Former Member

Organization Units Authorization on user level

Hello experts,

Is there a way to add authorization for an organization unit (i.e. Company Code) on a user (SU01) level and not on an authorization object (PFCG) level?

For example,

I would like to create the following Role (profile):

ZFI_AP_REPORT_DISPLAY

This role should be able to display AP reports from the Financial module.

However our problem is, we would like to create authorization levels with organizational units for each user:

For example:

User Anson has ZFI_AP_REPORT_DISPLAY assigned but can only display reports from Company Code 3202.

We know we can create this authorization by creating several roles, like:

ZFI_AP_REPORT_DISPLAY_3201

ZFI_AP_REPORT_DISPLAY_3202

ZFI_AP_REPORT_DISPLAY_3203

but our idea is not to create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.

Is there a way to do this?

Thank you in advance for your replies.

Christine Tseng

3 Answers

  • Best Answer
    Posted on Sep 04, 2009 at 08:30 AM

    > Is there a way to do this?

    This is what the parent-derived concept is meant for. Properly implemented it shouldn't cause more workload than the concept you're thinking of. It is not possible to assign authorizations to a user without using profiles.

  • Posted on Sep 04, 2009 at 08:50 AM

    I agree with Jurjen. There is no point creating a "new" authorisation concept for a few transactions. If you use standard authorisation objects for the check in your custom tcodes then you will likely have very little work to do if you assign those tcodes to existing roles.

    Even using a custom auth object & creating the variants will take up no more time than doing something like repeating the variable functionality in BI or messing about with PIDs in the UMR (which I definitely do not recommend). By sticking with the standard concept you ensure consistency, making it much easier to support and/or hand over if you move on from the role.

  • Former Member
    Posted on Sep 04, 2009 at 09:24 AM

    > but our idea is not to create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.

    On which basis do you determine the company code of each user?

    There might be a way of doing this via their HR or address data?

    Cheers,

    Julius
