A user attempts to call an employee’s infotype record. As a result, the authorization check is called using the following parameters:

Parameter | Meaning
LEVEL     | Authorization Level
TCLAS     | Transaction Class (distinguishes Personnel Number from Applicant Number)
PERNR     | Personnel Number (or Applicant Number)
INFTY     | Infotype
SUBTY     | Subtype
The BEGDA and ENDDA parameters are not needed as the user’s current assignment to a personnel number is always evaluated. As soon as the system recognizes that a personnel number belongs to a user, the data is differentiated using only the infotype/subtype parameter. A differentiation based on time does not take place.
The system performs the following steps of the authorization check, in this order:

1. The transaction class is evaluated. If the check is on an applicant number, the check is ended with the result undecided.
2. The PERNR authorization main switch is evaluated. If the switch is deactivated, the check is ended with the result undecided.
3. The personnel number belonging to the user is determined (in the standard system from infotype 0105, subtype 0001; in earlier releases from table T513A User Values).
4. If this personnel number does not match the personnel number to be checked, or if no personnel number is found, the check is ended with the result undecided. (This is why authorization settings for the P_PERNR authorization object can never affect the authorization check by personnel number for personnel numbers that are not assigned to the user.)
5. An authorization check is performed for the P_PERNR authorization object:
   AUTHORITY-CHECK OBJECT 'P_PERNR'
     ID 'AUTHC' FIELD LEVEL
     ID 'PSIGN' FIELD '*'
     ID 'INFTY' FIELD INFTY
     ID 'SUBTY' FIELD SUBTY.
   If this check is successful (SY-SUBRC = 0), the outcome is authorized.
6. A second authorization check is performed for the P_PERNR authorization object:
   AUTHORITY-CHECK OBJECT 'P_PERNR'
     ID 'AUTHC' FIELD LEVEL
     ID 'PSIGN' FIELD 'E'
     ID 'INFTY' FIELD INFTY
     ID 'SUBTY' FIELD SUBTY.
   If this check is successful (SY-SUBRC = 0), the outcome is not authorized.
7. A third authorization check is performed for the P_PERNR authorization object:
   AUTHORITY-CHECK OBJECT 'P_PERNR'
     ID 'AUTHC' FIELD LEVEL
     ID 'PSIGN' FIELD 'I'
     ID 'INFTY' FIELD INFTY
     ID 'SUBTY' FIELD SUBTY.
   If this check is successful (SY-SUBRC = 0), the outcome is authorized.
8. If none of the checks performed were successful, the outcome is undecided.
Note
The check using P_PERNR with PSIGN = * was not carried out in earlier releases. A user with * authorization for P_PERNR in the PSIGN field was therefore always denied access, because the * value also satisfies the PSIGN = E check. This meant, amongst other things, that users with full authorizations were unable to access their own personnel number during active authorization checks by personnel number.
Why not, then, simply swap the order of the PSIGN = E and PSIGN = I checks? A user with both E and I authorization would at the same time be permitted and forbidden to access his or her own personnel number. Since the system cannot interpret this in a meaningful way, it must deny the authorization according to the strategy "when in doubt, no authorization", which is why the E check has to come before the I check and rules out swapping them. The additional PSIGN = * check was introduced instead, so that users with SAP_ALL authorization always have the authorization to access their own personnel numbers.
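The following Python model replays the decision sequence above (steps 1 to 8) together with the edge cases the Note discusses: a user holding PSIGN = * on an old release versus the current sequence, and a user holding both E and I. It is an added example, not SAP code: the authorization store, the user records and the personnel numbers are constructed sample data, the TCLAS values 'A' (personnel number) and 'B' (applicant number) are an assumption, and matching is simplified to "exact value or *" per field within a single authorization instance.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

AUTHORIZED, NOT_AUTHORIZED, UNDECIDED = "authorized", "not authorized", "undecided"

# Transaction class values (assumption: 'A' = personnel number, 'B' = applicant number).
TCLAS_PERNR, TCLAS_APPLICANT = "A", "B"


@dataclass
class Authorization:
    """One P_PERNR authorization instance. Each field holds the allowed values;
    '*' stands for 'any value'. All four fields must match within the same instance."""
    authc: Set[str]
    psign: Set[str]
    infty: Set[str]
    subty: Set[str]

    @staticmethod
    def _match(allowed: Set[str], value: str) -> bool:
        return "*" in allowed or value in allowed

    def covers(self, authc: str, psign: str, infty: str, subty: str) -> bool:
        return (self._match(self.authc, authc) and self._match(self.psign, psign)
                and self._match(self.infty, infty) and self._match(self.subty, subty))


@dataclass
class User:
    name: str
    own_pernr: Optional[str]                      # from infotype 0105 subtype 0001, None if not maintained
    p_pernr: List[Authorization] = field(default_factory=list)

    def authority_check(self, authc: str, psign: str, infty: str, subty: str) -> bool:
        """Models AUTHORITY-CHECK OBJECT 'P_PERNR': True where SY-SUBRC would be 0."""
        return any(a.covers(authc, psign, infty, subty) for a in self.p_pernr)


def check_p_pernr(user: User, level: str, tclas: str, pernr: str, infty: str, subty: str,
                  main_switch_on: bool = True, star_check: bool = True) -> str:
    """Steps 1-8 from the text. star_check=False reproduces the earlier release
    that skipped the PSIGN = '*' check."""
    if tclas == TCLAS_APPLICANT:                       # step 1
        return UNDECIDED
    if not main_switch_on:                             # step 2
        return UNDECIDED
    if user.own_pernr is None or user.own_pernr != pernr:   # steps 3 and 4
        return UNDECIDED
    if star_check and user.authority_check(level, "*", infty, subty):   # step 5
        return AUTHORIZED
    if user.authority_check(level, "E", infty, subty):                  # step 6: E wins over I
        return NOT_AUTHORIZED
    if user.authority_check(level, "I", infty, subty):                  # step 7
        return AUTHORIZED
    return UNDECIDED                                                    # step 8


def sample_outcomes() -> dict:
    """Constructed users and requests; returns scenario name -> outcome."""
    full = User("SAP_ALL-like", "00001000", [Authorization({"*"}, {"*"}, {"*"}, {"*"})])
    excluded = User("E on own 0008", "00001001", [Authorization({"*"}, {"E"}, {"0008"}, {"*"})])
    included = User("I read-only", "00001002", [Authorization({"R"}, {"I"}, {"*"}, {"*"})])
    both = User("E and I", "00001003", [Authorization({"*"}, {"E"}, {"0008"}, {"*"}),
                                         Authorization({"*"}, {"I"}, {"*"}, {"*"})])
    return {
        "full_own": check_p_pernr(full, "R", TCLAS_PERNR, "00001000", "0008", "0"),
        "full_own_old_release": check_p_pernr(full, "R", TCLAS_PERNR, "00001000", "0008", "0",
                                              star_check=False),
        "full_other_pernr": check_p_pernr(full, "R", TCLAS_PERNR, "00009999", "0008", "0"),
        "excluded_own_0008": check_p_pernr(excluded, "R", TCLAS_PERNR, "00001001", "0008", "0"),
        "excluded_own_0002": check_p_pernr(excluded, "R", TCLAS_PERNR, "00001001", "0002", "0"),
        "included_read": check_p_pernr(included, "R", TCLAS_PERNR, "00001002", "0002", "0"),
        "included_write": check_p_pernr(included, "W", TCLAS_PERNR, "00001002", "0002", "0"),
        "both_e_and_i_0008": check_p_pernr(both, "R", TCLAS_PERNR, "00001003", "0008", "0"),
        "both_e_and_i_0002": check_p_pernr(both, "R", TCLAS_PERNR, "00001003", "0002", "0"),
        "applicant": check_p_pernr(full, "R", TCLAS_APPLICANT, "00001000", "0008", "0"),
        "switch_off": check_p_pernr(full, "R", TCLAS_PERNR, "00001000", "0008", "0",
                                    main_switch_on=False),
    }


if __name__ == "__main__":
    for scenario, outcome in sample_outcomes().items():
        print(f"{scenario:22s} -> {outcome}")
```

Two things worth noticing in the output: the `full_own_old_release` scenario reproduces the Note's complaint (a `*` authorization satisfies the E check, so without step 5 the SAP_ALL-like user is denied on its own record), and `both_e_and_i_0008` shows that E is evaluated before I, so conflicting E and I authorizations on the same infotype resolve to "not authorized". Every outcome of "undecided" hands the decision to the other HR authorization objects; P_PERNR alone never grants access to a personnel number other than the user's own.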
See also: