Former Member

Question on backend MSS access clubbing with PA30 / PA20


I am facing a cross-pollination issue with MSS and PA30 / PA20. I have configured the MSS backend role with the bare minimum access it needs. MSS does read a lot of infotypes in the backend. Our roles are broken down by country, restricted by $PERSA.

Right now, I have created one MSS role unrestricted by $PERSA. Say I club this role with a restricted HR role (PA30/PA20): the infotypes maintained in the MSS role are now opened up. The only way out I can think of is breaking up the MSS role by country. This will reduce the $PERSA to only the country.

Could you please suggest if there is any way out or my understanding is correct?




1 Answer

  • Former Member
    Aug 23, 2011 at 03:06 AM

    To me this sounds like you need structural authorisations. Normally an MSS user has a lot of read access to all employees under him/her in the org. structure. If the same user gets access to PA20/PA30 in the backend, you still need to restrict the read access to the group of employees under the MSS user. This is where structural authorisations come into play. With them you can specify which employees from the organisational structure you should be able to view. Then you can use the P_ORGINCON authorisation object to say which infotype access you want to give for which organisational part.

    A quick run-through of the steps would be the following (please google more):

    1. Set authorisation switches for Structural authorisations and Context solution on - Tcode OOAC

    - AUTSW-INCON = 1

    - AUTSW-ORGPD = 1

    2. Create structural profile for Manager - Tcode OOSP

    - Create Auth. profile (for example ZMSS)

    - Maintain profile parameters something like this: ZMSS | 1 | 01 | O | | X | O-S-P | 12 | | | P | RH_GET_MANAGER_ASSIGNMENT

    3. Assign structural profile to your test user - Tcode OOSB

    - Assign structural profile ZMSS to your user with valid dates

    - Also assign structural profile ALL to your user to test PA20 access in context

    4. Amend your MSS role to include P_ORGINCON object - PFCG

    - Add object P_ORGINCON and copy all the values you currently have in P_ORGIN for the MSS role

    - To the new field PROFL add ZMSS

    5. Add another P_ORGINCON object to the role to work with PA20

    - First make sure your user has access to PA20

    - Copy the P_ORGINCON you created earlier but change PROFL to ALL and infotypes to 0001 and 0002 only.

    6. Now your user should be able to view the same information about his/her own employees as he can see in MSS right now, and only infotypes 0001 and 0002 for all other employees.

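Added example, not part of the original question or answer and not SAP code: a simplified Python model of why clubbing the two roles widens access under P_ORGIN, and how the P_ORGINCON setup from steps 4 and 5 ties each infotype list to a structural profile. The employee data, infotype 0008, the `US*` value, the PERSA `*` value on P_ORGINCON and all function names are constructed assumptions; the model evaluates each object on its own and does not model the OOAC switch interplay.

```python
# Simplified model (an assumption, not SAP code) of the HR master data check.
from fnmatch import fnmatchcase

# Constructed sample data: personnel number -> personnel area.
EMPLOYEES = {"1001": "US01", "1002": "US01", "2001": "DE01"}
# Constructed result of structural profile evaluation for one manager.
STRUCT_PROFILES = {"ZMSS": {"1001"}, "ALL": set(EMPLOYEES)}

def covers(auth, infty, persa):
    """All fields must match inside the same authorization instance."""
    return (any(fnmatchcase(infty, p) for p in auth["INFTY"])
            and any(fnmatchcase(persa, p) for p in auth["PERSA"]))

def p_orgin(auths, pernr, infty):
    # Any instance from any assigned role may grant; nothing ties it to a person set.
    return any(covers(a, infty, EMPLOYEES[pernr]) for a in auths)

def p_orgincon(auths, pernr, infty):
    # Context check: an instance counts only for persons inside its PROFL.
    return any(covers(a, infty, EMPLOYEES[pernr])
               and pernr in STRUCT_PROFILES[a["PROFL"]] for a in auths)

# P_ORGIN values: MSS role unrestricted by PERSA, HR role restricted to one country.
MSS_ROLE = [{"INFTY": ["0001", "0002", "0008"], "PERSA": ["*"]}]
HR_ROLE = [{"INFTY": ["0001", "0002"], "PERSA": ["US*"]}]
CLUBBED = MSS_ROLE + HR_ROLE  # the user holds both roles' authorizations

# P_ORGINCON values following steps 4 and 5 of the answer.
CONTEXT = [
    {"INFTY": ["0001", "0002", "0008"], "PERSA": ["*"], "PROFL": "ZMSS"},
    {"INFTY": ["0001", "0002"], "PERSA": ["*"], "PROFL": "ALL"},
]

def report():
    """Return (pernr, infotype, P_ORGIN result, P_ORGINCON result) rows."""
    rows = []
    for pernr in sorted(EMPLOYEES):
        for infty in ("0001", "0008"):
            rows.append((pernr, infty, p_orgin(CLUBBED, pernr, infty),
                         p_orgincon(CONTEXT, pernr, infty)))
    return rows

if __name__ == "__main__":
    for pernr, infty, flat, ctx in report():
        print(f"PERNR {pernr} IT{infty}: P_ORGIN={flat} P_ORGINCON={ctx}")
```

In the model, the clubbed P_ORGIN roles expose infotype 0008 for the DE01 employee even though the HR role is limited to `US*`, while the context variant grants 0008 only inside ZMSS and 0001/0002 everywhere else.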