SAP Security Online!
 
HR Security

SAP HR Asymmetrical Double Verification

  • In this procedure, two users are always required to be able to create or change an infotype's data. Here, the users do not have the same authorizations, which is why the process is called asymmetrical. User A is granted authorizations with the authorization level E (enqueue), R (read) and M (match code) for the P_ORGIN (or P_ORGXX) authorization object instead of complete write authorizations (authorization level W or *). These authorizations allow the user to create, change or delete locked records only.
  • User B is granted authorizations with the authorization level D (dequeue), R and M for the authorization object P_ORGIN (or P_ORGXX) instead of complete write authorizations. These authorizations allow the user to unlock locked records (or lock unlocked records) only.
  • New data is entered by user A and unlocked by user B. Existing data can be changed in two ways: User B locks the data, user A changes the data, and user B unlocks the data again. Alternatively, user A creates a locked copy from the unlocked data and changes this copy. User B then unlocks the data. To delete unlocked data, user B locks the data which is then deleted by user A.
  • In this process, user A is always responsible for entering and changing data and user B for approving the changes.

 

SAP HR Symmetrical Double Verification

  • In this procedure, two users are always required to be able to create or change an infotype's data. The users have the same authorizations for this. Both users are granted authorizations with the authorization level S (symmetric), R (read) and M (match code) for the P_ORGIN (or P_ORGXX) authorization object instead of complete write authorizations (authorization level W or *). These authorizations allow each user to create locked data records, change locked data records, and relock unlocked data records. In addition, each user can unlock data as long as he or she is not the last person to have changed the locked data. Neither user can delete data.
  • New data is created by user A (or user B) and locked by user B (or user A).
  • To change existing data: user A (or user B) locks and changes the data and user B (or user A) unlocks the data.
  • Another user must be consulted to delete existing data.
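
The asymmetrical and symmetrical procedures above, modelled as an added example (not SAP code and not part of the original page): a Python check of which write operations the levels E, D and S permit on a record, useful for reviewing a role design for dual control. The `Record` class, the function names, and the rule that only create and change update the "last changed by" user are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass
class Record:                 # hypothetical stand-in for one infotype record
    locked: bool
    last_changed_by: str

def allowed(levels, op, user, rec=None):
    """True if `user`, holding P_ORGIN levels `levels`, may perform `op` on `rec`.
    Models only E, D and S; R and M grant no write operation."""
    if op == "create":        # E and S users can only create locked records
        return bool(levels & {"E", "S"})
    if op == "change":        # only locked records may be changed
        return rec.locked and bool(levels & {"E", "S"})
    if op == "delete":        # S never deletes; E deletes locked records only
        return rec.locked and "E" in levels
    if op == "lock":          # D locks unlocked records, S relocks them
        return not rec.locked and bool(levels & {"D", "S"})
    if op == "unlock":
        if not rec.locked:
            return False
        if "D" in levels:     # asymmetrical approver
            return True
        # symmetrical: the last person to change the data cannot approve it
        return "S" in levels and rec.last_changed_by != user
    return False

def perform(levels, op, user, rec=None):
    """Apply `op` and return the resulting record (None after a delete)."""
    if not allowed(levels, op, user, rec):
        raise PermissionError(f"user {user} may not {op} this record")
    if op == "create":
        return Record(locked=True, last_changed_by=user)
    if op == "change":
        return Record(locked=rec.locked, last_changed_by=user)
    if op == "delete":
        return None
    # lock / unlock: assumed not to count as a data change
    return Record(locked=(op == "lock"), last_changed_by=rec.last_changed_by)

# Constructed role assignments matching the two procedures
ASYM_A = {"E", "R", "M"}      # enters and changes data
ASYM_B = {"D", "R", "M"}      # approves by unlocking
SYM = {"S", "R", "M"}         # both users in the symmetrical procedure
```
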




 
Copyright © 2005 - 2007 SAP Security Online.com All Rights Reserved.