SAP HR Security

-----Original Message-----
Subject: HR Security

We have created a user role which has access to tCodes PA10 and PA20 so users can see their own PA Master Data, a "see self" type of role. It uses P_PERNR security object. We also are using the CATS functionality in which a role can enter someone else's time. This CATS role requires access to the P_ORGIN security object with access to ALL employees PA Master Data. (Since this CATS role doesn't have access to PA10 or PA20, he/she cannot "see" their data directly, but can execute the business process of time entry.) However, when the two roles are assigned to a user, the user account now has authorization to execute PA10/PA20 ("See Self" role) and access to all PA Master Data ("Time Entry" role), with the result that the Time Entry role can see EVERYONE'S PA Master Data. Can anyone suggest a solution? Has anyone implemented Employee Self Service (ESS) and CATS? Is this simply a limitation of SAP's HR Security due to their (grossly) inadequate set of security objects? 

-----Reply Message-----
Subject: RE: HR Security

Have you checked out OSS note 130035? It gives a pretty good explanation of the interaction between P_PERNR and the other PA authorization objects, along with instances where conflicting definitions can result in undefined authorizations.

-----Reply Message-----
Subject: RE: HR Security

Hello,

Of course you know that typically when you have granted half the access in one profile (the data access to see other personnel numbers) and half the access in another profile (transactional access to see personnel data: PA10/PA20), the result is that the person will see other people's data. The easiest solution is separate user IDs for the internet access and the SAP access. But that is kinda stupid, so here are two other possibilities.

I am going to assume that you tested it, and that it is working the way you described it. That means, that you changed the switches in MPPAUTSW and that you populated table T513A, right? 

Solution 1.
Easiest is to create a separate transaction for access to a person's own information. This is not much work, since you basically can piggyback on transaction PA10. You can write the ABAP (or ask an ABAP-er) to apply the following logic:

DATA pernr_id TYPE persno.

* Find the personnel number linked to the user running the report
SELECT SINGLE pernr FROM t513a INTO pernr_id
  WHERE bname = sy-uname.
IF sy-subrc <> 0.
  MESSAGE 'No personnel number assigned to this user' TYPE 'E'.
ENDIF.

* Hand the personnel number to PA10 via parameter ID PER, then start the
* transaction without its initial screen so the number cannot be changed
SET PARAMETER ID 'PER' FIELD pernr_id.
CALL TRANSACTION 'PA10' AND SKIP FIRST SCREEN.

Basically what this does is find the personnel number of the user ID that is running the report and populate the personnel number for this person, without giving the option to change it (skip first screen).

Solution 2.
This will be more trial and error. But in the CATS profile, also specify option I for the P_PERNR object. I know, now this person cannot enter time for someone else. So, include the object P_ABAP as well. This object allows for some (yes, mostly undocumented) 'simplification' of the logical database access. What you have to find out is the technical names of the reports that SAP uses to process the CATS. System --> Status will be your help. Specify these report name(s) in P_ABAP, with option 1 or 2. See if it works. If not, you may have forgotten a report; see if SU53 helps you.

-----End of Message-----
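The role-merge effect the thread describes, as an added example that is not part of the original thread and not SAP code: a simplified model of the P_PERNR/P_ORGIN check in which a user's authorizations are the union of all assigned roles, P_PERNR is consulted first for the user's own personnel number (an E entry assumed to override an I entry), and P_ORGIN decides everything else. The role contents, personnel numbers and the CAT2 transaction code are constructed for illustration.

```python
# Simplified model of SAP HR authorization checks for P_PERNR and P_ORGIN.
# Constructed example for this thread, not SAP code. Assumed semantics:
#  - a user's authorizations are the union of all assigned roles;
#  - for the user's own personnel number P_PERNR is consulted first and an
#    E (exclude) entry overrides an I (include) entry;
#  - if P_PERNR does not decide, or the target is another employee, P_ORGIN decides.
from dataclasses import dataclass, field


@dataclass
class Role:
    tcodes: set                                   # S_TCODE values
    p_orgin: list = field(default_factory=list)   # (INFTY, PERSA, AUTHC)
    p_pernr: list = field(default_factory=list)   # (PSIGN, INFTY, AUTHC)


def merge(*roles):
    """A user's effective profile is the union of the assigned roles."""
    return Role(tcodes=set().union(*(r.tcodes for r in roles)),
                p_orgin=[a for r in roles for a in r.p_orgin],
                p_pernr=[a for r in roles for a in r.p_pernr])


def _m(value, pattern):
    return pattern == "*" or value == pattern


def can_read(profile, tcode, own_pernr, target_pernr, infty, persa):
    """True if `profile` may start `tcode` and read `infty` of `target_pernr`."""
    if tcode not in profile.tcodes:
        return False
    if own_pernr == target_pernr:
        hits = [ps for ps, it, ac in profile.p_pernr if _m(infty, it) and "R" in ac]
        if "E" in hits:          # exclusion of own record wins
            return False
        if "I" in hits:          # inclusion of own record grants access
            return True
    # other employees (or an undecided own record): P_ORGIN decides
    return any(_m(infty, it) and _m(persa, pa) and "R" in ac
               for it, pa, ac in profile.p_orgin)


# Constructed roles mirroring the thread; CAT2 is assumed as the CATS transaction.
SEE_SELF = Role(tcodes={"PA10", "PA20"}, p_pernr=[("I", "*", "R")])
TIME_ENTRY = Role(tcodes={"CAT2"}, p_orgin=[("*", "*", "RW")])
BOTH = merge(SEE_SELF, TIME_ENTRY)


def demo(me="00001001", colleague="00002002"):
    """Who can display infotype 0002 (Personal Data) via PA20 for whom."""
    return {"see_self_own": can_read(SEE_SELF, "PA20", me, me, "0002", "1000"),
            "see_self_other": can_read(SEE_SELF, "PA20", me, colleague, "0002", "1000"),
            "time_entry_pa20": can_read(TIME_ENTRY, "PA20", me, colleague, "0002", "1000"),
            "both_other": can_read(BOTH, "PA20", me, colleague, "0002", "1000")}
```

Only the merged profile answers True for a colleague's record: each role on its own is safe, and the exposure comes from the union, which is why Solution 1 moves the self-display into its own transaction instead of relying on PA20's authorization values.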


All the site contents are Copyright © www.erpgreat.com and the content authors. All rights reserved.
All product names are trademarks of their respective companies. The site www.erpgreat.com is in no way affiliated with SAP AG.
Every effort is made to ensure the content integrity. Information used on this site is at your own risk.
The content on this site may not be reproduced or redistributed without the express written permission of www.erpgreat.com or the content authors.