Time-Dependency of the Authorization Check  

Use

When an employee undergoes an organiz ational change, you may want to assign him or her infotype authorizations based on the duration of the organizational assignment. To do so, you can run authorization checks based on a data record's history.

At the start of the year, an employee changes from personnel area 0101 to personnel area 0102. The administrator responsible for processing the employee's personal data in the second personnel area is different from the administrator in the first personnel area. You might want to prevent the administrator who was responsible for the employee in the previous year from accessing data that is entered in certain infotypes in the current year. In this case, you can set up the access authorization for infotype data so that it is dependent on the history of data records in the employee’s organizational assignment.

Prerequisites

If you want to carry out a time-dependent authorization check, set the corresponding indicator in the Indicator for access authorization field (T582A-VALDT) in the Infotype: Customer Specific Settings table (T582A).

Features

The procedure is as follows:

There are three possible cases:

  1. The administrator’s period of responsibility for the employee starts in the future.

    2. If the administrator has write authorization for the relevant infotype/subtype, it is extended to all infotype records that are valid within the period of responsibility. Read authorization exists for infotype records that have the same validity period as the period of responsibility, or that precede the period of responsibility.

  2. The period of responsibility starts before the current date. However, the end of the period of responsibility does not exceed the maximum specified tolerance before the current date.

    3. In this case, a write or read authorization is extended over all periods. In other words, there are no restrictions for this administrator in terms of the validity period of the relevant infotype records.

    The tolerance time concept ensures that an administrator can still access the data of an employee who is no longer within his/her responsibility, for a limited period of time. This means that the administrator still has the opportunity to close any open issues once the person has moved.

  3. The period of responsibility ends in the past. Even the end that was adjusted to the tolerance time is before the current date.

In this case, the administrator has no write authorization. Read authorization exists for infotype records that have the same validity period as the period of responsibility.

See also:

Technical Aspects of Authorization Checks