Authorization issue in HR: Manager has access to other employees

Hello Gurus,
I need to restrict access to HR reports to users based on their group segment.
The situation I am facing is that a level 1 user (segment manager) belonging to a particular group segment is getting access to data of employees other than those belonging to his segment.
Also take into consideration the fact that there are level 2 users that have authorisation to data of employees belonging to multiple group segments.
My requirement is to restrict access of level 1 users to their own group segment.
Edited by: Julius Bussche on Dec 18, 2009 9:22 PM
Subject title improved and moved to the security forum

Hi Rishi,
Did you check the roles assigned to this user? Go through the roles assigned to the user.
Look for the various P_* objects allocated to him in these roles. You should be able to find the one that restricts the access the way you want it to. I can't say which object will restrict this, but you will have to see which one is allocating this access. If you are not sure, you could create a replica of the user and do the same tasks while an authorization trace is on.
Hope this helps.
CP

Similar Messages

  • HR Auths - Manager has access to employee in OOSB but cannot access record

    Hi,
    I currently have a problem where a manager (M1) has the A012 relationship to an org unit (O1); however, org unit (O2) reports to (O1). Employees in org unit (O2) report to a supervisor who in turn reports to manager (M1).
    I assumed that with structural authorisations in place the manager (M1) would have access to employees from O1 & O2 - however it seems that the manager can only view/access employees from O1 which is the org unit that the manager is part of.
    If I take a look at the records that the manager can access via structural authorisations in OOSB, employees from both org units appear in the list. However when the manager attempts to create a leave record for any employee in O2 he gets an authorisation error.
    I have ensured that the depth field for the structural authorisations is blank.
    For object type O - I use eval path O-O-S-P and the function module RH_GET_ORG_ASSIGNMENT. For object type P - I use the eval path O-O-S-P and the function module RH_GET_MANAGER_ASSIGNMENT.
    I have changed an employee from O2 to report to the manager (M1), but this still does not correct the problem.
    Can anyone assist with this problem?
    Thanks in advance
    Sujeet

    Hi,
    Verify if the trace is showing authorization failure for other objects like PLOG,
    as this might require access to new HR objects (with infotypes like 1001) pertaining to leave record creation.
    Verify that a 0105 entry exists for all the persons in context.
    Second thing is the evaluation path might not be the correct one in some cases.
    For troubleshooting, add the ALL PD profile and see if the user is able to perform the actions. If he is, then the problem is with the PD profile; if he is not able to do that even with that, then the problem is with authorizations.
    Hope this helps

  • One of my team members has access the other one doesn't what's up with that.  Both are on the same payment account.

    I have updated my payment information and all other team members can access all the CC apps and services but only one team member can't.  What do I need to do?

    Thanks for your fast reply. Since I posted I've been looking at old posts under the tag "sorting_albums" and found a very detailed explanation from "turingtest2" which includes your solution along with other great info. Only trouble is it looks like there's a bunch of editing work I have to do. Before the recent download I had gone through my 500 albums and had everything sorting the way I wanted it. Looks like I have to do it again. Thanks Apple!

  • How to tackle the Training appraisal form whenever manager has to appraise Trainees?

    Dear Team,
    I am having a query on creation of a Training Appraisal Template.
    As per the requirement, we need to create a template which has to be evaluated/appraised by the reporting manager.
    After a stipulated time, the reporting manager has to evaluate the employees who have attended the training program.
    As per the standard TEM, there will be an appraisal for the Training program.
    How to manage the appraisal of trainees by the respective managers?
    Kindly advise me on how to proceed.
    Regards,
    Sairam.

    Hello Tiberiu,
    Have you tried to change the element access for the appraisee for this particular element (tab 'element access' in the criteria maintenance)?
    Regards
    Nicole

  • The application has accessed a fund managements or cash mgt module with par

    When I am trying to post an entry, message F1030 appears:
    The application has accessed a fund managements or cash mgt module with parameters missing or defective
    Please solve.

    Hi,
    This error occurs when you post data which is not related to that specific company code.
    Post the correct data and check. If the problem still exists, please clearly explain the problem.
    Thanks
    micheal

  • My audio unit manager has gone, i cant scan it and all the components are in the right place, i just cant access my au manager at all in logic

    My Audio Unit manager has gone. I can't scan it and all the components are in the right place; I just can't access my AU manager at all in Logic.
    Any help please, I'm going out of my mind.
    regards james

    Thanks for getting back to me. The AU manager was there, just when you tried to click on it, it wasn't responding.
    But I had a scan through Google and found the answer: I removed the Audio Units cache and restarted it and all was good. I was really starting to get stressed over the matter, but however I got to the bottom of it.
    Again thanks for replying
    Regards James

  • MySite set for deletion... manager has no access.

    I've got managers receiving the following:
    "The My Site of [USER] is scheduled for deletion"
    Now, the issue isn't that the user is scheduled for deletion (a problem for which there are dozens and dozens of articles around the web). This is working perfectly.
    The issue is that the manager, upon trying to access the MySite, gets "Error - User not found.".
    The users' MySite is still there, but the permissions are apparently not set so that the manager can access the site.
    I can turn off notifications on this so it's no longer a problem, but that doesn't resolve the access denied issues.
    Thanks to anyone who can help us get around this problem.

    Who is set as the site collection owner when viewed in Central Admin?

  • Authorization issue - need to know the Role providing this access

    Hi,
    User is facing an authorization issue below:
    "You donot have authorization to display DataSource 2LIS_06_INV, Component MM" and
    "You donot have authorization to display DataSource 2LIS_11_VAITM, Component SD"
    Kindly let me know what Role is missing from the user's profile?
    Thanks and Regards,
    Sachin
    SAP Security Consultant

    Hi Murali,
    It helped.
    I found the BW Data Support role for the object S_RO_OSOA, and when checked it was already in the user's profile, but the missing part was the user comparison for that role.
    I did the user comparison and now the user is able to view the DataSources.
    Thanks for your help; it helped me find the root cause.
    Thanks
    Sachin

  • Appraiser Authorization Issue (Objective Settings and Appraisals)

    Hello!
    We are currently using Objective Settings and Appraisals for our performance appraisals. ESS and MSS are also used during the process. We do not use structural authorizations either.
    Authorizations work fine for the vast majority of employees. However, we have an issue with some of our Human Resources users. For his/her ID they have authorization to certain personnel areas. However, his/her appraiser is in a personnel area they do not have authorization for. As a result, the appraisal does not show up when the user accesses ESS to work on their appraisal.
    For example, we have an HR user who has access to information in personnel area 1081. However, her appraiser/manager is actually in 2054. As a result, when she accesses her appraisal it says no entries exist.
    One solution we tried was selecting the 'No Authorization Check for Appraiser' on the template. With this selected, the appraisal shows up with the personnel number of the appraiser on the listing. When the appraisal is accessed and the user tries to perform an action, the following error pops up stating the appraisee person is not allowed, and it has the appraiser number within the error message.
    Currently, we have the HR employee using a different ID for ESS that allows the user to access the appraisal. Is there anything standard that will allow the user to view the appraisal without using a different ID?

    Bump

  • Secured WebDAV Mounted Volume Authorization Issues

    I use a secure WebDAV mounted volume from myDisk.se and up until the latest Security Update have had zero issues being able to manipulate files and folders as I would on a normal volume. However, since the installation of the Security Update (2009-004 (PowerPC) 1.0) I find weird things happening with this mounted volume:
    1) I am able to mount the secured WebDAV share using my security credentials.
    2) I can create a default "untitled" folder but when I try to change its name, the WebDAV authorization dialog pops up and despite entering the same credentials (why, I am not sure as the volume has already been properly credentialed in order to be mounted), access is denied.
    3) Trying to create a file within a folder on the mounted WebDAV volume I previously created pre-update causes the same authorization issue.
    I have no other WebDAV shares I can try to mount from any other companies so I am not sure if this is a myDisk issue or one borne from the Security Update. I am not a .Mac/MobileMe user and that info is not filled out in System Preferences. The internal hard drive has been meticulously maintained with Disk and Permissions repair being run both before and after each and every software update installed. Likewise, the volume's structure is also checked both before and after and shows no need for repairs.
    Any ideas? Perhaps there is a corrupted file somewhere that's affecting the authorizations needed by this third-party WebDAV volume?
    The machine that has this problem is the last model iBook G4/1.33GHz 12" display, 1.5GB RAM, and a 100GB 5400rpm HD which replaced the stock OEM 40GB 4200rpm drive about one year ago.
    I'm not willing to do an Archive and Install at this point as the loss of the WebDAV access to my online volume is not critical. Inconvenient as heck but not to the point where I'm willing (or able) stop my normal work to spend the hours it will take to get WebDAV access back.
    Thanks in advance for any insights.

    Same problem here with WebDAV: I can't mount my iDisk from the university network on a Mac Pro 10.5.3 (although it mounts fine from the home network on both an iBook and a PMG5 10.5.3). Everything was fine with 10.5.2 and I already re-installed the 10.5.3 combo. Other bugs as well with .Mac prefs (keeps crashing; sometimes it shows the available space on iDisk but still no mounting, with error -35 or -8086), but .Mac sync is OK.
    Jun 11 12:34:21 webdavfs_agent[579]: mounting as authenticated user
    Jun 11 12:34:22 kernel[0]: webdav server: http://idisk.mac.com/[username]/: connection is dead
    Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 received VQ_DEAD event (32)
    Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
    Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 type 'webdav', mounted on '/Volumes/[username]', from 'http://idisk.mac.com/[username]/', dead
    Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
    Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 found 1 filesystem(s) with problem(s)
    Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
    Jun 11 12:34:52: --- last message repeated 1 time ---

  • BI Variable authorization issue

    Hello Experts,
    Please help me with the below issue. I have implemented Variable authorizations as below.
    1) I have marked the Cost Center and Profit Center info objects as auth relevant.
    2) Created global variables for CC and PC with processing by authorization & user exit.
    3) Created an analysis authorization for the info objects 0cost center and Profit Center and added the value $ZCOST.
    4) Created the include program ZSECTEST in the user exit to check the variables.
    I have created only one analysis authorization with both CC and PC fields and restricted to variables.
    Scenario 1: If the query that was built on the cube has only CC data, authorizations are working fine by picking the values from the table. - Working
    Scenario 2: I have a query that was created on an MP which has cube A with CC and cube B with PC data.
    (The system checks if the user has access to both info objects since both are auth relevant fields.)
    When the user ran the query, the custom code checks the table and gets the CC and PC values to the query variable screen.
    Issue: If the query has both CC and PC data for the given date, it shows results fine.
    If the query has only CC data and no PC data, then the query gives a message saying no data available.
    My requirement is that even if there is no PC data for that date, I want to display the CC data.
    Thanks in Advance.
    Thanks,
    Kumar.

    Hello Sandipan,
    Thanks for the quick response. The primary key has already been defined in the table. The issue is I have only one analysis authorization created with fields CC and PC restricted to variables VAR1 and VAR2 respectively.
    When I execute the query, in the variable selection screen the values are coming fine from the custom table, as below. (works)
    Variable selection screen:
    Cost Center   -  1,2,3,4
    Profit Center -  A,S,D,F
    Date          -  10/2010
    In the above example, if the query has only CC data for that date I get the error "no data available", because the system is fetching for the combination of CC 1,2,3,4 and PC A,S,D,F. I guess some aggregation auths are missing.
    When I execute the same query with SAP_ALL and BI_ALL I get results with only CC, because PC data on this query was not available for that date.
    My requirement is that even if the PC data was not available for that date, I want to display all the CC related data.
    Thanks,
    Kumar.

  • Authorization issue in BPS

    Hi guys,
    I have an authorization issue in a BPS application, where a user can upload a flat file into a BPS cube, but only when I select 0BI_ALL in the authorization object S_RS_AUTH.
    Without selecting 0BI_ALL (another analysis authorization), it yields the message that the user does not have enough authorization...
    Now the user gets access to data in BW reporting for all the organizational marks like the organization unit (0ORGUNIT).
    How is it possible to design the authorizations / analysis authorization so that the same user can upload data via flat file, but only gets access to transaction data for the organizational data which he should see?
    How should the analysis authorization be designed? Has it something to do with the technical characteristics like 0TCAACTVT?
    THX in advance!
    Clemens

    Hi,
    Have you tried creating an authorization variable for organizational unit?
    This will give restricted access to data based on the authorization assigned.
    Thanks
    Pratyush

  • Authorization issue with VA02 radio buttons

    Hello All,
    We are stuck at one authorization issue. The user navigates using tcode VA02.
    1) Execute tcode VA02 =>
    2) Put in order number # 100001 =>
    3) Press enter =>
    4) Press enter =>
    5) Screen: Change (Company Name) Return 100001: Overview =>
    6) Option: Display doc. header details (looks like a magnifying glass beside PO_date) =>
    7) This brings us to Change (Company Name) Return 100001: Header Data =>
    8) Select status tab =>
    9) On the Status tab, at the lower end there is a button "Object Status" =>
    10) Press it =>
    11) Come to Change Status:
    12) On this screen there is Status with status no. on the right side with 7 options,
    e.g.:
    • 1 BLK Approval Required for,
    • 2 BL1 Approval for Credit,
    • 3 BL2 Approval for material Replacer
    We need to restrict the radio button access for the user, for which we are unable to find the authorization object.
    Could anyone help?
    Thanks & Regards
    gab

    Hi,
    Use ST01 to trace the user activities and check which objects it's hitting when you click on those buttons; then you can restrict the radio buttons using those objects.
    I haven't run the tcode myself and performed the steps you mentioned, but if you think it's calling another transaction from those buttons you can manage that in SE97, or add the t-code VA02 in the S_TCODE auth object in PFCG.
    Hope this gets you going.
    Thanks,
    Vijay

  • Issue with the site level access in the trial ac

    I am following the given video to get an understanding of site level access.
    SAP HANA Cloud Portal Setting Access Levels in the Site - YouTube
    I could not find the option of setting the site level access to either public, restricted or private in my trial ac. in the site settings as per the given video above. Could this be some authorization issue or some settings that need to be done?

    Hello,
    The site access level configuration is now under the Access Management entry in the side panel.
    Please follow the documentation in the link below.
    SAP HANA Cloud Portal Documentation
    Regards,
    Eliel.

  • ABAP dump on authorization issue

    hello,
    I am not sure if this is the correct forum for this or not.
    I have an ABAP program that was written before I got here that performs the following statement:
    OPEN DATASET w_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
    where w_file is a file on the app server. The users that run this program have no issues.
    I have made a copy of the program to add some additional functionality, and when the users run this program, the program is abending with the following error messages when trying to execute the same command stated above:
    Runtime Error   OPEN_DATASET_NO_AUTHORITY
    Except.         CX_SY_FILE_AUTHORITY
    I have talked to the security person and he is going to make another role with the authorizations needed to run the program, but I am curious as to why the same person can run the one program successfully and my program (which does basically the same thing when it comes to the file processing) abends with the authorization issue.
    thanks in advance for your help

    I believe you can use an FM to check if the user has sufficient authorization.
    NOTE: the authority check uses the PROGRAM NAME, so it looks like your profile should be updated with the new program name.
    Here is what the help says:
    Check file access authorization
    Functionality
    This function module allows you to check the user's authorization to access files (with the key words OPEN DATASET, READ DATASET, TRANSFER and DELETE DATASET). A check should be performed before opening a file.
    The authorization check is performed using the authorization object S_DATASET.
    Description of function parameters:
    o  PROGRAM: Name of the ABAP/4 program that contains the file access. If no program name is specified, the system assumes the current program.
    o  ACTIVITY: Access type. The possible values are:
       -  READ:              Read file
       -  WRITE:             Change file
       -  READ_WITH_FILTER:  Read file with filter function
       -  WRITE_WITH_FILTER: Change file with filter function
       -  DELETE:            Delete file
    o  FILENAME: Name of accessed file
    Example
    TYPE-POOLS SABC.
    CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
         EXPORTING  PROGRAM          = 'ZDATASET'
                    ACTIVITY         = SABC_ACT_READ
                    FILENAME         = '/tmp/sapv01'
         EXCEPTIONS NO_AUTHORITY     = 1
                    ACTIVITY_UNKNOWN = 2.
    Notes
    The values to be passed as the ACTIVITY are defined as constants in the TYPE-POOL SABC.
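An added example (not the original poster's program and not SAP's own help text): a report that calls AUTHORITY_CHECK_DATASET with its own program name (sy-repid) and the WRITE activity before the OPEN DATASET, so a missing S_DATASET authorization for this program name is reported as a message instead of ending in the OPEN_DATASET_NO_AUTHORITY dump. The report name and file path are assumed placeholders.

```abap
REPORT zdataset_authcheck_demo.   " assumed report name

" The ACTIVITY constants for S_DATASET live in type-pool SABC.
TYPE-POOLS sabc.

DATA: w_file TYPE string VALUE '/tmp/zdemo_export.txt',  " assumed path
      w_line TYPE string,
      w_msg  TYPE string.

" Check up front whether the current user may WRITE this file.
" PROGRAM is passed explicitly as sy-repid: S_DATASET is checked against
" the calling program's name, which is why a renamed copy of a working
" report can fail where the original succeeds.
CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
  EXPORTING
    program          = sy-repid
    activity         = sabc_act_write
    filename         = w_file
  EXCEPTIONS
    no_authority     = 1
    activity_unknown = 2
    OTHERS           = 3.

CASE sy-subrc.
  WHEN 0.
    " Authorized. Still guard the OPEN itself: the check and the open are
    " two separate events, and the authorization can change in between.
    TRY.
        OPEN DATASET w_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
        IF sy-subrc <> 0.
          w_msg = |Could not open { w_file }|.
          MESSAGE w_msg TYPE 'E'.
        ENDIF.
        w_line = 'demo line'.
        TRANSFER w_line TO w_file.
        CLOSE DATASET w_file.
      CATCH cx_sy_file_authority INTO DATA(lx_auth).
        w_msg = lx_auth->get_text( ).
        MESSAGE w_msg TYPE 'E'.
    ENDTRY.
  WHEN 1.
    " Missing S_DATASET authorization: tell the user which program and
    " file were checked, so the role can be extended for this program name
    " (the same values show up in an ST01 authorization trace).
    w_msg = |No S_DATASET authority for program { sy-repid } on { w_file }|.
    MESSAGE w_msg TYPE 'E'.
  WHEN OTHERS.
    w_msg = |Unexpected activity or error (sy-subrc { sy-subrc })|.
    MESSAGE w_msg TYPE 'E'.
ENDCASE.
```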
