Authorization Level in HR authorisations
Hi Experts,
In HR Authorizations, what is the use of the 'M' (Match Code) and 'S' (Symmetrical) access modes, and how do they work under the authorisation objects? How to use them? And
how does the Organization Key field work?
Can someone explain this?
Thanks in Advance,
Sandhya
authorization level M is used to allow access to the input help (using F4).
for more info on symmetrical double verification principle (as opposed to asymmetrical) have a look [over here|http://help.sap.com/saphelp_47x200/helpdata/en/ab/4bba3b3bf00152e10000000a114084/frameset.htm]
the organizational key (VDSK1) can be useful in many cases if you want to include additional authorization through organizational assignments. for more info [look here|http://help.sap.com/saphelp_47x200/helpdata/en/17/4bba3b3bf00152e10000000a114084/frameset.htm]
Similar Messages
-
Hi,
Can anybody throw some light on to this.
1. Let us say I have provided a user with authorization level "0/1". Can he delete 1. one line item, 2. the entire shopping cart during the approval process? With the deletion of one line item, is the system going to move forward with the current workflow? We might use Dynamic N-Step workflow.
2. Also we wanted to provide role-based authorization levels (Employee-0, Manager-4), and here comes one more problem. If the manager himself is creating the shopping cart, we want the system to treat the manager as with authorization level 0 for that shopping cart. He cannot change the shopping cart that he has created. What would be the better check for this?
3. Ideal process: "User should be able to delete line items/entire shopping cart during the approval, but should not change the quantity/price/acc-assignments". Is this a standard process? If not, how can we achieve this?
Thank you,
Manyam
Message was edited by: manyam gt
Thank you Disha, and Yann.
Here I got three more doubt after looking at both posts:
1. Let us say I have created an SC with a single line item; deleting such a line item after the approval is as good as deleting the shopping cart. What is the system behavior in this regard (if the line item to be deleted is the last line item in the shopping cart)?
2. Is the authorization level only effective during the approval and not after the approval?
3. If a PO is already sent to the Vendor (goods are shipped) and now the user deletes the line items (before confirmation), what would be the business process in this regard?
Thank you,
Manyam
Message was edited by: manyam gt -
Authorization level check for Condition records.
Hi,
Hi Gurus,
Pls help me out in the following scenario.
I want to activate Authorization level check for Condition records.
For example, Product price PR00 is being entered by first level.
After verification done by second level only, that condition record to be used for sales order processing.
I have gone through Process status & Release Status. But once it is Blocked I am not able to release it...
Rgds,
Amol
Amol,
Please confirm transaction code you are using in this scenario to release. I can help with this, just a little more detail.
Thanks,
Jay -
Reg: Multiple authorization level for HR Report
Dear Experts,
I have a customized report for the payroll area, I need to have authorization for this report.
The requirement is as below
For Ex: i have 5 payroll areas, 1000 personnel numbers, the multiple users and one customized report.
The user has access for 2 payroll areas, the user should select the personnel numbers which has access to the same payroll area.
The same user should not be authorized to access the other payroll areas and the personnel numbers.
One customized report is being executed by multiple users; one user will have access only for one payroll area and he needs to select the personnel area for which payroll area he has access.
Similar concepts follows for the other users.
Can anyone help me to achieve this authorization concept. It would be grateful.
Awaiting for your suggestions.
Thanks in advance.
Regards,
Abdur Rafique
hi,
You can use sy-uname. Such that if some other user enters you can pop up the message you are not authorized.
Regards,
Pawan. -
Posting of difference between PO and invoice by authorization level
Hi all,
I have a question on price difference between PO and invoice.
If i want to restrict postings of invoice by authorization like the following, is it possible to be done? If yes, how?
Clerks only allowed to post those invoice with no difference and rounding difference (small difference). Other invoice with difference (not caused by rounding) can be posted by a higher authorised person and not the clerk. Can this type of authorization be set?
Thanks.
Regards,
Hello
First decide on the authorization roles for different users.
Then these roles can be set by the BASIS team.
Also tolerance groups for different users and amounts can also be set.
Tolerances for Employees
To carry out the activity, choose one of the following navigation options:
Transaction Code SPRO
IMG Menu Financial Accounting → Accounts Payable Accounts Receivable → Business Transactions → Incoming Payments → Manual incoming payments → Define Tolerance Groups for Employees
Tolerances for Business Partners
To carry out the activity, choose one of the following navigation options:
Transaction Code SPRO
IMG Menu Financial Accounting → Accounts Payable Accounts Receivable → Business Transactions → Incoming Payments → Manual incoming payments → Define Tolerances (Customer)
Regards -
Customer Discount with authorization level
Dear Expert
Please, I want to have this in place when giving discount, i.e. when we want to give customers discount, if the discount is 5% or below, someone with a lower profile or role should be able to give it, but when the discount exceeds 5% only a super user should be able to give or authorize it. How do I do the settings to achieve this?
thanks
Use different condition types. Restrict the upper value of the less controlled condition type.
Control who has authorization to the more controlled condition using the authorization object for condition types (V_KONH_VKS).
In your pricing configuration, have the presence of the more controlled condition result in the exclusion of the less controlled. -
Infotype authorizations at Company Code level
The project I am working on has two company codes 1000 & 1100. The user requirement is that a person working in one company should be able to make changes only to employee data of employees in his/her company and to have only read authorizations for employee data from the other company.
I've tried creating a role for Company 1000's employees where the authorization object P_ORGIN has Personnel Areas for that company code itself and all permissions (read, write etc.) and another role with read access to all Personnel Areas. However, when assigned to a user, they are still able to access data from the other company (i.e. the company whose personnel areas were not listed in the first role).
Any ideas what I am doing wrong and how I can resolve them?
Authorization level *
Infotype *
Personnel Area 1000's Personnel Areas
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key *
Authorization level R
Infotype *
Personnel Area 1100's Personnel Areas
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key *
This config should work.
Or can you post the values you entered in all the HR authorization objects in your role so that we can check. (P_ORGIN, PLOGI, P_PERNR etc) -
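The two P_ORGIN authorizations listed in the reply above, modelled as an added example (not part of the original posts and not SAP code) to show how authorizations from several roles combine: a check passes if any single authorization covers every field value. The personnel areas 1001, 1002 and 1101 and the extra broad role are constructed placeholders, and only exact values and `*` are modelled.

```python
# Simplified model of how P_ORGIN authorizations combine (added example).
# Assumptions: personnel areas "1001"/"1002" (company 1000) and "1101"
# (company 1100) are constructed placeholders; only exact values and "*"
# are modelled, not ranges or implied authorization levels.

FIELDS = ("AUTHC", "INFTY", "PERSA", "PERSG", "PERSK", "SUBTY", "VDSK1")


def auth(**values):
    """Build one authorization; fields not given default to '*'."""
    return {f: set(values.get(f, ["*"])) for f in FIELDS}


def field_ok(allowed, wanted):
    """A field matches on an exact value or on the '*' wildcard."""
    return "*" in allowed or wanted in allowed


def check(authorizations, **request):
    """True if ANY single authorization covers ALL requested field values."""
    return any(
        all(field_ok(a[f], v) for f, v in request.items())
        for a in authorizations
    )


# The configuration proposed in the reply: full access to company 1000's
# personnel areas, read-only access to company 1100's personnel areas.
ROLE_COMPANY_1000 = [
    auth(AUTHC=["*"], PERSA=["1001", "1002"]),
    auth(AUTHC=["R"], PERSA=["1101"]),
]

# Hypothetical additional role with full access everywhere. Authorizations
# from all assigned roles are pooled, so this one overrides the restriction.
ROLE_TOO_BROAD = [auth(AUTHC=["*"], PERSA=["*"])]


def can(user_auths, level, persa, infty="0002"):
    """Check one access: authorization level on an infotype in a personnel area."""
    return check(user_auths, AUTHC=level, PERSA=persa, INFTY=infty)


if __name__ == "__main__":
    for label, auths in (
        ("proposed role only", ROLE_COMPANY_1000),
        ("plus a broad role", ROLE_COMPANY_1000 + ROLE_TOO_BROAD),
    ):
        for level, persa in (("W", "1001"), ("R", "1101"), ("W", "1101")):
            print(label, level, persa, can(auths, level, persa))
```

When a user can still change data in the other company, comparing the pooled authorizations of all assigned roles this way points to the role that grants the unwanted access.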
PM Organization Units Authorization on User Level
Hello experts,
Is there a way to add authorization for an organization unit (i.e. Planning Plant) on a user (SU01) level and not on an authorization object (PFCG) level?
For example,
I would like to create the following Role (profile):
ZPM_AUT_EQM_EQUIPMENT_DISPLAY
This role should be able to display equipment from the Plant Maintenance module.
However our problem is, we would like to create authorization levels with organizational units for each user:
For example:
User jsmith has ZPM_AUT_EQM_EQUIPMENT_DISPLAY assigned but can only display equipment from Planning Plant SL01.
We know we can create this authorization creating several roles, like:
ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SL01
ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SJ01
ZPM_AUT_EQM_EQUIPMENT_DISPLAY_AG01
but our idea is not create several roles, but to assign the Planning Plant authorization on a user level and leave just one role so we would only need ZPM_AUT_EQM_EQUIPMENT_DISPLAY.
Is there a way to do this?
Thank you in advance for your replies.
Best regards,
Fernando Montenegro
Hi,
Could you share your solution? I think I have faced the same problem as yours. -
Organization Units Authorization on user level
Hello experts,
Is there a way to add authorization for an organization unit (i.e. Company Code) on a user (SU01) level and not on an authorization object (PFCG) level?
For example,
I would like to create the following Role (profile):
ZFI_AP_REPORT_DISPLAY
This role should be able to display AP report from the Financial module.
However our problem is, we would like to create authorization levels with organizational units for each user:
For example:
User Anson has ZFI_AP_REPORT_DISPLAY assigned but can only display Report from Company Code 3202.
We know we can create this authorization creating several roles, like:
ZFI_AP_REPORT_DISPLAY_3201
ZFI_AP_REPORT_DISPLAY_3202
ZFI_AP_REPORT_DISPLAY_3203
but our idea is not create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.
Is there a way to do this?
Thank you in advance for your replies.
Christine Tseng
I agree with Jurjen. There is no point creating a "new" authorisation concept for a few transactions. If you use standard authorisation objects for the check in your custom tcodes then you will likely have very little work to do if you assign those tcodes to existing roles.
Even using a custom auth object & creating the variants will take up no more time than doing something like repeating the variable functionality in BI or messing about with PIDs in the UMR (which I definitely do not recommend). By sticking with the standard concept you ensure consistency, making it much easier to support and/or handover if you move on from the role. -
Authorization for MRP controller level for PR creation...
HI ..,
Can anybody suggest me How to control the PR creation through authorization level for MRP controller.
Regards
sam
Hi,
Maintain the activity "Purchasing Group in Purchase Requisition", this is M_BANF_EKG. Set activity to:
01 Create or generate
02 Change
03 Display
06 Delete
08 Display change documents
Then maintain the purchasing group EKGRP and entered desired purchasing group.
If you add this to a role, or create a new one say "Purchase Requisitioner", then assign the users. If each user should have different access rights to purchasing group, you would need to maintain this separately per role. Perhaps create a unique per purchasing group.
Use SUIM>Roles>By Auth Object and enter one above. This will show all roles which this current object and you can check which users have the role. Again through SUIM or AGR_USERS table.
Thanks. -
We need to give field-level authorization for some fields
The scenario is as follows:
1. There are various storage locations within a plant.
2. There is one or more people in charge of creating PO and receiving stocks for every storage location.
3. We don't want to authorise the person in charge of one storage location to receive stock in another storage location or even view the other storage locations at the time of creating the PO or any other transaction. The user in charge of one storage location should not be able to view any other storage location in any storage location field's drop down.
regards
Manish
+91 9811647727 -
Field level Authorization for IT0002
Hi All,
We have a requirement to control the authorization for the field NI Number/Social Security number from IT0002.
This field is getting displayed in various standard reports which are in use by administrators/Managers etc....
We want to disable the access of this field to everyone, even the HR administrator.
Kindly suggest if this is possible using authorizations.
I know that we can hide the field in display access for PA20 or PA30, but I am particularly searching the option for various reports.
Regards,
Umesh Chaudhari.
Hi Umesh,
Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu." -> the pop-up "help - P_ABAP" appears.
There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
The standard reports of personnel administration are based on logical database PNP. I would recommend to set your authorization as follows:
Object HR: Master data (P_ORGIN) (two authorizations)
Infotype 0002 ' '
Subtype * ' '
Authorization level R ' '
Organizational key ' ' 0001YYYYXXX
Object HR: Reporting (P_ABAP)
Report name SAPDBPNP
Degree of simplification 1
Please note that if a user has authorization for e.g. the birthday list, (s)he will be able to view the birth date through this query, although (s)he cannot access IT0002 through PA20.
Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
Hope this helps
Sarah -
Hello SAP Gurus,
We have created two segments and we need to restrict the authorization level for both the plants. Please advise how to restrict users to post transactions which don't belong to them. Please let me know as I am doing Roles designing for FI.
Hi Gurus,
I have raised this to SAP and they came back with the below reply:
The object used is F_FAGL_SEG.
The functionality you are asking for is not provided:
Some years ago a few customers asked for the functionality like
payment or clearing per additional account assignments
(example was profit center but technically it makes no difference
if the split criteria of new G/L is PRCTR or like in your case segment)
of new G/L but our solution management so far didn't plan to
realize this development request.
Anyways I have marked this question as answered. -
Authorization concept for the operating SAP staff after Go-live
Dear all,
we are implementing SAP FI and CO. We will have three systems (development, Quality, Production).
1)Customizing is supposed to be done in development only. However, we will need to be able to view the customizing in the production client as well. What is best practice to achieve this? Is there a role /authorization object which only can configure "IMG-allowed to read"?
In the development client, we will need to distinguish the following roles: developer including transports, customizer, and authorization administrator.
2) Are there any SAP standard roles with which you can distinguish these roles?
thank you very much for your support.
best regards Timo
There is no standard IMG display only role.
Even with all of the SOX requirements out there so I guess you will need to build this from scratch.
You also need to make sure you look at all of the information and not just at a t code level as you need to make sure the authorization levels are display rather than maintain. -
HR Authorization issue for specfic User
Dear all,
One of the HR users, he can run payroll on a particular site.
I have assigned the Org key of the site to master data on the particular role.
The user tried to run payroll using PA30 with a personnel no (one of the store users),
but the system is not taking any value and it's not showing any error either.
For example pls check below detail i have tried my user id and system has shows below details of the user (below details is one of the store user ).
Personnel no. 2941
Name A Mohammed Younus
Personnel ar ZOSO EE group A
Subarea STCH EE subgrp 3E
Kindly suggest to resolve the issue
Note: 1. I have deleted the user and I have recreated the role.
2. I have copied another user's role (he can run payroll) to the affected user, even though he is not able to run payroll.
Edited by: satheesh0812 on Dec 17, 2010 9:29 AM
Dear all,
I don't think so there is no issue with Role, only issue with Structure Auth..
Because pls check below Authorization Object.
Changed HR: Master Data
Authorization level E, M, R, W
Infotype *
Personnel Area *
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key 20000156, 20000157, 20000201
In OOSP for particular Org key .
Auth profile Auth.Profile name
CTHR_CHENNAI CTHR_Chen
Auth profile No Plan Vers Obj Type Object I Maint Eval.path Status vec
CTHR_CHENNAI 1 01 O 20000156 O-S-P 12
CTHR_CHENNAI 2 01 O 20000157 O-S-P 12
CTHR_CHENNAI 3 01 O 20000201 O-S-P 12
In OOSB details
IN OOSB I have assigned Authorization profile to UserXXX, user can see all employee details in PA30 except one employee details , can
User name Autho.profile Start date End date Exclusion Display Objects
XXXX CTHR_CHENNAI 01.01.2005 31.12.9999
If i give Autho.profile --> all instead of CTHR_CHENNAI ..
HR executive can able see all employee details in PA30 ...
Let me know where exactly issue is there ...
Kindly suggest...