Time-Dependency of the Authorization Check

Use
When an employee undergoes an organizational change, you may want to assign him or her
infotype authorizations based on the duration of the organizational assignment. To do so, you
can run authorization checks based on a data record’s history.
Example: At the start of the year, an employee changes from personnel area 0101 to
personnel area 0102. The administrator responsible for processing the employee’s
personal data in the second personnel area is different from the administrator in the
first personnel area. You might want to prevent the administrator who was
responsible for the employee in the previous year from accessing data that is
entered in certain infotypes in the current year. In this case, you can set up the
access authorization for infotype data so that it is dependent on the history of data
records in the employee’s organizational assignment.

Prerequisites
If you want to carry out a time-dependent authorization check, set the corresponding indicator in the Indicator for access authorization field (T582A-VALDT) in the Infotype: Customer Specific Settings table (T582A).

Features
The procedure is as follows:

There are three possible cases:
a) The administrator’s period of responsibility for the employee starts in the future.
If the administrator has write authorization for the relevant infotype/subtype, it is
extended to all infotype records that are valid within the period of responsibility. Read
authorization exists for infotype records that have the same validity period as the period
of responsibility, or that precede the period of responsibility.
b) The period of responsibility starts before the current date. However, the end of the period
of responsibility does not exceed the maximum specified tolerance before the current
date.
In this case, a write or read authorization is extended over all periods. In other words,
there are no restrictions for this administrator in terms of the validity period of the
relevant infotype records.
The tolerance time concept ensures that an administrator can still access the data of an
employee who is no longer within his/her responsibility, for a limited period of time. This
means that the administrator still has the opportunity to close any open issues once the
person has moved.
c) The period of responsibility ends in the past. Even the end that was adjusted to the
tolerance time is before the current date.
In this case, the administrator has no write authorization. Read authorization exists for
infotype records that have the same validity period as the period of responsibility.

One thought on “Time-Dependency of the Authorization Check

Leave a Reply

Your email address will not be published. Required fields are marked *