Skip to Content
avatar image
Former Member

Security on Qualification Object

I have a requirement to set up security for qualifications such that all qualifications (Q) within a particular qualification group (QK) be visible to the employee who holds the qualification so that they can add, modify and delete qualifications in this group through ESS. That part is standard. The tricky part is that managers should NOT be able to see that their employees hold qualificaitons from this qualification group. Managers must be able to see all other qualificaitons the employee holds, just not any from that qualification group. All other qualification groups must function as normal where a manager may view, update, modify and delete their employees qualifications through MSS.

More information that may or may not be useful. We are deploying the standard delivered qualification managed tools through ESS and MSS that allow an employee to add, modify and delete their own qualifications and also allows managers to do the same. Qualification groupings (QK) are objects stored in HRP1000 and they are related to employees through HRP1001. Also, I am almost completely unfamiliar with how security is done in SAP. Thank you I appreciate any help that can be provided.

Whitney

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

3 Answers

  • avatar image
    Former Member
    Jun 21, 2010 at 10:01 PM

    Hi Whitney,

    Make sure to create qualification tasks in such a way that it does not get included in the Qualification catalog before creating the profile which will be assigned to the Employees Manager.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jun 21, 2010 at 11:01 PM

    Whitney,

    Let say you have User1 to User3.

    Qualigication: Q1 to Q20

    Qualification group: group1 to group5

    Group1 : Q1 to Q5

    Group2 : Q6 to Q7

    group3: Q8 to Q14

    Let stay

    User 1 will be able to see group1

    User 2 will be able to see group2

    user 3 will be able to see group3

    Now manger will be able to see

    Manager will be able to see : Q15 to Q20

    So you can restrict on P_ORGIN

    User 1 will get group1 access:

    Infotype : Enter your infotype

    Subtype: Subtype

    Authorization Level : W

    Personnel Area

    Employee Group: group1

    Employee Subgroup

    Organizational Key

    Manager will get:

    Manager will get access to Q15 to Q20:

    Infotype : Enter your infotype

    Subtype: Subtype

    Authorization Level : W

    Personnel Area

    Employee Group: Q15 to Q20

    Employee Subgroup

    Organizational Key

    Thanks,

    Sri

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Sep 16, 2010 at 04:44 AM

    Hi,

    Use context sensitive authorisations P_ORGINCON (switch on in tcode OOAC).

    AUTSW INCON 1

    Create structural profile (OOSP) which returns employees of manager and all Q objects what manager should see from his/her subordinates. nnnnnnnn refers to the Qualification Group (QK) which has the qualifications manager should be able to see. Make also sure that all employees and managers have their infotype 0105 subtype 0001 mapped to their user id.

    <your manager profile>|10|01|O | |X|O-O-S-P |12| | |D|RH_GET_MANAGER_ASSIGNMENT

    <your manager profile>|20|01|QK|nnnnnnnn| |QUALCATA|12| | | |

    Then assign that to manager user-id (OOSB) and add this object P_ORGINCON to manager role (PFCG):

    AUTHC: R

    INFTY: 0024

    PERSA: *

    PERSG: *

    PERSK: *

    SUBTY: *

    VDSK1: *

    PROFL: <your manager profile>

    99% of the companies use the "new" assignement of qualifications to employee using relationships (infotype 1001 between objects Q and P). But still authorisation to see which qualifications can be seen is depending on infotype 0024 authorisations. In the future also PLOG_CON object can be used to achieve this but it is not currently supported...

    Regards,

    Saku

    Add comment
    10|10000 characters needed characters exceeded