Skip to Content

Authority check at field level in the sales order

Dear all, our business requirement is the following:

only some users should be able to see the prices (including netwr, netpr,...) in the sales order depending on the authority check performed on the sales group field.

This means that for an order of sales group 'A':

a user of sales group 'A' can see the prices and change the order, a user of sales group 'B' cannnot see the prices but can change the order, a user of sales group 'C' can display the order but cannnot see the prices.

I ask you if such a scenario can be realized in SAP.

We currently run SAP ECC 5.0.

thx all !

bye Roberto

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • Best Answer
    author's profile photo Former Member
    Former Member
    Posted on Sep 20, 2007 at 01:47 PM

    Hi,

    I tried but I am unable to answer your question. I have gone through all auth objects in SU24 for Tcode VA02. I don't see any auth object to restrict pricing as mentioned in your message.

    I suggest you to post this message in SAP Security. I guess, SAP security gurus should put some light on this issue.

    <b><REMOVED BY MODERATOR></b>

    Regards

    sudhaker

    Message was edited by:

    Alvaro Tejada Galindo

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Sep 20, 2007 at 02:19 PM

    Hi

    In general different users will be given different authorizations based on their role in the orgn.

    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.

    USe SUIM and SU21 T codes for this.

    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.

    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.

    This means you have to allocate an authorization object in the definition of the transaction.

    For example:

    program an AUTHORITY-CHECK.

    AUTHORITY-CHECK OBJECT <authorization object>

    ID <authority field 1> FIELD <field value 1>.

    ID <authority field 2> FIELD <field value 2>.

    ...

    ID <authority-field n> FIELD <field value n>.

    The OBJECT parameter specifies the authorization object.

    The ID parameter specifies an authorization field (in the authorization object).

    The FIELD parameter specifies a value for the authorization field.

    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.

    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm

    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.

    You program the authorization check using the ABAP statement AUTHORITY-CHECK.

    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'

    ID 'ACTVT' FIELD '02'

    ID 'CUSTTYPE' FIELD 'B'.

    IF SY-SUBRC <> 0.

    MESSAGE E...

    ENDIF.

    'S_TRVL_BKS' is a auth. object

    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.

    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.

    This Authorization concept is somewhat linked with BASIS people.

    As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.

    Take the help of the basis Guy and create and use.

    <b><REMOVED BY MODERATOR></b>

    regards

    Anji

    Message was edited by:

    Alvaro Tejada Galindo

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.