Field level Authorization for IT0002
Hi All,
We have a requirement to control the authorization for the field NI Number/Social Security number from IT0002.
This field is getting displayed in various standard reports which are in use by administrators/Managers etc....
We want to disable the access of this field to every one, even the HR administartor.
Kindly suggest if this is possible using authorizations.
I know that we can hide the field in display access for PA20 or PA30, but I am particularly serching the option for various reports.
Regards,
Umesh Chaudhari.
Hi Umesh,
Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu." -> the pop-up "help - P_ABAP" appears.
There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
The standard reports of personnel administration are based on logical database PNP I would recommend to set your authorization as follows:
Object HR: Master data (P_ORGIN) (two authorizations)
Infotype 0002 ' '
Subtype * ' '
Authorization level R ' '
Organizational key ' ' 0001YYYYXXX
Object HR: Reporting (P_ABAP)
Report name SAPDBPNP
Degree of simplification 1
Please note, that if a user has authorization for e.g. the birthday list , (s)he will be able to view the birth date through thisquery, although (s)he cannot access to IT0002 through PA20.
Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
Hope this help
Sarah
Similar Messages
-
We need to give field-level authorization for some fields
The schenario is as follows :
1. There are various storage locations within a plant.
2. There is one or more people incharge of creating PO and receiving
stocks for every storage location.
3. We dont want to authorise the person incharge of one storage
location to receive stock in another storage location or even view the
other storage locations at the time of creating the PO or any other
transaction. The user incharge of one storage location should not be
able to view any other storage location in any storage location field's
drop down.
regards
Manish
+91 9811647727Hi Umesh,
Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu." -> the pop-up "help - P_ABAP" appears.
There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
The standard reports of personnel administration are based on logical database PNP I would recommend to set your authorization as follows:
Object HR: Master data (P_ORGIN) (two authorizations)
Infotype 0002 ' '
Subtype * ' '
Authorization level R ' '
Organizational key ' ' 0001YYYYXXX
Object HR: Reporting (P_ABAP)
Report name SAPDBPNP
Degree of simplification 1
Please note, that if a user has authorization for e.g. the birthday list , (s)he will be able to view the birth date through thisquery, although (s)he cannot access to IT0002 through PA20.
Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
Hope this help
Sarah -
Hi Gurus,
Can you explain me how to proceed forward inrelation to Field Level Authorizations in SAP HR. For instance I want to restrict roles of individuals based on Field for example restrict users based on Field Workschedule in IT 0007 ( Planned Working Time).
Regards,
HappyAUTHORITY-CHECK OBJECT 'S_TABU_LIN'
ID 'ORG_CRIT' FIELD 'MOLGA'
ID 'ACTVT' FIELD '03'
ID 'ORG_FIELD1' FIELD '10'
ID 'ORG_FIELD2' FIELD '*'
ID 'ORG_FIELD3' FIELD '*'
ID 'ORG_FIELD4' FIELD '*'
ID 'ORG_FIELD5' FIELD '*'
ID 'ORG_FIELD6' FIELD '*'
ID 'ORG_FIELD7' FIELD '*'
ID 'ORG_FIELD8' FIELD '*'.
IF sy-subrc NE 0 .
MESSAGE e000 WITH 'No Authorization for area' v_text.
ENDIF.
Use S_TABU_LIN authority object for field level authorizations. -
SM30 Field level authorization check
Hi,
I have a requirement to add the authorization check in SM30 for the company field in the custom table. Please suggest.
Thanks,
Gagan ChodhryHi,
I have this requirement for both type of tables i.e. custom as well as standard. Tables has got field profit center.. I need to show the table based on the loggedin user authorization to the profit center.
If it is a custom table then as mentioned by Siva, there is a way I heared that we can check the authorization in PAI event, but when I tried to do a small test, I could get the field symbol with the values, but I was not able to skip that record for disply.
If anyone can send the sample or the way to skip the record based on the check.
Also is there any other way to add the field level authorization to custom and standard tables...
Thanks,
Gagan Chodhry -
Field level Authorization configuration in SAP BO issue !!!
Hi gurus,
I want to create field level authorization at query level and use the same at BO web Intelligence. (Ex if i h ave company code as A,B,and C. and if i have created a rolehe users where only A and C is assigned so when i crreate a webi where users should only able to select comapny code as A and C only.)
Now i want to know the steps to configure the same in BO for roles import and SAP authentication setting.Please do tell the pre-requisites .I got lot of links but am still confused.
So please provide exact steps and setting to configure the same.
Thanks &Regards,
Montz
Edited by: montz2006 on Jun 27, 2011 9:05 PMAUTHORITY-CHECK OBJECT 'S_TABU_LIN'
ID 'ORG_CRIT' FIELD 'MOLGA'
ID 'ACTVT' FIELD '03'
ID 'ORG_FIELD1' FIELD '10'
ID 'ORG_FIELD2' FIELD '*'
ID 'ORG_FIELD3' FIELD '*'
ID 'ORG_FIELD4' FIELD '*'
ID 'ORG_FIELD5' FIELD '*'
ID 'ORG_FIELD6' FIELD '*'
ID 'ORG_FIELD7' FIELD '*'
ID 'ORG_FIELD8' FIELD '*'.
IF sy-subrc NE 0 .
MESSAGE e000 WITH 'No Authorization for area' v_text.
ENDIF.
Use S_TABU_LIN authority object for field level authorizations. -
"Low-level" authorizations for accessing BW reports - add users to role
Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.Hi!
i think programatically it might be complex. You got to maintain a seperate variant of report per user and use this variant to send mail. that means you need to maintain a variant and a Broadcast setting per user. once maintained you can use it any number of times the values will be recalculated everytime.
with regards
ashwin
<i>PS n: Assigning point to the helpful answers is the way of saying thanks in SDN. you can assign points by clicking on the appropriate radio button displayed next to the answers for your question. yellow for 2, green for 6 points(2)and blue for 10 points and to close the question and marked as problem solved. closing the threads which has a solution will help the members to deal with open issues with out wasting time on problems which has a solution and also to the people who encounter the same porblem in future. This is just to give you information as you are a new user.</i> -
Plant level authorization for Notification Change
Hi All
We have 7 plants and person belong to one plant is able to open and change the notification of other plants.
In the role we have given restriction for the plant for the Tcode IW 22 and for the object SWERK .In the Notification only Workcenter and Plant fields are mandatory.
How can we restrict for a user belong to a particular plant can only change his plant notifications using IW22 only ---not IW28
Thanks in advance
gangsDear gangs,
Check in all the roles of that user in orgnozation levels maintenance plant and planning plant.
It may happen in one role you have ristricted for that user, but in other roles it may be having the t.code authorization for IW22 and with other plant also.
Check that also.
Regards,
Praveen. -
Best way to author field level help for a CHM?
Hi
I have been asked to create an HTML help (CHM) system for a .Net application which will include context sensitive help at both page and field level.
I have used map ids for page level help before - i.e. assigned a map id to topics and given this list to a developer for implementation, but I have never created field level help.
I've been looking at the 'What's This?' help project wizard but am confused as to whether this is the best approach and how it fits with the project as a whole (or even if it compatible with .Net applications). Does this mean that I need two help projects for the application - one for the main help, and one for the field level help? Is there a way to create field level help without using the 'What's This?' wizard?
I am using Robohelp 7.
Any advice gratefully received!
ChloeHi, Chloe,
As Peter notes, even Microsoft has backed away from using field-level Help in the last few years, so it may be worth trying to determine whether your users will benefit from having it available to them. That's not to say that you can't deliver field-level Help, however, as all the required methods for calling it are still available to .NET developers.
To clarify, what Madcap Software calls "DotNet Help" is just a proprietary Help viewer that the company hopes will be more modern and appealing to writers than the older HTML Help (.chm) viewer. HTML Help remains the recommended format for Windows applications, whether .NET or not, and you can use any authoring tool that is capable of outputting a .chm file to create online Help for a .NET application.
The method that your developers use to call field-level Help determines how it should be authored. If they use the standard .NET method (the SetHelpString method of the HelpProvider class), each text string is embedded in the application code itself, and not retrieved from your .chm file. More information here:
http://msdn.microsoft.com/en-us/library/system.windows.forms.helpprovider.sethelpstring(VS .71).aspx
http://support.microsoft.com/kb/821777
http://helpware.net/mshelp2/demo2/h1xNET.htm
Alternatively, developers can use the old HTML Help API to retrieve the text string from a .chm file. See:
http://msdn.microsoft.com/en-us/library/ms670082(VS.85).aspx
http://helpware.net/htmlhelp/how_to_whatsthis.htm
http://support.microsoft.com/?kbid=317406
The drawback of both methods is that the Help popups are plain text only — no graphics, text formatting, hyperlinks, etc. To work around this, some people use the third-party KeyHelp control to create feature-rich HTML popups. See:
http://www.keyworks.net/keyhelp.htm
This allows you to deliver the type of Help that you mentioned in your second message ("is there a way to do this so that these topics open in a small popup, without the TOC / tri-pane structure?").
Pete -
Object level authorization for SLT Configuration schema in HANA DB
Hi All,
We have connected SLT with HANA DB (& ECC as source system).
Now for certain users we wanted to restrict the access for certain tables ( tables owned by SLT Schema, i.e schema created in HANA DB with the configuration name provided in the SLT configuration).
With the SYSTEM user object level authorization's of another schema is not possible hence , an error is thrown when we are trying to provide/control the access of single table for a user.
Is it ok that we generate a password for SLT schema and try login with schema owner. Is it the best practice or Is there any other way around.
Regards,
KumarHi Santosh,
You can find more info about SLT Roles and Authorization from below security guide.
http://help.sap.com/hana/SAP_HANA_Security_Guide_Trigger_Based_Replication_SLT_en.pdf
Regards,
V Srinivasan -
Field level validations for an Infotype
Hi,
Can anybody tell me if field level validations can be done for each and every field in a HR infotype?
Thank you.You can do most of the validations using the Infotype User exit ZXPADU02 or the AFTER_INPUT mrthod in the BAdI HRPAD00INFTY.
But each & every field -- NO
~Suresh -
Withdraw Field level RETRO for IT-0021
Hi,
Please let me know, is there any impact on Payroll (Indian) in case Field level RETRO is withdrawn for IT-0021
G.V.Mohan Rao,sCCLIT 0021 is Dependent on.....Subtypes
-
Second Level Authorization for ESS
Hi,
I have an issue regarding ESS . The requirement is to provide a second level authorization when anybody clicks on the content in ESS. i,e a logon screen. On successful authentification the user has to see the required info. We should also be able to provide a 5 min idle time out. Can anybody help me with this.
Thanks,
AbhishekAbhishek, Did you find any solution for second level authentication for ESS?
-
Object level authorizations for deffirent user restrictions
Hi
i have 1 object, this object have only 3 values?
i need authorizations for this object at report level?
rsa1- i keep authorization relevant?
rsecadmin i can include this object , here i need give from value and to value? i have 3 values only? suppose user 1 want only 1 value? user 2 need 2 and 3 value? how can i restrict like this ? ple let em knowHi Suneel,
Go to RSECADMIN.
Here, in maintain authorizations, create authorization for your characteristics along with the special characteristics.
i.e. in your case, create authorization(assume 0plant is marked as authorization relevant)
0PLANT
0TCAACTVT
0TCAIPROV
0TCAVALID
Double click on each characteristic to assign them the authorized value set.
Thus, you will create two authorizations
Z_PLANT_1
0PLANT...................I..EQ..............1
0TCAACTVT.............I...EQ..............3
0TCAIPROV.............I...EQ..........ZPROVIDER
0TCAVALID..............I...EQ...........*
Z_PLANT_2&3
0PLANT...................I..EQ..............2
..............................I..EQ..............3
0TCAACTVT.............I...EQ..............3
0TCAIPROV.............I...EQ..........ZPROVIDER
0TCAVALID..............I...EQ...........*
Go to RSECADMIN again in user tab in assignment, assign these authorizations created to the respective users.
Like assign User1 -
>Z_PLANT_1
................User2 -
>Z_PLANT_2&3
Refer the link below for more information
[Analysis Authorization|http://help.sap.com/saphelp_nw70/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm]
Hope this helps,
Best regards,
Sunmit. -
BI7 InfoObject Value Level Authorization for Queries
Hi Guys/Gals,
this is my requirement.....
we have a HR ODS which has personal information of employees from 72 Companies.
we have a query based on this ODS ....
My requirement is when User A runs the query only data from Company A must be displayed...
and when User B runs the same query only data from Company B must be displayed....
no pop-ups for the company code .....
i posted this question yesterday & got a few replies....i tried them out... but there is this issue...
i used the RSECADMIN & created the AO which includes the 0COMP_CODE....
then i added it to the role using PFCG....
when i add the AO i created in the " BI Analysis Authorizations: Na " section...
the query gives a "no authorization" error.....
then one of u guy asked me to add it in to the
"SAP Business Information Warehouse - Reporting" section,,,, so i did that....
but unless i also add " BI Analysis Authorizations: Na " with * the query doesn't work....
and when i add " BI Analysis Authorizations: Na " with * &
"SAP Business Information Warehouse - Reporting" with the AO i created...
the filter doesn't work... it displays all the data
please help me.....Hello Christopher,
your thread is a little bit confusing and unclear. I just had a look at the other two threads you posted and here are my comments:
Prerequisite for the use of BI 7.0 analysis authorizations:
- each user needs authorizations for the three special dimensions (0TCAACTVT, 0TCAIPROV and 0TCAVALID) otherwise queries won't run!
As a consequence you will have to create analysis authorizations like this:
<b>ZCOMP_1000</b>
0COMP_CODE<i> I EQ</i> 1000
0TCAACTVT <i>I EQ</i> 03
0TCAIPROV <i>I EQ</i> your HR DSO
0TCAVALID <i>I EQ</i> *
<b>ZCOMP_2000</b>
0COMP_CODE<i> I EQ</i> 2000
0TCAACTVT <i>I EQ</i> 03
0TCAIPROV <i>I EQ</i> your HR DSO
0TCAVALID <i>I EQ</i> *
You can then assign these authorizations directly to your specific users using RSU01 or you will create a role and add the authorization object S_RS_AUTH with value ZCOMP_1000 and another one that contains S_RS_AUTH with value ZCOMP_2000.
Of course your users will need authorizations for standard reporting such as S_RFC, S_RS_COMP, S_RS_COMP1.
S_RS_ICUBE, S_RS_ODSO, S_RS_MPRO, S_RS_ISET are not necessary any more for reporting because they were replaced by 0TCAIPROV in the analysis authorization.
Finally the query selection must be COMPLETELY be a part of the user's authorizations. This is best done by an query variable that is filled from the user's authorizations at runtime.
Good luck,
Petra -
Object level authorizations for reports
HI
I have 20 charactesr in cube , around 15 have navigational attributes.
i need to give authorizations for 5 objects only .( navigational attributes).
i have 10 reports, i need 2 reports only authorizations relavant.
if i restrict 5 objects authorizations , its effect all queris? in this scenerio i need to create 2 cubes?
ple let me knowhi suneel,
As you said you require authorization for 2 reports, you can restrict those Infoobjects with the authorization variables and in the other 3reports use that object but do not restrict to the authorization variables..
So, the user will be able to see whole data for 3 reports where authorization is not used.
Hope it is clear.
Thanks
Lavanya
Maybe you are looking for
-
How to write an element in a JTable Cell
Probably it's a stupid question but I have this problem: I have a the necessity to build a JTable in which, when I edit a cell and I push a keyboard button, a new Frame opens to edit the content of the cell. But the problem is how to write something
-
if I extract my previews from lightroom, will they still show up in the catalog? I am trying to recover certain images. Can I just extract specific folders?
-
Can't open files on websites like pdf
For some reason,i can no longer open files on my business website. How do i fix this?
-
Load balance issues with RV042
Hi, I have some issue to configure my RV042. I have 8 voip phones and 10 pcs on my network. I used DHCP to attribute IP between 192.168.1.10 and 192.168.1.20 to the phones and over .100 to the PC. I want my phone to have their own connexion. My switc
-
Mac Pro Retina stalls on start up! Urgent!
My Mac Pro is stalling on start up. The loading bar gets half way and then stalls. I have reset the p ram and the smc. I have attached a photo of the verbose start up. I desperately need to get this working. Thanks