This website is not affiliated with, sponsored by, or approved by SAP AG.

HR roles - P_ORGIN

SAP Security

Moderators: Snowy, thx4allthefish, jurjen

HR roles - P_ORGIN

Postby stlai » Thu Aug 18, 2011 2:31 am

I have list of HR security roles assigned to one user.
Each of the HR security roles with P_ORGIN object. When I want to grant
a new personnel area to that user - normally I update all the roles
assigned to him with the new personnel area - to ensure all roles
updated with new personnel area.
To limit the future maintenance, can I go into each of the HR roles and
deactivate the P_ORGIN object, then create a blank role with few P_ORGIN
objects and enter all the P_ORGIN value - some with R,M, for specify IT, some with full access in specify IT. This way, I will consolidate
P_ORGIN maintenance and easier to limit master data access.
(continue to assign all the HR roles which with P_ORGIN deactivated -
ensure all access like S_TCODE, REPORTING tools, BASIS transaction still there, and
assign together with the newly created blank role with all the P_ORGIN value).
Please let me know if this workable or advisable.

Thanks in advance
Posts: 9
Joined: Wed May 03, 2006 11:01 pm

Re: HR roles - P_ORGIN

Postby Count » Thu Aug 18, 2011 6:12 pm

am not a security guy and the question you asked can be answered with both a yes and a no based on various criteria,.. but one small value add I can suggest is:
try using p_orgxx for non-admin-type of users and limit the assignment of p_orgin to them altogether,.. couple that with role assignment via org-structure and you could wipe-out a major chunk of day-to-day role maintenance work....

but then again you know your requirements best,.. so .. choose your poison wisely.


cognosce te ipsum, corripe cervisiam ;)

Posts: 1373
Joined: Thu Feb 15, 2007 6:28 am

Return to SAP Security

Who is online

Users browsing this forum: No registered users and 2 guests

This website is not affiliated with, sponsored by, or approved by SAP AG.