Re: [sap-security] Restriction on Employee Group not working
Posted by
Admin at
|
Share this post:
|
|
0 Comments
 | Posted by Sonia (Sap Basis and Securiy Analyst) on Feb 8 at 7:46 PM |  Mark as helpful |
Hi,
You say that u are not implementing structural auth profile,then why context
security?
User has 1 & 2 objects
1. P_ORGINCON (restriction on EG1)
AUTHC:*
INFTY: 0000 - 0006
PERSA:*
PERSG: 2-9
PERSK:*
PROFL*
SUBTY:*
VDSK1:*
2.P_ORGINCON (restriction on EG2)
AUTHC:*
INFTY: 0000 - 0006
PERSA:*
PERSG: 10 - 15
PERSK:*
PROFL*
SUBTY:*
VDSK1:*
if this is a case then user has over riding auth ie he will have access to
(2 to 9 and 10 to 15).
Another workaround shall be create two differents users - it will work ( but
disadvantage is two many user to map in org structure)
or
You need to have two Prof1 & Prof2 so that with single user it will work.
P_ORGINCON
AUTHC:*
INFTY: 0000 - 0006
PERSA:*
PERSG: 2-9
PERSK:*
PROFL : PROF1
SUBTY:*
VDSK1:*
P_ORGINCON
AUTHC:*
INFTY: 0000 - 0006
PERSA:*
PERSG: 2-9
PERSK:*
PROFL : PROF2
SUBTY:*
VDSK1:*
Finally : time dependency of infotype (0001) is stored in table T582A in the
VALDT field. this should solve your issue.
Thank you,
Sonia
On Mon, Feb 8, 2010 at 6:15 PM, Sonia via sap-security <
sap-security@groups.ittoolbox.com> wrote:
>
> Posted by Sonia (Sap Basis and
> Securiy Analyst)
> on Feb 8 at 6:17 PM
>
> Hi,
> How does the user assignment change from EG1 to EG2 when u are not using
> structional auth profile?
> Then you should have two roles one restriction on Personnel group EG1 and
> another on personnel group EG2.
> Thank you,
> Sonia
> On Mon, Feb 8, 2010 at 5:53 PM, Sonia via sap-security <
> sap-security@groups.ittoolbox.com> wrote:
> >
> > Posted by Sonia (Sap Basis and
> > Securiy Analyst)
> > on Feb 8 at 6:01 PM
> >
> > HI,
> > Refer to change document thru SUIM.
> > PROFILE assigned to user are determined from table T77Ua (context purpose
>
> > is to enable both structural and general auth together).
> > Thank you,
> > Sonia
> > On Mon, Feb 8, 2010 at 10:52 AM, saphr_py via sap-security <
> > sap-security@groups.ittoolbox.com> wrote:
> > >
> > > Posted by saphr_py (consultant)
> > > on Feb 8 at 10:55 AM
> > >
> > > Hi Sonia,
> > >
> > > Many thanks for the reply. PROFL is * and dont change because we are
> not
> > > using structiral profile for this role, the * is a default entry. I
> have
> > > tried to log off and log in again but to no avail. It is really strange
>
> > > because this is standard. I have also checked in the time contrants
> table
> >
> > > V_T582A and everythign is configured correctl.
> > >
> > > Your help will be greatly appreciated
> > >
> > > ---------------Original Message---------------
> > > From: Sonia
> > > Sent: Monday, February 08, 2010 10:20 AM
> > > Subject: Restriction on Employee Group not working
> > >
> > > > Hi,<br/>Extended check with context<br/>Since the infotype has time
> > > dependent specification. an auth may exist for<br/>certain period of
> > > time.<br/>Check the time interval (since all these fields are filled
> > > automatically<br/>from org assignment infotype (0001)).<br/><br/>2.
> What
> > > about the PROFL : * ? (when the user assignment changes from EG1<br/>to
>
> > EG2
> > > the profl should also change).<br/>PROFL - used to determine which
> > > structural profile the user will access.<br/>When it changes from EG1
> to
> > EG2
> > > / profile should also change.<br/>EG1 should have profil 1<br/>EG2
> should
> >
> > > have Prof 2<br/>Finally : try to Log off / Log in to the
> system<br/>Thank
> >
> > > you,<br/>Sonia
__.____._ You say that u are not implementing structural auth profile,then why context
security?
User has 1 & 2 objects
1. P_ORGINCON (restriction on EG1)
AUTHC:*
INFTY: 0000 - 0006
PERSA:*
PERSG: 2-9
PERSK:*
PROFL*
SUBTY:*
VDSK1:*
2.P_ORGINCON (restriction on EG2)
AUTHC:*
INFTY: 0000 - 0006
PERSA:*
PERSG: 10 - 15
PERSK:*
PROFL*
SUBTY:*
VDSK1:*
if this is a case then user has over riding auth ie he will have access to
(2 to 9 and 10 to 15).
Another workaround shall be create two differents users - it will work ( but
disadvantage is two many user to map in org structure)
or
You need to have two Prof1 & Prof2 so that with single user it will work.
P_ORGINCON
AUTHC:*
INFTY: 0000 - 0006
PERSA:*
PERSG: 2-9
PERSK:*
PROFL : PROF1
SUBTY:*
VDSK1:*
P_ORGINCON
AUTHC:*
INFTY: 0000 - 0006
PERSA:*
PERSG: 2-9
PERSK:*
PROFL : PROF2
SUBTY:*
VDSK1:*
Finally : time dependency of infotype (0001) is stored in table T582A in the
VALDT field. this should solve your issue.
Thank you,
Sonia
On Mon, Feb 8, 2010 at 6:15 PM, Sonia via sap-security <
sap-security@groups.ittoolbox.com> wrote:
>
> Posted by Sonia (Sap Basis and
> Securiy Analyst)
> on Feb 8 at 6:17 PM
>
> Hi,
> How does the user assignment change from EG1 to EG2 when u are not using
> structional auth profile?
> Then you should have two roles one restriction on Personnel group EG1 and
> another on personnel group EG2.
> Thank you,
> Sonia
> On Mon, Feb 8, 2010 at 5:53 PM, Sonia via sap-security <
> sap-security@groups.ittoolbox.com> wrote:
> >
> > Posted by Sonia (Sap Basis and
> > Securiy Analyst)
> > on Feb 8 at 6:01 PM
> >
> > HI,
> > Refer to change document thru SUIM.
> > PROFILE assigned to user are determined from table T77Ua (context purpose
>
> > is to enable both structural and general auth together).
> > Thank you,
> > Sonia
> > On Mon, Feb 8, 2010 at 10:52 AM, saphr_py via sap-security <
> > sap-security@groups.ittoolbox.com> wrote:
> > >
> > > Posted by saphr_py (consultant)
> > > on Feb 8 at 10:55 AM
> > >
> > > Hi Sonia,
> > >
> > > Many thanks for the reply. PROFL is * and dont change because we are
> not
> > > using structiral profile for this role, the * is a default entry. I
> have
> > > tried to log off and log in again but to no avail. It is really strange
>
> > > because this is standard. I have also checked in the time contrants
> table
> >
> > > V_T582A and everythign is configured correctl.
> > >
> > > Your help will be greatly appreciated
> > >
> > > ---------------Original Message---------------
> > > From: Sonia
> > > Sent: Monday, February 08, 2010 10:20 AM
> > > Subject: Restriction on Employee Group not working
> > >
> > > > Hi,<br/>Extended check with context<br/>Since the infotype has time
> > > dependent specification. an auth may exist for<br/>certain period of
> > > time.<br/>Check the time interval (since all these fields are filled
> > > automatically<br/>from org assignment infotype (0001)).<br/><br/>2.
> What
> > > about the PROFL : * ? (when the user assignment changes from EG1<br/>to
>
> > EG2
> > > the profl should also change).<br/>PROFL - used to determine which
> > > structural profile the user will access.<br/>When it changes from EG1
> to
> > EG2
> > > / profile should also change.<br/>EG1 should have profil 1<br/>EG2
> should
> >
> > > have Prof 2<br/>Finally : try to Log off / Log in to the
> system<br/>Thank
> >
> > > you,<br/>Sonia
Copyright © 2010 Toolbox.com and message author.
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251
SoniaSAP Security Enthusiast
Contributed 100 posts in a group to earn a Bronze Achievement
Related Content
In the Spotlight
White Papers
In the Spotlight
Earn Recognition for Your Contributions at Toolbox for IT. Gain Points for Community Achievements
View this thread online
Manage group e-mails
Create an FAQ on this topic
Tell us what you think
Unsubscribe from discussion
Manage group e-mails
Create an FAQ on this topic
Tell us what you think
Unsubscribe from discussion
_.____.__ 
