Skip to Content

Have you been in a situation, especially in holidays and vacations season, that you had to maintain the authorization each time substitution activated in your organization?

Probably a signed hard form should be circulated ending with the system administrator or security/authorization administrator asking to copy certain roles to the acting person’s user id.

Here we are talking about a very simple and straight forward approach to come up through this need, the idea is to develop a schedule job that will run daily, or any time at your convince, all what this application to do is to check the substitution actions happened in the system and copy selective authorization accordingly.

Why it’s a seclude job not a code that responds to substitution event. simply, because I disappointed when I didn’t find an object to fulfill my need in this. probably in future; I could do more research and do an enhancement for the current solution; but let me stick with my original approach now 

The program will perform the task in a logic described next. 

Part 1:

Collect the active substitution records in internal table, say TB_SUBIN, for the current time (the time of running the program). This information can be found in two different places one for the person substitutions in table HRUS_D2; this used by R/3, through Workplace, and PORTAL, through UWL. We retrieve the data directly in the following code:

  SELECT us_name rep_name
    INTO (wa_subst-from, wa_subst-to)
    FROM hrus_d2 WHERE active = 'X'
                   AND us_name IN s_users
                   AND begda LE sy-datum
                   AND endda GE sy-datum.
    APPEND wa_subst TO tb_subin.
    CLEAR wa_subst.
  ENDSELECT.

Here we got the users participate in the substitution action directly; because this table built on direct (personal substitute) so you would only find a users in this table.

The other place is position substitution in table HRP1001,which used by R/3 system only and we retrieve the data as following: 

   SELECT * FROM hrp1001 WHERE rsign EQ 'A'
                          AND relat EQ '210'
                          AND begda LE sy-datum
                          AND endda GE sy-datum.

and check if this record active or not as follow:

    SELECT SINGLE * FROM hrpadd2 WHERE adatanr = hrp1001-adatanr.
    IF hrpadd2-active = 'X'.

But this is not every thing. Up to now; we know their is a substitution, but we don’t know the users involved in this substitutions.

First, We find the user who perform the whole thing ,the initiator, by calling the following routine:

      PERFORM obtain_us_from_s USING hrp1001-objid
                            CHANGING wa_subst-from.

(See the note at the end of this blog for details upon the routines)

Now finding the second user, the actor, is not so easy. As you see; in table HRP1001we check the relation 210 (field RELAT).This relation defines the substitution relation between position of the initiator from one side and position, employee or user of the actor from the other side.

In the next code we examine how the initiator has picked the actor in the system, either as user directly, position or employee and in this case we have to find out the related user.

         IF hrp1001-sclas = 'US'.
          IF hrp1001-sobid NE space.
            wa_subst-to = hrp1001-sobid.
            APPEND wa_subst TO tb_subin.
          ELSE.
            CLEAR wa_subst-to.
          ENDIF.
        ENDIF.
        IF hrp1001-sclas = 'P'.
          PERFORM obtain_us_from_p USING hrp1001-sobid
                                CHANGING wa_subst-to.
          IF NOT wa_subst-to IS INITIAL.
            APPEND wa_subst TO tb_subin.
          ENDIF.
        ENDIF.
        IF hrp1001-sclas = 'S'.
          PERFORM obtain_us_from_s USING hrp1001-sobid
                                CHANGING wa_subst-to.
          IF NOT wa_subst-to IS INITIAL.
            APPEND wa_subst TO tb_subin.
          ENDIF.
        ENDIF.

And always, delete the duplicate entry if exist:

DELETE ADJACENT DUPLICATES FROM tb_subin.
Part 2:

Next, we have to check from the list we prepared previously in the internal table TB_SUBIN the new substitution records that have been created since the last run of this program and those records who still in the system since that run by comparing this internal table with the database table ZHU0006 (this table keep all the users that have been assigned with authorization in the previous run for comparing) 

  SELECT userfr userto FROM zhu0006
        INTO zhu0006
        GROUP BY userfr userto.
    READ TABLE tb_subin INTO wa_subst WITH KEY FROM = zhu0006-userfr
                                                 to = zhu0006-userto.
    IF sy-subrc EQ 0.
      APPEND wa_subst TO tb_subst.
      DELETE TABLE tb_subin FROM wa_subst.
    ELSE.
      wa_subst-from = zhu0006-userfr.
      wa_subst-to = zhu0006-userto.
      APPEND wa_subst TO tb_subout.
    ENDIF.
  ENDSELECT.
  DELETE ADJACENT DUPLICATES FROM tb_subst.
  DELETE ADJACENT DUPLICATES FROM tb_subout.
Part 3:

Last, is to process three lists: first list TB_SUBIN which contains the new entry of substitution records that not captured since the last run.

  LOOP AT tb_subin INTO wa_subst.
    CLEAR: tb_roles.
    REFRESH: tb_roles.
    PERFORM read_user_autho TABLES tb_roles
                             USING wa_subst-from.
    PERFORM filter_autho TABLES tb_roles
                           USING wa_subst.
      PERFORM store_user_autho TABLES tb_roles
                                USING wa_subst.
      PERFORM write_user_autho TABLES tb_roles
                               USING wa_subst-to.
      WRITE:/ 'Authorize representatives: roles assigned'.
    PERFORM output TABLES tb_roles
                    USING wa_subst-to.
  ENDLOOP.

The second list TB_SUBOUT which contain the records captured in the last run but removed from the system in this run

  LOOP AT tb_subout INTO wa_subst.
    CLEAR: tb_roles.
    REFRESH: tb_roles.
      PERFORM clear_user_autho TABLES tb_roles
                                USING wa_subst-from
                                      wa_subst-to.
      PERFORM remov_user_autho TABLES tb_roles
                               USING wa_subst-to.
      WRITE:/ 'Deauthorize representatives: roles removed'.
    PERFORM output TABLES tb_roles
                    USING wa_subst-to.
  ENDLOOP.

 

And the third list TB_SUBST which contains the records captured in the last run and still exist in the system in the current run, this list will be empty if this is the first time you run this program in the system and there is no processing for this list only reporting purpose.

  LOOP AT tb_subst INTO wa_subst.
    CLEAR: tb_roles.
    REFRESH: tb_roles.
    WRITE:/ 'Users still to be monitored:'.
    PERFORM read_user_autho TABLES tb_roles
                             USING wa_subst-to.
    PERFORM output TABLES tb_roles
                    USING wa_subst-to.

  ENDLOOP.

 

Note that for full program code, the code for the subroutines mentioned in this blog and further selection screen description, I have post a wiki for the code gallery space.

However this post still in “Wiki Stage” stage on the link Grant authorization upon substitution thing are keeping move over their!, I’ll update this blog with the new link to the code gallery once my post approved and promoted.


To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply