Time-Dependency of the Authorization Check

Monday, April 06, 2009


Use

When an employee undergoes an organizational change, you may want to assign him or her infotype authorizations based on the duration of the organizational assignment. To do so, you can run authorization checks based on a data record's history.



Example: At the start of the year, an employee changes from personnel area 0101 to personnel area 0102. The administrator responsible for processing the employee's personal data in the second personnel area is different from the administrator in the first personnel area. You might want to prevent the administrator who was responsible for the employee in the previous year from accessing data that is entered in certain infotypes in the current year. In this case, you can set up the access authorization for infotype data so that it is dependent on the history of data records in the employee’s organizational assignment.




Prerequisites

If you want to carry out a time-dependent authorization check, set the corresponding indicator in the Indicator for access authorization field (T582A-VALDT) in the Infotype: Customer Specific Settings table (T582A).



Features

The procedure is as follows:



There are three possible cases:

a) The administrator’s period of responsibility for the employee starts in the future.

If the administrator has write authorization for the relevant infotype/subtype, it is extended to all infotype records that are valid within the period of responsibility. Read authorization exists for infotype records that have the same validity period as the period of responsibility, or that precede the period of responsibility.

b) The period of responsibility starts before the current date. However, the end of the period of responsibility does not exceed the maximum specified tolerance before the current date.

In this case, a write or read authorization is extended over all periods. In other words, there are no restrictions for this administrator in terms of the validity period of the relevant infotype records.

The tolerance time concept ensures that an administrator can still access the data of an employee who is no longer within his/her responsibility, for a limited period of time. This means that the administrator still has the opportunity to close any open issues once the person has moved.

c) The period of responsibility ends in the past. Even the end that was adjusted to the tolerance time is before the current date.

In this case, the administrator has no write authorization. Read authorization exists for infotype records that have the same validity period as the period of responsibility.
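The three cases above, modelled as a decision function and applied to the personnel area 0101/0102 example; this is an added illustration, not SAP code and not part of the original page. The function names, the 15-day tolerance, the sample dates, and the reading of "valid within" as containment and "same validity period" as overlap are assumptions.

```python
from datetime import date, timedelta

HIGH_DATE = date(9999, 12, 31)  # open-ended validity (assumed convention)

def classify(resp_begin, resp_end, today, tolerance_days):
    """Map a period of responsibility to case 'a', 'b' or 'c' from the text."""
    if resp_begin > today:
        return "a"  # responsibility starts in the future
    # Clamp the tolerance so an open-ended period cannot overflow date.max.
    days = min(tolerance_days, (date.max - resp_end).days)
    if resp_end + timedelta(days=days) >= today:
        return "b"  # current, or ended no longer ago than the tolerance
    return "c"      # ended, and the tolerance has elapsed too

def is_allowed(level, rec, resp, today, tolerance_days):
    """level: 'R' or 'W', already held for the infotype/subtype.
    rec, resp: inclusive (begin, end) date pairs."""
    (rec_begin, rec_end), (resp_begin, resp_end) = rec, resp
    case = classify(resp_begin, resp_end, today, tolerance_days)
    # Assumed readings: "valid within" = containment, "same validity period" = overlap.
    within = resp_begin <= rec_begin and rec_end <= resp_end
    overlaps = rec_begin <= resp_end and rec_end >= resp_begin
    precedes = rec_end < resp_begin
    if case == "b":
        return True  # no restriction on the record's validity period
    if case == "a":
        return within if level == "W" else (overlaps or precedes)
    return level == "R" and overlaps  # case c: never write

# Constructed data for the page's example: move from 0101 to 0102 on 2009-01-01.
OLD_ADMIN = (date(2008, 1, 1), date(2008, 12, 31))
NEW_ADMIN = (date(2009, 1, 1), HIGH_DATE)
REC_2008 = (date(2008, 3, 1), date(2008, 12, 31))
REC_2009 = (date(2009, 1, 1), HIGH_DATE)
TOLERANCE_DAYS = 15  # constructed value

def access_matrix(today):
    """Return {(admin, record): 'RW' | 'R' | ''} for the constructed data."""
    admins = {"old": OLD_ADMIN, "new": NEW_ADMIN}
    records = {"2008": REC_2008, "2009": REC_2009}
    return {(a, r): "".join(lv for lv in "RW"
                            if is_allowed(lv, rec, resp, today, TOLERANCE_DAYS))
            for a, resp in admins.items() for r, rec in records.items()}

if __name__ == "__main__":
    for day in (date(2008, 12, 1), date(2009, 1, 10), date(2009, 4, 6)):
        print(day, access_matrix(day))
```

With these constructed dates, the former administrator keeps unrestricted access through 15 January 2009 and afterwards can only read the 2008 record.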
