Authorization 0008

Hi,
How to block the infotype 0008 in order to make any changes to it? Explain to me in detail.
Thanks in advance
Rupa Prasad

Hi,
Security Consultant has to block the IT number in a HR role and assign it to the users.
Good luck

Thanks,
Amosha

"Known is a drop & unknown is an OCEAN!"

Similar Messages

  • Authorization for Infotype 0008

    Dear Experts,
    I am new for SAP HR module, and I am facing one authorization issue.
    It is about the PA30 authorization for Infotype 0008, I want to restrict user ( ext_test) who can change Infotype 0008 for person ID 44000156, Employee group 1, Employee subgroup EP(ETXAT).
    And I create the role for T-code PA30.
    In the P_ORGINCON object, I configure the activity as following :
    Authorization level      E, R, S     AUTHC
    Infotype                 0008        INFTY
    Personnel Area           *           PERSA
    Employee Group           1           PERSG
    Employee Subgroup        EP          PERSK
    Authorization Profile    *           PROFL
    Subtype                  ' ', 0      SUBTY
    Organizational Key       *           VDSK1
    But when I execute PA30 with person ID 44000156, and want to change Infotype 0008, It shows that I miss the authorization.
    The result of SU53 are
    Authorization level      E
    Infotype                 0008
    Personnel Area           *
    Employee Group           *
    Employee Subgroup        *
    Authorization Profile    *
    Subtype                  0
    Organizational Key       *
    I don't know why it asks for the * authorization for Employee group and subgroup even though I want to change data that fits my created authorizations.
    Could anyone give me some advice?

    Dear Amamath,
    Employee group is 1 (Direct), and subgroup is EP ( Expat).
    I don't know if it is possible if I want to restrict the authority as following:
    I have two person ID, one is 44000156, the other is 44000246.
    44000156 has Employee group 1(Direct) and subgroup EP(Expat)
    44000246 has Employee group 2(Indirect) and subgroup 3(Management)
    I want to restrict the authority that end user can only change Infotype 0008 for the person which subgroup is EP ( No matter the Employee group is 1,2, or 3).That is , in this case, I can only change 44000156 basic pay but not 44000246.
    So in the P_ORGINCON object, I restrict the Authorization level as "E, M, and R"; Infotype as "0008"; and subgroup as "EP".
    After that, I did the test with the end user's account. Then SU53 shows that it needs to have Employee subgroup = "*".
    I don't know why it needs the * authority for Employee subgroup. I should be able to change 44000156 since I granted the subgroup "EP" to the end user account.

  • Authorization on 0008 Infotype

    Hello experts,
    I have scenario regarding the Authorization of infotype 0008 - Basic Pay.
    We have two users, and the client wants that the Level 2 user cannot see the salary part (0008 IT) of Director level employees.
    Director's E subGrp is DR and Payscale group is DR.
    So, how should I do it?
    -Jagdish

    Hi
    Do not give authorization for the employees whom you do not want to by structural authorization.
    R K

  • RPTQTA00 demands 0008 authorization

    Hi,
    There is a report called RPTQTA00 which generates sick leave quota for employees.
    But at the time of execution it demands IT0008 authorization.
    Here the situation is like this:
    We don't want to give IT0008 to our leave user since it stores basic salary, which our policy doesn't allow, but we want our leave user to be able to execute this report.
    Please suggest how to execute this report without hitting IT0008.

    You can look for references on AUTHORIZATION OBJECT P_ABAP. This object allows you to skip authorizations for a particular report.

  • Infotype -0008 (Changes)

    Hi,
    The query was if any changes are made in Infotype 0008 by any user, if he has authorization for PA30, to change or delete etc.
    The client wants an email to be generated if any changes are made to Infotype 0008, and that mail has to go to the respective head.
    Any standard report or any customization step, please tell.
    Regards,

    Try Dynamic Actions. Go to SM30 --> t588z --> Maintain.
    Enter:
    Itype : 0008
    Fieldname : Any infotype field in IT0008 whose change has to trigger a mail
    FC: Choose function code 2 digits as required (press F1 on the field for further information)
    No: Enter a sequence number
    S: Choose M(Send Mail)
    Variable Function part : Trigger Feature name - Ex. M0001 (press F1 on the field for further information)

  • Authorization and moving employes to another organizational assignment

    Hello! I have a big problem with authorization.
    Lately some employees have been moved from one organizational assignment to another organizational assignment.
    After moving I prepared the user and the role for this user so that he will be able to read infotype records for employees in the organizational assignment where they were moved.
    And now I have a big problem because this user can read data of employees in the current organizational assignment and also data of these people in the old organizational assignment, though I didn't give him authorization for this old organizational assignment.
    I checked the view of table V_T582A and there in infotypes 0001, 0007, 0008, in the details, the field "Access auth" was checked, so I executed tests with this field unchecked. But this test wasn't successful.
    In table T77S0 I have the following settings for AUTSW:
    AUTSW     ADAYS            15
    AUTSW     APPRO     0
    AUTSW     NNNNN     0
    AUTSW     ORGIN     1
    AUTSW     ORGPD     0
    AUTSW     ORGXX     0
    AUTSW     PERNR     1
    AUTSW     VACAU
    I changed them but the tests also weren't successful.
    Please help me, where can the error be? Now I don't know
    where I can look for the solution to this problem.
    In my company we have the system:
    46C
    SAPKE46CB0
    the latest note: LCP CE 74
    Thank you very much if anyone helps me.

    Hello Marta,
    yes, the behaviour is correct. The old one can not see the new data but the new one the old. It's like a personal file where the new manager has access to and the old only knows what was entered up to the end of his responsibility.
    This little "picture" always helps me.
    Please go to:
    http://service.sap.com/erp-hcm
    On the left side click:
    Services for mySAP ERP HCM
    - Special Documentation
    In the document "Authorizations in mySAP HR (4.6C)" from page 70 chapter "4.4 Process of Time Logic" describes the behaviour in detail.
    Hope to help,
    Michael

  • How to use authorization object P_PERNR ?

    Hi, Gurus~
    In our system, there is a user whose User ID is "00041", and she can modify her own 0008. We want to control it so that she can only display her own 0008, but process 0008 for all other employees.
    So, I use the authorization object P_PERNR to do this. I set the field values like this (totally copied from the SAP help for P_PERNR....):
    Authorization level:  W,S,D,E
    Infotype: 0008
    Interpretation of assignment personnel number: E
    Subtype: *
    And then, I maintain her master data 0105's subtype 0001 (system user name) as 00041.
    I think she shouldn't be able to maintain her own 0008 now, but she still can maintain it.
    I want to know why and how to solve it. Did I do it in the right way?
    Thank you in advance!

    P_PERNR   HR: Master Data - Personnel Number Check
    You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
    The following values are possible for the PSIGN field:
    I   =          Authorization for personnel number assigned, that is for own personnel number
    E  =          Authorization for all personnel numbers excluding own personnel number
    You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).
    This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
    Example of Personnel Number Check P_PERNR
    The authorization checks for P_ORGIN and P_PERNR are activated in the system. In addition, there are user assignments for some personnel numbers.
    The user in our example is assigned a personnel number and is administrator responsible for the Basic Pay infotype (0008) of a personnel area (that is, the user has the corresponding P_ORGIN authorization). The employee should also be able to display his or her own data but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. The corresponding authorizations for the P_PERNR authorization object must be set up as follows:
    First authorization:
    AUTHC = R, M
    PSIGN = I
    INFTY = *
    SUBTY = *
    Second authorization:
    AUTHC = W, S, D, E
    PSIGN = E
    INFTY = 0008
    SUBTY = *
    In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. You need to set up the appropriate authorizations for the HR: Personnel Number Check object as shown in this example.
    The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.
    As the following examples illustrate, inconsistent authorizations can be granted.
    Example 1:
    First authorization:
    AUTHC = *
    PSIGN = I
    INFTY = 0014
    SUBTY = M*
    Second authorization:
    AUTHC = W, S, D, E
    PSIGN = E
    INFTY = 0014
    SUBTY = *
    The first authorization grants the employee read authorization (AUTHC = R) for the Recurrent Payments/Deductions infotype (0014), subtype M120, which allows the employee to access the data stored under his or her personnel number. In this case, the second authorization is irrelevant.
    The first authorization grants the employee write authorization (AUTHC = W) for the Recurrent Payments/Deductions infotype (0014), subtype B030, which denies the employee access to the data stored under his or her personnel number. In this case, the first authorization is irrelevant.
    The first authorization grants the employee write authorization for the Recurrent Payments/Deductions infotype (0014), subtype M120, the second authorization denies the employee this authorization. The desired system response is unclear from this example. According to the documentation, the system response is undefined in such situations. In reality, the authorization check always denies authorization in unclear situations, that is E is stronger than I and therefore the authorization is not granted.
    Example 2:
    AUTHC = *
    PSIGN = *
    INFTY = *
    SUBTY = *
    This type of authorization is required by superusers with unlimited access, for example. The above authorization is appropriate if an employee wants to access an infotype. However, since PSIGN = * and * can be substituted for any value, PSIGN and E can also be interpreted as I. This can also lead to an undefined situation. In earlier releases, the authorization was denied on the basis of the rule E is stronger than I. This meant that superusers with assigned personnel numbers were not able to access their own personnel number. The programs have since been changed and now * is interpreted as I and is stronger than E. In other words, * is stronger than E and E is stronger than I, whereby * is interpreted as I.
    As already indicated in Example 1, the combination of different authorizations can produce a complicated result. We therefore recommend that you avoid combinations where P_PERNR authorizations can be interpreted differently for the same combination of AUTHC(Authorization Level), INFTY(Infotype) and SUBTY (Subtype).
    Misunderstandings arising from the complex situations described above are not the most frequent causes of customer inquiries, however. The most frequent cause is the incorrect assumption that authorizations by personnel number affect authorizations for non-assigned personnel numbers. This is not the case at all.
    If you use authorizations by personnel number, you should always first set up all non-personnel number-related authorizations. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except Test Procedures).
    P_PERNR authorization checks cannot bypass test procedures directly. For instance, a test procedure is only carried out on the Recurring Payments/Deductions infotype (0014) if a corresponding P_PERNR authorization (with PSIGN = I) exists. If an appropriate authorization for the corresponding subtype of the infotype 0130 exists, it can be used effectively to carry out the test procedures.
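
The precedence rules in the documentation quoted above (the check applies only to the user's own personnel number, E is stronger than I, and PSIGN = * is interpreted as I and is stronger than E) can be modelled in a few lines. This is an added example, not SAP code and not part of the original posts; the class and function names, the personnel numbers and the "NOT_APPLICABLE" result for "no P_PERNR authorization matches" are assumptions of the model, and AUTHC is matched literally.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class PPernrAuth:
    """One P_PERNR authorization as listed in the quoted examples."""
    authc: tuple   # authorization levels, e.g. ("R", "M") or ("*",)
    psign: str     # "I" (own number), "E" (excluding own number) or "*"
    infty: str     # infotype or "*"
    subty: str     # subtype pattern, e.g. "M*" or "*"

    def covers(self, level, infty, subty):
        level_ok = "*" in self.authc or level in self.authc
        return (level_ok and fnmatchcase(infty, self.infty)
                and fnmatchcase(subty, self.subty))


def matching_signs(auths, level, infty, subty):
    """PSIGN values of every authorization that covers the access."""
    return {a.psign for a in auths if a.covers(level, infty, subty)}


def p_pernr_decision(auths, user_pernr, target_pernr, level, infty, subty):
    """Return "GRANT", "DENY" or "NOT_APPLICABLE" (left to other checks)."""
    # The check is irrelevant for users without an assigned personnel
    # number and for personnel numbers other than the user's own.
    if user_pernr is None or user_pernr != target_pernr:
        return "NOT_APPLICABLE"
    signs = matching_signs(auths, level, infty, subty)
    if not signs:
        return "NOT_APPLICABLE"   # assumption: nothing matched, P_PERNR is silent
    if "*" in signs:
        return "GRANT"            # * is interpreted as I and is stronger than E
    if "E" in signs:
        return "DENY"             # E is stronger than I
    return "GRANT"


def ambiguous(auths, probes):
    """Probes (level, infty, subty) matched by both an I and an E authorization."""
    return [p for p in probes if {"I", "E"} <= matching_signs(auths, *p)]


# The basic pay example from the quoted documentation.
PAGE_EXAMPLE = [
    PPernrAuth(("R", "M"), "I", "*", "*"),
    PPernrAuth(("W", "S", "D", "E"), "E", "0008", "*"),
]
# "Example 1" (inconsistent authorizations) from the quoted documentation.
EXAMPLE_1 = [
    PPernrAuth(("*",), "I", "0014", "M*"),
    PPernrAuth(("W", "S", "D", "E"), "E", "0014", "*"),
]
SUPERUSER = [PPernrAuth(("*",), "*", "*", "*")]

ME, COLLEAGUE = "00001000", "00002000"   # constructed personnel numbers

if __name__ == "__main__":
    for level in ("R", "W"):
        print(level, "own 0008:",
              p_pernr_decision(PAGE_EXAMPLE, ME, ME, level, "0008", "0"))
    print("W colleague 0008:",
          p_pernr_decision(PAGE_EXAMPLE, ME, COLLEAGUE, "W", "0008", "0"))
    print("ambiguous in Example 1:",
          ambiguous(EXAMPLE_1, [("R", "0014", "M120"), ("W", "0014", "M120")]))
```

A "NOT_APPLICABLE" result for the colleague's number reflects the point the documentation stresses: P_PERNR authorizations have no effect on personnel numbers that are not assigned to the user.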

  • Create, but no changes in Infotype 0008

    Hi all,
    We have the following issue in HR authorization
    There's one role with some transactions of HR, some of them is PA30 and PA40.
    One of the rules at the company is, in transaction PA40, the person who made the admission of an employee, can register the salary data (IT 0008);
    And later, the same person can consult this register of employee by transaction PA30, but cannot change the salary in Infotype 0008, only the manager could do this.
    But, both transactions uses the same object (P_ORGIN).
    The question is, this type of restriction (register salary in PA40, and only consult in PA30) can be made only in authorization profile (PFCG)?
    How can we do this?
    Thank you all!

    Hi,
    When you add both PA40 and PA30 tcodes into the same role, you can actually restrict the Infotype 0008 and its Subtype in the same role.
    You can give restricted authorizations to only register salary and only consult via the field values in P_ORGIN.
    Regards,
    Kiran Kandepalli.

  • Authorization Check in Business Transactions in CRM 2007

    Hi everybody, I have a problem with the authorization check in CRM 2007.
    This link helped me to follow the steps
    http://help.sap.com/saphelp_crm60/helpdata/en/e9/b29a39e7aee372e10000000a11
    I follow this steps:
    1.- Created a new single role on the PFCG
    2.- On the Menu tab add the transaction BSP_CRMD_BUS2000108 (Trax for LEADS)
    3.- On the authorization tab create a new profile and in the authorization data set the values for CRM_ORD_OP: PARTN_FCT '00000012', PARTN_FCTT '*', ACTVT '02,03'
    4.- Generate the authorization.
    5.- Set my user "TESTUSER" on the user tab
    6.- Save the profile
    Then, I log in to CRM with TESTUSER and I see all the leads. I miss something, what could be the problem?
    Thanks for your help

    Hi Shaji, Pankaj and Jushan, thanks for your answers.
    I still have the same problem. I want to see only the leads for which I am the responsible. After I generated the authorization and assigned the role to my user from tcode PFCG and SU01, I logged out and logged in again and no changes, I still see all the leads.
    Another test I made: I changed the authorization data and set the values for CRM_ORD_OP: PARTN_FCT '', PARTN_FCTT '0008', ACTVT '' (person responsible) and the result was the same, I see all the leads.
    How works the User Comparisons and how can I check for errors in my pfcg role ?
    Thanks for your help.

  • Infotype 0008 Not Updated

    Hi Gurus,
    We have created a dynamic action running in background in order to update infotype 0008 with the new Grades and Levels of the employee when an Organizational Reassignment is executed. However, the user who executes the action doesn't have sufficient authorization to display infotype 0008 and this prevents the dynamic action from being executed, although in background. The customer cannot give authorization to the user and the action cannot be executed by users with appropriate authorization due to business processes. We need to overcome this, as infotype 0008 contains wrong data.
    Steps for Reconstruction
    The user executes the action Organizational Reassignment (transaction PA40) but he has no authorization for infotype 0008. After he saves infotype 0001, a dynamic action is triggered and checks whether the employee's job has changed. If yes, the system should execute the dynamic action in background, in order to update infotype 0008 (both subtypes 0, 9000) with the grades and levels of the new job.
    Thanks in advance for help

    A mail is sent through dynamic action to the responsible of payroll and he enters the data manually.

  • Authorization with ppom

    Hi everyone,
    can anybody help me with that?
    is it possible to give people authorization according to organization chart in ppom.
    i mean a chief can use all the transactions that his staff is authorized.
    Please help me.
    Thanks.

    Hi Ali!
    There are several solutions to cover this situation.
    1) We have to clarify what your need is. -> Do you need to have a payslip visible or Personal Data?
    2) Do you use ESS and MSS or not?
    If you have ESS/MSS then you can realize this the easiest way. You only have to authorise the users and managers to reach the specific infotype (e.g. IT 0008 for loan data).
    Or you can show the payslip as well on the ESS/MSS site as a link.
    If you don't have ESS/MSS then you have to create the authorisation objects, for example on a Windows folder system -> you create an archive for each payslip and these you transfer after payroll has finished into the right directory on your storage drive. For the directories you build up an authorisation tree and permissions are given to the right person/user/manager.
    If you provide more data, perhaps I can help you further!
    have a nice day!
    Best regards,
    Zsolt

  • Opportunity authorization

    Hi,
    Currently I am able to restrict the editing of opportunities for the partner function employee responsible using object crm_ord_op.
    If I want to create a super user role which allows a group of people to edit the opportunities, what objects should I use and what configuration change should be done for determination?
    Regards
    John

    Hi John,
    Will you be adding the group of people as some partners in the Opportunity document ?
    If you see the Definition of this object "crm_ord_op", it tells that
    If an user has a partner function of a specific partner function category in a document, this authorization object defines which activities can be carried out in this partner function.
    Only partner function categories 'Employee' = 0005 and 'Person responsible' = 0008 are taken into account.
    This authorization check controls other checks, for example, the authorization check for the transaction type, so that a user may process a document when the above criteria are met, even if he has no authorization for the corresponding transaction type and activity.
    Defined fields
    The authorization object checks the following fields:
    • PARTN_FCT Partner function
    • PARTN_FCTT Partner function category
    • ACTVT Activity
    Also you may want to check this link to see Authorization Objects and Authorization Fields
    http://help.sap.com/saphelp_sm40/helpdata/EN/f6/57fa3ab5573919e10000000a114084/content.htm
    Looks like the Authorization object "CRM_OPP" (authorization object CRM transaction - business transaction category opportunity) with authorization field "ACTVT" might help you.
    rgrds,
    Randhir

  • PA0008 table Authorization

    The information in infotype 0008 is accessed in multiple ways (direct select statements, through PNP and function modules) by HR programs. Many of these programs do not have an authorization check built in. Is it possible to give an authorization check at database table (PA0008) level? The AUTHORITY CHECK statement in ABAP can be used, but the problem is that there are so many programs. So is there any way to overcome this situation?

    The only method of getting to Infotype 0008 without an authorization check is a direct select from the database. Now eventually all SAP programs, functions etc. have to do a select at the lowest level of code to get the data.
    To answer your question, the only way to ensure an authorization check is carried out is to have it in the ABAP code. But here are some more specific answers:
    1. Logical Database PNP - As long as a program uses PNP in combination with the provide, endprovide commands for the infotype, authority checks will be carried out. The only time a program will not do an authority check is if a programmer bypasses this with a direct select.
    2. Standard SAP Function Modules - I have yet to come across standard SAP function modules that read infotype 0008 without an authority check. I have seen some function modules that have a parameter to skip the auth check, but I have not seen this used much in SAP standard code. I have seen developers write custom code that has set the parameter to ignore the auth checks but we don't allow this.
    3. Custom Z Programs - My recommendation is to use logical database PNP or SAP standard functions whenever possible to read infotype 8. If you have to do a direct select, the custom program should include an authority check.
    For the most part, if you stick to SAP standard, you should be fine.  The most problems will come in with custom development where these guidelines are not followed.
    Best Regards,
    Chris H.
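
Since the answer above identifies direct selects in custom programs as the place where the check gets skipped, a source review can start by listing every direct read of PA0008 and whether the same program contains an AUTHORITY-CHECK statement at all. The following is an added example, not part of the original answer: a heuristic scanner with constructed ABAP samples; the report names, the status labels and the abbreviated AUTHORITY-CHECK field list in the second sample are assumptions.

```python
import re

TABLE = "PA0008"
# A SELECT statement that reads the infotype table directly (FROM or JOIN).
DIRECT_READ = re.compile(r"^SELECT\s.*\b(?:FROM|JOIN)\s+" + TABLE + r"\b",
                         re.IGNORECASE | re.DOTALL)
AUTH_CHECK = re.compile(r"^AUTHORITY-CHECK\s+OBJECT\s+'(\w+)'", re.IGNORECASE)


def strip_comments(source):
    """Blank out ABAP comments ('*' in column 1, '"' inline), keeping line count."""
    out = []
    for line in source.splitlines():
        if line.startswith("*"):
            out.append("")
            continue
        in_literal = False
        for i, ch in enumerate(line):
            if ch == "'":
                in_literal = not in_literal
            elif ch == '"' and not in_literal:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)


def statements(source):
    """Yield (line_number, statement); heuristic split on the closing period."""
    text = strip_comments(source)
    for m in re.finditer(r"[^.]+\.", text):
        stmt = m.group(0)
        lead = len(stmt) - len(stmt.lstrip())
        yield text.count("\n", 0, m.start() + lead) + 1, stmt.strip()


def scan(source):
    """List direct PA0008 reads and the authorization objects the program checks."""
    stmts = list(statements(source))
    checked = sorted({m.group(1).upper() for _, s in stmts
                      if (m := AUTH_CHECK.match(s))})
    return [{"line": line_no,
             # "review": a check exists, but a person must confirm it guards this read
             "status": "review" if checked else "no-authority-check",
             "objects_checked": checked}
            for line_no, s in stmts if DIRECT_READ.match(s)]


# Constructed sample: direct read with no check anywhere in the program.
SAMPLE_UNCHECKED = """\
REPORT zhr_pay_list_a.
TABLES pa0008.
DATA lt_pay TYPE TABLE OF pa0008.
SELECT-OPTIONS s_pernr FOR pa0008-pernr.
* SELECT * FROM pa0008 in a comment line is ignored.
SELECT * FROM pa0008 INTO TABLE lt_pay   " direct read, no check
  WHERE pernr IN s_pernr.
"""

# Constructed sample: the read is preceded by a check (field list abbreviated).
SAMPLE_CHECKED = """\
REPORT zhr_pay_list_b.
DATA ls_pay TYPE pa0008.
PARAMETERS p_pernr TYPE pa0008-pernr.
AUTHORITY-CHECK OBJECT 'P_ORGIN'
  ID 'INFTY' FIELD '0008'
  ID 'AUTHC' FIELD 'R'.
IF sy-subrc = 0.
  SELECT SINGLE * FROM pa0008 INTO ls_pay WHERE pernr = p_pernr.
ENDIF.
"""

if __name__ == "__main__":
    for name, src in (("A", SAMPLE_UNCHECKED), ("B", SAMPLE_CHECKED)):
        print(name, scan(src))
```

The scanner only narrows the review list: periods inside literals, dynamic table names and reads through function modules called with a skip-authorization parameter are outside what it detects.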

  • Time Logic of HR Authorization !!!!

    Hi Gurus,
    My scenario is as below.
    An employee 1000 whose information is:
    2009.08.01-2009.10.30  personal area (IT0001) = PA01 basic pay (0008) = 1000
    2009.11.01-2009.12.31  personal area (IT0001) = PA02 basic pay (0008) = 1000
    Authorization is:
    USER A - personal area PA01 granted, IT0001/ IT0008 granted
    USER B - personal area PA02 granted, IT0001/ IT0008 granted
    Query date (sy-datum) is 2010.01.01
    Symptom:
    User A can NOT see any  payroll result of employee 1000 with PC_PAYRESULT.
    User B can see all of the payroll result from 2009.08 to 2009.12 with PC_PAYRESULT.
    I think user A should be able to see 2009/08-2009/10 payroll result.How to make it happen?
    Thanks!

    Thanks Paul.
    Just one more question.
    In PA20, User 1 can access basic pay of 2009.08.01-2009.10.30, but can not access basic pay of 2009.11.01-2009.12.31.
    And the system msg shows:"records skipped by authorization!". Which means, user 1 can still access history information about IT0008. This is reasonable.
    But as for the payroll result, user 1 can NOT access any history result in payroll cluster once SY-DATUM is after tolerance day(AUTSW-ADAYS).
    Is this what standard authorization is designed as? I don't think it makes sense anyway.
    SOLVED! This is system standard behavior of PC_PAYRESULT and wage type reporter that we can not change. But for those customized reports, we can use <SAP Note 82144> to achieve what I want. Thanks anyway!

  • Authorization restriction for CRM 2007

    Dear Experts,
    We are in process of defining the authorization matrix for CRM 2007 for end users who will be using Web UI.
    Here my requirement is the service orders created by USER1 should not be displayed by USER2 and vice-versa when they do a search in both Web UI and GUI in Tx CRMD_ORDER for service orders.
    Please let me know how I can achieve this and what the auth. object for the same is.
    Thanks & Regards,
    Sharath

    Dear babu,
    If I understood your request, you want that only one user will be able to access the document. If you want to do that, this is the answer:
    At tcode PFCG you should set:
    First you must set what type of document will be available to the user, in this case Z020.
    CRM_ORD_PR: PR_TYPE 'Z020',ACTVT '*'
    Next you must set which activities they will be able to do (notice, you must set the same field in the previous object)
    CRM_ACT: ACTVT '*'
    And then you set which partner function or partner category is able to access the document, here is the main point!
    In this example I set that only users who have Partner Category (not partner function) Employee Responsible (std partner category 0008) are able to access the document
    CRM_ORD_OP: ACTVT '', PARTN_FCT '', PARTN_FCTT '0008'
    Here you can notice again field ACTVT. Here you will set what the user is able to do, "*" means everything, "1" = create, "2" = modify, etc. (I can see the list at PFCG, adding the auth. object to the PFCG profile).
    I notice only std partner function or partner category works with this object. I sent a message to SAP support, and they confirmed that, so if your user has a Z partner function or category it is not possible to do that.
    Summary: your user must be present in the partner list of the document, and they must have a std partner function or partner category. It is possible to set both values PARTN_FCT and PARTN_FCTT together, but I think it is not necessary.
    The easy way to do that is, the user who will be able to access the document must be the employee responsible.
    This help is very useful
    http://help.sap.com/saphelp_crm60/helpdata/en/4a/b9f63a8ab2c745e10000000a114084/frameset.htm
    Regards,
    Lalas
    ps.: As you should know, only one partner function must have partner category Employee Responsible, in the partner det. procedure, otherwise, you will get error message in your application.
