HR infotype authorization

Dear all,
I have created a role, for example "A", which is authorized only for creation of an infotype, for example 0002. In role "A" master data:
Authorization level            w,R   
Infotype                       0002
Personnel Area                 *   
Employee Group                 *   
Employee Subgroup              *   
Subtype                        *   
Organizational Key             * 
but I am unable to understand how to give only infotype change and delete authorization to role "B".
Please guide me, and also what is the simple definition (what function they have in authorization, in a simple way) of:
S (write locked record; unlock if the last person to change the record is not the current user),
E (write locked record),
D (change lock indicator)
Regards
Rayyan

Shahid,
There is not a way to separate the Create/Change/Delete functionality on HR Infotypes for objects like P_ORGIN. Unfortunately these are the limitations of SAP HR Security only using the "W" authorization. At my client we had to build processes around this and ensure the correct HR Master Data group was centralized for responsibility and authorizations, as well as turned on audit logging for reporting.
Thanks,
Matt

Similar Messages

  • HR-ABAP Infotype Authorization issue!

    Hello Experts,
    Need your quick suggestions and inputs, which we're currently facing in our project.
    We're using the PNPCE Logical Database for processing/retrieving the records from infotypes and ALV reports are generated.
    Currently, we have an authorization control which will restrict the user roles in accessing certain infotypes. Thus, the user role is assigned with necessary infotype access in PFCG.
    Now the issue is if a particular user role does not have the authorization to infotype XXXX, which is defined in the Global Declaration (Top Include) in the INFOTYPES statement. Eg: INFOTYPES: XXXX.
    Thus, when the report is executed, the following XXXX infotype authorization is checked as it is defined in INFOTYPES statement, but since the user role is not given the XXXX infotype authorization in PFCG the report execution fails when it checks the infotype authorization when it enters GET PERAS. Thus, a blank screen is thrown with standard SAP error... "No authorization for XXXX infotype".
    Is there any way this error message which blocks the execution of the report can be by-passed? If yes, please help to suggest the necessary steps to do so. Thus, the report execution should not be blocked and the ALV report should be displayed with blank values for those XXXX infotypes which do not have authorization even though defined in the INFOTYPES statement in the Top Include.
    Hope I am clear in describing the major issue that we're currently facing.
    Any inputs to get this issue resolved will be highly appreciated.
    Thanks in anticipation.
    Regards,
    Sundar

    Have you explored the option of using the BAdI HRPAD00AUTH_CHECK?
    ~Suresh

  • Infotype authorizations at Company Code level

    The project I am working on has two company codes 1000 & 1100.  The user requirement is that a person working in one company should be able to make changes only to employee data of employees in his/her company and to have only read authorizations for employee data from the other company.
    I've tried creating a role for Company 1000's employees where the authorization object P_ORGIN has Personnel Areas for that company code itself and all permissions (read, write etc.) and another role with read access to all Personnel Areas.  However, when assigned to a user, they are still able to access data from the other company (i.e. the company whose personnel areas were not listed in the first role). 
    Any ideas what I am doing wrong and how I can resolve them?

    Authorization level            *
    Infotype                       *
    Personnel Area                 1000's Personnel Areas
    Employee Group                 *
    Employee Subgroup              *
    Subtype                        *
    Organizational Key             *
    Authorization level            R
    Infotype                       *
    Personnel Area                 1100's Personnel Areas
    Employee Group                 *
    Employee Subgroup              *
    Subtype                        *
    Organizational Key             *
    This config should work.
    Or can you post the values you entered in all the HR authorization objects in your role so that we can check. (P_ORGIN, PLOGI, P_PERNR etc)
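
The reply above asks for the values from every HR authorization object in the user's roles because a P_ORGIN check passes as soon as any single authorization, from any assigned role, matches all fields. The following is an added example, not code from the thread and not SAP's implementation: a simplified model of that evaluation that names the authorization responsible for an unexpected grant. Role names and personnel areas (A001, A002, B001) are constructed; implied authorization levels, P_PERNR and structural authorizations are not modelled.

```python
FIELDS = ("AUTHC", "INFTY", "PERSA", "PERSG", "PERSK", "SUBTY", "VDSK1")


def covers(allowed_values, wanted):
    """True if one maintained value matches: '*', exact, or a trailing-* prefix."""
    return any(v == wanted or (v.endswith("*") and wanted.startswith(v[:-1]))
               for v in allowed_values)


def auth(name, authc, persa, infty=("*",)):
    """Build one P_ORGIN authorization; fields not passed are '*', as in the post."""
    values = {f: ("*",) for f in FIELDS}
    values.update(AUTHC=tuple(authc), PERSA=tuple(persa), INFTY=tuple(infty))
    return name, values


def granting(authorizations, **request):
    """Names of the authorizations that pass the check on their own.

    Fields are AND-ed inside one authorization; authorizations are OR-ed,
    so an empty list means the access is denied.
    """
    wanted = {f: request.get(f, "") for f in FIELDS}
    return [name for name, values in authorizations
            if all(covers(values[f], wanted[f]) for f in FIELDS)]


# Constructed personnel areas standing in for "1000's" and "1100's" areas.
CO_1000 = ("A001", "A002")
CO_1100 = ("B001",)

# The two authorizations described in the post.
INTENDED = [
    auth("Z_CO1000_MAINTAIN", ["*"], CO_1000),
    auth("Z_CO1100_DISPLAY", ["R"], CO_1100),
]

# Hypothetical third role that is also assigned to the same user.
LEGACY = auth("Z_LEGACY_HR_ALL", ["W"], ["*"])

if __name__ == "__main__":
    req = dict(AUTHC="W", INFTY="0002", PERSA="B001")
    print("intended roles only:", granting(INTENDED, **req))
    print("with legacy role:   ", granting(INTENDED + [LEGACY], **req))
```

An empty result for the two intended roles together with a hit on a third role is the pattern to look for when a user can still change data in the other company.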

  • Report authorization

    The authorization check on reports based on PNP/PNPCE logical database (both SAP and custom), I think is not working as suggested by SAP.  We have reports that have information on some sensitive information on employees.  From what SAP suggests if the user has infotype authorization then it should display all (including sensitive ) and if the user does not have authorization to view one infotype then it should display everything except this one infotype.  BUT in our place if a user does not have authorization for one infotype the reports stop saying no authorization for that particular infotype.
    I have experimented this with P_ABAP with switch 1 and 2.  It still does not resolve the issue. 
    It works fine on the structural profiles side.
    I would appreciate if somebody can tell me if my assumptions are wrong or there is a way to make it work.
    Thanks,
    Net

    Any ideas???

  • HR Authorization Specific Scenarios.

    Hi all, I am faced with the following scenarios and trying to see if my solution is correct;
    There is a group of HR Users in the company and each HR user in the HR department is not allowed to view each other's Personal Data. However the challenges come with these 2 exceptions;
    1. 1 User is able to approve the leave of another, meaning there must be some maintenance access to allow Write to say IT2001 (Absences)
    2. 1 or more HR users will run Payroll for the HR department. Again, more infotypes need to be read in order to achieve this.
    To separate the access within their own staff, I implement a value in IT0001-SACHP (value 001) so that they are restricted in their profile to their own HR Grouping. Their profile has all access except 001.
    For the ability to approve Leave and also perform payroll, am I right to specify P_ABAP to say that I bypass IT check for the reports/programs related to the leave approval and Payroll run?
    Advice is greatly appreciated!

    Hi,
    I don't think P_ABAP bypasses Program authorization. It's for Reports.
    To quote :
    P_ABAP does not affect the authorization to start reports (this controls the program execution checks). Simplifies and accelerates additional individual checks in HR reports, or switches them off entirely.
    If the user, as a general rule, is permitted to carry out uncritical reports (e.g. creating a list of telephone numbers), then do not assign an authorization for the object HR: Reporting (P_ABAP).
    Using P_ABAP in HR Reporting:
    You can use the relevant authorizations for this object to control how the objects P_ORGIN, P_ORGXX, and the customer-specific authorization object P_NNNNN are used in the specified reports to check the authorization of HR infotypes.
    You can also use reports to control the infotype authorization check. This can be useful for functional reasons or to improve performance at runtime of the corresponding reports.
    For this object, enter the report name(s) in the REPID field and the degree of simplification to be used for the authorization check in the COARS field.
    The following degrees of simplification are possible:
    COARS = <BLANK> or no authorization.
    COARS = 1. The authorization checks for the infotype/subtype combination and for organizational assignment are to be checked separately.
    This means that a user is authorized to read a personnel number when he or she has a read authorization for all the infotypes (subtypes) requested by the program and that the user has a read authorization for the organizational assignment of the personnel number.
    COARS = 2. The authorization check is inactive.
    Note that an ABAP authorization for report SAPDBPNP with COARS = 2 means that all HR reports based on the logical databases PNP or PAP (nearly all reports) cannot perform any more authorization checks. In general, you will only want to deactivate the authorization checks for a very small number of Reports. In case of doubt, do not assign your users authorizations for the P_ABAP object.
    Furthermore, this authorization object differs from the object S_PROGRAM (ABAP: Program Run Checks).
    The latter is used for general program authorization checks.
    In HR reports, these checks are carried out in addition to the HR infotype authorization check. HR Reporting, however, overrides the HR infotype authorization check for selected reports, with the result that the authorization checks are weakened or completely switched off.
    SAP_EMPLOYEE_ERP is available only in mySAP ERP 2004 ;
    Regards,
    Remi

  • Authorization newly created user

    hi experts,
    can any body explain, what infotype/authorization will be required for newly created user of HCM.
    Thanks,
    Waqas
    You should first go through the
    [SAP Help|http://help.sap.com/saphelp_erp60_sp/helpdata/EN/48/efa441d54eae5fe10000000a1550b0/frameset.htm]
    & then seek help for specific issues. Please do not post vague questions.
    Edited by: Suresh Datti on Aug 13, 2009 5:10 AM

    Hi Waq,
    Infotype access can be given based on client requirement. Whatever infotypes they will be using for their requirement, you can add under the role. A role can be created via Tcode PFCG. There are 2 objects, named P_ORGIN & P_ORGXX, that can be used for giving infotype access under field INFTY.
    The created role can then be assigned to a user via Tcode SU01.
    If you want to give Tcode access, then authorization objects P_TCODE & S_TCODE can be used.
    Regards,
    Purnima

  • Default Authorization object P_ABAP for PA20

    Dear colleagues!
    After SP implementation roles were adjusted and a new authorization check for P_ABAP was added for transaction PA* (PA20, PA30...).
    Where are the HR reporting checks in these transactions? Is it critical for personnel data maintenance or used only for sub-menu reports?
    Trace for PA20 shows the following values for P_ABAP check (PA20-Goto-Planning Data-...):
    P_ABAP     RC=12 REPID=SAPMP50A;COARS=2;
    P_ABAP     RC=12 REPID=SAPDBPNP;COARS=2;
    SAP Release ERP 6.0 EHP4 (10 stack)
    Regards,
    A.M.

    Hi,
    The values mentioned for P_ABAP here is not necessary to be added in a role. SAPDBPNP is a logical database and providing P_ABAP with degree of simplification (COARS) = 2 is very dangerous, as it will bypass any authorization check while executing reports related to that logical database.
    Providing such values will disturb your entire authorization design: even though you might restrict a user to a few Infotypes in P_ORGINCON, with this value any report using this logical database bypasses the check for Infotype authorization or structural auth restriction.
    To suggest a possible solution, I would like to know exact activities intended to be done with PA20 and level to access provided in P_ORGINCON. Please can you share that here?
    Thanks,
    Deb
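
The quoted P_ABAP documentation and the reply above both single out REPID = SAPDBPNP with COARS = 2 as the combination that switches off infotype checks for nearly all HR reports. The following is an added example, not code from the thread: it scans role authorization values for that combination. It assumes a CSV export in the column layout of table AGR_1251; the sample rows, role names, authorization names and the report name ZHR_PHONE_LIST are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per role / object / authorization / field / value.
SAMPLE_AGR_1251 = """\
AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_HR_PAYROLL,P_ABAP,T-HR000100,REPID,SAPDBPNP,
Z_HR_PAYROLL,P_ABAP,T-HR000100,COARS,2,
Z_HR_DISPLAY,P_ABAP,T-HR000200,REPID,ZHR_PHONE_LIST,
Z_HR_DISPLAY,P_ABAP,T-HR000200,COARS,2,
Z_HR_ADMIN,P_ABAP,T-HR000300,REPID,SAP*,
Z_HR_ADMIN,P_ABAP,T-HR000300,COARS,*,
Z_HR_CLERK,P_ABAP,T-HR000400,REPID,SAPDBPNP,
Z_HR_CLERK,P_ABAP,T-HR000400,COARS,1,
Z_HR_SPLIT,P_ABAP,T-HR000500,REPID,SAPDBPNP,
Z_HR_SPLIT,P_ABAP,T-HR000500,COARS,1,
Z_HR_SPLIT,P_ABAP,T-HR000501,REPID,ZHR_PHONE_LIST,
Z_HR_SPLIT,P_ABAP,T-HR000501,COARS,2,
Z_HR_CLERK,P_ORGIN,T-HR000401,INFTY,0002,
"""


def value_covers(low, high, wanted):
    """True if one maintained value (single, trailing-* pattern, range) covers `wanted`."""
    low, high = low.strip(), high.strip()
    if high:                       # LOW..HIGH range, compared as plain strings
        return low <= wanted <= high
    if low.endswith("*"):          # "*" or a prefix pattern such as "SAP*"
        return wanted.startswith(low[:-1])
    return low == wanted


def checks_disabled_for(rows, repid="SAPDBPNP"):
    """Return sorted (role, authorization) pairs granting COARS=2 for `repid`.

    REPID and COARS must match inside the SAME authorization, so values are
    grouped per (role, authorization) before they are compared.
    """
    auths = defaultdict(lambda: defaultdict(list))
    for row in rows:
        if row["OBJECT"] == "P_ABAP":
            key = (row["AGR_NAME"], row["AUTH"])
            auths[key][row["FIELD"]].append((row["LOW"], row["HIGH"] or ""))
    findings = []
    for key in sorted(auths):
        fields = auths[key]
        repid_hit = any(value_covers(lo, hi, repid) for lo, hi in fields["REPID"])
        coars_hit = any(value_covers(lo, hi, "2") for lo, hi in fields["COARS"])
        if repid_hit and coars_hit:
            findings.append(key)
    return findings


def load(text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    for role, auth in checks_disabled_for(load(SAMPLE_AGR_1251)):
        print(f"{role}: authorization {auth} switches off HR checks for SAPDBPNP")
```

Z_HR_SPLIT is not reported for SAPDBPNP because its REPID and COARS = 2 values sit in different authorizations, while Z_HR_ADMIN is reported because wildcard values cover both fields.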

  • PA30 Display Facsimiles Authorization Issue

    Dear All,
    I am facing an authorization issue in the PA30 transaction. The user is trying to display the archived documents from PA30 > Extras > Display All Facsimiles; when executing it, he faces the authorization issue below.
    You have no authorization to display the facsimile
    Message no. PG424
    I have analyzed this issue; it is a lack of infotype authorization, but I am not sure which infotype we have to give under the P_ORGIN authorization object. SU53 is not showing anything for infotype; it shows ' ' in infotype.
    I checked the below SAP notes also.
    1562091 - Display all facsimiles: Incorrect Message PG424/PG425
    1990223 - HRFORMS : Can not view archived documents in PA20
    373063 - Authoriztn for applicnts opticl archv does not work
    The user gets access if I maintain star (*) or (' '). Please help me to solve this issue.
    Thanks
    Kishore ch

    Hello,
    You can check which Infotype your archived document is linked to in table V_T585O. A user will require read authorization for that infotype as well as an authorization for S_WFAR_OBJ for the document type. If I'm not mistaken you may even need S_TCODE or P_TCODE for transaction SDV.
    Secondly, I would not advise you to rely only on SU53 data for authorization checks as it only shows the last failed authorization check. You'll get a better view on what's going on by using the system trace (ST01) or the authorization trace (STAUTHTRACE).
    It seems a bit odd to me that assigning P_ORGIN with value ' ' for INFTY would solve the problem as that is the dummy value and should match with any other INFTY value your user has. Seeing as he/she has PA30 then I assume he/she will already have an authorization for P_ORGIN. Check the settings in V_T585O for the document type. Maybe someone made a mistake there and left the Infotype cell empty instead of "-".
    Good luck
    Brent

  • Error return immediately using GET pernr (PNP logical db)

    I have a requirement to use the HR PNP logical database for a report. The report should display the values from the employee's infotypes. Should the user not have authorisation on one or more infotypes, the column field for that infotype should be left blank.
    I tried using 'Get Pernr' but the system will return an error immediately that the user does not have authorisation on any of the infotypes. Please advise how I should code my report in order to fit my requirement.

    There is a function module to disable the infotype authorization check (do a wildcard search in SE37 for 'HRINFAUTH*'). Call that before the Get Pernr event & implement explicit authorization checks in your program.
    ~Suresh

  • Candidate Profile - External Candidates- Data not saving

    HI All,
    I have developed a custom Web Dynpro application and added it to the Candidate Profile.
    This custom Web Dynpro application is updating a custom infotype.
    When I run the candidate profile application for external candidates, it does not save data in the custom infotypes, but it is working (saving) fine for internal candidates.
    Also I noted that the standard Education application updating the standard infotype is saving data and working fine even for external candidates.
    Can anyone help me on this?
    Is it an infotype authorization issue?
    Thanks,
    Shilpa.

    Hey Nicole,
    Can it be some infotype level authorizations that we need to maintain?
    Because the standard application for education, updating infotype 5104, is working fine for both internal and external candidates.
    But my custom application updating the custom infotype (9XXX) is working fine (i.e. saving data) for internal candidates but not for external candidates.
    Thanks,
    Shilpa.

  • Infotype 1001 skipped due to lack of authorization

    Hi,
    I am using PP03 for maintaining the Organisation Unit relationship with Cost Center, but I am getting this information message.
    Although I have * in the PLOG object in authorisation.
    Please let me know where the problem would be.
    Thanks,
    Viru

    Hello,
    Authorization check failed
    Object Class HR   Human Resources
    Authorization Obj. PLOG       Personnel Planning
       Authorization Field INFOTYP   Infotype          1001
       Authorization Field ISTAT     Planning Status   1
       Authorization Field OTYPE     Object Type       S
       Authorization Field PLVAR     Plan Version      01
       Authorization Field PPFCODE   Function Code     INSE
       Authorization Field SUBTYP    Subtype           <Dummy>
    Check if this is the case if you're getting the message.
    Regards,
    Regi ALex

  • Authorization Issue with infotype

    Dear Gurus,
    There are a couple of Customer ITs that have been created, for which I have also assigned the authorization. But for some of these Infotypes, though the user has no authorization, he is able to access it.
    Can you guys give me a heads up on what might have gone wrong...
    Regards
    Vijaya Sankar

    Vijay,
    You may have already tried this but the first thing that pops into my head is to use SUIM.
    Roles -> Roles by authorization values  ->  plug in P_orgin or P_orgincon  (Whichever object you use)  -> then under infotype plug in the value of the infotype you DON'T want them to see.  Hit execute.  Then compare those roles to the access your users have.
    Thanks,

  • How to set authorization for only Create infotype record

    How can I set the authorization so that the user can only create Infotype 14,15,2010,2001,2006 but cannot change and delete the record for these infotypes.
    But user has the authorization to create,change and delete other infotypes.

    Hi irene,
    1. For this we have to use the authorisation object P_ORGIN
    2. It has got the following fields, on which authorisations can be controlled.
    AUTHC     Authorization level
    INFTY     Infotype           
    PERSA     Personnel Area     
    PERSG     Employee Group     
    PERSK     Employee Subgroup  
    SUBTY     Subtype            
    VDSK1     Organizational Key 
    regards,
    amit m.

  • Authorization-Infotype Bank details

    Hi All,
    While changing infotype 0009-Bank Details, we are facing the authorization missing for SAPDBPNP.
    Please throw some light on why this would be needed to modify infotype bank details.
    Thank you.
    Regards.
    Nishy

    Hi,
    This is related to your authorization issue because PNP is the Logical Data Base. Take a screen shot of SU53 and discuss with your basis team.
    Thanks,
    Dora.

  • ABAP: Modify PA infotype without authorization check

    Hello everyone,
    Short version:
    I know two FM that can modify PA infotype data:  HR_MAINTAIN_MASTERDATA and HR_INFOTYPE_OPERATION. However, neither of those includes a parameter that allows using them without them automatically checking authorizations (like you can do with, say, FM RH_INSERT_INFTY which has parameter AUTHY to disable authorization checks but only works with OM infotypes, but not PA infotypes).
    Does anybody know a solution?
    Long version:
    We want the travel department to be able to maintain infotype 17, and only infotype 17. In fact, there are only two fields there that need to be maintained in our company. That department should not have access to any other infotypes, and we are not going to give them PA30. On the other hand, they shall be able to do so for any employee, no matter from which personnel area, subarea, and organizational unit.
    So I have created a small program with a mask specifically tailored to their needs. But we do not want to give them any PA authorizations. Giving them P_ORGIN to infotype 17 might not be a big deal, but then we would also need to give them structural authorization to all companies (= org units and personnel areas). Unlimited structural authorization is a big deal, and I would rather avoid granting that to someone who is not supposed to be doing anything but this tiny bit in HR. The only authorization that I would like to see in place is transaction authorization for my program. Anyone who has that should be allowed to maintain these IT 17 fields for any employee, but nothing else.
    The problem is that upon writing the data, FM HR_INFOTYPE_OPERATION auto-checks the authorization required for maintaining the infotype, including structural authorization, and so does FM HR_MAINTAIN_MASTERDATA, as far as I understand. Is there an alternative I could go for?

    ECM stands for Employee Compensation Management and is one of the SAP HR modules.
    But I doubt you can use an ECM-specific function module to modify/insert infotype 17 values, as below are the main infotypes for the ECM module.
    Employee Infotype   Description
    0758                Compensation Program
    0759                Compensation Process
    0760                Compensation Eligibility Override
    0761                LTI Granting
    0762                LTI Exercising
    0763                LTI Participant Data
