invoking P_ORGIN auth check for PCP0

Question: We'd like to switch on / invoke the P_ORGIN authorisation check for the transaction PCP0 (display posting runs).

We want to do this as the authorisation of our HR setup is all working well and only allows access to infotypes according to how we have implemented P_ORGIN.

However, users with restrictions on HR data (basic pay for example) for certain grades of employee can now see this information for all employees if they have access to PCP0 for their company code.

I know to do this that the SAP code needs to be altered in some way but cannot find an appropriate user exit / BADI to help me with this problem. Does anyone have any experience of dealing with this issue?

Regards, SPW.

Answer:
Have you run a st01 authorization trace on the tcode to see,
1. That the code is checking P_ABAP and skipping the P_ORGIN check,
2. That the P_ORGIN check is turned OFF in SU24 for the tcode?
3. Looked for an alternate report?

Answer:
1. Objects checked are S_PROGRAM, P_PYEVDOC, P_PYEVRUN and P_TCODE. P_ABAP & P_ORGIN are not checked.

2. In su24, P_ORGIN is set to 'Check' for P_ORGIN, P_ABAP is not in the list.

3. Do not think that an alternative report exists but will check.

I know that I will need to alter su24 at some point to 'CM' for P_ORGIN but this counts for nothing unless the code is calling this object first. I've had a very good developer look at the code in any case and he cannot find any suitable user exits / BADIs. Hence I thought that I would throw it out on the forum just in case anyone else has come across this specific problem.

Am thinking that, unless we decide to go down the custom code route we will have to alter our processes and look at people's business roles.

SPW

Answer:
It is likely harder than you may think. First of all, the posting run is reading transactional data out of a cluster. You could check by running a trace to see if it is reading master data out of the HR master data tables, but I tend to doubt it.

Also please note that changing something to CM in SU24 is meaningless if SAP has not written an authorization check in the code.

Copyright © 2007 - 2008 www.jt77.com