Authorization Level in HR authorisations

Hi Experts,
In HR Authorizations, what is the use of the 'M' (Match Code) and 'S' (Symmetrical) access modes, and how do they work under the authorisation objects? How to use them? And
how does the Organization Key field work?
Can someone explain this?
Thanks in Advance,
Sandhya

Authorization level M is used to allow access to the input help (using F4).
For more info on the symmetrical double verification principle (as opposed to asymmetrical), have a look [over here|http://help.sap.com/saphelp_47x200/helpdata/en/ab/4bba3b3bf00152e10000000a114084/frameset.htm].
The organizational key (VDSK1) can be useful in many cases if you want to include additional authorization through organizational assignments. For more info [look here|http://help.sap.com/saphelp_47x200/helpdata/en/17/4bba3b3bf00152e10000000a114084/frameset.htm].

Similar Messages

  • Authorization level question

    Hi,
    Can anybody throw some light on to this.
    1. Let us say I have provided a user with authorization level "0/1". Can he delete 1. one line item 2. the entire shopping cart during the approval process? With the deletion of one line item, is the system going to move forward with the current workflow? We might use Dynamic N-Step workflow.
    2. Also we wanted to provide role based authorization levels (Employee-0, Manager-4), and here comes one more problem. If the manager himself is creating the shopping cart, we want the system to treat the manager as with authorization level 0 for that shopping cart. He cannot change the shopping cart that he has created. What would be the better check for this?
    3. Ideal process: "User should be able to delete line items/entire shopping cart during the approval, but should not change the quantity/price/acc-assignments". Is this a standard process? If not, how can we achieve this?
    Thank you,
    Manyam

    Thank you Disha, and Yann.
    Here I got three more doubts after looking at both posts:
    1. Let us say I have created an SC with a single line item; deleting such a line item after the approval is as good as deleting the shopping cart. What is the system behavior in this regard (if the line item to be deleted is the last line item in the shopping cart)?
    2. Will the authorization level only be effective during the approval and not after the approval?
    3. If a PO is already sent to the Vendor (Goods are shipped) and now the user deletes the line items (before confirmation), what would be the business process in this regard?
    Thank you,
    Manyam

  • Authorization level check for Condition records.

    Hi,
    Hi Gurus,
    Pls help me out in the following scenario.
    I want to activate Authorization level check for Condition records.
    For example, Product price PR00 is being entered by first level.
    After verification done by second level only, that condition record to be used for sales order processing.
    I have gone through Process status & Release Status. But once it is Blocked I am not able to release it...
    Rgds,
    Amol

    Amol,
    Please confirm transaction code you are using in this scenario to release. I can help with this, just a little more detail.
    Thanks,
    Jay

  • Reg: Multiple authorization level for HR Report

    Dear Experts,
    I have a customized report for the payroll area, I need to have authorization for this report.
    The requirement is  as below
    For Ex: i have 5 payroll areas, 1000 personnel numbers, the multiple users and one customized report.
    The user has access for 2 payroll areas, the user should select the personnel numbers which has access to the same payroll area.
    The same user should not be authorized to access the other payroll areas and the personnel numbers.
    One customized report is being executed by multiple users; one user will have access only for one payroll area and he needs to select the personnel area for which payroll area he has access.
    Similar concepts follows for the other users.
    Can anyone help me to achieve this authorization concept. It would be grateful.
    Awaiting for your suggestions.
    Thanks in advance.
    Regards,
    Abdur Rafique

    hi,
    You can use sy-uname. Such that if some other user enters you can pop up the message you are not authorized.
    Regards,
    Pawan.

  • Posting of difference between PO and invoice by authorization level

    Hi all,
    I have a question on price difference between PO and invoice. 
    If i want to restrict postings of invoice by authorization like the following, is it possible to be done?  If yes, how?
    Clerks only allowed to post those invoice with no difference and rounding difference (small difference).  Other invoice with difference (not caused by rounding) can be posted by a higher authorised person and not the clerk.  Can this type of authorization be set? 
    Thanks.
    Regards,

    Hello
    First decide on the authorization roles for different users.
    Then these roles can be set by the BASIS team.
    Also tolerance groups for different users and amounts can also be set.
    Tolerances for Employees
    To carry out the activity, choose one of the following navigation options:
    Transaction Code     SPRO
    IMG Menu     Financial Accounting -> Accounts Payable Accounts Receivable -> Business Transactions -> Incoming Payments -> Manual incoming payments -> Define Tolerance Groups for Employees
    Tolerances for Business Partners
    To carry out the activity, choose one of the following navigation options:
    Transaction Code     SPRO
    IMG Menu     Financial Accounting -> Accounts Payable Accounts Receivable -> Business Transactions -> Incoming Payments -> Manual incoming payments -> Define Tolerances (Customer)
    Regards

  • Customer Discount with authorization level

    Dear Expert
    Please, I want to have this in place when giving discounts, i.e. when we want to give customers a discount: if the discount is below 5%, someone with a lower profile or role should be able to give it, but when the discount exceeds 5%, only a super user should be able to give or authorize it. How do I do the settings to achieve this?
    thanks

    Use different condition types. Restrict the upper value of the less controlled condition type.
    Control who has authorization to the more controlled condition using the authorization object for condition types (V_KONH_VKS).
    In your pricing configuration, have the presence of the more controlled condition result in the exclusion of the less controlled.

  • Infotype authorizations at Company Code level

    The project I am working on has two company codes 1000 & 1100.  The user requirement is that a person working in one company should be able to make changes only to employee data of employees in his/her company and to have only read authorizations for employee data from the other company.
    I've tried creating a role for Company 1000's employees where the authorization object P_ORGIN has Personnel Areas for that company code itself and all permissions (read, write etc.) and another role with read access to all Personnel Areas.  However, when assigned to a user, they are still able to access data from the other company (i.e. the company whose personnel areas were not listed in the first role). 
    Any ideas what I am doing wrong and how I can resolve them?

    Authorization level            *
    Infotype                       *
    Personnel Area                 1000's Personnel Areas
    Employee Group                 *
    Employee Subgroup              *
    Subtype                        *
    Organizational Key             *

    Authorization level            R
    Infotype                       *
    Personnel Area                 1100's Personnel Areas
    Employee Group                 *
    Employee Subgroup              *
    Subtype                        *
    Organizational Key             *
    This config should work.
    Or can you post the values you entered in all the HR authorization objects in your role so that we can check. (P_ORGIN, PLOGI, P_PERNR etc)
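
An added example, not part of the original thread and not SAP code: a simplified Python model of how the two P_ORGIN authorizations in the answer above are evaluated. All fields inside one authorization must match, while separate authorizations (including those from other roles on the same user) are alternatives. The personnel area codes, the request values and the leftover role are constructed, and authorization levels are compared literally.

```python
# Simplified model of an authorization check against P_ORGIN.
# FIELDS are the technical field names of the object.
FIELDS = ("AUTHC", "INFTY", "PERSA", "PERSG", "PERSK", "SUBTY", "VDSK1")


def authorization(**values):
    """Build one authorization; fields that are not given default to '*'."""
    unknown = set(values) - set(FIELDS)
    if unknown:
        raise ValueError(f"not a P_ORGIN field: {sorted(unknown)}")
    auth = {}
    for field in FIELDS:
        v = values.get(field, ("*",))
        auth[field] = (v,) if isinstance(v, str) else tuple(v)
    return auth


def value_matches(patterns, actual):
    """True if one maintained value ('*', 'AB*' or an exact value) covers actual."""
    for p in patterns:
        if p == "*" or p == actual:
            return True
        if p.endswith("*") and actual.startswith(p[:-1]):
            return True
    return False


def granting_authorizations(user_auths, request):
    """Names of the authorizations that satisfy the whole request on their own."""
    return [name for name, auth in user_auths.items()
            if all(value_matches(auth[f], request[f]) for f in FIELDS)]


def is_allowed(user_auths, request):
    # One fully matching authorization is enough: authorizations are ORed.
    return bool(granting_authorizations(user_auths, request))


def request(level, personnel_area):
    """A check on infotype 0002; all values other than the arguments are constructed."""
    return {"AUTHC": level, "INFTY": "0002", "PERSA": personnel_area,
            "PERSG": "1", "PERSK": "X0", "SUBTY": "", "VDSK1": ""}


# Constructed personnel areas standing in for "1000's" and "1100's" areas.
AREAS_1000 = ("1001", "1002")
AREAS_1100 = ("1101",)

# The two authorizations from the answer.
ROLE_AS_ANSWERED = {
    "own company, all levels": authorization(PERSA=AREAS_1000),
    "other company, read only": authorization(AUTHC="R", PERSA=AREAS_1100),
}

# Same user with one more (hypothetical) role that still carries full values.
WITH_LEFTOVER = dict(ROLE_AS_ANSWERED)
WITH_LEFTOVER["leftover role, all values"] = authorization()

if __name__ == "__main__":
    for label, auths in (("as answered", ROLE_AS_ANSWERED),
                         ("with leftover role", WITH_LEFTOVER)):
        for level, area in (("W", "1001"), ("R", "1101"), ("W", "1101")):
            hits = granting_authorizations(auths, request(level, area))
            print(f"{label:20} {level} on {area}: {hits or 'denied'}")
```

Listing which authorization granted a request is the useful part when a restriction appears not to work: any other role on the user that carries wider P_ORGIN values satisfies the check on its own.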

  • PM Organization Units Authorization on User Level

    Hello experts,
    Is there a way to add authorization for an organization unit (i.e. Planning Plant) on a user (SU01) level and not on an authorization object (PFCG) level?
    For example,
    I would like to create the following Role (profile):
    ZPM_AUT_EQM_EQUIPMENT_DISPLAY
    This role should be able to display equipment from the Plant Maintenance module.
    However our problem is, we would like to create authorization levels with organizational units for each user:
    For example:
    User jsmith has ZPM_AUT_EQM_EQUIPMENT_DISPLAY assigned but can only display equipment from Planning Plant SL01.
    We know we can create this authorization creating several roles, like:
    ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SL01
    ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SJ01
    ZPM_AUT_EQM_EQUIPMENT_DISPLAY_AG01
    but our idea is not to create several roles, but to assign the Planning Plant authorization on a user level and leave just one role so we would only need ZPM_AUT_EQM_EQUIPMENT_DISPLAY.
    Is there a way to do this?
    Thank you in advance for your replies.
    Best regards,
    Fernando Montenegro

    Hi,
    Could you share your solution? I think I face the same problem as yours.

  • Organization Units Authorization on user level

    Hello experts,
    Is there a way to add authorization for an organization unit (i.e. Company Code) on a user (SU01) level and not on an authorization object (PFCG) level?
    For example,
    I would like to create the following Role (profile):
    ZFI_AP_REPORT_DISPLAY
    This role should be able to display AP report from the Financial module.
    However our problem is, we would like to create authorization levels with organizational units for each user:
    For example:
    User Anson has ZFI_AP_REPORT_DISPLAY assigned but can only display Report from Company Code 3202.
    We know we can create this authorization creating several roles, like:
    ZFI_AP_REPORT_DISPLAY_3201
    ZFI_AP_REPORT_DISPLAY_3202
    ZFI_AP_REPORT_DISPLAY_3203
    but our idea is not to create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.
    Is there a way to do this?
    Thank you in advance for your replies.
    Christine Tseng

    I agree with Jurjen.  There is no point creating a "new" authorisation concept for a few transactions.  If you use standard authorisation objects for the check in your custom tcodes then you will likely have very little work to do if you assign those tcodes to existing roles.
    Even using a custom auth object & creating the variants will take up no more time than doing something like repeating the variable functionality in BI or messing about with PIDs in the UMR (which I definitely do not recommend).  By sticking with the standard concept you ensure consistency, making it much easier to support and/or handover if you move on from the role.

  • Authorization for MRP controller level for PR creation...

    Hi,
    Can anybody suggest how to control the PR creation through authorization level for MRP controller?
    Regards
    sam

    Hi,
    Maintain the activity "Purchasing Group in Purchase Requisition", this is M_BANF_EKG. Set activity to:
    01     Create or generate
    02     Change
    03     Display
    06     Delete
    08     Display change documents
    Then maintain the purchasing group EKGRP and enter the desired purchasing group.
    If you add this to a role, or create a new one say "Purchase Requisitioner", then assign the users. If each user should have different access rights to purchasing group, you would need to maintain this separately per role. Perhaps create a unique per purchasing group.
    Use SUIM>Roles>By Auth Object and enter one above. This will show all roles which this current object and you can check which users have the role. Again through SUIM or AGR_USERS table.
    Thanks.

  • We need to give field-level authorization for some fields

    The scenario is as follows:
    1. There are various storage locations within a plant.
    2. There is one or more people in charge of creating PO and receiving
    stocks for every storage location.
    3. We don't want to authorise the person in charge of one storage
    location to receive stock in another storage location or even view the
    other storage locations at the time of creating the PO or any other
    transaction. The user in charge of one storage location should not be
    able to view any other storage location in any storage location field's
    drop down.
    regards
    Manish


  • Field level Authorization for IT0002

    Hi All,
    We have a requirement to control the authorization for the field NI Number/Social Security number from IT0002.
    This field is getting displayed in various standard reports which are in use by administrators/Managers etc....
    We want to disable the access of this field to everyone, even the HR administrator.
    Kindly suggest if this is possible using authorizations.
    I know that we can hide the field in display access for PA20 or PA30, but I am particularly searching for the option for various reports.
    Regards,
    Umesh Chaudhari.

    Hi Umesh,
    Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
    SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu."  -> the pop-up "help - P_ABAP" appears.
    There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
    The standard reports of personnel administration are based on logical database PNP. I would recommend to set your authorization as follows:
    Object HR: Master data (P_ORGIN) (two authorizations)
      Infotype                  0002             ' '
      Subtype                   *                ' '
      Authorization level       R                ' '
      Organizational key        ' '              0001YYYYXXX
    Object HR: Reporting  (P_ABAP)
      Report name                SAPDBPNP
      Degree of simplification   1
    Please note that if a user has authorization for e.g. the birthday list, (s)he will be able to view the birth date through this query, although (s)he cannot access IT0002 through PA20.
    Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
    Hope this helps
    Sarah

  • Segment Level Authorizations

    Hello SAP Gurus,
    We have created two segments and we need to restrict the authorization level for both the plants. Please advise how to restrict users from posting transactions which don't belong to them. Please let me know, as I am doing Roles designing for FI.

    Hi Gurus,
    I have raised this to SAP and they came back with the below reply:
    The object used is F_FAGL_SEG.
    The functionality you are asking for is not provided:
    Some years ago a few customers asked for the functionality like
    payment or clearing per additional account assignments
    (example was profit center but technically it makes no difference
    if the split criteria of new G/L is PRCTR or like in your case segment)
    of new G/L but our solution management so far didn't plan to
    realize this development request.
    Anyways, I have marked this question as answered.

  • Authorization concept for the operating SAP staff after Go-live

    Dear all,
    we are implementing SAP FI and CO. We will have three systems (development, Quality, Production).
    1)Customizing is supposed to be done in development only. However, we will need to be able to view the customizing in the production client as well. What is best practice to achieve this? Is there a role /authorization object which only can configure "IMG-allowed to read"?
    In the development client, we will need to distinguish the following roles: developer including transports, customizer, and authorization administrator.
    2) Are there any SAP standard roles with which you can distinguish these roles?
    thank you very much for your support.
    best regards Timo

    There is no standard IMG display only role.
    Even with all of the SOX  requirements out there so I guess you will need to build this from scratch.
    You also need to make sure you look at all of the information and not just at a t code level as you need to make sure the authorization levels are display rather than maintain.

  • HR Authorization issue for specific User

    Dear all,
    One of the HR users can run payroll on a particular site.
    I have assigned the Org key of the site to master data on the particular role.
    The user tried to run payroll using PA30 with a personnel no. (one of the store users),
    but the system does not take any value and it's not showing any error either.
    For example, please check the details below: I have tried my user ID and the system shows the details below for the user (the details below are for one of the store users).
    Personnel no.   2941
    Name         A  Mohammed Younus
    Personnel ar ZOSO                            EE group   A
    Subarea      STCH                            EE subgrp  3E
    Kindly suggest how to resolve the issue.
    Note: 1. I have deleted the user and I have recreated the role.
    2. I have copied another user's role (he can run payroll) to the affected user; even so, he is not able to run payroll.
    Edited by: satheesh0812 on Dec 17, 2010 9:29 AM

    Dear all,
    I don't think so there is no issue with Role, only issue with Structure Auth.
    Because, please check the below Authorization Object.
    Changed    HR: Master Data
      Authorization level            E, M, R, W
      Infotype                       *
      Personnel Area                 *
      Employee Group                 *
      Employee Subgroup              *
      Subtype                        *
      Organizational Key             20000156, 20000157, 20000201
    In OOSP for particular Org key .
    Auth profile              Auth.Profile name
    CTHR_CHENNAI     CTHR_Chen
    Auth profile             No  Plan Vers Obj Type   Object I         Maint Eval.path Status vec
    CTHR_CHENNAI     1     01               O                   20000156              O-S-P     12
    CTHR_CHENNAI     2     01               O                  20000157             O-S-P     12
    CTHR_CHENNAI     3     01               O                  20000201            O-S-P     12
    In OOSB details
    IN OOSB I have assigned Authorization profile to UserXXX, user can see all employee details in PA30 except one employee details , can
    User name Autho.profile                           Start date        End date            Exclusion Display Objects
    XXXX          CTHR_CHENNAI                     01.01.2005     31.12.9999
    If I give Autho.profile --> all instead of CTHR_CHENNAI,
    the HR executive is able to see all employee details in PA30...
    Let me know where exactly issue is there ...
    Kindly suggest...
