Skip to Content
avatar image
Former Member

Excessive Access to Infotypes.

Hi all, greatly appreciate if someone can advice on a situation i encounter.

Setup. I have setup a role with Access to Employee Group 1-3 (excluding 0).

I then assign this role to a User A.

User A tries to access Employee ZZ whereby Employee ZZ has the following records in IT0001 (Org Assignment).

Ascending Order

01.01.1999 to 31.12.2003 (Employee Group = 3)

01.01.2004 to 31.03.2009 (Employee Group = 3)

01.04.2009 to 31.12.9999 (Employee Group = 0)

As you can see, the latest record points to EE group 0, which User A does not have access to.

Now User A tries to access a Customised Infotype 9xxx of this Employee ZZ with the following records;

01.01.2009 to 31.03.2009

01.04.2009 to 31.12.9999

My problem here is that based on IT0001 record, User A should not have access to employee ZZ based on the latest Org Assignment, and therefore should not be able to access IT9xxx of this employee ZZ. However User A is able to access BOTH records.

I then did a test, such that if i remove '3' from the role (meaning it's left with 1-2 EE group access), User A will then be restricted from viewing the record.

Is there any setting i can do to prevent such access? My understanding is that at the very most, User A should see only the earlier record of 9XXX but why is the latest record (01042009 to 31129999) showing as well ?

Baffled about, this. Hope someone can enoighten.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    Jul 10, 2009 at 04:14 PM

    Please go to view V_T582A for custom infotypes 9xxx, and make sure field 'Access auth.' is check marked. If you don't have this set for the infotype, user will still have access to these infotypes even if the ee already moved out of the org the user has acces to.


    Add comment
    10|10000 characters needed characters exceeded

    • Please check what the tolerance time for authorization check in your system is set in your system (tcode 'OOAC', semantic 'ADAYS'). This setting allows user with access to employee's old org to still be able to access x number of

      days after the ee moves out of the org .