Double Verification Principle is a method used while performing change/update activities on critical HR Infotypes. It helps in protecting critical infotypes by segregating the responsibilities of data entry and data control among two users. The Double Verification Principle ensures that one person alone cannot change critical infotype such as Basic Pay of an employee (infotype 0008).
There are two types of Double Verification Principle:
- Asymmetrical Double Verification Principle
- Symmetrical Double Verification Principle
Asymmetrical Double Verification Principle:
As already discussed, the basic concept behind Double Verification Principle is that two users should always be required to create or change Infotypes.
In case of Asymmetrical Double Verification Principle, the two users do not have the same authorization (Hence, the name of this process is Asymmetrical).
None of the two users are given authorization level Write (W) or *.
User A is granted authorizations with authorization level E (“enqueue”), R (“read”) and M (“matchcode”) for the P_ORGIN (or P_ORGXX) authorization object. These authorizations allow the user A to create, change or delete the locked records only.
User B is granted authorizations with the authorization level D (“dequeue”), R (“read”) and M (“matchcode”) for the authorization object P_ORGIN (or P_ORGXX). These authorizations allow the user to unlock locked records or lock unlocked records.
Activity performed in the above case:
For new data – User A enters new data and user B unlocks that new data.
For existing data – Existing data can be changed using following ways :
- User B locks the data, user changes the data. User A then changes the data and user B unlocks the data.
- User A creates a locked copy from the unlocked data and then changes this copy. User B then unlocks this data.
Deleting unlocked data – User B locks the data. User A then deletes it.
User A is always changing or creating the data and user B is responsible for approving the changes.
Symmetrical Double Verification Principle:
As the name suggests – Both users have same authorizations with the authorization level S (symmetric), R (read) and M (matchcode) for the P_ORGIN (or P_ORGXX) authorization object.
This gives users following authorizations:
- Allows each user to create locked data records, change locked data records and relock unlocked data records.
- Each user can unlock data record as long as he is not the last person to have changed the locked data.
- Neither user can delete data.