Process of the Authorization Check by Personnel Number
Call Parameters
A user attempts to call an employee’s infotype record. As a result, the authorization check is called using the following parameters:
LEVEL |
Authorization Level |
TCLAS |
Transaction Class = Difference Personnel Number/Applicant Number |
PERNR |
Personnel Number (or Applicant Number) |
INFTY |
Infotype |
SUBTY |
Subtype |
The
BEGDA and ENDDA parameters are not needed as the user’s current assignment to a personnel number is always evaluated. As soon as the system recognizes that a personnel number belongs to a user, the data is differentiated using only the infotype/subtype parameter. A differentiation based on time does not take place.Process Flow
The system performs all the following steps of the authorization check.
AUTHORITY-CHECK OBJECT 'P_PERNR'
ID 'AUTHC' FIELD LEVEL
ID 'PSIGN' FIELD '*'
ID 'INFTY' FIELD INFTY
ID 'SUBTY' FIELD SUBTY.
AUTHORITY-CHECK OBJECT 'P_PERNR'
ID 'AUTHC' FIELD LEVEL
ID 'PSIGN' FIELD 'E'
ID 'INFTY' FIELD INFTY
ID 'SUBTY' FIELD SUBTY.
AUTHORITY-CHECK OBJECT 'P_PERNR'
ID 'AUTHC' FIELD LEVEL
ID 'PSIGN' FIELD 'I'
ID 'INFTY' FIELD INFTY
ID 'SUBTY' FIELD SUBTY.
The check using P_PERNR with
Why not, therefore, simply switch the check to
PSIGN E or I? A user with E and I authorization should be able to access and unable to access his or her own personnel number. Since the system cannot interpret this in a meaningful way, it should deny the authorization according to the strategy "when in doubt, no authorization". This immediately rules out switching the E and I checks. The additional PSIGN = * checks were introduced to ensure that users with SAP_ALL authorization always have the authorization to access their own personnel numbers.See also:
Flowchart of the Authorization Check by Personnel Number