P_ORGIN
I have to add access to a user in HR with authorization object P_ORGIN.
Currently she already have access to certain infotypes but only to a specific employee subgroup.
I need to give her additional access to infotype 2001 for all the employee subgroup.
Question is P_ORGIN being checked as a block or will it take the combination of all the P_ORGIN data that she has. Meaning when I give her * to the employee subgroup in one role, she can now have access to all the employee subgroup for the infotypes that she has from her other role.
Thanks in advance for the response.
Angel,
Question is P_ORGIN being checked as a block or will it take the combination of all the P_ORGIN data that she has. Meaning when I give her * to the employee subgroup in one role, she can now have access to all the employee subgroup for the infotypes that she has from her other role.
If infotypes are same then * will overdie(she can now have access to all the employee subgroup ). Whether you create two roles or one role.
eg1:
infotype: 2001
Subgroup: A
eg2. Infotype: 2001
Subgroup: *
If infotype is different then * will not override.
Infotype: 2001
Subgroup: A
eg2:
Infotype: 2002
Subgroup: *
Thanks,
Sri
Similar Messages
-
How to delimitate the authorization on BI based on HR auth. object P_ORGIN
Hi all,
I need to insert in my BI role one authorization object to delimitate the view of data in the report (data are extracted from and SAP HR system) based on Personnel Area. On the HR system I have the authorization Object P_ORGIN that can be filled inside the roles for what concerns the value of Personnel Area.
How can I apply the same limitation inside the BI role?
Many Thanks,
ValentinaHi,
R u using any other roles . If yes then open that roles and add object p_origin .It should work.
Regards
Nilesh -
Authorization Check Failed for HR P_ORGIN on VDSK1
Hi Experts,
We have an issue where an HR secretary is making an address change to an employee via pa30. She is successfully able to save the change with no warning on the screen. However, when we run /nsu53 immediately after, we see that there was an authorization check failed. The check failed is in class HR, object P_ORGIN. The field is VDSK1. We have values defined there, whereas SAP is requesting a *. We do not want to use the *, but the value in VDSK1 is correct and should not be failing.
Anyone ever see this issue before?
Thanks
ShaneHi Shane,
Since the secretary was able to save the record I assume there is no issue with the role. SU53 always shows last failed authorisation check. Even if transaction has been succesful you normally find failed authorisation checks from SU53. In your case I assume that PA30 checks first that if user happens to have P_ORGIN with * value in VDSK1. If not then it checks employees infotype 0001 and organisational key and tries to match that to the value in the role. If you pass this check SU53 will still show failed check where VDSK1=*.
So this is normal behaviour for SU53 and nothing to be worried about. Annoying is when SU53 gives something sill as last check after error. Annoying are SU53 reports from users to add S_DEVELOP with Debug object because programmer has decided to leave break-point to program.
cheers, s -
HR Authorization : Custom Authorization Object for P_ORGIN
Hi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've ran the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
but still it is taking the P_ORGIN objectOnline Help
<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm">P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)</a> -
Error "Inconsistancy in the auth object P_ORGIN"
Hello Gurus,
I have to add a tcode which involves auth object P_ORGIN. When I add the tcode and go to authorization tab then it gives the error as "Inconsistancy in the auth object P_Orgin"
Please let me know how should I add the tcode now. Thank you !
Regards,
MAPLease provide tcode
The reason why the profile generator cannot correctly insert the
default values of these transactions is due to a data inconsistency in
table USOBT_C (default values for customers). The table does not
contain an entry for field BTRTL of authorization object P_Orgin.
You can immediately correct the incomplete data in your customer table
USOBT_C using the following steps:
Step 1 Execute transaction SU24
Step 2 Enter the transaction affected by this error ie XXXX
Step 3 "Change check indicator" (F6) in the application toolbar.
Step 4 With "Display field values" (F7) you check the default values of
P_Orgin. Please document the values.
Step 5 Go back to the previous screen and set the check indicator from
"Check/maintain" to "Check" for P_Orgin.
Step 6 Set the indicator for P_Orgin back to "Check/maintain".
Step 7 Choose the function "Change field values" (F6) and insert the
formerly documented values for AUTHC in object P_Orgin.
Now you see also the field BTRTL being presented.
Save the changes.
Repeat steps 3-7 for each of the transactions affected.
Hope you are clear with the steps.
Thanks,
Prasant
Edited by: Prasant K Paichha on Mar 3, 2010 3:01 PM -
Add Authorization field to Authorization Object (BTRTL to P_ORGIN)
Hi,
Could anybody please let me know the steps to add authorization field to an authorization object.
I want to add authorization field (BTRTL) to authorization object (P_ORGIN).
Please suggest..
Thanks is advance!Hai..
Goto SU03- access Class HR -> Object P-ORIGIN-> then check/create the values for the field BTRTL.
For checking authorization Reports, we use command 'AUTHORITY-CHECK OBJECT'. -
Restrict user on custom report by using P_orgin
Hi
I have a requirement of restricting the view of a custom HR report based on Personnel Area(PERSA). I am using the standard authorization object "P_ORGIN" and call the following in my code, still I am not being able to restrict the view of the report based on PERSA.
The test user id created has the role rest
CALL METHOD zyclmdmim_authority_chk=>zyxapm_authority_check
EXPORTING
infty = '0001'
authc = 'R'
persa = '0684'
EXCEPTIONS
noauthorization = 1
OTHERS = 2.
method zyxapm_authority_check.
authority-check object 'P_ORGIN'
id 'INFTY' field infty
id 'AUTHC' field authc
id 'PERSA' field persa.
if sy-subrc <> 0.
raise noauthorization.
endif.
endmethod.
Regards
Swarnali
Edited by: swarnali_IBM on Jan 28, 2012 9:10 AMHi Swarnali
You can use codee below
CALL METHOD zyclmdmim_authority_chk=>zyxapm_authority_check
EXPORTING
infty = '0001'
authc = 'R'
persa = '0684'
EXCEPTIONS
noauthorization = 1
OTHERS = 2.
method zyxapm_authority_check.
authority-check object 'P_ORGIN'
id 'INFTY' field infty
id 'AUTHC' field authc
id 'PERSA' field persa.
if sy-subrc NE 0.
raise noauthorization.
endif.
endmethod. -
Is there a BAPI for updating hundreds of HR roles (P_ORGIN)?
I need for hundreds of HR roles that have P_ORGIN auth. object to copy the P_ORGIN object to P_ORGINCON object.
As PFCG is an enjoy SAP tx, I cannot do BDC and I am wondering if there is a BAPI to do this process.
Thanks.Hi Nadine,
did you get an answer on this as yet? We will be having the same tedious task.
Regards Dries -
Bypass P_orgin auth check for standard MSS reporting
Hi SAPers,
on my HR system, I have 2 types of users : ESS/MSS users (via portal) and backend users (via sapgui).
ESS/MSS role does not contain any P_ORGIN authorization because it should be added to their authorizations if they are also backend users.
The problem is coming from standard MSS reports : the "time statement overview" among other report needs P_ORGIN (IT 0, 1, 2, 7, 8, ...) !
Is there a way to bypass the standard authorization check for MSS reports ?
Thanks in advance,
Olivier.>
Olivier TACA wrote:
> Example :
>
> Portal Role for ESS user contains P_ORGIN for IT 0006 (Address)
>
> Backend Role for backend user contains P_ORGIN for IT 0002 (Personal data) ... and S_TCODE for PA30 of course.
>
> The backend user, who is also an ESS user, can manage IT 0006, which is not foreseen in the backend role.
>
> I use P_PERNR for the portal role to manage access to infotype.
I see two issues here:
1. ESS is NOT setup correctly.
- You don't need P_ORGIN for ESS. You only need P_PERNR. The trace might even show an error looking for P_ORGIN but you do not need it. This is an example of a role I have using ESS services for addresses. I don't have P_ORGIN, P_ORGINCON or P_ORIGXXCON. Do NOT use PA30, for ESS, that is very dangerous. The ESS services can be added to a role and should be use for ESS.
Here is an example of what I have:
Manually HR: Master Data - Personnel Number Check P_PERNR
Manually Address Change - Permanent and Emergency
Authorization level D, E, M, S, W AUTHC
Infotype 0006 INFTY
Interpretation of assigned per I PSIGN
Subtype * SUBTY
2. MSS - I can't find the service for the report you are looking for. If you provide the MSS service I can run some traces and probably help you isolate your problem. Example of an MSS service (sap.com/mss~pla/PlanningPrimaryCosts).
I hope I didn't sound too harsh; I am just trying to help.
Regards,
-John N.
Edited by: John Navarro on Aug 5, 2008 5:46 PM -
Inconsistencies in P_ORGIN for Transaction code PU00
Hello Gurus,
I am getiing a inconsistancy error in the auth object P_ORGIN when I try to add a tcode PU00 and while going into the authorization tab.
I understand that this need's to be corrected in SU24 for the tcode PU00 and deleting the proposed values and saving the settings then modifying the role and then changing back to the previous authorization values. I checked that the tcode PU00 has these values currently.
P_ORGIN AUTHC M
P_ORGIN AUTHC R
P_ORGIN AUTHC W
P_ORGIN INFTY
P_ORGIN PERSA $PERSA
P_ORGIN PERSG
P_ORGIN PERSK
P_ORGIN SUBTY
P_ORGIN VDSK1 $VDSK1
Please let me know if I need to delete all these values then save the settings and then modify the role. I see that it prompts a workbench request for this changes.
Regard's,
SalmanHi Salman
Yes, you would need to delete the objcet P_ORGIN and add it back with the same values as listed. It will promt you to create a workbench request. Once changes are done you can go to the role in transaction PFCG and authorization tab go to "Expert mode for Profile Generation" and check on "Read old status and merge with new data" to import the changes in the role.
Once the changes are done in the role, generate the role.
Thanks.
Anjan -
PT60 the field Personnel Area( PERSA ) of the authorization object P_ORGIN
Hi,
When running transaction PT60 the field Personnel Area( PERSA ) of the authorization object P_ORGIN is not checked.
I have run SU24 ,the objects are there with chech indicator of authorization object = "CHECK".
What can I do about it ? Is there any note to fix this ?
thanks!
Olivia YangHi,
In object P_ORGIN what you need to check for authorisation is it on Personnel area or PSA.Actually we have org.key for authorisation which is define in P_ORGIN.If you can define org. key as PA/PSA/EG/ESG you can check the authorisation for specific users.
Regards,
Snita -
Object P_ORGIN inconsistent
Hi all,
I have created a new Role and inserted the Tcode OOOE in the menu tab and when click on change authorization data in Authorization tab it pops up with an error message
Authorization default values of transaction OOOE for object P_ORGIN inconsistent.
Message no. 5 @ 015
Diagnosis
The authorization fields included in authorization default values are incomplete or incorrect
System Response
The action is terminated to avoid inconsistent authorization data
Procedure
In transaction SU24, modify the authorization default values in object definition from transaction SU21, and repeat the action.
I have checked the values of P_ORGIN using SU21 & SU24 and they have default values. How to make the P_ORGIN object consistent?
Thanks in Advance
RaviResult of a test in 4.6C and 4.7 system (with up-to-date support package):
The PFCG loads the merged authorization proposals for S_TCODE, PLOG, P_ORGIN and P_TCODE according to the SU24 data for the parameter transaction OOOE and the 'master' transaction PPOM. -> It seems that you have a special problem in your system.
I assume that you have the same problem if you add transactopn PPOM inte a role, because the systems loads these authorization proposals.
The PFCG shows the message if there is an inconsistency between authorization proposals in table USOBT_C and the definition of an authorization object in table TOBJ
My suggestion: Use SU24 to delete the authorization proposals for transaction PPOM, save it and add them again.
P_ORGIN
AUTHC *
INFTY 0000 0001 0002 0003
PERSA <empty>
PERSG <empty>
PERSK <empty>
SUBTY *
VDSK1 <empty>
Please check note <a href="https://service.sap.com/sap/support/notes/745655">745655</a>, too, which might be applicable.
Kind regards
Frank Buchholz -
P_ORGIN object - converting VDSK1 field to Organizational Level field
Hi there,
SAP ECC 6.0 SAP_BASIS 701 0007 SAPKB70107 SAP Basis Component
Looking for input on changind the VDSK1 field in P_ORGIN object to Organizational Level field to use Role Master and subroles(derived) concept. We currently maintain a separate role for each set of Cost Centers and infotypes. On occasion the infotypes
change but means a great deal of manual changes for each P_ORGIN defined role. Our approach is all within the P_ORGIN object - no structural auth in place. Any input or experience appreciated. We separate the functional part of the HR acess in one role tcodes/other objects and separate the master data access p_orgin in another role - which is different for each user.
Thanks !Dan,
I hope you already heard about PFCG_ORGFIELD_CREATE, using this we can convert auth field into a org field.
There are snotes aswell on this. Please do a search in SMP.
Thanks,
Brahmeshwar. -
P_ORGIN and P_ORGXX?
Guru's
What are P_ORGIN and P_ORGXX?
Thanks,
HarishHi ,
These 2 are the authorisation objects ,
P_ORGIN consisting of fields
AUTHC Authorization level
INFTY Infotype
PERSA Personnel Area
PERSG Employee Group
PERSK Employee Subgroup
SUBTY Subtype
VDSK1 Organizational Key
and
P_ORGXX consisting of fields
AUTHC Authorization level
INFTY Infotype
SACHA Payroll Administrator
SACHP Administrator for HR Master Data
SACHZ Administrator for Time Recording
SBMOD Administrator Group
SUBTY Subtype
Once these are provided to the user , he/ she can access the data accordingly .
Let us take for example there is a role maintained for a user
THis is how it looks for a user in SU01
Standard Cross-application Authorization Objects
Standard Transaction Code Check at Transaction Start
Standard Transaction Code Check at Transaction Start
Transaction Code PA51, ZPTR0011
Changed Human Resources
Changed HR: Master Data
Changed HR: Master Data
Authorization level R
Infotype 2006, 2007
Personnel Area HYD, BGL
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key *
Inactiv Standard HR: Clusters
Inactiv Standard HR: Master Data - Personnel Number Check
Now this employee is capable of looking into data from 2 personal areas HYD and BGL only .
Also if this being maintained can be used in the custom reports(Z-report) as well for restricting the data according to locations .
Hope this helps .
Regards
SureshP -
Relation into P_ORGIN and INFOTYPE 105 SUBTYPE 0001
Hello, at the moment I have a problem, I add the user's name in the infotipo 105 and subtype 0001 but this cause that the user can see his data in the infotipo 0001, when at level of P_ORGIN one has specified that alone he can see personal to his position by means of the organizational key.
Does this infotipo have some precedence on the P_ORGIN?when at level of P_ORGIN one has specified that alone he can see personal to his position by means of the organizational key.
At VSK1 level
P_ORGIN
INFTY - Info type
SUBTY
AUTHC- Authorization Level
PERSA u2013 Personnel area
PERSG u2013 Employee group
PERSK- Employee sub group
VDSK1- Org Key
Maybe you are looking for
-
Hi, We are seeing a difference while doing an automatic posting and manual posting of an GL transaction. After posting a document, going to T.code:FB03 giving the document number and looking into the document and from there going to Environment>Docum
-
How to create a context node for "IBHeader" at the view "BuPaIBaseDetail"?
hi, experts for the requirement, i have to get data from a root BO-IBHeader in the view of "BuPaIBaseDetail".But the view already has IBHeader's child object-"IBComponent", whose controller class is "CL_CRM_IC_BUPACONTROLLER_CN08", how can i create t
-
T Edited by: user647180 on 13-Mar-2010 8:50 PM
-
Upgrading from 10.3.9 to Tiger onto iMacG4 (flat panel)
Ok, heres the issue. When attempting to solve some minor software issues with a co-workers compy, (mail and safari would bounce once and fail to operate) i chose the Archive and Install option from OSX 10.4.X and what not. Her old version was OSX.3.9
-
Series of movie clips for advertising bar
this might be a pipe dream, but i would like to create an ad bar on my church's webpage. I would like to just create a series of movie clips and have them each play through for a period of time, then switch to the next. I would like to create the tra