field has something in it (H1 or H2) then the check looks to see what the HR team member has. If that member has H2, it will fail.

    then...

    If the HR manager goes to look at an employee the checks pass for the employee, if it looks at another HR team member, then there is a check to see if the field is populated. If the field is, it checks what the HR manager has against their personnel record (H2). users with H2 can see the values.

    I've also read something once where they solved this using structural authorisations and wrote a structural auth function module that, after running and building the structural authorisation listings, it completes a removal of specific (HR team related) objects from the lists via the customised FM.

    http://sap.ittoolbox.com/groups/technical-functional/sap-security/view-the-whole-org-but-not-hr-912916 is where I read about this.

    I know you can also use context sensitive HR auths depending on your SAP version.

    Good luck,

    Cheers,

    Dianne

    Add comment
    10|10000 characters needed characters exceeded