combination of roles gives too much access

Question: Hi All,
We have run into a security problem as follows:
We want a non-HR user to update IT0033 for all persons. So he is given an HR security role with access to IT0033 and transactions PA10,20,30.

This same person has EH&S roles that require him to have read access to certain (other) HR infotypes in order to run their transactions. When we combine the EH&S roles and the HR role, he is then given access to all of the extra infotypes in PA20,30 that are granted by the EH&S roles.

Does anyone know of a way to limit him to only IT0033 in PA20,30 but still allow him to access the additional infotypes he needs for the EH&S transactions, but perhaps just in the background, not visible in PA20,30?

Thanks very much, please let me know if it is unclear...

Answer:
Working as designed...

You do not control PA20, PA30 like that as delivered; a perfect example of "SAP does not care how you get to the data, just whether you can".

If the other EH&S transactions are indeed reports there might be a chance with P_ABAP control, but an ST01 authorization trace will tell you this.

Answer:
If you are on 4.7 you *may* be able to use the new context-sensitive authorizations (with structural authorizations) to control this.

Answer:
If permitted to do so, you could try providing two Users - not a terribly attractive option, but it would work.

Answer:
We have been doing a lot of research into context-sensitive structural authorizations and although I'm by no means an expert, I don't believe this is going to solve our problem. From what I understand, it will allow you to specify certain access to certain infotypes, employee groups, subgroups, etc. for a particular group of people (based on the authorization profile you assign). But our problem is that this employee should have access to IT0033 for all employees (through PA20/30) but also needs access to other infotypes (0000, 0001, 0002, 0006, 0007) in the background for his EH&S roles (also for all employees). However, we do not want him to access more than IT0033 through PA10/20/30. But when you put both types of roles on the user, it gives him access to all of it.

I am wondering if creating a customer specific authorization object may help? I believe you can specify a transaction code as well as an auth profile (on top of the regular auth object fields). Maybe this means specifying access to only IT0033 through transactions PA10/20/30. Does anyone have any experience with this?

Thanks so much.

Answer:
By the way, thanks everyone for your input... much appreciated!!


Answer:
HR allows you to create a customer-specific authorization object but it REPLACES the other HR checks. There is a BAdI exit where you may be able to add access checks, but I also believe it REPLACES the SAP standard checks... The simple solution is to create two IDs; much more cost-effective.

Answer:
Here is what I did.

One of our requirements was that everyone could see infotypes 1 and 2 except in any PA transaction. (The confidential data in IT0002 wasn't presented.)

We adopted structural authorization, and we used the BAdI for structural authorization checks. If the transaction didn't start with PA* we let them see the data. If it did then they had to have additional authority.

Some refinements will be required down the road but it is working for now.
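The two points made above, that SAP evaluates the union of all assigned roles without regard to how the user reached the data, and that a transaction-aware gate (the BAdI approach) is what separates the two cases, can be shown in a small model. The following is an added illustration, not code from this thread or from SAP. Field names are those of SAP's standard P_ORGIN object (INFTY, SUBTY, AUTHC, PERSA, PERSG, PERSK, VDSK1); the role names, the EH&S transaction name ZEHS_RPT, the sample org assignment and the `pa_visible` list are assumptions made for the example. Structural and context-sensitive authorizations, P_PERNR, and the exact way the BAdI interacts with the standard checks are deliberately left out.

```python
"""Model of how P_ORGIN behaves when several roles land on one user.
Added illustration; not code from the forum thread or from SAP."""

P_ORGIN_FIELDS = ("INFTY", "SUBTY", "AUTHC", "PERSA", "PERSG", "PERSK", "VDSK1")


def p_orgin(infty, authc):
    """One P_ORGIN authorization instance; org-level fields left at '*' (all)."""
    return {"INFTY": set(infty), "SUBTY": {"*"}, "AUTHC": set(authc),
            "PERSA": {"*"}, "PERSG": {"*"}, "PERSK": {"*"}, "VDSK1": {"*"}}


def pa_request(infty, authc):
    """Values a PA transaction hands to AUTHORITY-CHECK for one record.
    Constructed org assignment (PERSA 1000, PERSG 1, PERSK 01)."""
    return {"INFTY": infty, "SUBTY": "", "AUTHC": authc,
            "PERSA": "1000", "PERSG": "1", "PERSK": "01", "VDSK1": ""}


def field_matches(allowed, value):
    """'*' in the authorization matches any value; otherwise exact membership."""
    return "*" in allowed or value in allowed


def instance_passes(auth, request):
    """A single instance passes only if every one of its fields matches."""
    return all(field_matches(auth[f], request[f]) for f in P_ORGIN_FIELDS)


def authority_check(user_roles, request):
    """Mirror of AUTHORITY-CHECK: the user's buffer is the union of the
    instances from all assigned roles and the check succeeds as soon as any
    single instance passes.  The calling transaction is not an input here,
    because P_ORGIN has no transaction-code field."""
    return any(instance_passes(auth, request)
               for role in user_roles for auth in role["P_ORGIN"])


def effective_access(user_roles, tcode, infty, authc):
    """The two gates a PA transaction applies: S_TCODE to start the
    transaction, then P_ORGIN per infotype record.  tcode only affects
    the first gate."""
    if not any(tcode in role["S_TCODE"] for role in user_roles):
        return False
    return authority_check(user_roles, pa_request(infty, authc))


def tcode_gated_check(user_roles, tcode, infty, authc, pa_visible=("0033",)):
    """Sketch of the extra gate from the BAdI answer: after the standard
    check, a PA* caller is additionally limited to the listed infotypes.
    Assumes the custom check can see the calling transaction (sy-tcode in
    ABAP); the assumed list pa_visible stands in for 'additional authority'."""
    if not effective_access(user_roles, tcode, infty, authc):
        return False
    if tcode.startswith("PA") and infty not in pa_visible:
        return False
    return True


# Role from the question: maintain IT0033 for everyone via PA10/20/30.
HR_IT0033_MAINTAIN = {
    "name": "Z_HR_IT0033_MAINT",          # hypothetical role name
    "S_TCODE": {"PA10", "PA20", "PA30"},
    "P_ORGIN": [p_orgin(["0033"], ["*"])],
}

# Role from the question: read access the EH&S transactions need.
EHS_DISPLAY = {
    "name": "Z_EHS_DISPLAY",              # hypothetical role name
    "S_TCODE": {"ZEHS_RPT"},              # hypothetical EH&S transaction
    "P_ORGIN": [p_orgin(["0000", "0001", "0002", "0006", "0007"], ["R", "M"])],
}

USER_ROLES = [HR_IT0033_MAINTAIN, EHS_DISPLAY]


if __name__ == "__main__":
    for tcode, infty, authc in [("PA30", "0033", "W"), ("PA30", "0002", "R"),
                                ("PA30", "0002", "W"), ("ZEHS_RPT", "0002", "R")]:
        print(tcode, infty, authc,
              "standard:", effective_access(USER_ROLES, tcode, infty, authc),
              "tcode-gated:", tcode_gated_check(USER_ROLES, tcode, infty, authc))
```

With both roles assigned, the standard check lets the user display IT0002 inside PA30, since the EH&S instance matches and nothing in the request records which transaction asked; with only the IT0033 role assigned the same request fails. The tcode-gated variant denies that PA30 display while still allowing the EH&S transaction to read the same infotype.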

Answer:
The key thing with role design is not to mix & match display and maintain authorisations, i.e. PA20 and PA30. To solve the problem you need to create 2 roles: 1 for display and 1 for maintain.

In the display role assign PA20 ONLY and the relevant security settings for your EH&S infotypes - AUTHC=M,R + whatever else is appropriate.

In the maintain role assign PA30 ONLY and allow access to IT0033 - AUTHC=* + whatever else is appropriate.

That should work - I am doing similar at my customer and have managed to apportion HR access to display certain infotypes and maintain others.

Did you create 2 profiles within a single role? If so, the cross fertilisation problem you speak of will occur. If you create 2 roles and then assign these both to the user it should work.
Copyright © 2007 - 2008 www.jt77.com