Personnel Number Check (P_PERNR)

P_PERNR controls authorization for HR master data, so the infotype range for this authorization object is 0000-0999. It gives users authorization to display or maintain HR master data for their own personnel number.

If the personnel number check is active and the user has been assigned a personnel number, P_PERNR authorizations override all other checks (including P_ORGIN) except Test Procedures. This check does not take place if the user has not been assigned a personnel number, or if the user accesses a personnel number other than his or her own.

P_PERNR authorization fields:

 AUTHC  Authorization Level
 PSIGN  Interpretation of Assigned Authorization
 INFTY  Infotype
 SUBTY  Subtype

The most important field for this check is PSIGN, which is used to include or exclude (I / E) the user's own personnel number during the authorization check.

Let us take an example to understand how this authorization object works. Suppose a payroll administrator is responsible for the basic pay of employees of a given personnel area, say 1000. The infotype for Basic Pay is 0008.

To perform his duty, the administrator should have the following authorization:

 P_ORGIN:
 INFTY : 0008
 SUBTY : *
 AUTHC : *
 PERSA : 1000
 PERSG : 1
 VDSK1 : *

From a security point of view, the administrator should get authorization so that he is able to perform his responsibility (i.e. to administer the basic pay of employees). But he should only be allowed to display his own personnel data. He should not be allowed to change his own basic pay.

This is where the P_PERNR authorization object comes into the picture. He also needs to be assigned the following authorizations:

 P_PERNR:
 AUTHC : R,M
 PSIGN : I
 INFTY : *
 SUBTY : *

And,

 P_PERNR:
 AUTHC : W,S,D,E
 PSIGN : E
 INFTY : 0008
 SUBTY : *

From the first instance of P_PERNR, the user gets authorization (PSIGN : I) to read his own infotypes. From the second instance of P_PERNR, he loses (PSIGN : E) write access to his own infotype 0008, i.e. basic pay.

Hence, P_PERNR in effect acts as a negative authorization: it overrides the authorization provided by P_ORGIN.
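
The payroll administrator example above, worked through as a simplified decision model. This is an added illustration in Python, not SAP code and not part of the original page. Assumptions: field values are matched literally or by '*', an exclusion (E) wins when both an I and an E entry match, a request with no matching P_PERNR entry falls through to P_ORGIN, and the personnel numbers and the VDSK1 value are constructed.

```python
from dataclasses import dataclass

def matches(allowed, value):
    """A field matches on '*' or when the value is one of the listed values."""
    return "*" in allowed or value in allowed

@dataclass
class PPernr:            # one P_PERNR authorization
    authc: set
    psign: str           # "I" = include own PERNR, "E" = exclude own PERNR
    infty: set
    subty: set

@dataclass
class POrgin:            # one P_ORGIN authorization (fields as in the example)
    infty: set
    subty: set
    authc: set
    persa: set
    persg: set
    vdsk1: set

def check_access(user_pernr, p_pernr, p_orgin, target, authc, infty, subty="",
                 pernr_check_active=True):
    """target: dict with pernr, persa, persg, vdsk1 of the record accessed."""
    own = user_pernr is not None and target["pernr"] == user_pernr
    if pernr_check_active and own:
        hits = [a.psign for a in p_pernr
                if matches(a.authc, authc) and matches(a.infty, infty)
                and matches(a.subty, subty)]
        if "E" in hits:      # assumption: exclusion wins over inclusion
            return False
        if "I" in hits:      # P_PERNR overrides P_ORGIN for the own PERNR
            return True
        # assumption: no matching P_PERNR entry -> fall through to P_ORGIN
    return any(matches(a.infty, infty) and matches(a.subty, subty)
               and matches(a.authc, authc) and matches(a.persa, target["persa"])
               and matches(a.persg, target["persg"])
               and matches(a.vdsk1, target["vdsk1"]) for a in p_orgin)

# Constructed sample data mirroring the payroll administrator example
ADMIN_PERNR = "00001234"
ADMIN_P_ORGIN = [POrgin({"0008"}, {"*"}, {"*"}, {"1000"}, {"1"}, {"*"})]
ADMIN_P_PERNR = [
    PPernr({"R", "M"}, "I", {"*"}, {"*"}),
    PPernr({"W", "S", "D", "E"}, "E", {"0008"}, {"*"}),
]
OWN = {"pernr": ADMIN_PERNR, "persa": "1000", "persg": "1", "vdsk1": "1000"}
OTHER = {"pernr": "00005678", "persa": "1000", "persg": "1", "vdsk1": "1000"}
```

Calling check_access with an empty P_PERNR list for the administrator's own record and AUTHC W returns True in this model, which is the gap the second P_PERNR authorization closes.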