Authorization problem with HR transaction CAT2

Question: Hello,

We would like to restrict the access to the time sheet transaction CAT2. It's necessary that users have access only to their own data sheet.

I applied the solution described in the messages of the forum opened by M.F.S during November 2002 (I inactivated the P_ORGIN in the role), but, when it's done, I get the following error message => You don't have authorization for the personnel number ... in profile ...

In the SU53, the following authorization object is checked => Transaction code PR05 (why?)

If I reactivate the P_ORGIN, it works but the users have access to all data sheets.

All users used for the tests are associated with a personnel number in PA30 (infotype 105, subtype 0001). Please, do you have any idea to help me?

Thanks a lot

PS: I searched the forum for solutions before posting this message, but none of them helped me (I've tested all described solutions).

Answer:
I've seen what you describe with PR05 being required for CAT2 - and I don't know why. So I assigned it, and when we went to contextual authorizations it wasn't required any more.

You are not going to be able to run CAT2 without P_ORGIN, so you have to leave it active. And you have to use P_PERNR to restrict users to their own data.

Answer:
When I leave the P_ORGIN, the users have access to all timesheets. I've configured the role as follows:

- P_ORGIN (default value):

Changed HR: Master Data T-D132215208

Authorization level R
Infotype 0000-0002, 0007, 0315, 0316, 2001-2003
Personnel Area *
Employee Group *
Employee Subgroup *
Subtype ' '
Organizational Key *

Changed HR: Master Data T-D132215209

Authorization level E
Infotype 0316
Personnel Area *
Employee Group *
Employee Subgroup *
Subtype ' '
Organizational Key *

- P_PERNR

Maintained HR: Master Data - Personnel Number Check T-D132215207

Authorization level *
Infotype 105
Interpretation of assigned per E
Subtype 0001

In the P_ORGIN, I left the * for the starting tests, but perhaps it is too much?

Answer:
First. Do not worry about PR05. It is checked, but is of no relevance to you.

Second. Your definition of P_ORGIN is way too wide. You need to move most of the infotypes to P_PERNR and change the interpretation to I instead of E.

Answer:
Sorry, I made an error in my copy of P_PERNR. I wanted to try the value E for "Interpretation of assigned per" to verify (unluckily, with E the test user has access to everybody but also to his own timesheet) and I forgot to change it before the copy. The problem occurs of course for the value I.

Blaster, do I have to move most of the infotypes from P_ORGIN to P_PERNR?

Thanks a lot for your help

Answer:
Be sure to leave the Orglevel fields in P_ORGIN that you restrict in P_PERNR open, as they will overrule that restriction (like Personnel Area etc.).

Answer:
Channig: If you have given access to other transactions that need them, I cannot tell you, but you should move the time relevant infotypes to P_PERNR. No use in having them in P_ORGIN for CAT2.

Auke: I do not understand your point. The infotypes should not be in P_ORGIN at all.

Answer:
As I do not have access to an HR system at this moment I cannot check, but as I recall we did not change the default P_ORGIN as coming in from USOBT, but entered no values for personnel number etc., as it will overrule the P_PERNR check with given values.
In P_PERNR we entered the CATS infotypes 315, 316 and the rest as proposed.
Whether it works when you deactivate the original P_ORGIN I do not know.

Answer:
I made a ST01 to analyze the authorization error and I found the following lines:
1 <- P_PERNR:AUTHC=R,PSIGN=*,INFTY=0002,SUBTY=' '
1 <- P_PERNR:AUTHC=R,PSIGN=E,INFTY=0002,SUBTY=' '
1 <- P_PERNR:AUTHC=R,PSIGN=I,INFTY=0002,SUBTY=' '

The problem was that I configured the role in P_PERNR with subtype 0001, and I changed it to *.

As proposed by you, Auke, I went back to the default value in the P_ORGIN. I also used your solution, blaster, to copy all infotypes from P_ORGIN to P_PERNR.

And with all these changes, it's OK. The 3 test users have only access to their own data sheet in CAT2

Thank you a lot to all for your very precious help
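
Added example (not part of the original thread): a small Python check that compares the ST01 lines quoted above with the P_PERNR values posted in the thread and lists the fields of each traced check that the role does not cover. It models only plain field-value coverage (single values, ranges, `*`), which is an assumption of this example; the function names are illustrative.

```python
import re

# The three P_PERNR lines quoted from the ST01 trace in the post above.
TRACE = """\
1 <- P_PERNR:AUTHC=R,PSIGN=*,INFTY=0002,SUBTY=' '
1 <- P_PERNR:AUTHC=R,PSIGN=E,INFTY=0002,SUBTY=' '
1 <- P_PERNR:AUTHC=R,PSIGN=I,INFTY=0002,SUBTY=' '
"""

# P_PERNR values from the thread: the first attempt (with PSIGN=I) and the set that worked.
ROLE_BEFORE = {"AUTHC": "*", "INFTY": "105", "PSIGN": "I", "SUBTY": "0001"}
ROLE_AFTER = {"AUTHC": "*", "PSIGN": "I", "SUBTY": "*",
              "INFTY": "0000-0002, 0007, 0315, 0316, 105, 2001-2003"}

FIELD_RE = re.compile(r"(\w+)=('[^']*'|[^,]*)")

def parse_trace(text):
    """Return [(object, {field: checked_value})] for each 'OBJECT:F=V,...' line."""
    checks = []
    for line in text.splitlines():
        m = re.search(r"(\w+):(.+)$", line)
        if m:
            fields = {k: v.strip("'") for k, v in FIELD_RE.findall(m.group(2))}
            checks.append((m.group(1), fields))
    return checks

def norm(value):
    """Zero-pad numeric values (105 -> 0105); leave blanks, letters and * alone."""
    return value.zfill(4) if value.isdigit() else value

def covers(role_value, checked):
    """True if a role field (single values, ranges or *) covers the checked value."""
    want = norm(checked)
    for part in role_value.split(","):
        part = part.strip() or " "          # an empty entry means a blank value
        lo, _, hi = part.partition("-")
        if part == "*" or norm(part) == want:
            return True
        if hi and norm(lo) <= want <= norm(hi):
            return True
    return False

def failing_fields(role, checked):
    """Fields of one traced check that the role's values do not cover."""
    return sorted(f for f, v in checked.items()
                  if f not in role or not covers(role[f], v))

if __name__ == "__main__":
    for obj, checked in parse_trace(TRACE):
        print(obj, checked, "before:", failing_fields(ROLE_BEFORE, checked),
              "after:", failing_fields(ROLE_AFTER, checked))
```

For the traced check with PSIGN=I, the first role misses on INFTY and SUBTY, while the later values cover every field.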

Answer:
Hello all,

I have another problem with CAT2 for some users. These users use PA30, which requires the authorization object P_ORGIN, as does the transaction CAT2.

These people have to manage users in PA30, but if we limit the access in P_ORGIN so that people have access to their own datasheets, they don't have the possibility to manage the users in PA30 (due to the restriction in the authorization object P_ORGIN).

Which infotypes do we have to give in P_ORGIN to have enough access in PA30 without impact on the transaction CAT2?

Thank you for your help

Answer:
Infotypes 315 and 316 control time writing, so you should play around with these to allow controlled access to CAT2 while giving wider access to other TCODES by not having 315 and 316 in the wider objects.

Answer:
For CAT2 you need only the following for P_ORGIN

Authorization level R, E
Infotype 0315, 0316, 2002
Personnel Area *
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key *

Answer:
But, as I explained in a previous message in the same topic, to give access to CAT2, I left the default values in the P_ORGIN:

Authorization level E, R
Infotype 0000-0002, 0007, 0315, 0316, 2001-2003
Personnel Area
Employee Group
Employee Subgroup
Subtype ' '
Organizational Key

And for the P_PERNR, I give the following values:

Authorization level *
Infotype 0000-0002, 0007, 0315, 0316, 105, 2001-2003
Interpretation of assigned per I
Subtype *

With these authorizations, the users have access only to their own timesheets. Polarbear, if I modify the values as you explained, the users can access all timesheets.

Auke, I tried to configure the P_ORGIN as you explained: I removed the 315 & 316 from the Infotype for PA30 (I left the default values for CAT2):

Standard HR: Master Data

Authorization level E, R
Infotype 0000-0002, 0007, 0315, 0316, 2001-2003
Personnel Area
Employee Group
Employee Subgroup
Subtype ' '
Organizational Key

Changed HR: Master Data

Authorization level *
Infotype 0000-314, 2003-9999, 317-2001
Personnel Area *
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key *

For the PA30, it's OK, but for the CAT2, it's not OK ... I entered stars for the other values, because some users should have access to all user properties in the PA30. Maybe my error comes from here?

Answer:
Sorry, I chose the wrong way and your information was good. Now it works with the following configuration in the authorizations:

For the P_ORGIN

Standard HR: Master Data
Authorization level E, R
Infotype 0000-0002, 0007, 0315, 0316, 2001-2003
Personnel Area
Employee Group
Employee Subgroup
Subtype ' '
Organizational Key

Changed HR: Master Data
Authorization level *
Infotype 0000-0006, 0008-0314, 0317-0327, 0329-2000, 2004-9999
Personnel Area *
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key *

For the P_PERNR

Maintained HR: Master Data - Personnel Number Check
Authorization level *
Infotype 0007, 0315, 0316, 2001-2003
Interpretation of assigned per I
Subtype *

Thank you for your help