Question:
Hi All,
I am setting up HR security roles and are trying to avoid structural authorizations. One of the requirements is to set up a reporting role for managers that will allow them to view detail of employees in certain geographical areas and also certain functions.
The first one we will be able to restrict by Personnel Area without any problems. The second however is proving to be a problem. Employees in a functional area (i.e. IT) are scattered all over the org structure in different org units, personnel areas, employee groups etc.
What I would like to know is if it would be possible to restrict managers from only accessing these users by assigning them to a payroll administrator with P_ORGXX. This field is not otherwise used in the system. That would basically be a payroll administrator for each functional area and then assign the employees accordingly?
Also, if I then assign * to the payroll administrator field would it only include employees that are assigned to any payroll administrator or all employees?
Any help in this regard would be grately appreciated.
Regards.
Answer:
You can use this for the purpose you want but Structural authorizations can be self determaning an you only need ONE structural profile using the function module option to do this. It only requires the proper relationship set which may already exist for reporting.
THe use o P_ORGXX may require NUMERIOUS role to be set up all with the correct values in it.
Answer:
Hi John,
Thanks for the advise. Thinking about it I have to agree, my original thought might do the job but we will end up with a large amount of roles to maintain.
If I then go ahead and create a structural profile to restrict according to function but I still also want to allow a manager to see all employees in a number of personnel areas regardless of the functional group they are in. I can do this in the standard HR roles with object P_ORGIN in personnel area. But will my structural profile overwrite this so that I end up only seeing people in the function module as per the structural profile?
Regards.
Answer:
Hi John,
Thanks for the advise. Thinking about it I have to agree, my original thought might do the job but we will end up with a large amount of roles to maintain.
If I then go ahead and create a structural profile to restrict according to function but I still also want to allow a manager to see all employees in a number of personnel areas regardless of the functional group they are in. I can do this in the standard HR roles with object P_ORGIN in personnel area. But will my structural profile overwrite this so that I end up only seeing people in the function module as per the structural profile?
Regards.
Answer:
Hi All and specifially John,
I've searched the forum for similar probs as the one i'm having and this is the closest i got...
I am using the "Time Administrator" field to restrict certain managers to their team members by the Admin Code. I've given each manager (only 10, so not so many roles to maintain) a seperate role, each time changing the SACHZ (in P_ORGXX) value accordingly. NOTE: the customer is not using org structure for autoriztions and user maintenance!
For some reason these limitations put on the managers don't seem to be doing the job and they are free to change time reports for employees set do different Time Admins... i also ran a trace and noticed that they weren't even being checked according to P_ORGXX.
What am i doing wrong and what do i need to do differently?
thank,
yoyosha
Answer:
Thank you... in the end i found the solution:
in order to activate the auth check for P_ORGXX you can find the following documentation in the auth object:
"The object HR:Master data - Extended check (P_ORGXX) can be used to
check authorization for personal data (HR infotypes).
This check is not active in the standard system.
You can use the HR: Master Data - Extended Check (ORGXX) authorization
main switch to define whether this check should be performed additively
or alternatively to the HR: Master Data authorization check. This is
different to the standard set up. You can edit the main switch settings
using the HR: Authorization Main Switches (OOAC) transaction."