How to use userid in discrete selection in structural auth.

Question: Hi!

Scenario:

All employees should have access to their own data via Managers Desktop (PPMDT) and furthermore we would like to introduce on-line course evaluation using transaction PPPM to access infotype 0025.

Challenge:

PPMDT requires a structural authorization to be maintained for the employee. But to make this authorization discrete it must only concern the employee's own data. And since we have approx. 1000 employees we do not want to maintain one authorization per employee where P is the object and the personnel number is the object id.

Expectation:

We would expect it to be possible to maintain a structural authorization, where the unique link between personnel number and userid maintained on infotype 0105 is used. And furthermore to maintain one generic employee authorization based on this unique link.

Question:

How can this be done? We have tried with the evaluation path U-P-O, but it opens up to all employees in Time Reg. (PTMW) and in PA20. So is there another evaluation path, function module or whatever that can be used to secure discrete access for each employee?

Thank you in advance for any feedback.

Kind regards

HJO

Answer:
It cannot with what is delivered. You can create a function module to be used in the Structural authorization profile definition to do what you want and the function module could be written "generically". The drawback is if not written correctly it may limit access too strictly for those users that SHOULD be able to see the data.

Answer:
HJO, investigate function module RH_GET_PERSON_FROM_USER. Using object P in the PD profile and this function, this might get you the employee only. Of course then the role authorization objects would kick in ...P_PERNR with Interpretation value I (see own data only).
_________________
regards,
rob

Answer:
I am a bit curious as to why you give access to the managers desktop (PPMDT) to all employees. This tool is generally only to be used by line managers within an org unit, designated by relationship A012 to O, to manage the staff that report to them in their org unit and org units that report to theirs.

The ability of employees to display their own data is usually enabled using the employee self service functionality.

If you don’t use ESS, you can still grant all employees access to display their own data. The assumption I am going to make here is that you use PPMDT to only allow access to PA data.

If this is true you can give the user PA20, you probably call it currently in PPMDT, and only use object P_PERNR in the role; it is not necessary to use object P_ORGIN when granting or denying an employee access to their own data. Whether you use ESS or PA20, P_PERNR is the only required object for accessing own data.

By changing the way people access their own data i.e. PPMDT to PA20 then you do not need a PD profile for all employees.

You mention that you would like to do course evaluation for IT 0025. Are you having the employee evaluate a course, or is the course administrator evaluating the employee as part of the appraisal process?

Regards
Peter Hofer
Copyright © 2007 - 2008 www.jt77.com