on 11-18-2009 2:20 PM
We are having a problem with security on results recording in QM. I am trying to set up security for the following scenario:
I want to allow a user to display inspection results in all plants in a company. I also want to allow that same user the ability to record and edit inspection results in their own plant, but not in the other plants. For example: I have a user u2018Joe.u2019 Joe works at plant u20180001.u2019 I want to give Joe the following access:
Plant: 0001
Access: Record, Edit and Display inspection results (QE51N, QE01, QE02, QE03, etc.)
Plant: 0002
Access: Display inspection results only (QE03)
Plant: 0003
Access: Display inspection results only (QE03)
We have a security role that includes the display transactions (QE03, etc.) for all plants. We also have a results recording role with QE51n, QE01, QE02, etc. for the useru2019s plant (0001). The problem comes that when we grant both roles to Joe, he can now perform results recording in ALL plants, not just his own. It appears from a security trace that it is checking the Q_MATERIAL and Q_INSPTYPE authorization objects. Is there any way to set up these authorization objects so that a user can view results in all plants but only record/edit results in the useru2019s own plant? Thank you for any help you can provide.
Hello
Can you check with this object Q_CHAR_PRC. This object is for Recording Authorization for Insp. Results in an Operation
Here you can maintain the plant for which you are allowing the result recording to be done
Regards
Gajesh
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi
The object what gajesh has suggested have following
Q_CHAR_PRC
Definition
You require this authorization to record or modify results for inspection characteristics in an operation.
The functions that are permitted for processing the inspection characteristics can be defined as required by assigning the authorizations accordingly.
Defined fields
The following fields are defined:
Plant
Work center
Status of the inspection characteristic, old
Status of the inspection characteristic, new
Example
Functions that different users may carry out, with the required authorizations for changing the status of inspection characteristics from old to new:
Processing characteristics that require confirmation:
Authorization for status changes
1 -> 2
but not
0 -> 2
4 -> 2
2 -> 3
3 -> 5
5 -> 2
6 -> 2
Processing and valuating inspection characteristics:
Authorization for status changes
0 -> 2
4 -> 2
1 -> 2
2 -> 3
but not
3 -> 5
5 -> 2
6 -> 2
Only closing inspection characteristics:
Authorization for status changes
3 -> 5
but not
0 -> 2
4 -> 2
1 -> 2
2 -> 3
5 -> 2
6 -> 2
Setting characteristics for processing that have already been closed or copied to a subsystem:
Authorization for status changes
5 -> 2
6 -> 2
but not
0 -> 2
4 -> 2
1 -> 2
2 -> 3
Thank you everyone for your responses. I really appreciate it. Unfortunately, we have tried using the authorization objects you mention but we still have the same problem.
I believe Mylene may be right about it adding the assigned values up. Because even when we assign the objects mentioned by plant, if the user has 'edit results' in one plant and 'display results' in a different plant, they now have edit for both plants.
Mylene, do you by chance have the specific thread in the security forum that talks about this? I tried to find it but could not.
Does anyone else know of any work arounds to the problem? It just seems very odd that SAP wouldn't have a way to display results in all plants yet edit results only in the home plant of the specific user.
>
> Thank you everyone for your responses. I really appreciate it. Unfortunately, we have tried using the authorization objects you mention but we still have the same problem.
>
> I believe Mylene may be right about it adding the assigned values up. Because even when we assign the objects mentioned by plant, if the user has 'edit results' in one plant and 'display results' in a different plant, they now have edit for both plants.
>
> Mylene, do you by chance have the specific thread in the security forum that talks about this? I tried to find it but could not.
>
> Does anyone else know of any work arounds to the problem? It just seems very odd that SAP wouldn't have a way to display results in all plants yet edit results only in the home plant of the specific user.
i am a bit in a hurry this morning, so i cannot come up with the one thread i really sought, but this one might suffice:
sadly enough, you will have to format the answer in order to make it readable. generally, go over there again and search with keywords 'FB03' and 'Company' ... you should be able to find one or more wanting to make differentiation in visibility per company code ...
>
> We are having a problem with security on results recording in QM. I am trying to set up security for the following scenario:
>
> I want to allow a user to display inspection results in all plants in a company. I also want to allow that same user the ability to record and edit inspection results in their own plant, but not in the other plants. For example: I have a user u2018Joe.u2019 Joe works at plant u20180001.u2019 I want to give Joe the following access:
>
> Plant: 0001
> Access: Record, Edit and Display inspection results (QE51N, QE01, QE02, QE03, etc.)
>
> Plant: 0002
> Access: Display inspection results only (QE03)
>
> Plant: 0003
> Access: Display inspection results only (QE03)
>
>
> We have a security role that includes the display transactions (QE03, etc.) for all plants. We also have a results recording role with QE51n, QE01, QE02, etc. for the useru2019s plant (0001). The problem comes that when we grant both roles to Joe, he can now perform results recording in ALL plants, not just his own. It appears from a security trace that it is checking the Q_MATERIAL and Q_INSPTYPE authorization objects. Is there any way to set up these authorization objects so that a user can view results in all plants but only record/edit results in the useru2019s own plant? Thank you for any help you can provide.
no, there isn't. all the assigned values for the objects you mentioned (and all other objects ...) add up. they are all together in a memory area that is called 'user buffer' and that is that. if you do not have different document types or such a criterium per plant, you are lost then.
please have a read in the Security forum ... it has been explained there in detail.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
hi
please check
SAP_QM_IM_RES_REC authorization.
Check the relevant objects of Display 0r change or create.
Also create SAP_QM_IM_RES_REC plant wise like SAP_QM_IM_RES_REC_0001
Regards
Sujit
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
89 | |
7 | |
7 | |
4 | |
4 | |
3 | |
3 | |
3 | |
3 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.