cancel
Showing results for 
Search instead for 
Did you mean: 

Problem with security access by plant for results recording

Former Member
0 Kudos

We are having a problem with security on results recording in QM. I am trying to set up security for the following scenario:

I want to allow a user to display inspection results in all plants in a company. I also want to allow that same user the ability to record and edit inspection results in their own plant, but not in the other plants. For example: I have a user u2018Joe.u2019 Joe works at plant u20180001.u2019 I want to give Joe the following access:

Plant: 0001

Access: Record, Edit and Display inspection results (QE51N, QE01, QE02, QE03, etc.)

Plant: 0002

Access: Display inspection results only (QE03)

Plant: 0003

Access: Display inspection results only (QE03)

We have a security role that includes the display transactions (QE03, etc.) for all plants. We also have a results recording role with QE51n, QE01, QE02, etc. for the useru2019s plant (0001). The problem comes that when we grant both roles to Joe, he can now perform results recording in ALL plants, not just his own. It appears from a security trace that it is checking the Q_MATERIAL and Q_INSPTYPE authorization objects. Is there any way to set up these authorization objects so that a user can view results in all plants but only record/edit results in the useru2019s own plant? Thank you for any help you can provide.

Accepted Solutions (1)

Accepted Solutions (1)

former_member186399
Active Contributor
0 Kudos

Hello

Can you check with this object Q_CHAR_PRC. This object is for Recording Authorization for Insp. Results in an Operation

Here you can maintain the plant for which you are allowing the result recording to be done

Regards

Gajesh

Former Member
0 Kudos

Hi

The object what gajesh has suggested have following

Q_CHAR_PRC

Definition

You require this authorization to record or modify results for inspection characteristics in an operation.

The functions that are permitted for processing the inspection characteristics can be defined as required by assigning the authorizations accordingly.

Defined fields

The following fields are defined:

Plant

Work center

Status of the inspection characteristic, old

Status of the inspection characteristic, new

Example

Functions that different users may carry out, with the required authorizations for changing the status of inspection characteristics from old to new:

Processing characteristics that require confirmation:

Authorization for status changes

1 -> 2

but not

0 -> 2

4 -> 2

2 -> 3

3 -> 5

5 -> 2

6 -> 2

Processing and valuating inspection characteristics:

Authorization for status changes

0 -> 2

4 -> 2

1 -> 2

2 -> 3

but not

3 -> 5

5 -> 2

6 -> 2

Only closing inspection characteristics:

Authorization for status changes

3 -> 5

but not

0 -> 2

4 -> 2

1 -> 2

2 -> 3

5 -> 2

6 -> 2

Setting characteristics for processing that have already been closed or copied to a subsystem:

Authorization for status changes

5 -> 2

6 -> 2

but not

0 -> 2

4 -> 2

1 -> 2

2 -> 3

Former Member
0 Kudos

Thank you everyone for your responses. I really appreciate it. Unfortunately, we have tried using the authorization objects you mention but we still have the same problem.

I believe Mylene may be right about it adding the assigned values up. Because even when we assign the objects mentioned by plant, if the user has 'edit results' in one plant and 'display results' in a different plant, they now have edit for both plants.

Mylene, do you by chance have the specific thread in the security forum that talks about this? I tried to find it but could not.

Does anyone else know of any work arounds to the problem? It just seems very odd that SAP wouldn't have a way to display results in all plants yet edit results only in the home plant of the specific user.

Former Member
0 Kudos

Please maintain Workcenter in Inspection Plan. Give change/create Results Recording based on Workcenter Authorization and give display based on Plant.

This would definitely help you.

Best Regards,

K. Raghavendra Nayak

Former Member
0 Kudos

>

> Thank you everyone for your responses. I really appreciate it. Unfortunately, we have tried using the authorization objects you mention but we still have the same problem.

>

> I believe Mylene may be right about it adding the assigned values up. Because even when we assign the objects mentioned by plant, if the user has 'edit results' in one plant and 'display results' in a different plant, they now have edit for both plants.

>

> Mylene, do you by chance have the specific thread in the security forum that talks about this? I tried to find it but could not.

>

> Does anyone else know of any work arounds to the problem? It just seems very odd that SAP wouldn't have a way to display results in all plants yet edit results only in the home plant of the specific user.

i am a bit in a hurry this morning, so i cannot come up with the one thread i really sought, but this one might suffice:

sadly enough, you will have to format the answer in order to make it readable. generally, go over there again and search with keywords 'FB03' and 'Company' ... you should be able to find one or more wanting to make differentiation in visibility per company code ...

Answers (2)

Answers (2)

Former Member
0 Kudos

>

> We are having a problem with security on results recording in QM. I am trying to set up security for the following scenario:

>

> I want to allow a user to display inspection results in all plants in a company. I also want to allow that same user the ability to record and edit inspection results in their own plant, but not in the other plants. For example: I have a user u2018Joe.u2019 Joe works at plant u20180001.u2019 I want to give Joe the following access:

>

> Plant: 0001

> Access: Record, Edit and Display inspection results (QE51N, QE01, QE02, QE03, etc.)

>

> Plant: 0002

> Access: Display inspection results only (QE03)

>

> Plant: 0003

> Access: Display inspection results only (QE03)

>

>

> We have a security role that includes the display transactions (QE03, etc.) for all plants. We also have a results recording role with QE51n, QE01, QE02, etc. for the useru2019s plant (0001). The problem comes that when we grant both roles to Joe, he can now perform results recording in ALL plants, not just his own. It appears from a security trace that it is checking the Q_MATERIAL and Q_INSPTYPE authorization objects. Is there any way to set up these authorization objects so that a user can view results in all plants but only record/edit results in the useru2019s own plant? Thank you for any help you can provide.

no, there isn't. all the assigned values for the objects you mentioned (and all other objects ...) add up. they are all together in a memory area that is called 'user buffer' and that is that. if you do not have different document types or such a criterium per plant, you are lost then.

please have a read in the Security forum ... it has been explained there in detail.

Former Member
0 Kudos

hi

please check

SAP_QM_IM_RES_REC authorization.

Check the relevant objects of Display 0r change or create.

Also create SAP_QM_IM_RES_REC plant wise like SAP_QM_IM_RES_REC_0001

Regards

Sujit