Skip to Content
author's profile photo Former Member
Former Member

Limiting VL10BATCH to Specific Shipping Points and/or Plants in ECC

Hello friends,

Does anyone know if there are auth objects associated to transaction VL10BATCH in which we can limit by shipping points and/or plants???

Auth objects associated by SAP through SU24 are as follows:

S_ADMI_FCD

S_BTCH_ADM

S_DOKU_AUT

S_GUI

S_TCODE

S_TRANSLAT

None of the above objects are useful for what it is we are trying to do.

Anyone?

Regards,

Marshall

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

4 Answers

  • Best Answer
    Posted on Feb 03, 2010 at 05:48 AM

    Hi Marshall,

    VL10BATCH is originated from the transaction VL10X. So when you will create a role with VL10BATCH it will automatically pull objects maintained for VL10X. In this case Object is V_LIKP_VST what do have a check for Shipping point.

    However restriction through plant may no be possible. But shipping point sure do by above object.

    Arpan

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      No, please leave it open and let us know.

      There is already the S_TCODE check on VL10BATCH and the S_BTCH_ADM check, however in the latter case you should take a closer look. The others are "just red herrings" in the navigation and screen programming. You can ignore them.

      --> The system first checks S_BTCH_ADM to determine whether it should override the authority of S_BTCH_JOB. It does this EVERY TIME after a check against S_BTCH_JOB is makd, so SU53 will always show it.

      One way of working around this problem of periodic job scheduling wizards, is to change the user type of your "order related" batch user (user type SYSTEM) to a DIALOG user and run the wizard with that ID. The scheduler and the steps will be in the name of the batch user, and then you can change the user type and delete the password again afterewards.

      In higher releases, you can also subsequently switch the jobstep user to a SYSTEM user and leave the scheduler.

      Ideally, you should be able to define the user in the wizard, and it should be checking S_BTCH_NAM in your authorizations to the name of the SYSTEM batch user you choose - and not create dependencies.

      Please open the thread and keep us posted.

      Cheers,

      Julius

  • author's profile photo Former Member
    Former Member
    Posted on Feb 01, 2010 at 08:06 PM

    None of the above are usefull.

    What actually happens when the "batch" is processed (?) is a different story....

    Whom are you expecting to use this transaction and how often?

    Also, I would like to add that transactions which use the current logged on user (system field sy-uname) and make nasty checks, and then schedule business user type processing are in some cases a "brain-****".

    It forces either the IT department to have the (full) business access or the business department to have system and support type access.

    Su53 and St01 are not completely innocent here either... but immortalizing dialog users in the system is worse.

    Cheers,

    Julius

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Feb 03, 2010 at 10:19 PM

    Re-Opening

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Feb 09, 2010 at 04:55 PM

    To add on to Marshall's response, here's more clarity to the issue. In VL10BATCH, a background variant was created and named for lets say plant ABC. When you select that variant and go into "change variant", through the Values tab, there is a specific shipping point saved for the vairant/plant combo, lets say shipping point 001.

    Currently, security allows a user who isn't tied to plant ABC to go into the values tab, enter or change any of the settings, shipping point, DN create window value, etc. and save that new information. This causes obviuos issues.

    What we are looking for is a security solution to only allow users that are working in plant ABC to change values in that specific variant, thanks.

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member

      Not possible, to my knowledge.

      What you can do is add an authorization group to report RVV50R10C and control via S_PROGRAM p_action VARIANT for the report group whether the variant can be changed or not. See report RSCSAUTH documentation for this.

      That way you can define the variants by a variant admin "centrally" and the users can only start and (possibly) release them, but not change or create new ones.

      For the actual batch job administration it is often the same approach as well -> make sure that object S_BTCH_ADM is not authorized beyond your batch and system administrator users.

      Worth a try, and much easier than coding screen exits and validations into the variant maintenance. RSCSAUTH also supports upgrading the system and restoring the values!

      Cheers,

      Julius

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.