Question:
Hi
We have a 4.7 system and at present we have a team of users who can change everyone's HR data in PA30. We are trying to restrict them from altering their own and other members in their team's data and coming across a few problems.
We first tried to do this by delimiting the personnel area, however it checks the history of personnel areas and displays their data if they have been in others.
We are now hoping that we can restrict it by using the personnel number check, we have activated this in transaction OOAC. As the system administrator we can go in and attach their user ID to their personnel number using the communication infotype 105. Then by changing the object P_PERNR in the relevant role we have been able to stop them from altering their own data, however they are still able to change other people's in their team due to only being allowed to attached one ID to their personnel number.
Does anyone have any suggestions to solving this? All feedback is appreciated.
SAP Devotee
Answer:
Working as designed. In HR you can ALWAYS see any record you are authorized to see even though the current record may not be accessable so if you once had access to an employee record you will always have access to display the HISTORY record. If you select it for change it will error out as not auhtorized to change.
Personell number check is "working as designed" it is to stop access to the USER's own record, no one elses. What you are attempting to control is done via structural authoriztion not standard authorizaitons.
Answer:
Are you using PDs to secure your HR structure? If you dont, the PD structure defaults to state similar to SAP* or you can alter anyone in the org structure. If they are limited by PDs / Org Units, You can restrict them.