Question:
I am having a problem with restricting the payroll journal to remote 'decentral' payroll personnel. Usually the personnel area restriction in P_ORGIN successfully restricts access to a particular area of the company, but even with a structural profile and personnel area restrictions, the decentral user can run the payroll journal for the entire company. Is there another auth object that can help restrict payroll to different areas of an ORG?
Thanks for your help.
Answer:
Hi,
When you say 'decentral', what do you mean?
Answer:
In our org, decentral for security is a group of personnel areas that make up a company code or a divisional ORG unit with all underlying orgs, positions and personnel.
In functional terms it is a division of the company.
Answer:
Hi,
Have you explored the use of the context-sensitive solution utilising P_ORGINCON in place of P_ORGIN? This allows for multiple structural profiles for those employees whose access spans more than one part of the org structure... a manager, for example, who has responsibilities in more than one org unit.
Maybe this is not what you are looking for, and so I would suggest a trace to determine the path being taken by the auth check for one who is restricted and compare against a user who is able to execute and see all... hope this helps
Answer:
I have looked at the context solution, but I don't think that applies to this situation. The structural profile assigned to the user is correct; however, it seems like the payroll journal report does not take the structural authorization or the personnel area restriction in P_ORGIN into account. I have run a trace on the payroll journal report and I can't seem to find where it checks the P_ORGIN personnel area restriction.
Thanks,
Answer:
Check to see if the user has object P_ABAP. If the user has this and the access is correct, it is overriding the P_ORGIN checks.
_________________
John A. Jarboe