Question:
Gurus,
What options exist to eliminate the need to provide IT 0002 access for displaying Employee Partners in other modules (e.g., an employee partner assigned to a sales order VA03).
P_ABAP doesn't appear to have any effect; I've tested with full access to this object, but P_ORGIN is still being failed on.
Thanks in Advance,
Restless in Raleigh
Answer:
Are you sure IT 0002 access failure is what is causing the problem or are you relying on the SU53's last recorded failure as the reason for the falure?
HR generally cycles thru all long list of IT's and logs the Pass/fail in an internal table. It then "fails" on access read from the table so the SU53 has no meaning.
Does giving only 0002 make the data visible?
Generally you only need 0000 and 0001
Answer:
Positive, for both initially displaying the name in the Partners tab, as well as drilling into the partner for more info: phone number, e-mail, etc.
Getting a fresh SU53 failure of IT 0002
- add P_ORGIN with IT 0002 back into test role and
voila, partner info is again available.
Answer:
I know this isn't the same transaction as in my example above, but in initial OSS research, this note suggests the same for IT 0002 - I can't accept that I must open up IT 0002 for this trivial purpose:
652989 VC01N: No display of name employee responsible
Prerequisite: The user does not have any authorization for HR infotype 0002.
Answer:
I don't know how to remove the authorization but you can use a user exit (and structural authorizations) to make it so that they need more authorization to see IT0002 in an HR transaction than they will in the non-HR transactions (where presumably the sensitive data isn't shown).
Answer:
That does sound like a project - we're on 4.6C, so I'm presuming we'd need to apply a supportpack to introduce context authorizations?
Also, we're currently not using structural authorizations, we'd have to examine all the implications of applying them, particularly for time-entry and approval - I have to admit, I'd probably get shot down at this point in suggesting structural auths as an option, ...
... but I'll put it in the list of options.
Any other avenues to consider?
Answer:
Think you may be stuck with this. I experienced an almost identical problem with time manager's workbench (PTMW) whereby you need to give access to IT0002 in order to be able to see the basic employee data - access to IT0000 and IT0001 was not enough. Got the project ABAPer to look into this and the reason was that is was coded into the module pool that was used to display the screen data. Suspect this will be the case in the screen/transaction that you are accessing
Not sure if this helps but maybe at least reinforces where you stand on this point.
If you want to alter this IT0002 access route you are unfortunately off down the changing SAP standard code/screens route unless there is a helpful BAPI. We decided not to do this for obvious reasons and live with the need to give IT0002 access