Question:
The problem I am facing while implementing MSS is as follows:
The MSS function modules that we are implementing are checking for P_ORGIN with IT0001 and several other ITs. I have created only one MSS role with P_ORGIN as follows:
Authorization level M, R
Infotype 0000, 0001, 0002, 0006, 0019, 0032, 105
Personnel Area *
Employee Group 1, 2, 4
Employee Subgroup *
Subtype ' ', 0001, 0010, 0020, 01-06, 03, 1, 10, 4, Z1 SUBTY
Organizational Key *
Using this role, the leaders can see only their subordinates even though I gave * in PA, as MSS is configured like that. No issues.
The problem arises if I assign this role to any leader who already has HR access (example as below):
Authorization level R
Infotype 0008
Personnel Area 0006
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key *
If we assign the MSS role to users with the above access, he will have access to all personnel areas (not just PA 0006) when he executes HR transactions like PA20....
Structural profiles may not be a good option as some of the HR leaders may want access to more than 1000 PAs except a few. The only solution that I can think of is to inactivate P_ORGIN in the MSS role and make sure the HR roles that have been assigned to HR leaders have IT 0001 for their PA in P_ORGIN (as IT 0001 is not critical). Is there any other solution? Please help.
Answer:
In general a leader can't see 008 infotype data for all personnel areas, because these are two different objects.
Answer:
You could create new MSS roles for HR leaders restricting by PA, something like this:
Authorization level M, R
Infotype 0000, 0001, 0002, 0006, 0019, 0032, 105
Personnel Area 0006
Employee Group 1, 2, 4
Employee Subgroup *
Subtype ' ', 0001, 0010, 0020, 01-06, 03, 1, 10, 4, Z1 SUBTY
Organizational Key *
Answer:
You do not write which ITs the person can access through PA20, but I would believe that the person cannot access 0008 for all pers.areas.
1. As you say yourself, standard MSS can delimit access structurally without you having to do anything in the backend.
2. When assigning PA20, pers.area comes into play since you have assigned a * and that this is not part of MSS. The users should not be able to access 0008 though for other areas than 0006.
3. Structural restrictions for HR are indeed not the solution, but you have got more than 1000 pers.areas? What does determine which pers.areas HR can access?
Answer:
Thank you SecAdmin and Blaster for the reply.
Solution for my problem is as follows:
I created one MSS role with PA * in it and assigned the role to non-HR leaders.
I created one more MSS role without P_ORGIN (no PAs) and assigned the role to leaders who have HR access. The only thing I need to make sure is that the roles the HR leaders have should have Read access to IT 0001 for their PA (my MSS function modules are checking for S_RFC and P_ORGIN with R, IT0001). I did not use any structural profile or create multiple derived roles.
This solution may not work for others as the MSS function modules that you use may be different.
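The behaviour discussed in this thread comes down to how SAP combines authorizations: within one P_ORGIN authorization every field must match (AND), but across all authorizations in the user's buffer a single match is enough (OR), so a PA * in the MSS role cannot be narrowed by a PA 0006 in an HR role, while infotype 0008 stays limited because the MSS role never lists it. The following Python model is an added illustration, not code from the thread or from SAP; the field names are those of the real P_ORGIN object, but the role names (Z_MSS_LEADER, Z_HR_PA0006, Z_HR_PA0006_IT0001) are invented, 0105 is the four-digit form of the infotype written as 105 above, and the wildcard and range matching is a simplification of SAP's actual comparison rules.

```python
"""Toy model of SAP's P_ORGIN evaluation across several roles (added example).

Field names are the real P_ORGIN fields; role names and the matching rules
below are assumptions, not SAP's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List

P_ORGIN_FIELDS = ("INFTY", "SUBTY", "AUTHC", "PERSA", "PERSG", "PERSK", "VDSK1")


@dataclass(frozen=True)
class Authorization:
    """One P_ORGIN authorization as maintained in a single role."""
    role: str
    values: Dict[str, List[str]]


def value_matches(pattern: str, value: str) -> bool:
    """Assumed rules: '*' matches all, trailing '*' is a prefix,
    'LO-HI' is an inclusive string range, anything else is exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if "-" in pattern and len(pattern) > 1:
        low, high = pattern.split("-", 1)
        return low <= value <= high
    return pattern == value


def authorization_matches(auth: Authorization, requested: Dict[str, str]) -> bool:
    """AND within one authorization: every field must match."""
    return all(
        any(value_matches(p, requested[fld]) for p in auth.values.get(fld, []))
        for fld in P_ORGIN_FIELDS
    )


def authority_check(user_auths: List[Authorization], requested: Dict[str, str]) -> List[str]:
    """OR across roles: return every role whose authorization grants the request.
    A PA '*' in one role therefore cannot be narrowed by PA '0006' in another."""
    return [a.role for a in user_auths if authorization_matches(a, requested)]


def request(infty: str, persa: str, authc: str = "R", subty: str = " ",
            persg: str = "1", persk: str = "01", vdsk1: str = "X") -> Dict[str, str]:
    """A PA20-style read of one infotype for an employee in one personnel area."""
    return {"INFTY": infty, "SUBTY": subty, "AUTHC": authc, "PERSA": persa,
            "PERSG": persg, "PERSK": persk, "VDSK1": vdsk1}


# The MSS role from the question (name assumed; 0105 = infotype written as 105).
MSS_ROLE_PA_STAR = Authorization("Z_MSS_LEADER", {
    "INFTY": ["0000", "0001", "0002", "0006", "0019", "0032", "0105"],
    "SUBTY": [" ", "0001", "0010", "0020", "01-06", "03", "1", "10", "4", "Z1"],
    "AUTHC": ["M", "R"], "PERSA": ["*"], "PERSG": ["1", "2", "4"],
    "PERSK": ["*"], "VDSK1": ["*"],
})

# The HR leader's existing role from the question: IT 0008, read, PA 0006 only.
HR_ROLE_PA0006 = Authorization("Z_HR_PA0006", {
    "INFTY": ["0008"], "SUBTY": ["*"], "AUTHC": ["R"],
    "PERSA": ["0006"], "PERSG": ["*"], "PERSK": ["*"], "VDSK1": ["*"],
})

# The poster's fix: HR role also reads IT 0001 for its own PA, and the MSS role
# for HR leaders carries no P_ORGIN at all (so it contributes nothing here).
HR_ROLE_PA0006_WITH_IT0001 = Authorization("Z_HR_PA0006_IT0001", {
    "INFTY": ["0001", "0008"], "SUBTY": ["*"], "AUTHC": ["R"],
    "PERSA": ["0006"], "PERSG": ["*"], "PERSK": ["*"], "VDSK1": ["*"],
})


def hr_leader_before_fix() -> Dict[str, List[str]]:
    """MSS role with PA * plus the HR role: IT 0001 leaks to every PA, IT 0008 does not."""
    auths = [MSS_ROLE_PA_STAR, HR_ROLE_PA0006]
    return {
        "IT0001 in foreign PA 0007": authority_check(auths, request("0001", "0007")),
        "IT0008 in foreign PA 0007": authority_check(auths, request("0008", "0007")),
        "IT0008 in own PA 0006": authority_check(auths, request("0008", "0006")),
    }


def hr_leader_after_fix() -> Dict[str, List[str]]:
    """MSS role without P_ORGIN: only the HR role's PA 0006 remains visible."""
    auths = [HR_ROLE_PA0006_WITH_IT0001]
    return {
        "IT0001 in foreign PA 0007": authority_check(auths, request("0001", "0007")),
        "IT0001 in own PA 0006": authority_check(auths, request("0001", "0006")),
        "IT0008 in own PA 0006": authority_check(auths, request("0008", "0006")),
    }


if __name__ == "__main__":
    for title, results in (("before fix", hr_leader_before_fix()),
                           ("after fix", hr_leader_after_fix())):
        print(title)
        for name, roles in results.items():
            print(f"  {name}: {'granted by ' + ', '.join(roles) if roles else 'DENIED'}")
```

Run it to see both sides of the argument in the thread: before the fix the HR leader reads IT 0001 in PA 0007 through Z_MSS_LEADER, exactly the PA20 exposure the question describes, yet IT 0008 in PA 0007 is denied, as the answers predicted. After the fix the MSS role contributes no P_ORGIN, so the HR role alone decides and IT 0001 is readable only in PA 0006. The same model also shows why a derived MSS role per PA (the second answer) works: it simply replaces the PA * authorization with a narrower one.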