Question:
Hi - we created a custom authorization object that is a copy of P_ORGIN called Z_PORGN. When using the custom authorization object in PA infotypes (0000, 0001, 0002, etc.), it is working as expected.
However, when using OM infotypes, the authorization is not working. The user was able to save records even though the user is not allowed.
Example: User has authorization in company code 1000. When displaying infotype 0001 of an employee that does not belong to company code 1000 via PA20/PA30, a message is displayed saying that the user has no authorization.
However, when creating Account Assignment in OM (infotype 1008) as an infotype of a position, the user was able to save the record using a company code other than 1000. Why is this so? It seems that the custom authorization object is not working in OM? Is there a missing relationship that I need to create for this to work? Please help...
Answer:
Working as designed... P_ORGIN, or its replacements using the customer-defined method, is used for personnel records, not org structure records. Yes, HR is all built on infotypes, but the access is controlled with different objects: PLOG (org structure) and P_ORGIN (personnel records of employees).
Answer:
Hi - how do we implement the validation now? ABAP code via a user exit (assuming there is an available user exit)?
Answer:
You can look for a user exit; there are two types in HR: the standard ones as found in SMOD and the "not so easy to code" BAdI exits.
But before you venture off in that direction, investing a ton in coding and testing and losing the effort in an upgrade, answer the following.
Are you using this security to replace training?
What is the risk and cost to the company if one is created in the wrong company code?
What is the possibility of it occurring?
Are there detective controls to use instead?
Is security being used to allow someone NOT to do their job?
If any of these answers is YES, then think long and hard before implementing a customer solution to a non-problem.
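To make the PLOG-versus-P_ORGIN point concrete, and to show what the validation asked about above would look like if it were built, here is an added ABAP example. It is not code from this thread or from SAP: the IT1008 field names are assumed to follow structure P1008 (verify in SE11), the sample record is constructed, the rule "a user may write IT1008 on a position only if Z_PORGN lets them write PA infotype 0001 in that record's personnel area" is a design assumption, and the OM exit that would call the gate (SMOD enhancement or BAdI) is left out.

```abap
REPORT z_om_pa_authcheck_demo.

" Constructed illustration, not code from the thread or from SAP.
" Field names mirror what an OM exit would receive for an IT1008
" record (assumed to follow structure P1008; verify in SE11).
TYPES: BEGIN OF ty_it1008,
         plvar TYPE c LENGTH 2,   " plan version, e.g. '01'
         otype TYPE c LENGTH 2,   " object type, 'S' = position
         objid TYPE n LENGTH 8,   " object ID
         infty TYPE c LENGTH 4,   " '1008' Account Assignment Features
         subty TYPE c LENGTH 4,
         istat TYPE c LENGTH 1,   " planning status, '1' = active
         bukrs TYPE c LENGTH 4,   " company code on the record
         persa TYPE c LENGTH 4,   " personnel area on the record
       END OF ty_it1008.

" 1. What standard OM actually checks: PLOG. Z_PORGN is not consulted
"    on this path, which is why the IT1008 save went through.
FORM check_plog USING    is_rec   TYPE ty_it1008
                         iv_fcode TYPE c
                CHANGING cv_ok    TYPE abap_bool.
  AUTHORITY-CHECK OBJECT 'PLOG'
    ID 'PLVAR'   FIELD is_rec-plvar
    ID 'OTYPE'   FIELD is_rec-otype
    ID 'INFOTYP' FIELD is_rec-infty
    ID 'SUBTYP'  FIELD is_rec-subty
    ID 'ISTAT'   FIELD is_rec-istat
    ID 'PPFCODE' FIELD iv_fcode.
  cv_ok = boolc( sy-subrc = 0 ).
ENDFORM.

" 2. The additional check the customer wants. Z_PORGN is a copy of
"    P_ORGIN and so carries P_ORGIN's field list: INFTY, SUBTY, AUTHC,
"    PERSA, PERSG, PERSK, VDSK1. There is no company-code field, so the
"    organizational restriction in the role lives in PERSA (personnel
"    area). Design assumption: writing IT1008 on a position requires
"    write access to PA infotype 0001 in the record's personnel area.
FORM check_zporgn USING    is_rec TYPE ty_it1008
                  CHANGING cv_ok  TYPE abap_bool.
  AUTHORITY-CHECK OBJECT 'Z_PORGN'
    ID 'INFTY' FIELD '0001'
    ID 'SUBTY' DUMMY
    ID 'AUTHC' FIELD 'W'
    ID 'PERSA' FIELD is_rec-persa
    ID 'PERSG' DUMMY
    ID 'PERSK' DUMMY
    ID 'VDSK1' DUMMY.
  cv_ok = boolc( sy-subrc = 0 ).
ENDFORM.

" 3. Combined gate to call from whichever OM exit is chosen (SMOD
"    enhancement or BAdI; the hook itself is not shown). Both checks
"    must pass; the reason lets the exit raise a meaningful error
"    rather than a bare "no authorization".
FORM gate_om_record USING    is_rec    TYPE ty_it1008
                             iv_fcode  TYPE c
                    CHANGING cv_ok     TYPE abap_bool
                             cv_reason TYPE string.
  DATA: lv_plog TYPE abap_bool,
        lv_pa   TYPE abap_bool.

  PERFORM check_plog   USING is_rec iv_fcode CHANGING lv_plog.
  PERFORM check_zporgn USING is_rec          CHANGING lv_pa.

  IF lv_plog = abap_false.
    cv_ok     = abap_false.
    cv_reason = |PLOG denies { iv_fcode } on { is_rec-otype } IT{ is_rec-infty }|.
  ELSEIF lv_pa = abap_false.
    cv_ok     = abap_false.
    cv_reason = |Z_PORGN denies write in personnel area { is_rec-persa }|.
  ELSE.
    cv_ok     = abap_true.
    cv_reason = 'authorized by PLOG and Z_PORGN'.
  ENDIF.
ENDFORM.

START-OF-SELECTION.
  DATA: ls_rec    TYPE ty_it1008,
        lv_ok     TYPE abap_bool,
        lv_reason TYPE string.

  " Constructed sample: IT1008 on position 50001234 pointing at
  " personnel area 2000, while the user's role holds PERSA = 1000 only.
  " With such a role the gate denies on the Z_PORGN step even though
  " PLOG alone would let the save through.
  ls_rec-plvar = '01'.
  ls_rec-otype = 'S'.
  ls_rec-objid = '50001234'.
  ls_rec-infty = '1008'.
  ls_rec-subty = ' '.
  ls_rec-istat = '1'.
  ls_rec-bukrs = '2000'.
  ls_rec-persa = '2000'.

  " 'INSE' is assumed to be the PLOG function code for create; confirm
  " against the PPFCODE value list in SU21 for your release.
  PERFORM gate_om_record USING ls_rec 'INSE' CHANGING lv_ok lv_reason.
  WRITE: / lv_ok, lv_reason.
```

Two things to keep in mind if this is taken further. The customer-defined check the earlier answer refers to is switched on in T77S0 (AUTSW group) and only affects where standard PA code calls your object; an explicit AUTHORITY-CHECK in your own exit runs regardless of that switch, so the two can disagree if the role values drift. And because P_ORGIN has no company-code field, the restriction really is by personnel area, which means the company-code rule only holds as long as personnel areas map cleanly onto company codes in your enterprise structure.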
Answer:
Thanks for the information. One more clarification: is it possible to have field-specific authorization in infotypes? Like a user ID can access infotype 0002 but can only display/view some fields, and a superuser can display/view all IT0002 fields?
Answer:
Look at the subtypes - you can restrict at this level if you wish. This way it is possible to give display access to all subtypes within an infotype and edit access to a select few.
Answer:
What if the infotype has no subtype, like IT0002 given in the example above? Or IT0001?
Answer:
If there is no subtype, then you may be better off looking for another way to control the access. You could use change reports to monitor who does this stuff.