PNP LDP Authorization
Hello All,
I am using PNP LDP on my report, the authorization are skipping some personnel numbers saying insufficient authorization. But my program requires all the personnel number to be downloaded, please let me know how this can be achieved.
Thanks.
When using PNP the system checks your user id security to see if you are allowed to access certain employees. It should to me as if your User ID will not let you view all employees. If you are downloading data to the server then maybe your comapny have a user Id created that has access to all employees so that when the job is scheduled it is able to pick up all employees.
Failing that have a word with your security team to get your access changed.
Regards
J
Similar Messages
-
Disabling PNP ldb authorizations
Hi Experts,
I am fetching data using pnp LDB ,
But due to authorization issue I am not able to access certain data.
Is their any way to disable pnp ldb authorization & get the results.
Thanks in Advance.
Regards,
IFFHi
Answer is pure assumption
Pls check the OSS note
Note 492743 - PNP LDB: Incorrect authorization check
it may give some idea.
Pls take opinion from SAP / Basis before implementing the note
Regards
Madhan D -
Coding ABAP using LDB PNP and authorizations problems
This post requires a blend of ABAP and HCM skills.
When coding my own ABAP using LDB PNP, the LDB will provide me with the employees selected but will skip those for which I do not have access (regarding Authorizations settings) to one or more of the infotypes declared in the program.
As a programmer I would like to receive from the LDB the information that an employee is skipped so that I can handle the exception.
Do you know how can I get this information from the LDB?
ThanksI dont know if PNP can do it but PNPCE can:
at END-OF-SELECTION call macro PNP_GET_AUTH_SKIPPED_PERNRS
it will provide a list of skiped PERNRs
for further info see docu PNPCE -
PNP LDB Authorization skipping
Hi Experts,
We have a custom report reading data from Infotype 0000,0001,0002 and 9001.This is working fine.
There are many SAP users who will use the report.
Users AAXX have 9001 authorization and user BBXX does not have 9001 authorization.
Problem # Report working fine for user AAXX but does not display output for BBXX and throw error massage(like :9001 no authorization).
The requirement is to display data from Infotype 0000,0001 and 0002 for BBXX and field from 9001 will remain blank.
Please share the sloution.
Manoj Lakhanpal
Edited by: Manoj Lakhanpal on May 8, 2011 4:37 AMHi,
Use FM : HR_READ_INFOTYPE_AUTHC_DISABLE to disable the authorization on a particular infotype.
For more info and examples check for where used list on this FM.
Regards,
Srini. -
Authorization on PNP logical database
My limited understanding of authorization on reports that uses PNP/PNPCE logical database is that if a user who runs the report does not have authorization for any of the declared infotypes then the report stops with message 'no authorization for infotype ...'. And if the user has authorization for the infotypes but do not have authorizations for some of the PERNRS then it will only display those records that user have authorization for and shows message saying no. of skipped records (of those that user did not have authorization).
Programmers here say that the users who do not have authorization for some infotypes should still be able to see list for other infotypes that they do have authorization for.
-- Please shed some light on this and guide me if there is a cookbook/document out there about this.
Thanks a bunch.
NetraHi Neha,
Adding further.
Each report is different in its own way and there are various ways of controlling the access to the Reports based on ur scenario.
The first check happens at the P_ABAP level where in it checks the access to the program corresponding to that report and level of access (1,2).
If these are missing then it goes further to check for the explicit access
in objects like
P_ORGIN, P_PERNR etc.
Now in some of these reports the processing is designed in such a way that if the access to an IT is not available it throughs a error message and the processing of the report stops at that instance (this depends on the message type which has been defined at that instance to be displayed) so at this instance you need to have access to that IT to proceed further but in some other cases the check does happen but the processing continues without stopping at that check failure(example is P_PERNR, the check happens but is not required for processing the report).
This is one example but there could even more criterion based on which the processing of the report is terminated or allowed to continue depending on the reports utility
<a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/9f/dbaabc35c111d1829f0000e829fbfe/frameset.htm">The different message types and their significance is as follows</a>
So what you have been told by programmers is true in some cases but surely not accross all the HR reports and all auth objects.
Hope this helps
Manohar
Message was edited by:
Manohar Kappala -
Change in LDP PNP Selection Screen
Dear Friends,
As you all are aware that for LDP PNP we have a selection screen. In the selection screen, Personnel Number field has to be changed as Employee Number. Can some one tell how we can acieve this?
Thanks
SomuHi,
Changing of text will not be possible.
You can change it at data element level which will affect at all places where the data element is used. That is also possible only in ECC.
You can create ur own field if u need and give it a text but then automatic filtering will not be possible.
Regards,
Divya -
Authorization check in LDB PNP
Hi All,
I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
Can you please let me know if any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
Any information provided will be really helpful.
Thanks,
PavanHi,
A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
Thanks,
Pavan -
Authorization checks for PNP LDB
question : how to validate authorization checks for pnp logical database?
2 nd question: hr report
this report is basically for salary survey. in this i had so many fields can any body let me know how
can i form the internal tables. and i have to display overall 150 fields in csv file for that
how can i take in to the final internal table.
what is the logic behind this:
T71JPR09-JOBCODE
PA0000-PERNR
HRP1000-STEXT
P0006-PSTLZ
PA0008-ANSAL * 100 / PA0008-BSGRD
PA0015-BETRG
PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
PA0761-GRADT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
PA0761-ZZGRANT WHERE PA0761-CPLAN = LTI PLAN PSU YEAR 1
PA0761-LTEXT WHERE PA0761-CPLAN = LTI PLAN esu YEAR 1
like that i had.
please give me the steps how can i proceed.Hi,
The PNP database will take care of authorization check. It will not execute if used does not have authorizations.
Hope this helps. -
Authorizations with PNP and Get Pernr.
We have just noticed an issue with how our custom reports are working in regards to authorizations. Our users have authorization to see Basic Pay infotype information up to the point where an associate becomes an executive. When running our reports the latest salary shows up instead of the last one they are allowed to see or just leaving that field blank. We are using the PNP logical database and Get Pernr. Isn't that supposed to pick up whatever authorization is assigned to the person?
Thanks,
MaryI do not know how you come to this statement. Of course LDB checks ALL HR Authorization defined. This incoporates the personnel administration part as well as the combination to structural authorizations.
However PNP will skip a PERNR if the user has only partial authorization by default. To get also only the restricted data what the user can see you must use the switch PNP_SW_SKIP_PERNR = 'N' at INITIALIZATION point.
Please see the documentation available here:
http://service.sap.com/erp-hcm
On the left side follow the links:
Services for mySAP ERP HCM
Special Documentation
Regards,
Michael -
LDB PNP authorization check authorization object
Hi,
I have used LDB PNP for HR reports.
We are using the authority check also, but the problem is all the records/data for all the people is being read by the report where some of the people data should not have been read as they belong to some other personal area that the role of the executer (user).
Hence it appears that authorization check is not working properly.
Following is how I am using it, Please suggest corrections or alternate way to correct this issue.
rp-provide-from-last p0002 space gwa_outlist-begda
gwa_outlist-begda.
IF pnp-sw-found NE '1' OR
pnp-sw-auth-skipped-record EQ '1'.
EXIT.
ELSE.
ls_tab-vorna = p0002-vorna.
ls_tab-nachn = p0002-nachn.
ENDIF.
Please reply with the corrections ore alterations,
Thanks in advance.
Akash.Hi,
(1)
Actually, if you're wirting report with PNP LDB, you do NOT need to do this hard-coded auth checking at all. Because the LDB abap code behind PNP has already do this job for you.
So all you need to do is to ask you HR consultant or Basis consultant to modify the authority config of certain ROLE with t-code PFCG, and then assign that ROLE to certain user with t-code SU01.
ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
(2)
In some case you do not work with LDB report, then you need to do the authority check by yourself. General function AUTHORITY_CHECK is what you need. AUTHORITY_CHECK do the authority check by means of Authority Object.Belows are authority objects used in HR module(you can also see in PFCG if technial name switched on):
P_ORGIN HR: Master Data
PLOG Personnel Planning
P_PCLX HR: Clusters
P_TCODE HR: Transaction codes
Sample of checking personal area:
CALL FUNCTION 'AUTHORITY_CHECK'
EXPORTING
FIELD1 = ' PERSA'
OBJECT = 'P_ORGIN'
USER = 'SAPSUPPORT1'
VALUE1 = 'Z001'
EXCEPTIONS
USER_DONT_EXIST = 1
USER_IS_AUTHORIZED = 2
USER_NOT_AUTHORIZED = 3
USER_IS_LOCKED = 4
OTHERS = 5.
IF SY-SUBRC NE 2.
MESSAGE E001(01) RAISING AUTH_FAILED.
ENDIF.
Reward if helpful pls! -
LDB PNP authorization check at record level - rp_provide_from_last
hi,
i am using LDB PNP,
I am using macro 'rp-provide-from-last' .
I neeed to place a authorization check so that the user of the program should only be allowed to view records of the people which comes under the same personnel area as of the user of the program.
Can you please guide me on how to implement this?
thanks in advance,
akash.Hi,
(1)
Actually, if you're wirting report with PNP LDB, you do NOT need to do this hard-coded auth checking at all. Because the LDB abap code behind PNP has already do this job for you.
So all you need to do is to ask you HR consultant or Basis consultant to modify the authority config of certain ROLE with t-code PFCG, and then assign that ROLE to certain user with t-code SU01.
ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
(2)
In some case you do not work with LDB report, then you need to do the authority check by yourself. General function AUTHORITY_CHECK is what you need. AUTHORITY_CHECK do the authority check by means of Authority Object.Belows are authority objects used in HR module(you can also see in PFCG if technial name switched on):
P_ORGIN HR: Master Data
PLOG Personnel Planning
P_PCLX HR: Clusters
P_TCODE HR: Transaction codes
Sample of checking personal area:
CALL FUNCTION 'AUTHORITY_CHECK'
EXPORTING
FIELD1 = ' PERSA'
OBJECT = 'P_ORGIN'
USER = 'SAPSUPPORT1'
VALUE1 = 'Z001'
EXCEPTIONS
USER_DONT_EXIST = 1
USER_IS_AUTHORIZED = 2
USER_NOT_AUTHORIZED = 3
USER_IS_LOCKED = 4
OTHERS = 5.
IF SY-SUBRC NE 2.
MESSAGE E001(01) RAISING AUTH_FAILED.
ENDIF.
Reward if helpful pls! -
PNP and Selection Screen 900 and Authorization
We have used the combination of logical db PNP with selection screen 900 to write a few custom payroll reports. We noticed right away that this combination seems to ignore HR authorizations. Meaning, someone could read payroll results for employees they are not authorized to see. We had to add our own authorization checks.
Am I missing something or is something wrong with the 900 selection screen?Hi Kenneth,
The 900 selection screen is for evaluation of Payroll Results. The system checks whether the user who started the evaluation has the correct authorization for this evaluation. Since the data retrieval is from the Payroll Results and not Master data the regular Authorization checks might not be relevant here. Even if the User has no authorization to view the Employee's Master data, he/she might still be able to view the Payroll results via this selection screen if he /she has the evaluation authorization. You are probably right in having to put in your own authorization checks. I hope I am not wrong.
Regards,
Suresh Datti
Message was edited by: Suresh Datti -
Hi Experts,
I am using PNP for the payroll programming.
For the PA data retrival am using PNP (Get pernr) and for payroll data am using FMD(CU_READ_RGDIR, PYXX_READ_PAYROLL_RESULT).
The basis team here has a doubt, how the authorization check is happening and for which authorization objects. I know PNP does default authorization check and the FMD also we can pass those parameters.
Can anyone explain me how it happens internally?
Thank you so much.
Thanks & Regards
Manas NayakHello,
I wanted to have the same information but the link you gave is not working anymore.
My Issue today is the same as discussed above, I'm using CU_READ_RGDIR, PYXX_READ_PAYROLL_RESULT to get payroll result.
But for someone who doesn't have the authorization to read the payroll result for a specific pernr (Eg : when I'm using TSCODE : pc_payslip, the person doesn't see the payroll result of the employee) but using my program he is able to read it. I wanted to know how the authorization check is working ?
Thank you -
guys help me out
i am facing a problem
lets us i am using pnp and in th selection screen given by the pnp
as a user i am entering wrong values that is pernr does not belong to the company code
so how to check it?.
any help would be very usefull
sarangan rhi,
go through these links,
http://www.atomhr.com/know_preview/Reading_Payroll_Results_with_ABAP.htm
http://www.atomhr.com/know_preview/Reading_an_infotype_without_PNP_database.htm
http://www.sap-img.com/abap/list-of-employees-who-have-completed-certain-yrs-of-service.htm
http://www.sapdevelopment.co.uk/programs/custom/zdownempdata.htm
http://www.sapdevelopment.co.uk/programs/custom/zp_postcode.htm
http://www.ct-software.com/reports/ypmlist1.htm
regs,
jaga -
How to use LDB PNP with ABAP objects in a program
Hello,
I am wondering if anybody has used the HR logical database(LDB) PNP with user defined ABAP objects in a program? I am using the FM- <b>LDB_PROCESS</b> but its not working. Also assigning PNP in the attributes section of the program -- so that I can use predefined fields from the LDB and then invoking the FM doesn't work -- throwing 'Logical database already active' error.
I suppose even with the ABAP objects and the new FM -- I should still be able to utilize the pre-defined fields of the PNP database -- and also the built in authorizations. I cannot use GET PERNR and REJECT as they give errors. I understand that the use of HR-macros (RP-PROVIDE-FROM-LAST and et al.) are not allowed as they use the table work area -- which is not allowed in ABAP-OOPS.
I would really appreciate if anyone could show me some insight regarding this. Thank you.
Kshitij R. DevreHi Kshitij
It would be really good if we could use both together. But as I know, it is not possible. "GET pernr." is an event-like loop statement and so cannot be used in OO context. And I guess, the same restriction holds for the "LDB_PROCESS" since it uses LDB-specific processing.
What I suggest you is to use standard and BAPI functions.
Sorry for giving bad news...
*--Serdar
Maybe you are looking for
-
Can u please give me inforamation on SRM flow ?
Hi All, Can u please give me inforamation on SRM flow and shopping cart? and any usefull links or information to find tech information like tables BADI's transactions and where master tables. Thanks for ur time Kiran.
-
hi, i am trying to update a table with following code : try{ stmt.executeUpdate("INSERT into Employee " + "(date,name,jobName,jobCode, startTime, endTime, shift, hours)" + "values('test', 'test','test', 'test','test','test','test','test') "); } catch
-
Oracle FAILSAFE and CVE-2012-1675
Folks, I'm running Oracle 10.2.0.3 {PATCH 29} on Windows32 with Oracle Failsafe 3.4.4.1. I've tried implementing the IPC fix and the dynamic_registration=OFF fix as prescribed and get the listener.log error listed below with either attempt. It doesn'
-
MAC OS 10.5.7 FireWall & Java Socket programing
Hi everyone, I am fighting for few days with a simple problem in vain. I am programming a simple java client-server application based on TCP sockets but I do not manage to open any socket at all due to a "connection refused" problem: In the previous
-
Ho un iMac con sistema operativo mac OS 9.1 e iTunes T-1.0. Ha sempre funzionato egregiamente per circa 5 anni ... improvvisamente mentre era in uso, si è chiusa l'applicazione e a ogni tentativo di riaprirla compare il messaggio: " La libreria iTune