They are using MIGO and MB11 among others. The org levels are set at the child role level but they are maintaining 2 WERKS objects as ALL and the rest as 0012. I do not think this will work but am trying to cover all bases.

They want to do Goods Movements and STOs from one store to another, thus needing to change the site value to other than just the default store. Then they want to do POs and Goods receipts just for the default store. All of these actions use the WERKS object and I want to know if you can have 2 different values set in the same role and expect the restricted one to work on some things and the open one to work on others.

Let me know if you need me to send any further t-codes or values

Hi Bobbi Russell,

This is like logical OR operation if the user has this object WERKS set as * & 0012 , * is what he will get

what it means is if you have different values for WERKS in different roles then user gets all those plants

Why dont you think of consolidating all the transactions which have WERKS field to one Parent role that could solve your problem

or find all the tcodes which the user has related to the WERKS field value and group them together , you can easily get this output from AGR_1251 table

I don't think that would work. There are 136 store locations that will be using derived roles. They want to restrict each store to only good receipts and POs for their own locations. At the same time they want to allow store to store transfers and goods issues from one store to another,which requires another site to be allowed.

Is there any way to do this in one role? I know that Petsmart was able to accomplish this but I cannot figure out how to do it now.

Ok...now explain to me what would happen if that 2nd role is assigned to the same user as the first one. Now they have 2 instances of the object with 2 different values. Wouldn't that just be the same as if they were in the same role? Once the user gets access to both roles, they have the combination of t-codes and objects from both.

So wouldn't they still have the same issue...just coming from 2 roles now instead of one?

Bobbi,

Why dont you put the trace on for the actions the business needs and post the trace output to understand the Success factor(RC=0) and what objects are actually controlling that action.

Without that we are just catching fish in the ocean.

I think its a combination of some standard object and company code , or you might have another transaction which can perform the actions you need.

I think you are right. My guess is they aren't using the correct transactions that they could be using.

I will take your advice and trace it to see what I get.

Hi Bobbi,

Two restriction in one role is not a good idea. Better go for master / derived role concept.

2. You need to be clear with the busniess requirement rather than trace reports.

3. Dipanjan Sanpui point is also worthy( for some extend).

Thanks,

Sri

It ended up that our business is not using the ME21N functionality as it is designed to work and that is why the restriction will not work as theywant. It will require a user exit or other customization in order to be able to secure the create PO/STO functionality the way they want it. Thank you to all who responded

I am a security developer and would like to know how to change the default values in the User account.

I have seen in RSPARAM that they are these:

zcsa/moddatfm 1 1 Default date format for creation of users with SU01 and SU10

zcsa/moddcpfm Default decimal format for creation of users with SU01 and SU10

My question is how to change them. Currently they default to ddmmyyyy and we want mmddyyyy. It also has incorrect decimal placing for USA.

Is this a basis task or a security task? Any info will be appreciated

Thanks

Hi,

If you google on zcsa/moddcpfm then the first hit will tell you what values are required to default the settings to suit the US.

If you aren't comfortable making the changes then leave it to your Basis team. Responsibility depends on your company & situation, discuss with your basis folk to see how they feel about it.