Invoking HR Master Data (P_ORGIN) authorization check for transaction PCP0

Hello,
We have to limit access to executives' (managers') sensitive posting data in transaction PCP0 (display posting runs).
Since executives belong to a personnel area other than all other employees, I thought we can achieve this by personnel area distinction.
In order to have this done, a P_ORGIN authorization check should be performed.
It looks like, by standard, such a check is not performed.
Does anyone have any experience of dealing with this issue?
Thanks,
Isaac

Hi,
I have a vague idea.
I remember while creating an ESS user, we did something in P_ORGIN so as to restrict access to personnel master data.
Check the composite role: SAP_EMPLOYEE_ERP.
A Z role was created for SAP_EMPLOYEE_ERP => the corresponding roles in it had to be copied to a Z role.
Check the Z role created: zSAP_ESSUSER_ERP.
In the Authorizations tab => Display authorization data option =>
Expand Human Resources.
In HR: Master data, you can find the various authorization assignments to P_ORGIN, where:
• Authorization level (AUTHC)
• Infotype (INFTY)
• Personnel Area (PERSA)
• Employee Group (PERSG)
• Employee Subgroup (PERSK)
• Subtype (SUBTY)
• Organizational Key (VDSK1)
Authorization level (AUTHC) takes the values :
• R (Read) for read access
• M (Matchcode) for read access to input helps (F4)
• W (Write) for write access
• E and D (Enqueue and Dequeue) for write access using the Asymmetrical Double Verification Principle. E allows the user to create and change locked data records and D allows the user to change lock indicators.
• S (Symmetric) for write access using the Symmetric Double Verification Principle
• * always includes all other authorization levels simultaneously
In your case, if someone has to make changes through PPCO, it's equivalent to making changes to infotype 0001 (Organizational Assignment).
So, probably, you need the Authorization level set to R for Infotype 0001.
I have no personal hands-on experience on this, since we are not allowed to do anything Basis.
I have seen this being done and have noted what was done! May or may not be correct!
I hope this is what you want.
Cheers and Good Luck!!
Remi

Similar Messages

  • Disabling authorizations checks for transactions SU53 and/or SU56.

    Greetings.
    I seem to remember reading that there was either a system profile parameter or a table entry that can be used to disable all authorizations checks for transactions SU53 and/or SU56.
    Any truth in this or is my mind playing tricks on me?

    Hi,
    I guess there is a profile param auth/tcodes_not_checked (I guess that's right); this will exclude SU53/SU56 from checks on transaction code.
    This can be done using RZ10 and you need to restart the system.
    Rakesh

  • Remove Authorization check for transactions VF03, FB03 and MIR4

    Hi,
    We are using call transaction in a BADI. When we are calling through the BADI, authorisation checks should not happen and any user should be allowed to view the documents for the T-codes VF03, FB03 and MIR4 depending on document type.
    Early response is appreciated.
    Thanks,
    Raju

    Hi,
    Confirm with the Basis team regarding the profile in which the particular authorization object is used.
    Either inactivate that one or make an auth. object as per your requirement and assign it to a role and then to the user profile.
    Check out se54, 24, pfcg.
    Regards
    ricky

  • Authorization checks for bank account number in vendor master

    I am trying to find a way to set up authorization checks for specific fields in the vendor master: LFBK-BANKL, LFBK-BANKN, LFBK-EBPP_ACCNAME and LFBK-EBPP_ACCNAME. I am trying to set it up so that if you have access to transactions FK03 or XK03, you can view vendor master data except for the above fields.
    Does anyone know of a way to accomplish this? Your help will be greatly appreciated.
    Thanks
    -Peru

    Hi Peru,
    To suppress a field in FK03 you will have to check
    Financial Accounting (New) > Accounts Receivable and Accounts Payable > Vendor Accounts > Master Data > Preparations for Creating Vendor Master Data > Define Screen Layout per Activity (Vendors)
    and in that, Display Vendor (Accounting) for FK03 and Display vendor (centrally) for XK03.
    But the bank account number is not there.
    Moreover, there are no authorization objects for all the fields that you gave.
    So try creating a screen variant / transaction variant in SHD0.
    Regards,
    Kiran

  • Bypass P_orgin auth check for standard MSS reporting

    Hi SAPers,
    on my HR system, I have 2 types of users : ESS/MSS users (via portal) and backend users (via sapgui).
    ESS/MSS role does not contain any P_ORGIN authorization because it should be added to their authorizations if they are also backend users.
    The problem is coming from standard MSS reports: the "time statement overview", among other reports, needs P_ORGIN (IT 0, 1, 2, 7, 8, ...)!
    Is there a way to bypass the standard authorization check for MSS reports ?
    Thanks in advance,
    Olivier.

    Olivier TACA wrote:
    > Example :
    >
    > Portal Role for ESS user contains P_ORGIN for IT 0006 (Address)
    >
    > Backend Role for backend user contains P_ORGIN for IT 0002 (Personal data) ... and S_TCODE for PA30 of course.
    >
    > The backend user, who is also an ESS user, can manage IT 0006, which is not foreseen in the backend role.
    >
    > I use P_PERNR for the portal role to manage access to infotype.
    I see two issues here:
    1. ESS is NOT set up correctly.
    - You don't need P_ORGIN for ESS.  You only need P_PERNR.  The trace might even show an error looking for P_ORGIN but you do not need it.  This is an example of a role I have using ESS services for addresses.  I don't have P_ORGIN, P_ORGINCON or P_ORGXXCON.  Do NOT use PA30 for ESS, that is very dangerous.  The ESS services can be added to a role and should be used for ESS.
    Here is an example of what I have:
    Manually   HR: Master Data - Personnel Number Check   P_PERNR
    Manually   Address Change - Permanent and Emergency
         Authorization level              D, E, M, S, W   AUTHC
         Infotype                         0006            INFTY
         Interpretation of assigned per   I               PSIGN
         Subtype                          *               SUBTY
    2. MSS - I can't find the service for the report you are looking for.  If you provide the MSS service I can run some traces and probably help you isolate your problem.  Example of an MSS service (sap.com/mss~pla/PlanningPrimaryCosts).
    I hope I didn't sound too harsh; I am just trying to help.
    Regards,
    -John N.
    Edited by: John Navarro on Aug 5, 2008 5:46 PM

  • Direct database data access without data level authorization check

    Hello,
    My customer raised an issue about direct database data access. Due to the customer's strong security policy, it shouldn't be allowed.
    To prevent this kind of illegal data access, the customer asked me to list all the possibilities to display data without a data level authorization check.
    The things I have in mind are:
    SQL Command Editor (for Oracle based system) : ORASPACE, DB02, ST04
    Query Based : SQVI (Quick Viewer), SQ01/SQ02/SQ03 (SAP Query)
    Data Browser : SE11, SE12, SE16, SE16N, SE17
    Table Maintenance : SM30
    Function Module : RFC_READ_TABLE
    Function Module : DB_EXECUTE_SQL (DML)
    Does anyone know of anything which is not listed above?
    Thanks

    Hi,
    Generally in production, users should not be given all these authorizations.
    Ram.

  • Authorization check for production order settlement

    Hi All,
    Production order settlement currently can be done by any user of any company code. There is a high risk involved in this, since unauthorized postings may happen. Hence we need to add an authorization check for production order settlement. Can we maintain this at the plant or the company code level?
    Waiting for your replies. Thanks in advance!
    Regards,
    Aman Goel

    Hi,
    What Venki has told you about the exit is absolutely correct. Even I have used the same exit.
    •     From table CAUFV pick Material(PLNBEZ),Basic Start Date(GLTRP),Plant(WERKS) .
    •     Pass parameter Material(PLNBEZ) and Plant(Werks) in table MBEW in respective fields i.e. Material(MATNR) and Plant(WERKS).
    •     Pick the latest record for the current period(LFMON) and year(LFGJA).
    •     Pick Product Cost Estimate number(KALN1) from the record and pass it to table KEKO.
    •     Check if Production Order Basic Start Date(GLTRP)<= BIDAT, if NO post Error Message.
    This is the FS for exit PPCO0007.
    Reward if useful
    Amit

  • Authorization Check For Pricing Reference Material In VA01 & VA02

    Hi Expert, 
    The user has requested an authorization check for the pricing reference material in the line item in VA01/VA02. Currently SAP does not have any authorization check for the pricing reference material field at line item level in VA01/VA02.  Is there any standard authorization object for this purpose, or do we need to use a user exit to do this check, i.e. if the pricing reference material entered does not belong to the sales org as entered in the sales header data, then the system will issue a warning/error message?  What will be the standard user exit routine if there is no standard authorization object for this purpose?
    Thanks.
    Regards,
    Tay
    Edited by: Hung How Tay on May 13, 2010 2:48 AM

    Hi,
    Try below in MV45AFZB
    USEREXIT_SOURCE_DETERMINATION
    Best regards,
    Anupa

  • Authorization check For T code

    Hi everyone,
    Can anybody guide me in setting an authorization check for a particular Tcode?
    I have a Z table where users are assigned particular numbers.
    I want the users who are assigned some numbers to be able to use this particular Tcode.
    Thanks in advance

    Hi,
    Check this out:
    AUTHORITY-CHECK
    Basic form
    AUTHORITY-CHECK OBJECT object
        ID name1  FIELD f1
        ID name2  FIELD f2
        ID name10 FIELD f10.
    Effect
    Explanation of IDs:
    object: Field which contains the name of the object for which the authorization is to be checked.
    name1 ... name10: Fields which contain the names of the authorization fields defined in the object.
    f1 ... f10: Fields which contain the values for which the authorization is to be checked.
    AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
    You must specify all authorizations for an object and also a value for each ID (or DUMMY).
    The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
    If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
    If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
    The return code value changes according to the different error scenarios. The return code values have the following meaning:
    4: User has no authorization in the SAP System for such an action. If necessary, change the user master record.
    8: Too many parameters (fields, values). Maximum allowed is 10.
    12: Specified object not maintained in the user master record.
    16: No profile entered in the user master record.
    24: The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
    28: Incorrect structure for user master record.
    32: Incorrect structure for user master record.
    36: Incorrect structure for user master record.
    If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
    Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
    Note
    Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
    The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
    Example
    Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
    Table OBJ: Definition of authorization object
    M_EINF_WRK
       ACTVT
       WERKS
    Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
    M_EINF_WRK_BERECH1
       ACTVT 01-03
       WERKS 0001-0003
    can display and change plants within the Purchasing and Materials Management areas.
    Such a user would thus pass the checks
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
        ID 'WERKS' FIELD '0002'
        ID 'ACTVT' FIELD '02'.
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
        ID 'WERKS' DUMMY
        ID 'ACTVT' FIELD '01'.
    but would fail the check
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
        ID 'WERKS' FIELD '0005'
        ID 'ACTVT' FIELD '04'.
    To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY, as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
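
An added example (not part of the thread and not SAP code): a simplified Python model of the evaluation rules quoted in the reply above, showing that values are AND-ed inside one authorization and never combined across authorizations. The users other than the M_EINF_WRK one, the personnel area codes and all helper names are constructed; the P_ORGIN field names are the ones listed in the first thread on this page.

```python
# Added illustration: a simplified model of how AUTHORITY-CHECK evaluates a
# user's authorizations. Not SAP code; ranges are compared as plain strings
# and fields not passed to the check are treated like DUMMY.
DUMMY = object()  # models "ID name DUMMY": the field is skipped


def value_allowed(allowed, value):
    """allowed is a list of '*', single values, or (low, high) ranges."""
    for entry in allowed:
        if entry == "*":
            return True
        if isinstance(entry, tuple):
            if entry[0] <= value <= entry[1]:
                return True
        elif entry == value:
            return True
    return False


def authority_check(user_auths, obj, **ids):
    """Return the modelled SY-SUBRC (0, 4, 8 or 12) for one check."""
    if len(ids) > 10:
        return 8                       # too many fields in the call
    auths = user_auths.get(obj, [])
    if not auths:
        return 12                      # object not in the user master record
    for auth in auths:                 # authorizations are OR-ed
        if all(v is DUMMY or value_allowed(auth.get(f, []), v)
               for f, v in ids.items()):   # fields are AND-ed
            return 0
    return 4


# The user from the M_EINF_WRK example in the reply above.
PAGE_USER = {"M_EINF_WRK": [
    {"ACTVT": [("01", "03")], "WERKS": [("0001", "0003")]},
]}

# Constructed user: two authorizations for the same object.
TWO_AUTHS = {"M_EINF_WRK": [
    {"ACTVT": [("01", "03")], "WERKS": [("0001", "0003")]},
    {"ACTVT": ["03"], "WERKS": ["0005"]},
]}

# Constructed user for the P_ORGIN question: read access to infotype 0001,
# limited to personnel area "1000" (area codes here are made up).
STAFF_CLERK = {"P_ORGIN": [
    {"AUTHC": ["R", "M"], "INFTY": ["0001"], "PERSA": ["1000"],
     "PERSG": ["*"], "PERSK": ["*"], "SUBTY": ["*"], "VDSK1": ["*"]},
]}


def run_examples():
    chk = authority_check
    return {
        "page_pass": chk(PAGE_USER, "M_EINF_WRK", WERKS="0002", ACTVT="02"),
        "page_dummy": chk(PAGE_USER, "M_EINF_WRK", WERKS=DUMMY, ACTVT="01"),
        "page_fail": chk(PAGE_USER, "M_EINF_WRK", WERKS="0005", ACTVT="04"),
        # 0005 is in one authorization and 02 in the other: still rejected.
        "no_mixing": chk(TWO_AUTHS, "M_EINF_WRK", WERKS="0005", ACTVT="02"),
        "same_auth": chk(TWO_AUTHS, "M_EINF_WRK", WERKS="0005", ACTVT="03"),
        "own_area": chk(STAFF_CLERK, "P_ORGIN", INFTY="0001", AUTHC="R", PERSA="1000"),
        "other_area": chk(STAFF_CLERK, "P_ORGIN", INFTY="0001", AUTHC="R", PERSA="2000"),
        "no_object": chk(PAGE_USER, "P_ORGIN", INFTY="0001", AUTHC="R"),
    }


if __name__ == "__main__":
    for name, subrc in run_examples().items():
        print(f"{name}: SY-SUBRC = {subrc}")
```
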

  • How can I remove this extra authorization check for dynamic parameters

    Hello expert,
    I created new dynamic hierarchical parameters as "client-->policy" in Crystal Reports. These parameter values are coming from a physical table. The other part of the report extracts data by an Oracle procedure. When I ran this report in the client, everything was OK, but when I schedule it or run it in InfoView, I need extra authorization to access these dynamic parameters, even though this is not needed for accessing other parameters. How can I remove this extra authorization check for dynamic parameters?

    Hi
    Open the Crystal designer, edit the parameter, and in the prompt window at the existing option you can find the LOV name.
    Open the Business View Manager, find that prompt name in the "Repository Explorer" window and select that parameter, right-click that parameter, select edit rights, and provide rights for your user name in that window.
    --Naga

  • Master Data Services Add-in for Excel Issue

    I am trying to configure MDS on the production server. I am running into issues.
    (I was able to do the whole process successfully on my local system. Versions are the same on the local machine and the server; the only difference is that the local machine is Windows 7 and the server is Windows 2008 R2.)
    I have installed SQL Server 2012 Enterprise Version SP1. I am able to browse the MDS URL. The user has got full permissions. When I try to access MDS via Excel I get the below error.
    Can anyone help me please? I have spent days on this without any joy.
    Error message
    TITLE: Master Data Services Add-in for Excel
    An error occurred while receiving the HTTP response to
    http://MYIPADDRESS/mds/service/service.svc/bhb. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See
    server logs for more details.
    ADDITIONAL INFORMATION:
    The underlying connection was closed: An unexpected error occurred on a receive. (System)
    Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. (System)
    An existing connection was forcibly closed by the remote host (System)
    BUTTONS:
    OK
    Bn

    I have finally found a solution for this problem!  Every time I opened Excel (unless I ran as administrator) I would have to activate the MDS add-in; this was time-consuming and annoying. It seems like there was no solution posted online anywhere! Well, after much aggravation, I have finally found a solution:
    Fixing the Microsoft MDS Excel Add-In so it Stays Enabled
    Press the Start button (Windows button)
    In the search bar type “REGEDIT”
    Open regedit.exe
    A pop-up will ask permission for the Registry Editor to make changes to the computer, select Yes.
    In the Registry Editor expand HKEY_CURRENT_USER
    In the HKEY_CURRENT_USER folder, expand in the following order:  Software -> Microsoft -> Office -> Excel -> Addins
        Select Microsoft.MasterDataServices.ExcelAddIn
    Double-click on LoadBehavior in the right panel
        In the Edit Value popup, change the value to 
    Press OK
    Exit the Registry Editor
    The excel add-in should now be active anytime you open Excel. If multiple errors occur while using the add-in, the Load Behavior may change back to 0.  If that occurs simply follow these steps so the add-in will be active when Excel starts up.
    I hope this helps some of you avoid the long hours of trying to find a solution to this silly problem.
    Cheers!
    Tony

  • Authorization checks for PNP LDB

    Question: how to validate authorization checks for the PNP logical database?
    2nd question: HR report.
    This report is basically for a salary survey. In this I have so many fields; can anybody let me know how
    I can form the internal tables? I have to display 150 fields overall in a CSV file, so
    how can I take them into the final internal table?
    What is the logic behind this:
    T71JPR09-JOBCODE
    PA0000-PERNR
    HRP1000-STEXT
    P0006-PSTLZ
    PA0008-ANSAL * 100 / PA0008-BSGRD
    PA0015-BETRG
    PA0761-LTEXT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
    PA0761-GRADT  WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
    PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
    PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
    I have entries like that.
    Please give me the steps for how I can proceed.

    Hi,
    The PNP database will take care of the authorization check. It will not execute if the user does not have authorizations.
    Hope this helps.

  • Create authorization check for a report

    Hi,
    I need to create an authorization check for a report. It means that I need to restrict the usage of the report to a couple of users ('USER1' and 'USER2'). How can I do that? I read through a lot of threads regarding this, got a bit confused and got stuck while creating the authorization object.
    Say the report name is ZHR_TIMEABC.
    Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
    Thanks in advance,
    VG

    Hi,
    Thanks. Here is my understanding: S_C_FUNCT calls a system generated function module to make an authority check. So, if different users, say USER1 and USER2, have different authorization levels defined in their user profile, will just adding this piece of code take care of the authorization check for the program, OR do I need to take care of something else?
    If so, when do we need to create the authorization objects using SU20, assign the group and follow this process? When do we use this approach (a lot of threads on authority check have mentioned this procedure)?
    Your inputs will be helpful to understand this concept.
    Thanks,
    VG

  • Authorization Check for Special Stock Indicator in IE02

    Dear Gurus,
    Would like to check with you if there is an authorization check for change in Special Stock Indicator in IE02-SerData Tab?
    For example, the User will only be allowed to change the Special Stock Indicator only to "E" - Sales Order.
    Would appreciate your help.
    Thanks.

    Hi,
    This cannot be done by using a standard auth object. Standard SAP doesn't support control via this field.
    Take the help of your ABAP team and create a customized authorization object "Z_OBJECT" with field SOBKZ, which checks this field value in table EQBS. Assign this auth object to the role and profile you want.
    Use the user exit IEQM0003, Additional checks before equipment update. Give it logic to check the auth object when using the equipment change tcode.

  • Authorization check for a program/table

    Hi ,
    Can anyone help me out in
       How to do authorization check for an abap program and also a table.
       I have no idea about the authorizations.
    My requirement is that I need to do the authorization check in such a manner that only users having a certain profile
    1. should be able to execute the program
    2. View of the entries of the table.
    Thanks & Regards,
    Keerthi

    Hello Keerthi,
    I got you wrong at first!
    If you want to have only certain users able to do certain operations, then you need to assign the appropriate roles to those users!
    First, find the role.
    Second, add the user to the role (PFCG T code ---> Users tab).
    Raj
