Former Member
Dec 09, 2009 at 11:24 PM

Excluded structural profiles in Context authorizations (P_ORGINCON)


I have working context authorizations using p_orgincon and using the BAdI HRBAS00_GET_PROFIL. I have recently tried to add another context authorization. (To simplify, I have made a hypothetical scenario.)

There are three structural profiles:

A. test_01: test_01 uses the top org unit, evaluation path O-S-P, no time limits and maint is not checked (the user should be able to see the

B. test_02 finds the current user's org unit and allows changes for all persons assigned to the current org unit, including the manager, who is a member of his org unit

C. xtest_03, which finds the person ID for the logged-on user. It is intended to be used with the parameter excluded (e.g. t77UA-excluded = "X") and should exclude the user from changing his own data.

The user role will contain two authorizations for p_orgincon:

1. Display all employees for a range of infotypes.

p_orgincon

Auth level R

Infotypes 0001 etc.

auth profile test_01 (A. above)

all other fields *

2. Change all the users in your own org unit

p_orgincon

Auth level W

Infotypes 0001 etc.

auth profile test_02 and xtest_03

all other fields *

The logic of the BAdI (as implemented) properly recognizes that xtest_03 is to be excluded and that is visible in HRAUTH.

The effect of this should be to prevent the assigned user from maintaining his own information. The context authorization is only limiting change access. The first authorization for p_orgincon above doesn't have any limitations.

The actual result is that the user can neither see nor change his own access. This is certainly the result one would expect without context authorizations but not with context authorizations.

The upshot is that structural profiles that exclude objects appear to work non-contextually.

Can anyone suggest what I may be doing wrong? (I have several more advanced scenarios that work perfectly in a contextual way, but when I add the exclude profile to any one of the authorizations it works completely non-contextually for the exclusion only.)
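
The scenario in the post, as an added example that is not part of the original post and is not SAP code: a small Python model contrasting exclusion applied per authorization (contextual) with exclusion applied across all authorizations (non-contextual). The person IDs, org data, function names and the rule that level W also satisfies R are assumptions of the model.

```python
# Constructed model of the post's scenario; all IDs and names are assumptions.
ALL_PERSONS = {"P_USER", "P_MANAGER", "P_COLLEAGUE", "P_OTHER_UNIT"}
OWN_ORG_UNIT = {"P_USER", "P_MANAGER", "P_COLLEAGUE"}

# Structural profile -> (persons it returns, excluded flag as in T77UA-EXCLUDED)
PROFILES = {
    "test_01": (ALL_PERSONS, False),   # A: whole structure
    "test_02": (OWN_ORG_UNIT, False),  # B: user's own org unit
    "xtest_03": ({"P_USER"}, True),    # C: the user himself, excluded
}

# The two P_ORGINCON authorizations in the role: (auth level, profiles)
AUTHS = [("R", ["test_01"]), ("W", ["test_02", "xtest_03"])]

def split(profile_names):
    """Return (included persons, excluded persons) for a list of profiles."""
    included, excluded = set(), set()
    for name in profile_names:
        persons, is_excluded = PROFILES[name]
        (excluded if is_excluded else included).update(persons)
    return included, excluded

def covers(auth_level, requested):
    # Model assumption: write authorization also satisfies a read request.
    return auth_level == requested or (auth_level == "W" and requested == "R")

def contextual(requested, person):
    """Exclusions count only inside the authorization that lists them."""
    for auth_level, names in AUTHS:
        included, excluded = split(names)
        if covers(auth_level, requested) and person in included - excluded:
            return True
    return False

def non_contextual(requested, person):
    """Exclusions from any authorization are removed from every authorization."""
    all_excluded = set()
    for _, names in AUTHS:
        all_excluded |= split(names)[1]
    for auth_level, names in AUTHS:
        included, _ = split(names)
        if covers(auth_level, requested) and person in included - all_excluded:
            return True
    return False

if __name__ == "__main__":
    for level in ("R", "W"):
        print(level, "P_USER contextual:", contextual(level, "P_USER"),
              "non-contextual:", non_contextual(level, "P_USER"))
```

In this model the contextual evaluation gives the result the post expects (own record readable but not changeable), while the non-contextual evaluation reproduces the reported result (own record neither readable nor changeable).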