I learn few things in my experiences implementing SAP HR. One of them is that security matters! So I'm gonna make a series of posts about security in SAP HR.
The first one is about authorization object Personnel Number Check. It is an authorization object in SAP that can be used to assign user a different type of authorization when maintaining their own personnel number.
For the official SAP documentation, you can find it here.
To maintain this authorization object, you have to do in both master data and role maintenance.
Master Data
You have to store the payroll admin's user ID in Infotype Communications (0105), Subtype System User name (0001). Make sure you type correctly, because -unfortunately- it's a free text field in which you can type anything you want and SAP doesn't check if there's any user ID using that name.
Role Authorization
Go to PFCG, choose role you want to change, and Edit the authorization. Create authorization object P_PERNR.
Picture 1 |
In the Picture 1, I am limiting user ID for accessing IT0014.
This user cannot do 4 kinds of operation to all subtypes in IT0014 : Write (W), Change Lock Indicator (D), Create and Change Locked Records (E), and Read Access to Entry Helps (M).
However, I still allow him/her to read the data.
#)You can find more comprehensive documentation about authorization level in SAP help page.
The last step is to assign your role to the user ID. And don't forget to click User Comparison, until the red flag turning yellow. Otherwise, the updated role will not be read in User ID.
To give you end-to-end process guidance, you can see in video below. Enjoy.. :)
Until the next series of security matters..
Regards,
Gana
No comments:
Post a Comment