Excessive Access to Infotypes.

Hi all, I would greatly appreciate it if someone could advise on a situation I encountered.
Setup: I have set up a role with access to Employee Groups 1-3 (excluding 0).
I then assign this role to User A.
User A tries to access Employee ZZ, whereby Employee ZZ has the following records in IT0001 (Org Assignment).
In ascending order:
01.01.1999 to 31.12.2003 (Employee Group = 3)
01.01.2004 to 31.03.2009 (Employee Group = 3)
01.04.2009 to 31.12.9999 (Employee Group = 0)
As you can see, the latest record points to EE group 0, which User A does not have access to.
Now User A tries to access a customised infotype 9xxx of this Employee ZZ with the following records:
01.01.2009 to 31.03.2009
01.04.2009 to 31.12.9999
My problem here is that, based on the IT0001 records, User A should not have access to Employee ZZ based on the latest Org Assignment, and therefore should not be able to access IT9xxx of this Employee ZZ. However, User A is able to access BOTH records.
I then did a test: if I remove '3' from the role (meaning it's left with EE group 1-2 access), User A is then restricted from viewing the record.
Is there any setting I can make to prevent such access? My understanding is that, at the very most, User A should see only the earlier record of 9XXX, so why is the latest record (01042009 to 31129999) showing as well?
Baffled about this. Hope someone can enlighten me.

Hi Ted Dinh, I've checked and the switch is already on.
It is checking correctly if the user does not have any access to the 3 records of IT0001, but somehow the system allows him access when he has access to a historical record where the EE group is accessible.
Hope to get more comments on this.
Cheers!
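
A simplified model of the outcomes discussed in this thread, added here as an illustration; it is not SAP's authorization code and was not posted by the participants. It contrasts the behaviour the poster observed (any authorized IT0001 period exposes every IT9xxx record) with the two behaviours the poster expected. All function names and the key date are assumptions; the record dates are the ones from the post.

```python
from datetime import date

HIGH_DATE = date(9999, 12, 31)

# Sample data taken from the post: IT0001 history of Employee ZZ as
# (begin, end, employee group), and the two IT9xxx records as (begin, end).
IT0001_ZZ = [
    (date(1999, 1, 1), date(2003, 12, 31), "3"),
    (date(2004, 1, 1), date(2009, 3, 31), "3"),
    (date(2009, 4, 1), HIGH_DATE, "0"),
]
IT9XXX_ZZ = [
    (date(2009, 1, 1), date(2009, 3, 31)),
    (date(2009, 4, 1), HIGH_DATE),
]


def authorized_periods(org_history, allowed_groups):
    """Merge the IT0001 intervals whose employee group the role allows."""
    periods = []
    for begin, end, group in sorted(org_history):
        if group not in allowed_groups:
            continue
        if periods and (begin - periods[-1][1]).days <= 1:
            # Adjacent to or overlapping the previous period: extend it.
            periods[-1] = (periods[-1][0], max(periods[-1][1], end))
        else:
            periods.append((begin, end))
    return periods


def group_on(org_history, key_date):
    """Employee group of the IT0001 record valid on key_date, or None."""
    for begin, end, group in org_history:
        if begin <= key_date <= end:
            return group
    return None


def visible_any_period(records, org_history, allowed_groups):
    """Observed: one authorized period, however old, exposes every record."""
    return list(records) if authorized_periods(org_history, allowed_groups) else []


def visible_overlap(records, org_history, allowed_groups):
    """Expected 'at the very most': validity must overlap an authorized period."""
    periods = authorized_periods(org_history, allowed_groups)
    return [(b, e) for b, e in records
            if any(b <= p_end and p_begin <= e for p_begin, p_end in periods)]


def visible_current_assignment(records, org_history, allowed_groups, key_date):
    """Strictest expectation: only the assignment valid on key_date counts."""
    return list(records) if group_on(org_history, key_date) in allowed_groups else []


def excess_records(records, org_history, allowed_groups):
    """Records the any-period check exposes beyond the overlap check."""
    strict = visible_overlap(records, org_history, allowed_groups)
    return [r for r in visible_any_period(records, org_history, allowed_groups)
            if r not in strict]


if __name__ == "__main__":
    role = {"1", "2", "3"}
    key = date(2009, 6, 1)  # constructed key date after the group change
    print("any period :", visible_any_period(IT9XXX_ZZ, IT0001_ZZ, role))
    print("overlap    :", visible_overlap(IT9XXX_ZZ, IT0001_ZZ, role))
    print("current    :", visible_current_assignment(IT9XXX_ZZ, IT0001_ZZ, role, key))
    print("excess     :", excess_records(IT9XXX_ZZ, IT0001_ZZ, role))
```

Running `excess_records` over each sensitive infotype and role combination gives an access reviewer the list of records that only a historical assignment exposes.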

Similar Messages

  • Report all user who has access to * infotypes

    Hi guys,
    I'm looking for a report that shows me which users have access to infotypes.
    Right now I need to go to SU01, then click on Roles, then click on a specific role and then on Display Role Authorizations; there I can see Human Resources, Personal Data and infotype with *.
    I need to know all the users that have access to all infotypes or a specific one.
    Any ideas?

    There are a lot of auth objects in the HR area....
    My advice would be to pick the main ones and search with pattern '#**' for the infotype field to see what you get.
    But other fields are also relevant. In HR you need to know the data, and not just the coding and the customizing (SPRO) and the authority (PFCG).
    Talk to your functional folks and the HR system support. They will be able to help you more than we can, most likely.
    Cheers,
    Julius

  • BAPI to access/modify infotype data?

    Hi gurus,
    Is there any existed remote enabled function modules or web services could be used to access and modify infotypes? I want to do that in webdynpro java but nowhere to find them.
    thanks in advance.
    Xiaoming

    Hi,
    Yes. You need to create a wrapper RFC around these FMs.
    You can look at these FMs:
    For 1000.
    RH_INSERT_INFTY
    RH_COPY_INFTY
    RH_UPDATE_INFTY
    For 1001.
    RH_INSERT_INFTY_1001_EXT
    RH_UPDATE_INFTY_1001_EXT
    RH_BASE_READ_INFTY_1001
    RH_READ_INFTY_1001
    RH_READ_INFTY_1001_EXT
    Manoj.

  • Handling for un-authorize access to infotype

    I am calling a function module to add a record to an infotype. I want to set a return code if the user is not authorized to access the infotype,
    but nothing comes back in wa_return, even though the infotype is not getting updated.
    data: wa_return type bapiret1.
    CALL FUNCTION 'HR_INFOTYPE_OPERATION'
        EXPORTING
          infty         = '9077'
          number        = wa_p9077-pernr
          validityend   = wa_p9077-endda
          validitybegin = wa_p9077-begda
          record        = wa_p9077
          operation     = 'INS'
        IMPORTING
          return        = wa_return.
    please guide

    This forum is for Web Dynpro ABAP directly related questions only.  This question has no relation to Web Dynpro ABAP.  Locking thread.

  • Authorization Access to Infotypes

    Hi,
    I am trying to set up some authorisations which restrict access to certain infotypes.
    I have tried to stop a user changing IT9 while still being able to view it, and I have made the settings below in the role using P_ORGIN:
    Authorization Level: R
    Infotype: 9
    Pers Area: *
    Employee Grp: *
    Employee Subgrp: *
    Subtype: *
    Org Key: *
    But I can still create and edit the bank details.
    Am I using the wrong object?
    Thanks
    Tom

    Have you tried this with an ST01 trace in the background? The trace analysis should give you some clues about failed and succeeded authorization checks.
    This is the only P_ORGIN object in all roles assigned to the user? If not, what are the values of the other ones?

  • Delete and unlock access for infotypes

    Hi All,
    Is there way to have only access to delete and unlock infotypes in HR?
    We need to give access for unlocking and delete access to few users
    Please suggest.
    Regards
    Manish

    HI Gaj,
    I have checked E and D:
    E comes with a package of delete, create and change records,
    and D has authorization to unlock records.
    But my requirement is just to delete locked records and unlock locked records.
    That is a combination of E and D.
    please advise
    Regards
    Manish

  • SAP HR infotype access through portal

    Hi All,
    Below is the client requirement
    *They want to access an infotype "pa9016" in portal*
    In order to do is I have created a SAP Transactional iview and selected the system and in the Tcode area I have given the infotype name "pa9016".
    Assigned the iview to Role
    Now the problem I am facing is when i click on the Role I see the error message
    pa9016 tcode unknown
    My question is: can we access an infotype using an SAP Transactional iView? If not, how do we access the infotype in the portal?
    thanks in advance

    Hello All,
    It is not possible for you to create a transactional Iview for an Infotype in Portal.
    We have 2 options to access the PA info type 9016 in Portal
    1. Create a program in the back end system which will pull the data from the Info type 9016 and attach the program to the new transaction code. Then create a Transactional Iview in Portal for this newly created transaction code.
    2. Add this Info type 9016 in the existing PA role (back end role). We can add the PA Info types in the following authorization objects
    P_ORGIN
    P_ORGINCON
    P_ORGXXCON
    P_PERNR
    The second option is recommended.
    Best Wishes,
    Suganthi.

  • PA30 access restricted to only infotype 105

    Hello All,
    I am trying to create a role with PA30 and it should have access only to create or change infotype 105 (communication).
    I tried putting infotype 0105 in the 'infotype' value in auth.obj, but it doesn't seem to work.
    Any ideas on how this can be achieved?
    Thanks and Regards,
    Shobana

    it should have access only to create or change infotype 105 (communication)
    I tried putting infotype 0105 in the 'infotype' value in auth.obj, but it doesn't seem to work.
    Create or Change access to Infotype 0105 has to be restricted on auth object P_ORGIN  via following fields:
    INFTY= 0105
    SUBTY= Specify any subtype of IT0105 you would want to restrict (like 0001 or 9001 etc), in case of full access assign *
    AUTHC= Authorization levels W- Write data records, E- Write locked records
    PERSA= Personnel area to which user should have access to
    EE group
    EE Subgroup
    VDSK1 (Org key)
    Last three fields are further levels of restrictions which can be used based on your design.
    To activate check on P_ORGIN, put value of AUTSW ORGIN = 1 in table T77S0 or OOAC tcode.
    In case these steps have already been addressed in your case, please provide with more details about the error message users are receiving or what is the issue being encountered.
    Thanks!
    Sandipan

  • HR-ABAP Infotype Authorization issue!

    Hello Experts,
    Need your quick suggestions and inputs, which we're currently facing in our project.
    We're using the PNPCE Logical Database for processing/retrieving the records from infotypes and ALV reports are generated.
    Currently, we have an authorization control which will restrict the user roles in accessing certain infotypes. Thus, the user role is assigned with necessary infotype access in PFCG.
    Now the issue arises if a particular user role does not have the authorization for infotype XXXX, which is defined in the Global Declaration (Top Include) in the INFOTYPES statement. E.g.: INFOTYPES: XXXX.
    Thus, when the report is executed, the XXXX infotype authorization is checked as it is defined in the INFOTYPES statement, but since the user role is not given the XXXX infotype authorization in PFCG, the report execution fails when it checks the infotype authorization on entering GET PERAS. Thus, a blank screen is thrown with the standard SAP error... "No authorization for XXXX infotype".
    Is there any way this error message, which blocks the execution of the report, can be by-passed? If yes, please help to suggest the necessary steps to do so. Thus, the report execution should not be blocked and the ALV report should be displayed with blank values for those XXXX infotypes which do not have authorization even though defined in the INFOTYPES statement in the Top Include.
    Hope am much clear in describing the major issue that we're currently facing.
    Any inputs to get this issue resolved will be highly appreciated.
    Thanks in anticipation.
    Regards,
    Sundar

    Have you explored the option of using the BAdI HRPAD00AUTH_CHECK?
    ~Suresh

  • HR-ABAP-Infotypes concept

    Hi Masters,
    Can you please let me know the exact reason for the infotypes concept in HR-ABAP?
    1. Why are we using infotypes and what exactly is the purpose?
    2. Why are we using LDBs? Why can't we extract data directly from database tables?
    3. Can you please give me clear explanations about these infotypes?

    Hi
    Infotype(s) are used in the Personnel Management (PA) module primarily. This is where personnel master data is stored. Data is grouped according to subject matter. The Human Resources component aims to enable the user to process employee data in an effective structure in accordance with business requirements. The data structure of infotypes mirrors a logical set of data records. Infotypes can be identified by their four-digit keys, for example, the Addresses infotype (0006). To facilitate reporting on past employee data, infotypes can be saved for specific periods.
    Some people use the term HR ABAP to describe the method of managing the infotype data. Typically HR logical databases are used which offers more secure methods of accessing the infotype data. Once the infotypes are declared, you can use standard macros to access the data. Table TRMAC holds the macro name and the code behind it. This makes developing HR programs much quicker and easy to turn around.
    HR uses INFOTYPES instead of tables.
    There are different sub modules exist in HR.
    For Personal Admn the Infotypes start with PA0000 to PA1999
    Time Related Infotypes start with PA2000 to PA2999.
    Orgn related Infotypes start with HRP1000 to HRP1999.
    All custom developed infotypes start with PA9000 onwards.
    In payroll processing we use Clusters like PCL1,2,3 and 4.
    Instead of Select query we use PROVIDE and ENDPROVIDE..
    You have to assign a Logical Database in the attributes PNP.
    Go through the SAp doc for HR programming and start doing.
    http://www.sapdevelopment.co.uk/hr/hrhome.htm
    See:
    http://help.sap.com/saphelp_46c/helpdata/en/4f/d5268a575e11d189270000e8322f96/content.htm
    http://help.sap.com/saphelp_47x200/helpdata/en/bb/bdb041575911d189240000e8323d3a/frameset.htm
    see this link you would get information about types of infotypes
    Logical databases are special ABAP programs that retrieve data and make it available to application programs. The most common use of logical databases is still to read data from database tables by linking them to executable ABAP programs.
    Logical databases contain Open SQL statements that read data from the database. You do not therefore need to use SQL in your own programs. The logical database reads the program, stores them in the program if necessary, and then passes them line by line to the application program or the function module LDB_PROCESS using an interface work area.
    For further info
    check link http://help.sap.com/saphelp_nw70/helpdata/en/9f/db9b5e35c111d1829f0000e829fbfe/frameset.htm
    1. A logical database is in fact a program only.
    2. This LDB provides two main things:
    a) a pre-defined selection screen which handles all user inputs and validations
    b) a pre-defined set of data based upon the user selection.
    3. So we don't have to worry about which tables to fetch data from.
    4. Moreover, this LDB program handles all user authorisations and is efficient in all respects.
    5. The tcode is SLDB.
    /people/srivijaya.gutala/blog/2007/03/05/why-not-logical-databases
    Reward if useful

  • Adhoc query for OM infotypes

    Hi Experts,
    We have an adhoc query based on PNP logical database. But client wants to access OM infotypes data using that query. Can you guide me how we can do that?
    Thanks and Regards,
    Ashish.

    If you are looking to add few fields, you can create custom fields in function group and write code for them . You can create the custom fields by following steps.
    Go to t-code SQ02
    Give your infoset name go to change ->
    Click on "EXTRAS"
    Click "Paper “Create " Pop-up will appear
    -Choose "Additional field" name as Zamnt1
    Give long text & header
    Like reference as “pa0008-BET02”
    Code in screen “save it"
    Go back to fields group and assign additional fields to your Fields group.
    Don’t forget to generate. You can create as many fields as you want this way.
    FYI https://forums.sdn.sap.com/click.jspa?searchID=14569976&messageID=5750674
          http://jelajahsap.files.wordpress.com/2008/01/abap-query.pdf
    Thanks,
    Khan

  • Are there any SAP delivered screens in infotypes for different countries

    HI,
    I am checking whether there are any SAP delivered interfaces for different infotypes, e.g. a different screen for Mexico or Brazil for IT 0002. Please let me know.
    Thanks,
    Rashmi

    Dear Rashmi,
    In IMG (SPRO) under 
    Personal Management -> Personal Administration -> Customizing Procedures -> Infotypes -> Assign infotypes to countries
    If the Country-Dependent Subtypes indicator is set for the infotype in view T777D Infotypes - Dialog/Database Assignment, you can also specify the permissibility of Subtypes for country infotypes.
    At the moment, this indicator can only be used for infotypes whose subtypes are defined in the Subtype Characteristics view (V_T591A).
    Examples:
    Itype  Itype text   Type  Descript.     Cntgrp  Descript.  Status
    0006   Addresses    J2    Guarantor     22      Japan      permitted
    0012   Tax Data D   *     all subtypes  01      Germany    permitted
    There is no entry for the Personal Data infotype (0002). This means the infotype is permitted for all country groupings.
    In the Addresses infotype (0006), the subtype Guarantor (J2) is only allowed for Japan.  All other subtypes are permitted for all country groupings.
    The Tax Data D (0012) infotype is only permitted for country grouping Germany.  Other countries cannot access this infotype.
    Regards,
    Naveen.

  • Qualifications and Infotype 0024

    I would like to understand the relationship between Qualifications Profiles and Infotype 0024
    When we create Qualifications Profiles on the PD side, on the Person Object, for example, does it automatically get transferred to IT0024 or do we have to run a Program or a Report to populate IT0024.
    Similarly, if we create IT0024 with Qualification data, do we have to also maintain the Profile on the PD side with similar data, or does it transfer data automatically, or do we have to run a Report or a Program?
    Please note that PA/PD/OM integration is all ACTIVE.

    Hi My Friend
    Please refer to the SAP note  384001 -  FAQ: Qualifications and Requirements
    1.  How do you activate integration between Personnel Administration and
         Personnel Planning for qualifications?
    Customizing: table T77S0, parameter PLOGI QUALI
    2.  How does active integration affect infotype 0024 in a personnel
         action?
    When integration is active, infotypes 0024 or 0025 must always come at
    the end of a personnel action.
    3.  What impact does active integration have for the Ad Hoc Query?
    When integration is active, the data is no longer physically stored in
    infotype 0024 (table PA0024), but in infotype 1001 (table HRP1001
    subtype A032). This explains too, why you can no longer directly access
    the infotype fields of IT0024 in the query. Any attempt to access these
    always fails.
    4.  Why is the qualifications catalog not alphabetically sorted in F4
         possible entries help?
    Generally speaking, sorting in the qualifications catalog (transaction
    OOQA or PPQD) is not the same as sorting in the possible entries feature
    (F4 help). The reason for this is the different method used for the
    sorting. While sorting in transactions OOQA and PPQD is done
    alphabetically, the possible entries feature only sorts the first level
    (qualification groups) alphabetically. All other levels are sorted by
    object ID.
    From release 4.6C you can sort qualifications manually in the
    qualifications catalog (transaction OOQA). From a technical point of
    view, this information is stored in the database field P1001-PRIOX. This
    sorting also applies to the possible entries help. Thus, the
    qualifications catalog has the same sorting throughout.
    If you have a pre-4.6C release, you can only achieve the same sorting if
    you adjust the field P1001-PRIOX accordingly using transaction PP01 or
    PP02. Before you use transactions PP01 or PP02, you should check whether
    maintenance is allowed in table T777I.
    5.  How are notes for qualifications stored in the qualifications
         profile?
    The notes are stored period-independent with the key 'person has
    qualification' (for example, P 0003212 A032 Q 50001231). The advantage of
    this is that you only have one note attached to a qualification, whose
    history you can monitor.
    Example (Qualifications profile):
    Qualification Proficiency Period Note
       English 1 01.01.1980 - 30.06.1998 X
       English 2 01.07.1998 - 31.12.9999 X
    The same note is displayed regardless of whether you look at the note
    for the first or second entry.
    6.  Can you create customer-specific Infosets (Ad Hoc Query) for the
         unrestricted search for persons and applicants?
    Yes, you can create customer-specific InfoSets. These customer-specific
    InfoSets must be defined in the 'global work area' in transaction SQ02.
    Customer-specific InfoSets for Personnel Development must not be
    defined in the standard work area, they must always be in the global
    area.
    7.  How does the inheritance logic work for the specification
         descriptions for qualifications?
    If you want to store standard values for the specification descriptions,
    you can do this in the IMG (Personnel Development) under 'Edit scales'.
    So that these standard values are inherited to the qualifications, in
    the qualification catalog, the 'Default' flag must be set both in the
    qualification group and in the qualification in the tab.
    If the flag in the qualification group is not set, the standard values
    are not inherited to the qualification below.
    If the flag is not set in the individual qualification, the standard
    values are only not inherited to this qualification. Then you can enter
    a specification description for this qualification.
    Hope it can give you answer
    Regards,
    Jun

  • Authorization fail with CATS Bapi's on InfoTypes

    Hello all -  when running BAPI_CATIMESHEETMGR_INSERT we are failing on Authorization  - for example our profile doesn't have access to InfoType 0002 - however we cannot assign it directly as the user may also have PA20 etc. and we can't permit them to see data via online transactions - any solution would be greatly appreciated

    If the BAPI is not..
    No, other way around: if your z-table is not respected by the BAPI then an enhancement point might be?
    Where did you add the z-table coding? It might be your own fault (just being honest).
    Cheers,
    Julius

  • Structural profile for HR conflicts with MRS

    Hi,
    We have ECC 6.0 and implemented mini-HR for mainly CATS use and to create the organisation for MRS (multi-resource scheduling). Now we are facing problems with managers who need to have a structural profiles to limit their access to HR information.
    A manager cannot execute transaction /MRSS/PLBOORGM - Planning Board for RP Node
    The other problem is that structural profiles (evaluation path O-S-P) seem to be interfering with IW32 when a user tries to change the technical person (i.e. a partner) or sales order.
    CATS is classic, not CATS for Service Providers, which also brings problems with those users who have to accept hours or enter hours (CAT2) for people other than their own subordinates; i.e. they are project managers.
    Any suggestion for structural profile corrections, evaluation path that should be used in addition to the "normal" O-S-P for the manager role?
    Help is highly appreciated.
    BR,
    Pia

    Hi,
    Firstly, P_ORGINCON is used for context solutions where you want users to access specific infotypes for selected Objects in the Org structure and simultaneously perform other activities for some separate set of Objects.
    P_ORGINCON won't understand the concept of exclusion.
    3) we assign to the manager a second structural profile in exclusion mode and a role with a P_ORGINCON in order to exclude some infotypes.
    Why do you want to design such approach?
    Please remember when you assign PD profile to a position and check the exclusion Box, it means what all objects returned by that structural profile should be excluded from entering into T77UU and INDX table, when you run RHBAUS* programs.
    After reading through your Business requirement, I would only suggest you to drive this design through Function Modules and included those FMs in your structural.
    If required create multiple structural add them in separate nodes in P_ORGINCON in combination of Infotypes.
    In other words, is it possible to assign a structural profile to a user in exclusion mode and use this structural profile with a P_ORGINCON in order to exclude some infotypes? -
    NO, assigning structural in exclusion mode will only exclude objects which are being pulled up by that structural and using the same with P_ORGINCON means, user will be able access set of Infotypes for all Objects in the Org Structure apart from the ones excluded because the structural assigned in exclusion mode.
    Hope this answers your question.
    Thanks,
    Deb
