
Mix of Authorization objects PLOG and ORGINCON

Dear Experts

In an authorization role we have activated the ORGINCON-object incl. structural authorization so that the user can only maintain PA data from his area. On the other side we have the PLOG-Object where we set restrictions for the PD infotypes.

In practice we search for a solution to the following problem: a user can only create relationships in infotype 1001 for people from his area, e.g. book participants on a course, but in case of relationship A 026 (is held by), the ORGINCON should be ignored, so that the user can book anybody as a trainer of the course.

Is there a possibility to ignore the ORGINCON restrictions for a specific relationship?

Many thanks for your help.


1 Answer

  • Former Member
    May 23, 2012 at 07:04 AM

    Hi Diego,

    Sorry, I would need more to accurately understand the scenario. In structural authorization based security, structural profiles determine the PD/OM objects of org structure that are accessible to the users & P_ORGINCON values restrict the access to maintain/display PA data (PA infotypes) for the authorized OM entities.

    But PLOG works independently and is only restricting access of creating, maintaining, relating OM objects which the user is authorized to, as per his structural profile. Can you please let me know in your case which PA infotype is being checked when user tries to create an OM/PD relationship in IT1001 with Subtype A026, that you want to bypass?

    so that the user can book anybody as a trainer of the course.

    The above statement I believe is creation of relationship A026. Please excuse me if I have misinterpreted the actual issue. Appreciate if you could elaborate the scenario a bit more for my understanding.

    Thanks

    Sandipan


    • Former Member Diego Singh

      Hi Diego,

      Glad we could identify the root cause of the issue.

      Do I understand correctly: If we would have PLOG in combination with P_ORGINCON we could solve the problem, but as soon as we have a Z_ORGINCON with a BADI implemented it doesn't work?

      As I mentioned in one of my earlier posts, object PLOG and P_ORGINCON restrict user's access independently (PLOG controls OM/PD access & P_ORGINCON controls PA data access). The only thing common between them is the OM/PD objects (part of org structure) as determined by user's assigned structural profiles.

      With customization in your system, BADI enforces the system to check for PLOG first and then Z_ORGINCON whenever users try to create OM relationship as you described in your first post.

      Hope this is helpful. Should you have any questions, please do let me know.

      Cheers!

      Sandipan