HR Auth Object created to restrict PERSONNEL SUB AREA Z_BTRTL

Question: Dear SAPFans
Problem: to restrict access to a particular personnel subarea. Created auth object Z_BTRTL to reduce access further to a subarea within a personnel area. But this auth object, created via Transaction SU21, isn't working; it still allows the user to access all subareas within the personnel area.

The access has been created to allow a user to view/update Infotypes 0001,0002,2001,2006. Within HR, P_ORGIN it is restricted to the required Personnel area.

Another problem I am experiencing is that the user can create holiday absence type via IF2001, but this record is created as 'locked'. I have given access to unlock but this is time consuming. Via SU53 the auth objects missing refer only to access for all personnel areas and not the restricted one I am tying the access to.
Kind Regards
Rach

Answer:
Hi Rach,

Have you ensured that the auth object is actually checked?

Concerning the locked records, then take a look at activity 'E'. If you do not use the double verification concept (something like that), I do not see any reason that you use 'E' on IT 2001.

Finally, never use SU53 when it comes to HR authorizations. It is useless. Enable a trace instead.

Answer:
Hi and thanks for the quick response.
I removed 'E' from the role, but this meant that the test user could not create & save an absence created in IF2001. Do you have any other ideas?
Therefore currently one P_ORGIN:

Authorization level: D, E, M, R
Infotype: 2001
Personnel Area: 11
Employee Group: *
Employee Subgroup: *
Subtype: 4000
Security: *

If I use ST05, can I follow another user's trace or do I need to 'log-on' as that user? Typically we wouldn't give users this access.

As regards the creation of my Z_BTRTL, can you elaborate on the 'Have you ensured that the auth object is actually checked?'
kindest regards

Answer:
Hi Rach,

I have had the exact same problem, but sorry, I cannot remember how I solved it. I will take a look when I go back to work, but I am having some days off. Alternatively, then, trial and error. You can monitor in SE16 PA2001 whether the records get locked or not.

Personally I prefer using ST01. And yes you can track all users.

What I meant concerning Z_BTRTL is that it does not matter that you create a custom auth object, if it is not coded into the program that the object is going to be checked.
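
The point above, as an added example that is not part of the original thread: a custom object such as Z_BTRTL only restricts anything in a program that explicitly issues an AUTHORITY-CHECK against it. The sketch assumes a hypothetical custom report; the report name and the authorization field names PERSA, BTRTL and ACTVT on Z_BTRTL are assumptions and must match the fields actually defined for the object in SU21.

```abap
REPORT z_btrtl_check_demo. " hypothetical report name

* Z_BTRTL has no effect unless code like the AUTHORITY-CHECK below runs.
* Assumption: the object was defined in SU21 with the fields
* PERSA (personnel area), BTRTL (personnel subarea) and ACTVT (activity).
PARAMETERS p_pernr TYPE pernr_d OBLIGATORY.

DATA ls_p0001 TYPE pa0001.

START-OF-SELECTION.
* Read the organizational assignment (infotype 0001) valid today,
* which carries personnel area (WERKS) and subarea (BTRTL).
  SELECT * FROM pa0001 INTO ls_p0001 UP TO 1 ROWS
    WHERE pernr = p_pernr
      AND begda <= sy-datum
      AND endda >= sy-datum.
  ENDSELECT.
  IF sy-subrc <> 0.
    MESSAGE 'No valid infotype 0001 record for this employee' TYPE 'E'.
  ENDIF.

* The explicit check: compares the employee's area and subarea with the
* values maintained for Z_BTRTL in the user's roles.
  AUTHORITY-CHECK OBJECT 'Z_BTRTL'
    ID 'PERSA' FIELD ls_p0001-werks
    ID 'BTRTL' FIELD ls_p0001-btrtl
    ID 'ACTVT' FIELD '03'.            " 03 = display
  IF sy-subrc <> 0.
* Deny by default: any non-zero return code means not authorized.
    MESSAGE 'No authorization for this personnel subarea' TYPE 'E'.
  ENDIF.

  WRITE: / 'Authorized for area', ls_p0001-werks,
           'subarea', ls_p0001-btrtl.
```

An authorization trace run while executing such a report shows a check on Z_BTRTL; if no such line appears for a given transaction, that program never evaluates the object.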

Answer:
Authorization level: D, E, M, R
Infotype: 2001

Add W

Answer:
Morning Blaster cheers for your 2nd response,

I have removed E and D auth levels, as I found info relating to Auth Level E (write to locked record) and D (maintain lock indicator), which enable the double verification principle, i.e. one user creates a locked record and another user unlocks that record.
So that bit is sorted. I now have M,R,W. Inspiration Sat morning after a good night's sleep....and a file 'config of HR system' Lite reading.

And so to your last bit of the answer. Background: The access is to PA20, PA30 & PC00_M08_ABSENCE. The science bit: Z_BTRTL how do I use the role access to limit access to the subarea. You mentioned 'program' can you tell me a little more??
Cheers Rach

Answer:
Hi Rach,
do you use the field Organizational Key in P_ORGIN for auth check? Or have you * in this field?
And do you use this field (P0001-VDSK1) for storing some important info in infotype 0001?
If not, you can simply change the default value of VDSK1 in IT0001 (copy there the pers subarea instead of standard combination of WERKS and KOSTL) and use only P_ORGIN in your roles.

Regards
Copyright © 2007 - 2008 www.jt77.com