Question:
All,
I would like to know what the effect will be combining a role that restricts on Personnel Area or Payroll Admin with a structural authorization selecting all employees managed by the user's position.
I suspect you would get a situation where only employees that satifies both scenarios (pers area and in the structural auth) will be selected.
Is there a way to get a combination of the two populations instead of just the intersection?
Answer:
Structual authorizations filter the standard authorizations based on the org structure to allow only those in the org structure path as determined by the evaluation path. If you want more you have to add more structural authorizations with starting org structures instead of allowing the function module to determine where the user is.
Answer:
John,
Thank you for the response. It makes sense.
But I think if I put in another structural authorization starting from the top of the org structure it will give me all the personnel areas or payroll admin group that I want but will probably drop out the employees reporting to the manager who is NOT in the required personnel area or payroll admin group. I am trying to find a way to see both?
I was just wondering if this could be a situation where the new context objects could be used?
Answer:
Adding a higher or different structural profile will allow access to the Personal Areas etc as allowed by P_ORGIN. THe structural authorization have nothing to do with Personal areas, ets, it could care less.
SAP FIRST checks the access a user has with P_ORGIN ( checking the IT, auth level, Pers Area, etc) and it does not care where they are in the HR structure.
THe sructural authorization then evaluates the HR structure using either the hard coded start point or the Function module to determine where the user is or the manager relationship and then with the evaluation path takes away the people not in the evaluated path in the HR structure, it does not ADD access it removeds it.
So by adding a PD profile to evaluate other branches in the HR structure SAP will keep the already approved records. If you want to look at other Personal areas you have tp grant it with P_ORGIN not a PD profile.
But what you appear to be asking is not NOT USE Structuural authorization at all and use just P_ORGIN. Personnel are is evaluated with P_ORGIN not structural authorizations
Answer:
Hello:
I agree with John, one thing is to access the org structure via Structural Authorization and other to access the employees based on their personal area, business area, etc.
Where I am working now, e.g. we have a single standard role applicable to all managers, which contains the infotypes and the type of access a manager has to them (read, write, etc). The role comes WITH broad access all over the country to all PA, BA, etc.
Additional to that, there are other roles with the appropriate transactions or groups of transactions the managers have access to, e.g. Time Display. These roles carry no infotype access information.
On top of that, we added Structural Authorizations, using the generig function module for managers and the whole solution works.
A manager has the 2 group of roles defined above, which as I wrote, give them brad access to see the whole country. What really restricts them is when the Structural Authorization takes place.
You must have a very acurate and up to date Organizational Strcuture for this to work, but again, as John wrote, these are 2 different things.
Finally, we have HR people in the company and the regions who are restricted by PA, BA, etc. We are not using Structural Authorizations with them, because HR people are supposed to see more than only an Organizational Unit they belong to, they should see a whole Regioal Centre. However, Structural Authorizations could still be applicable for them. It is just the type of organization I work for, that required us not to got SA for the regional HR people.
Regards,
Juan