P_ORGINCON authorization problem in PA20

Former Member
0 Kudos

We are implementing context-sensitive roles using P_ORGINCON and are encountering a problem with PA20. When a user is granted authorization to PA20 in a role, the system is correctly providing access to the infotypes specified in P_ORGINCON for the specified authorization profile. However, if a user has additional infotype access given by P_ORGINCON in a separate role which does not include PA20, those additional infotypes are now available to the user in PA20. For example, access to infotype 0008 is given in a reporting role so the EEO-4 report can be run. The user can correctly run the EEO-4 report, but now can also see IT0008 in PA20 even though IT0008 was not specified in the security role for which PA20 is a listed tcode. What is making PA20 provide 'cumulative' infotype access beyond what is specified in the PA20 role?

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

This is standard SAP functionality for both P_ORGIN and P_ORGINCON.

You can try to address the access issue another way. For example, with object P_ABAP you can switch off the authorization check for a particular report; then you can restrict access to IT 0008 for the user completely.

Cheers

Former Member
0 Kudos

Thank you very much. I'd just like to clarify the standard functionality, is the following correct: P_ORGINCON will accumulate all infotype access (for the personnel specified in each authorization profile) granted in all roles assigned to the user. Is this accumulated infotype access available in all transactions or are some transactions limited to only the infotypes/structure specified in the role that provided the tcode authorization?

Thank you for the suggestion of P_ABAP. Is it safe to assume that opening up (using *) will only expand the user's infotype access for the listed programs (reports)? If so, that will definitely help our situation.

Former Member
0 Kudos

Hi,

Yes, your understanding is correct. SAP treats authorization by objects, not by roles. For example, to check whether a user has access to a certain transaction it reads all S_TCODE (P_TCODE) objects and, if the transaction is there, grants access; in the next step, to read data, SAP reads all P_ORGINCON objects and, if the access rights are there, grants access to the data. So it is accumulating access rights by authorization object.

With P_ABAP the full access will only be given to the report specified in the object; all other reports will follow the standard authorization procedure.

Cheers
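A simplified model of the behaviour described in this thread, added here as an illustration and not code from SAP or from any poster: authorizations are pooled per object across all of a user's roles, so a P_ORGINCON authorization for IT0008 in a reporting role is visible to PA20, while a P_ABAP authorization (COARS = 2) switches the HR data check off for one named report only. The role names, the profile value HR_ADMIN and the report name ZEEO4_REPORT are constructed placeholders.

```python
# Constructed roles. Each role is a list of (object, authorization) pairs, where an
# authorization is a dict of field -> allowed values (a simplified view of the real fields).
ROLES = {
    "Z_HR_ADMIN": [  # the role that lists PA20 as a tcode
        ("S_TCODE", {"TCD": {"PA20"}}),
        ("P_ORGINCON", {"INFTY": {"0001", "0002"}, "PROFL": {"HR_ADMIN"}}),
    ],
    "Z_HR_REPORT": [  # separate reporting role without PA20, granting IT0008 via P_ORGINCON
        ("S_TCODE", {"TCD": {"SA38"}}),
        ("P_ORGINCON", {"INFTY": {"0008"}, "PROFL": {"HR_ADMIN"}}),
    ],
    "Z_HR_REPORT_PABAP": [  # the P_ABAP alternative: no IT0008 in P_ORGINCON at all
        ("S_TCODE", {"TCD": {"SA38"}}),
        ("P_ABAP", {"REPID": {"ZEEO4_REPORT"}, "COARS": {"2"}}),  # ZEEO4_REPORT is a placeholder
    ],
}


def effective_auths(user_roles, obj):
    """All authorizations for one object across every role assigned to the user.
    SAP evaluates by object, not by role, so this is simply the union over all roles."""
    return [auth for role in user_roles for o, auth in ROLES[role] if o == obj]


def matches(auths, **wanted):
    """True if any single authorization satisfies every requested field value."""
    return any(all(val in auth.get(field, set()) for field, val in wanted.items())
               for auth in auths)


def can_display_infotype(user_roles, tcode, infty, profl="HR_ADMIN", report=None):
    # Step 1: the transaction start check reads every S_TCODE authorization the user holds.
    if not matches(effective_auths(user_roles, "S_TCODE"), TCD=tcode):
        return False
    # P_ABAP with COARS=2 switches the HR data check off, but only for the listed report.
    if report and matches(effective_auths(user_roles, "P_ABAP"), REPID=report, COARS="2"):
        return True
    # Step 2: the data check reads every P_ORGINCON authorization, whichever role supplied it,
    # so infotype access granted in the reporting role also shows up in PA20.
    return matches(effective_auths(user_roles, "P_ORGINCON"), INFTY=infty, PROFL=profl)
```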

Answers (0)