07-30-2008 8:30 PM
Experts,
I am trying to restrict a user to only allow them to use certain data entry profiles. I have created authorization groups (spro>Cross-app components>Time Sheet>Settings for all User Interfaces>Authorizations>Create Authorizations for Data Entry Profiles) and assigned that authorization group to a data entry profile.
I created a new security role with transaction CAT2. For P_ORGIN assigned infotype 0316, and set subtype as the authorization group that I created.
When I try to run CAT2, the initial screen allows me to choose a data entry profile and personnel number. But when I click Enter Times (F5) to access the time sheet, I get the error message:
"No authorization for personnel number 00000137 using profile M_GEN on 16.07.2008
Message no. LR034"
In config for "Maintain Authorization Main Switches" and "Profile Generator" for CAT2, only P_ORGIN is being checked.
Any ideas why I can't maintain the time sheet when infotype 0316 and subtype is set?
07-30-2008 9:01 PM
Hi Steven,
I would suggest you have a look at the SU53 or ST01 auth check trace. That will help you a lot.
Just check the P_ORGIN and P_ORGXX field AUTHC, and verify that it has E and R in it.
Regards,
Zaheer
Edited by: Phoenix on Jul 30, 2008 1:01 PM
08-06-2008 1:53 PM
It is still not working. I checked SU53 and ST01, here are the results.
A check of SU53 says that "The last authorization check was successful"
The ST01 auth trace shows:
08:40:44:123|AUTH | - - - |S_TCODE RC=0 |TCD=CAT2;
08:40:57:993|AUTH | - - - |P_ORGIN RC=4
|INFTY=0000;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
08:40:57:1.0|AUTH | - - - |P_ORGIN RC=4
INFTY=0000;SUBTY=' ';AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
08:40:58:14 |AUTH | - - - |P_ORGIN RC=4
|INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
08:40:58:14 |AUTH | - - - |P_ORGIN RC=4
INFTY=0001;SUBTY=' ';AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
08:40:58:40 |AUTH | - - - |P_ORGIN RC=4
INFTY=0002;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
08:40:58:40 |AUTH | - - - |P_ORGIN RC=4
|INFTY=0002;SUBTY=' ';AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;
08:40:58:42 |AUTH | - - - |S_TCODE RC=4 |TCD=PR05;
Edited by: Steven R on Aug 6, 2008 3:39 PM
08-06-2008 3:47 PM
Can you please provide your role parameters for P_ORGIN?
Manually New HR: Master Data P_ORGIN
Manually New HR: Master Data T-DS46153900
Authorization level AUTHC
Infotype INFTY
Personnel Area PERSA
Employee Group PERSG
Employee Subgroup PERSK
Subtype SUBTY
Organizational Key VDSK1
08-07-2008 1:25 PM
Here are the details of my role authorizations
Changed HR: Master Data P_ORGIN
Authorization level AUTHC: E, R
Infotype INFTY: 0000-0002, 0007, 0315, 0316, 0328, 2001-2006, 2010
Personnel Area PERSA: *
Employee Group PERSG: *
Employee Subgroup PERSK: *
Subtype SUBTY: MA03
Organizational Key VDSK1: *
Inactive HR: Master Data - Extended Check P_ORGXX
Inactive HR: Master Data - Personnel Number Check P_PERNR (these were deactivated so I could isolate the problem and get P_ORGIN working with infotype 0316)
08-19-2008 8:35 PM
I figured it out. I was able to get Infotype 0316 to work with the P_PERNR object.
P_ORGIN and P_PERNR objects are switched on. Here are the details of my authorization role:
P_ORGIN
authc: E, R
infty: 000-0002, 0007, 0315, 2001-2006, 2010
persa: *
persg: *
persk: *
subty: *
vdsk1: *
P_PERNR
authc: E, R
infty: 0316
psign: I
subty: MA03
P_PERNR
authc: D, E, S, W
infty: 0316
psign: E
subty: MA01-MA02, MA04-MA08
What this authorization role does is restrict the user to only use Data Entry profiles with authorization group MA03. In addition, the P_PERNR checks against infotype 0105, subtype 0001 for an assigned username, so the user can only maintain CATS entries for that user.
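Added example, not part of the original thread or of any SAP code: a Python sketch that replays the failed P_ORGIN checks from the ST01 trace above against the two role definitions posted in the thread, to show which field blocked each check. The function names and the matching rule ('*' grants everything, 'A-B' is a range, anything else is an exact match) are assumptions, a simplified model rather than SAP's implementation; the trace lines are the thread's, with continuation lines joined.

```python
import re

# ST01 lines from the 08-06-2008 post, one per distinct check, continuation lines joined.
TRACE = """\
08:40:44:123|AUTH | - - - |S_TCODE RC=0 |TCD=CAT2;
08:40:57:993|AUTH | - - - |P_ORGIN RC=4 |INFTY=0000;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
08:40:58:14 |AUTH | - - - |P_ORGIN RC=4 |INFTY=0001;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
08:40:58:40 |AUTH | - - - |P_ORGIN RC=4 |INFTY=0002;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;
"""

# P_ORGIN values as typed in the 08-07-2008 post (failing) and the 08-19-2008 post (working).
COMMON = {"AUTHC": "E, R", "PERSA": "*", "PERSG": "*", "PERSK": "*", "VDSK1": "*"}
ROLE_FAILING = dict(COMMON, INFTY="0000-0002, 0007, 0315, 0316, 0328, 2001-2006, 2010", SUBTY="MA03")
ROLE_WORKING = dict(COMMON, INFTY="000-0002, 0007, 0315, 2001-2006, 2010", SUBTY="*")

def parse_trace(text):
    """Return (object, rc, {field: value}) for every AUTH line in an ST01 trace."""
    checks = []
    for line in text.splitlines():
        m = re.search(r"\|AUTH\s*\|[^|]*\|(\w+)\s+RC=(\d+)\s*\|?(.*)", line)
        if m:
            fields = dict(p.split("=", 1) for p in m.group(3).split(";") if "=" in p)
            # A quoted blank (SUBTY=' ') and an empty value both become "".
            fields = {k.strip(): v.strip().strip("'").strip() for k, v in fields.items()}
            checks.append((m.group(1), int(m.group(2)), fields))
    return checks

def value_allowed(value, granted):
    """Simplified match: '*' grants all, 'A-B' is a range, otherwise exact match."""
    for item in (g.strip() for g in granted.split(",")):
        lo, _, hi = item.partition("-")
        if item == "*" or item == value or (hi and lo <= value <= hi):
            return True
    return False

def blocking_fields(role, checked):
    """Fields of one traced check whose value the role does not grant."""
    return [f for f, v in checked.items() if f in role and not value_allowed(v, role[f])]

def explain(trace, role, obj="P_ORGIN"):
    """Map each failed check on `obj` (keyed by infotype) to the fields that block it."""
    return {c["INFTY"]: blocking_fields(role, c)
            for o, rc, c in parse_trace(trace) if o == obj and rc != 0}

if __name__ == "__main__":
    print("failing role:", explain(TRACE, ROLE_FAILING))
    print("working role:", explain(TRACE, ROLE_WORKING))
```

In this model the traced checks on infotypes 0000 to 0002 arrive with a blank SUBTY, which SUBTY: MA03 does not cover and SUBTY: * does; the subtype restriction for 0316 in the working setup sits in P_PERNR instead.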
02-14-2012 12:13 PM
Hi Steven,
I set up the authorizations exactly the way you mentioned, but was still not able to achieve the desired result.
I want to restrict the time sheet entry to own user ID only. Currently any user can access any other user's timesheet.
Your help will be greatly appreciated.
Thanks & Regards,
Preshit.