Skip to Content
avatar image
Former Member

Role Based Authorizations

Hello:

I have a question related to the role based authorization.

I have a ROLE:A, which includes Display PO (ME23N) transaction with activity 03 and Pur. Org (M_BEST_EKO) A.

I have another role ROLE:B, which includes Create/Change PO transaction with activity (ACTVT) 01-Create and 02-Change and Pur. Org (M_BEST_EKO). B.

If I assign these roles to user, Will he be able to create Purchase order for Pur. Org. A?

My situation is I do not want him to be able to create a PO for Pur. Org = A since he does not have access to ME21N transaction in Role A.

How Can I achieve this??

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

5 Answers

  • avatar image
    Former Member
    Jan 21, 2008 at 05:42 PM

    > I have a ROLE:A, which includes Display PO (ME23N) transaction with activity 03 and Pur. Org (M_BEST_EKO) A.

    >

    > I have another role ROLE:B, which includes Create/Change PO transaction with activity (ACTVT) 01-Create and 02-Change and Pur. Org (M_BEST_EKO). B.

    >

    > If I assign these roles to user, Will he be able to create Purchase order for Pur. Org. A?

    No

    As long as activity and org.field are in the same object the authorizations remain separated.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jan 21, 2008 at 05:43 PM

    Jurjens answer is right as the activty is directly related to the purchase ORG values given in this situation

    and besides that: While SAP calls the TRX Display, there is a change that even giving wider activity codes will not allow the user to create /change. But the ONLY way to be certain: Create a test user with both roles and test for yourselve.

    Edited by: Auke Visser on Jan 21, 2008 6:44 PM

    Edited by: Auke Visser on Jan 21, 2008 6:46 PM

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jan 22, 2008 at 05:53 AM

    Hi Tridev,

    In ur scenario, user will be not able to create PO for Purch.Org.A as per ur activity and maintenance of ORG levels in Role A.He can only create/change PO for Purch.Org.B.

    T-codes does only check for relative Objects along with activities only which r maintened in Roles.

    ur scenario is only possible when user have 2 roles.

    Othercase, if the same user has only one role , then u cannot differenciate Purchasing Organisation.

    Still u can do it, but then u have to insert manually into the Object M_BEST_EKO which is not recommended.

    Rgds,

    Gadde.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jan 22, 2008 at 06:43 AM

    Hi Tridev,

    Field values in any object are picked using the AND operator i.e. Activity 03 AND Pur Org A. Similarly it will be ACTVT 01/02 AND Pur Org B. So for every set of authorization values the fields will always have AND. So a user can have multiple sets of values for the same object BUT the field values will always be tagged together !

    It will never be a PnC of the authorization values.

    What you have proposed to do is absolutely correct!

    Regards

    Sachin

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jan 22, 2008 at 12:08 PM

    Hi Tridev,

    since the user has display activity in org.A, he can only display. And since the user has create activity in org B, he can create in B.

    As the organisations are different, the he cannot have both activities in both organisations.

    Add comment
    10|10000 characters needed characters exceeded