I have created a new SAP Authorization role (Role-1) via PFCG, which allows the user only to View/ Display all countries’ data of 3 InfoTypes only (Actions (0000), Org Assignment (0001), Pers. Data(0002)). The user also has an Existing role (Role-2) which allows him to access and CHANGE all records including Basic Pay records of UK only.
While testing when I use Role-1 on its own, it works perfectly (Displays only IT 0000, 0001, 0002 data, Basic pay data is not displayed in any SAP reports). When I use it in conjunction with Role-2, it works well under PA screens (displays Basic Pay records of UK only).
However when I run SAP reports, Basic pay records of not only UK but all countries are pulled through.
Also, under PPOME, the user is able to delete some Non-UK positions, OrgUnits and relationships if there are no employees assigned to them.
The Authorizations of both the roles are as below:
Role-1:
HR: Master Data
Authorization level M, R
Company Code *
Infotype 0000, 0001, 0002
Personnel Area *
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key *
Role-2 (Existing):
HR: Master Data
Authorization level *
Company Code UK
Infotype *
Personnel Area UK
Employee Group *
Employee Subgroup *
Subtype *
Organizational Key *
I would ideally want the user not to be able to view any non-UK Basic Pay records and also not be able to touch the Non-UK OrgStructure at all. How does SAP evaluate these roles, when used together?
Is there a hierarchy which is followed to evaluate the user’s access rights? Or is there a different Authorization that needs to be used for SAP reports? Or am I missing something?
Many Thanks,
Desma