Sep 09, 2011 at 01:12 PM

P_PERNR does not exclude changes, related to the use of P_ORGINCON?

Hi there,

I have the following question:

I want to restrict an HR Administrator to be able to maintain its own infotypes 0008 and 0105.

The role contains the following authorizations:

P_ORGINCON:

Authorization level D, E, M, R, S, W

Infotype 0008, 0105

Personnel Area 2000

Employee Group *

Employee Subgroup *

Authorization Profile *

Subtype *

Organizational Key *

P_PERNR:

Manually HR: Master Data - Personnel Number Check

Authorization level D, E, S, W

Infotype 0008, 0105

Interpretation of assigned per E

Subtype *

However, the user is still able to maintain its own salary.

The ST01 trace shows that P_PERNR only performs checks for read access, write access is only checked for P_ORGINCON:

P_PERNR RC=4 tcode=PA30;AUTHC=R;PSIGN=*;INFTY= ;SUBTY= ;

P_PERNR RC=4 tcode=PA30;AUTHC=R;PSIGN=E;INFTY=;SUBTY=;

P_PERNR RC=4 tcode=PA30;AUTHC=R;PSIGN=I;INFTY= ;SUBTY= ;

The following switches have been turned on in OOAC:

AUTSW ADAYS 15 HR: Tolerance Time for Authorization Check

AUTSW APPRO 0 HR: Test Procedures

AUTSW DFCON 1 HR: Default Position (Context)

AUTSW INCON 1 HR: Master Data (Context)

AUTSW NNCON 0 HR: Customer-Specific Authorization Check (Context)

AUTSW NNNNN 0 HR: Customer-Specific Authorization Check

AUTSW ORGIN 0 HR: Master Data

AUTSW ORGPD 0 HR: Structural Authorization Check

AUTSW ORGXX 0 HR: Master Data - Extended Check

AUTSW PERNR 1 HR: Master Data - Personnel Number Check

AUTSW XXCON 0 HR: Master Data - Enhanced Check (Context)

I am a little confused why this customer has activated the context switch, because all P_ORGINCON values for PROFL are '*'.

Could this be the reason for ignoring the P_PERNR authorization?

I want to know for sure before making any changes in customizing.

Can anybody rule out note 1434022 (https://service.sap.com/sap/support/notes/1434022)?

Thanks in advance for your suggestions.

Kind regards,

Lodewijk Borsboom