08-13-2009 11:52 AM
Good day,
Can you kindly suggest solutions to the following?
Users with access to IT0008 can view basic pay across company codes. Iam using user groups for restriction per company code and PD Profiles for structural authorisations - there is also a restiction on personnel areas for the company code in the role in which IT8 is allocated...
Can you advise how i can restrict IT8 access for users across sites/company codes?
Thanks have a lovely day!
08-14-2009 8:12 AM
Could you maybe explain a little more what the setup of your company is? The P_ORGIN authorization object would allow you to control infotype 0008 on a personnel area level and although my experience with HR authorizations is fairly limited I would imagine that a personnel area might be more or less the same as the company code.
Best regards,
Anders
08-14-2009 8:12 AM
Could you maybe explain a little more what the setup of your company is? The P_ORGIN authorization object would allow you to control infotype 0008 on a personnel area level and although my experience with HR authorizations is fairly limited I would imagine that a personnel area might be more or less the same as the company code.
Best regards,
Anders
08-14-2009 10:19 AM
Hi Anders,
Thank you for the reply,
We are using HR structural authorisations with context solution P_ORGINCON, we have a HR Organisational based structure - where roles and PD profiles are linked to postions (PD Profiles are per company code as well nd linked to IT1017 on object S)... That is correct In our HR enterprise structure the personnel area is a breakdown of the section/s within a company code.
My roles have the personnel area restriction specified however when using Ad hoc query it is still allowing cross company access on it8. is there perhaps an object that is allowing this access we are not using object S_QUERY at this stage. could P_ABAP be allowing this access?
08-14-2009 11:03 AM
Hi,
Most of the HR ad hoc queries works on P_ABAP, however a trace will show you exactly what object is checked. Also queries reads data directly from tables. if the user has read access on authorization group related to your query then he can list down the entire information.
Regards,
Gowrinadh
08-14-2009 1:21 PM
Hello again, as Gowrinadh suggests you might want to trace the authorization checks on the problematic query. You can do this with ST01, where you set trace on, choose authorizations for a specific user, have the user run the report and then set trace off and analyze the results.
Best regards,
Anders