HR Authorization restriction

Question: Hi

We are currently implementing HR in our company; we are in the process of creating the roles. We have encountered a problem when trying to restrict the user to specific groups, subgroups, organizational key, etc.

The following is what the P_ORGINCON object looks like:

Manually HR: Master Data with Context T-RD06064100

Authorization level M, R, W AUTHC
Infotype 0000-0002, 0006-0009, 0011, 0014-0015, 0019, 0021, 0023-0024, 0040-004<...> INFTY
Personnel Area * PERSA
Employee Group 1 PERSG
Employee Subgroup 01-07, 10-12 PERSK
Authorization Profile * PROFL
Subtype * SUBTY
Organizational Key 1000PPHY* VDSK1

Manually HR: Master Data with Context T-RD06064101

Authorization level M, R AUTHC
Infotype 0003, 0005, 0010, 0016, 0026-0027, 0032, 0049, 0052, 0078, 0083, 0230,<...> INFTY
Personnel Area * PERSA
Employee Group 1 PERSG
Employee Subgroup 01-07, 10-12 PERSK
Authorization Profile * PROFL
Subtype * SUBTY
Organizational Key 1000PPHY* VDSK1

Manually HR: Master Data with Context T-RD06064102

Authorization level M, R, W AUTHC
Infotype 0045, 0139 INFTY
Personnel Area * PERSA
Employee Group 1 PERSG
Employee Subgroup 01-07, 10-12 PERSK
Authorization Profile * PROFL
Subtype 9001-9007, 9020-9033 SUBTY
Organizational Key 1000PPHY* VDSK1

Manually HR: Master Data with Context T-RD06064103

Authorization level M, R, W AUTHC
Infotype 2006 INFTY
Personnel Area * PERSA
Employee Group 1 PERSG
Employee Subgroup 01-07, 10-12 PERSK
Authorization Profile * PROFL
Subtype 20, 40-44 SUBTY
Organizational Key 1000PPHY* VDSK1


This is taken from one of the derived roles. While testing the role and running transaction PT60 we receive an authorization error:

Object P_ORGINCON HR: Master Data with Context
Object class HR Human Resources

Field                    Value
Authorization level      R
Infotype                 2006
Personnel Area           *
Employee Group           *
Employee Subgroup        *
Authorization Profile    *
Subtype                  20
Organizational Key       *


It seems like it wants access to all employee groups, subgroups, and organizational key. When we give it the full access it of course works, but it is not a solution, because the users need to be restricted.

What are we missing?

Thanks
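Added example, not part of the original thread and not SAP code: a simplified Python model that compares the failed SU53 check above with authorization T-RD06064103 from the role and lists the fields the role does not cover. The field values are copied from the post; the function names and the matching rules (single value, low-high range, trailing-* pattern, and a checked * satisfied only by a granted *) are assumptions.

```python
# Added example: simplified model of matching an SU53 check against role values.
# Values are copied from the post; the matching rules are an assumption, not SAP code.

def value_ok(checked, granted):
    """True if one checked value is covered by a comma-separated grant list."""
    for item in (g.strip() for g in granted.split(",")):
        if item == "*":
            return True                      # full authorization
        if checked == "*":
            continue                         # assumption: only '*' satisfies a '*' check
        if item.endswith("*") and checked.startswith(item[:-1]):
            return True                      # generic pattern, e.g. 1000PPHY*
        if "-" in item:
            low, high = item.split("-", 1)
            if len(checked) == len(low) and low <= checked <= high:
                return True                  # range, e.g. 40-44
        elif checked == item:
            return True                      # single value
    return False

def failing_fields(check, auth):
    """Fields of the SU53 check that this authorization does not cover."""
    return [f for f, v in check.items() if not value_ok(v, auth[f])]

# Authorization T-RD06064103 from the derived role (as posted).
ROLE_AUTH = {"AUTHC": "M, R, W", "INFTY": "2006", "PERSA": "*", "PERSG": "1",
             "PERSK": "01-07, 10-12", "PROFL": "*", "SUBTY": "20, 40-44",
             "VDSK1": "1000PPHY*"}

# Failed check reported by SU53 after PT60 (as posted).
SU53_CHECK = {"AUTHC": "R", "INFTY": "2006", "PERSA": "*", "PERSG": "*",
              "PERSK": "*", "PROFL": "*", "SUBTY": "20", "VDSK1": "*"}

if __name__ == "__main__":
    print("Fields not covered:", failing_fields(SU53_CHECK, ROLE_AUTH))
```

Under these assumptions the authorization level, infotype and subtype are covered, and only the three restricted organizational fields fail.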

Answer:
This may not be the authorization failure that is causing the problem. SAP HR performs a large number of checks before the program stops and tells you you are not authorized. This SU53 may be the last failure, which is what SU53 reports; it may not be the one that stops the code.

If it is correct then contact SAP.

Answer:
I have been struggling with a similar problem in our 4.7 system for some time: Is the employee you are accessing through PT60 on the default position (99999999) or indeed a default Org key? We were being asked for cross system auths whenever an employee was on the default position. Had to play around with the HR central authorisation switches - Table T77S0 t_code OOAC.

As John says this SU53 will be one of many - run the failing user through the process again while tracing it in ST01.

Answer:
The employee is not on a default position or a default org key, and I did trace the process but nothing significant comes up on the trace.

Answer:
Do you have structural authorization profiles assigned?
If so, it could be an error on something that is defined outside of the allowed range. I have seen this error many times before, and it usually results in a code change. If you run the trace again, but add SAPALL to the user id, you will know if it is an authorization error if:
the error does not occur with SAP all assigned.
you can get further than you did before you had SAP ALL assigned.

If you get the error even with SAP ALL assigned, I would contact SAP, or ask ABAP for some debugging help.

Answer:
I have exactly the same problem.

It is an authorization problem with object P_ORGINCON. When I try this without context-sensitive authorization, it works fine.
