HR authorizations with logical databases

roro535
Posts: 14
Joined: Thu Dec 08, 2005 3:12 pm

Post by roro535 » Thu Feb 15, 2007 5:00 pm

Hi All,
I'm a developer so don't have much knowledge of authorizations in HR. However, I have developed numerous reports using the logical database PNP. What we are trying to achieve is the following scenario:

User A, can see all infotypes except infotype 0008 (Basic Pay).
If User A runs the report, he can see all the information, except data from infotype 008. Is this scenario even possible?

Currently our problem is it prevents him from even running the report as he has no access for infotype 0008.
I'm assuming our problem is how we've set up the P_PERNR and P_ORGIN auth objects for him.

We currently don't have infotype 0008 in his P_ORGIN object, but if we leave it out of the P_PERNR object, we get the error "No authorization for Infotype 0008".
If we add it to P_PERNR, he can run the report but then can see infotype 0008 information, even though it is still not in his P_ORGIN object.

Anyone know how to solve this so he can still run the report but just not see infotype 0008's data?
By the way, we have taken out the P_ABAP auth object.
Thanks

MikeNZ
Posts: 36
Joined: Fri Apr 28, 2006 12:43 am
Location: New Zealand

Post by MikeNZ » Fri Feb 16, 2007 7:19 am

Hi

"If User A runs the report, he can see all the information, except data from infotype 008. Is this scenario even possible?"

Yes, should be possible depending on the type of report - and whether IT 0008 is a required output.

P_PERNR is used for giving access to an employee's personal information.

http://help.sap.com/saphelp_47x200/help ... ameset.htm

You can either allow them to only access own info or exclude them from accessing own info - so probably not relevant in this case.

The object you should be using is P_ORGIN (and possibly P_ORGXX) - you are correct in thinking that this should not need access to infotype 0008.

You can run an auth trace (ST01) which should show you what the issue is - there will be an auth check on P_ORGIN for IT 0008. I believe the problem will be what the program says to do when it fails on IT 0008 - currently it appears the program displays error message "you are not authorised...."

I believe this has something to do with the return code - but I am not an expert in this area.

If it is a custom report you might be able to change the return code.

Try looking at a report developed via SAP Query (SQ01) in a trace - with the desired authorisations as this should work. You might be able to work backwards from there to get your answer.

Hope some of the above helps

roro535
Posts: 14
Joined: Thu Dec 08, 2005 3:12 pm

Post by roro535 » Fri Feb 16, 2007 9:41 am

Thanks for the reply MikeNZ, but we have a report developed using SQ01 with logical database PNP and it gives us the same error: "No authorization for infotype 0008".

The funny thing is if we do not put in the infotype "0008" in the P_PERNR (inftyp) field, this is when we get this error. If we put infotype 0008 in P_PERNR, we do not get this error and it allows the user to see infotype 0008's data even though it is missing from P_ORGIN. It's like P_PERNR controls it all.

I know this isn't right, but we are all stumped.

Just to re-iterate, we don't want a hard error, we want the user to still be able to run the report, but just not see 0008 data.
