
SAP MDG Authorisations mix-up


We have problems controlling the user authorizations for master data if a user ID is assigned authorization for different master data processes for several account groups in a mixed MDG and non-MDG environment (i.e. the major Vendor account groups are managed via MDG, the rarely used account groups like plants or intercompany Vendors are managed directly in our SAP ECC system).

In SAP, granting a user change access to company code data requires a transaction assignment (in this case XK01/02) plus one or more objects with change authority (in this case Vendor: Account Group Authorization and Vendor: Authorization For Company Codes).

Example:

- A user has XK01/02 assigned for maintaining YCUS directly in ECC, including change objects

- The same user is an MDG Requestor/Approver for YIND, having change objects as described above.

This is where it goes bad: SAP mixes this together in the user buffer, as transaction authorisations are NOT linked to objects. As a result the user was able to maintain YIND directly using XK02.

The solution currently proposed by SAP is Business Transaction Events (BTE). As we have not had too much experience with the implementation of BTEs, a question to the MDG community (might also be a question to the authorisations community in general…):

Has anyone experience with implementation of the BTE in an MDG authorisations context?

Any issues / lessons learned with these BTEs & authorisations?

Accepted Solutions (0)

Answers (4)


Hi everyone, thanks to all folks who submitted feedback.

To wrap this topic up: We have implemented the Business Transaction Event functionality.

This now prohibits certain Customer and Vendor account groups from being maintained directly in ECC. In an exception table we have maintained firefighter user IDs. Therefore all standard Business Partner maintenance now needs to go via SAP-MDG.

Best Regards

Klaas
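
The mix-up described in the question and the exception-table block from the wrap-up above, as a simplified Python model added here (not SAP code and not posted by anyone in this thread). Role names and user IDs are constructed; `S_TCODE`/`TCD` and `F_LFA1_GRP`/`KTOKK`/`ACTVT` are the SAP standard technical names for the transaction and account group checks the question names by description, and the company code object is left out for brevity.

```python
# Simplified model of pooled authorizations; not SAP code. Roles and users are constructed.
ROLES = {
    "ECC_VENDOR_YCUS": [  # direct maintenance in ECC
        ("S_TCODE", {"TCD": {"XK01", "XK02"}}),
        ("F_LFA1_GRP", {"KTOKK": {"YCUS"}, "ACTVT": {"01", "02"}}),
    ],
    "MDG_VENDOR_YIND": [  # MDG requestor/approver, no XK01/02
        ("F_LFA1_GRP", {"KTOKK": {"YIND"}, "ACTVT": {"01", "02"}}),
    ],
}
MDG_GOVERNED = {"YIND"}          # account groups that must go through MDG
FIREFIGHTERS = {"FF_VENDOR_01"}  # exception table of firefighter IDs


def user_buffer(roles):
    """All authorizations of all assigned roles, pooled; the source role is lost."""
    return [auth for role in roles for auth in ROLES[role]]


def authority_check(buffer, obj, **wanted):
    """Pass if one authorization for obj covers every requested field value."""
    return any(
        name == obj and all(v in fields.get(f, ()) for f, v in wanted.items())
        for name, fields in buffer
    )


def can_change_direct(roles, tcode, group):
    """Transaction start check and object check run independently of each other."""
    buf = user_buffer(roles)
    return authority_check(buf, "S_TCODE", TCD=tcode) and authority_check(
        buf, "F_LFA1_GRP", KTOKK=group, ACTVT="02"
    )


def guarded_change(user, roles, tcode, group):
    """Extra check in the spirit of the BTE: block MDG-governed groups in ECC."""
    if group in MDG_GOVERNED and user not in FIREFIGHTERS:
        return False
    return can_change_direct(roles, tcode, group)


def audit(assignments):
    """Users whose pooled roles allow XK02 on an MDG-governed account group."""
    return sorted(
        (user, group)
        for user, roles in assignments.items()
        for group in MDG_GOVERNED
        if can_change_direct(roles, "XK02", group)
    )
```

Running `audit` over a role-assignment extract lists the user IDs that hold both kinds of role and therefore need the additional block.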

loga201
Contributor

Hi Klaas,

Set allowed account groups in the authorization object and enhance the code on the ECC side to read the auth obj values and throw an error message if the user tries to access other types.

https://archive.sap.com/discussions/thread/1108258

Thank you!


Hi Loga,

Thanks a lot for the feedback, your approach is something we have also considered. It seems it would also fulfill our requirement.

If I understand correctly, your proposal would mean adding a customer object to SAP standard authorisations?

If so, this would also be something not yet done in our MDG environment… same as the BTEs.

Thx Klaas


Hey Kiran,

many thanks for your feedback. But the issue is that one and the same user is supposed to manage Supplier master data: for one Vendor Account Group via MDG CR and for another Vendor Account Group directly with XK02 in ECC. Accordingly the same user ID will need both authorisations/roles.

The authorisations are then mixed in the user buffer.

I am pretty sure I posted this answer to you already yesterday, but somehow it disappeared overnight 😞

Many thanks + Best Regards

Klaas

former_member206605
Active Contributor

Hi

Have you tried the options below -

1. In MDG and ECC, assign a separate role to this user ID, or

2. Create 2 sets of roles - 1 for ECC and 1 for MDG - and assign them to different user IDs

With this I think it will work.

Kiran