How to use authorization object P_PERNR?

Hi, Gurus,
In our system, there is a user whose User ID is "00041", and she can modify her own 0008. We want to control it so that she can only display her own 0008, but process 0008 for all other employees.
So I used the authorization object P_PERNR to do this. I set the field values like this (copied entirely from the SAP help for P_PERNR):
Authorization level: W, S, D, E
Infotype: 0008
Interpretation of assignment personnel number: E
Subtype: *
Then I maintained her master data 0105, subtype 0001 (system user name), as 00041.
I think she shouldn't be able to maintain her own 0008 now, but she still can maintain it.
I want to know why and how to solve it. Did I do it the right way?
Thank you in advance!

P_PERNR   HR: Master Data - Personnel Number Check
You use the HR: Master Data - Personnel Number Check authorization object if you want to assign users different authorizations for accessing their own personnel number. If this check is active and the user is assigned a personnel number in the system, it can directly override all other checks with the exception of the test procedures.
The following values are possible for the PSIGN field:
I = Authorization for personnel number assigned, that is for own personnel number
E = Authorization for all personnel numbers excluding own personnel number
You can assign a user a personnel number using infotype 0105, subtype 0001 (in earlier releases using the V_T513A view).
This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own. In other words, this check is completely irrelevant for personnel numbers that are not assigned to the user.
Example of Personnel Number Check P_PERNR
The authorization checks for P_ORGIN and P_PERNR are activated in the system. In addition, there are user assignments for some personnel numbers.
The user in our example is assigned a personnel number and is administrator responsible for the Basic Pay infotype (0008) of a personnel area (that is, the user has the corresponding P_ORGIN authorization). The employee should also be able to display his or her own data but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. The corresponding authorizations for the P_PERNR authorization object must be set up as follows:
First authorization:
AUTHC = R, M
PSIGN = I
INFTY = *
SUBTY = *
Second authorization:
AUTHC = W, S, D, E
PSIGN = E
INFTY = 0008
SUBTY = *
In our example, the user is an administrator responsible for the basic pay (infotype 0008) of a personnel area (since the administrator has the corresponding HR: Master Data authorization). The employee should also be able to display his or her own data at all times but not change his or her basic pay, irrespective of the personnel area for which the employee is responsible. You need to set up the appropriate authorizations for the HR: Personnel Number Check object as shown in this example.
The first authorization grants the employee read authorization for all infotypes that are stored under the employee's personnel number. The second authorization denies write access to all data records of infotype 0008 for the employee's own personnel number in case the administrator is responsible at some point in the future for the personnel area to which he or she belongs.
As the following examples illustrate, inconsistent authorizations can be granted.
Example 1:
First authorization:
AUTHC = *
PSIGN = I
INFTY = 0014
SUBTY = M*
Second authorization:
AUTHC = W, S, D, E
PSIGN = E
INFTY = 0014
SUBTY = *
The first authorization grants the employee read authorization (AUTHC = R) for the Recurrent Payments/Deductions infotype (0014), subtype M120, which allows the employee to access the data stored under his or her personnel number. In this case, the second authorization is irrelevant.
The first authorization grants the employee write authorization (AUTHC = W) for the Recurrent Payments/Deductions infotype (0014), subtype B030, which denies the employee access to the data stored under his or her personnel number. In this case, the first authorization is irrelevant.
The first authorization grants the employee write authorization for the Recurrent Payments/Deductions infotype (0014), subtype M120, the second authorization denies the employee this authorization. The desired system response is unclear from this example. According to the documentation, the system response is undefined in such situations. In reality, the authorization check always denies authorization in unclear situations, that is E is stronger than I and therefore the authorization is not granted.
Example 2:
AUTHC = *
PSIGN = *
INFTY = *
SUBTY = *
This type of authorization is required by superusers with unlimited access, for example. The above authorization is appropriate if an employee wants to access an infotype. However, since PSIGN = * and * can be substituted for any value, PSIGN and E can also be interpreted as I. This can also lead to an undefined situation. In earlier releases, the authorization was denied on the basis of the rule E is stronger than I. This meant that superusers with assigned personnel numbers were not able to access their own personnel number. The programs have since been changed and now * is interpreted as I and is stronger than E. In other words, * is stronger than E and E is stronger than I, whereby * is interpreted as I.
As already indicated in Example 1, the combination of different authorizations can produce a complicated result. We therefore recommend that you avoid combinations where P_PERNR authorizations can be interpreted differently for the same combination of AUTHC (Authorization Level), INFTY (Infotype) and SUBTY (Subtype).
Misunderstandings arising from the complex situations described above are not the most frequent causes of customer inquiries, however. The most frequent cause is the incorrect assumption that authorizations by personnel number affect authorizations for non-assigned personnel numbers. This is not the case at all.
If you use authorizations by personnel number, you should always first set up all non-personnel number-related authorizations. As soon as you have done this, you should create different access authorizations for the personnel numbers that are assigned to users using appropriate P_PERNR authorizations. This is always possible since the P_PERNR authorizations override all other authorizations directly (except Test Procedures).
P_PERNR authorization checks cannot bypass test procedures directly. For instance, a test procedure is only carried out on the Recurring Payments/Deductions infotype (0014) if a corresponding P_PERNR authorization (with PSIGN = I) exists. If an appropriate authorization for the corresponding subtype of the infotype 0130 exists, it can be used effectively to carry out the test procedures.
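
The precedence rules quoted above, written out as a small decision model so that the Basic Pay example, Example 1 and Example 2 can be replayed. This is an added example, not SAP code and not part of the original posts; the class and function names and the personnel number are made up, test procedures are not modelled, and returning "not_applicable" when no P_PERNR authorization covers the request is an assumption.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class PPernrAuth:
    """One P_PERNR authorization (illustrative container, not an SAP structure)."""
    authc: Tuple[str, ...]  # authorization levels, e.g. ("R", "M") or ("*",)
    psign: str              # "I" = own number, "E" = excluding own, or "*"
    infty: str              # infotype, "*" allowed
    subty: str              # subtype, patterns such as "M*" allowed


def _covers(auth: PPernrAuth, level: str, infty: str, subty: str) -> bool:
    """True if the authorization's AUTHC/INFTY/SUBTY values match the request."""
    return (any(a in ("*", level) for a in auth.authc)
            and fnmatchcase(infty, auth.infty)
            and fnmatchcase(subty, auth.subty))


def p_pernr_decision(auths: Sequence[PPernrAuth], level: str, infty: str,
                     subty: str, *, check_active: bool,
                     user_pernr: Optional[str], accessed_pernr: str) -> str:
    """Return "grant", "deny" or "not_applicable" for one access request."""
    # The check is relevant only if it is active, the user is assigned a
    # personnel number (infotype 0105, subtype 0001) and accesses that number.
    if not check_active or user_pernr is None or user_pernr != accessed_pernr:
        return "not_applicable"
    signs = {a.psign for a in auths if _covers(a, level, infty, subty)}
    # Precedence as the text states it: * (read as I) beats E, E beats I.
    if "*" in signs:
        return "grant"
    if "E" in signs:
        return "deny"
    if "I" in signs:
        return "grant"
    # Assumption: no covering P_PERNR authorization leaves it to other checks.
    return "not_applicable"


# Constructed sample data: the personnel number is made up.
OWN = "00001234"
BASIC_PAY = [  # the two authorizations from the Basic Pay example
    PPernrAuth(("R", "M"), "I", "*", "*"),
    PPernrAuth(("W", "S", "D", "E"), "E", "0008", "*"),
]
EXAMPLE_1 = [  # the inconsistent pair from Example 1
    PPernrAuth(("*",), "I", "0014", "M*"),
    PPernrAuth(("W", "S", "D", "E"), "E", "0014", "*"),
]
WILDCARD = PPernrAuth(("*",), "*", "*", "*")  # Example 2


def own(auths, level, infty, subty="", check_active=True):
    """Decision for the user accessing his or her own personnel number."""
    return p_pernr_decision(auths, level, infty, subty, check_active=check_active,
                            user_pernr=OWN, accessed_pernr=OWN)


if __name__ == "__main__":
    print("write own 0008:", own(BASIC_PAY, "W", "0008"))
    print("read own 0008:", own(BASIC_PAY, "R", "0008"))
    print("write own 0008, check inactive:",
          own(BASIC_PAY, "W", "0008", check_active=False))
    print("write own 0008 with PSIGN=* also held:",
          own(BASIC_PAY + [WILDCARD], "W", "0008"))
    print("write own 0014/M120 (Example 1):", own(EXAMPLE_1, "W", "0014", "M120"))
```

Under these rules an E authorization has no effect on a user's own record in two cases: the check is not active or no personnel number is assigned to the user, or the user also holds an authorization with PSIGN = *.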

Similar Messages

  • How to use lock object? what we lock either total ztable or only record?

    Hi
    How to use a lock object? Do we lock the whole ztable or only a particular record?
    Don't tell me to create a lock object in SE11 with the letter E and call it in the program with ENQUEUE & DEQUEUE.
    Just tell me whether we lock only a particular record or the whole ztable.
    Please specify with an example.
    Thanks.

    Hi
    Go to SE11, in the option 'Lock object' enter the name of your lock,
    beginning with 'E', suppose 'EXXXX', and create it. In the tab 'Tables' fill in the
    table name where the record you want to lock exists and select the
    lock mode. The lock mode can be shared or exclusive. If 'shared',
    when you lock the record, others can also read data, but cannot
    modify it. If 'exclusive', when you lock the record, others can neither
    read nor modify the record. After you save and activate, you will get two
    function modules: 'ENQUEUE_EXXXX' to lock a record and
    'DEQUEUE_EXXXX' to release the lock on one record.
    When you use this function module it only locks one record at a time. It
    does not lock the table.

  • How to use swf object

    Hi, I have been trying to get my head around how to use swf object. I know very little JavaScript and so am having difficulty in modifying the code to suit my needs. This is my page, for which I have used Dreamweaver CS3 and insert>media>flash; it is working well but does not validate. I would really appreciate it if somebody could write the exact HTML code I need to convert this to swf object.
    http://www.kimberleywebdesign.com.au/Links.html

    You should be able to just declare a variable outside of the onComplete function and assign it the loaded object when the file loads...
    var loadedSWF:MovieClip;
    function loadComplete(e:Event):void {
         removeChild(old_mc);
         addChild( DisplayObject(LoaderInfo(e.target).content) );
         // keep a reference to the loaded content for use outside this handler
         loadedSWF = MovieClip(e.currentTarget.content);
    }
    function doStuffToSWF(){
          loadedSWF.something....
    }

  • How to use  Business Object like Vendor or PurchasingInfo

    Hi,
    How do I use a Business Object (like Vendor or PurchasingInfo) from my object?
    For example:
    CLASS myEntity DEFINITION.
      PUBLIC SECTION.
        METHODS: getVendor EXPORTING pVendor TYPE REF TO Vendor.
      PRIVATE SECTION.
        DATA: aVendor TYPE REF TO Vendor.
    ENDCLASS.
    CLASS myEntity IMPLEMENTATION.
      METHOD getVendor.
        pVendor = aVendor.
      ENDMETHOD.
    ENDCLASS.

    Hi,
    I am giving you a demo program for your doubt.
    REPORT demo_class_counter .
    CLASS counter DEFINITION.
      PUBLIC SECTION.
        METHODS: set IMPORTING value(set_value) TYPE i,
                 increment,
                 get EXPORTING value(get_value) TYPE i.
      PRIVATE SECTION.
        DATA count TYPE i.
    ENDCLASS.
    CLASS counter IMPLEMENTATION.
      METHOD set.
        count = set_value.
      ENDMETHOD.
      METHOD increment.
        ADD 1 TO count.
      ENDMETHOD.
      METHOD get.
        get_value = count.
      ENDMETHOD.
    ENDCLASS.
    DATA number TYPE i VALUE 5.
    DATA cnt TYPE REF TO counter.
    START-OF-SELECTION.
      CREATE OBJECT cnt.
      CALL METHOD cnt->set EXPORTING set_value = number.
      DO 3 TIMES.
        CALL METHOD cnt->increment.
      ENDDO.
      CALL METHOD cnt->get IMPORTING get_value = number.
      WRITE number.
    For more demo programs, type 'abapdocu' in the command field.
    You will get some demo programs.
    There, select ABAP Objects.
    Regards,
    Jagadish

  • How i know Authorization object in system?

    Hi all,
    I created a new BAdI with Enhancement Spot: ZWORKORDER_GOODSMVT (a copy of WORKORDER_GOODSMVT in standard SAP).
    Now I have BAdI definition: ZWORKORDER_GOODSMVT
    with Interface: ZIF_EX_WORKORDER_GOODSMVT
    All OK.
    Now, how can I see the authorization object in BAdI definition WORKORDER_GOODSMVT (standard)? I already created an authorization object, but now I don't know which field to choose when maintaining the authorization (from BAdI definition WORKORDER_GOODSMVT).
    ex: 1. in package BSFC there is interface IF_EX_BSFC_POLICY and method GET_POLICY
         2. Authorization object: B_BSFC (has field names BSFC_APPL and ACTVT in maintaining the authorization)
    because I get this and solve it in my job.
    How do I activate the BAdI function called WORKORDER_GOODSMVT and assign it to the a.m. authorization object?
    Processing Logic: 
    •     The backflush errors are created after the execution of backflushing transaction in Repetitive Manufacturing (REM) – t-code MF42N or MFBF
    •     If during the backflush execution the components are not available in the respective production storage location then system by default will create backflush errors
    •     Backflush errors will need to be cleared everyday and must be cleared before end month stock take
    •     Backflush errors can be processed using the following t-code:
    o     MF45 – Individual
    o     MF46 – Collective
    o     MF47 – Post processing List
    o     COGI – Post processing Individual Components
    Authorization will be applied only for COGI, while others will not be used in PSECI
    •     Create new authorization object called Z_PP_COGI to be assigned later to the user id
    •     Activate the BAdI function called WORKORDER_GOODSMVT and assign to the a.m. authorization object
    •     For unauthorized users, an error message will appear if they try to delete the backflush errors in COGI transaction as follows:
    o     You are not authorized to change/ delete the backflush errors! Please contact your superior!
    Thanks so much all, ......

    Hi Nguyen,
    Check the following links:
    http://help.sap.com/saphelp_erp2004/helpdata/en/b8/bdb83b5b831f3be10000000a114084/content.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/6714a9439b11d1896f0000e8322d00/content.htm
    Regards,
    Rajesh K Soman
    Please reward points if found helpful.

  • How to assign authorization objects to a cube

    Hello,
    My cube includes 0profit_ctr which is marked as authorization relevant. Still in RSSM my cube is not included in the list of infocubes for an authorization object (zprofit) linked to 0profit_ctr. I'm therefore not able to enable that authorization object for my cube. I have a few ODSs which are included in the list. Why is my cube missing? Is there something I must do to include it, or is it a bug?
    When checking the infocube for authorization objects in RSSM this list is empty as well. I don't see any option to add authorization objects in that list.
    I have read the following document:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b849e690-0201-0010-9b88-c00cca40736f
    I'm using BW 3.5.
    Regards,
    Christoffer

    Hi Christoffer,
    In RSSM  you will find a button  "Update Check Status ( Authorization Objects, Info providers) ". After this update you should find your cube in the list.
    Jaya

  • How to use a object(in MXML - in FLEX 4) in multiple way.

    This is my object in MXML:
    <mx1:Canvas id="menuElement" visible="true" rotationY="-15">
         <mx1:Canvas mask="{imageMask}">
              <mx1:Image id="menuImage" visible="true"/>
              <s:BorderContainer id="menuBackground" width="70" visible="true"  borderVisible="false">
                    <s:Label id="menuDescription" fontSize="30" fontWeight="bold" rotation="-90" />
                        <s:backgroundFill>
                             <s:LinearGradient rotation="90">
                                  <s:entries>
                                       <s:GradientEntry  id="backgroundColor" color="0x000010" alpha="0.6"/>
                                  </s:entries>
                             </s:LinearGradient>
                        </s:backgroundFill>
                   </s:BorderContainer>
              </mx1:Canvas>
         <mx1:Canvas id="imageMask" backgroundColor="#FF0000"/>
    </mx1:Canvas>
    I use this object (one time) with configuration in actionscript (positions, source of picture etc.) and I receive something like on a picture below:
    Now, I need to create 4 elements like below. I don't want to copy this block of the program 4 times. Does anybody have an idea how I can do it and how I can refer to each element from ActionScript?
    Regards

    if you run nw04s SP8, it's a limitation. you can create your own simple types and use them in your entities. but the custom data structures you create in the dictionary don't show in list of available structures when you want to create a new complex attribute

  • How to use Logger object in Lookout 5.0

    I am now trying to log data using the Logger object. I use Switch1 for activating LogContinuously mode and Switch2 for breaking the logging process. If I turn off Switch1, the logging process stops, which is OK. My problem is that if Switch1 is still on and I turn off Switch2, the logging process is still running. It seems different from what I have read in the Help file. Does anyone have a solution for it? Please give me some advice! Thanks a lot. It would be better if someone posted an example of using the Logger object here for reference.
    Regards, 

    I think the behaviour you described is correct. If you turn on switch2, the logging process will stop, even when switch1 is on. If you turn off switch2, the process will be running.
    Here is an example of logger object.
    http://zone.ni.com/devzone/cda/epd/p/id/3816
    you can change the "log break" button into a switch, which can better show you how it works.
    Ryan Shi
    National Instruments

  • How to use Generic Object Services(GOS) for each table control record.

    Dear Expert,
    I am using generic object services for document attachment, but I am facing a problem while attaching a document to a table control row. My requirement is to attach a separate document for each and every row of the table control, but I am unable to attach documents row-wise in the table control. For each row, GOS should display the corresponding attached document, not all the attached documents.
    Thanks in advance
    Bhuwan Tiwari
    Edited by: BHUWAN TIWARI on Feb 8, 2011 4:16 PM

    You haven't explained what object and object key you're using, nor have you provided any indication of how you implemented the GOS attachment functionality.  You need to provide more information to resolve an issue like this.

  • How to use session object in jsp

    Hi all,
    Merry Christmas.
    Can anyone please tell me how to use the session object in JSP?
    rachna

    Hi rachna,
    JSP has a default (implicit) session object. Use the getSession(true) method on the session object, and then you can either get or set attributes depending on the requirement.
    That was in general, and now to the issue you have got: what you can do is create a session for every user who logs in, and when he/she tries to log in again, you can check for the existing session object in the JSP and perform the logic as required. If you need any clarifications, please let me know.
    Thanks n Regards
    Naveen M

  • How to use std object RFBIBL00

    Dear All,
    For uploading open item of vendor and customer std lsmw RFBIBL00 is available.
    I know how to do recording in lsmw for new object but any one can help how to use std lsmw available in SAP. For eg.RFBIBL00
    Regards,
    Bhadresh

    You'll find that the RFBIBL00 program, surprisingly, has extensive documentation attached - or you could try
    http://help.sap.com/saphelp_45b/helpdata/en/35/a47e63763e0392e10000009b38f9b7/content.htm
    or the print documentation at
    help.sap.com/printdocu/core/Print46c/en/data/pdf/CAGTFADM/CAGTFADM-FI.pdf
    cheers
    Jonathan

  • How to use ConnectionPoolDataSource object?

    I use the embedded OC4J server,
    define the information about the DataSource object in the data-source.xml file,
    and try to set up a ConnectionPoolDataSource object,
    but a java.lang.ClassCastException is raised.
    The problem is that I need to use a pooled connection datasource.
    To do this I get the information about the datasource object
    through a lookup of the "pooled-location" name in the JNDI tree,
    so the type of my datasource object becomes com.evermind.sql.OrionPooledDataSource.
    But in my JSP code I can use only a DataSource object, not a ConnectionPoolDataSource object, because of the java.lang.ClassCastException.
    Please help me to understand how to use ConnectionPoolDataSource.
    Thank you

    Please post this question on the application server forum at:
    http://forums.oracle.com/forums/forum.jsp?id=486963
    Thanks,
    JR

  • How to use an object's paint method

    I have created a class imagePanel which extends a JPanel to display an image. When I create a new imagePanel object I pass it an image argument which is used to paint my image on the JPanel; so far so good. I don't wish to have to continuously create new imagePanels to display new images, so I thought I could make a set_Image method that would set a new image in an existing imagePanel object. This is where I run into problems: how to use the existing object's paint method to replace the image. I tried this without success:
    public Image setMyImage (Image myImage)
    imageX = myImage; // imageX is the image that is painted by the imagePanel object's paint method
    paint(g);
    Something must be wrong on how I access the paint method. Thanks for any help.
    Jack

    Yahoooo, got it. This was the code I needed and thanks for your help:
    public void setImage (Image myImage)
    {
    imageX = myImage;
    repaint(300);
    }

  • How to use BOR object?

    Hello,
    We have never used a BOR object. We want to use the FIPP object. How can we do it? How can we call the Post method?
    Thanks a lot.
    Edited by: LM on Sep 8, 2008 11:07 AM

    Hi
    Refer to the links,
    Problem with POST method of FIPP
    FIPP Workflow
    Regards
    Sumit Agarwal

  • How to use same object in another vi file.

    Hi, I am new to OOP in LabVIEW.
    How do I use (ACCESS) the same object in multiple VI files in LabVIEW?
    In C#, if we use the same namespace, then we can access the object.
    I don't know how to do it in LabVIEW.
    I also need to know how to use OOP in large applications.

    Well LVOOP tries to be this...
    And the Actor Framework tries to be this... Using some of LabVIEW's object oriented components.
    You can have LVOOP without Actor Framework, but you can't have the Actor Framework without LVOOP.  You can however have other actor based designs without LVOOP but honestly few go this route because classes help force the developer to work inside the constructs of the design.
    Also quit yelling so much.  And before you try taking on LabVIEW's object oriented designs (and Actor for crying out loud) I'd suggest taking some beginner training which can be found at the bottom of this page.
    https://decibel.ni.com/content/docs/DOC-40451
