09-04-2009 9:16 AM
Hello experts,
Is there a way to add authorization for an organization unit (i.e. Company Code) on a user (SU01) level and not on a authorization objects (PFCG) level?
For example,
I would like to create the following Role (profile):
ZFI_AP_REPORT_DISPLAY
This role should be able to display AP report from the Financial module.
However our problem is, we would like to create authorization levels with organizational units for each user:
For example:
User Anson has ZFI_AP_REPORT_DISPLAY assigned but can only display Report from Company Code 3202.
We know we can create this authorization creating several roles, like:
ZFI_AP_REPORT_DISPLAY_3201
ZFI_AP_REPORT_DISPLAY _3202
ZFI_AP_REPORT_DISPLAY_3203
but our idea is not create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.
Is there a way to do this?
Thank you in advanced for your replies.
Christine Tseng
09-04-2009 9:30 AM
> Is there a way to do this?
This is what the parent-derived concept is meant for. Properly implemented it shouldn't cause more workload than the concept you're thinking of. It is not possible to assign authorizations to a user without using profiles.
09-04-2009 9:30 AM
> Is there a way to do this?
This is what the parent-derived concept is meant for. Properly implemented it shouldn't cause more workload than the concept you're thinking of. It is not possible to assign authorizations to a user without using profiles.
09-04-2009 9:50 AM
I agree with Jurjen. There is no point creating a "new" authorisation concept for a few transactions. If you use standard authorisation objects for the check in your custom tcodes then you will likely have very little work to do if you assign those tcodes to existing roles.
Even using a custom auth object & creating the variants will take up no more time than doing something like repeating the variable functionality in BI or messing about with PIDs in the UMR (which I definitely do not recommend). By sticking with the standard concept you ensure consistency, making it much easier to support and/or handover if you move on from the role.
09-04-2009 10:24 AM
> but our idea is not create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.
On which basis do you determine the company code of each user?
There might be a way of doing this via their HR or address data?
Cheers,
Julius