Anyone know if there is a way of restrict the access to HR data by payroll area?
As delivered by SAP, Only in certain tcodes with authorization object
If you want to make it a a pre-condition for master data you will have to activate the customer defined auth object and control this as one of the fileds.
A close equivalent is Employee group and Employee sub-group which is controlled with P_ORGIN.
How can I activate the customer defined auth object?
1. Create the authorization object to be user, NOote: it is Highly recommended
you create it to REPLACE P_ORGIN if the access is to be limiteed as a VALUE-SET
with fields in P_ORGIN. If not you will be giving access to users
you do not intend.
2. Turn on the Customer object in tcode OOAC record AUTSW NNNNN; change the 0 to 1.
3.run program RPUACG00 to load the code used to check the authority.
The custom authorization object can contain any field in infotype 0001
Where can I create a customer authorization object? Our relese is 45B.
I can't find either tcode OOAC.
Create the customer Authorization object in transaction SU21,
OOAC is not available in 4.5 you will have to read the docuentationof the autorization object P_ORGIN and drill down and you will see reference to an include you must modify to activate the exit. it is something like MSAUTH0(?) SAP fixed this in 4.6 so it is a config table, in prior versions it is a code "fix"
Why don't you just use the Org Key field in P_orgin? can define combination of fields from IT0001 (incl payroll area..i believe) as an auth field.
Return to :-
SAP Hints and Tips on Configuration and ABAP/4 Programming