This website is not affiliated with, sponsored by, or approved by SAP AG.

Access to View Non-Payroll-Relevant Employees

SAP Security

Moderators: Snowy, thx4allthefish, jurjen

Access to View Non-Payroll-Relevant Employees

Postby GlossopGirl » Mon Jun 27, 2011 3:13 am

We currently have a situation in our production system resulting from part of the company being sold off. The decision has been made to continue to allow HR/Payroll to be done in the current SAP system. Each employee has been given a new Personnel Number. They are retaining their positions. Its all date driven (somehow!).

Anyhow - the issue at the moment is the dates have changed for the move to the new company.

The employees are currently "non-payroll-relevant".

Could anyone tell me the rules around the authorisations relating to "non-payroll-relevant" employees?

We have HR Administrators who currently can't see these employees. I think there may be more to this around the dates they occupy their positions and the structural access. But I'd like to check this part of it too. Just in case.

Thank you.
GlossopGirl
 
Posts: 9
Joined: Fri Dec 03, 2010 5:11 am

Re: Access to View Non-Payroll-Relevant Employees

Postby Count » Tue Jun 28, 2011 10:38 pm

your question lacks in clarity so let me make a few assumptions and try and base my answer on those assumptions.
assumptions:
1. part of company sold but decision made to run hcm still & date driven new employee numbers with current positions = those employees who got new pernr are now in a different company code.

so if the above is correct, the lack of visibility could potentially be due to the non-inclusion of the new company code within the authorisation matrix of hr-related-auth-objects.
why dont you do a small test? ask one of your hr admin to try to access one of those culprit 'non-payroll' employee in pa30, he/she should get a nice looking error saying there i s a lack of authorisation. then get him/her to do a /nsu53 and take it to your security consultant for analysis.
case closed.
-------------------------------------------

Count
cognosce te ipsum, corripe cervisiam ;)

Dictator-for-life-of-the-Tuly-Idiot-Order
http://www.sapfans.com/forums/viewtopic.php?t=287109
-------------------------------------------
Count
 
Posts: 1373
Joined: Thu Feb 15, 2007 6:28 am

Re: Access to View Non-Payroll-Relevant Employees

Postby GlossopGirl » Thu Jun 30, 2011 2:00 am

Sorry. I think I may have overcomplicated what I was really trying to find out. Unfortunately (or fortunately), the OFT has intervened and put back the sale a month.

I was really wanting to know about any checks around Payroll Area - These "non-payroll-relevent" employees have a payroll area of "99". My understanding is that you cannot secure based on payroll area.

The HR Admin had access to these employees structurally and to the PERSA and emp subgrp which are the fields we use to secure against. But they still couldn't see them. I confess I didn't ask for the SU53. Basic School Girl Error! I immediately saw they were in the "99" payroll area and from previous rollouts thought the issue was around this.

As their access is for data validation checking, I do have the go ahead to give them support roles with wide ranging access for a couple of days. But I am still curious as to why users cannot see anyone in a payroll area of 99 and how that actually works. I know before Go Lives all the employees are dataloaded with the 99 and this switches over to the correct payroll area on the start date. They then become visible with the normal checks.

Thanks.
GlossopGirl
 
Posts: 9
Joined: Fri Dec 03, 2010 5:11 am

Re: Access to View Non-Payroll-Relevant Employees

Postby Count » Thu Jun 30, 2011 5:19 pm

hmm I still cannot confess that I understand you completely,... but since you seem to have an issue with payroll area, I would suggest you check out the auth-object p_pcr that could be the culprit if your problem is to do with payroll area.

now I need to get back to my guinness :mrgreen:
-------------------------------------------

Count
cognosce te ipsum, corripe cervisiam ;)

Dictator-for-life-of-the-Tuly-Idiot-Order
http://www.sapfans.com/forums/viewtopic.php?t=287109
-------------------------------------------
Count
 
Posts: 1373
Joined: Thu Feb 15, 2007 6:28 am


Return to SAP Security

Who is online

Users browsing this forum: No registered users and 3 guests





This website is not affiliated with, sponsored by, or approved by SAP AG.